Boston Scientific

Boston Scientific is hiring: Principal Cybersecurity Engineer in Maple Grove

Boston Scientific, Maple Grove, MN, US, 55311


Principal Cybersecurity Engineer

Boston Scientific is seeking an experienced Principal Cybersecurity Engineer with a strong background in the design, development, and testing of cybersecurity features and controls in a regulated industry. This individual will be responsible for overseeing and guiding the cybersecurity strategy throughout the product lifecycle, ensuring compliance with relevant standards and regulations.

Be a part of the Interventional Cardiology team, one of Boston Scientific's most product-diverse divisions, supporting R&D in the design of exciting new products and business development activities. These products adhere to industry standards and include computing devices, single-use devices, and support devices. At Boston Scientific, we value collaboration and synergy. This role follows a hybrid work model, requiring employees to be in our Maple Grove, MN office at least three days per week.

Your responsibilities will include:

  • Interpret and apply relevant cybersecurity standards and regulations (e.g., FDA/CMDE/MDCG Cybersecurity Guidance, IEC 62443, ISO 14971, HIPAA, GDPR) to ensure product compliance.
  • Stay current with emerging regulations and standards related to medical device security (e.g., FDA Premarket Guidance, Post-market Cybersecurity Guidance).
  • Collaborate with product development teams to embed security controls throughout the design, development, and maintenance phases.
  • Lead threat modeling and security risk assessments across the organization, identifying and evaluating potential threats and vulnerabilities.
  • Elicit and define product security needs and requirements; define product security architectures and design specifications, and verification and validation strategies.
  • Conduct vulnerability assessments, fuzzing and penetration testing to identify and mitigate risks.
  • Establish best practices and processes for secure coding, configuration management, and patching.
  • Develop and implement risk mitigation strategies and maintain risk management documentation.
  • Oversee and enhance incident response plans and processes, ensuring rapid and effective resolution of security incidents.
  • Drive continuous improvement of vulnerability management, including the evaluation and deployment of necessary patches or updates.
  • Work closely with internal stakeholders (Software Development, Quality, Regulatory, IT, etc.) to align security goals and requirements.
  • Present cybersecurity findings, reports, and recommendations to senior leadership, regulators, and external auditors.

Required qualifications:

  • Bachelor's or master's degree in Cybersecurity, Computer Science, Computer Engineering, or a related field.
  • 9+ years of experience in cybersecurity engineering, with a focus on product development and risk management.
  • Proven experience leading security design and architecture reviews for complex, embedded medical devices or similar technologies.
  • Demonstrated track record of creating and executing security risk assessments and mitigation strategies.
  • In-depth understanding of cybersecurity frameworks (e.g., NIST Cybersecurity Framework).
  • Understanding of privacy regulations (HIPAA, GDPR) and their intersection with medical device cybersecurity.
  • Strong leadership, decision-making, and team-building capabilities.
  • Excellent written and verbal communication skills for interfacing with technical teams, stakeholders, and executive leadership.
  • Ability to work collaboratively across multidisciplinary teams, bridging gaps between technical, regulatory, and business functions.

Preferred qualifications:

  • 5+ years of experience working in the medical device industry or a similarly regulated environment; security architecture or medical device administration experience in healthcare settings is also a plus.
  • Hands-on experience with secure coding practices, vulnerability scanning tools, fuzzing, and penetration testing methodologies.
  • Knowledge of embedded systems security, wireless communications, network protocols, and PKI.
  • Familiarity with FDA regulations and guidance documents for medical devices (e.g., 21 CFR Part 820).
  • Working knowledge of SW96/TIR57/TIR97, IEC 62304 (software lifecycle), IEC 60601 (electrical safety), and ISO 14971 (risk management).
  • Experience supporting VA Handbook 6500 compliance and ISO/IEC 27001 certification.
  • Relevant certifications (e.g., GIAC, OffSec, CISSP, CISM, CRISC) are a plus.

Compensation will be commensurate with the demonstrable level of experience and training, pertinent education including licensure and certifications, and other relevant business or organizational needs.