About Tuesday Health
Tuesday Health is an innovative, value-based care organization offering compassionate care for patients and caregivers navigating serious illness. The company is dedicated to revolutionizing the approach to serious illness and end-of-life care through leading-edge supportive care models founded upon clinical expertise, industry-leading data, and technology. Our team believes deeply in our mission and puts patients first in all that we do.
The company began operations in 2023 and is backed by a significant financial commitment from a syndicate of healthcare industry partners and the leading value-based care investor Valtruis. Now that our company has been formed and funded, we are ready to engage with patients and excited to expand our team with passionate clinicians and support professionals!
Cyber Security Manager
Location: Remote
Who We Are
Tuesday Health is a value-based palliative care provider group dedicated to transforming serious illness and end-of-life care. We deliver goal-centered care focused on alleviating physical symptoms and emotional stress for individuals and their caregivers. Our interdisciplinary care teams reduce avoidable hospitalizations and improve quality of life wherever individuals call home. Through our leading-edge care model, Tuesday Health is shaping the future of community-based palliative care nationwide.
The Role
The Cyber Security Manager safeguards the confidentiality, integrity, and availability of our systems, data, facilities, and medical operations. This role leads security governance, risk management, and compliance efforts; oversees security operations and incident response; and partners with IT, Clinical Operations, Privacy, and Compliance to ensure the organization meets regulatory requirements (e.g., the HIPAA Security Rule) and industry frameworks (e.g., SOC 2, HITRUST CSF). The Cyber Security Manager is accountable for proactive risk reduction, rapid detection of and response to threats, and building a strong security culture across the company.
You will work closely with our engineering team and third-party security partners to define secure coding standards, validate security controls, and coordinate penetration testing and remediation for a modern cloud-native stack built on Azure, .NET Minimal APIs, Blazor WASM, MAUI, and PostgreSQL.
Key responsibilities of this role may include:
· Governance, Risk & Compliance (GRC)
o Lead the enterprise security program aligned to HIPAA Security Rule, SOC 2 Type II, HITRUST CSF, and internal policies.
o Own risk assessments, risk register, treatment plans, and executive reporting.
o Maintain security policies and standards (access control, encryption, vendor risk, vulnerability management, incident response, acceptable use, AI/GenAI usage).
o Coordinate audits, evidence collection, corrective actions, and ongoing compliance monitoring.
· Security Operations
o Oversee daily security operations: SIEM monitoring, EDR, vulnerability scanning, patch management, and email security/anti-phishing.
o Implement and tune detection rules, playbooks, and escalation paths; manage MDR/SOC vendors as applicable.
o Maintain Azure security posture with Microsoft Defender for Cloud, monitor and investigate with Microsoft Sentinel, and enforce Azure RBAC.
o Validate security configurations for .NET APIs, Blazor WASM, MAUI apps, and PostgreSQL—working with engineering to confirm adherence to secure coding guidelines.
o Collaborate with third-party penetration testing vendors: schedule tests, review findings, and track remediation.
· Application & Product Security
o Define and enforce secure coding standards for .NET, Blazor, and MAUI applications.
o Ensure CI/CD pipelines include security checks (SAST, DAST, dependency scanning).
o Provide oversight for infrastructure-as-code security (ARM/Bicep templates) and the application of zero-trust principles.
o Advise engineering on OWASP best practices and secure API design.
· Incident Response & Business Continuity
o Lead incident response lifecycle (prepare, detect, contain, eradicate, recover, lessons learned) with documented runbooks.
o Coordinate with Privacy/Legal on reportable events; align to HIPAA breach requirements and internal incident procedures.
o Maintain and test Business Continuity and Disaster Recovery plans; run tabletop exercises at least twice annually.
· Identity, Access & Data Protection
o Enforce least-privilege, role-based access control (RBAC), and periodic access reviews for PHI/PII and critical systems.
o Manage Microsoft Entra ID and privileged access management (PAM).
o Implement data loss prevention (DLP) and encryption standards (in transit and at rest), including key management in Azure Key Vault.
· Vendor & Third-Party Risk Management
o Oversee third-party risk management for all vendors handling PHI, PII, or critical systems.
o Conduct security due diligence, including reviewing SOC 2/ISO certifications, penetration test results, and security questionnaires.
o Ensure Business Associate Agreements (BAAs) are in place for vendors processing PHI and verify their compliance with the HIPAA Security Rule.
o Maintain a vendor risk register and track remediation of identified gaps.
o Monitor vendor adherence to contractual security obligations, including data residency, retention, and model training restrictions for AI tools.
o Collaborate with Procurement and Legal to include security requirements in contracts and enforce breach notification timelines.
o Periodically reassess vendor security posture and update risk ratings based on audits or incidents.
A strong candidate will demonstrate the following:
· Bachelor’s degree in Information Security, Computer Science, or related field—or equivalent experience.
· 5–8+ years in security roles with 2–3+ years leading security operations or GRC initiatives.
· Hands-on experience with cloud security, specifically Azure security services (Defender for Cloud, Sentinel, Key Vault, RBAC).
· Working knowledge of the HIPAA Security Rule, PHI/PII handling, SOC 2 Type II, and incident response practices.
· Familiarity with secure development practices for .NET, Blazor WASM, MAUI, and PostgreSQL (oversight, not coding).
· Proven ability to run risk assessments, develop policies, and manage audits.
· Strong communication skills; ability to influence cross-functional leaders and train non-technical audiences.
What We Offer
· Competitive compensation, reflecting our commitment to attracting, retaining, and motivating the best talent in the industry
· Comprehensive benefits including medical, dental, vision, and life insurance, paid time off and holidays, an employer 401(k) match, and more
· Remote work with multiple onsite sessions each year to maximize collaboration and team building
· A dynamic and inclusive team environment where you can lean on your teammates, offer candid feedback, bring your true self to work each day, and deliver tremendous impact while having fun along the way
· Meaningful work each day; we care deeply about our mission, our patients, and each other
If you are passionate about improving the quality of care for seriously ill individuals and their caregivers through innovative solutions, we would love to hear from you.
Tuesday Health seeks to recruit and retain staff from diverse backgrounds and encourages qualified candidates to apply. Tuesday Health is an equal opportunity employer and does not discriminate on the basis of age, sex, gender identity/expression, sexual orientation, color, race, creed, national origin, ancestry, religion, marital status, political belief, physical or mental disability, pregnancy, military, or veteran status.
Department: Technology
Location: Remote (United States)