Why SOC 2 Type II is important
At Patients Know Best (PKB), we’ve always operated under a simple premise: if you ask patients to trust you with their health data, you must prove you are worthy of that trust.
I’m sure there are many people around who remember the difficulties of storing and accessing paper-based medical records: no definitive audit trail of data access, entire paper records getting lost or misplaced, and, most of all, significant barriers for patients to access their own data.
With the shift to digital health records came the birth of the immutable audit trail – an unalterable log of every clinical interaction. This evolution enabled real-time data sharing, granted patients direct access to their own records, and ultimately improved clinical outcomes. In the early days of on-premise digital records I remember scare stories of unencrypted backups being left by an open window and going missing, or USB drives with patient data on them being lost and found. These new risks translated quickly into a need to ensure secure access, storage and transport of patient records; everything from simple tasks like password and encryption management to a world of ever-increasing cyber threats needed to be monitored, managed and mitigated.
Technology has significantly improved efficiency, but with providers now responsible for managing data security, availability and confidentiality in the cloud, focussed security is needed both to maintain trust and to demonstrate to customers that the right processes are in place throughout day-to-day operations. This is where SOC 2 comes into play.
In an era where data is both a patient’s greatest asset and a target for cyber threats, security is obviously a constant priority. We recently certified for SOC 2 (System and Organization Controls) as a prerequisite for international expansion into new markets like Canada. We believe that utilising its rigorous framework not only demonstrates our commitment to security and privacy, but helps us remain vigilant as we continue to scale.
The difference between a snapshot and a constant
You can certify for SOC 2 in two ways:
- Type I – which assesses the design of controls at a specific point in time, offering a quick snapshot.
- Type II – which independently audits the operational effectiveness of these controls over a period, typically 3-12 months, providing deeper, ongoing assurance.
It was clear that Type II was the only way to truly demonstrate that our security isn’t just a policy but integral to our operating system and culture.
Type II subjects every facet of the organisation to rigorous testing – from the lifecycle of employee access (starters, movers and leavers) and change management protocols to encryption standards and incident response – ensuring that security controls are not just theoretical policies but consistently applied habits. By verifying that these safeguards function effectively in practice for months at a time, the audit provides partners and customers with audited evidence across nearly 300 individual tests.
Global benchmark for trust
In the healthcare sector we cannot be complacent about security: as custodians of highly sensitive Protected Health Information (PHI), we must constantly monitor and adapt to the escalating landscape of cyber threats. SOC 2, as an international benchmark, provides a common language that all our partners and customers globally can immediately recognize as a hallmark of operational excellence.
Today, PKB has over 6.6 million registered users. Our platform handles billions of data items, providing a borderless health record that follows the patient wherever they go. Maintaining SOC 2 Type II ensures that whether you are a provider in the UK, a patient in Germany, or setting up a single patient record system in Nigeria, your data is governed by the highest tier of operational excellence.
Strengthening the healthcare supply chain
Cyber resilience across the health and care supply chain has never been more urgent. Healthcare providers are rightly concerned about Third-Party Risk Management (TPRM): they need to know that their partners aren’t the weak link in their security chain. By maintaining SOC 2 compliance, we take that burden off our partners by providing audited evidence that customers across the world can use to satisfy their own risk assessments.
Security as a standard, not a project
The SOC 2 Type II accreditation is not a one-time goal but a continuous cycle of accountability. As we continue to expand our global footprint, this framework helps our security posture evolve as the threats we face inevitably change. By choosing the most rigorous path to compliance, we provide our partners and customers with more than just a platform: we provide the assurance that we are committed to transforming healthcare safely.
