Applications Security Analyst (Epic) III / Senior

The Senior Application Security Analyst professional will lead the day-to-day execution and continuous improvement of Epic application access in a high-volume hospital environment. This role blends operational excellence (hundreds of access tickets weekly) with senior-level ownership of access models, governance, and audit readiness.

This role will also be a key application-side partner in our IAM/IGA automation program—helping define the Epic roles/entitlements, approvals, and access review structures that enable scalable onboarding and offboarding automation. Over the next 12–24 months, this team’s scope is expected to broaden from Epic-focused access to enterprise application access governance across the organization.

Position: Applications Security Analyst (Epic) III / Senior        

Department: Information Security

Schedule: Full Time

• Own and execute work in a high-volume ServiceNow queue, consistently handling hundreds of tickets per week for joiner/mover/leaver access changes, troubleshooting, and triage.

• Prioritize and route requests using impact, urgency, patient-care considerations, risk, and defined SLAs; escalate complex/high-risk issues appropriately.

• Troubleshoot access end-to-end (request intent, user attributes, role mapping, provisioning outcomes, in-application authorization) and document decisions/outcomes clearly for auditability.

• Serve as the senior escalation point for Epic access design/build and complex access issues; ensure access is scalable, supportable, and aligned to policy.

• Develop and maintain standardized access patterns Attribute Based Access Control (ABAC)/templates, privileged/elevated access controls) aligned to least privilege.

• Partner with Epic application teams and operational leaders to translate workflows into durable access models and reduce one-off exceptions.

• Maintain an Epic access catalog (roles/entitlements, risk tiers, prerequisites, approval paths) and keep it current as workflows evolve.

• Support access reviews/attestations for high-risk roles and privileged access; drive remediation of findings and control gaps.

• Support investigations related to inappropriate access/privacy concerns and contribute to corrective action plans.

• Partner with IAM/IGA stakeholders during SailPoint implementation to ensure Epic is “automation-ready” (clean entitlements, requestable roles, approvals, constraints, and edge-case handling).

• Help align access with authoritative source systems (HR, operations, credentialing, etc.) by defining needed attributes and lifecycle scenarios (joiner/mover/leaver, LOA, contractors, students).

• Support testing/UAT and rollout readiness by validating that automated provisioning yields correct in-application authorization and usable audit trails.

• Mentor and quality-review work performed by Level II analysts; establish standard work, runbooks, knowledge articles, and queue hygiene practices.

• Track and improve key operational metrics (turnaround time, rework/defect rate, exception volume, access quality) and drive measurable process improvement.

• Associates degree OR equivalent education or experience

• Epic certification(s), Security strongly preferred.

• 5+ years of experience in Epic security/access, application access governance, or closely related healthcare IT security operations with substantial Epic access responsibility.

• Strong Epic import/export, Microsoft Excel skills and experience.

• Demonstrated expertise in Attribute Based Access Control (ABAC)/least privilege, access standardization, and governing elevated access in a complex clinical/operational environment.

• Proven ability to thrive in a high-volume ticket environment while maintaining quality, consistency, and audit-ready documentation.

• Strong cross-functional collaboration skills (Epic teams, operations, HR, IAM/IGA, IT) and clear written communication.

• Bachelor’s degree; majors in Computer Science, Information Systems, Cybersecurity, Healthcare Informatics, or related fields are preferred.

• Additional Epic certifications.

• Strong Data Governance knowledge and experience.

• Experience implementing or partnering with IAM/IGA platforms (Okta LCM or SailPoint ISC/IIQ preferred; similar tools acceptable).

• Experience with access reviews/attestations, segregation-of-duties concepts, and audit support in healthcare.

• Microsoft Access database experience.

• Sit inside Cybersecurity under the CISO organization with meaningful influence on enterprise access strategy.

• Help shape the application authorization layer that makes IGA automation successful (Epic first; broader application portfolio next).

• Have real scale: high operational volume, high-impact clinical workflows, and a multi-year IAM/IGA automation program modernizing access lifecycle controls.

Compensation Range:

This range offers an estimate based on the minimum job qualifications. However, our approach to determining base pay is comprehensive, and a broad range of factors is considered when making an offer. This includes education, experience, skills, and certifications/licensures as they directly relate to position requirements; as well as business/organizational needs, internal equity, and market-competitiveness. In addition, BMCHS offers generous total compensation that includes, but is not limited to, benefits (medical, dental, vision, pharmacy), discretionary annual bonuses and merit increases, Flexible Spending Accounts, 403(b) savings matches, paid time off, career advancement opportunities, and resources to support employee and family well-being. 

NOTE: This range is based on Boston-area data, and is subject to modification based on geographic location.

Equal Opportunity Employer/Disabled/Veterans

According to the FTC, there has been a rise in employment offer scams. Our current job openings are listed on our website and applications are received only through our website. We do not ask or require downloads of any applications, or “apps” job offers are not extended over text messages or social media platforms. We do not ask individuals to purchase equipment for or prior to employment.