Tennessee’s healthcare sector operates under some of the most demanding conditions in cybersecurity: regulated environments, complex clinical infrastructure, sensitive patient data, and institutions that cannot afford meaningful downtime. The leaders in this feature have built their careers inside those constraints, across health systems, specialty hospitals, and employer-based health platforms that together represent a significant slice of the state’s healthcare landscape.
Andy Heins — Vice President and Chief Security and Privacy Officer, Lifepoint Health
Andy Heins leads an unusually broad portfolio at Lifepoint Health, overseeing information security, identity management, privacy, enterprise architecture, IT service management, clinical systems, data centre operations, and networking across a health system that includes more than 60 community hospitals, 49 rehabilitation hospitals, and 25 behavioural health facilities. Before joining Lifepoint, he held information security compliance roles at Community Health Systems and information security and internal audit roles at HCA Healthcare, giving him a foundation built across multiple large health system environments. A CISSP holder with an Executive CISO Certificate from Carnegie Mellon University’s Heinz College, he also serves as a founding advisory board member of TennesseeCISO and sits on multiple technology and academic advisory boards.
Joey Johnson — Chief Information Security Officer, Premise Health
Joey Johnson has served as CISO at Premise Health for nearly sixteen years, a tenure that reflects sustained institutional investment in building security as a business function rather than a compliance requirement. Over that period, he has transitioned the security programme from an isolated function into one integrated across business units, positioned it as a client-facing differentiator, and built an identity and access management capability at enterprise scale. Beyond Premise Health, he serves as an advisor and board member to cybersecurity investment groups, technology companies, and industry councils, and contributes to vendor risk management model development and M&A security diligence work that reflects a broader view of the healthcare security market.
Brian Elrod — Vice President and Chief Information Security Officer, St. Jude Children’s Research Hospital
Brian Elrod brings a career built entirely within the Memphis healthcare environment, progressing from information security internships and contractor roles through network security engineering before moving into executive security leadership at St. Jude Children’s Research Hospital. That long institutional arc, shaped by hands-on work in firewall administration, vulnerability scanning, penetration testing, DNS security, and HIPAA compliance, gives him a grounding in both the infrastructure and governance dimensions of healthcare cybersecurity. His profile reflects the kind of technically fluent, governance-oriented leadership that a research hospital environment demands.
Steve Crocker — Vice President and Chief Information Security Officer, Methodist Le Bonheur Healthcare
Steve Crocker joined Methodist Le Bonheur Healthcare as its first CISO in 2015, charged with building the organisation’s inaugural information security programme from the ground up. Over the decade since, he has developed and overseen enterprise security strategy, board and executive reporting, identity and access management, threat and vulnerability management, incident response, disaster recovery, IoT and medical device cybersecurity, and IT audit and compliance. His background spans healthcare, banking, government defence, hospitality, and manufacturing, and his certifications include CISSP, PMP, CEH, MCSE, and CCNA. He is also a member and former board member of Memphis InfraGard and the Society for Information Management.
Why healthcare cybersecurity leadership in Tennessee matters
Healthcare remains one of the most targeted sectors in cybersecurity, and the consequences of a breach or outage extend well beyond data loss. Patient safety, care continuity, regulatory accountability, and institutional trust all depend on security programmes that are operationally sound and strategically connected to how the organisation actually runs. The leaders in this feature reflect what that looks like in practice: long tenures, programme-building experience, and a consistent ability to work across clinical, administrative, and governance environments where the stakes are high and the margin for error is low.
