SOC 2 discourse has been dominating my LinkedIn feed for months. We’re clearly in the middle of a reckoning: signal drowning in noise, and a pay-to-play culture that’s hollowed out a lot of what these attestations were supposed to mean.
In healthcare, SOC 2 Type 2, HIPAA, and PCI DSS aren’t differentiators. They’re table stakes. Having just wrapped our most recent SOC 2 and HIPAA audit at Tendo, it feels like the right moment to reflect on where we stand as a company and as an industry.
I’ve never believed in treating compliance as a silo. Throughout my career I’ve watched that approach produce theater instead of security. Our audits are something different: a chance to validate and stress-test our controls, sharpen our reporting, advance our compliance automation, and build a security narrative grounded in evidence rather than marketing.
We’re a healthcare company. That means we’re not just vendors in this space; we’re participants in it. We run the same third-party risk management (TPRM) processes on our vendors that we ask others to run on us. As patients ourselves, we wonder where our own PHI lives and who’s handling it. We get the same breach notifications everyone else does. And while the industry seems to be growing numb to those notifications, our response is to tighten, not shrug.
The debate about what these attestations are actually worth will keep playing out on social media. We’ll keep doing the work, choosing the harder right over the easier wrong, and maintaining the track record we’ve built doing things that aren’t easy.
Learn more at trust.tendo.com