Role: Security & compliance leadership
Scope
Connected medical devices face a dual compliance burden: HIPAA for any system that touches protected health information, and FDA pre- and post-market cybersecurity guidance for the device itself. The program addressed both simultaneously, covering:
- HIPAA compliance: administrative, physical, and technical safeguards; Business Associate Agreement management; breach notification procedures; risk analysis and risk management per the Security Rule.
- Pre-market cybersecurity: threat modeling during design, security risk management integrated into the ISO 14971 process, software bill of materials (SBOM) per IEC 62304 requirements, and security testing as part of design verification.
- Post-market cybersecurity: vulnerability monitoring, coordinated disclosure procedures, patch management, and security update documentation for regulatory files.
- Access control and encryption: role-based access, data-at-rest and in-transit encryption, and audit logging to satisfy both 21 CFR Part 11 and HIPAA audit controls.
Role
Security and compliance leadership across the medical-device programs at Sensus Healthcare: built and maintained the security and HIPAA compliance infrastructure as devices became increasingly connected, expanding from standalone devices to networked systems with EMR integration and remote service capabilities.
Standards
The program was designed to align with ISO 13485 (quality management), 21 CFR Part 11 (electronic records and signatures), 21 CFR Part 820 (design controls), IEC 62304 (software lifecycle), and FDA cybersecurity guidance (both the 2014 pre-market and 2022 updated pre-market draft guidance).
TODO(nick): supply the specific program(s), scope, and measurable outcomes.