
Principal Med Device Security Engineer

Johnson & Johnson
5 months ago
Remote friendly (Maine, NY)
United States
IT
Principal Product Security Engineer (remote, or onsite in Danvers, MA or Raritan, NJ; up to 10% travel). Owns the Product Security process across pre-market and post-market engineering for the Heart Recovery portfolio (Impella heart pump technologies, cardiac support systems, connected medical devices). Implements the J&J enterprise Product Security strategy and framework, delivering security architecture, cryptographic controls, embedded protections, and threat mitigation for these devices.

Responsibilities:
- Support product security requirements review and recommend security design solutions; complete quality documentation and threat modeling.
- Coordinate third-party penetration testing, software architecture reviews, code analysis, and security testing.
- Post-market: monitor vulnerabilities, support patch/remediation plans, respond to customer security questionnaires, review security language in contracts.
- Drive alignment to Product Security framework.
- Define and implement secure boot, firmware integrity validation, and anti-tamper controls; enforce cryptographic protection of data at rest and in transit in line with FDA cybersecurity guidance, NIST SP 800-175, FIPS 140-3, and IEC 62443.
- Define key management (PKI, HSMs, TPMs, secure enclaves); develop real-time vulnerability assessment for wireless interfaces (Bluetooth LE, NFC, Wi-Fi, 5G, proprietary RF).
- Implement Zero Trust device-to-cloud connectivity (mTLS, continuous authentication); oversee secure OTA updates, including rollback protection, image signing, and supply chain integrity of the update pipeline.
- Lead the SDL (threat modeling, static/dynamic analysis, fuzzing, formal verification); define the hardware security architecture (trust zones, hardware root of trust, secure microcontrollers); implement memory-safety protections for RTOS and bare-metal firmware.

Required:
- 8+ years information security; 5+ years embedded/IoT/medical device cybersecurity; bachelor’s or equivalent.
- Threat modeling (including by hand, without dedicated tooling); risk assessments combining STRIDE threat categorization with CVSS v3.1 or later scoring; writing security requirements; coordinating third-party penetration testing and vulnerability scanning.
- Regulatory submission experience (FDA cybersecurity guidance (2025), EU MDR, NIST SP 800-53, IMDRF, AAMI TIR57); RTOS hardening and cloud security knowledge.
- Generate SBOMs; create pre-/post-market risk assessments; produce medical device security architecture views.
- Translate requirements into solutions; secure coding recommendations/reviews.
- Data privacy (HIPAA, GDPR); standards/certs (HITRUST, ISO 27001).
- Autonomy, leadership, project tracking, and cybersecurity communications.

Preferred:
- Formal security audits; embedded OS experience (QNX, Yocto-built Linux, Ubuntu, Alpine); familiarity with global regulatory submissions.
- Web application and server hardening on AWS/Azure; OWASP Top 10 and blue-team experience; pre-sales support; software development background; CISSP or CISM; master's or other advanced degree.

Benefits (time off): Vacation (120 hrs/yr), Sick time (40 hrs/yr; CO 48; WA 56), Holiday/Floating Holidays (13 days/yr), Work/Personal/Family Time (up to 40 hrs/yr), Parental Leave (480 hrs), Bereavement (240 immediate family; 40 extended), Caregiver Leave (80 hrs/52-week rolling period), Volunteer Leave (32 hrs/yr), Military Spouse Time-Off (80 hrs/yr).