Cybersecurity Engineer

Verathon is a global medical device company focused on supporting customers by being their trusted partner, delivering high-quality products that endure over time and ensure clinical and economic utility. Two areas where Verathon has significantly impacted patient care, and become the market leader in each, are bladder volume measurement and airway management. The company's BladderScan portable ultrasound and GlideScope video laryngoscopy & bronchoscopy systems effectively address unmet needs for healthcare providers and meaningfully raise the standard of care for patients. Verathon, a subsidiary of Roper Technologies, is headquartered in Bothell, Washington, USA and has international subsidiaries in Canada, Europe and Asia Pacific. For more information, please visit www.verathon.com.

Verathon is looking for a Cybersecurity Engineer to become the newest member of our R&D Team located in Bothell, Washington.

The Cybersecurity Engineer is responsible for leading the system-level cybersecurity engineering activities required to design and sustain secure medical devices across Verathon's product portfolio. This role is the primary owner of product security architecture, system threat modeling, and the translation of FDA and consensus standards guidance into actionable security requirements and verification evidence. Working closely with Software Engineering, Quality, and Regulatory teams, the Cybersecurity Engineer ensures that Verathon's products are designed and documented to satisfy regulatory expectations throughout the product lifecycle, from initial design through post-market sustaining activities.

Define product security architecture, including identification of software and hardware assets, trust boundaries, control objectives, and interface documentation; specify and review designs for authentication, authorization, cryptography, secure update mechanisms, event logging, data integrity, and system hardening (including STIG-based hardening where applicable)
• Lead system-level threat modeling (e.g., STRIDE / MITRE ATT&CK for ICS) and allocate mitigations across hardware, firmware, and software; ensure trust-boundary assumptions are explicit, traceable, and testable
• Derive cybersecurity requirements from FDA guidance and consensus standards (IEC 62443, IEC 81001-5-1, AAMI SW96); define verification strategies specifying required evidence, timing, and ownership
• Produce and maintain design-level product security documentation including architecture views, control rationale, security requirements traceability matrices, and interface/external connection records
• Own the engineering interface during penetration testing and other third-party security engagements: lead scope clarification, environment setup, and technical Q&A; assess design impact of findings; define remediation technical approach and support retest readiness
• When post-release remediation is required, define technical scope and verification approach; coordinate with engineering and release functions to ensure validated deployment and documentation closure
• Lead interoperability security assessments for device interfaces with external systems, networks, and devices; evaluate security and safety risks across normal and fault operating modes and define appropriate risk controls for interface trust boundaries
• Conduct CVE impact analysis for fielded products; assess applicability of newly disclosed vulnerabilities to system-level components and architecture; support prioritization and remediation scoping
• Contribute to release readiness for security-driven sustaining updates, including inputs to patch packaging, documentation updates, and design change records
• Collaborate with the Software to ensure security requirements are correctly allocated and verification evidence is complete across the system
• Work cross-functionally across Systems, Software, Quality, and Regulatory disciplines to align on security architecture decisions and ensure consistent implementation
• Own and maintain the Product Security Management Plan and associated Product Security Management File, ensuring all required cybersecurity activities are planned, traceable, and audit-ready
• Support Verathon's Quality Management System (QMS), including participation in design reviews, ECO procedures, and DHF/regulatory submission artifact preparation
• Stay current with evolving FDA cybersecurity guidance, EU MDR and MDCG 2019-16, NIST CSF, and relevant medical device security standards; identify implications for Verathon products and processes

• Bachelor's degree in Systems Engineering, Electrical Engineering, Computer Engineering, or a related technical discipline is required
• 5+ years of demonstrated experience in cybersecurity engineering, product security engineering, or a related field, with at least 3 years focused on cybersecurity for connected or regulated products
• Demonstrated experience with system-level threat modeling methodologies (e.g., STRIDE, PASTA, or TARA as defined in IEC 81001-5-1 / AAMI SW96)
• Working knowledge of medical device cybersecurity regulatory requirements, including FDA premarket and postmarket cybersecurity guidance, IEC 81001-5-1, AAMI SW96, and IEC 62443
• Experience defining security requirements and producing verification evidence in a regulated product development environment (FDA QSR / ISO 13485 QMS preferred)
• Experience with CVE/NVD triage and vulnerability impact assessment at the system level including CVSS-based vulnerability scoring and cybersecurity risk assessment methodologies
• Experience supporting or managing third-party penetration testing engagements, including findings triage and remediation scoping, is strongly preferred
• Working knowledge of networking fundamentals (ports, protocols, firewalls) and OS-level security concepts across Linux and/or Windows environments relevant to connected medical devices
• Relevant security certification (e.g., CISSP, CISM, CEH, CompTIA Security+, or equivalent) is preferred; candidates with equivalent demonstrated experience will be considered
• Familiarity with SBOM concepts and supply chain security considerations for medical devices is an asset
• Working knowledge of architecture and modeling tools (e.g., Visio, PlantUML, or basic SysML) for producing security architecture and threat-model artifacts
• Strong written communication skills with demonstrated ability to produce clear, audit-ready technical documentation

Salary range - $124,105 - $151,300 (Compensation will vary based on skills, experience and location; it is not typical to be hired at or above the top of the salary range).

Full-time employees who are not on a commission plan are eligible for Verathon's annual bonus plan based on company and individual performance.

Verathon provides a competitive benefits package including medical, dental, vision, basic life insurance, paid holidays, paid time off and a 401(k) matching plan. For more information, please visit our complete Benefits Summary at https://www.verathon.com/sites/default/files/2026-02/US_HQ_Employee_Benefits_Summary.pdf.