Job Description Summary

As a Staff Product Security Engineer within PCS Service Technology Team, you will be cybersecurity focal point for secure product development and maintenance of released products.

We are looking for a person with strong technical acumen in Cybersecurity, preferably a person who has knowledge / expertise in device security, traditional hospital on-premises architecture and Cloud. You will provide Leadership on Cybersecurity by working with the product teams and the Global teams and help define the cybersecurity strategy for PCS Service Technology solutions/products.

GE Healthcare is a leading global medical technology and digital solutions innovator. Our mission is to improve lives in the moments that matter. Unlock your ambition, turn ideas into world-changing realities, and join an organization where every voice makes a difference, and every difference builds a healthier world.

Job Description

Job Description

Roles and Responsibilities:

1. Provide privacy and security technical expertise in support of the product team throughout product development, design change, and life- cycle management.

2. Work with the Product Security Leader (PSL) to support the product team with process expertise for the GE HealthCare-GEHC Product Cybersecurity Standard and life-cycle management.

3. Product cybersecurity development responsibilities:

•   Assess the privacy and cybersecurity state of the product and define product roadmap features/enhancements with stakeholder approval

•   Responsible for security architecture and coordination of product development for cybersecurity features and enhancements

•   Own/create Threat models, Security Risk Assessment, Privacy Impact Assessment and other required Product Security / DEPS deliverables for PCS Service Technology products/platforms

•   Assess product components and SBoM integrated into the product

•   Perform defect management for cybersecurity issues

•   Identify operational responsibilities and adherence to cloud standards for cloud- based products

•   Responsible for Product and Security Manual and MDS2 documentation

4. In coordination with the PSL, own and deliver GEHC Product Cybersecurity Standard artifacts, which includes:

•   Design input activities to identify, evaluate, roadmap, and drive cybersecurity and privacy features and enhancements within product development programs

•   Create Design Engineering Privacy and Security (DEPS) artifacts for privacy and security risk assessments to engage in domain-specific product threat modeling, attack surface analysis, risk management and reduction

•   Coordinates with the PSL to support the product team in scheduling and performing vulnerability scans and cybersecurity assessments

•   Lead product Security Technical Design Reviews

•   Along with the product Lead System Designer (LSD), responsible for the GEHC Product Cybersecurity Standard compliance and other pertinent standards and process.

5. Stay current on healthcare privacy trends and regulatory environment (i.e. FDA, HIPAA, GDPR, etc.) to effectively communicate privacy awareness with the product team.

6. Work with the GEHC Product Security team and QARA on released product life-cycle, including:

•   Participate in post-market product vulnerability monitoring

•   Participate as a Subject Matter Expert to determine product vulnerability impact, investigation, and risk assessment.

•   Responsible for product vulnerability mitigation and design change.

•   Responsible for GEHC vulnerability tool update to ensure accurate customer communication.

7. Address customer and Sales RFP privacy and security feedback/questions.

8. Provide technical expertise on customer concerns, complaints, and CSO escalations.

9. Create/Maintain responsible product records within GEHC product cybersecurity tools.

10. Active involvement in DoD RMF submission process and maintenance.

Required Qualifications:

•   Bachelor’s degree in engineering

•   8+ years of development and security experience which includes application security, mobile security, network security, OS security and Cloud Security.

•   Product/Information security experience in all phases of service/product development and deployment including architecture, design, development, testing and deployment.

•   Experience in designing security solutions.

•   Hands-on experience in execution and review of Static & Dynamic Code Analysis reports and ability to discuss with development teams for true positives.

•   Strong knowledge of secure software development lifecycle and practices such as threat modelling, security reviews, penetration tests, and security incident response

•   Experience and knowledge of penetration testing methodologies and tools.

•   Conducting information security analyses, audits, and reviews

•   Willingness to learn new technologies and work on security for varied products.

•   Strong interpersonal skills with the ability to facilitate diverse groups, help negotiate priorities, and resolve conflicts among project stakeholders

•   Sound security engineering knowledge (technical) so as to work collaboratively with the Tech Leads and software/products architects to ensure secure products.

•   Knowledge of information system architecture and security controls (e.g., firewall, specialized appliances)

•   Sound understanding of Cryptography, various Encryption Algorithms, Code Signing, Public key Infrastructure (PKI) and Certificate Authority (CA), OAUTH authentication, 2FA

Desired Characteristics:

•    Hands on Experience with AWS services; AWS Solution Architect – Associate certification.

•   Experience in Rest API, Kubernetes and container security assessments

•   Experience of Information security assessment in healthcare sector.

•   Exposure to privacy requirements

•   Understanding of security by design principles and architecture level security concepts

•   Up to date knowledge of current and emerging security threats and techniques for exploiting security vulnerabilities

•   Ability to relate cyber security incidents from cross-industries.

•   Good to have security certifications like OSCP/CCSP/CISSP

Additional Information