Available for consulting and collaboration

Pham Duy Hoan

Head of Software | DevSecOps & Security & Cloud

Building secure, compliant platforms for regulated industries

8+ Years Experience | ISO 27001 | HSA Compliant | Cloud Experience

Specializing in compliance-driven systems, DevSecOps, and secure cloud architecture. Delivered systems that passed ISO 27001 & HSA audits.

About Me

Building Secure Systems That Pass Real Audits

As Head of Software at Biorithm, I lead engineering teams focused on medical device software and healthcare compliance. With 8+ years of hands-on experience, I specialize in designing and implementing systems that not only work but are built to pass the most rigorous regulatory audits.

My expertise spans the full SDLC: from threat modeling and secure architecture design to implementing DevSecOps pipelines and observability stacks. I've led teams through successful HSA and ISO 27001 certifications, ensuring every control, every log, and every deployment meets regulatory standards.

I believe security isn't a feature—it's the foundation. Every system I build starts with compliance in mind, because in healthcare, there's no room for shortcuts.

Leadership

Leading engineering teams to deliver audit-ready medical device software at Biorithm

Security-First

Implementing secure SDLC practices and threat modeling from day one

Audit Ready

Comprehensive technical documentation and compliance controls

Expertise

Core Competencies

8+ years building secure, scalable systems with a focus on compliance, DevSecOps, and cloud architecture for regulated industries.

DevSecOps Engineering

Implementing security at every stage of the development lifecycle. Building automated security scanning, vulnerability management, and incident response pipelines.

Cloud Architecture

Designing scalable, secure cloud infrastructure on AWS and GCP. Implementing VPC designs, IAM strategies, and multi-layer security architectures.

Compliance Engineering

Deep expertise in HSA and ISO 27001 compliance. Building systems with audit trails, access controls, and regulatory documentation.

Secure SDLC

Implementing security practices throughout the development lifecycle. From threat modeling to penetration testing and secure code review.

Observability & Monitoring

Building comprehensive observability with ELK stack, CloudWatch, and custom dashboards. Real-time alerting and incident response automation.

Experience

Professional Journey

A track record of delivering secure, compliant systems that pass real regulatory audits.

2019 - Present | Full-time

Head of Software

Biorithm

  • Led engineering for medical device software, ensuring HSA and ISO 27001 compliance
  • Researched algorithms that became unique selling points of the products, with IEEE publications
  • Designed and implemented secure cloud architecture (AWS, GCP) with zero-trust principles
  • Built end-to-end DevSecOps pipelines with automated security scanning at every stage
  • Established secure SDLC practices and threat modeling framework across all projects
  • Reduced security vulnerabilities by 85% through automated SAST/DAST integration
  • Implemented comprehensive observability stack using ELK and CloudWatch
2017 - 2019 | Full-time

Signal Processing Engineer | Software Engineer

Viettel - 5G Department

  • Implemented Layer 1 signal-processing algorithms for the 5G system at Viettel, a telecom corporation in Vietnam
  • Implemented those algorithms as multi-threaded, multi-process software on Linux
  • Built the CI/CD system for the teams

Architecture

Technical Diagrams

Visual representations of security-first architectures and compliance workflows.

Compliance Lifecycle

Continuous compliance process from requirements gathering through audit certification and ongoing monitoring.

flowchart LR
  subgraph Requirements["Requirements"]
    R1[Business Requirements] --> R2[Regulatory Requirements]
    R2 --> R3[Security Requirements]
  end
  subgraph Assessment["Risk Assessment"]
    R3 --> RA[Risk Analysis]
    RA --> TR[Threat Modeling]
  end
  subgraph Controls["Security Controls"]
    TR --> SC[Security Controls]
    SC --> IM[Implementation]
  end
  subgraph Audit["Audit & Certification"]
    IM --> DOC[Documentation]
    DOC --> TEST[Testing & Validation]
    TEST --> AUD[External Audit]
  end
  subgraph Monitoring["Continuous Monitoring"]
    AUD --> CM[Monitoring]
    CM --> IR[Incident Response]
    IR --> RA
  end
  style Requirements fill:#e0f2fe,stroke:#0284c7
  style Assessment fill:#fef3c7,stroke:#d97706
  style Controls fill:#dcfce7,stroke:#16a34a
  style Audit fill:#fee2e2,stroke:#dc2626
  style Monitoring fill:#f3e8ff,stroke:#9333ea

DevSecOps Pipeline

End-to-end security integration throughout the development lifecycle, from code commit to production monitoring.

flowchart LR
  subgraph Build["Build Stage"]
    A[Code] --> B[Build]
    B --> C[Test]
  end
  subgraph Security["Security Stage"]
    C --> D[SAST]
    D --> E[DAST]
    E --> F[Container Scan]
  end
  subgraph Deploy["Deploy Stage"]
    F --> G[Deploy to Staging]
    G --> H[Security Review]
    H --> I[Deploy to Prod]
  end
  subgraph Monitor["Monitor Stage"]
    I --> J[Monitor]
    J --> K[Alert]
    K --> L[Respond]
    L --> A
  end
  style Build fill:#e0f2fe,stroke:#0284c7
  style Security fill:#fef3c7,stroke:#d97706
  style Deploy fill:#dcfce7,stroke:#16a34a
  style Monitor fill:#f3e8ff,stroke:#9333ea

Case Studies

Selected Projects

Real-world implementations of compliance-driven, security-first engineering.

Healthcare Compliance

Compliance Management Platform

Built a comprehensive compliance management system for medical device software, enabling teams to track regulatory requirements, manage controls, and maintain audit-ready documentation for HSA and ISO 27001 certifications.

Key Results

  • Achieved HSA audit certification
  • Reduced compliance documentation time by 70%
  • Implemented automated control monitoring
  • Zero findings in subsequent audits

Compliance | HSA | ISO 27001 | Audit-Ready

Security Engineering

DevSecOps Pipeline Implementation

Designed and implemented an end-to-end DevSecOps pipeline with automated security scanning, vulnerability management, and incident response integration. Integrated SAST, DAST, and container scanning into every deployment.

Key Results

  • Reduced vulnerabilities in production by 85%
  • Decreased mean time to detection (MTTD) by 60%
  • Automated security gates eliminated manual review bottlenecks
  • Continuous compliance monitoring enabled

DevSecOps | SAST | DAST | CI/CD | GitHub Actions

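The pipeline diagram above and this case study describe the same gate sequence: build and test, then SAST, DAST and a container scan, then staging, a security review, and production. The following GitHub Actions workflow is an added example of that sequence wired up with the tools listed on this page (SonarQube, OWASP ZAP, Trivy); it is not Biorithm's pipeline and the repository layout it assumes is invented: a Dockerfile at the repository root, a service that listens on port 8080 and exposes a `make test` target, `SONAR_TOKEN` and `SONAR_HOST_URL` repository secrets, and GitHub environments named `staging` and `production`. Every stage that can block does block, so a merge to `main` can only reach production after the automated gates pass and a human approves the `production` environment.

```yaml
# Added example (not from the page): Build -> SAST -> DAST -> Container Scan
# -> Staging -> Security Review -> Prod as blocking GitHub Actions gates.
# Assumed: Dockerfile at repo root, service on port 8080 with a `make test`
# target, SONAR_TOKEN / SONAR_HOST_URL secrets, "staging" and "production"
# environments (production configured with required reviewers).
name: devsecops-pipeline

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # upload scanner SARIF to code scanning

env:
  IMAGE: app:${{ github.sha }}   # one immutable tag per commit

jobs:
  build-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t "$IMAGE" .
      - name: Unit tests inside the image (assumed `make test` target)
        run: docker run --rm "$IMAGE" make test
      - name: Hand the exact built image to the later jobs
        run: docker save "$IMAGE" -o image.tar
      - uses: actions/upload-artifact@v4
        with:
          name: image
          path: image.tar

  sast:
    needs: build-test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so SonarQube scopes "new code" correctly
      - uses: SonarSource/sonarqube-scan-action@v4
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
      - name: Fail the job when the SonarQube quality gate fails
        uses: SonarSource/sonarqube-quality-gate-action@v1
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  container-scan:
    needs: build-test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: image
      - run: docker load -i image.tar
      - name: Trivy image scan, failing on HIGH/CRITICAL findings that have a fix
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE }}
          format: sarif
          output: trivy.sarif
          severity: HIGH,CRITICAL
          ignore-unfixed: true   # unfixable findings are tracked, not blocking
          exit-code: "1"
      - uses: github/codeql-action/upload-sarif@v3
        if: always()   # keep the audit evidence even when the gate fails
        with:
          sarif_file: trivy.sarif

  dast:
    needs: build-test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: image
      - run: docker load -i image.tar
      - name: Start the built image as an ephemeral scan target
        run: docker run -d --name app -p 8080:8080 "$IMAGE"
      - name: OWASP ZAP baseline scan, failing on WARN/FAIL alerts
        uses: zaproxy/action-baseline@v0.14.0
        with:
          target: http://localhost:8080
          fail_action: true
          allow_issue_writing: false

  deploy-staging:
    needs: [sast, container-scan, dast]   # all three gates must pass
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - run: echo "deploy $IMAGE to staging"   # assumed deploy command

  deploy-prod:
    needs: deploy-staging
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production   # required reviewers here are the Security Review gate
    steps:
      - run: echo "deploy $IMAGE to production"   # assumed deploy command
```

The manual "Security Review" step from the diagram is not a workflow step at all: it is the required-reviewers rule on the `production` environment, so the approval, the approver and the timestamp are recorded by GitHub alongside the run, which is the kind of evidence an auditor asks for. The three scanners run against the same saved image rather than rebuilding, so what was scanned is byte-for-byte what gets deployed.
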
Cloud Architecture

Secure Cloud Infrastructure

Architected a zero-trust AWS infrastructure for healthcare applications, implementing private networking, IAM-based access control, encryption at rest and in transit, and comprehensive logging for audit trails.

Key Results

  • Zero security incidents in 24+ months
  • Achieved ISO 27001 certification
  • Reduced infrastructure costs by 30%
  • 99.99% uptime maintained

AWS | EKS | Terraform | IAM | Security

Tech Stack

Tools & Technologies

Technologies I work with to build secure, scalable, and compliant systems.

Cloud & Infrastructure

AWS
EKS
EC2
S3
CloudFront
IAM
CloudWatch

Containers & Orchestration

Kubernetes
Docker
Helm
Kustomize

Infrastructure as Code

Terraform
AWS CDK
Pulumi

CI/CD & DevOps

GitHub Actions
ArgoCD
Jenkins

Security Tools

SAST (SonarQube)
DAST (OWASP ZAP)
Trivy
Falco
Vault

Observability

ELK Stack
Prometheus
Grafana
Datadog

Contact

Let's Connect

Interested in discussing compliance-driven systems, DevSecOps, or secure cloud architecture? I'm available for consulting and collaboration.