NexHealth

Head of IT & Security at NexHealth

Seattle, Washington, United States | Full-time | Engineering | Posted 26 days ago

About the Role

About NexHealth

Our healthcare system remains frustratingly analog. When you live in a world of one-tap car rides, instant meal delivery, and unlimited streaming, why do you still have to call to schedule a doctor’s appointment and fill out a clipboard in the waiting room?

NexHealth’s mission is to accelerate innovation in healthcare by connecting patients, providers, and developers. We’re building the infrastructure layer for modern healthcare, connecting thousands of fragmented, on-premise, and closed EHR systems into a single, modern platform that powers software, APIs, payments, and patient experiences across the ecosystem.

  • Founded: 2017
  • Headquarters: San Francisco, CA
  • Funding: $177M Series C
  • Employees: 200+
  • Trusted by tens of thousands of providers and hundreds of health-tech developers — forging the infrastructure layer that modern healthcare needs

About the Role

NexHealth is a technology company building infrastructure that's reshaping how patient data moves and how the HealthTech ecosystem connects. We're looking for a Security Lead to own our security governance, compliance, IT operations, vendor security, and incident response — establishing the function, embedding strong practices, and partnering closely with engineering, legal, and leadership.

This is a player-coach role with real hands-on expectation in year one. You'll drive the next phase of our security and compliance program, and build your team.

What You'll Do

  • Own NexHealth's security governance, compliance, and IT programs end-to-end.
  • Serve as named Information Security Officer and Privacy Officer for SOC 2 and HIPAA — own the policy manual (40+ documents), audit liaison relationship with A-LIGN, control mapping across overlapping regimes, and evidence collection pipelines.
  • Set security standards across application security, vulnerability management, cloud security (AWS), audit logging, and access controls — driving the technical program through Engineering via influence, not direct authority.
  • Build, hire, and develop the IT and workforce security program: endpoints, identity, SaaS administration, phishing simulations, role-specific training modules, and facilities security.
  • Own vendor security: intake, classification, assessment, BAA execution, ongoing oversight, and customer-facing trust artifacts including Trust Center and subprocessor disclosure.
  • Lead incident response in Officer capacity; partner with outside counsel on breach determinations, own IR tracking, and run annual tabletop exercises.
  • Own the risk register, risk acceptance decisions, privacy operations (DSARs, data subject rights, privacy complaints), BC/DR plan, and cyber insurance relationship.
  • Hire a Staff-level IT IC within year one and grow the function from there.

What You'll Bring

Experience

  • 8+ years of relevant security experience, including 3+ years in a security leadership role where you were materially building the program, not maintaining it.
  • Has built (not inherited) a security program from a near-zero baseline at least once.
  • Has owned a recurring external audit cycle end-to-end (e.g., SOC 2, ISO, PCI, HITRUST) — designed evidence collection, mapped controls, ran the auditor relationship, and made the next cycle materially easier than the last.
  • Software engineering background. Can read a pull request, evaluate cloud configurations, and push back on Engineering with technical substance.
  • Experience hiring and developing senior security or IT individual contributors.

Qualifications

  • Hands-on experience with security tools and technologies such as SIEM, MDR, IDS/IPS, WAF, DLP, and vulnerability scanners.
  • You've reshaped how a company engages with auditors, regulators, or customer security teams — moved questionnaires to Trust Centers, audits from manual to automated, or vendor reviews from one-off projects to continuous programs.
  • You drive sustained operational change in functions you don't manage.
  • You treat engineering velocity as a security input. Slow shipping creates security risk too.
  • You can frame risk for a Board-level audience and for an engineering audience in the same week.

Behavioral Traits

  • First-principles thinker.
  • Writes. NexHealth runs on documents; verbal-first operators struggle here.
  • Comfortable being the ranking voice on policy and risk.

Compensation

Actual salaries will vary depending on factors including but not limited to location, experience, and performance. The range listed is just the base salary component of NexHealth’s total compensation package for employees. Other benefits may include stock options, an unlimited paid time off policy, and up to 100% coverage on medical, vision and dental insurance.

NexHealth Compensation Range: $175,000 — $220,000 USD

Benefits

  • Full Medical, Dental, and Vision (up to 100% covered)
  • 401K and commuter benefits
  • Flexible PTO
  • High-impact work that directly improves the healthcare experience for millions

Our Values

  • Solve the customer’s problems, not yours
    When making decisions, think from the perspective of the customer. It’s easy to make decisions that make our lives simpler, but not the customers’.
  • Do the things others are not willing to do
    As a Nexer, always go after the hardest problems. Pursue things at the highest quality. Move at the fastest pace.
  • Take ownership
    Act like a founder. Own your roles, destinies, mistakes, behavior, and our mission. The buck stops with each of us - no blaming or excuses.
  • Say what’s on your mind, with positive intent
    Be direct, proactive, transparent, and frequent in your communication.
  • Default trust
    As a Nexer, you do not have to earn trust; trust is given to you by default. If we by default trust each other, our speed of communication, feedback, information sharing, and overall improvements will be a lot faster.
  • Think in first principles
    We first identify the problem and then break it down to its fundamentals before diving into solutions. We constantly ask “why” to validate our assumptions.

We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, sex, gender expression, sexual orientation, age, marital status, veteran status, or disability status. We provide reasonable accommodation for individuals with disabilities to participate in the application or interview process. Contact [email protected] to request assistance.
