You can view real-time information on our System Status here, as well as historical uptime and incident information.
If you have a security concern with the Luma platform, or you have reason to believe you have discovered a security weakness or vulnerability in our platform, please contact firstname.lastname@example.org
Identity and Access Management
All system access at Luma Health is centrally managed, with Single Sign On required wherever possible. Multi-Factor Authentication is enforced across the organization. All access is Role-Based, follows the principle of least privilege and requires management and/or system owner approval. Access entitlement reviews take place every 90 days for regular accounts, and every 60 days for elevated accounts.
Our Infrastructure is 100% cloud-based, with no on-premise infrastructure. We run a modern, auto-scaling microservices architecture, all managed by code. Infrastructure changes follow our standard, fully-documented change control process.
We perform automated vulnerability scans of our infrastructure monthly, and scans of any emerging threats and vulnerabilities as soon as they are known. New infrastructure targets are automatically added to the scan rotation. Any discovered vulnerabilities are remediated in line with our defined schedule.
SDLC and Change Management
We have a fully documented SDLC which follows the OWASP Top Ten. All development is performed in-house, and all new code as well as changes to existing code are subject to both automated and manual security checks and peer review before being considered for a production release.
Every change and release follows our change control process, which includes peer review, testing and validation in lower environments, a backout plan, management approval, and separation of duties between development and release.
Audit and Compliance
Our Internal Audit team performs all our audit activities on an established schedule. This includes regular user entitlement reviews, and annual reviews of third-party vendors. The team reviews any requests for new software/vendors and any user access requests. The team continuously maintains our compliance program to ensure ongoing success with any certifications and attestations such as SOC 2 and HITRUST.
End User Security
All Luma employees are required to complete a background check, HIPAA training, Information Security training, and policy acknowledgement before accessing Luma systems. All employees are issued a Luma-owned device, which is centrally managed via an MDM solution and protected by various security controls including full disk encryption, activity lock, next-generation anti-virus, and an Endpoint Detection and Response solution.
Our fully documented Incident Management policy and procedures cover all aspects of an incident lifecycle, including what classifies as an incident, how and when an incident should be declared, running the incident, post-incident activities including a post-mortem exercise, lessons learned and action items as well as internal and customer communication. We test our incident response function no less than annually to verify it is operating effectively and to identify any areas for improvement.
Business Continuity and Disaster Recovery
We partner with Amazon Web Services (AWS) to provide cloud hosting, and we take advantage of AWS Availability Zones with real-time replication to ensure our 99.9% uptime target is met. Our code-based microservices architecture allows us to quickly deploy a production instance into any AWS data center should the need arise. We fully test our Business Continuity and Disaster Recovery function annually.