CISOs to Watch in Tennessee’s Healthcare Industry

Tennessee’s healthcare sector extends well beyond its largest health systems. Across managed care, long-term care, behavioral health, and academic medical centres, security leaders are building and sustaining programs that protect patient data, satisfy complex regulatory requirements, and keep clinical operations running. The leaders in this feature represent that breadth, with backgrounds spanning governance, architecture, compliance, and operational security across some of the state’s most consequential healthcare organisations.

John Jeffries — Information Security Director, UT Medical Center

John Jeffries has spent nearly eleven years at UT Medical Center, the last eight as information security director, where he built the organisation’s inaugural cybersecurity roadmap and expanded the security team from the ground up. His program spans PCI, GRC, incident response, business continuity, identity and access management, cloud security, vulnerability management, and a managed SOC, all within a clinical environment subject to HIPAA and PHI requirements. He architected the enterprise PCI DSS compliance program from inception to certification, chaired the IT Policy Committee, and founded a cyber internship program in partnership with local universities. He has maintained a 90 percent team retention rate over nine years, which in a field defined by talent scarcity is a meaningful operational achievement.

Roger Brotz — Chief Information Security Officer, Acadia Healthcare

Roger Brotz brings more than forty years of progressive IT experience to his role as CISO at Acadia Healthcare, where he has served since 2023 after stepping up from senior director of information security. His tenure at Acadia spans nearly five years across both roles, giving him continuity across a behavioral health organization that operates at significant scale. He is also a founding member and advisory board member of TennesseeCISO, the peer leadership network for the state’s senior security executives, reflecting an investment in the broader Tennessee cybersecurity community alongside his operational responsibilities.

Benjamin Hicks — Assistant Vice President and Chief Information Security Officer, National HealthCare Corporation

Benjamin Hicks has spent more than eighteen years at National HealthCare Corporation, a tenure that reflects deep institutional knowledge across a long-term care environment with a large and geographically distributed footprint. He moved into the CISO role in 2022 after serving as director of information security and network operations, and before that spent a decade as a Unix administrator overseeing backup infrastructure, networking systems, email infrastructure, virtualization, and endpoint management across hundreds of locations. That technical foundation, built inside the same organization he now leads from a security perspective, gives him an operational grounding that is relatively uncommon at the executive level.

Nathan Kennedy — Vice President and Deputy Chief Information Security Officer, Molina Healthcare

Nathan Kennedy has built his entire career at the intersection of cybersecurity and healthcare, spending sixteen years at Molina Healthcare in security architecture, as associate vice president of security, and now as deputy CISO. His areas of depth include identity management, data loss prevention, privileged account management, security architecture, and HIPAA and HITECH compliance, and he holds certifications from ISC2, ISACA, SANS, EC-Council, and HITRUST. He founded the Middle Tennessee ISC2 chapter, contributed to the initial development of the NIST Cybersecurity Framework, and has served as a speaker and working group lead across healthcare IT security communities.

TJ Bean — Chief Information Security Officer, HCA Healthcare

TJ Bean has spent more than two decades at HCA Healthcare, where he has been responsible for building several of the organisation’s foundational security capabilities, including its first SIEM in 2006, its first formalised phishing program in 2008, its first automated vulnerability scanning program in 2009, its first mature GRC program in 2014, and its first in-house 24/7 Cyber Defense Center in 2016. He also established HCA’s ISAC and Cyber Intelligence program in 2017. That record of sustained first-mover program development inside one of the largest healthcare systems in the United States reflects both the operational scope of the role and the institutional credibility required to execute at that scale over an extended period.

The depth behind Tennessee’s healthcare security bench

What distinguishes this group is not just their individual credentials but the institutional weight they collectively represent. Long tenures, program-building experience, and deep familiarity with the regulatory and clinical realities of healthcare security are common threads. In a sector where the cost of a security failure is measured not only in dollars but in patient outcomes and regulatory exposure, that kind of grounded, sustained leadership is exactly what the environment demands.
