Why Should Your Healthcare IT Vendor Be SOC 2 Certified?


Welcome to the Steer Growth Academy, our bi-weekly newsletter on LinkedIn, featuring a free article and a roundup of news and advice on marketing, hiring, healthcare innovation, and technology.

Don’t miss these other updates:

  • We held a webinar on April 28th! Missed it? Don’t worry, you can still get the recording here.
  • We recently launched our patient check-in kiosk solution to help your practice improve data entry, claims processing, and financial outcomes. Schedule a free demo here.

Top Story: Why Should Your Healthcare Vendor Be SOC 2 Certified?

In recent years, SOC 2 compliance has grown in popularity and become table stakes for SaaS companies. A completed SOC 2 report strengthens trust, drives business growth, and shows patients that health systems are committed to protecting their data.

A 2023 AICPA survey of over 400 firms revealed that the increasing awareness of the importance of IT security has led to an almost 50% increase in the demand for SOC 2 engagements.

Your healthcare company deals with patient data, so SOC 2 is a hot topic in the security landscape. More and more, potential clients are making SOC 2 compliance an absolute necessity for any vendor they’ll consider closing a deal with.

And you should hold the same standards for your vendor as well. But, what does SOC 2 compliance entail? Let’s dive into what the report is, why it’s important to ensure that your vendor is SOC 2 certified, and how Steer Health demonstrates SOC 2 Type II compliance standards.

So, what exactly is SOC 2 compliance?

The American Institute of CPAs (AICPA) developed voluntary SOC compliance standards for organizations regarding how they should manage customer or patient data.

Each SOC report—SOC 1, SOC 2, SOC 3—fulfills a distinct role within compliance assessments. SOC 1 focuses on financial reporting, SOC 2 focuses on a broader range of data management practices, and SOC 3 provides a summary of the SOC 2 attestation report that’s suitable for the general public.

SOC 2 covers internal controls for the security, availability, processing integrity, confidentiality, and privacy of customer/patient data. On the other hand, SOC 3 reports do not provide confidential information or as much detail as SOC 2 reports, so they can be released publicly as marketing material.

Organizations that store, process, or transmit any kind of personal data, such as technology vendors, should consider SOC 2 assurance. There are two different types of SOC 2 reports: SOC 2 Type I and SOC 2 Type II.

Simply put, SOC 2 Type I evaluates whether controls are designed properly at a point in time, whereas SOC 2 Type II evaluates whether controls are designed and functioning as intended over a specified period of time. Therefore, SOC 2 Type II audits require a greater investment of both time and resources.

Take a look at this graphic for a more in-depth analysis of the difference between SOC 2 Type I and Type II reports:

What are the benefits of SOC 2 Type II Compliance?

Providers transfer sensitive data every day, including patient records, which contain financial records and personally identifiable information (PII). When this information is shared with external parties or stored on remote servers, it becomes vulnerable to unauthorized access and potential breaches.

The reality is that cybersecurity attacks happen, especially in the healthcare space. As of the first week of March 2024, 116 healthcare data breaches had been reported to the HHS Office of Civil Rights (OCR), impacting over 13 million individuals.

If your vendor adheres to SOC 2 compliance, you can trust that it has established strong security measures to safeguard crucial data against unauthorized access, breaches, or leaks. Notably, achieving SOC 2 Type II certification indicates that the organization has consistently upheld strict data security standards for a period of six to twelve months, validated by an independent auditor for transparency.

Overall, a SOC 2 Type II report shows that your health system’s vendor is responsible for:

  • Process monitoring
  • Encryption control
  • Intrusion detection
  • User access authentication
  • Disaster recovery

Not only do SOC 2 Type II companies have all the right tools and procedures to safeguard sensitive information, but many SOC 2 requirements align with other frameworks like ISO 27001 and HIPAA. These certifications enable companies to fulfill multiple compliance obligations simultaneously.

If a vendor that you’re interested in working with cannot complete the SOC 2 Type II certification, it is likely because they are not implementing and enforcing the necessary data governance controls, best practices, and security strategies required to protect data.

Last week, Steer Health successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that Steer Health’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security, including:

  • Information security: How do you protect your data from unauthorized access and use?
  • Logical and physical access controls: How does your company manage and restrict logical and physical access to prevent unauthorized use?
  • System operations: How do you manage your system operations to detect and mitigate process deviations?
  • Change management: How do you implement a controlled change management process and prevent unauthorized changes?
  • Risk mitigation: How do you identify and mitigate risk for business disruptions and vendor services?

What does a SOC 2 Type II completion mean for our clients?

At Steer Health, we ensure that access to important resources is restricted to only vetted personnel. For instance:

  • All Steer Health contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
  • All employees, contractors, and others who access sensitive or internal information sign confidentiality or other types of Non-Disclosure Agreements (NDAs).
  • Steer Health conducts employee security training and testing using current and emerging techniques and attack vectors.

Secure Testing:

Steer Health adheres to OWASP Top 10 recommendations for web application security during software development. Furthermore, we conduct both internal and third-party penetration testing on new systems, products, or significant changes to existing systems, services, and products.

This approach ensures a comprehensive and real-world assessment of our products and environment from multiple perspectives. Steer Health also performs static and dynamic software application security testing of all code, including open-source libraries, as part of our software development process.

Cloud Security:

At Steer Health, we prioritize data security through encryption both at rest and in transmission, protecting against unauthorized access and potential breaches.

For instance, Steer Health Cloud ensures maximum security by offering complete customer isolation within a contemporary, multi-tenant cloud framework. Our system leverages the physical and network security features of the cloud service, entrusting the providers with maintaining infrastructure, services, and physical access protocols.

In addition, all customer cloud environments and data benefit from Steer Health’s patented isolation approach. Each customer environment is housed within a dedicated trust zone, preventing any unintentional or malicious co-mingling.

Steer Health was audited by Prescient Assurance, a leader in security and compliance certifications for B2B and SaaS companies worldwide. The company offers a range of risk management and assurance services, encompassing SOC 2, PCI, ISO, NIST, GDPR, CCPA, HIPAA, CSA STAR, and more.

According to 2023 research by IBM & Ponemon Institute, nearly 30% of businesses will experience a data breach in the next two years. Given the level of risk involved, prospective clients seek assurance that you can safeguard their sensitive data.

The successful completion of the SOC 2 Type II audit report signifies to both current and prospective customers that Steer Health upholds the highest standards of security and compliance in managing data.

We prioritize the security of our data, our clients’ data, and our customers’ data.


Steer Health is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance.

For more information, get in touch via helene@steerhealth.io
