Hospitals and health systems across the country are appointing chief information security officers to oversee cybersecurity efforts, assist with data management and drive new technology implementation. While the role can vary from one organization to another, many CISOs featured on this list are experts in healthcare cybersecurity and manage teams who specialize in keeping patient and provider data safe.
This list highlights the outstanding efforts of CISOs across the country, many of whom have extensive IT leadership experience. They have received professional recognition from health IT societies, advised on health IT initiatives and held leadership roles for professional development organizations.
Becker's Hospital Review accepted nominations for this list and conducted internal research to develop the final profiles. Individuals and organizations featured on this list do not pay and cannot pay for inclusion. CISOs are listed in alphabetical order.
For questions or comments on this list, contact Laura Dyrda at ldyrda@beckershealthcare.com.
Tom Balcavage. CISO of Jefferson Health (Philadelphia). Mr. Balcavage is responsible for implementing enterprisewide cybersecurity strategy at Jefferson Health, which includes 14 hospitals, large physician practices and several ambulatory locations. He oversees the security for thousands of patient records and ensures Jefferson Health's network is secure. Prior to joining Jefferson, Mr. Balcavage was the CIO and chief technology officer of Kennedy Health, a New Jersey-based health system that merged with Jefferson in 2017.
Dan Bowden. Vice President and CISO of Sentara Healthcare (Norfolk, Va.). Mr. Bowden oversees the information security program at Sentara Health, working on cybersecurity solutions for the organization's digital platforms. He previously served as CISO of Salt Lake City-based University of Utah Healthcare. He is a frequent speaker at HIMSS conferences and works with Virginia-based universities to help encourage the development of a cybersecurity workforce. His part-time staff includes 10-plus university students.
Andrew Coyne. CISO of Mayo Clinic (Rochester, Minn.). Mr. Coyne became CISO at Mayo Clinic in April 2016. He oversees information security for the health system, which serves 1.3 million patients annually and includes 4,729 staff physicians and scientists. Prior to that, he was a director in PwC's Health Industries Cybersecurity practice, where he spearheaded the creation of information security programs for Fortune 500 companies.
Kevin Crain. CISO of University of Maryland Medical System (Baltimore). Before serving as CISO of University of Maryland Medical System, Mr. Crain was CISO for Pocono Health System in East Stroudsburg, Pa. He has received the Certified Information Security Manager certification from ISACA and the Certified Information Systems Security Professional certification from the International Information System Security Certification Consortium to denote his training. Mr. Crain chairs the UMMS Security Council and oversees the development of and approach to the UMMS adoption of the NIST framework for cybersecurity.
Auston Davis. CISO of Lucile Packard Children's Hospital (Palo Alto, Calif.). Mr. Davis brings more than 18 years of information security, technology and investigations experience to his role as CISO of Lucile Packard Children's Hospital. He previously worked with the U.S. Air Force and Air Force Reserves and has served as a special agent with the Air Force Office of Special Investigations, focusing on counterintelligence and cybercrimes. He also serves on the adjunct faculty of San Jose (Calif.) State University, teaching cryptology and computer security.
Erik Decker. Chief Security and Privacy Officer of University of Chicago Medicine. Mr. Decker oversees cybersecurity, identity and access management and privacy programs as chief security and privacy officer for the University of Chicago Medicine. He is the industry co-chair for the CISA 405d joint public-private task group, which focuses on creating best practices and cybersecurity initiatives in the healthcare arena. He is also board chair of the Association of Executives in Healthcare Information Security, which includes 800 CISOs.
Scott Dresen. Senior Vice President of Information Services, Chief Technology Officer and CISO of Spectrum Health (Grand Rapids, Mich.). Mr. Dresen is senior vice president of information services, chief technology officer and CISO at Spectrum Health, a 12-hospital health system that includes 2,000 employed physicians and advanced practice providers. The health system offers patients the ability to communicate with providers 24/7 through technology on their laptop, tablets or smartphones. Mr. Dresen oversees the technology infrastructure and information security for the $6 billion-plus integrated health system.
Kelley Ealy. CISO of TriHealth (Cincinnati). Ms. Ealy assumed the newly created CISO role at TriHealth March 5. She focuses on establishing and maintaining the health system's information security management program. She previously worked as CISO of Software Information Systems, a technology solutions and services company. She has earned the Certified Cloud Security Professional credential from the Cloud Security Alliance and International Information System Security Certification Consortium.
Michael Erickson. CISO of Baptist Health (Louisville, Ky.). Mr. Erickson became CISO of Baptist Health in 2016, prior to which he was the health system's executive director of IT infrastructure and security. In addition to serving as CISO, he is a member of the system enterprise risk management committee, which oversees Baptist's information security risk management programs. He serves as a member of the Kentucky chapter of InfraGard, a nonprofit public-private partnership between U.S. businesses and the FBI.
Cris Ewell, PhD. CISO of UW Medicine (Seattle). Before he became CISO at UW Medicine, Dr. Ewell served as CISO of Seattle Children's Hospital. He has earned the Certified Information Security Manager certification from ISACA and the Certified Information Systems Security Professional certification from the International Information System Security Certification Consortium. He also serves as an affiliate assistant professor of biomedical informatics and medical education at the University of Washington in Seattle.
Nick Falcone. CISO of Albert Einstein Healthcare Network (Philadelphia). As CISO of Albert Einstein Healthcare Network, Mr. Falcone is responsible for all risk, security, provisioning and privacy programs. He collaborates regularly with state and federal bodies and contributes to proposed regulations on privacy and information security. His prior experience includes serving as an enterprise information security officer and security operations engineer.
Bruce Forman. CISO of UMass Memorial Health (Worcester, Mass.). At UMass Memorial Health, Mr. Forman focuses on protecting electronic patient health information as well as overall IT security. Previously, Mr. Forman was director of information security for Kennett Square, Pa.-based Genesis HealthCare, which operates about 450 skilled nursing centers and senior living facilities across the country. There, he played a key role in establishing security strategies, among other accomplishments.
Jim Garrett. Interim CISO at University Hospital (Newark, N.J.). Mr. Garrett serves as interim CISO of University Hospital, where he assisted in the hospital's completion of Meaningful Use attestation. He also supports the governance, risk and compliance framework to conduct Meaningful Use and HIPAA compliance assessments. Mr. Garrett previously served as CISO for the State of New York and oversaw the state's enterprise information security office. He also was 3M's first CISO.
Jeremiah Grant. Vice President and CISO of Novant Health (Winston-Salem, N.C.). Mr. Grant is responsible for working with the health system's leadership to provide cybersecurity across the system. He is a member of Novant's enterprise risk management committee and evaluates its cybersecurity program performance. Mr. Grant previously served as the manager of the information security office and as an information security architect at Novant before he was promoted to his current role as vice president and CISO. In 2018, he was nominated for the CISO Breakaway Leader Award.
Andy Heins. Vice President, Information Security Officer at LifePoint Health (Brentwood, Tenn.). Mr. Heins serves as the highest information security official for LifePoint Health, which owns and operates hospitals and other healthcare providers in more than 70 communities. He is responsible for day-to-day cybersecurity strategy and operations. Mr. Heins previously held roles in information security compliance at Franklin, Tenn.-based Community Health Systems and information security and internal audit roles at Nashville, Tenn.-based HCA Healthcare.
Dan Henke. Vice President of Information Security at Mercy Technology Services (St. Louis). Mr. Henke has more than two decades of IT experience. At Mercy Technology Services, he manages the information security office. He previously served as CISO for sales and marketing services company Maritz Holdings.
Chris Joerg. CISO of Cedars-Sinai Health System (Los Angeles). Mr. Joerg is an information security industry expert with more than 20 years of experience. He worked at global IT company Unisys before joining Cedars-Sinai Health System as CISO. He has also served in leadership roles at IBM, CompuCom and Caesars Entertainment Corp.
David Jollow. CISO of Nemours (Jacksonville, Fla.). Mr. Jollow directs, coordinates, plans and organizes information security activities at Nemours, a health system with three main locations in Florida focused on pediatric care. He also serves as the primary contact for third parties and internal staff on information security issues.
Thien Lam. Vice President and CISO of BayCare (Clearwater, Fla.). At BayCare, a 15-hospital health system, Mr. Lam is responsible for information security and cybersecurity. He previously served as data security officer and director of information security for Houston Methodist. He also held security positions at the University of Texas MD Anderson Cancer Center and Kelsey-Seybold Clinic, both in Houston.
Michael Maksymow Jr. Vice President and CIO of Beebe Healthcare (Lewes, Del.). Mr. Maksymow leads the information systems and technology, IT security, project management, telecommunications, clinical informatics, and biomedical engineering teams at Beebe Healthcare. Before that, he was director of IT operations at Marlton, N.J.-based Continuum Health Alliance. He also served as director of information services and telecommunications for Robert Wood Johnson University Hospital Hamilton (N.J.).
Kevin McDonald. Director of Clinical Information Security at Mayo Clinic (Rochester, Minn.). Mr. McDonald has worked in healthcare for more than 35 years. In his current role as director of clinical information security, he is responsible for ensuring medical devices, environmental systems and clinical support systems at Mayo Clinic are secure. He has worked in various areas during his healthcare career, including critical care and emergency nursing, nursing management, and EMR implementation.
Ronald Mehring. CISO and Vice President of Information Security for Texas Health Resources (Arlington). Mr. Mehring works at Texas Health Resources, which owns, operates or has joint ventures with 29 hospitals. As vice president of information security, he leads IT governance, risk management and compliance, security architecture, security operations, and the IT business continuity and disaster recovery program. Before joining Texas Health Resources, he worked for the Department of Veterans Affairs after a 21-year military career. At the VA, he led compliance assessment teams and served as deputy director for network and security operations.
Jacki Monson. CISO and Chief Privacy Officer of Sutter Health (Sacramento, Calif.). Sutter Health hired Ms. Monson as chief privacy officer and CISO to build out the company's privacy program, and within two years she successfully developed a fully functioning model. Ms. Monson now oversees all facets of the $12 billion health system's privacy and information security programs. She is equipped with more than two years of experience as Rochester, Minn.-based Mayo Clinic's chief privacy officer, and she has held privacy and information security roles for other organizations.
Mitchell Parker. Executive Director of Information Security at IU Health (Indianapolis). Mr. Parker has served as executive director of information security for the largest healthcare system in Indiana since September 2016. He leads the 21-person team charged with protecting the systems and data of more than a dozen IU Health-affiliated hospitals. Mr. Parker assumed responsibility for keeping IU Health's 130,000 machines secure after serving as Philadelphia-based TempleHealth's CISO for eight years.
Christy Preen. CISO of Tenet Healthcare (Dallas). Ms. Preen manages security for Tenet Healthcare, which operates integrated care delivery networks for 68 acute care and specialty hospitals, as well as other facilities. In 2016, she served as a panelist alongside three other experts at a Dallas/Fort Worth American Nursing Informatics Association event.
Anahi Santiago. CISO at ChristianaCare (New Castle, Del.). As CISO of ChristianaCare, Ms. Santiago works closely with the system's regulatory division and promotes professional training opportunities for the IT and security teams. Previously, she served as Philadelphia-based Einstein Healthcare Network's director of information security and support services for eight years. Ms. Santiago sits on an advisory board for the nonprofit eHealth Initiative, which provides guidance on information security to federal agencies.
Larry Schunder. Chief Technology Officer and CISO of Ardent Health Services (Nashville, Tenn.). Mr. Schunder is responsible for all aspects of technology, networking, data management, and security at Ardent Health Services, a 31-hospital health system that includes 25,000 employees and 1,150 employed providers. During his time at Ardent, Mr. Schunder has successfully consolidated its data center from acquisitions and deployed programs systemwide to ensure devices are encrypted and current on anti-virus protection. He also integrated three help desks into one and enhanced the health system's hot disaster recovery site.
Anthony Siravo. Vice President and CISO of Lifespan (Providence, R.I.). Mr. Siravo became Lifespan's CISO in November 2015, assuming responsibility for ensuring IT security infrastructure compliance. In his previous role as CISO of Zebra Technologies, a tech company with more than 140 locations around the world, Mr. Siravo oversaw the successful $3.5 billion acquisition and integration of Motorola Solutions' enterprise business. He earned his MBA from Smithfield, R.I.-based Bryant University, which enables him to explain cybersecurity risks in terms of business goals and metrics.
Glynn Stanton. CISO of Yale New Haven (Conn.) Health. As head of the Office of Information Security at Yale New Haven Health, Mr. Stanton manages cybersecurity, network operations and disaster recovery processes for the health system's five hospitals, 250 ambulatory locations and a physician foundation comprising 1,000-plus providers. Mr. Stanton also supports the 1,300 Yale Medicine physicians and all staff members who rely on Yale New Haven's EMR. Mr. Stanton created the Connecticut Hospital Association's CISO workgroup, serves on the IT committee of the insurance company MCIC Vermont, and is a member of New Haven-based Yale University's HIPAA Privacy and Security Advisory Committee.
Tom Stumpek. CISO of Lahey Health (Burlington, Mass.). Mr. Stumpek is responsible for the information security of Lahey Health's network of more than 1,400 primary care providers. He previously held CISO, chief technology officer and CIO titles at General Electric, where he devoted more than 20 years to working in the financial services, insurance, manufacturing and corporate sectors. At numerous executive IT events, Mr. Stumpek has delivered lectures on technology strategy, enterprise risk, innovation risk and developing a culture of change.
Dave Summitt. CISO of H. Lee Moffitt Cancer Center and Research Institute (Tampa, Fla.). Mr. Summitt directs Moffitt's enterprise information security management program and all activities related to patient, employee and corporate information security. In addition to collaborating with executive management to determine acceptable risk levels, he advises leaders on handling cybersecurity risks. In 2017, Information Security Executive awarded Mr. Summitt the Southeast People's Choice Award for outstanding IT leadership.
John Weller. CISO of Metro Health Hospital (Wyoming, Mich.). With more than 30 years of IT experience, Mr. Weller continuously reviews Metro Health Hospital's cybersecurity strengths, weaknesses and compliance requirements. His approach to ensuring security for the hospital's thousands of medical devices, employees and vendors involves heavy reliance on skilled systems administrators.