Principal Med Device Security Engineer

Johnson & Johnson
June 27, 2026
Remote friendly (Spruance City, DE)
United States
IT
Principal Product Security Engineer (MedTech cybersecurity)

Location/Work model: Remote-based or onsite in Danvers, MA or Raritan, NJ; up to 10% travel.

Responsibilities / Role scope
- Own implementation of J&J’s enterprise Product Security strategy and framework across the Heart Recovery medical device portfolio and supporting platforms.
- Deliver security architecture, cryptographic controls, embedded protections/controls, and threat mitigation across the product lifecycle (pre-market and post-market).
- Support development phases: review security requirements and recommend designs, complete quality documentation, perform threat modeling, coordinate third-party penetration testing, and provide software architecture and code/security testing recommendations.
- Post-market: monitor vulnerabilities, support patching/remediation, respond to customer security questionnaires, and review security language in contractual agreements.
- Drive secure boot, firmware integrity validation, and anti-tamper mechanisms.
- Enforce cryptographic protocols for data-at-rest and data-in-transit (FDA cybersecurity requirements, NIST 800-175, FIPS 140-3, IEC 62443).
- Define key management infrastructure (PKI, HSMs, TPMs, secure enclave integration).
- Develop vulnerability assessment techniques for wireless communications (Bluetooth LE, NFC, Wi-Fi, 5G, proprietary RF).
- Implement Zero Trust for device-to-cloud connectivity (mTLS, continuous authentication) for clinical applications.
- Oversee secure OTA updates (rollback protection, code signing, supply chain integrity).
- Lead Secure Development Lifecycle (threat modeling, static/dynamic analysis, fuzz testing, formal verification).
- Define hardware security architecture with trust zones/HRoT and secure microcontroller protections; implement memory safety mitigations for RTOS/bare-metal firmware.

Required qualifications
- 8+ years in information security; 5+ years in embedded/IoT/medical device cybersecurity; Bachelor’s degree or equivalent.
- Threat modeling without tools; risk assessments using CVSS 3.1+ with STRIDE.
- Write security requirements; execute third-party penetration testing and vulnerability scanning.
- Regulatory submissions/compliance (FDA Cybersecurity Guidance 2025, EU MDR, NIST 800-53, IMDRF, AAMI TIR57).
- OS hardening and cloud security knowledge; generate SBOMs and pre/post-market risk assessments (STRIDE, SCA SBOM scans).
- Create security architecture views (Global System, Multi-Patient Harm, updateability/patchability) and translate requirements into solutions.
- Secure coding recommendations/reviews; data privacy (HIPAA, GDPR); knowledge of HITRUST/ISO 27001.
- Autonomy, leadership, project tracking; create security awareness communications; creative problem-solving; strong collaboration/influence.

Preferred qualifications
- Formal security audits; experience with QNX QOS, Yocto, Linux (Ubuntu/Alpine).
- Familiarity with FDA/global regulatory cybersecurity submission; web/server hardening (AWS/Azure), OWASP Top 10, blue teaming.
- Cybersecurity pre-sales; software development experience; CISSP/CISM or other cert; MS/advanced degree.

Benefits (time off)
- Vacation: 120 hours/year
- Sick time: 40 hours/year (Colorado: 48; Washington: 56)
- Holiday pay including floating holidays: 13 days/year
- Work/Personal/Family time: up to 40 hours/year
- Parental leave: 480 hours
- Bereavement: 240 hours (immediate) / 40 hours (extended)
- Caregiver leave: 80 hours (52-week rolling)
- Volunteer leave: 32 hours
- Military spouse time-off: 80 hours/year