What We Learned Going Through SOC 2 as a Healthcare Infrastructure Company

February 18, 2026

When we started the SOC 2 Type II audit process, we thought we knew what we were getting into. VectorCare has operated in healthcare for 14 years, serving 2,500+ facilities and processing millions of patient logistics transactions. We've always taken security seriously — HIPAA compliance, encrypted data flows, role-based access controls. But SOC 2 forced us to prove it, in writing, to an independent auditor. And the process taught us more than we expected.

This post isn't a press release announcing our certification. It's a candid look at what the SOC 2 journey actually involved — what surprised us, what we changed, and why we think every company building infrastructure for clinical workflows should go through it.

Healthcare's security conversation tends to focus on two things: protecting patient data (HIPAA) and protecting the network perimeter. But there's a growing blind spot: the applications embedded inside clinical workflows. As SMART on FHIR adoption accelerates and health systems embed third-party applications directly into their EHR environments, the attack surface expands. These applications have access to patient data through standardized APIs — which is the point. But it also means the security posture of every embedded application matters as much as the EHR's own defenses.

We want to be transparent about what the audit actually changed in our operations.

First, incident response procedures — we had capabilities, but the documented, tested, timed response plan that SOC 2 requires was a different standard. We now run tabletop exercises quarterly with defined escalation paths and specific SLAs for every severity level.

Second, change management controls — every code deployment to production now follows a documented approval workflow with separation of duties.

Third, vendor risk management — we audit our own vendors now with the same rigor our customers apply to us. Every subprocessor that touches patient data has a documented risk assessment and review cycle.

Fourth, access review cadence — quarterly access reviews across every system, with documented revocation for any employee who changes roles or departs.

Fifth, continuous monitoring and alerting — real-time alerting on access anomalies, failed authentication attempts, and data egress patterns. The monitoring was always technically possible; SOC 2 required us to prove it was actually configured, tested, and reviewed.

If you're a CIO or CISO evaluating vendors that embed applications in your EHR environment, here's what we'd encourage you to ask:

Is the vendor SOC 2 Type II certified — not just Type I?

Does the vendor's security posture cover the full data flow — from API authentication through processing, storage, and transmission?

Can the vendor provide their SOC 2 report under NDA, and does it include any qualified opinions or exceptions?

How does the vendor handle subprocessor security?

These aren't trick questions. They're the questions we asked ourselves, and the ones we're now prepared to answer with documented evidence rather than self-attestation.

The most important lesson from our SOC 2 process wasn't any single control or policy change. It was a shift in how we think about security's role in our product. VectorCare is building the infrastructure layer that connects clinical workflows to patient logistics vendors — transportation, DME, home health, post-acute care. That infrastructure sits inside the EHR, handles protected health information, and orchestrates real-time decisions about patient care transitions. If that layer isn't secure, nothing built on top of it is secure either. SOC 2 certification isn't the finish line. It's the baseline. We'll continue to invest in security infrastructure at the same level we invest in product capability — because for the health systems that trust us with their clinical workflows, those are the same thing.

David Emanuel
CEO and Founder