Health Tech Firms Raise Security Bar with Full SOC 2 Type II Attestation
- SOC 2 Type II Attestation Achieved: Lightning Step and Sunwave have successfully obtained SOC 2 Type II certification, covering all five AICPA Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy.
- Comprehensive Security Validation: The Type II attestation evaluates the operating effectiveness of security controls over an extended period, providing a more robust measure of data protection commitment.
- High-Stakes Sector: The certification is particularly critical for healthcare organizations handling sensitive patient information, offering objective proof of strong and consistently enforced security policies.
Experts in cybersecurity and healthcare technology widely regard SOC 2 Type II attestation as the gold standard for data security, demonstrating a holistic and rigorously tested approach to protecting sensitive patient information.
HOUSTON, TX – January 13, 2026 – In a move that signals a significant step forward for data security in the healthcare sector, technology providers Lightning Step and Sunwave have successfully achieved SOC 2 Type II attestation. The certification covers all five of the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy, representing a comprehensive validation of the companies' security posture and operational integrity.
This full-scope attestation is a critical milestone for the two companies, which specialize in providing electronic medical records (EMR), revenue cycle management (RCM), and customer relationship management (CRM) platforms for behavioral health and addiction treatment providers. Unlike a SOC 2 Type I report, which assesses the design of security controls at a single point in time, the Type II attestation evaluates the operating effectiveness of those controls over an extended period, offering a more robust and reliable measure of a vendor's commitment to data protection.
The New Gold Standard in a High-Risk Sector
For healthcare organizations, particularly those in the behavioral health space handling exceptionally sensitive patient information, the distinction is paramount. SOC 2 Type II is widely regarded by cybersecurity experts as the gold standard for technology service providers. Achieving it across all five trust criteria demonstrates a holistic approach to security that goes far beyond the baseline requirements of HIPAA compliance.
While HIPAA provides the legal framework for protecting patient health information, SOC 2 offers a detailed, operational roadmap for the systems and processes that secure that data. The five criteria provide a comprehensive assurance:
- Security: Systems and data are protected against unauthorized access and disclosure.
- Availability: Systems are available for operation and use as committed or agreed.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice.
This independent, third-party validation provides healthcare providers with objective proof that a vendor not only has strong security policies but consistently enforces them. “Achieving SOC 2 Type II attestation is a reflection of how we design and operate our technology from the ground up,” said Dr. Martin Ignatovski, Ph.D., Chief Technology Officer of Lightning Step. “Security, reliability, and data integrity are foundational principles.”
A Strategic Differentiator in a Crowded Market
In the increasingly crowded healthcare technology landscape, many vendors make general claims about their security or rely on internal assessments. Lightning Step and Sunwave's public achievement of a full-scope SOC 2 Type II attestation serves as a powerful market differentiator. It provides a tangible answer to the rigorous due diligence questions posed by hospital CIOs, compliance officers, and procurement teams.
For healthcare organizations, selecting a technology partner is a high-stakes decision. The vendor becomes a steward of their most sensitive asset: patient data. A breach originating from a third-party vendor can lead to devastating consequences, including regulatory fines, legal liability, and an irreparable loss of patient trust. This certification streamlines the vendor risk assessment process, giving providers confidence that they are partnering with an organization whose security practices have been independently and rigorously tested over time.
“For healthcare organizations, trust is built on proof,” said Brent Michael, CEO of Lightning Step and Sunwave. “This independent attestation provides clear validation that our security and compliance programs meet the highest standards expected in regulated environments.” By proactively achieving this certification, the companies reduce the compliance burden on their clients and demonstrate a mature, enterprise-ready security program.
Responding to an Unprecedented Wave of Cyber Threats
The timing of this achievement could not be more critical. The healthcare industry remains a top target for cybercriminals, with the frequency and scale of data breaches reaching alarming new heights. Recent years have seen a massive surge in attacks, with hundreds of millions of patient records compromised. High-profile incidents, such as the ransomware attack on Change Healthcare, have exposed the fragility of the interconnected healthcare ecosystem and the catastrophic disruptions that can result from a single security failure.
The U.S. Department of Health & Human Services (HHS) breach portal paints a grim picture, with hacking and IT incidents consistently listed as the primary cause of breaches affecting 500 or more individuals. Ransomware attacks in particular have grown more sophisticated, crippling hospital operations and exposing vast amounts of personal data.
Behavioral health providers are especially vulnerable. The data they manage—including therapy notes, substance abuse histories, and mental health diagnoses—is intensely personal and holds a high value on the dark web. In this high-threat environment, a vendor's security posture is not merely a feature but a foundational requirement for operational resilience and patient safety. Certifications like SOC 2 Type II are no longer a luxury but a necessity for any technology firm seeking to responsibly serve the healthcare market.
From Compliance to Confidence: The Impact on Care
Ultimately, the impact of robust security extends beyond compliance checklists and into the daily practice of healthcare. When clinical and operational platforms are secure, reliable, and consistently available, clinicians can focus on their primary mission: patient care. The assurance of system availability and data integrity means less downtime, fewer workflow disruptions, and greater confidence in the tools they use every day.
For patients, particularly those seeking behavioral health treatment, trust is the cornerstone of the therapeutic relationship. Knowing that a healthcare provider uses technology that has been independently verified to protect their privacy can help foster that trust. It assures them that their most personal struggles and data are being handled with the highest degree of care and responsibility.
The successful attestation by Lightning Step and Sunwave reflects a broader, necessary trend in healthcare technology. As care delivery becomes increasingly reliant on digital platforms, the integrity of those platforms is inextricably linked to the quality and safety of the care itself. By investing in and proving their commitment to the highest security standards, these companies are not just protecting data; they are helping to fortify the foundation of trust upon which the entire healthcare system is built.