
In a recent interview with HCPro’s Revenue Cycle Advisor geared towards Health Information Management (HIM) executives, Clearway Health’s Rusty Atkinson, vice president of information technology (IT) and Tim Williams, director of information security, share guidance on how HIM executives can interpret SOC 2 reports, build more resilient operations, and navigate gaps between cybersecurity expectations and real-world practice. Here are a few excerpts from the interview:
SOC 2’s role in HIM decision-making
Many HIM professionals rely on SOC 2 reports (specifically Type 2) as evidence that a vendor’s security program is trustworthy. However, Atkinson notes that the report, which is an auditor’s attestation rather than a certification, has important limits that HIM leaders should keep in mind.
“SOC 2 Type 2 is an industry-recognized standard, but it is important to understand what it actually measures,” he says.
SOC 2 focuses on whether an organization’s internal governance processes—such as change management, onboarding and offboarding, and policy adherence—are in place and followed consistently over time. These elements matter for operational stability, but they do not capture the depth of technical safeguards that HIM departments often assume are being evaluated.
“It does not evaluate the technical depth of an organization’s security, nor does it ensure protection against breaches, ransomware, or compromise of systems,” according to Atkinson. In practice, HIM leaders should treat SOC 2 as a foundational element rather than evidence of robust protection.
“SOC 2 should be viewed largely as a go-to-market assurance or a basic due-diligence check box for vendors rather than as an indicator of true security resilience,” says Atkinson.
Strengthening HIM governance
While SOC 2 has limitations, the process of preparing for an assessment provides lessons that HIM leaders can apply to their own operations. Atkinson emphasizes the transformative impact of effective governance tooling, explaining that having a governance, risk, and compliance platform dramatically improves SOC 2 readiness.
Centralizing controls, maintaining evidence, and automating gap detection allows teams to stay ahead of audit expectations rather than scrambling before deadlines. For HIM departments that manage documentation systems, release-of-information (ROI) workflows, coding applications, and departmental policies, a similar approach can streamline compliance tasks and tighten governance across the board.
Setting realistic expectations for vendor controls
HIM leaders often assume that vendors should be able to mirror the same internal security controls used within hospital environments. Williams explains why that expectation is rarely realistic.
“It is very difficult and often impossible to hold downstream vendors to the exact same security controls used by a hospital system,” he says.
Hospitals operate with large, highly resourced IT and security teams; smaller third-party vendors generally do not. While business associate and service agreements establish contractual expectations, they do not grant hospitals the ability to dictate internal tooling, processes, or system architecture.
“Some organizations assume they can impose their internal policies and technical controls on vendors down to the smallest detail, but in practice, this is not feasible or operationally realistic,” says Williams.
This does not mean HIM leaders lack leverage. Instead, Williams recommends focusing on the vendor’s risk profile and the sensitivity and volume of data they handle. Not every partner needs identical safeguards, especially when data types vary.
“Not every downstream vendor needs enterprise-grade controls like full data loss prevention,” he says. “Imposing blanket requirements often forces smaller vendors into costly implementations that don’t materially reduce risk.”
A more practical approach includes assessing the vendor’s existing safeguards, ensuring HIPAA/HITECH obligations are met, and using contractual mechanisms to transfer or mitigate risk. This helps HIM leaders gain meaningful assurance without forcing smaller partners into unsustainable implementations.
Building resilience against ransomware and data breaches
As cyberattacks escalate across the healthcare sector, HIM departments must plan for disruption rather than assume systems will remain continuously available. Williams outlines the core pattern seen in real-world incidents: most breaches begin with compromised credentials or account takeover. From his perspective, HIM teams should prioritize closing that single point of failure.
Williams explains that organizations need to prioritize two areas: preventing the initial breach and ensuring that ransomware resilience is mature, tested, and reliable. Controls such as device trust, high-quality monitoring, strong multi-factor authentication (MFA), non-password-based authentication, and just-in-time privileged access significantly reduce the risk of credential-driven compromise. Used together, these controls can prevent the overwhelming majority of such breaches, he says.
Resilience is just as important as prevention. Williams stresses that true readiness requires reliable, tested recovery capabilities across HIM systems, documentation workflows, ROI tools, and backend platforms. He also notes that backup immutability is essential.
“It is not enabled by default in AWS, Microsoft, or most backup platforms, but it is essential because it prevents attackers from deleting or modifying backups,” he says.
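Because immutability is off by default, the only way to know a backup bucket is actually protected is to read its configuration back and check it. The following is an added example, not code from the interview, from Clearway Health, or from AWS: it evaluates S3 Object Lock settings in the shape returned by the AWS API (the dicts boto3 returns from get_bucket_versioning() and get_object_lock_configuration()), with constructed sample responses so it runs offline. The 30-day retention floor and the bucket names are assumptions for illustration.

```python
"""Assess whether an S3 backup bucket is really immutable.

Added example (not from the interview or from AWS). The input dicts mirror
the boto3 responses of get_bucket_versioning() and
get_object_lock_configuration(); with a real client, pass those responses
in unchanged. `object_lock` is None when the API raised
ObjectLockConfigurationNotFoundError, which is the AWS default state.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption for illustration: minimum default retention for ransomware recovery.
MIN_RETENTION_DAYS = 30


@dataclass
class ImmutabilityResult:
    bucket: str
    immutable: bool
    findings: List[str] = field(default_factory=list)


def assess_backup_bucket(bucket: str, versioning: dict,
                         object_lock: Optional[dict]) -> ImmutabilityResult:
    """Return whether objects in `bucket` cannot be deleted or overwritten."""
    findings: List[str] = []

    # Object Lock depends on versioning; without it a PUT simply replaces the object.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not Enabled; objects can be overwritten in place")

    cfg = (object_lock or {}).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        # The default: nothing stops a principal with s3:DeleteObject from wiping backups.
        findings.append("Object Lock is not enabled (the AWS default)")
        return ImmutabilityResult(bucket, False, findings)

    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        # Lock is on, but new objects are only protected if each writer sets retention.
        findings.append("Object Lock enabled but no default retention rule")
        return ImmutabilityResult(bucket, False, findings)

    mode = rule.get("Mode")
    if mode == "GOVERNANCE":
        # GOVERNANCE can be lifted by any principal holding s3:BypassGovernanceRetention,
        # which is exactly what stolen administrator credentials tend to carry.
        findings.append("retention mode is GOVERNANCE; bypass permission still allows deletion")
    elif mode != "COMPLIANCE":
        findings.append(f"unrecognised retention mode {mode!r}")

    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if days < MIN_RETENTION_DAYS:
        findings.append(f"default retention of {days} days is below the "
                        f"{MIN_RETENTION_DAYS}-day floor")

    return ImmutabilityResult(bucket, not findings, findings)


# Constructed sample responses (not captured from a real account).
DEFAULT_BUCKET = ({"Status": "Enabled"}, None)  # versioning on, lock never configured
GOVERNANCE_BUCKET = ({"Status": "Enabled"}, {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}})
COMPLIANCE_BUCKET = ({"Status": "Enabled"}, {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}})
SHORT_RETENTION_BUCKET = ({"Status": "Suspended"}, {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}}})


def main() -> None:
    samples = {
        "him-backups-default": DEFAULT_BUCKET,
        "him-backups-governance": GOVERNANCE_BUCKET,
        "him-backups-compliance": COMPLIANCE_BUCKET,
        "him-backups-short": SHORT_RETENTION_BUCKET,
    }
    for name, (versioning, lock) in samples.items():
        result = assess_backup_bucket(name, versioning, lock)
        status = "IMMUTABLE" if result.immutable else "NOT IMMUTABLE"
        print(f"{name}: {status}")
        for finding in result.findings:
            print(f"  - {finding}")


if __name__ == "__main__":
    main()
```

Only the COMPLIANCE-mode bucket with versioning enabled and retention at or above the floor passes; the default bucket fails on the first check, which is the state Williams describes. In practice the same function would be run across every bucket (or equivalent storage container) that holds HIM system backups, and its output kept as evidence for the recovery exercises discussed below.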
Quarterly recovery exercises—not tabletop discussions—give HIM executives confidence that operations can resume quickly after a breach or ransomware event.