
Vice President, Chief Information Security Officer

Job in Northern, Floyd County, Kentucky, USA
Listing for: Sutter Health
Full Time position
Listed on 2026-02-07
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security
Location: Northern

Sutter Health is one of California’s most comprehensive healthcare systems and one of the nation’s largest, generating $18+ billion in revenues. Headquartered in Sacramento, Sutter Health is a not-for-profit, integrated healthcare system committed to health equity, community partnerships and innovative, high-quality patient care. Sutter’s 60,500+ employees and 14,000+ physicians and advanced practice clinicians serve more than 3.5 million patients through its network of hospitals, medical foundations, ambulatory surgery centers, urgent and walk-in care centers, telehealth, home health and hospice services.

Essential Responsibilities

Strategic Leadership
  • Develop and implement a multi-year information security strategy that aligns with organizational priorities, digital transformation goals, and regulatory requirements.
  • Advise the CEO, CDO, COO, and Board of Directors on emerging cyber threats, risks to patient care, and mitigation strategies.
  • Lead enterprise participation in healthcare security coalitions, information sharing groups (e.g., H-ISAC), and public–private partnerships.
Governance, Risk & Compliance
  • Establish and maintain a security governance program based on healthcare-aligned frameworks (NIST CSF 2.0, HITRUST CSF, HICP, HIPAA/HITECH).
  • Drive enterprise risk assessments and develop mitigation plans for cybersecurity, privacy, and clinical safety risks.
  • Ensure compliance with HIPAA, HITECH, CMS, FDA (for medical device security), and state privacy regulations.
  • Oversee security audits, penetration tests, and third-party/vendor risk assessments, ensuring remediation of findings.
Clinical & Operational Security
  • Protect the Electronic Health Record (EHR), patient-facing portals, and digital health platforms against compromise, downtime, or data loss.
  • Partner with Clinical Engineering and Biomedical teams to secure medical devices and Internet of Medical Things (IoMT).
  • Lead preparedness for ransomware, phishing, insider threats, and advanced persistent threats with an emphasis on minimizing patient safety impact.
  • Oversee disaster recovery and business continuity planning in alignment with emergency preparedness and patient safety frameworks.
Collaboration & Culture
  • Partner with Digital, Compliance, Privacy, Clinical, and Operational leaders to embed security into new initiatives, system design, and patient engagement platforms.
  • Build and lead organization-wide security awareness and phishing-resistance training tailored to caregivers, clinicians, and administrative staff.
  • Serve as the public face of information security during regulatory reviews, patient safety investigations, and stakeholder engagements.
Team Leadership
  • Recruit, develop, and lead a high-performing healthcare cybersecurity team across areas such as threat intelligence, incident response, IAM, and risk management.
  • Promote a culture of accountability, clinical safety, and innovation in cybersecurity practices.
  • Provide coaching and mentoring for next-generation security leaders.
Education & Experience
  • Bachelor’s degree in Information Technology, Cybersecurity, Healthcare Administration, or related field required; Master’s degree preferred.
  • 10+ years of progressive leadership in information security and risk management, with 5+ years in healthcare or another highly regulated industry.
  • Demonstrated success implementing enterprise cybersecurity programs in a multi-hospital health system, payer, or large healthcare delivery network.
Knowledge & Skills
  • Deep knowledge of HIPAA, HITECH, CMS, OCR enforcement, FDA guidance for medical devices, and healthcare-specific risk management frameworks.
  • Expertise in EHR security (Epic preferred), identity and access management, cloud security, and medical device security.
  • Strong business and clinical acumen; ability to align security with patient care priorities.
  • Exceptional communication skills with the ability to present to clinical leaders, executives, and boards.
  • Relevant certifications strongly preferred: CISSP, HCISPP, CISM, CISA, or CHPS.

The primary office location of this position will be in Sacramento or Emeryville, CA.
