HCA Healthcare
Associate Security Vulnerability Engineer
The complete job description, requirements, and application details are available on the original posting.
About HCA Healthcare
HCA Healthcare, Inc. is a for-profit operator of healthcare facilities based in Nashville, Tennessee. Founded in 1968, the company operates around 190 hospitals and approximately 2,400 sites of care, including surgery centers, freestanding emergency rooms, urgent care centers, and physician clinics across 20 U.S. states and the United Kingdom. HCA Healthcare focuses on providing comprehensive healthcare services through an integrated network. Its core offerings include hospital-based care, ambulatory and outpatient services, and support services such as supply chain management and data analytics for clinical improvements. The company emphasizes physician-driven care and operational excellence, aiming to enhance patient outcomes through innovation and efficiency. HCA Healthcare also engages in philanthropic initiatives to support medical education and community service.
Security at HCA Healthcare
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
- HCA Healthcare's AppSec philosophy includes having information protection policies in place.
- They aim to establish and continuously refine standards and processes that align with the development lifecycle, and serve as an internal information security consultant to the enterprise.
- A stated goal is to monitor and track remediation activities to address weaknesses.
- However, no public, verbatim statements explicitly define a dedicated AppSec mission statement, a 'developer-first' vs 'gatekeeper' policy, or explicit public claims of a Security Champions program.
Security Team
The organizational structure and reporting line for HCA Healthcare's AppSec team are not publicly available. Key public-facing leadership includes Jason Barnett, Vice President and Chief Security Officer, who 'leads a converged program that includes cyber security, physical security, privacy' and 'oversees physical security, privacy, identity engagement, business risk solutions and cybersecurity.' The team size estimate is not publicly available, though a LinkedIn search for 'HCA Healthcare application security LinkedIn profiles' returned 3 profiles. As of, there are 4 active security-related job postings. Common skill/tool patterns from these postings include requirements to 'align with the development lifecycle', 'working knowledge of information security concepts, including ... cloud', 'monitor and track remediation activities to address weaknesses', and 'Lead and support the IPS program by assessing new applications and technologies'. No public org chart, explicit reporting line, headcount, or team composition breakdown was found.
Key Initiatives
No public evidence was found for a Security Champions Program at HCA Healthcare. 'Shift Left' practices are indicated by efforts to 'Establish and continuously refine standards and processes that align with the development lifecycle' and 'participate in strategic planning and sprint management using agile methodology'. The vulnerability management process involves intake by 'assessing new applications and technologies' and triage/remediation through partnering 'with appropriate stakeholders on vulnerability remediation' and monitoring/tracking 'remediation activities to address weaknesses'. Secure SDLC artifacts include participation 'in strategic planning and sprint management using agile methodology' and establishing/refining 'standards and processes that align with the development lifecycle'. Recent initiatives (last 6 months) are not publicly available. There is no public documentation detailing SLAs, MTTR targets, ticketing workflows, or a published vulnerability triage SLA.