iRhythm Technologies, Inc. is shaping a future where everyone can access the best possible cardiac health solutions. They are seeking a Senior Product Security Engineer to ensure robust protection of patient data and device integrity while driving compliance with FDA cybersecurity requirements.
Responsibilities:
- FDA Cybersecurity Compliance: Ensure compliance with FDA cybersecurity guidance and regulations in collaboration with Cybersecurity, Regulatory, Quality, and Systems Development teams
- Risk Assessments & CSRAs: Conduct comprehensive security risk assessments, including Cybersecurity Risk Assessments (CSRAs), to identify vulnerabilities and threats across device hardware, firmware, software, and cloud components
- Threat Modeling: Develop and maintain device-specific cyber threat models, factoring in patient safety, data privacy, and operational continuity
- SBOM Management: Demonstrate familiarity with Software Bill of Materials (SBOM) and effectively communicate technical details
- Security Documentation: Create and maintain cybersecurity documentation for pre- and post-market activities, ensuring regulatory alignment
- Data Flow Diagrams: Produce detailed data flow diagrams to support the threat modeling process
- Security Design Reviews: Participate in design reviews of medical device architectures and implementations, providing actionable recommendations for system security requirements
- Vulnerability Analysis & Management: Perform and support vulnerability analysis and coordinate the vulnerability management program, including scanning, patching, and remediation for medical devices
- Threat Detection Tools: Leverage and maintain application and threat detection tools (Veracode, Snyk, GitLab, or equivalent) to identify security flaws early in the SDLC
- Incident Response: Support investigation and remediation of device-related security incidents, minimizing impact and preventing recurrence
- Data Privacy Compliance: Partner with the Privacy Team to ensure adherence to HIPAA, GDPR, and other data protection regulations
Requirements:
- Bachelor's degree in Computer Science, Information Security, or related field
- 6+ years of experience in information security, with direct focus on product security for medical devices
- Strong understanding of security principles, methodologies, and tools within the PDLC and SDLC
- Demonstrated experience conducting Cybersecurity Risk Assessments (CSRAs), vulnerability analysis, and working with modern threat detection tools (Veracode, Snyk, GitLab, or similar)
- Familiarity with NIST Cybersecurity Framework, NIST SP 800-171, and deeper controls/frameworks such as NIST SP 800-53 (Security and Privacy Controls), NIST SP 800-92 (Log Management), and NIST SP 800-63 (Digital Identity Guidelines)
- Hands-on experience with vulnerability identification and threat modeling within healthcare using methodologies such as STRIDE
- Experience operating in a regulated environment (FDA, HIPAA, GDPR, international regulatory frameworks)
- Experience with medical device hardware or Software as a Medical Device (SaMD)
- Experience with medical device software development and regulatory processes
- Excellent problem-solving, analytical, and communication skills; able to work across multiple organizational silos
- Ability to understand the interdependencies between teams across mobile applications, hardware, and cloud environments
- Demonstrated experience supporting 510(k) submissions, with a focus on product security documentation, risk assessments, and regulatory compliance
- Industry certifications such as CISSP, CISM, CISA, or medical device security-specific certifications
- Experience with international frameworks and standards (EU MDR, JIS T 2304 / IEC 62304)
- Understanding of penetration testing methodologies and tools; able to work with pen test teams independently with little guidance
- Proficiency with programming languages and technologies commonly used in medical device development