Practice · 2026-06-05 · 16 min read

Cloud Veterinary PIMS Security Audit: Evaluating Your Vendor's Data Protection

How to audit a cloud veterinary PIMS vendor for security: SOC 2 certification, encryption, MFA, audit-log retention, breach-response SLAs, and the 15-question checklist to run before signing.

Ran Chen
Founder, VetMedGuide. Life-sciences operator and 10× global market-access lead.

In October 2019, the Ryuk ransomware variant encrypted Microsoft Active Directory and Exchange servers at National Veterinary Associates' support center. Approximately 400 of NVA's roughly 700 hospitals were infected. The attack separated practices from their patient records, payment systems, and practice management software, as reported by KrebsOnSecurity. Although NVA stated publicly that all hospitals remained open and able to see clients, recovery of full system access took weeks. NVA had been hit by Ryuk earlier that same year.

The veterinary sector has not become safer. AAHA posted in 2025 that "cyberattacks, ransomware, and data extortion attacks continue to make headlines — and veterinary hospitals have good reason to pay attention." Healthcare-adjacent sectors are prime ransomware targets because data is time-sensitive and downtime is expensive. Sixty-seven percent of healthcare organizations were hit by ransomware in 2024, nearly double the 2021 rate. The average cost of a healthcare data breach reached $9.8 million in 2024, growing at twice the rate of other industries.

For an independent companion-animal practice running $1.5M annual revenue, even a modest ransomware incident — one that takes the PIMS offline for five days — costs roughly $30,000 in lost gross revenue plus the downstream effects of client churn. LUCCA Veterinary Data Security, a firm specializing in veterinary IT, has documented cases where practices lost all client and patient data permanently because the backup was not tested, was on the same network as the production system, or simply did not exist.

Most veterinary practices now use cloud-based PIMS. Cloud deployment shifts the security burden from the practice's server closet to the vendor's infrastructure — but it does not eliminate it. The practice is still the entity whose client payment data, patient records, and controlled-substance logs are exposed when the vendor's controls fail. The question is not whether your cloud PIMS vendor has security. It is whether their security has been independently verified, whether it covers the threats that matter to your practice, and what happens when it fails.

This article is a vendor security audit framework for veterinary practice operators. It is not a generic cybersecurity guide. It is the specific set of questions, certifications, and verification steps to run before you trust a cloud PIMS with your practice's data — and the annual checks to run afterward.

The certifications that matter

SOC 2 Type II

SOC 2 is the baseline security certification for any SaaS vendor handling customer data. Developed by the American Institute of Certified Public Accountants (AICPA), it evaluates whether a service organization's controls for security, availability, processing integrity, confidentiality, and privacy are designed and operating effectively.

Type I assesses whether controls are properly designed at a point in time. Type II — the one that matters — evaluates whether those controls operated effectively over a defined audit period, typically six months or more.

Shepherd announced SOC 2 compliance in 2024 after an audit by Johanson Group, covering data security, firewall configurations, change management, logical access, backup management, business continuity/disaster recovery, and security incident response. ezyVet is also SOC 2 compliant and describes it as "one of the most widely accepted frameworks for assessing data security practices." ezyVet notes that very few veterinary PIMS vendors hold this certification.

What to ask your vendor:

  1. "Are you SOC 2 Type II certified? May I see the most recent report?" If the vendor is certified, they should provide the SOC 2 report or a summary (sometimes called a "bridge letter") upon request. If they deflect, they are not certified.

  2. "Which Trust Services Criteria are covered?" Security is mandatory; the others (availability, processing integrity, confidentiality, privacy) are optional. A vendor certified only on Security has met a lower bar than one certified on all five.

  3. "Who performed the audit?" The auditor should be an independent CPA firm, not an internal team.

PCI DSS (for payment processing)

If your PIMS processes, stores, or transmits credit card data — and most do — the vendor must comply with the Payment Card Industry Data Security Standard (PCI DSS). Shepherd, for example, notes PCI DSS compliance for its Shepherd Pay feature. Your practice's card-processing agreement may also impose obligations; verify that the PIMS vendor's PCI compliance covers the specific payment flows your practice uses.

State data-protection laws

HIPAA does not apply to veterinary practices — but at least 35 states have their own medical-records confidentiality laws, according to co.vet's 2026 veterinary EMR guide. Record-retention requirements range from 2 to 7 or more years from the date of the last patient visit, depending on the state. Your cloud PIMS must be able to retain records for the longest applicable retention period in every state where your practice operates.

The technical controls to verify

Certifications confirm that a vendor was audited. Technical controls confirm how the vendor actually protects your data day-to-day.

Encryption

| Control | What it means | What to ask |
| --- | --- | --- |
| Encryption at rest | Data stored on the vendor's servers is encrypted — if the physical storage is compromised, the data is unreadable without the key | "Is all customer data encrypted at rest using AES-256 or equivalent?" |
| Encryption in transit | Data moving between your browser and the vendor's servers is encrypted via TLS | "Do you enforce TLS 1.2 or higher for all connections?" |
| Encryption key management | Who holds the keys to decrypt your data, and how those keys are protected | "Are encryption keys managed via a dedicated key-management service (e.g., AWS KMS) with rotation policies?" |

If the vendor cannot clearly state their encryption standard, that is a disqualifying gap. AES-256 for data at rest and TLS 1.2+ for data in transit are the industry minimums.

Multi-factor authentication (MFA)

MFA is the single most effective control against credential-based attacks, which account for approximately 80% of data breaches, according to the Identity Defined Security Alliance. Every user account on your PIMS — veterinarians, technicians, CSRs, managers — should require MFA for login.

What to ask:

  • "Is MFA required for all user accounts, or is it optional?" Optional MFA means some accounts will not have it, and those accounts are the ones attackers will target.
  • "What MFA methods do you support?" Authenticator app (TOTP), hardware key (YubiKey), and SMS are the common options. SMS is the weakest and most vulnerable to SIM-swapping; authenticator apps are the recommended minimum.
  • "Can the practice administrator enforce MFA for all users?" If the admin cannot force MFA, individual users will disable it.

Role-based access controls (RBAC)

A well-designed RBAC system limits the blast radius of a compromised account. If a CSR's credentials are stolen, the attacker should not be able to export the entire patient database. The PIMS should support granular role definitions that restrict:

  • Who can view versus edit patient records
  • Who can export data (CSV, PDF, print)
  • Who can access controlled-substance logs
  • Who can modify fee schedules, reminder rules, or clinical templates
  • Who can add or deactivate user accounts

This overlaps with the practice's own internal RBAC configuration — covered in detail in our veterinary PIMS role-based access control guide — but the vendor must provide the technical capability to enforce these restrictions.

Audit logs

Audit logs are the forensic record of who did what in your PIMS and when. After a breach, an internal investigation, or a DEA audit of controlled-substance records, the audit log is what you will need.

What to ask:

  • "Do you maintain immutable audit logs of all user actions, including login attempts, record views, edits, deletions, and data exports?"
  • "How long are audit logs retained?" The answer should be at least as long as your state's record-retention requirement, and preferably longer.
  • "Can the practice administrator export audit logs without vendor assistance?" If you need to open a support ticket to see your own audit trail, that is a problem.
  • "Are audit logs stored separately from the production database?" If the logs are on the same server as the data, an attacker who compromises the database can also tamper with the logs.
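The RBAC restrictions and the audit-log questions above only pay off if someone actually reads the exported log. The script below is an added example (not code from the article or from any PIMS vendor) of what that review looks like. It assumes the vendor exports one JSON object per line and that each entry carries a SHA-256 chain hash over the previous entry's hash plus its own content, which is one common way an "immutable" log is made tamper-evident; the field names, the role-to-permission table, and the sample events are all constructed for the illustration. It verifies the chain, then flags logins without MFA, actions outside the user's role (a CSR exporting data), and bulk record access by one user inside a short window.

```python
"""Audit-log export review for a cloud PIMS.

Added example, not code from the article or from any PIMS vendor. It assumes
the vendor exports one JSON object per line with the fields used below, and
that each entry carries a SHA-256 chain hash over the previous entry's hash
plus its own content. The field names, the role permission table and the
sample events are constructed for this illustration.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical role -> permitted actions table (the RBAC restrictions above).
ROLE_PERMISSIONS = {
    "csr": {"login", "view_record", "edit_record"},
    "technician": {"login", "view_record", "edit_record", "view_controlled_log"},
    "veterinarian": {"login", "view_record", "edit_record",
                     "view_controlled_log", "edit_controlled_log"},
    "admin": {"login", "view_record", "edit_record", "view_controlled_log",
              "edit_controlled_log", "export_data", "manage_users"},
}
BULK_WINDOW = timedelta(minutes=5)   # record views/exports by one user ...
BULK_THRESHOLD = 50                   # ... inside this window count as bulk access
GENESIS = "0" * 64                    # previous-hash value for the first entry


def canonical(event):
    """Deterministic serialisation of an event without its own hash field."""
    body = {k: v for k, v in event.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def chain_hash(prev_hash, event):
    """Hash of this entry, bound to the previous entry's hash."""
    return hashlib.sha256((prev_hash + canonical(event)).encode()).hexdigest()


def verify_chain(events):
    """Index of the first entry whose hash does not verify, or None if intact."""
    prev = GENESIS
    for i, ev in enumerate(events):
        if ev.get("hash") != chain_hash(prev, ev):
            return i
        prev = ev["hash"]
    return None


def find_findings(events):
    """Flag logins without MFA, actions outside the user's role, and bulk access."""
    findings = []
    access = defaultdict(list)
    for ev in events:
        if ev["action"] == "login" and not ev.get("mfa", False):
            findings.append(("login_without_mfa", ev["user"], ev["ts"]))
        if ev["action"] not in ROLE_PERMISSIONS.get(ev["role"], set()):
            findings.append(("action_outside_role", ev["user"], ev["action"]))
        if ev["action"] in ("view_record", "export_data"):
            access[ev["user"]].append(datetime.fromisoformat(ev["ts"]))
    for user, stamps in access.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over timestamps
            while stamps[end] - stamps[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                findings.append(("bulk_access", user, stamps[end].isoformat()))
                break
    return findings


def parse_log(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_sample_log():
    """Constructed export: a normal morning plus the three patterns worth flagging."""
    raw = [
        {"ts": "2026-03-02T08:00:00", "user": "dr.lee", "role": "veterinarian",
         "action": "login", "mfa": True},
        {"ts": "2026-03-02T08:01:00", "user": "dr.lee", "role": "veterinarian",
         "action": "view_record", "patient": "P1001"},
        {"ts": "2026-03-02T08:05:00", "user": "csr.kim", "role": "csr",
         "action": "login", "mfa": False},
        {"ts": "2026-03-02T08:06:00", "user": "csr.kim", "role": "csr",
         "action": "export_data", "patient": None},
    ]
    for i in range(60):   # sixty record views by one CSR inside a single minute
        raw.append({"ts": f"2026-03-02T08:07:{i:02d}", "user": "csr.kim",
                    "role": "csr", "action": "view_record", "patient": f"P{2000 + i}"})
    prev = GENESIS
    for ev in raw:        # chain the entries the way the assumed export does
        ev["hash"] = chain_hash(prev, ev)
        prev = ev["hash"]
    return "\n".join(json.dumps(ev) for ev in raw)


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    print("chain intact:", verify_chain(events) is None)
    for finding in find_findings(events):
        print(*finding)
    events[2]["mfa"] = True            # an after-the-fact edit breaks the chain
    print("first tampered entry:", verify_chain(events))
```

The chain check is what "stored separately" and "immutable" buy you in practice: if someone with database access edits a historical entry, every hash from that entry onward stops verifying, and the practice can see it without the vendor's help. The thresholds and the role table are the practice's own policy decisions and should be tuned to your actual roles.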

Data backup and recovery

Cloud PIMS vendors handle backup differently from on-premise systems, and the practice needs to understand exactly what is backed up, how often, and how recovery works.

What to ask:

  • "What is your Recovery Point Objective (RPO)?" — the maximum amount of data the practice could lose in a failure scenario. A vendor with a 1-hour RPO means you could lose up to 1 hour of data entry.
  • "What is your Recovery Time Objective (RTO)?" — the maximum time the system could be unavailable. A vendor with a 4-hour RTO means the PIMS could be down for up to 4 hours after a failure.
  • "Are backups stored in a geographically separate location from the production environment?" If the vendor's primary data center and backup data center are in the same building or the same region, a natural disaster or regional infrastructure failure could take both offline.
  • "Does the vendor have a documented disaster-recovery plan, and is it tested regularly?" SOC 2 Type II certification requires evidence of disaster-recovery testing; ask to see the results.

API and integration security

Most cloud PIMS connect to third-party services: lab integrations (IDEXX, Antech), payment processors, reminder platforms (PetDesk, VitusVet), and AI scribe tools. Each integration is an additional attack surface.

What to ask:

  • "Do third-party integrations use OAuth 2.0 or equivalent authorization, or do they require shared credentials (username/password)?" Shared credentials are a serious security gap — if the third party is breached, your PIMS credentials are exposed.
  • "Can the practice administrator see which integrations are active and revoke access to any of them independently?" If you cannot disconnect an integration yourself, you are dependent on the vendor's response time during a security incident.
  • "Is the API rate-limited and logged?" Unrestricted API access allows an attacker with stolen credentials to rapidly exfiltrate data.

The breach-response checklist

No security system is impenetrable. What separates a manageable incident from a catastrophic one is the vendor's response process.

Questions to ask before signing:

  1. Incident-notification SLA. "If a breach occurs, how quickly will you notify affected practices?" The answer should be measured in hours, not days. A vendor that takes 72 hours to notify you of a breach means your practice is exposed for three days before you can take protective action.

  2. Breach-investigation support. "Will you provide forensic details of the breach — what data was accessed, how the attack occurred, and what remediation was performed?" A vendor that tells you only "there was an incident" without specifics cannot help you assess your actual exposure.

  3. Data-recovery commitment. "If data is lost or corrupted, what is your commitment to restoring it, and from what point in time?" Verify that the RPO and RTO commitments are contractual, not aspirational.

  4. Client-notification responsibility. "Who is responsible for notifying clients whose data was exposed — the vendor or the practice?" In most cases, the practice is legally responsible for notifying clients. The vendor should provide the information the practice needs to fulfill that obligation promptly.

  5. Financial liability. "Does the vendor accept any financial liability for a breach, or does the contract limit liability to the subscription fee?" Most SaaS contracts cap the vendor's total liability at the amount you paid in the preceding 12 months. For a practice paying $500/month, that is a $6,000 liability cap against a potential six-figure breach cost. Understand this gap and consider whether cyber-liability insurance is appropriate for your practice.

The 15-question vendor security checklist

Run this checklist before signing a contract and annually thereafter:

| # | Question | Minimum acceptable answer | Red flag |
| --- | --- | --- | --- |
| 1 | Are you SOC 2 Type II certified? | Yes, with current report available | "We are working toward it" or deflection |
| 2 | Which Trust Services Criteria does your SOC 2 cover? | Security + at least 2 others | Security only |
| 3 | Is all customer data encrypted at rest? | AES-256 or equivalent | "We use SSL" (that is transit, not rest) |
| 4 | Is all data encrypted in transit? | TLS 1.2+ enforced | TLS 1.0 allowed |
| 5 | Is MFA required for all user accounts? | Yes, enforced by default | "Optional" or "available" |
| 6 | Does the practice admin control MFA enforcement? | Yes | No |
| 7 | Are audit logs immutable and retained for ≥ 3 years? | Yes | Logs stored on same server as data |
| 8 | Can the practice export audit logs independently? | Yes | Requires support ticket |
| 9 | What is the RPO? | ≤ 1 hour | > 24 hours or undefined |
| 10 | What is the RTO? | ≤ 4 hours | > 24 hours or undefined |
| 11 | Are backups stored in a separate geographic region? | Yes | Same data center or same region |
| 12 | Do third-party integrations use OAuth 2.0? | Yes | Shared username/password |
| 13 | Can the practice revoke any integration independently? | Yes | Requires vendor involvement |
| 14 | What is the breach-notification SLA? | ≤ 24 hours | > 72 hours or undefined |
| 15 | Is the vendor's breach liability capped at subscription fees? | Acknowledged with documented risk acceptance | Vendor claims full liability (verify independently — most do not actually provide this) |

A vendor that cannot answer all 15 questions with documented, verifiable responses has not earned the trust of storing your practice's patient records, client payment data, and controlled-substance logs.

The veterinary-specific gap

Most cybersecurity frameworks were designed for human healthcare or general SaaS. Veterinary practices have two additional concerns that standard audits do not fully address:

Controlled-substance record integrity. DEA regulations require accurate, complete, and retrievable records of controlled-substance receipt, administration, and disposal. If a cloud PIMS stores these records and the vendor suffers a data-corruption event, the practice is on the hook for a DEA audit with incomplete logs. Verify that the vendor's backup includes controlled-substance records specifically and that the audit log captures controlled-drug entries with the same granularity as the DEA requires.
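A practical way to verify that the exported controlled-substance log is complete enough to survive an audit is to reconcile it. The script below is an added example (not code from the article, a PIMS vendor, or the DEA): it takes a CSV export of receipt, administration, and disposal entries, checks that entry numbers are contiguous (a gap is a missing record), that every entry type carries the fields it needs, and that no drug's running balance goes negative (more dispensed than received means a record is missing or wrong). The CSV layout, the required-field table, and the sample ledger are constructed assumptions standing in for whatever your DEA and state rules actually require.

```python
"""Controlled-substance log reconciliation from a PIMS export.

Added example, not code from the article, a PIMS vendor or the DEA. The CSV
layout, the per-entry required fields and the sample ledger are constructed
for this illustration; the required-field table is an assumption standing in
for whatever your DEA and state rules actually demand.
"""
import csv
import io
from collections import defaultdict

# Hypothetical required fields per entry type (assumption, not a DEA list).
REQUIRED_FIELDS = {
    "receipt": ("supplier", "invoice"),
    "administration": ("patient", "administered_by"),
    "disposal": ("witness",),
}


def reconcile(csv_text):
    """Return (running balance per drug, list of integrity problems)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    problems = []
    balance = defaultdict(float)
    expected_seq = None
    for row in rows:
        seq = int(row["seq"])
        # Entry numbers must be contiguous: a gap is a missing record.
        if expected_seq is not None and seq != expected_seq:
            problems.append(("sequence_gap", expected_seq, seq))
        expected_seq = seq + 1
        kind = row["type"]
        if kind not in REQUIRED_FIELDS:
            problems.append(("unknown_type", seq, kind))
            continue
        for field in REQUIRED_FIELDS[kind]:
            if not row.get(field):
                problems.append(("missing_field", seq, field))
        qty = float(row["qty_mg"])
        drug = row["drug"]
        if kind == "receipt":
            balance[drug] += qty
        else:
            balance[drug] -= qty
            # More dispensed or disposed than received: a record is missing or wrong.
            if balance[drug] < 0:
                problems.append(("negative_balance", seq, drug))
    return dict(balance), problems


# Constructed sample export: one gap (seq 4), one unrecorded receipt
# (butorphanol) and one administration with no patient recorded (seq 7).
SAMPLE_LEDGER = """\
seq,date,drug,type,qty_mg,patient,administered_by,supplier,invoice,witness
1,2026-03-01,ketamine,receipt,1000,,,VetSupplyCo,INV-1001,
2,2026-03-02,ketamine,administration,50,P1001,dr.lee,,,
3,2026-03-02,ketamine,administration,75,P1002,dr.lee,,,
5,2026-03-03,ketamine,disposal,10,,,,,tech.ng
6,2026-03-03,butorphanol,administration,5,P1003,dr.lee,,,
7,2026-03-04,ketamine,administration,20,,dr.lee,,,
"""

if __name__ == "__main__":
    balances, found = reconcile(SAMPLE_LEDGER)
    print("balances (mg):", balances)
    for problem in found:
        print(*problem)
```

Run it against the vendor's restored backup as well as the live export: if the two reconcile to different balances, the backup does not contain the controlled-substance records with the granularity you need, and that is the answer to the question above.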

State veterinary-records laws. At least 35 states have their own veterinary medical-records statutes covering retention periods, client access rights, and confidentiality. HIPAA does not apply, but these state laws do — and they impose obligations on the practice that the cloud vendor must be able to support. Ask specifically: "Can your platform enforce record-retention policies by state, and can you produce records in the format required by my state's veterinary medical board?"

Cloud PIMS security by platform (2026 snapshot)

| Platform | SOC 2 Type II | MFA enforced | Encryption at rest | Audit log export | Notes |
| --- | --- | --- | --- | --- | --- |
| Shepherd | Yes (2024, Johanson Group) | Yes | Yes | Yes | Also PCI DSS compliant for Shepherd Pay |
| ezyVet | Yes | Yes | Yes | Yes | One of the few veterinary PIMS with SOC 2 per their own statement |
| Provet Cloud | Verification recommended | Yes | Yes | Yes | 55,000+ users; security documentation available on request |
| Digitail | Verification recommended | Yes | Yes | Yes | Cloud-native; AI-powered |
| Covetrus Pulse | Verification recommended | Yes | Yes | Yes | IDEXX/Trupanion ecosystem |
| DaySmart Vet | Verification recommended | Yes | Yes | Yes | Cloud-based; integrates with Antech HealthTracks |
| Cornerstone (cloud) | IDEXX Trust Center available | Yes | Yes | Yes | Legacy platform with ongoing cloud migration |

"Verification recommended" means the vendor has not publicly disclosed SOC 2 certification but may hold it — ask directly. ezyVet notes that SOC 2 compliance is uncommon among veterinary PIMS vendors, so do not assume it without confirmation. For IDEXX software products (Cornerstone, Neo, Vello), the IDEXX Trust Center provides security documentation upon request.

What to do after you sign

The security audit does not end at contract signing. Annual review:

  1. Request the current SOC 2 report. SOC 2 Type II certification requires annual re-auditing. A report that is more than 18 months old is stale.
  2. Review the vendor's breach disclosure page or security blog. Most reputable SaaS vendors publish transparency reports or post-incident analyses. If the vendor had a breach in the past year, read the details and assess whether the root cause was addressed.
  3. Verify that your practice's security configuration is still correct. MFA enforcement, user-role permissions, and integration access should be reviewed quarterly. Practices that disable MFA for convenience or give admin access to departing employees erode the vendor's security controls from the inside.
  4. Run your own backup drill. Verify that you can export your practice data (patient records, financial records, controlled-substance logs) in a usable format without vendor assistance. This is the single most important verification — if the vendor goes out of business, suffers a catastrophic outage, or locks your account in a contract dispute, the data export is your only safety net. Our PIMS data export checklist covers this in detail.
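The backup drill in step 4 is only meaningful if "usable format" is checked rather than assumed. The script below is an added example (not code from the article or from any PIMS vendor) of the check: given the files from an export, it confirms each expected file is present, that the columns the practice cannot work without are there, that the row counts match what the PIMS dashboard reported on the day of the export, and that dates parse. The export layout (one CSV per record type), the required columns, the expected counts, and the sample files are all constructed assumptions; substitute your vendor's actual export layout.

```python
"""Backup/export drill: check that a PIMS data export is complete and usable.

Added example, not code from the article or from any PIMS vendor. The export
layout (one CSV per record type), the required columns and the expected row
counts are assumptions constructed for this illustration; in a real drill the
counts come from the PIMS dashboard on the day of the export.
"""
import csv
import io
import os
from datetime import date

# Hypothetical export layout: file name -> columns the practice cannot work without.
REQUIRED_COLUMNS = {
    "patients.csv": {"patient_id", "name", "species", "owner_id", "last_visit"},
    "invoices.csv": {"invoice_id", "owner_id", "date", "total"},
    "controlled_substances.csv": {"seq", "date", "drug", "type", "qty_mg"},
}
DATE_COLUMNS = {"last_visit", "date"}   # must be ISO dates to be re-importable


def validate_export(files, expected_counts):
    """files: name -> CSV text; expected_counts: name -> row count from the PIMS UI.

    Returns a list of problems; an empty list means the export passed the drill.
    """
    problems = []
    for name, columns in REQUIRED_COLUMNS.items():
        if name not in files:
            problems.append(("missing_file", name))
            continue
        reader = csv.DictReader(io.StringIO(files[name]))
        missing = columns - set(reader.fieldnames or [])
        if missing:
            problems.append(("missing_columns", name, tuple(sorted(missing))))
        rows = list(reader)
        if len(rows) != expected_counts.get(name):
            problems.append(("row_count", name, len(rows), expected_counts.get(name)))
        for row in rows:
            for col in DATE_COLUMNS & columns:
                try:
                    date.fromisoformat(row.get(col) or "")
                except ValueError:
                    problems.append(("bad_date", name, col, row.get(col)))
    return problems


def load_export_dir(path):
    """Read every CSV in an unzipped export directory into the files mapping."""
    return {n: open(os.path.join(path, n), encoding="utf-8").read()
            for n in os.listdir(path) if n.endswith(".csv")}


# Constructed sample export with three defects: a non-ISO date, a missing
# 'total' column, and no controlled-substance file at all.
SAMPLE_EXPORT = {
    "patients.csv": "patient_id,name,species,owner_id,last_visit\n"
                    "P1001,Biscuit,canine,O77,2026-02-14\n"
                    "P1002,Mochi,feline,O78,02/20/2026\n",
    "invoices.csv": "invoice_id,owner_id,date\n"
                    "I500,O77,2026-02-14\n",
}
SAMPLE_COUNTS = {"patients.csv": 2, "invoices.csv": 1, "controlled_substances.csv": 12}

if __name__ == "__main__":
    for problem in validate_export(SAMPLE_EXPORT, SAMPLE_COUNTS):
        print(*problem)
```

Record the problem list with the date of each drill; a clean run is the evidence that the export actually is your safety net, and a list that grows between drills is an early sign that the vendor's export has drifted.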

Sources