Machine Learning Biomedical Engineer Jobs in Rochester, NY

Job Summary:
Excellus BCBS is a healthcare company seeking a Principal AI Security Engineer to lead the security efforts for machine learning and AI systems. This role involves creating security architecture, performing threat modeling, and implementing controls to ensure the secure handling of sensitive health information.
Responsibilities:
• Creates reference architectures, defines security requirements and patterns for model training, inference, retrieval-augmented generation (RAG), agent orchestration, tool calling, and multi-model pipelines across cloud and hybrid environments.
• Performs deep threat modeling for artificial intelligence (AI) systems, including prompt injection, indirect prompt injection, insecure output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, data poisoning, model theft, model inversion, supply chain compromise, and denial-of-service.
• Defines guardrails for protected health information and electronic protected health information processing, including data minimization, de-identification, context scoping, encryption in transit and at rest, retention boundaries, and access paths into model context windows, vector stores, caches, and logs.
• Designs and implement secure machine learning operations (MLOps) controls for datasets, features, models, prompts, and policies: provenance tracking, artifact signing, environment separation, approval workflows, reproducible builds, rollback paths, and tamper-evident audit trails.
• Defines and sets standards for identity, service-to-service authentication, secrets management, token scoping, least privilege, just-in-time access, and network segmentation for AI services, model gateways, and external tool integrations.
• Leads offensive security activities for AI systems, including adversarial testing, AI red teaming, prompt and tool abuse simulation, fuzzing, jailbreak testing, attack path validation, and control verification against production-like workflows and third-party model providers.
• Leads defensive security and blue team capabilities for AI platforms, including telemetry design, prompt and response event logging, model gateway instrumentation, security information and event management/security orchestration, automation, and response (SIEM/SOAR) integration, detection engineering, exfiltration and jailbreak detections, anomalous agent action monitoring, incident triage playbooks, and continuous tuning based on observed attack patterns.
• Leads security reviews of RAG and agentic systems, including chunking and retrieval policies, vector store isolation, embedding pipeline validation, retrieval authorization, tool allow-listing, action confirmation, and human-in-the-loop controls for high-risk operations.
• Defines security requirements for model evaluation pipelines, benchmark data handling, canary tests, policy enforcement, and release gates so unsafe or noncompliant behavior is identified before promotion.
• Collaborates to ensure secure, compliant handling of sensitive and regulated data across AI systems and enterprise data platforms, including enforcement of data classification, retention, access controls, auditability, and secure data readiness for approved AI use cases.
• Collaborates on the design and implementation of AI and data governance frameworks, translating legal, regulatory, and compliance requirements into enforceable technical controls, security standards, and operational processes.
• Coordinates the development of secure data pipelines and control implementations, ensuring proper data sourcing, minimization, de-identification, and consistent application of enterprise data protection controls (e.g., DLP, encryption, retention) within AI architectures and workflows.
• Partner with application security, platform engineering, and data science teams to enable secure adoption of AI technologies.
• Jointly support investigations, incident response, and regulatory inquiries involving AI systems and enterprise data, including forensic analysis, evidence preservation, defensible documentation, and production of audit-ready artifacts for legal and compliance purposes.
• Develop and maintain integrated monitoring, detection, and response capabilities, aligning tools and processes (e.g., DSPM, eDiscovery, SIEM/SOAR, AI observability) to proactively identify and mitigate data leakage, insider risk, AI misuse, and anomalous system or user behavior.
• Consistently demonstrates high standards of integrity by supporting the Lifetime Healthcare Companies’ mission and values, adhering to the Corporate Code of Conduct, and leading to the Lifetime Way values and beliefs.
• Maintains high regard for member privacy in accordance with the corporate privacy policies and procedures.
• Regular and reliable attendance is expected and required.
• Performs other functions as assigned by management.
Qualifications:
Required:
• Ten (10) years of hands-on security engineering experience spanning application security, cloud security, security architecture, detection and response, platform security, or infrastructure security.
• Bachelor's degree in computer science, information technology, or relevant field. In lieu of degree, six (6) cumulative years of related experience required.
• Demonstrated experience securing production AI/ML systems, including large language model (LLM) applications, model serving stacks, retrieval-augmented generation architecture, or agent frameworks.
• Demonstrated advanced expertise in AI threat modeling and adversarial testing, including prompt injections, jailbreaks, insecure tool use, data and model poisoning, vector store abuse, model extraction, and sensitive data disclosure.
• Strong implementation knowledge of secure software development lifecycle (SDLC), continuous integration/continuous delivery (CI/CD) security, infrastructure as code (IaC), container and Kubernetes security, application programming interface (API) security, identity and access management (IAM), secrets management, key management service/hardware security module (KMS/HSM) integration, and cloud-native telemetry pipelines.
• Experience designing or reviewing controls for secure machine learning operations (MLOps): artifact provenance, signed builds, feature and dataset integrity, model registry controls, environment promotion, reproducibility, and rollback.
• Experience instrumenting detections and response workflows using logs, traces, metrics, security information and event management/security orchestration, automation, and response (SIEM/SOAR) pipelines, alert tuning, and incident handling for distributed systems or AI services.
• Advanced working knowledge of RAG security, embedding pipelines, retrieval authorization, policy engines, content filtering, and evaluation harnesses for safety, security, and regulated-data compliance.
• Advanced ability to write engineering standards, design docs, threat models, and control requirements that can be implemented and tested by platform and product teams.
• Hands-on familiarity with model gateways, policy enforcement layers, prompt filtering, content moderation, retrieval authorization, vector databases, and AI observability tooling.
• Working knowledge of static/dynamic application security testing, infrastructure as code (IaC) scanning, container image scanning, software bill of materials generation, artifact signing, secret scanning, and dependency-risk management as applied to AI delivery pipelines.
• Experience with AI red teaming platforms, safety and abuse evaluation harnesses, benchmark design, and automated release gates for model or prompt changes.
• Ability to work prolonged periods sitting and/or standing at a workstation and working on a computer.
• Ability to travel across the Health Plan service region for meetings and/or trainings as needed.
• Ability to work in a home office for continuous periods of time for business continuity.
Preferred:
• CISA, CISM, CCSP, HCISPP, GIAC and or CISSP certifications preferred.
• Prior experience in healthcare, payer, provider or similarly regulated environments with PHI/ePHI safeguards preferred.
• Familiarity with Sarbanes Oxley, HIPAA, OCR, AI RFM, HCFA, PCI/DSS, NIST and other regulations impacting security (with ISO17799 and NIST security standards) is preferred, as well as COBIT and COSO familiarity.
Company:
Excellus BlueCross BlueShield, a nonprofit independent licensee of the BlueCross BlueShield Association, is part of a family of companies that finances and delivers vital health care services to about 1.5 million people across upstate New York. Founded in 1932, the company is headquartered in Rochester, USA, with a team of 5001-10000 employees. The company is currently Late Stage.