Case Study: How Talkatoo Tackled HIPAA and SOC 2 Compliance (Without a Dedicated Security Team)

We recently had the opportunity to interview Talkatoo’s CFO Aly Mawji for a customer case study. We discussed the importance of security in a rapidly growing tech company, their decision to pursue HIPAA and SOC 2 compliance, and how Carbide’s information security management platform accelerated their compliance journey. You can watch an excerpt of the interview below.

How would you describe Talkatoo and what you do?

Talkatoo is a SaaS company that produces dictation software to help doctors and veterinarians. Our customers have hectic schedules, and our software speeds up their time to do clinical documentation. By using our software, they end up having more time in the day.

Why is security important to you and your customers?

We originally started out in the field of veterinarians — with animal health, privacy and security are not as much of an issue. However, as we moved into human health, we needed to be HIPAA-compliant, which is the privacy and health regulation in the United States.

We deal with a lot of very sensitive, secure patient data — health records and information on people’s lives that doctors and other healthcare professionals deal with. We need to treat that information with a level of privacy and security. And our customers need to know that we take those issues seriously and that we have strong security and privacy.

Our growth plans would be pretty much impossible to do without the security program we have in place.

Who is responsible for security in your organization?

I’m the executive sponsor for this program. And as a CFO, I undertake security responsibilities as part of my job, but I work very closely with our CTO and our Systems Administrator to make all this happen.

We don’t have a dedicated security resource, and I think that would be too expensive for a company of our size. That’s why we needed help from experts and access to a platform that allows us to fill that gap and perform in the security area in the way that we need to.

What was the HIPAA compliance process like?

The HIPAA process was quite an effort, but having the Carbide platform really made the process much smoother and easier for us and sped up the time that it took us to do that. We were lucky to have Carbide and all the tools in place to do that. Carbide’s experts made it easier for us to understand what needed to get done and how to get it done rather than trying to spend a lot of time figuring out what was required to meet the frameworks.

I don’t think we would’ve been able to do it, quite frankly, without that.

Once you already had HIPAA compliance, why did you pursue SOC 2 as well?

We started selling into larger companies, and these larger enterprise customers said, “Okay, it’s great that you’re HIPAA certified, but we also would like you to be SOC 2 compliant.” It was an intense and rigorous process, and it’s not a one-time thing; it’s an ongoing effort.

Our large enterprise customers are going to drive the business over the next 2-5 years. Those customers really expect us to have a strong security program in place, and they have been asking for us to have the SOC 2 certification. We need to be HIPAA-compliant; we need to be SOC 2 compliant — and not just Type 1, but also Type 2 of SOC 2.

What was the SOC 2 process like?

We were able to achieve SOC 2 compliance within about four months. I’ve heard horror stories of people taking a year or longer to achieve SOC 2 compliance.

I have to hand it to the platform and the team that helped us get through that process. They made it smooth and easy. They told us exactly what we needed to do. We were able to capitalize on the work we had already done with HIPAA, fill in any missing information on the platform, and keep the information up to date.

Quite frankly, it’s an ongoing effort. It’s not a one-time thing. So because we have the Carbide platform in place, we can hop on there; we can update information; we can move things around; we can change roles. And it’s just an easy way to deal with this project. Having the Carbide team helps make the effort a lot easier.

What are the benefits of using the Carbide platform?

Without a dedicated security resource, we really rely on the platform and the tools that are provided within it to set up security policies, set up tasks, assign those tasks to people, and then understand where our efforts are at any stage. With Carbide, we have been able to validate existing controls and build new ones, while also really allowing us to do the monitoring and the reporting of our entire security program.

Now that we have the Carbide platform to help us deal with compliance on a regular basis, we are pretty confident that we can, at any point, understand where our security efforts are at. And the platform basically gives us a tool to assign critical tasks to people, to see where things are at, to give us an overview, and to provide reporting for our security program.

What’s been your experience with the Carbide team?

The team has been fantastic. Their knowledge in the area is very specialized — knowledge that we just didn’t have internally. They know what they’re doing, and they’re able to help guide us through the process.

Without their help, there’s no way that we would have been able to achieve HIPAA compliance or our SOC 2 certification.

Can you quantify the value of Carbide and your security program as a whole?

I mentioned that we’re bringing on large enterprise customers. Those enterprises are going to absolutely make or break this business. And because we have those customers, now we’re able to raise capital.

I don’t know how to put a number on it, but I would say our business would not be possible without the security program and the help that we’ve had from the team.

So having a strong security program in place has allowed us to bring on the large enterprise customers that are going to be the drivers of our business over time. So the impact on our business is absolutely huge. Without Carbide and the security program that we have in place, it would not have been possible to bring on enterprise customers or for us to raise capital the way we have to continue our business.

Carbide Streamlines Your Path to Compliance

Proving to your enterprise customers that you are compliant with security standards like HIPAA and SOC 2 can be a costly and laborious undertaking. The Carbide Platform houses controls and policies, generates high-priority tasks, and provides planning tools designed to help you speed up your time to compliance. Talk with us about how Carbide can save you time and money on SOC 2, HIPAA, and more.