Navigating Healthcare Compliance with Josh Daymont, CEO of Securisea
Healthcare technology organizations face an increasingly complex landscape of security assessments and compliance requirements. From SOC 2 examination to ISO 27001 certification, it can be difficult to know where to start. We recently sat down with Josh Daymont, CEO of Securisea, a compliance partner that works with organizations navigating multiple assessments and certifications at once, to discuss how healthcare companies can streamline their compliance journey.
Q: Healthcare technology organizations like Blackbird Health often need to pursue multiple security assessments or compliance frameworks at once. What's the biggest mistake you see companies making in this process?
A: The most common mistake is treating each assessment like it's completely separate from the others. Organizations will hire different firms to manage their SOC 2 examination and ISO 27001 certification, which leads to duplicated work, increased administrative burden to keep up with multiple points of contact, and just complete exhaustion across their teams. But here's the thing: these standards actually share significant overlap.
For example, both SOC 2 and ISO 27001 address access controls, encryption, incident response, and risk management through similar requirements. When you approach them strategically as one integrated program instead of two separate projects, you cut out so much redundancy and move more efficiently.
Q: What should healthcare technology companies prioritize when beginning their compliance journey?
A: Start by looking at what your customers are actually asking for in their vendor risk assessments and contracts. For most healthcare technology companies selling to enterprise clients, a SOC 2 examination has become a baseline requirement. Hospitals, insurance companies, and health systems routinely request SOC 2 Type 2 reports before they'll sign contracts or integrate your platform with their systems.
Once you've identified SOC 2 as a priority, I recommend considering ISO 27001 certification alongside it. ISO 27001 provides international credibility and demonstrates a comprehensive information security management system. It's particularly valuable if you're expanding internationally or working with partners who recognize ISO standards as the gold standard.
The key is working with a service auditor or certification body that can handle both standards simultaneously. That integrated approach gives you significant efficiency gains because you're building one security program that satisfies multiple requirements rather than maintaining separate programs for each standard.
Q: How has the compliance landscape changed for digital health companies in recent years?
A: Customers and partners expect so much more now. They want to see a comprehensive security program, not just one compliance checkbox. Five years ago, smaller healthcare technology companies could get by with basic security documentation. Today, enterprise healthcare clients routinely ask for SOC 2 reports from licensed CPA firms, and many also want to see ISO 27001 certification as evidence of a structured information security management system.
Plus, if you're working with health plans or handling protected health information, your cyber insurance provider may have premium incentives or requirements tied to recognized security assessments. The expectations have gone up across the board, and vendors who can't demonstrate robust security practices through independent assurance are increasingly being locked out of enterprise deals.
Q: What's your advice for healthcare organizations trying to maintain compliance while innovating rapidly?
A: Build security and compliance into your development process from day one instead of letting it sneak up on you later on. Make security practices part of how you work: multi-factor authentication, role-based access control, encrypted data at rest and in transit, documented change management, audit logging, and regular security testing like vulnerability scanning and penetration testing.
When compliance is baked into everything you do, it typically reduces remediation costs and helps you avoid late-stage release blockers compared to "bolt-on" compliance. In short, it's an upfront investment but it'll speed things up overall. The worst scenario is scrambling to implement controls three months before a major customer needs your SOC 2 report.
Q: What indicators suggest a healthcare organization has done the foundational work needed before engaging with a practitioner or certification body?
A: There are a few key indicators. First, they've documented their policies and procedures thoroughly in a way that accurately reflects how their organization operates. Second, their controls are suitably designed, implemented, and operating effectively. Things like encryption, access controls, logging, and vulnerability management, depending on the standard or framework.
Another critical indicator is that they've been operating these controls for a meaningful period, ideally at least three to six months before the examination or assessment begins. You need to see evidence of consistent operating effectiveness. I also look for organizations that have conducted internal gap analyses and started addressing issues proactively.
And leadership buy-in matters tremendously. When the executive team understands the scope and resource requirements, you avoid last-minute surprises. Organizations that check these boxes typically move through the process much more smoothly and with significantly less stress.
Q: How do you see the relationship between SOC 2 and ISO 27001 for healthcare technology companies?
A: They're actually quite complementary. SOC 2 is designed specifically for service organizations and is built around the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy, with security as the mandatory baseline. It's an examination performed under attestation standards and issued by a licensed CPA firm. Most enterprise healthcare clients in the U.S. are familiar with SOC 2 and expect to see those reports.
ISO 27001, on the other hand, is an international standard you can certify against that demonstrates you've implemented an information security management system following internationally recognized requirements. It requires more formal documentation and makes risk assessment architecturally central to control selection, which can actually strengthen your overall security program.
Where they overlap is in the fundamental security controls. Both require you to manage access, protect data, monitor systems, respond to incidents, and maintain security awareness. So if you're implementing controls for SOC 2, you're already building much of what you need for ISO 27001, and vice versa. The documentation requirements differ, but the underlying security practices align closely.
That's why pursuing both simultaneously makes so much sense. You're not building two separate security programs. You're building one robust program that satisfies both sets of criteria and requirements.
Connect with the Securisea team at www.securisea.com to discover how an integrated approach can accelerate your SOC 2 examination and ISO 27001 certification.
Blackbird Health
Blackbird Health provides comprehensive virtual and in-person mental health care for children and young adults, ages 2+. Our unique model delivers a complete picture of what’s behind a child’s symptoms using a whole-child assessment to uncover co-occurring issues.
