Entry to competitive HealthTech markets should be accessible to all

According to research released in April 2023, 99% of healthcare and/or hospital webpages keep and track user data, with a median of 16 third parties per webpage having access to that data. Against that backdrop, 55% of healthcare companies reported in late 2022 that they had suffered a third-party data breach within the past year.

Add to this the dozens, if not hundreds (or even thousands), of third-party vendors that are at play at your local physician’s office, hospital, or insurance network, and you can see why healthcare, in particular, needs to be diligent with information security and privacy compliance.

The cost of innovation

What separates HealthTech from some of the bigger healthcare players is their innovation and the speed to market. With new technology and unique ways of tackling niche pain points, companies in tele-health, wearables, or remote monitoring are able to offer solutions that simply move faster than larger, more established players.

But is innovation, which has major upsides in an expensive, often-broken industry, worth the risks in an era of desperate need for security and data privacy compliance?

Consider the role of tele-health in response to Covid-19 just a few years ago. While not a new HealthTech innovation, its demand skyrocketed as people sequestered themselves but still wanted to see their physicians or psychiatrists. Those offices rushed to meet demand often by using off-the-shelf products like Zoom.

Many industry insiders were willing to look the other way, even though standards like HIPAA were more at risk in those settings than when services were rendered inside the four walls of a protected examination room. Still, as time has passed, more and more tele-health companies and solutions are moving to a more robust (and compliant) approach to data security.

As mentioned, HIPAA is the national standard that comes to mind first when thinking about privacy and information security in and around HealthTech. To say it’s the most common requirement across the industry isn’t an overstatement. It’s a federal law created to secure medical records and other protected health information, and it has broad reach. But what many people beyond the industry don’t understand is that HIPAA is, at its core, self-regulated. Companies can be HIPAA compliant-ish simply by self-auditing and self-reporting, not unlike an honor system. Independent verification isn’t required per se, and formal certification or other third-party attestation is, in effect, optional.

There’s nothing inherently wrong with enforcing HIPAA in this way. However, for obvious reasons, especially in light of the increasing number of third parties in a digital marketplace multiplied by the increasing number of breaches, the healthcare industry has called for more stringent controls in recent years.

HITRUST is the answer to this call. HITRUST CSF is an internationally respected cybersecurity framework that was created to unify the rules of many other industry and regulatory frameworks, including HIPAA. It is a standardized compliance framework, assessment, and certification process that supports data protection and security compliance through a prescriptive framework of controls. It is accepted alongside other well-known audits and certifications, such as SOC 2 and ISO 27001, in many industries; however, it is required for vendors of most healthcare systems and health insurance companies. Its three assessment levels (e1 for essential security, i1 for more robust controls, and r2 for comprehensive controls, documentation, and assurance) are considered highly robust, with assessments ranging from 44 to 200+ requirements.

The problem is that HITRUST relies on the two things that innovators fear the most in their evolution from start-up to scale-up: time and money.

Because HITRUST is so respected and robust (and increasingly required by significant healthcare players like United Healthcare, Blue Cross Blue Shield, etc.), it can take a long time to prepare for and achieve certification. Of course, the money required to do the work and maintain compliance follows close behind.


SOC 2 as a starting point

HITRUST is not inherently only for healthcare or HealthTech companies. Its controls are stringent, which matches where the healthcare industry is in its infosec evolution, and so many of its early adopters have been located within the industry. As a result, HITRUST is internationally recognized and respected but not yet as ubiquitous as other frameworks.

You can’t say the same about SOC 2, which has been and continues to be the common currency in infosec compliance in many industries, especially for those companies operating out of North America.

Especially when we think about the “tech” side of HealthTech, it makes sense that many companies seek out SOC 2 reports as they start to scale. Not only are these companies increasingly collecting customer data, they’re increasingly doing deals and forming partnerships with other cloud-based companies, making infosec compliance, in many cases, essential to success.

At my company, Thoropass, we not only have our own origin stories about struggling with SOC 2 for the first time, but we also started by focusing on SOC 2. While we now specialize in several frameworks (including ISO, HIPAA, and HITRUST), our unique strategy of offering automation software alongside in-house audit experts lowered the barrier to entry for a new generation of innovators. Our entire business was founded on the belief that innovative companies must keep their focus on innovating while we guide them through the compliance process. It’s a belief that we still hold today.

One audit, two frameworks

As a result of our business strategy and the reliability of SOC 2 for security and business purposes, we continue to offer in-house audits and technology to a host of industries, chief among them HealthTech, which is an industry that just seems to be getting stronger each year.

But as we offered HealthTech companies this SOC 2 experience, we began to ask ourselves how else we could lower barriers to innovation through compliance. We naturally landed on HITRUST, one of the most sought-after compliance frameworks for serious innovators in healthcare.

Specifically, we identified HITRUST e1, its essential-level assessment, as a perfect extension of the SOC 2 audits we already offer. Not only does a SOC 2 audit get most customers over halfway to the controls needed to satisfy HITRUST e1, but our in-house auditors can provide both the SOC 2 attestation and the HITRUST assessment.

In short, we can do one audit to get HealthTech innovators to two frameworks without the traditional extra investments in time and money.

Increasing access to compliance

Having led IT control, compliance, and vendor management at Citigroup for over two decades, I know firsthand how gatekeeping and (lack of) trust can open doors or slam them shut for small or medium businesses trying to break into larger markets.

It can be counterintuitive to think of an investment in infosec compliance as a way to speed this access up. However, with my co-founders at Thoropass, we want to instill that kind of innovative thought process in new and scaling businesses.

Compliance, especially frameworks as robust as HITRUST, should be a mark of excellence and security. The reports and attestations should mean something. But the path to attaining them shouldn’t be reserved for the select few who can afford the resources to attain them in good faith. At Thoropass, we’re on the side of the companies trying their best to do their best, regardless of their temporary limitations, so that they can innovate and lead us all into a safer future.
