Governance, Risk & Compliance (GRC) Analyst

About xCures:

xCures is redefining how healthcare organizations access, trust, and act on patient data. Our mission is to ensure that critical patient information is available when, where, and how it’s needed most — helping care providers and partners make faster, better-informed decisions that improve health outcomes.

Our AI-powered software platform aggregates, structures, normalizes, and distills patient health data from care encounters nationwide. Within minutes, xCures delivers validated, traceable, and clinically actionable insights, addressing healthcare’s most persistent challenges: missing data, messy data, and opaque insights. Our driving purpose is to equip our partners, such that they are enabled to provide care and services in a form that inspires confidence and provides real clinical utility.

At xCures, quality and trust are not features — they’re foundational to the tools we’ve built. Our work is driven by precision, performance, and purpose. xCures is excited to champion responsible interoperability and the transformative potential of AI in healthcare, when done with the right values at the front of mind.

About the role 

As a GRC Analyst, you will play a key role in executing and maturing xCures’ governance, risk, and compliance program, with a primary focus on HITRUST certification and healthcare regulatory requirements, while supporting future ISO 27001 and GDPR readiness initiatives. You will work cross-functionally to operationalize controls, coordinate audit activities, and drive remediation initiatives across the organization.

This role is ideal for a candidate with audit, advisory, or consulting experience who is looking to transition from external audit/advisory into an in-house, operational compliance role where you can own controls end-to-end, contribute to global compliance expansion, and see direct business impact.

Responsibilities

• Support and execute the HITRUST CSF certification program, including validated assessments and interim reviews.
• Partner with internal stakeholders to design, document, and operationalize controls aligned with HITRUST, HIPAA, ISO 27001, and GDPR requirements.
• Assist in preparing the organization for future ISO 27001 certification efforts, including gap assessments and control mapping.
• Support GDPR compliance initiatives, including documentation of data protection controls, data flow mapping, and privacy impact assessments.
• Lead audit coordination efforts, including evidence collection, walkthroughs, and assessor interactions.
• Perform internal control testing and gap assessments across technical, administrative, and privacy domains.
• Track remediation plans and corrective action items through completion, ensuring accountability and timely resolution.
• Maintain and enhance policies, procedures, and control documentation across multiple frameworks.
• Assist in enterprise risk assessment activities and maintain the risk register.
• Support third-party risk management activities, including vendor risk assessments and due diligence reviews.
• Respond to customer security questionnaires and compliance-related diligence requests.
• Develop executive-ready compliance reporting, dashboards, and status updates.
• Drive continuous improvement initiatives to strengthen control maturity and reduce audit friction across multiple regulatory frameworks.
• Collaborate with IT, Security, Engineering, Product, Legal, and Privacy stakeholders to ensure controls are properly implemented and operating effectively.

Basic Qualifications

• 2+ years of experience in Governance, Risk & Compliance, IT Audit, Risk Advisory, or Information Security.
• Experience supporting HITRUST, HIPAA, SOC 2, ISO 27001, GDPR, NIST, or similar regulatory frameworks.
• Experience performing control testing, walkthroughs, and evidence validation.
• Strong documentation and analytical skills.
• Experience managing multiple compliance workstreams and deadlines.
• Ability to translate regulatory and privacy requirements into practical business controls.
• Strong written and verbal communication skills.
• Must reside in the United States.
• Must have authorization to work in the United States.

Preferred Qualifications

• 3–5 years of experience in public accounting, risk advisory, or consulting.
• Direct experience supporting or assessing HITRUST and/or ISO 27001 environments.
• Experience mapping controls across multiple frameworks (HITRUST, HIPAA, ISO 27001, GDPR, SOC 2, NIST).
• Experience supporting GDPR compliance programs, including data protection impact assessments (DPIAs).
• Experience leading portions of audits or acting as day-to-day client contact.
• Experience building risk registers, remediation plans, and executive reporting materials.
• Experience working in healthcare, digital health, SaaS, or regulated technology environments.
• Relevant certifications such as Security+, CISA, CRISC, CISM, CISSP, HITRUST CCSFP, ISO 27001 Lead Implementer or Lead Auditor, CIPP/US or CIPP/E.

What We’re Looking For

• A compliance professional who wants to move from external advisory to internal ownership or has a strong desire to learn and grow in governance, risk, and compliance.
• A willingness to learn and become productive across all of the Information Security profession and pitch-in when needed.
• Strong project management instincts and ability to drive multi-framework initiatives.
• Comfort engaging both technical engineers and business leaders.
• Ability to operate independently while collaborating cross-functionally.
• A proactive mindset focused on building scalable compliance programs rather than reacting to audits.
• High integrity and commitment to protecting sensitive healthcare and personal data.
• Interest in helping scale compliance from HITRUST-focused to broader global frameworks.

To apply, please send your cover letter and resume to infosec-jobs@xcures.com

Comp & Benefits

• Salary range : 72K to 140K Annual
• Medical, Dental, Vision insurance
• 401k

xCures acknowledges that equal opportunity for all persons is a fundamental human value. Each employee and applicant will be considered on the basis of individual ability and merit, without regard to race, color, religion, age, sex, sexual orientation, gender identity, gender expression, pregnancy, national origin, marital status, physical disability, mental disability, medical condition, genetic information, protected military or veteran status, or any other characteristics.