Information Security, Data Privacy, and Trust at Luma Health

At Luma Health we hold a number of Information Security and Data Privacy certifications to give you the assurance that we treat the security of your and your patients' data with the utmost importance.


ISO 27001:2022

Luma Health is ISO 27001:2022 Certified - an internationally recognized standard for the implementation of an Information Security Management System (ISMS).

HITRUST CSF r2

We are HITRUST CSF r2 Certified, a risk-based certification that is the gold standard in healthcare technology.

SOC 2 Type II

We perform a SOC 2 Type II attestation annually, providing assurance that not only do we have appropriate security controls in place, they are also operating effectively.

TX-RAMP Level 2

We are TX-RAMP (Texas Risk and Authorization Management Program) Level 2 certified - a framework designed to ensure the security and compliance of cloud services used by Texas state agencies.

US – EU Privacy Framework

We participate in the EU-U.S. Data Privacy Framework, including the UK and Swiss extensions.


"At Luma, our goal is to put patients at the center of everything we do. Our security, privacy, and compliance programs help us support our customers and achieve this goal."

Nick Lees | Head of Information Security and Compliance

If you have a security concern with the Luma platform, or you have reason to believe you have discovered a security weakness or vulnerability in our platform, please contact security@lumahealth.io.

System Status

You can view real-time information on our System Status here, as well as historical uptime and incident information.
https://status.lumahealth.io

Identity and Access Management

All system access at Luma Health is centrally managed, with Single Sign On required wherever possible. Multi-Factor Authentication is enforced across the organization. All access is Role-Based, follows the principle of least privilege and requires management and/or system owner approval. Access entitlement reviews take place every 90 days for regular accounts, and every 60 days for elevated accounts.

Infrastructure

Our infrastructure is 100% cloud-based, with no on-premises infrastructure. We run a modern, auto-scaling microservices architecture, all managed as code. Infrastructure changes follow our standard, fully documented change control process.

Vulnerability Management

We perform automated vulnerability scans of our infrastructure monthly, and scans of any emerging threats and vulnerabilities as soon as they are known. New infrastructure targets are automatically added to the scan rotation. Any discovered vulnerabilities are remediated in line with our defined schedule.

SDLC and Change Management

We have a fully documented SDLC which follows the OWASP Top Ten. All development is performed in-house, and all new code as well as changes to existing code are subject to both automated and manual security checks and peer review before being considered for a production release.

Every change and release follows our change control process, which includes peer review, testing and validation in lower environments, a backout plan, management approval, and separation of duties between development and release.

Audit and Compliance

Our Internal Audit team performs all our audit activities on an established schedule. This includes regular user entitlement reviews, and annual reviews of third-party vendors. The team reviews any requests for new software/vendors and any user access requests. The team continuously maintains our compliance program to ensure ongoing success with any certifications and attestations such as ISO 27001:2022, SOC 2 and HITRUST r2.

End User Security

All Luma employees are required to complete a background check, HIPAA training, Information Security training, and policy acknowledgement before accessing Luma systems. All employees are issued a Luma-owned device, which is centrally managed via an MDM solution and protected by various security controls including full disk encryption, activity lock, next-generation anti-virus, and an Endpoint Detection and Response solution.

Incident Management

Our fully documented Incident Management policy and procedures cover every stage of the incident lifecycle: what qualifies as an incident, how and when an incident is declared, how the incident is run, and post-incident activities including a post-mortem exercise, lessons learned, action items, and internal and customer communication. We test our incident response function no less than annually to verify it is operating effectively and to identify any areas for improvement.

Business Continuity and Disaster Recovery

We partner with Amazon Web Services (AWS) to provide cloud hosting, and we take advantage of AWS Availability Zones with real-time replication to ensure our 99.9% uptime target is met. Our code-based microservices architecture allows us to quickly deploy a production instance into any AWS data center should the need arise. We fully test our Business Continuity and Disaster Recovery function annually.

AI Data, Privacy and Security

Luma Health AI-enabled products such as Spark Navigator are built to be ISO 42001 compliant. These products operate under a Zero Data Retention model, meaning there is no long-term persistent storage of any customer data. Customer and patient data is not shared with or made available to other customers, is not shared with or made available to any of our partners or service providers, and is not used to train, retrain or improve any models.

Data Privacy

We only ever use your data to provide the services that you contract with us for. We never share or sell your data to any third parties, and your data is never used for advertising purposes.

We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit
https://www.dataprivacyframework.gov