Healthcare organizations depend on third parties across nearly every critical function, from cloud hosting and revenue cycle support to patient engagement tools, analytics platforms, device integrations, and outsourced administrative services. That dependency, along with accountability, is not going away.
During the recent webinar, “What SOC Reports Reveal About Vendor Cyber Risk,” a crucial point was shared: healthcare organizations should note that accountability for cyber risk doesn’t transfer when services are outsourced.
SOC Reports can help healthcare organizations understand control environments in relation to their vendors, but they’re most useful when they’re treated as part of a process, instead of a standalone sign-off.
That distinction matters in healthcare because a third-party incident often carries more than one consequence. A vendor event can affect privacy, operations, reimbursement workflows, patient communications, scheduling, continuity of care, and leadership reporting.
Consider the following: could an organization explain why a vendor was approved, what was reviewed, what gaps were identified, and why the decision was reasonable at the time? For healthcare leaders, these areas are important to understand, especially when something goes wrong.
Why Do SOC Reports Matter in Healthcare Vendor Risk Management?
Vendor risk management in healthcare is critical. In the Cost of a Data Breach Report 2025 from IBM and Ponemon Institute, breach-cost data shows that healthcare remains the most costly industry for data breaches, driven in part by the continued targeting of patient personal identifiable information by attackers.1
SOC Reports can help healthcare organizations understand whether a vendor has been examined against a relevant control framework and whether testing identified issues that could affect security, availability, confidentiality, processing integrity, or privacy. American Institute of CPAs (AICPA) resources continue to position SOC Reports as a valuable tool for users of outsourced services, and common vendor-review guidance recommends checking report scope, dates, testing results, subservice organizations, and Complementary User Entity Controls (CUECs).
U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) guidance separately reinforces that risk management is a critical part of both HIPAA Security Rule compliance and broader cybersecurity preparedness for covered entities and business associates.2
Put simply, healthcare organizations operate in an environment in which vendor oversight is not only a procurement matter, but also a part of privacy, security, and resilience governance.
What Should Healthcare Organizations Look for First in a SOC Report?
SOC Reports contain expansive sections, and not every part of the report matters equally for vendor risk management. It’s helpful to focus on the areas most likely to affect decisions, such as scope alignment, exceptions, subservice organizations, CUECs, report timing, and signs that the vendor has a meaningful vendor-management program of its own.
To begin, look at scope. Does the report cover the services, applications, and environments that the healthcare organization uses? If the vendor provides multiple products, it’s possible to receive a report that’s current and still not particularly relevant to the service the organization needs.
External review guidance makes the same point. User entities should confirm that the report aligns to the outsourced service in question and understand whether important third-party dependencies sit outside the examination scope. In healthcare, that issue can be especially important when hosting, messaging, analytics, or connected-service layers rely on subservice organizations.
Then, review exceptions and timing. A “clean” opinion doesn’t automatically mean low risk, and an older report can leave a healthcare organization relying on stale information. Organizations should ask for the most recent report and review it soon after issuance. This process is especially applicable for healthcare teams that need current insight into continuity, data-handling, and access-control issues when the service touches sensitive information or critical operations.
CUECs are critical here, as well. If a vendor assumes that the healthcare organization is performing certain controls, those assumptions need to be validated. HHS and Office of the National Coordinator (ONC) materials on HIPAA risk management and risk assessment reinforce the broader idea that regulated entities need to understand and manage the risks within their own environment, including vendor-related exposures.3 A healthcare organization cannot rely on vendor controls in the abstract if its own side of the control relationship is weak or undocumented.
How Does Healthcare Regulation & Accountability Change How Vendors Should be Reviewed?
When it comes to vendor oversight, healthcare organizations should not treat this area as disconnected from the broader operating and regulatory environment. Privacy law changes, incident reporting expectations, children’s data protections, cross‑border data restrictions, and emerging artificial intelligence (AI) governance requirements can influence how vendors should be evaluated. While not all of those requirements apply to every healthcare organization in the same way, the key point is that vendor oversight should align to the actual risk environment each organization faces.
Healthcare regulations already reinforce this approach. HHS guidance emphasizes that risk management is a core element of HIPAA Security Rule compliance, and CMS guidance makes clear that covered entities remain responsible for helping to ensure that business associates meet applicable HIPAA requirements when performing covered functions.4 In practice, this means that vendor oversight should be risk-based, continual, and tied to how services are delivered.
Red Flags for Healthcare Leaders to Note
Healthcare leaders should be concerned when a vendor outsources meaningful services, but its SOC Report doesn’t reflect effective vendor-management controls. For healthcare organizations, this is a useful threshold because many vendors rely on a chain of technology providers, hosting firms, and subcontractors. If those relationships are not formally managed, the healthcare organization may be inheriting risk that’s not fully visible.
Another underappreciated area is training evidence. Interactive information security training is generally more effective than passive, click-through content, and there’s value in demonstrating that personnel not only completed the training but also understood it.
In healthcare, where workforce behavior and access practices remain a major factor in cybersecurity and privacy incidents, this process becomes a practical lens for vendor diligence. A vendor’s statement that training exists is only a starting point. Organizations should look for signals that training is current, meaningful, and supported by evidence.
Who Should Review Vendor Risk Information in Healthcare?
Vendor review is a collective effort for healthcare organizations and requires cross-functional work to produce a more defensible result (as opposed to an isolated review).
Privacy team members may understand data use and disclosure questions. Information security team members may understand technical controls and monitoring. Compliance and legal team members may evaluate agreements and notice obligations. Operations team members may understand how disruptions would affect care delivery or revenue. Finance and Internal Audit team members may need visibility into control dependencies and reporting implications. When these areas work together, the result is a collaborative, informed vendor assessment.
Actions to Consider Now
Healthcare organizations can begin their vendor review journey as follows:
- First, view SOC Reports as part of a broader healthcare vendor review. Pair them with contract review, business associate requirements where applicable, continuity planning, and risk-based oversight.
- Focus on the highest-value sections first. Start with scope, dates, exceptions, subservice organizations, and CUECs.
- Ask what happens if the vendor goes down. In healthcare, availability and contingency planning often matter as much as confidentiality. Preparation is key.
- Look for evidence, not statements only. This guidance applies to training, incident response, monitoring, and vendor governance.
- Document why the decision was reasonable. If an incident occurs at a later date, that record can support discussions with leadership, audit, and regulators.
How Forvis Mazars Can Help
In healthcare, vendor reviews should ultimately answer a practical question: Can we explain why this service is acceptable for our environment, based on the risk, controls, and way we plan to monitor it over time? SOC Reports can support that answer, most effectively when they’re used with context and judgment.
For more information on SOC Reports, vendor assessments, or other risk-related questions for healthcare organizations, please reach out to a professional at Forvis Mazars.
- 1“Cost of a Data Breach Report 2025,” ibm.com, August 2025.
- 2“Security Rule Guidance Material,” hhs.gov, June 2026.
- 3“Guidance on Risk Analysis,” hhs.gov, June 2026.
- 4“Go to Guidance: Guidance on HIPAA Covered Entities’ responsibility to require that Business Associate’s comply with Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations,” cms.gov, March 22, 2022.