5-7 years of experience in IT security operations, particularly in healthcare technology
Proven expertise in SOC 2 Type 2 and HIPAA compliance controls
Hands-on knowledge of identity and access management implementations
Experience with infrastructure as code tools like Terraform
Familiarity with security information and event management (SIEM) systems, preferably in AWS
Demonstrated project management skills in IT environments
Bachelor's degree in computer science or a related field.
Responsibilities
Lead compliance and governance efforts for HIPAA and SOC 2 Type 2
Manage ongoing audits and maintain evidence for compliance controls
Direct risk assessments and manage the Business Associate Agreement lifecycle
Enforce data protection policies and access controls across systems
Oversee cloud operations and infrastructure management as code
Monitor security incidents and maintain response plans
Guide the internal helpdesk and corporate IT functions.
Benefits
Health, long-term disability, and life insurance coverage
Unlimited Paid Time Off
Ten paid holidays and paid parental leave
Work Anniversary Bonus and Employee of the Quarter Program
Monthly connectivity stipend reimbursement
401K match program enhancing employee contributions.
Full Job Description
RealTime's Director of IT & Security Operations owns the security, availability, and compliance of the systems that run RealTime's multi-tenant clinical-trial platform and corporate environment. The role is accountable for operating and evidencing the controls that keep RealTime HIPAA-compliant and SOC 2 Type 2 audit-ready. This covers protecting Protected Health Information (PHI) across per-customer databases, governing how infrastructure is provisioned as code, and controlling how AI systems access regulated data. The role leads corporate IT and helpdesk and is the subject-matter expert for system and security architecture, uptime, and security posture.
WHAT WILL YOU BE DOING?
Compliance & Security Governance (HIPAA / SOC 2 Type 2)
Operate and evidence the controls required for SOC 2 Type 2 (Security, Availability, and Confidentiality) and the HIPAA Security, Privacy, and Breach Notification Rules.
Act as day-to-day lead for external SOC 2 Type 2 and HIPAA audits. Maintain the control narrative, coordinate evidence, and close findings.
Run continuous control monitoring (GRC) tooling such as Vanta or Drata so control status and evidence stay current.
Maintain the risk register and run an annual risk assessment covering PHI systems, vendors, and infrastructure.
Own the Business Associate Agreement (BAA) lifecycle and third-party risk. Execute and track BAAs with every vendor that touches PHI, including cloud and AI vendors, and review vendor security annually.
Data Protection & Access Management
Enforce least privilege of access across corporate and production systems: role-based access control, MFA, and time-bound access to customer databases and PHI.
Own the joiner-mover-leaver process and run quarterly access reviews, including privileged access, with evidence retained for audit.
Deploy data-leakage controls: data classification, DLP, egress filtering, and database activity monitoring to detect and block unauthorized bulk access.
Validate multi-tenant isolation as a standing control and confirm one customer's data cannot be reached from another tenant. Manage encryption at rest and in transit, with keys held separately from the data.
Own secrets management. No credentials, keys, or tokens in source code, container images, or infrastructure-as-code state.
Cloud Operations & Infrastructure as Code
Manage cloud hosting vendors and environment changes. Maintain and improve the RTSS database infrastructure architecture in a cloud-hosted environment, including replication, federation, availability, and recoverability.
Manage cloud infrastructure as code (Terraform) as the source of truth: peer-reviewed changes, drift detection, and policy-as-code enforced in CI/CD, with separation between the author and approver of a change.
Detect and resolve infrastructure performance issues (CPU, memory, disk I/O, resource contention). Design and deploy infrastructure to meet the CIS Critical Security Controls.
Own vulnerability and patch management with remediation SLAs by severity, recurring scanning, and annual third-party penetration testing, tracked to closure.
Support the team on customer non-code issues such as email and SSO.
Security Operations & Incident Response
Monitor the security of corporate and cloud environments. Identify detection gaps and expand log collection, detection, and analytics.
Run centralized, tamper-evident logging (SIEM) with anomaly alerting and six-year retention aligned to HIPAA.
Maintain and test a documented incident response plan with defined severity levels, escalation, and evidence retention. Run tabletop exercises.
Investigate incidents, determine root causes, preserve evidence, and meet HIPAA breach-notification timelines within 60 days.
AI / LLM Governance
Set and enforce controls for how AI and LLM systems access regulated data, including internal MCP services and cloud AI such as AWS Bedrock. Confirm BAA coverage of AI vendors, prevent PHI exposure to models, and audit AI usage.
Set and enforce an acceptable-use policy covering unmanaged AI tools.
Internal Helpdesk
Manage the team by providing technical support to employees.
Manage corporate IT: desktop support, business applications, and procurement and asset management of hardware and software.
Provide project management for internal IT deployments, migrations, and mergers.
Technology Leadership
Develop and maintain IT, security, and systems architecture SOPs, and run security-awareness training for the workforce.
Design and manage the disaster-recovery and business-continuity process with defined RTO and RPO targets and periodic recovery testing.
Define and report security and reliability KPIs: access-review completion, patch and remediation SLA attainment, mean time to detect and respond, control pass rate, and uptime.
Participate in technical solution and design discussions. Maintain compliance with company policies on the HIPAA Privacy Rule. This role may view PHI as part of daily duties.
WHAT DO YOU NEED?
Deep understanding of operations, systems, network, and cloud security.
Experience operating and evidencing controls for SOC 2 Type 2 and the HIPAA Security Rule in a production environment handling regulated data.
Hands-on experience with identity and access management, least-privilege design, and privileged access management.
Experience with infrastructure as code (Terraform) and change management in a CI/CD pipeline.
Experience with SIEM and security monitoring of cloud environments. AWS preferred.
Strong leadership and business judgment. Experience managing multiple projects across prioritization, planning, and execution.
Experience troubleshooting production workloads using application and system monitoring tools.
Experience with replication, federation, and relational databases.
WHAT SETS YOU APART?
Security certification such as CISSP, CISM, or CCSP.
Experience leading or coordinating a SOC 2 Type 2 examination or HIPAA audit. Two or more years of HIPAA compliance experience.
Experience with DLP, database activity monitoring, and data-egress controls in a multi-tenant SaaS environment.
Experience governing AI or LLM systems that process regulated data.
Experience managing remote employees and supporting corporate IT globally.
Working knowledge of Git and source control (GitHub or Subversion). Experience with Kanban or other agile methods.
Bachelor's degree in computer science, software engineering, or equivalent experience.
WHAT IS IN IT FOR YOU?
The company sponsors health insurance, long-term disability, and life insurance.
Unlimited Paid Time Off.
10 paid Holidays.
Paid Parental Leave.
Work Anniversary Bonus.
Participation in the Employee of the Quarter Program.
Monthly $100 Connectivity Stipend Reimbursement.
RealTime matches employee 401K contributions at 100% of the first 3% invested and 50% of the next 2% invested.
All successful candidates must complete and pass reference and background checks.
The desired salary must be indicated for the application to be considered.
The pay rate is commensurate with experience and is determined on an individual basis after an interview has occurred.