Luma is HITRUST CSF certified: Q&A with Luma’s security director 

Healthcare providers have good reason to be concerned about data breaches. According to the HIPAA Journal, in the first half of 2022, there were 347 data breaches of 500 or more healthcare records, and healthcare providers are consistently the worst-affected type of HIPAA-covered entity.

At Luma, patient success must also mean comprehensive data security. We are proud to announce that Luma has earned HITRUST CSF certification, a validated security certification for healthcare IT companies. The HITRUST Risk-based, 2-year (r2) Validated Assessment is among the most rigorous industry security certifications: it requires onsite assessment procedures as well as an extensive testing program.

To find out more about HITRUST and what it means for Luma’s customers and partners, we caught up with Nick Lees, Luma’s information security and compliance director.

Why is HITRUST so important?

Our customers and partners are putting a huge amount of trust in us to securely handle their data—and their patients’ data. When partnering with a vendor such as Luma, they want to ensure they are not introducing additional security risk into their business. For any HIPAA-compliant IT vendor, attaining HITRUST certification is essential.

What does attaining a HITRUST certification say about Luma?

HITRUST is the security gold standard for companies that are handling health information. By successfully completing all the steps needed to attain the HITRUST Risk-based, 2-year (r2) Validated Assessment, we are assuring our customers and business partners that a) we are deeply committed to security, and b) the way we conduct business and handle sensitive data meets or exceeds recognized, industry-specific best practices.

What makes the HITRUST certification the gold standard?

Unlike security audits such as SOC 2, HITRUST certification requires that an authorized HITRUST assessor spend time onsite to observe data-handling practices and score a business across several dimensions. Luma was graded on security policy, process, and implementation, and had to achieve a specific score for all of the controls that HITRUST requires to qualify for certification.

Through this process, what did you learn about Luma’s systems and processes?

We discovered that we have a very strong and mature information security program, backed up with a fully documented set of policies, procedures and controls. These have now been independently audited and validated, so we can be sure we are supporting our customers securely.

How does this certification prepare us for the evolution of healthcare regulations?

The HITRUST certification is constantly evolving, with new control requirements being added as the healthcare tech landscape changes. Luma’s already excellent foundation is now certified against the HITRUST framework so we can drive continuous improvement and stay ahead of any new requirements.