Technical Fellow, Product Security - Remote US

Posted about 13 hours ago

💎 Seniority level: Senior, 15+ years

📍 Location: United States

💸 Salary: 167700.0 - 289800.0 USD per year

🔍 Industry: Software Development

🗣️ Languages: English

⏳ Experience: 15+ years

🪄 Skills: AWS, Leadership, Bash, Cybersecurity, Embedded Systems, Software Architecture, Assembler, C++, Cross-functional Team Leadership, API testing, CI/CD, C (Programming language), Agile methodologies, Mentoring, Compliance, Risk Management, Data analytics

Requirements:
  • Expertise in secure microcontroller architectures and hardware security modules (HSMs).
  • Understanding of PKI, TLS 1.3, and cryptographic primitives used in medical devices.
  • Strong background in threat modeling for cybersecurity, and security analytics in medical devices and digital medical device ecosystems.
  • Experience with secure OTA updates, SBOM automation, and FDA cybersecurity premarket/post market processes.
  • Security certifications such as CISSP, CSSLP, OSCP, CEH, or GIAC GICSP are highly preferred.
Responsibilities:
  • Play a critical role in shaping Abiomed’s cybersecurity strategy and influencing senior leadership to ensure security is a core component of business and technology decisions.
  • Articulate the importance of cybersecurity as a business enabler, aligning security investments with Abiomed’s innovation roadmap and patient safety goals.
  • Provide cybersecurity briefings to Abiomed heart recovery global management board and senior leadership, emphasizing risk management, regulatory compliance, and industry trends.
  • Translate technical cybersecurity risks into business risks, ensuring leadership understands the financial, operational, and reputational impact of security decisions.
  • Advocate for product security funding and resource allocation, ensuring product security is embedded in R&D budgets and technology roadmaps.
  • Act as the technical cybersecurity thought leader, engaging with executives, regulatory agencies, and global cybersecurity consortia to shape medical device security best practices.
  • Mentor and upskill internal teams, fostering a security-first engineering culture.
  • Architect end-to-end security solutions for implantable, wearable, and external cardiac assist devices, ensuring protection from cyber threats across embedded, edge, cloud, and mobile ecosystems.
  • Define and implement secure boot, firmware integrity validation, and anti-tamper mechanisms to protect Impella firmware against unauthorized modification.
  • Enforce cryptographic protocols for data-at-rest and data-in-transit, ensuring compliance with NIST 800-175, FIPS 140-3, IEC 62443, and FDA cybersecurity requirements.
  • Design key management infrastructure (PKI, HSMs, TPMs, and secure enclave integration) for device identity, authentication, and software signing.
  • Lead Secure Development Lifecycle practices, integrating threat modeling, static/dynamic analysis, fuzz testing, and formal verification into the development process.
  • Define hardware security architecture, including trust zones, hardware root of trust (HRoT), and secure microcontroller protections.
  • Implement memory safety strategies to mitigate buffer overflows, side-channel attacks, and execution vulnerabilities in real-time operating systems (RTOS) and bare-metal firmware.
  • Use J&J’s ISRM Product Security framework to ensure a structured, risk-based approach to identifying, assessing, mitigating, monitoring and resolving cybersecurity threats across the medical device total product lifecycle.
  • Utilize the MITRE CVSS rubric for medical devices and structured threat modeling methodologies (STRIDE) to assess vulnerabilities, prioritize risks based on clinical impact, and implement proactive security controls.
  • Develop real-time vulnerability assessment techniques for detecting security flaws in wireless communications (Bluetooth LE, NFC, Wi-Fi, 5G, proprietary RF) used in Abiomed’s devices.
  • Implement Zero Trust security for device-to-cloud connectivity, integrating mTLS, OAuth2, and continuous authentication models into clinical applications.
  • Oversee secure OTA (over-the-air) update mechanisms, ensuring firmware rollbacks, code signing, and supply chain integrity validation.
  • Lead regulatory security submissions, ensuring compliance with FDA Cybersecurity Guidance (2023), EU MDR, NIST 800-53, IMDRF, and AAMI TIR57.
  • Ensure post-market cybersecurity monitoring and SBOM management strategies, integrating real-time CVE tracking, AI-driven anomaly detection, and automated patch validation.
  • Oversee Product Security Incident Response for real-time incident response, forensic analysis, and coordinated vulnerability disclosure.