Data security and compliance Consultant (Healthcare)

Nexifyr Consulting

  • Bangalore, Karnataka
  • Contract
  • Full-time
  • 10 hours ago
Job Title: Data Security and Compliance Consultant (Healthcare)
Location: Bangalore, India
Role Type: Contract
Location: Bengaluru

Company overview

We are a US-based, venture-backed digital health company. We enable Health Care Providers (HCPs) to capture true virtual care opportunities beyond telehealth. We enable HCPs to provide proactive and continuous care and to add new recurring monthly revenue streams without any upfront cost. With our unique distribution and business model, we are seeing fast acceptance and strong adoption with our target customers. We have built unique, industry-first virtual care platforms for the HCP market based on integrated hardware, cloud and AI technologies. We are a US-focused, post-revenue company with customers in 9 US states and growing fast. We provide an excellent opportunity to innovate and work on cutting-edge product technologies in a very fast-moving, dynamic and empowered environment.

Role Overview

We are seeking an experienced Data Security and Compliance Consultant with deep healthcare domain expertise to assess our current security and privacy posture, close policy and process gaps, and lead us to the required certifications. The ideal candidate has led multiple HIPAA/HITRUST/SOC 2/ISO 27001 readiness engagements, can translate regulations into practical controls, and can drive cross-functional execution in cloud-native environments.

Key Responsibilities
  • Perform comprehensive gap assessments of current policies, procedures, and controls against:
      • HIPAA Security, Privacy, and Breach Notification Rules; HITECH
      • HITRUST CSF
      • SOC 2 (Trust Services Criteria)
      • ISO/IEC 27001 (and ISO 27002 control guidance)
      • NIST CSF and NIST SP 800-53
      • Applicable privacy laws (e.g., GDPR, CCPA/CPRA) based on business footprint
      • Additional healthcare-relevant regulations as applicable (e.g., ONC Cures Act, 21 CFR Part 11)
  • Build and maintain a control matrix mapping company controls to the above frameworks; define a remediation roadmap with owners, budgets, and timelines.
  • Lead the Security Risk Analysis (SRA) for HIPAA, maintain the risk register, and drive risk treatment plans; facilitate periodic internal audits.
  • Define, draft, and operationalize policies and procedures, including:
      • Information Security, Acceptable Use, Access Control, Encryption/Key Management, Data Classification/Handling, DLP
      • Secure SDLC and product security (threat modeling, SAST/DAST, SBOM, third-party components)
      • Cloud security (AWS/Azure/GCP), hardening baselines, logging/monitoring, SIEM
      • Vulnerability and patch management, change management, configuration management
      • Incident Response and Breach Notification (including OCR expectations), tabletop exercises
      • Business Continuity/Disaster Recovery and backup/restore testing
      • Vendor Risk Management, BAAs, DPAs, third-party due diligence and continuous monitoring
      • Mobile/BYOD, MDM, endpoint protection/EDR, asset management
      • Data retention/deletion, de-identification/pseudonymization, data subject rights workflows
  • Create healthcare-specific data maps and inventories:
      • PHI/ePHI flows, HL7/FHIR integrations, EHR connections, and interoperability touchpoints
      • Records of processing activities (ROPA) where required
  • Plan and execute certification/readiness programs:
      • SOC 2 Type I/II, HITRUST validated assessment, ISO 27001 ISMS implementation and certification
      • Coordinate evidence collection, auditor engagement, and remediation closure
  • Recommend and implement GRC tooling for control management and continuous compliance
  • Drive security awareness and privacy training programs with role-based curricula and policy attestations.
  • Support customer security questionnaires, RFPs, and due diligence; serve as SME in client and partner audits.
  • Establish and report KPIs/KRIs (e.g., risk reduction, control coverage, time-to-remediate, audit findings, training completion).
Qualifications
  • 5+ years of progressive experience in information security, privacy, and compliance, with at least 4 years focused on healthcare environments (providers, payers, digital health, health tech, EHR vendors).
  • Proven track record leading HIPAA/HITRUST/SOC 2/ISO 27001 programs from gap assessment through audit/certification.
  • Strong knowledge of HIPAA/HITECH, HITRUST CSF, SOC 2 TSC, ISO 27001/27002, NIST CSF/800-53; familiarity with GDPR/CCPA, ONC/Cures Act, and 21 CFR Part 11 preferred.
  • Hands-on experience in cloud-first architectures and SaaS security (IAM/MFA/SSO, network segmentation, key management, logging/monitoring, SIEM, EDR, MDM).
  • Demonstrated ability to author clear, actionable policies/procedures and build sustainable operational processes.
  • Excellent stakeholder management and communication skills; able to influence engineering, product, legal, and leadership.
  • Tools familiarity: GRC platforms (e.g., ServiceNow GRC, Archer, OneTrust, Drata, Vanta), SIEM (e.g., Splunk, Sentinel), vulnerability scanners (e.g., Qualys, Nessus), ticketing (Jira), documentation (Confluence), IdP (Okta/Azure AD), MDM (Intune/Jamf).
Preferred Certifications
  • HCISPP, CHPS, CCSFP (HITRUST), CISSP/CISM/CISA
  • ISO 27001 Lead Implementer or Lead Auditor
  • Privacy certifications (e.g., CIPP/US, CIPM)
  • Cloud security certifications (e.g., AWS/Azure Security Specialty)
