Senior Security Engineer

San Francisco, CA

Metriport is an open-source data intelligence platform that helps healthcare organizations access and exchange patient data in real-time. We integrate with all major US healthcare IT systems and tap into comprehensive medical data for 300+ million individuals.

We've found product-market fit with multi-million ARR, 100+ customers (including Strive Health, Circle Medical, and Brightside Health), backing from top VCs, and years of runway. We're ready to scale. We're a tight-knit, high-performing team of mostly former founders (including two YC alumni). We're engineering-heavy, operate with minimal bureaucracy and high autonomy, and hire based on competence, not prestige. We push hard—founders work six days a week from our SF office—but give everyone freedom to craft their schedule. We measure output and we're committed to sustainable intensity.

About you

In a nutshell, we're looking for a security engineer with the following specific qualities:

• You’re entrepreneurial-minded, with an olympian-level work ethic (nearly our entire engineering team consists of former founders).

• You are passionate about security and are excited to own security related projects within the company end-to-end.

• You are confident in your ability to build scalable systems across the full stack, and people usually come to you for technical guidance.

• You believe you can solve any problem that comes at you, and don't shy away from diving deep into areas where you may lack domain expertise.

• You have a strong sense of ownership over your work, and have demonstrated ability to lead others.

• You know how to move fast - while still maintaining a strong security posture.

• You care more about the end result and delivering value, rather than what new and frilly tech is being used under the hood for a given feature.

• When someone scopes out a project with an ETA of 3 weeks, you ask yourself "why can't it be done in 3 days?".

• You’re a hacker at heart, and have a good sense of what rules should, and shouldn’t, be broken.

What you'll be doing

After quickly ramping up using our comprehensive onboarding materials to get familiar with our domain, product, and codebase, the goal would be to get you shipping product directly to customers as quickly as possible. Specifically, day to day, this looks like:

• Evangelizing security across Metriport’s growing team - we will look to you for guidance, and training.

• Driving full-stack security projects , big and small, end-to-end from ideation to production rollout.These projects could include things like:

  • Implement an enterprise-grade audit logging solution for a new national healthcare network infrastructure stack.

  • Implement fine grained RBAC on the API key access layer, and more robust roles on our UIs.

  • Help us revamp our internal security policies and put tools in place to keep the platform, and employees, secure while still allowing the team to be efficient.

• Helping the engineering team with PR reviews with a security-focused lens.

• Work with the Go to Market team to complete customer security assessments and questionnaires.

• Work with the engineering team to harden security across the development lifecycle - think secret management, access controls, and vulnerability scanning.

• Managing your own work in Linear.

• Participating in bi-weekly sprint planning / retro sessions, and quarterly planning sessions.

• Attending a daily 30 minute remote stand-up at 7:30am PST Mon-Fri (our only regular mandatory meeting).

Requirements

• You have 6+ years experience in security engineering and information security.

• You’re located in San Francisco or the Bay Area (or willing to relocate).

• Familiar with HIPAA compliant environments.

• Experience rolling out and maintaining security frameworks like SOC 2, NIST, HITRUST, FedRAMP, etc.

• Experience rolling out data protection technologies like SSO, MFA, VPN, FIPS, etc.

• Experience with organizational secret management.

• Experience implementing SCA, SAST, DAST in CICD workflows.

• Experience with Mobile Device Management (MDM).

• Proficiency in cloud security & networking on AWS - IAM, WAF, KMS, etc.

• Proficiency in authentication, cryptography, encryption, and security protocols such as: mTLS, RSA, SSL, HMAC, RBAC, etc.

• Bonus: experience with IHE profiles (ATNA, CT, XUA).

Benefits

• Competitive equity + compensation package 🚀

• Full family Platinum health insurance, dental, and vision coverage 🦷

• 401(k) retirement plan + matching 💰

• Flexible work from home or in-office 🏢

• Healthy lunches are complimentary when working in-office (and breakfast + dinners as needed) 🍏

• Quarterly company off-sites with the team ⛷️

• MacBook provided by us 💻

• Unlimited PTO (we work hard, but trust you to take time you need to be at your best) 🧘‍♂️

Our tech

On the frontend, we use React - on the backend, we rely on Node.js and TypeScript for writing core business logic. We deploy a wide range of AWS cloud services (ie ECS, Fargate, Lambda, etc), and manage our infrastructure as code with AWS CDK. Data lives in PostgreSQL, DynamoDB, S3, Snowflake, FHIR servers, and more. We use Oneleet for security and compliance.

Metriport provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, sex, national origin, age, disability, genetics, sexual orientation, gender identity, or gender expression. We are committed to a diverse and inclusive workforce and welcome people from all backgrounds, experiences, perspectives, and abilities.