Introducing: The Lumistry Platform. Learn more here!

Information Security Program

Last Updated: January 22, 2024

The Lumistry Information Security Program is designed around the Information Systems upon which applications and solutions are deployed by Lumistry on behalf of its clients.

Policies and Procedures

Lumistry maintains a documented information privacy, security and risk management program with clearly defined roles, responsibilities, policies, and procedures which are designed to secure the information maintained on Lumistry’s Information Systems. Lumistry’s program, at a minimum:

  • Assigns data security responsibilities and accountabilities to specific individuals;
  • Describes acceptable use of Lumistry’s Information Systems;
  • Defines access control and password requirements for Lumistry end users, administrators, and operating systems;
  • Enforces Lumistry’s end user authentication requirements;
  • Describes audit logging and monitoring of Lumistry’s Information Systems;
  • Details Lumistry’s incident response plan;
  • Describes appropriate risk management controls, security certifications and periodic risk assessments; and
  • Describes the physical and environmental security requirements for Lumistry’s Information Systems.

Lumistry tightly controls and does not distribute written or electronic copies of its security policies and procedures. Lumistry regularly reviews and modifies its security program to reflect changing technology, regulations, laws, risk, industry and security practices and other business needs.

Technical Security

Access Control

Lumistry grants access to Information Systems based upon role, completion of required training, and the principle of least privilege. Access to Information Systems is enforced with security technology and processes that ensure access is appropriate and that meet or exceed applicable compliance and regulatory requirements. Lumistry manages identity and access management for Information Systems by:

  • Enabling access based on the individual’s roles.
  • Verifying the identity of the individual, via background checks, prior to granting access.
  • Limiting Information Systems access to the minimum necessary per the role.
  • Removing or adjusting access when an individual’s role changes, so that access remains the minimum necessary for the current role.
  • Reviewing weekly access audit logs for activity, or lack of activity, to confirm that role-based access remains limited to the minimum required.
  • Enabling Multi-Factor Authentication to Information Systems to ensure only authorized individuals are granted access.
  • Revoking credentials and locking access to endpoints within 24 hours of an individual’s voluntary separation of employment.
  • Ensuring privileged access and functions are strictly limited to individuals with a business justification for use.

Information Systems Protection

Lumistry uses a breadth and depth approach to securing Information Systems. The following is a non-inclusive list of examples of the security technologies and processes Lumistry uses to protect Information Systems:

  • Perimeter defense, monitoring, threat and anomaly detection on Cloud Infrastructure
  • Network firewalls, intrusion detection and prevention, network segmentation, segmentation of data, and server and endpoint firewalls provide layered security protection
  • Next-generation anti-virus and anti-malware software with machine learning capabilities protects endpoints and servers
  • Endpoint and server hardening that incorporates encryption of data at rest, enabled host firewalls, and restriction of privileged functions to authorized users only
  • Audit Log monitoring of all information, services, and network systems.
  • Patch Management to ensure up to date security patches are maintained.
  • Change Management to review and ensure kernel, infrastructure configuration, and code changes are secure and do not propagate vulnerabilities from development to production.
  • A software development process that includes automated static analysis, peer review, and QA of code to ensure compliance with OWASP security standards.
  • Data Loss Prevention (DLP) is implemented to prevent PII or ePHI from being disseminated.

Vulnerability Management

Penetration testing is performed at least annually, and vulnerability scans are performed monthly, by independent third parties who hold appropriate industry certifications and credentials. As part of Lumistry’s vulnerability and threat management program, Lumistry’s security professionals analyze and quantify the risk that identified vulnerabilities and threats pose to both Lumistry and its clients. Lumistry also conducts continuous scanning of its production Information Systems for threats, anomalies, and vulnerabilities, prioritized by expected impact to the environment and by external exposure. Identified vulnerabilities are assessed and remediation is initiated. As part of assessment and remediation, vulnerabilities are assigned a severity with the following remediation timelines:

  • Urgent: 48 hours when no workaround is available. If a workaround is available that mitigates the impact, two (2) weeks may be authorized to implement a permanent solution
  • Critical: 30 days
  • High: 90 days
  • Medium: 180 days
  • Low: 365 days

Physical and Environmental Security

All sensitive information is maintained in production environments managed by SOC 2 Type II, ISO 27001, and HIPAA compliant cloud service providers that have implemented appropriate physical and environmental security controls. Corporate offices require badge reader access and electronic visitor sign-in. Ingress, egress, and network closets are monitored with video surveillance. Network closet access is controlled and monitored using badge card readers.

Incident Management

Security Incidents

Lumistry maintains a security incident management process to investigate, mitigate, and communicate system security events occurring within its Information Systems. Impacted clients are informed of relevant security incidents in a timely manner and advised of recommended corrective measures to be taken.

Security Event Management

Lumistry does not notify clients or publicly speak about “named” vulnerability events (e.g. WannaCry, Heartbleed, and ShellShock). Lumistry will engage in private discussions if clients have questions about Lumistry’s approach to specific events.


Training & Awareness

Lumistry’s workforce members (employees, contractors and volunteers) complete mandatory HIPAA, Privacy and Security training during on-boarding, annually thereafter, and when significant events arise. Security awareness training activities are defined according to each workforce member’s role.

Background Checks

Lumistry workforce members (employees, contractors and volunteers) undergo a thorough background check before being granted access to sensitive information. Background checks consist of:

  • SSN Trace
  • Sex Offender Watchlist
  • Global Watchlist
  • County Searches
  • National Search

Certifications and Audits

Lumistry regularly conducts internal assessments and undergoes external audits to examine the controls present within the Platform and Lumistry’s operations and to validate that Lumistry is operating effectively in accordance with its Information Security Program.


HITRUST Risk-based, 2-year (r2) Certified status demonstrates that the Lumistry Platform and Lumistry IVR have met key regulations and industry-defined requirements and are appropriately managing risk.

HIPAA – Health Insurance Portability and Accountability Act

Lumistry has established and maintains the controls required for compliance with HIPAA (as amended by HITECH). HIPAA assessments (internal or external) take place annually and examine all relevant corporate and client environments.