Senior Product Security Engineer

iRhythm Technologies, Inc.
Remote

About The Position

We are seeking a Senior Product Security Engineer with medical device experience who will ensure robust protection of patient data, device integrity, and regulatory compliance. In this role, you will partner with engineering, product management, regulatory, quality, and privacy teams to embed security across the product lifecycle and drive continuous improvement in alignment with FDA cybersecurity and product security requirements.

Requirements

  • Bachelor’s degree in Computer Science, Information Security, or related field.
  • 6+ years of experience in information security, with direct focus on product security for medical devices.
  • Strong understanding of security principles, methodologies, and tools within the PDLC and SDLC.
  • Demonstrated experience conducting Cybersecurity Risk Assessments (CSRAs), vulnerability analysis, and working with modern threat detection tools (Veracode, Snyk, GitLab, or similar).
  • Familiarity with NIST Cybersecurity Framework, NIST SP 800-171, and deeper controls/frameworks such as NIST SP 800-53 (Security and Privacy Controls), NIST SP 800-92 (Log Management), and NIST SP 800-63 (Digital Identity Guidelines).
  • Hands-on experience with vulnerability identification and threat modeling within healthcare using methodologies such as STRIDE.
  • Experience operating in a regulated environment (FDA, HIPAA, GDPR, international regulatory frameworks).
  • Experience with medical device hardware or Software as a Medical Device (SaMD).
  • Experience with medical device software development and regulatory processes.
  • Excellent problem-solving, analytical, and communication skills, able to take a multi-siloed approach.
  • Ability to understand the interdependencies of teams across mobile applications, hardware, and cloud environments.
  • Demonstrated experience supporting 510(k) submissions, with a focus on product security documentation, risk assessments, and regulatory compliance.

Nice To Haves

  • Industry certifications such as CISSP, CISM, CISA, or medical device security–specific certifications.
  • Experience with international frameworks and standards (EU MDR, JIS T 2304 / IEC 62304).
  • Understanding of penetration testing methodologies and tools; able to work with pen test teams independently with little guidance.
  • Proficiency with programming languages and technologies commonly used in medical device development.

Responsibilities

  • Ensure compliance with FDA cybersecurity guidance and regulations in collaboration with Cybersecurity, Regulatory, Quality, and Systems Development teams.
  • Conduct comprehensive security risk assessments, including Cybersecurity Risk Assessments (CSRAs), to identify vulnerabilities and threats across device hardware, firmware, software, and cloud components.
  • Develop and maintain device-specific cyber threat models, factoring in patient safety, data privacy, and operational continuity.
  • Demonstrate familiarity with Software Bill of Materials (SBOM) and effectively communicate technical details.
  • Create and maintain cybersecurity documentation for pre- and post-market activities, ensuring regulatory alignment.
  • Produce detailed data flow diagrams to support the threat modeling process.
  • Participate in design reviews of medical device architectures and implementations, providing actionable recommendations for system security requirements.
  • Perform and support vulnerability analysis and coordinate the vulnerability management program, including scanning, patching, and remediation for medical devices.
  • Leverage and maintain application and threat detection tools (Veracode, Snyk, GitLab, or equivalent) to identify security flaws early in the SDLC.
  • Support investigation and remediation of device-related security incidents, minimizing impact and preventing recurrence.
  • Partner with the Privacy Team to ensure adherence to HIPAA, GDPR, and other data protection regulations.

Benefits

  • Estimated Pay Range $127,000.00 - $165,000.00