
Information Security, Data Privacy, and Trust at Luma Health

“At Luma, our goal is to put patients at the center of everything we do. Our security, privacy, and compliance programs help us support our customers and achieve this goal.”
Nick Lees
Head of Information Security and Compliance

Security and Certifications

Luma Health is certified to ISO 27001:2022, an internationally recognized standard for the implementation of an Information Security Management System (ISMS).

In addition, we have certified our security program against the gold standard in healthcare technology, HITRUST CSF r2, and we perform a SOC 2 Type II attestation annually.

Current and prospective Luma customers can opt to receive a copy of these reports by reaching out to your Customer Success Manager or


System Status

You can view real-time information on our System Status here, as well as historical uptime and incident information.

If you have a security concern with the Luma platform, or you have reason to believe you have discovered a security weakness or vulnerability in our platform, please contact

Identity and Access Management

All system access at Luma Health is centrally managed, with Single Sign On required wherever possible. Multi-Factor Authentication is enforced across the organization. All access is Role-Based, follows the principle of least privilege and requires management and/or system owner approval. Access entitlement reviews take place every 90 days for regular accounts, and every 60 days for elevated accounts.


Our infrastructure is 100% cloud-based, with no on-premises infrastructure. We run a modern, auto-scaling microservices architecture, all managed by code. Infrastructure changes follow our standard, fully documented change control process.

Vulnerability Management

We perform automated vulnerability scans of our infrastructure monthly, and scan for emerging threats and vulnerabilities as soon as they are known. New infrastructure targets are automatically added to the scan rotation. Any discovered vulnerabilities are remediated in line with our defined schedule.

SDLC and Change Management

We have a fully documented SDLC which follows the OWASP Top Ten. All development is performed in-house, and all new code as well as changes to existing code are subject to both automated and manual security checks and peer review before being considered for a production release.

Every change and release follows our change control process, which includes peer review, testing and validation in lower environments, a backout plan, management approval, and separation of duties between development and release.

Audit and Compliance

Our Internal Audit team performs all our audit activities on an established schedule. This includes regular user entitlement reviews, and annual reviews of third-party vendors. The team reviews any requests for new software/vendors and any user access requests. The team continuously maintains our compliance program to ensure ongoing success with any certifications and attestations such as ISO 27001:2022, SOC 2 and HITRUST r2.

End User Security

All Luma employees are required to complete a background check, HIPAA training, Information Security training, and policy acknowledgement before accessing Luma systems. All employees are issued a Luma-owned device, which is centrally managed via an MDM solution and protected by various security controls including full disk encryption, activity lock, next-generation anti-virus, and an Endpoint Detection and Response solution.

Incident Management

Our fully documented Incident Management policy and procedures cover all aspects of the incident lifecycle: what classifies as an incident, how and when an incident should be declared, running the incident, post-incident activities (a post-mortem exercise, lessons learned, and action items), and internal and customer communication. We test our incident response function no less than annually to verify it is operating effectively and to identify any areas for improvement.

Business Continuity and Disaster Recovery

We partner with Amazon Web Services (AWS) to provide cloud hosting, and we take advantage of AWS Availability Zones with real-time replication to ensure our 99.9% uptime target is met. Our code-based microservices architecture allows us to quickly deploy a production instance into any AWS data center should the need arise. We fully test our Business Continuity and Disaster Recovery function annually.