Responsibilities
- Design and implement infrastructure protections across our cloud and endpoint environments, including AWS security tooling, Google Workspace, and laptop MDM.
- Lead our HITRUST r2 certification project and ensure ongoing compliance with FDA medical device cybersecurity requirements.
- Build and maintain automated audits to validate IAM policies, VPN configurations, infrastructure settings, and PHI data access.
- Collaborate with engineers to protect both production and critical internal systems using tools such as rate limiting, autoscaling, and anomaly detection.
- Work with technical management to encourage secure SDLC practices (e.g., secrets management and CI/CD hardening).
- Configure and operate runtime alerting for suspicious behavior using tools like Datadog and Nightfall, and respond to potential threats.
- Own the vulnerability management lifecycle — coordinating penetration tests, configuring automated scans, triaging findings, coordinating reviews, and driving timely remediation.
- Maintain and evolve internal security policies and lead IT/security onboarding, training, offboarding, and endpoint protection.
- Communicate with health system clients and internal teams about our security practices, and review the security implications of new integrations and deployments.
- Develop threat models and perform and maintain security risk assessments to identify weaknesses in company systems.
- Coordinate with development teams and Regulatory/Quality teams to implement security controls that reduce risk, improve security, and maintain agility and usability.
Requirements
- 5+ years of experience in security operations, infrastructure security, or cloud security roles.
- Deep familiarity with AWS security tooling and cloud networking.
- Hands-on experience with endpoint management tools and security automation.
- Experience conducting or supporting audits for HITRUST, SOC 2, or similar frameworks.
- Deep understanding of securing sensitive healthcare data (PHI/PII) in cloud environments.
- Excellent written and verbal communication skills.
- Excited to work in a fast-paced, remote-first startup.
Nice to Have
- Experience securing systems in healthcare, life sciences, or similarly regulated industries.
- Familiarity with HIPAA, HITECH, and HITRUST frameworks.
- Experience with FDA cybersecurity guidance or medical device security standards (e.g., premarket guidance, postmarket management).
- Knowledge of AAMI TIR-57, IEC 81001-5-1, or other medical product security standards.
- Experience implementing SIEM or XDR solutions (e.g., Datadog, Splunk, Sentinel).
- Track record of setting up scalable, automated security operations in a highly sensitive security environment.
