Compliance Engineer

Job ID 2018-1075

Other Portland, Oregon Indianapolis, Indiana


WebMD’s Health Services business enables employers and health plans to provide their employees and plan members with access to personalized health and benefit information, decision support technology that helps them make informed benefit, provider and treatment choices and provides telephonic health coaching services.

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status.

WebMD Health Services is seeking a Compliance Engineer to work with the Security and Legal teams to develop a new compliance function. The ideal candidate will be familiar with healthcare industry compliance frameworks such as HITRUST and HIPAA or have prior work experience with similar frameworks such as FedRAMP/DOD or PCI Level 1. This role will work closely with operational and development teams to ensure WebMD Health Services meets our governance requirements and works to achieve operational excellence.


  • Lead the execution of the HITRUST Compliance Program and ensure that the organization maintains HITRUST compliance.
  • Provide guidance to all constituencies on the appropriate implementation of applicable controls.
  • Evaluate potential GRC (Governance Risk and Compliance) tools to automate recurring work.
  • Communicate and manage compliance expectations across all levels of the organization.
  • Develop detailed reports and dashboards that meet the needs of executives and managers within the organization.
  • Collaborate with the various stakeholders to develop relevant and comprehensive metrics including key performance indicators (KPIs) and key risk indicators (KRIs).
  • Identify and report on compliance risk.  Where deficiencies are identified, work with control owners to initiate corrective action plans to reduce risk to known and acceptable levels.
  • Develop an ongoing program to oversee audit all of the organizational controls to ensure that they are in place and remain effective.
  • Maintain expertise on compliance trends through training and research to ensure potential compliance exposures can be mitigated.
  • Serve as the compliance subject matter expert and brief the highest levels of the organization effectively and regularly on HITRUST, HIPAA/HITECH and other critical compliance mandates.
  • Advise on the direction of the compliance program in evaluating remediation challenges and new requirements.


  • A degree from an accredited university in a related field, or the equivalent work experience.
  • 5 or more years of work experience in a Compliance and Audit role.
  • A minimum of 3-5 years of Compliance program management and operations experience.
  • Familiarity with Information Security Frameworks and applicable regulations including HIPAA, HITECH, and HITRUST.
  • Must have a broad knowledge base in technical operational and security domains to identify compliance issues, develop risk mitigation plans and translate issues between all departments clearly.
  • Ability to translate control framework requirements into understandable and actionable tasks.
  • Drive and capacity to continually expand knowledge base and apply findings to organizational mission, and manage the evolution of the compliance plan.
  • Must be a team-oriented, self-motivated professional.
  • Time management, communications, decision making, presentation, human relations, and organizational skills.
  • Program and project management, planning, and organizational skills with demonstrated ability to prioritize and execute multiple tasks and projects.
  • Must communicate effectively with audiences having varied levels of technical knowledge.

Preferred Experience:

  • Significant experience managing Information Technology compliance programs.
  • Proven successes in assisting organizations in developing Information Security programs, conducting assessments, and obtaining certifications in one or more of HITRUST, ISO 27000 series or NIST SP800-53.
  • Experience implementing tools and processes to simplify and manage complex compliance requirements.

Candidates with one or more of the following certifications are preferred:

  • CCSFP (HITRUST) - Certified Common Security Framework Professional
  • CISSP – Certified Information System Security Professional
  • CISM – Certified Information Security Manager
  • CISA – Certified Information Systems Auditor
  • CRISC – Certified in Risk and Information Systems Control

*As a member of WebMD Health Services, you may have access to confidential information that will require you to follow additional protocols to ensure the security of our data. As a core requirement, you must implement and act in accordance with the organization’s information security policies; protect assets from unauthorized access, disclosure, modification, destruction or interference; execute security processes or activities; and report security events or potential events or other security risks to the appropriate parties within the organization.