
Senior Security Engineer - Compliance and Risk

New York, NY

About the role: 

We are seeking a detail-oriented, proactive Security Compliance Engineer to join our Security team. 

In this role, you will not just check boxes; you will own the governance and compliance lifecycle for critical security programs and, in many cases, be actively involved in implementation and remediation. You will ensure that our vulnerability management, privacy, data retention, and business continuity efforts meet the rigorous standards of SOC 2, HIPAA, and HITRUST, protecting our sensitive healthcare data and maintaining trust with our partners.

What you will do:

Vulnerability Management Governance

  • Oversee the compliance aspect of the vulnerability management program, ensuring scans and remediation efforts adhere to SLAs.
  • Track and report on remediation timelines to ensure evidence is audit-ready.
  • Collaborate with engineering and IT teams to validate that exceptions are documented, risk-accepted, and reviewed periodically.
  • Manage “tracking technologies” to comply with partner requirements.

Privacy & Data Governance

  • Manage adherence to internal privacy policies and external regulations (HIPAA, State Laws, CCPA).
  • Manage adherence to partner-specific health system requirements.
  • Monitor data retention schedules to ensure data is stored, archived, and purged in accordance with policy and legal requirements.
  • Conduct periodic privacy impact assessments (PIAs) for new products or features.

Disaster Recovery (DR) & Business Continuity (BCP)

  • Coordinate annual or bi-annual DR/BCP table-top exercises and technical tests.
  • Maintain and update DR/BCP documentation, ensuring contact lists and recovery procedures are current.
  • Review post-mortem reports from tests to ensure continuous improvement and compliance with availability trust principles.

Audit & Framework Management (SOC 2 & HITRUST)

  • Serve as a primary point of contact for external auditors during SOC 2 and HITRUST assessments.
  • Collect, organize, and review evidence on the controls for the programs above.
  • Identify compliance gaps and drive remediation projects before external audits begin.

AI/ML in healthcare and emerging federal and state AI regulations

What we're looking for: 

  • Experience: 3-5+ years of experience in Information Security, Governance, Risk, Vulnerability Management, Compliance (GRC), or IT Audit.
  • Program Management: Proven experience managing specific compliance verticals like vulnerability management or business continuity.
  • Communication: Ability to translate compliance requirements into actionable technical tasks for engineering teams.
  • Organization: Exceptional documentation skills—you understand that "if it isn't written down, it didn't happen."
  • Influence: Ability to drive consensus and compliance across teams without direct management authority.

Benefits & Perks:

  • Hybrid work schedule with weekly lunches and stocked fridges 
  • Monthly social committees for company events
  • 18 vacation days, 9 company holidays, 5 sick days, and 2 personal days 
  • Stock options for every full-time employee 
  • Paid parental leave
  • 401k benefit
  • Commuter Benefits 
  • Competitive health, dental, and vision insurance options 

Compensation:

$150,000 - $185,000 USD

Who We Are: 

Behind every leading health system is K Health’s AI-powered virtual care engine. 

Esteemed health systems like Mayo Clinic, Cedars-Sinai, Mass General Brigham, Hackensack Meridian Health, and Hartford Healthcare partner with K Health to build and run modern primary virtual care clinics on their behalf. 

Our deeply integrated model modernizes the primary care loop by using AI to put humans first. For our patients, we offer clinical AI (i.e., PatientGPT) and unparalleled access to close care gaps around the clock. For our Providers, we deliver provider-serving agentic solutions (i.e., Perfect Note) to eliminate administrative overload and burnout. And for the health systems, we deploy our top-grade Virtualists in AI-powered virtual clinics 24/7 to capture the patients' care journeys at step one, retain the journey through the system for longitudinal care, and strengthen profitability.  

We were founded in 2016, are headquartered in New York City, and are backed by nearly $400 million from leading investors including Valor Equity Partners, Claure Group, Mangrove Capital Partners, 14W, Notable Capital, Lerer Hippeau, Primary Venture Partners, Comcast Ventures, PICO Venture Partners, Max Ventures, and other strategic healthcare partners.

We offer competitive compensation packages based on industry benchmarks for function, level, and geographic location. Offer amounts are determined by multiple factors such as a candidate's experience and expertise.  

We are proud to be an Equal Opportunity Employer and consider applicants for employment regardless of race, ethnicity, religion, color, national origin, ancestry, disability, medical condition, genetic information, marital status, sex, gender, gender identity, gender expression, sexual orientation, pregnancy, childbirth and breastfeeding, age, citizenship, military or veteran status, or any other class protected by applicable federal, state, and local laws. We’re deeply committed to building teams as diverse as the patients we serve and strive to cultivate an environment where everyone can bring their most authentic self to work. We depend on our differences to make our team stronger, our workplace more dynamic, and our product accessible to all of our users.

We are committed to maintaining the integrity of our hiring process and ensuring a safe environment for all candidates. All communication for job offers from K Health will come from email addresses ending in @khealth.com. K Health will never ask you to provide financial information about yourself during the recruitment process. We will never use personal email accounts or other domains for official correspondence. Our official job postings are only listed on our official website and reputable job boards. Be cautious of job offers from sources other than these platforms.
