Principal Product Security Engineer (remote or onsite in Danvers, MA or Raritan, NJ; up to 10% travel)
Responsibilities:
- Implement J&J's enterprise Product Security strategy/framework for the Heart Recovery portfolio (Imped/Impella heart pumps, next-gen cardiac support systems, connected devices).
- Deliver security architecture, cryptographic controls, embedded security protections/controls, and threat mitigation across the product lifecycle (pre-market and post-market).
- Review security requirements; recommend and implement security design solutions; complete quality documentation; perform threat modeling; coordinate third-party penetration testing; conduct software architecture reviews; perform code analysis/security testing.
- Post-market: monitor vulnerabilities, assist with patching/remediation, respond to security questionnaires, and review security language in contractual agreements.
- Define/implement secure boot, firmware integrity validation, anti-tamper; enforce crypto for data-at-rest/in-transit (FDA cybersecurity guidance, NIST 800-175, FIPS 140-3, IEC 62443).
- Define key management (PKI, HSMs, TPMs, secure enclave integration); build real-time vulnerability assessment for wireless protocols.
- Implement Zero Trust (mTLS, continuous authentication) for device-to-cloud; oversee secure OTA updates (rollbacks, code signing, supply chain integrity).
- Lead Secure Development Lifecycle (threat modeling, static/dynamic analysis, fuzzing, formal verification); define hardware security architecture (trust zones, HRoT, secure microcontroller protections); implement memory safety strategies.
Required Qualifications:
- 8+ years information security; 5+ years embedded/IoT/medical device cybersecurity.
- Bachelor's degree (or equivalent); ability to generate threat models without tools; perform risk assessments using CVSS 3.1+/STRIDE.
- Write technical security requirements; execute third-party penetration testing/vulnerability scanning; regulatory submission experience (FDA Cybersecurity Guidance 2025, EU MDR, NIST 800-53, IMDRF, AAMI TIR57).
- Knowledge of RTOS hardening and cloud security; generate SBOMs (source/code, binaries, firmware, OS).
- Create pre-/post-market risk assessments; produce security architecture views (global, multi-patient harm, updateability/patchability).
- Translate requirements to solutions; secure coding recommendations/reviews; data privacy (HIPAA, GDPR); standards/certifications (HITRUST, ISO 27001).
- Work autonomously, lead projects, communicate cybersecurity and awareness, creative problem-solving, customer focus, strong collaboration/leadership.
Preferred Qualifications:
- Formal security audit experience; OS experience (QNX, Yocto, Linux, Ubuntu, Alpine); familiarity with global regulatory submission processes.
- Web/app and server hardening (AWS/Azure), OWASP Top 10, blue teaming; cybersecurity pre-sales; software development; CISSP/CISM or other certifications; MS/advanced degree.
Benefits (time off):
- Vacation: 120 hours/year; Sick: 40 hours/year (CO: 48; WA: 56); Holiday pay incl. floating: 13 days/year; Work/Personal/Family: up to 40 hours/year; Parental leave: 480 hours; Bereavement: 240 hours immediate family (40 extended); Caregiver leave: 80 hours in 52-week period; Volunteer leave: 32 hours/year; Military spouse time-off: 80 hours/year.