Senior Cyber Incident Responder

As a core member of the Office of Information Security's Detection and Response Team (DaRT), the Senior Incident Responder plays a mission-critical role in protecting patient care, safeguarding sensitive health information, ensuring clinical continuity, and enabling diagnostic and genetic innovation. This position leads the investigation, containment, and resolution of cybersecurity incidents that could impact the confidentiality, integrity, or availability of systems across the enterprise.

You'll collaborate across clinical, IT, and compliance teams to respond to security threats. You'll handle escalated events from the SOC, perform technical investigations, and lead recovery efforts while maintaining compliance with requirements associated with HIPAA, HITRUST, GDPR, etc. If you're driven by purpose, technically sharp, and thrive in fast-paced environments where security meets patient care-this is the role for you.

Applicants who live within 35 miles of either the Burlington, NC or Durham, NC location will follow a hybrid schedule. This schedule includes a minimum of three in-office days per week at an assigned location, either Burlington or Durham, supporting both collaboration and flexibility.

RESPONSIBILITIES

• Serve as the lead responder for validated cyber incidents-prioritizing threats that could impact clinical operations, electronic health records (EHR), connected medical devices, or protected health information (PHI).
• Coordinate with technical and clinical stakeholders to contain and remediate threats across hospitals, clinics, and remote care environments.
• Drive improvements to the Incident Response Plan-ensuring readiness for ransomware, business email compromise, and other threats.
• Lead triage, containment, and root cause analysis of events affecting clinical applications, patient portals, imaging systems, and backend infrastructure.
• Analyze logs and EDR telemetry from a wide range of systems-medical devices, cloud applications, employee workstations, and data exchange platforms
• Perform investigations across Windows, Linux, iOS, and cloud platforms, using SIEM and manual log analysis where required.
• Lead stakeholder briefings during high-severity incidents.
• Enrich investigations using internal threat intel, OSINT, and health sector-specific sources (e.g., H-ISAC, HC3 bulletins).
• Contribute to detection engineering and playbook development aligned with healthcare-specific threat vectors.
• Write post-incident reports with clear insights for operational, risk, and compliance teams.

• 3+ years of experience in cybersecurity, preferably with exposure to healthcare IT, hospital systems, or regulated environments.
• Hands-on incident response experience in large enterprise environments (30K+ users, multiple business units or hospitals).
• Strong understanding of HIPAA security rule, HITECH, and how regulatory requirements intersect with incident handling.
• Familiarity with common healthcare systems such as Epic, Cerner, HL7/FHIR interfaces, or IoMT devices.
• Experience with incident response frameworks (NIST 800-61, HITRUST IRM, etc.) and adversary models (MITRE ATT&CK, Cyber Kill Chain).
• Proficient in SIEM (e.g., Splunk, Anvilogic), EDR platforms (e.g., CrowdStrike, SentinelOne, ), and forensic tools.
• Strong skills in Windows and Linux OS investigations, network protocol analysis, and EDR telemetry.
• Proficient in writing detection rules and custom signatures to identify malicious activity.
• PowerShell, Python, or Bash scripting skills are a plus.
• Clear communicator with experience handling sensitive incidents in regulated industries.
• Ability to lead investigations that involve patient data and coordinate with privacy and compliance officers.

• Bachelor's degree in Cybersecurity, Information Systems, or a related field-or equivalent experience in a regulated enterprise.
• Preferred certifications include:
  • GCIH, GCFA, GCFE, GNFA, GCTI, CISSP, or HCISPP (Healthcare Certified Information Security and Privacy Practitioner).