Product Security Officer - Medical Device
Listed on 2026-03-01
IT/Tech - Cybersecurity
I represent a medical device company that is close to launching its new cutting-edge infusion pump. This device is a touch-screen-driven system that connects to hospital networks via Wi-Fi and incorporates advanced cybersecurity features. It also supports Bluetooth and NFC connectivity. The device uses proprietary vision-based technology to directly measure flow rate.
The initial product launch is focused on medication delivery from IV bags, with subsequent product releases planned to support syringe-based delivery.
We anticipate that this technology will significantly enhance patient safety and advance the infusion device market.
Role Summary:
The Product Security Officer (PSO) is the executive-facing leader responsible for the Total Product Lifecycle (TPLC) security of the infusion platform. This role ensures the pump meets the rigorous FDA Final Guidance (2025) and ISO 14971 standards, serving as the bridge between engineering, the hospital's IT department, and federal regulators.
Key Responsibilities:
Regulatory Leadership: Own the cybersecurity documentation for FDA 510(k)/PMA submissions, ensuring adherence to the 2023/2025 Final Guidance.
Risk Integration: Partner with clinical teams to map technical vulnerabilities to patient safety hazards under ISO 14971.
System Architecture: Lead threat modeling across the pump ecosystem, including embedded firmware, Wi-Fi/BLE stacks, and drug library management apps.
Lifecycle Management: Oversee the Software Bill of Materials (SBOM), Coordinated Vulnerability Disclosure (CVD), and secure Over-the-Air (OTA) update policies.
Governance: Establish a Secure SDLC, ensuring security is "baked in" from design to post-market surveillance.
What You Need To Bring:
Experience: 7+ years in cybersecurity, with a focus on regulated hardware (Med Tech, Aerospace, or Automotive).
Regulatory Mastery: Deep knowledge of the PATCH Act, AAMI TIR 57, and IEC 81001-5-1.
Technical Depth: Familiarity with hardware Root of Trust, mTLS, and secure boot processes.
Communication: The ability to explain complex security risks to both a Software Engineer and a Hospital CISO.
Minimum Qualifications:
Bachelor's degree in Computer Science, Electrical/Electronics Engineering, or Cybersecurity.
Core Experience: 7–10+ years in cybersecurity or product security.
Domain Expertise: At least 3–5 years specifically within Medical Devices (Class II or III). Experience with infusion pumps or other bedside "connected" hardware is a massive plus.
Regulatory Track Record: Proven experience taking a product through FDA 510(k) or PMA submissions, specifically authoring the cybersecurity management sections.
Critical Technical Skills:
Threat Modeling: Mastery of STRIDE or DREAD methodologies applied to hardware/software ecosystems.
Risk Management: Expert-level knowledge of ISO 14971 and how to translate "cybersecurity bugs" into "clinical patient hazards."
Standards Proficiency: Familiarity with the "Medical Device Security Trinity": AAMI TIR 57/TIR 97 (Risk Management/Post-market) and IEC 81001-5-1 (Security in the software lifecycle).
Secure SDLC: Experience implementing automated security "guardrails" (SAST/DAST/SBOM) in an engineering pipeline.
Preferred Qualifications:
Master's degree in Computer Science, Electrical/Electronics Engineering, or Cybersecurity.
CISSP (Certified Information Systems Security Professional) – The gold standard for security leadership.
CISM (Certified Information Security Manager) – Focuses on governance and risk.
HCISPP (Healthcare Information Security and Privacy Practitioner) – Specific to the
Will consider relocation for the right candidate, but would prefer someone already living in the Buffalo/Rochester, NY area.