Senior Security Engineer – Medical Device Cybersecurity & Compliance

Job Title: Senior Security Engineer – Medical Device Cybersecurity & Compliance

Experience Level: 5-10 years

Key Responsibilities:

• Drive end-to-end cybersecurity integration across the medical device product development life cycle, ensuring security is embedded from concept to release.
• Develop and maintain cybersecurity for medical products, including security requirements specifications, risk assessments, threat models, and product security architecture documentation.
• Conduct thorough gap assessments to evaluate compliance with IEC 81001-5-1, IEC 60601-4-5, AAMI TIR 57, and AAMI TIR 97 standards, and implement remediation measures.
• Perform hands-on vulnerability assessments, penetration testing, and secure code reviews of embedded devices, IoMT (Internet of Medical Things) components, and connected systems.
• Collaborate closely with development, compliance, and regulatory teams to ensure product security measures meet both internal security policies and external regulatory expectations.
• Support SBOM management, software supply chain risk evaluations, and third-party component analysis to maintain software transparency and mitigate risks.
• Provide expert input on secure communication protocols, encryption standards, data protection for both at-rest and in-transit data, and cloud-based connectivity of medical systems.
• Assist in developing incident response strategies and bring working knowledge of HIPAA, GDPR, and HL7 to address data privacy and healthcare-specific regulatory concerns.
• Contribute to the continuous enhancement of internal secure development processes, tools, and methodologies, while championing security best practices within product teams.

Required Skills and Qualifications:

• Minimum of 6 years of experience in cybersecurity, including at least 3 years focused on medical devices, embedded systems, or IoT security.

• Proven track record in authoring security design, defining technical requirements, and documenting security architectures aligned with regulatory needs.
• Hands-on experience in embedded system security including secure boot, firmware security, threat modeling techniques (e.g., STRIDE, DREAD), and product-level risk assessments.
• Strong understanding of IEC 81001-5-1, IEC 60601-4-5, AAMI TIR 57, and AAMI TIR 97, along with working knowledge of the medical device product development lifecycle and quality standards like ISO 14971.
• Demonstrated expertise in vulnerability management and penetration testing of connected products across device and cloud ecosystems.
• Familiarity with data privacy and interoperability standards such as HIPAA, GDPR, and HL7 is highly desirable.
• Excellent problem-solving skills, critical thinking, and ability to lead gap analysis and remediation activities in regulated environments.
• Strong collaboration skills with the ability to influence cross-functional teams including R&D, compliance, and product management.