Discover a Technology career with real meaning. One that offers the opportunity to showcase your talents, achieve measurable success and gain immense satisfaction by enabling healthier lives everywhere, every day.
Our Information Technology (IT) department is looking for an SME in medical device security and systems to take on a pivotal role in shaping the future of Hologic’s core connected product portfolio and digital transformation. If you possess solid years of industry experience relating to medical devices specifically in their security domains, read on!
As a Principal Connected Medical Device Security Architect, you will be partnering closely with the commercial product development and engineering divisions to build and enhance security in our connected medical device products and services.
You will be given an opportunity to:
- Take ownership of and be the lead architect in constructing the organization-wide connected medical device security program.
- Innovate, strategize, and design technical solutions to solve security challenges in connected medical device architecture, implementation, testing, release, and operations.
- Be a key advisor in establishing connected medical device security standards and processes and defining appropriate program metrics. You will be playing a pivotal role in driving maturity and adoption of the overall program.
- Be a technical partner and implement organization-wide best practices for effective avoidance, identification, and resolution of security weaknesses in our connected medical device products, services, and related processes
Other responsibilities you are signing up for:
- Engage with medical device teams as both advisor and contributing team member to enable building security into complex systems across the entire connected medical device lifecycle (from concept through deployment and use, including conducting security reviews and coordinating penetration testing.
- Lead and Partner with developers and testers in security activities during the connected medical device lifecycle, such as secure design reviews/threat modeling, security code reviews, security test planning, and component security hardening, to identify potential security weaknesses.
- Coordinate and guide the response to security vulnerabilities that are reported by 3rd party researchers or customers against released connected medical device products and services.
- Work closely with other security professionals in the Information Security Team or other groups within Hologic to execute key functions such as secure code signing, secure manufacturing, and secure product operations.
- Interact with development and manufacturing partners to enable the security of connected medical device components in the supply chain.
- Keep abreast of advances in secure system design and development practices, threats and threat actors, and new attack techniques or areas of security research, and provide guidance to the product organizations to help them avoid or mitigate future security concerns.
- Contribute to the risk management process for connected medical device development.
- Perform analysis and execute POCs (Proof of Concepts) or POFs (Proof of Feasibility) initiatives covering connected medical device security and advanced cryptography
What do we expect?
- Experience working with digital platforms, cloud, mobile, and/or embedded/IoT device ecosystems
- Experience in software medical device development classified as Class and/or Class 3 medical device
- Demonstrated applied expertise in FDA design control requirements (21 CFR 820.30) as applied to medical device software and medical device regulations including ISO 13485, ISO 14971:2019, “AAMI TIR57, Cybersecurity, IEC 62366, and IEC 62304
- Demonstrated applied expertise in writing architecture and design specifications for Class 2 and/or Class 3 software-based medical device software with compliance to IEC 62304
- Thread Modeling & Scoring (STRIDE, Microsoft SDL, DREAD, CVSS)
- Demonstrated applied expertise with Software FMEA process, and secure software/systems development lifecycle experience (OpenSAMM, CMMI-Dev)
- Code Analysis (SAST & DAST)
- Knowledge of common security standards and best practices, such as NIST 800-53/800-160/1800-30, ISO 270xx, CWE, CVSS, OWASP Top 10, CERT Secure Coding Standards.
- Experience with Cryptographic Libraries (EX: wolfssl/openssl)
- Core knowledge Public Key Infrastructure (PKI) architecture, use cases, components, and Hardware Security Devices
- Experience leading secure architecture, design, and code reviews.
- Direct development experience in languages including C/C++ (x86 or ARM), Python, and Java; Go or Swift experience desirable.
- Experience with CI/CD tools and practices
- Experience in Waterfall, Agile, DevOps, and/or V-Model development methodologies
- Experience with any of the application security tools as SonarQube, Fortify, Clang preferred
- Experience using CIS Security benchmarks or US DISA Security Technical Implementation Guides
- Prior or current involvement in industry security initiatives such as IETF, OWASP, ISO, CWE, BSIMM, Cloud Security Alliance, or any open-source project related to security
- Experience with the Industrial or Consumer Internet of Things (IoT) products
Other demonstrable knowledge and experience include Structured Modeling (Data flow diagrams (DFDs), Swim Lanes, State Diagrams, Attack Trees, Kill Chains, Cyber Attach Lifecycles, MITRE ATT&CK Framework / D3FEND Knowledge Graph); Familiarity with SaMD development; Familiarity with health and data privacy regulations; System security engineering; Embedded device security; Application or system hardening; Security Testing / Penetration Testing; Mobile application security; Cloud security; Cryptography; Forensics or reverse engineering;
Other desired skills:
- Experience with scripting (PowerShell, Python)
- Familiar with NIST CSF, ISO27001, and other security standards
- Experience in leading risk assessments
- Experience in participating in IT Security audits and remediating findings
- Experience with configuration languages / IaC: Terraform, Azure DevOps
- One or more of the following certifications:
- Certified Software Security Lifecycle Professional (CSSLP)
- Certified Information Systems Security Professional (CISSP)
- SANS GIAC Certified Incident Handler (GCIH)
- SANS GIAC Certified Penetration Tester (GPEN)
- Certified Information Privacy Professional (CIPP)
- HealthCare Information Security and Privacy Practitioner (HCISPP)
We are committed to making Hologic the company where top talent comes to grow. For you to succeed, we want to enable you with the tools and knowledge required and so we provide comprehensive training when you join as well as continued development and training throughout your career.
We offer a competitive salary and annual bonus scheme, and one of our Talent Partners would be happy to discuss this in more detail with you.
If you have the right skills and experience, apply today!
Agency and Third Party Recruiter Notice:
Agencies that submit a resume to Hologic must have a current executed Hologic Agency Agreement executed by a member of the Human Resource Department. In addition Agencies may only submit candidates to positions for which they have been invited to do so by a Hologic Recruiter. All resumes must be sent to the Hologic Recruiter under these terms or they will not be considered.
Hologic, Inc. is proud to be an Equal Opportunity Employer inclusive of disability and veterans.
- Address Marlborough, MA, USA
- Salary Offer $100.000 ~
- Experience Level Senior
- Total Years Experience 0-5