iRhythm Technologies, Inc. is a leading digital healthcare company focused on providing innovative cardiac health solutions. They are seeking a Product Security Manager to ensure the protection of patient data and device integrity while ensuring compliance with regulatory requirements throughout the product lifecycle.
Responsibilities:
- Ensure compliance with FDA cybersecurity guidance and regulations in collaboration with Cybersecurity, Regulatory, Quality, and Systems Development teams
- Conduct comprehensive security risk assessments, including Cybersecurity Risk Assessments (CSRAs), to identify vulnerabilities and threats across device hardware, firmware, software, and cloud components
- Develop and maintain device-specific cyber threat models, factoring in patient safety, data privacy, and operational continuity
- Demonstrate familiarity with Software Bill of Materials (SBOM) and effectively communicate technical details
- Create and maintain cybersecurity documentation for pre- and post-market activities, ensuring regulatory alignment
- Produce detailed data flow diagrams to support the threat modeling process
- Participate in design reviews of medical device architectures and implementations, providing actionable recommendations for system security requirements
- Perform and support vulnerability analysis and coordinate the vulnerability management program, including scanning, patching, and remediation for medical devices
- Leverage and maintain application and threat detection tools (Veracode, Snyk, GitLab, or equivalent) to identify security flaws early in the SDLC
- Support investigation and remediation of device-related security incidents, minimizing impact and preventing recurrence
- Partner with the Privacy Team to ensure adherence to HIPAA, GDPR, and other data protection regulations
Requirements:
- Bachelor's degree in Computer Science, Information Security, or related field
- 6+ years of experience in information security, with direct focus on product security for medical devices
- Strong understanding of security principles, methodologies, and tools within the PDLC and SDLC
- Demonstrated experience conducting Cybersecurity Risk Assessments (CSRAs), vulnerability analysis, and working with modern threat detection tools (Veracode, Snyk, GitLab, or similar)
- Familiarity with NIST Cybersecurity Framework, NIST SP 800-171, and deeper controls/frameworks such as NIST SP 800-53 (Security and Privacy Controls), NIST SP 800-92 (Log Management), and NIST SP 800-63 (Digital Identity Guidelines)
- Hands-on experience with vulnerability identification and threat modeling within healthcare using methodologies such as STRIDE
- Experience operating in a regulated environment (FDA, HIPAA, GDPR, international regulatory frameworks)
- Experience with medical device hardware or Software as a Medical Device (SaMD)
- Experience with medical device software development and regulatory processes
- Excellent problem-solving, analytical, and communication skills, able to take a multi-siloed approach
- Ability to understand the interdependencies of teams across mobile applications, hardware, and cloud environments
- Demonstrated experience supporting 510(k) submissions, with a focus on product security documentation, risk assessments, and regulatory compliance
- Industry certifications such as CISSP, CISM, CISA, or medical device security–specific certifications
- Experience with international frameworks and standards (EU MDR, JIS T 2304 / IEC 62304)
- Understanding of penetration testing methodologies and tools, able to work with pen test teams independently with little guidance
- Proficiency with programming languages and technologies commonly used in medical device development