Luminare Security Standards

Data security is patient safety. We take both seriously.

Security Overview

At Luminare, we believe that preserving the confidentiality, integrity and availability of data is part of patient safety. Data security is built into our culture and practices. Our solutions are HIPAA-compliant and meet or exceed National Institute of Standards and Technology (NIST) recommendations. To report a security, confidentiality, integrity or availability failure, incident, concern or other complaint, please fill out this form.

Security in Our Software

  • Data encrypted with AES-256
  • Granular user roles that restrict access and enforce least privilege
  • HttpOnly and encryption options for cookies
  • SQL injection prevention using prepared statements
  • Input validation and output sanitization to prevent cross-site scripting (XSS)
  • Rate limiting to prevent brute-force login attempts
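The prepared-statement item above is the one most often gotten wrong in practice, so here is a worked illustration. This is an added example, not Luminare's code: it assumes Python's standard sqlite3 driver and a constructed two-row users table, and it shows the same login lookup built by string concatenation and as a prepared statement, fed a classic quote-breaking payload.

```python
import sqlite3

# Constructed sample data standing in for an application database.
# Real systems store password hashes, never plaintext; the point here is
# how the query is built, not how credentials are stored.
SAMPLE_USERS = [("alice", "a-secret"), ("bob", "b-secret")]

# Constructed injection payload: closes the string literal and appends an
# always-true condition.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory database with the sample users loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username, password):
    """Login lookup built by string concatenation (deliberately vulnerable).

    Attacker-controlled text is pasted straight into the SQL, so quotes in
    the input become SQL syntax.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}' "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn, username, password):
    """Same lookup as a prepared statement.

    The SQL text is fixed; the driver passes the values separately, so a
    quote in the input is compared as data and never parsed as syntax.
    """
    sql = (
        "SELECT username FROM users "
        "WHERE username = ? AND password = ? "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    # Concatenated query: the payload makes the WHERE clause always true,
    # so every user is returned without a valid password.
    print(find_user_vulnerable(conn, PAYLOAD, PAYLOAD))
    # Prepared statement: no user has the literal payload as a name, so
    # nothing matches.
    print(find_user_prepared(conn, PAYLOAD, PAYLOAD))
    # Legitimate credentials still work through the prepared statement.
    print(find_user_prepared(conn, "alice", "a-secret"))
```

The placeholder syntax is driver-specific (sqlite3 uses `?`; psycopg and MySQL drivers use `%s`), but the principle is the same: the query shape is fixed before any user data is seen. Note that parameters only protect values; table and column names still cannot be parameterized and must come from an allow-list.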

Security in Our Process

  • Shift-left security implementation with DeepFence
  • Automated blocking of dependencies with known security advisories
  • Code runs in tightly restricted domain environments
  • Continuous integration via GitHub
  • In-depth code reviews
  • Secure system engineering principles

Security in Our Platform

  • Hosted on Microsoft Azure Cloud
  • Data hosted only in US data centers
  • Data transmissions secured via TLS 1.2 or higher
  • Best-practice security features such as firewalls and brute-force prevention
  • Encrypted databases and drives
  • HIPAA compliant data retention policy
  • Snapshots and individual data backups, tested regularly
  • Terraform infrastructure-as-code (IaC) for provisioning, maintaining baselines and configuration management
  • Continuous performance and availability monitoring
  • Technical and administrative controls enforcing least-privilege
  • IAM security profiles with two-factor authentication for all employees
  • Detailed continuous system monitoring

Security in Our Vendors

  • Business Associate Agreement (BAA) with all PHI vendors
  • Rigorous annual third-party Risk Assessment Process
  • Most vendors hold SOC 2 attestation reports

Security in Our Company

  • Well-established security policy reviewed annually and after major updates
  • Ongoing technical security training for engineers
  • Background checks at hire for all employees
  • Security awareness training for all employees
  • Quarterly access-control review for privileged access
  • Cybersecurity insurance to address residual risk