Sr. Technology Risk Assessor Consultant – Medical Device / IoT Cybersecurity – ITmPowered
Serve as Sr. Technology Risk Assessor Consultant on behalf of Technology Risk Management organization in support of national Technology Risk Management program for Medical Device / IoT Cybersecurity. Technology Risk consultant helping the medical device cybersecurity program and clinical healthcare technology group understand the cyber and regulatory landscape and how best to align with cyber, privacy and industry framework requirements including but not limited to: NIST CSF, NIST SP 800-53, HIPAA/HITECH, FDA cybersecurity, Cyber Executive Orders, etc. Help build an effective Medical Device cybersecurity risk management program that helps the Hospital Network Clinical Technology group manage the risks against control framework commitments, regulatory obligations, and cyber threats to their Board/stakeholders.
Responsibilities:
- Perform Medical Device cyber risk assessments to determine whether NIST Controls, HIPAA, regulatory and cybersecurity requirements are being effectively met through control design and execution.
- Lead and facilitate IT Risk Assessments end to end; Scoping, Planning, Fieldwork (NIST controls testing and evidence gathering), and Reporting findings, risks, remediation / corrective action plans.
- Advise on Cyber Risk Controls design, risk mitigation design, compensating controls, and risk reduction.
- Consult on Medical Device Cybersecurity Controls baselines and hardening guides across device families.
- Perform risk assessments on cybersecurity controls tools themselves (IAM, PAM, micro firewalls, netseg).
- Advise on integration of baseline security practices into corporate medical device security framework in alignment with NIST 800-53 and HIPAA frameworks.
- Advise on mapping IT Risk processes to Medical Device Cyber Risk processes, intake, workflows, workloads, process steps, actions, documentation, and reporting.
- Provide Risk Advisory guidance to Medical Device cyber program practitioners on effective risk assessment processes, controls frameworks and standards, hardening guides and baselines, risk reporting and remediation.
- Set upfront expectations with stakeholders on assessment process, scope, plan, schedule, stakeholder involvement, assessment reports, remediation planning, corrective action plans.
- Write clear, effective, succinct Cyber Risk Assessment documentation and templates including Cyber Risk Assessment Reports, Executive Summaries, Detailed Risk Reports, Remediation plans, Corrective Action Plans, and clear recommendation guidance on effective Controls Design and implementation.
- Communicate fluidly with Clinical Healthcare Technology Managers and medical device cybersecurity operations with clear, succinct, digestible information that resonates with each audience and drives risk reduction.
Qualifications / Skills / Abilities:
- Education: Bachelor’s Degree in information systems is preferred or 5+ years of equivalent work experience.
- 5+ years of Sr. Lead IT Auditor experience. (Will also consider Risk Assessment, Risk Management, GRC, or Cybersecurity Risk Assessment experience)
- CISA Certified required – and one other: CISSP, CRISC, CISM, CRMA, CSNA, ISSMP certification is desired.
- Hospital IT Audit / Med Device / IoT Cybersecurity background – Assessing patient monitoring devices, Wearable Med Devices, Laboratory / Imaging / radiology devices, Medical Facility Controls (Badging, cameras, doors, elevators). Technical background.
- Experience with risk / control frameworks / standards: NIST SP 800-53, NIST CSF, HITRUST, etc.
- Familiarity with HIPAA Security, IT controls, and controls mapping. FDA cybersecurity guidance preferred.
- Familiarity with OWASP Top 10, CIS Top 20 Controls.
- Ability to lead and facilitate end to end cyber risk assessments (Scope, Plan, Kickoff, Fieldwork, Report).
- Ability to manage multiple assessment projects with broad scope, ambiguity, and high degree of difficulty.
- Strong writing and verbal communication skills to convey technical and risk concepts to non-experts.
- Flexibility in the face of changing priorities and business needs.
- Independently research new topics and present executive summaries.
Preferred Experience / Nice to have:
- Prior experience IT Auditing / Cyber / Risk Assessing – Medical Devices.
- Background in Clinical Healthcare Technology Management (CHTM / CBET / etc.).
- Familiarity with CMMS / Medical device asset management systems, FDA/TJC regulations, medical device vendor cybersecurity (MDS2/CBOM), CHTM asset onboarding and certification processes.
About ITmPowered Cybersecurity Practice:
ITmPowered Consulting’s Cybersecurity Practice continues to be a key differentiator for the firm. Our senior consultants provide support in Cybersecurity, Cloud Security, Application Security, DevSecOps, Network Security, Data Security, Threat and Vulnerability management, Identity and Access Management, Encryption, PKI / CLM Architecture, Technology Risk Management, GRC Solutions, IT Audit, IT Compliance, IT Controls Integration, IT Compliance, Report and Certification preparation and remediation, and Advisory services on program design, build, review, and modernization.
#J-18808-Ljbffr