Data Security and Compliance (Healthcare)

5 years

7 - 0 Lacs

Posted: 1 month ago | Platform: SimplyHired


Work Mode

On-site

Job Type

Full Time

Job Description

Data Security and Compliance Consultant (Healthcare)

Location: Bangalore, India

Job Title: Data Security and Compliance Consultant (Healthcare)

Role Type: Contract or Full-time

Company overview

HBOX is a US-based, venture-backed digital health company. We enable healthcare providers (HCPs) to capture true virtual care opportunities beyond telehealth. We enable HCPs to provide proactive and continuous care and add new recurring monthly revenue streams without any upfront cost. With our unique distribution and business model, we are seeing fast acceptance and strong adoption among our target customers.

We have built a unique, industry-first virtual care platform for the HCP market, integrating hardware, cloud, and AI technologies. We are a US-focused, post-revenue company with customers in 9 US states and growing fast. We provide an excellent opportunity to innovate and work on cutting-edge product technologies in a very fast-moving, dynamic, and empowered environment.

Role Overview

We are seeking an experienced Data Security and Compliance Consultant with deep healthcare domain expertise to assess our current security and privacy posture, close policy and process gaps, and lead us to required certifications. The ideal candidate has led multiple HIPAA/HITRUST/SOC 2/ISO 27001 readiness engagements, can translate regulations into practical controls, and can drive cross-functional execution in cloud-native environments.

Key Responsibilities

Perform comprehensive gap assessments of current policies, procedures, and controls against:

o HIPAA Security, Privacy, and Breach Notification Rules; HITECH

o HITRUST CSF

o SOC 2 (Trust Services Criteria)

o ISO/IEC 27001 (and ISO 27002 control guidance)

o NIST CSF and NIST 800-53

o Applicable privacy laws (e.g., GDPR, CCPA/CPRA) based on business footprint

o Additional healthcare-relevant regulations as applicable (e.g., ONC Cures Act, 21 CFR Part 11)

Build and maintain a control matrix mapping company controls to the above frameworks; define remediation roadmap with owners, budgets, and timelines.

Lead Security Risk Analysis (SRA) for HIPAA, maintain risk register, and drive risk treatment plans; facilitate periodic internal audits.

Define, draft, and operationalize policies and procedures, including:

o Information Security, Acceptable Use, Access Control, Encryption/Key Management, Data Classification/Handling, DLP

o Secure SDLC and product security (threat modeling, SAST/DAST, SBOM, third-party components)

o Cloud security (AWS/Azure/GCP), hardening baselines, logging/monitoring, SIEM

o Vulnerability and patch management, change management, configuration management

o Incident Response and Breach Notification (including OCR expectations), tabletop exercises

o Business Continuity/Disaster Recovery and backup/restore testing

o Vendor Risk Management, BAAs, DPAs, third-party due diligence and continuous monitoring

o Mobile/BYOD, MDM, endpoint protection/EDR, asset management

o Data retention/deletion, de-identification/pseudonymization, data subject rights workflows

Create healthcare-specific data maps and inventories:

o PHI/ePHI flows, HL7/FHIR integrations, EHR connections, and interoperability touchpoints

o Records of processing activities (ROPA) where required

Plan and execute certification/readiness programs:

o SOC 2 Type I/II, HITRUST validated assessment, ISO 27001 ISMS implementation and certification

o Coordinate evidence collection, auditor engagement, and remediation closure

o Recommend and implement GRC tooling for control management and continuous compliance

Drive security awareness and privacy training programs with role-based curricula and policy attestations.

Support customer security questionnaires, RFPs, and due diligence; serve as SME in client and partner audits.

Establish and report KPIs/KRIs (e.g., risk reduction, control coverage, time-to-remediate, audit findings, training completion).

Qualifications

5+ years of progressive experience in information security, privacy, and compliance, with at least 4 years focused on healthcare environments (providers, payers, digital health, health tech, EHR vendors).

Proven track record leading HIPAA/HITRUST/SOC 2/ISO 27001 programs from gap assessment through audit/certification.

Strong knowledge of HIPAA/HITECH, HITRUST CSF, SOC 2 TSC, ISO 27001/27002, NIST CSF/800-53; familiarity with GDPR/CCPA, ONC/Cures Act, and 21 CFR Part 11 preferred.

Hands-on experience in cloud-first architectures and SaaS security (IAM/MFA/SSO, network segmentation, key management, logging/monitoring, SIEM, EDR, MDM).

Demonstrated ability to author clear, actionable policies/procedures and build sustainable operational processes.

Excellent stakeholder management and communication skills; able to influence engineering, product, legal, and leadership.

Tools familiarity: GRC platforms (e.g., ServiceNow GRC, Archer, OneTrust, Drata, Vanta), SIEM (e.g., Splunk, Sentinel), vulnerability scanners (e.g., Qualys, Nessus), ticketing (Jira), documentation (Confluence), IdP (Okta/Azure AD), MDM (Intune/Jamf).

Preferred Certifications

HCISPP, CHPS, CCSFP (HITRUST), CISSP/CISM/CISA

ISO 27001 Lead Implementer or Lead Auditor

Privacy certifications (e.g., CIPP/US, CIPM)

Cloud security certifications (e.g., AWS/Azure Security Specialty)

Job Types: Full-time, Part-time, Permanent, Contractual / Temporary
Contract length: 12 months

Pay: From ₹700,000.00 per year

Work Location: In person
