YC-backed healthcare data startup Metriport is hiring a Senior Security Engineer to secure its open-source platform handling sensitive patient records, requiring deep expertise in cloud security frameworks and healthcare compliance standards.

Healthcare technology startup Metriport is recruiting a Senior Security Engineer to fortify its open-source data intelligence platform that processes sensitive patient information for healthcare providers. The San Francisco-based company, part of Y Combinator's S22 batch, handles medical records for over 300 million individuals through integrations with major US healthcare IT systems.
Technical Responsibilities and Requirements
The role demands ownership of security initiatives across Metriport's infrastructure, which includes:
- Implementing enterprise-grade security controls for healthcare data pipelines
- Designing RBAC systems for API key management (AWS IAM policies)
- Establishing SOC 2/HIPAA compliance frameworks
- Configuring encryption protocols (mTLS, RSA, HMAC)
- Managing vulnerability scanning within CI/CD pipelines
Candidates require 6+ years' experience with:
- AWS security services (WAF, KMS, IAM)
- Security frameworks (NIST, HITRUST, FedRAMP)
- Data protection tooling (SSO, MDM, secret management)
- Healthcare compliance standards (HIPAA, IHE profiles)
Engineering Environment
Metriport's technical stack centers on:
- Frontend: React
- Backend: Node.js/TypeScript
- Infrastructure: AWS (ECS, Lambda, Fargate) managed via CDK
- Datastores: PostgreSQL, DynamoDB, FHIR servers
- Security: Oneleet for compliance automation
The engineering team operates with minimal bureaucracy, prioritizing output over hours logged. Security engineers will review PRs through a security lens and collaborate directly with GTM teams on customer security assessments.
Healthcare Security Challenges
This position addresses critical healthcare-industry requirements:
- Data Sensitivity: Patient records demand cryptographic guarantees beyond standard web apps
- Regulatory Complexity: Navigating HIPAA requirements while maintaining developer velocity
- Scale Constraints: Securing data flows across 100+ customer integrations
- Legacy Interoperability: Securing connections with hospital IT systems using IHE profiles
Metriport reports multi-million ARR with customers including Strive Health and Brightside Health. The role offers $160K-$220K base salary plus equity, though it requires Bay Area presence and emphasizes intense output expectations typical of founder-led teams.
Critical Considerations
Prospective candidates should note:
- Technical Tradeoffs: The role balances 'move fast' startup culture against healthcare's compliance requirements
- Architectural Constraints: FHIR API security introduces unique challenges versus REST paradigms
- Tooling Limitations: Existing compliance automation (via Oneleet) may require customization
- Implementation Risks: RBAC designs must prevent privilege escalation in multi-tenant environments
The position reflects growing demand for specialized security engineers in healthcare tech as interoperability mandates increase under the 21st Century Cures Act.