Job Description:
Role Summary:
The Third Party Risk Management Analyst / Business Analyst (BA) is a temporary contractor supporting the Patient Trust initiative by identifying third-party processors that store, access, or handle patient data (including PHI/PII as applicable) and strengthening oversight, accountability, and risk management of those processors. The BA partners with Security, Privacy, Procurement, Legal, Risk, and business owners to define requirements, analyze the current state, and deliver foundational governance artifacts such as a unified third-party patient data inventory, a vendor lookback plan, and a risk-tiering model.
Key Responsibilities:
- Deliver Phase 1 foundations for Workstream 3: translate the deck deliverables into requirements, detailed process steps, owners, and measurable outputs across the Vendor Lookback Plan, Unified Third-Party Patient Data Inventory, and Risk-Tiering Model.
- Vendor Lookback Plan (Apr-Nov): build the initial vendor universe by coordinating the OneTrust and LeanIX pulls and defining the comparison logic used to establish the starting population of potential patient-data vendors.
- Identify likely patient-data service areas: perform procurement taxonomy review, category classification, and targeted vendor list requests to focus on service areas most likely to process patient data.
- Consolidate and normalize the master vendor list: merge OneTrust/LeanIX/Procurement sources; deduplicate; standardize vendor names; and capture baseline context (service description, business owner, system/app linkage as available).
- Confirm patient data processing (in-scope determination): execute desktop validation and drive targeted business owner confirmations to finalize binary in-scope / out-of-scope decisions.
- Operationalize risk-based lookback triggers: define and document trigger logic (time since review, data sensitivity, volume, access level, criticality) and apply it to the in-scope vendor set to determine reassessment needs.
- Drive formal approval of the lookback methodology: prepare decision materials and facilitate approvals for scope, triggers, and prioritization logic with Workstream 3 stakeholders.
- Deliver the Unified Third-Party Patient Data Inventory (Jul-Nov): ensure the inventory captures required outputs (normalized vendor name, business owner, service description, patient data involvement yes/no, data types, geographic footprint, and risk tier once established).
- Build the Risk-Tiering Model (Aug-Nov) and prioritized lookback queue: define tier inputs (sensitivity, volume, access, criticality, time since review), group vendors into high/medium/low tiers tied to review expectations, and create an execution queue aligned to capacity, phased waves, and future automation.
- Support Phase 2 execution (Oversight & Monitoring): support conduct of lookback assessments and operationalization of the Third-Party Assurance Program (annual security & privacy reviews, evidence-based control testing, SOC 2 / ISO 27001 intake review processes).
- Continuous monitoring of critical vendors: help define the monitoring approach using questionnaires, external signals, and/or integrated vendor-risk tools; document thresholds, cadence, escalation paths, and reporting.
- Third-Party Incident Response Integration: define and document vendor notification and cooperation expectations within defined timeframes for patient data/PHI exposure events; align playbooks and handoffs with Security Incident Response and Privacy.
Required Qualifications:
- 5+ years of business analysis experience delivering process, data, and governance outcomes in regulated environments.
- Hands-on experience with third-party / vendor security risk management (TPRM), including risk assessments, evidence collection, remediation tracking, and stakeholder communications.
- Strong understanding of security and privacy fundamentals as they relate to third parties (e.g., access, data handling, encryption, incident response, audit artifacts).
- Demonstrated ability to build and maintain inventories or registries (vendors, applications, data flows) with attention to data quality, normalization, and reporting.
- Proficiency with requirements elicitation/documentation techniques (workshops, interviews, user stories, acceptance criteria) and process mapping.
- Excellent written and verbal communication skills; ability to translate technical and control concepts into business-friendly language.
- Experience working cross-functionally with Security, Privacy, Procurement/Vendor Management, Legal, IT, and business owners.
- Experience supporting healthcare data programs and/or familiarity with HIPAA/HITECH concepts (or equivalent healthcare privacy/security frameworks).
- Experience reviewing third-party audit reports and certifications (SOC 2 Type II, ISO 27001, NIST Privacy Framework, ISO 27701) and translating results into risk decisions.
- Experience with TPRM and GRC tooling and/or enterprise inventory sources (e.g., OneTrust, LeanIX, procurement systems, vendor-risk platforms).
- Experience defining risk tiering methodologies and prioritization queues aligned to capacity and operational realities.
- Familiarity with contract/security addenda requirements and third-party incident notification language.
- Project delivery experience in Agile, hybrid, or waterfall environments; comfort with backlog management and delivery planning.