Senior Data Security Architect

McKesson is an impact-driven, Fortune 10 company that touches virtually every aspect of healthcare. We are known for delivering insights, products, and services that make quality care more accessible and affordable. Here, we focus on the health, happiness, and well-being of you and those we serve - we care.

What you do at McKesson matters. We foster a culture where you can grow, make an impact, and are empowered to bring new ideas. Together, we thrive as we shape the future of health for patients, our communities, and our people. If you want to be part of tomorrow's health today, we want to hear from you.

CoverMyMeds Technology is seeking a Senior Data Security Architect to join our Data & Analytics organization. Our team is a highly technical group of engineers, architects, and governance professionals focused on delivering trusted, secure, and compliant data solutions at scale. This work directly supports healthcare operations that help more people get the medicine they need to live healthier lives - and doing so securely is non-negotiable.

*McKesson complies with all applicable U.S. immigration laws and regulations. The Company does not provide employer support or sponsorship for any immigration related employment benefit for this role.

Applicants must be currently authorized to work in the United States on a fulltime basis without the need for employer support or sponsorship now or in the future. This includes having the legal right to work in the United States without the need for McKesson support or sponsorship for any immigration related employment authorization (e.g., H1B, O1, E3, H1B1, TN, F1 OPT, F1 STEM OPT, F1 CPT, etc.) now or in the future. If you will require McKessonto provide immigration support or sponsorship now or in the future, you should not apply for this position.

About the Role:

The Senior Data Security Architect is a specialized, senior individual contributor responsible for designing and governing the end-to-end data security architecture across CoverMyMeds' cloud and on-premises data ecosystem. This role bridges compliance frameworks (SOX, HIPAA, SOC 2, FedRAMP) with hands-on implementation of security controls at every layer of the data platform - from ingestion through Gold-layer consumption.

The ideal candidate has implemented data rights and security governance at enterprise scale in healthcare or financial services environments, understands how security must be designed differently when external customers consume reports or data products, and can translate regulatory requirements into reusable, auditable architectural patterns on Databricks and Azure.

Responsibilities:

• Define and own the enterprise data security architecture across the CoverMyMeds data platform - spanning Databricks Unity Catalog, Azure Data Lake Storage, Azure Data Factory, and downstream BI/reporting layers.

• Design and implement role-based access control (RBAC), attribute-based access control (ABAC), and row/column-level security patterns across Unity Catalog, ensuring controls propagate correctly from source to Gold-layer consumption.

• Lead data rights enforcement architecture - designing entitlement models, consent-based access patterns, and contractual data tier controls that support both internal use cases and external customer data sharing.

• Architect identity and access management (IAM) patterns integrated with Okta, Microsoft Entra ID, SailPoint, and CyberArk - covering human users, service accounts, and CI/CD service principals.

• Define tokenization, de-identification, and encryption strategies for PHI/PII data across all platform layers, including selection and integration of tools such as Datavant for tokenization and Azure Key Vault for secrets management.

• Design masking architecture across non-production environments, ensuring analysts and engineers can validate pipelines against production-representative data without exposure to raw PHI/PII.

• Establish external-facing data security patterns for customer portals, partner integrations, and embedded analytics - including multi-tenant access isolation, data residency controls, and audit logging.

• Build the SOX ITGC control evidence architecture: defining how logical access reviews (SailPoint UAR), change management audit trails (CI/CD deployment logs), segregation of duties, and privileged access restrictions are documented and evidenced.

• Lead HIPAA, SOC Type II, and FedRAMP alignment across data platform controls - partnering with Legal, Compliance, and Privacy teams to ensure regulatory requirements are implemented as concrete platform controls rather than policy statements.

• Partner with Data Engineering, SRE, and DBA teams to embed security controls into pipeline development standards, CI/CD deployment gates, and platform onboarding checklists.

• Define data classification frameworks, PII/PHI tagging governance, and tag propagation standards across the medallion architecture - including accountability models for tag validation and source contract change notification.

• Evaluate and recommend security tooling decisions, including resolution of platform-level decisions such as TrustLogix versus Unity Catalog native fine-grained access control.

• Produce architecture decision records, security control matrices, and evidence artifacts consumable by internal audit teams and external auditors.

Skills You'll Need:

• Bachelor's degree in Computer Science, Information Systems, Cybersecurity, or a related field.

• 7+ years of technical and professional experience, with at least 4 years focused on data security architecture or data governance in a cloud environment.

• Proven experience implementing data security controls in regulated healthcare environments: HIPAA/HITECH compliance, PHI handling, and audit-ready evidence production.

• Strong working knowledge of SOX ITGC controls - specifically logical security, change management, user administration, and computer operations domains as they apply to data platforms.

• Hands-on experience with IAM platforms: Okta, Microsoft Entra ID (Azure AD), SailPoint, and CyberArk service account management.

• Deep knowledge of Databricks Unity Catalog security: RBAC, ABAC tag-based policies, dynamic data masking, row/column-level security, and the interaction between workspace-level and catalog-level permissions.

• Experience implementing tokenization, de-identification, pseudonymization, and encryption-at-rest/in-transit strategies for sensitive healthcare data.

• Understanding of Azure cloud security architecture: Azure Private Endpoints, VNet-level network isolation, Azure Key Vault, managed identities, and Azure RBAC.

• Experience designing security architecture for external customer-facing data products: multi-tenant access isolation, partner data sharing controls, and row-level security in BI tools (Tableau, Power BI).

• Strong ability to translate regulatory requirements into concrete, implementable platform controls - not just policy documentation.

• Excellent communication skills; ability to produce audit-quality evidence artifacts and explain security architecture to both technical teams and compliance auditors.

Preferred Skills:

• SOC 2 Type II and/or FedRAMP implementation experience - specifically scoping, control mapping, and evidence production for cloud-hosted data platforms.

• Experience with healthcare data sharing and consent frameworks - including HIPAA minimum necessary standards, TPO exceptions, and patient authorization models for data use.

• Knowledge of data rights enforcement at scale: contractual data tier entitlements, data sharing agreements, and purpose-based access controls that survive schema evolution.

• Experience with FHIR-based data platforms and the security implications of interoperability standards in regulated environments.

• Familiarity with data security posture management (DSPM) tooling and cloud security posture management (CSPM) platforms.

• Experience governing de-identification mechanisms for non-production environments, including tooling evaluation and integration (e.g., Datavant, Privitar, or equivalent).

• Working knowledge of Databricks Asset Bundle deployment security: CI/CD service account scoping, environment-level permission boundaries, and change management audit trail design.

• Experience operating within complex enterprise governance structures involving corporate IT, legal, privacy, and compliance stakeholders across multiple business units.

Why Join CoverMyMeds

We hire people looking for a career, not just a job. As part of our Data & Analytics organization, you will play a key role in ensuring that CoverMyMeds' data platform is trusted, compliant, and secure for both internal teams and the external healthcare partners who depend on our data products. Your architecture decisions will directly protect patient data and enable our mission to help more people get the medicine they need.

About CoverMyMeds

CoverMyMeds, part of McKesson Corporation, is a medication access company committed to helping people get the medicine they need to live healthier lives. Through innovation and collaboration, CoverMyMeds' solutions seamlessly connect the healthcare network to improve medication access - increasing speed to therapy and reducing prescription abandonment. CoverMyMeds' network includes 75% of electronic health record systems (EHRs), 50,000+ pharmacies, 750,000 providers and most health plans and pharmacy benefit managers. Visit covermymeds.com for more information.

We are proud to offer a competitive compensation package at McKesson as part of our Total Rewards. This is determined by several factors, including performance, experience and skills, equity, regular job market evaluations, and geographical markets. The pay range shown below is aligned with McKesson's pay philosophy, and pay will always be compliant with any applicable regulations. In addition to base pay, other compensation, such as an annual bonus or long-term incentive opportunities may be offered. For more information regarding benefits at McKesson, pleaseclick here.

Our Base Pay Range for this position

McKesson has become aware of online recruiting-related scams in which individuals who are not affiliated with or authorized by McKesson are using McKesson's (or affiliated entities, like CoverMyMeds or RxCrossroads) name in fraudulent emails, job postings or social media messages. In light of these scams, please bear the following in mind:

McKesson Talent Advisors will never solicit money or credit card information in connection with a McKesson job application.

McKesson Talent Advisors do not communicate with candidates via online chatrooms or using email accounts such as Gmail or Hotmail. Note that McKesson does rely on a virtual assistant (Gia) for certain recruiting-related communications with candidates.

McKesson job postings are posted on our career site: careers.mckesson.com.

McKesson is an Equal Opportunity Employer

McKesson provides equal employment opportunities to applicants and employees, without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran status, disability, age, genetic information, or any other legally protected category. For additional information on McKesson's full Equal Employment Opportunity policies, visit our Equal Employment Opportunity page.

McKesson is committed to being an Equal Employment Opportunity Employer and offers opportunities to all job seekers including job seekers with disabilities. If you need a reasonable accommodation to assist with your job search or application for employment, please contact us by sending an email to (United States) Disability_Accommodation@McKesson.com or (Canada) Accessibility@mckesson.ca. Resumes or CVs submitted to this email box will not be accepted.

Join us at McKesson!