NH-ISAC Board of Directors


Aetna, Inc. – James Routh – CISM, CSSLP, Chief Information Security Officer
Mr. Routh leads Global Information Security with over 20 years of experience as a practitioner, management consultant and leader of technology and information security functions for global service firms. Prior to Aetna, he was the Global Head of Application and Mobile Security for JP Morgan Chase, and CISO for KPMG, Depository Trust & Clearing Corporation, and American Express. Mr. Routh is also Chairman of the FS-ISAC Products & Services Committee and former Board member.

Allergan plc – Mike Towers – VP Chief Information Security Officer
Mike is accountable globally for protecting the confidentiality, integrity and availability of Allergan’s vast information assets across an R&D supply chain and commercial enterprise spanning 250+ locations in ~100 countries. Previously, Mike was VP, Information Security Assurance at GlaxoSmithKline (GSK). There, Mike was accountable for the security of GSK’s information systems and computing infrastructure spanning 400+ sites in 110 countries, owning shared services in the areas of platform, network, application, data security and advanced threat defense.

Amgen – Gregory Barnes – Global Chief Information Security Officer
Mr. Barnes is the Global Chief Information Security Officer at Amgen and has over 20 years of experience as a practitioner. He began his security career in the United States Air Force, where he managed classified intelligence and cyber operations systems. Prior to joining Amgen, Mr. Barnes served as the CISO for Horizon Blue Cross Blue Shield of New Jersey, worked for Health Care Service Corporation as the ISO for Blue Cross of Oklahoma, and Lucent Technologies as a Managing Principal. At Lucent, he lead multiple highly skilled technology teams, designing advanced technology networks for MCI/Worldcom and conducting numerous program designs, penetration tests and technology engagements for Exxon, Washington Mutual, Cisco, State Farm, Williams Communications, WalMart and others. Mr. Barnes served as a former Chair to the Payer Subsector of the Healthcare and Public Health (HPH) Sector Coordinating Council (SCC,) and former Blue Cross Blue Shield Association (BCBSA) Cyber Security Subcommittee advisor.

BlueCross BlueShield of Western New York – Scott Morris – Chief Information Security Officer
Scott Morris serves as Chief Information Security Officer for BlueCross BlueShield of Western New York headquartered in Buffalo, New York. Morris is responsible for the development, governance and assurance of the health insurance company’s technology risk and third party risk programs, as well as the management of all information and cyber security domains. A seasoned information security executive possessing nearly two decades of experience, Morris has a successful track record of developing project methodologies, architectural governance, enterprise documentation, and team development. Morris is actively engaged in the cyber community, serving on the executive board of directors for InfoTech Niagara, the Advisory Board for local accounting firm, and is a frequent speaker at several national and local events and conferences.

CVS Health – Frank Price – Chief Information Security Officer
Frank Price serves as Chief Information Security Officer of CVS Health, the largest pharmacy healthcare provider in the United States, and is responsible for the company’s Enterprise Information Security Program. Prior to joining CVS Health in 2013, Frank worked in the telecommunications sector as Chief Information Security Officer of Alcatel-Lucent and in the healthcare sector as Vice President of Global Information Security at Medco Health Services, Inc. (now Express Scripts.) Frank has also held Information Security roles in the banking sector at Dai-Ichi Kangyo Bank and Long Island Savings Bank. He obtained his Bachelor of Science degree in Information Systems Management from New York University.

Emory University – Brad Sanford – Chief Information Security Officer
Brad Sanford currently serves as the Chief Information Security Officer for Emory University where he has overarching information security responsibilities for both Emory University and Emory Healthcare. Brad has over 25 years of IT experience working for organizations such as Humana, Vanderbilt University, Hospital Corporation of America, and Emory University where he has focused on creating and leading Information Security programs and developing innovative Information Security solutions. Brad was a finalist for Southeast Information Security Executive of the Year in 2011 and was the recipient of the 2011 Healthcare Information Security Executive of the Year award for North America. Brad is an active member of the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC). Additionally, Brad serves on the SANS Educational Advisory Board and served on customer advisory boards for Lancope and TippingPoint. Brad is also an Emory University faculty member within the Rollins School of Public Health where he serves as a periodic lecturer and has taught a graduate course on Information Security and Privacy.

Intermountain Healthcare – Karl West – Chief Information Security Officer and Assistant Vice President
Karl West has been involved in information technology and security for more than 30 years. His current responsibilities span all aspects of Cybersecurity and Strategy at Intermountain Healthcare, an integrated delivery network of 22 hospitals and 185 clinics in Utah and Southern Idaho. Security specialties include governance, architecture, risk and compliance, Identity and Access, eDiscovery, forensics, and incident management. He is currently a member of the Utah Health Information Network (UHIN) Privacy and Security Board, a member of the Association for Executives in Healthcare Information Security (AEHIS), which is part of CHIME, and also Weber State College’s Computer Science department.

Johnson & Johnson – Michael Wagner – Senior Director, IT Risk & Information Management
As a member of the IT Risk Management and Supply Chain Leadership Teams, Mr. Wagner has responsibility for the IT Risk Management Operating Model, Worldwide Information Security, Digital Asset Risk Management and the Worldwide Records and Information Management Program. Prior to J&J, he was Director of Information Security at Medco Health Solutions. Mr. Wagner holds a BS degree in Biology, US Air Force Academy; Master of Science degree.

McKesson – Spencer J Mott, SVP and Global CISO
Worldwide responsibility for Information Security and Risk Management with a staff of 200 and operating in a highly federated and diverse global healthcare business including drug distribution, manufacturing, devices, pharmacies, clinics and patient support programs. Prior to McKesson served as the Interim CIO at Amgen Biotechnology and also as CISO. Thirty years experience in the security sector including CISO at Electronic Arts, the Motion Picture Association and 15 years in the Metropolitan Police including the UK Security Services.

Merck & Co. – Terence Rice – Vice President, Information Risk Management and CISO
Mr. Rice is responsible for Information Security, IT Regulatory Readiness, Quality/Technical Assurance, Business Continuity Planning and Policy, and has held multiple roles at Merck, as Executive Director, Information Risk Management & Compliance within the Enterprise Technology & Application Services organization. Prior to Merck, Mr. Rice served as Director of Global Information Security for Johnson & Johnson, and then in the consulting industry in a variety of roles. Mr. Rice holds a BS degree from West Point; and a Masters of Science degree from George Washington University.

Medtronic – Patrick Joyce – Vice President – Information Technology, Chief Security & Privacy Officer (CISO)
Patrick Joyce is responsible for all global functions, strategies, operations and execution related to all forms of security and privacy across the company, including IT/cybersecurity, physical/facility and travel security, identity & access management (IAM), the product/device security programs and data privacy. Within Global IT, he is also responsible for the global process teams supporting Master Data Management, IT Quality Management and Legal/Compliance.
Patrick joined Medtronic in 2005 to initially build the Corporate IT Audit function, providing audit and consulting services across Medtronic’s global business units, corporate functions and IT organizations. In subsequent roles, he has also had responsibility for leading Medtronic’s Global IT Program & Portfolio Management Office, as well as Medtronic’s Global Physical Security organization and many of the IT Core Process Teams.

Partners Healthcare – Jigar Kadakia –  Chief Information Security and Privacy Officer CISSP, CIPP, CRISC
Jigar is the Chief Information Security and Privacy Officer for Partners Healthcare. He has more than 17 years of information security experience across multiple industries with a focus on healthcare delivery. Jigar holds a Bachelor of Science degree in Chemical Engineering from the University of Cincinnati and a Master in Business Administration from Xavier University.

Royal Philips –  Michael McNeil – Global Product Security & Services Officer
Michael C. McNeil is the current Global Product Security & Services Officer for Royal Philips. In this capacity, McNeil is responsible for leading the global product security program for the company and ensuring consistent repeatable processes are deployed throughout their products and services in the Healthcare market. Prior to this assignment, McNeil was the former Global Chief Privacy & Security Officer at Medtronic responsible for the development and design of their initial product security and incident response management programs; Chief IT Security Officer at Liberty Mutual Group; Global Chief Privacy Officer at Pitney Bowes, and Vice President, Chief Privacy Officer of Data Services for Reynolds & Reynolds.

UC Davis Medical Center – Jeanie Larson – Chief Information Security Officer
Ms. Larson is a seasoned IT security practitioner who is passionate about information sharing. Ms. Larson’s current role includes leading cyber incident response, vulnerability management, security operations, IT compliance and risk management programs. Prior to UC Davis, Ms. Larson led cybersecurity initiatives for Stanford Health Care and held various positions in the U.S. Government including the Office of Director of National Intelligence, where she led cyber threat information sharing initiatives across the government, including public-private partnerships with the Defense Industrial Base and the National Cybersecurity Investigative Joint Task Force (DC3/FBI).


NH-ISAC – Denise Anderson – President
Denise Anderson is President of the National Health Information Sharing and Analysis Center (NH-ISAC). Prior to NH-ISAC, she was a Vice President of FS-ISAC where for almost nine years she helped the ISAC grow and achieve its successful status in the information sharing community. She has over 25 years of executive management level experience in the private sector. Denise currently serves as Chair of the National Council of ISACs (NCI). She was instrumental in implementing a CI/KR industry initiative to establish a private sector liaison seat at the National Infrastructure Coordinating Center (NICC) to enhance information sharing between the private sector, CI/KR community and the federal government and serves as one of the liaisons. She is a health sector representative to the National Cybersecurity and Communications Integration Center (NCCIC) — a Department of Homeland Security-led coordinated watch and warning center that improves national efforts to address threats and incidents affecting the nation’s critical information technology and cyber infrastructure. Denise was certified as an EMT (B), and Firefighter I/II for twenty years and as an Instructor I/II and state EMT evaluator in Virginia for over ten years. Denise holds an MBA in International Business and is a graduate of the Executive Leaders Program at the Naval Postgraduate School Center for Homeland Defense and Security.