Application Analyst - Identity
Durham, NC, US, 27710
At Duke Health, we're driven by a commitment to compassionate care that changes the lives of patients, their loved ones, and the greater community. No matter where your talents lie, join us and discover how we can advance health together.
About Duke Health Technology Solutions
Pursue your passion for caring and innovation with Duke Health Technology Solutions, which is dedicated to the transformation, development, and management of enterprise information technology solutions across Duke Health. By harnessing the power of innovative technologies like cloud computing and artificial intelligence — and pairing them with a forward-thinking approach — Duke Health Technology Solutions is revolutionizing the future of health care at Duke Health and beyond.
Job Title: DHTS Application Analyst (Security & Provider Record Design)
Occupational Summary
The Information Security Analyst provides support for a variety of operational and consultative functions as part of a Duke Information Security Office (ISO). The Information Security Analyst helps design, implement, manage, and monitor technical, administrative, and physical controls to protect the confidentiality, integrity, and availability of the organization's information assets. The Information Security Analyst will carry out these responsibilities in collaboration with IT, clinical, research, and management staff from across Duke.
Duke Health Information Security Office analysts will perform work across multiple domains of information security but will have primary duties assigned specifically from analyst Working Titles.
Primary Role: IAM Security Analyst
The Maestro Care Security & Provider Record Design Analyst provides support for the Epic application, working closely with the Security & Provider Record Design Team Lead and other Security & Provider Record Design Team members.
The Maestro Care Security & Provider Record Design Analyst contributes to the design, implementation, and testing of Maestro Care Security Templates that cross modules as well as the overall design and provisioning strategy for provider records. As a focused leader, duties include participating in the Security Work Group and Provider Record Stakeholder to provide solutions for appropriate user security and provider access and authorizations. Must understand how applications integrate and how multiple applications use provider record settings in order to set the security strategy and provide guidance to the organization.
CERTIFICATION:
The employee for this position is required to obtain Epic Certification in one of the Live Modules implemented at DUHS and to hold at least the Epic Security Proficiency within 90 days of hire. Adding on the Provider Badge is highly encouraged.
Reports To
Security & Provider Record Design Manager
Essential Tasks/Responsibilities
• Epic knowledge of security architecture, concepts and how pieces are interrelated (e.g. templates, sub templates, security class, user roles, menus, activities, and profiles)
• Supports Epic Care Everywhere workflows to ensure Transition of Care Summaries are delivered electronically to external referring providers and places of service, primarily by direct addresses loaded via External Directory loads and Surescripts imports. Document system and user procedures as necessary within ServiceNow
• Ensure that the security & provider record build adheres to policies set forth by Duke leadership, Compliance, Information Security Office and Internal Audit
• Participates in the Security Workgroup meetings, Provider Stakeholder, and Security Governance
• Review audit findings and determine strategy for correcting, mitigating, or accepting risks
• Provide both business and afterhours on-call support for issues pertaining to production: including the analysis, prioritization and implementation of requested changes, analysis of new functionality, coordination of software release updates, system testing and interface enhancements
• Assists the team in gathering requirements, troubleshooting, and alternative solutions to existing workflows and technical issues
• Assist in the documentation, prioritization, and resolution of identified deployment issues through the use of Epic’s Nova and Sherlock tracking systems.
• Provide oversight within identified development and production support meetings, reviews, and design sessions as assigned
• Partner with Maestro Care Build Teams and User Provisioning Analysts to ensure security template and provider role, designation, and title selections are appropriate.
• Adhere to organizational policies and procedures and follow all change control processes defined within Maestro Care Change Management
Across all analysts in the Duke Information Security Office, the following Core Competencies are established. In addition, all analysts are expected to perform other related duties incidental to the work described herein.
LEVEL 1:
• Directed work on individual tasks as assigned by manager with direct supervision, oversight, and guidance by manager;
• Assess risk and provide guidance on remediation planning using pre-established operating procedures and decision trees;
• Commitment to customer satisfaction;
• Strong written and oral communication skills;
• Attention to detail and organization.
LEVEL 2:
• In addition to the duties described for the Level 1, the Level 2 will, at a minimum:
• Independent work on individual tasks and projects as assigned by manager with limited supervision, oversight, and guidance by manager;
• Assess risk and provide guidance on remediation planning using additional professional judgment and institutional knowledge. As requested by management, provide input for reports and analysis;
• Participate in activities that could have significant impact for operational, financial and/or risk improvement as directed by management;
• Lead and influence initiatives within the Duke Health ISO;
• Strong critical thinking, analytical, and problem-solving skills;
• Ongoing knowledge of latest security trends, emerging threats, and industry best practices;
• Strong interpersonal skills and the ability to build relationships with colleagues, customers, vendors, and other third parties.
LEVEL 3:
• In addition to the duties described for the Level 1/2, the Level 3 will, at a minimum:
• Assess risk and provide guidance on remediation planning as a Subject Matter Expert in a specific domain or tool;
• Identify areas that could have significant impact for operational, financial and/or risk improvement and bring a developed plan to management for approval. If approved, lead execution of project;
• Represent Duke Health ISO to DHTS (Duke Health Technology Solutions) Senior Leadership Team or Duke Executive boards. Prepare and independently present reports and presentations on the status of security controls to management and technical staff;
• Mentor, guide, and provide support to management in day-to-day personnel oversight and workflow management activities and evaluation input for Level 1/2 staff performance;
• Lead and influence initiatives outside of the Duke Health ISO within the broader Duke community;
• As appropriate, participates in external professional organizations that are relevant to the objectives of the information security program;
• Utilize knowledge of latest security trends, emerging threats, and industry best practices to provide recommendations for improving system and enterprise security posture;
• Exemplary capability to communicate with technical and non-technical audiences in both formal and informal settings;
• Able to understand and translate between business and technical requirements.
Behaviors/Soft Competencies:
Advancement to Level 3 or above requires that the employee, at a minimum, successfully attain the following:
• The following measures can help create a fair and comprehensive evaluation process for promotions, ensuring that the most deserving employees are recognized and given opportunities to advance.
• Proven ability to work at the next level: This involves demonstrating the skills and competencies required for the next level of responsibility. Employees should have demonstrated that they can handle tasks and challenges that are typically associated with the higher position.
• Potential to serve beyond the next level: This measure looks at the employee's long-term potential and their ability to grow within the organization. The employee should have the vision, ambition, and capability to take on even greater responsibilities in the future.
• Consistently demonstrates a values-based approach in how they work: Employees should consistently exhibit behaviors and decision-making processes that align with DUHS values. The exhibited values are integrity, teamwork, diversity, excellence and safety. Patient-focused is also critical to success.
• Is considered one of the top performers at their level across the organization: This measure evaluates the employee's overall performance and reputation within DHTS. Top performers are often recognized for their exceptional contributions, reliability, and ability to exceed expectations. We will select the best and not the best available.
Education/training
EDUCATION:
Level 1, 2 and 3 - Bachelor's degree in a related clinical or technical field, or four years of equivalent technical experience required.
Level 3 - A Master's degree in a related clinical or technical field is preferred.
LICENSURE/CERTIFICATION:
LEVEL 1:
Epic Security Certification/Proficiency achieved within 90 days of hire
Preferred: Relevant Certifications or Proficiencies in at least 1 non-Security Epic module
LEVEL 2:
In addition to the requirements described for the Level 1:
Required: at least 1 non-Security Epic module
Preferred: Epic Provider Administration Badge
LEVEL 3:
In addition to the requirements described for the Level 2, the Level 3 requires:
Epic Provider Administration Badge.
Experience
Required:
• Microsoft Office suite, to include Word, Excel, and PowerPoint
• Knowledge and experience with health care information systems
Skills
Required:
• Advanced computer skills
• Good written and oral communication skills
• Good workflow analysis and business process integration skills
• Ability to work as a member of a team and independently without supervision
• Excellent attention to detail, interpersonal skills and troubleshooting/analytical skills
• Excellent analytical, organizational and process disciplines
• Well-developed time management skills and the ability to work rapidly without a loss of quality
• Ability to communicate clearly and effectively in spoken and written English
• Ability to manage competing priorities in a complex environment
All Levels:
Must have conceptual familiarity with most of the following information security practices, standards, and systems:
• Data Loss Prevention (DLP)
• Intrusion Detection and Prevention Systems (IDS/IPS)
• Security Information Event Management (SIEM) systems
• Virtual Private Network (VPN) systems
• Encryption technologies and standards
• Endpoint security
• Firewalls
• Cloud security platforms and tools
• Incident response
• Forensic investigation
• Network and/or application penetration testing
• Vulnerability management
• Vulnerability scanning tools
• Governance, Risk, Policy, and Exception Management
• Business Continuity and Disaster Recovery (BCDR)
• Identity and Access Management (IAM)
• Risk assessment practices
• Security Awareness and Training
Must have a working knowledge of at least one of the following regulatory compliance requirements and IT management frameworks:
• FISMA
• NIST information security standards
• HIPAA Security and/or Privacy Rules
• HITECH and Meaningful Use
• HITRUST Common Security Framework (CSF)
• ISO 27000-series standards
• PCI DSS
Duke is an Equal Opportunity Employer committed to providing employment opportunity without regard to an individual's age, color, disability, gender, gender expression, gender identity, genetic information, national origin, race, religion, sex (including pregnancy and pregnancy related conditions), sexual orientation or military status.
Duke aspires to create a community built on collaboration, innovation, creativity, and belonging. Our collective success depends on the robust exchange of ideas—an exchange that is best when the rich diversity of our perspectives, backgrounds, and experiences flourishes. To achieve this exchange, it is essential that all members of the community feel secure and welcome, that the contributions of all individuals are respected, and that all voices are heard. All members of our community have a responsibility to uphold these values.
Essential Physical Job Functions:
Certain jobs at Duke University and Duke University Health System may include essential job functions that require specific physical and/or mental abilities. Additional information and provision for requests for reasonable accommodation will be provided by each hiring department.