Protecting the privacy & security of your patient’s health information.

BLOG POST: SOC 2 With Another Set of Eyes: The Role of Third-Party Audits in Certification

By Bethany Page, IT Risk Management

It seems that not a day goes by without data breaches being in the spotlight, as organizations face the consequences. Knowing the proper controls and standards for security can be a tough process, so security certifications such as SOC 2 have become the de facto way to prove your organization is following best practices when it comes to risk management and regulatory compliance.  

A SOC 2 attestation involves implementing controls in at least one (or many) of the five areas: Security, Availability, Confidentiality, Processing Integrity and Privacy.  Moreover, a SOC 2 Type II attestation requires having a third-party auditor review the controls to make sure they are effective.   Having an another “set of eyes” review internal security controls involves three main components described below.

Components of a Third-Party Security Audit

A third-party security audit consists of the following three components:

  • Preparation: Defining the scope and timeline

  • Examination of Evidence: Identifying security gaps

  • Review: Security Ratings Report

Step 1: Preparation: Defining the Scope and Timelines

Preparation is the key to success!  Before even beginning the process, it is important to understand the proper scope and timeline. Review can last anywhere from three months all the way to a full year. Though SOC 2 is a technical audit, policies and procedures form the base for a sturdy internal control environment. Don’t skimp out on the “what” and “how” as it is the first thing an auditor will ask for to understand the security landscape of your organization.

Step 2: Examination of Evidence: Identifying Security Gaps

Follow the evidence to find security gaps.  During the reporting period, the auditor will send an “evidence request list” to see specific examples of each control criteria. For example, if the auditor wanted to test if security overviews were being conducted by leadership each month, they may ask for meeting minutes to prove it.  A more technical request may require the system password parameters, which could be supported by a screenshot of the password configuration settings.

Apart from evidence, the auditors will also need to set up time for on-site interviews and walkthroughs of the facility to collect additional information. This process typically takes a week.

What exactly counts as evidence?  Any of the following documents could be used:

  • Organizational charts

  • On-boarding/off-boarding processes

  • Employee, contractor, and vendor listings

  • Network diagrams

  • Vulnerability scan reports

  • HIPAA training materials sample

  • Business Associate Agreement sample

  • Asset inventory

  • Prior risk assessments

Step 3: Security Controls Ratings Review

So, am I certified now?

Not quite! After all the information collected from evidence and interviews is tested by the auditor, they will provide one of two opinions; “Qualified” or “Unqualified” for each control. Finally, the assessor will issue the draft report containing all tested criteria with their ratings.

If the scoring is in the clear, you are finally at the last step. Now is the opportunity for your organization to give feedback before the final report is sent out for certification.

Partner with a Healthcare “Savvy” Auditing Firm

Select an auditing partner who “knows their stuff” for patient and member data security.  Ask prospective auditors about their specific knowledge of the healthcare industry including the data handling environments of healthcare providers, health plans and their business associates involved in delivery of patient care and payment services.  The selection of a partner with proven experience in conducting security audits for SOC 2 attestation specifically for the healthcare industry and health plan businesses; will maximize the investment in the SOC 2 attestation process.


Bethany advises a variety of healthcare clients on healthcare compliance matters.  Her experience includes Meaningful Use compliance, HIPAA privacy and security assessments, remediation planning and project management, Office for Civil Rights investigations, HITRUST Common Security Framework remediation and other pertinent federal and state healthcare technology requirements.  She is a lead team member in Meditology’s Privacy Practice and represents the firm on national standards committees, such as ANSI.  Her clients range from small physician practices to large health systems.