17. Data Integrity Policy
Luma takes data integrity very seriously. As stewards and partners of Luma Customers, we strive to assure data is protected from unauthorized access and that it is available when needed. The following policies drive many of our procedures and technical settings in support of the Luma mission of data protection.
Production systems that create, receive, store, or transmit Customer data (hereafter “Production Systems”) must follow the guidelines described in this section.
17.1 Applicable Standards
17.1.1 Applicable Standards from the HITRUST Common Security Framework
- 10.b - Input Data Validation
17.1.2 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(8) - Evaluation
17.2 Disabling Non-Essential Services
- All Production Systems must disable services that are not required to achieve the business purpose or function of the system.
17.3 Monitoring Log-in Attempts
- All access to Production Systems must be logged. This is done following the Luma Auditing Policy.
17.4 Prevention of Malware on Production Systems
- All Production Systems must have up-to-date anti-malware installed and run regular scans. Detected malware is evaluated and removed.
- Virus scanning software is run on all Production Systems for anti-virus protection.
- Hosts are scanned on boot and daily for malicious binaries in critical system paths.
- The malware signature database is checked hourly and automatically updated if new signatures are available.
- Logs of virus scans are maintained according to the requirements outlined in §8.6.
- All Production Systems are to only be used for Luma business needs.
- Malicious code that is identified is blocked, quarantined, and an alert is sent to administrators.
- Anti-malware is centrally managed and cannot be disabled by the users.
17.5 Patch Management
Software patches and updates will be applied to all systems in a timely manner. In the case of routine updates, they will be applied after thorough testing. In the case of updates to correct known vulnerabilities, priority will be given to testing to speed the time to production. Critical security patches are applied within 30 days from testing and all security patches are applied within 90 days after testing.
17.6 Intrusion Detection and Vulnerability Scanning
- Production Systems are monitored using intrusion detection systems (IDS). Suspicious activity is logged and alerts are generated by our hosting partner AWS.
- Vulnerability scanning of Production Systems must occur on a predetermined, regular basis, no less than annually. Currently it is weekly. Scans are reviewed by the Security Officer, with defined steps for risk mitigation, and retained for future reference.
17.7 Production System Security
- System, network, and server security is managed and maintained by the Security Officer in conjunction with the DevOps team.
- Up-to-date system lists and architecture diagrams are kept for all production environments.
- Access to Production Systems is controlled using centralized tools and two-factor authentication.
- The process for granting access to the Production Systems is owned by the Information Security team and is outlined below. Any disruption in the described process will result in a delay or rejection of the request to the Production System.
  - The requesting user will submit a request utilizing a Slack workflow.
  - The requesting user’s Supervisor will approve the stated business need.
  - The Information Security Team will verify the HIPAA training completion, disk encryption, Jamf management, and CrowdStrike sensor installation on the device and provide access to the designated device and user following a security training pertaining specifically to the Production System.
17.8 Production Data Security
- Production data must only be stored in authorized locations.
- Production data storage is limited to the minimum required.
- Reduce the risk of compromise of Production Data.
- Implement and/or review controls designed to protect Production Data from improper alteration or destruction.
- Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
- All Production Data at rest is stored on encrypted volumes using encryption keys managed by Luma’s hosting partner Amazon AWS. Encryption at rest is ensured through the use of automated deployment scripts referenced in the Configuration Management Policy.
- Production Data must only reside within the United States; this includes any data stored with a partner, such as AWS and MongoDB, which are configured to use US-based hosting only.
- Volume encryption keys and machines that generate volume encryption keys are protected from unauthorized access. Volume encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
- Key management is implemented based on specific roles and responsibilities, and in consideration of national and international regulations, restrictions, and issues.
- Encrypted volumes use AES encryption with a minimum of 256-bit keys, or keys and ciphers of equivalent or higher cryptographic strength.
- Copy, move, print, and storage of sensitive data are prohibited remotely without a defined business need. This is restricted via technical and procedural controls implemented by Luma and present by default in the operating systems in use. Access to the production infrastructure is outlined in the System Access Policy.
17.9 Transmission Security
- All data transmission is encrypted end to end using encryption keys managed by Luma. Encryption is not terminated at the network endpoint, and is carried through to the application, ensuring that security is managed through all aspects of any transaction.
- Encryption is used to protect covered information on mobile/removable media and across communication lines.
- Information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception.
- Transmission encryption keys and machines that generate keys are protected from unauthorized access. Transmission encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
- Transmission encryption keys use a minimum of 4096-bit RSA keys, or keys and ciphers of equivalent or higher cryptographic strength (e.g., 256-bit AES session keys in the case of IPsec encryption).
- Luma uses a trusted authority to issue certificates, ensuring that security is integrated and embedded throughout the entire end-to-end certificate chain.
- Transmission encryption keys are limited to use for one year and then must be regenerated.
- System logs record all transmissions of, and access to, Production Data. These logs must be available for audit.
- Transaction details, such as logs, are stored outside of publicly available environments. All such information remains within Luma’s AWS environment with no public route accessible.
- Data containing PHI must not be sent over Fax, Instant Messaging or Chat platforms.
- Luma does not disclose PII to any external parties via any method including telephone, fax and e-mail without first obtaining consent from the data subject. Consent is obtained via E-Mail and retained for a period of 6 years.
- Stronger controls are in place to protect certain electronic messages, such as E-Mail, ensuring they are protected end-to-end.
- E-Mail communications use opportunistic TLS by default, ensuring that all transmissions are sent over an encrypted channel providing they can be accepted by the recipient. Data containing PHI should not be transmitted over E-Mail.
17.10 Data De-Identification
Luma follows the U.S. Department of Health and Human Services Safe Harbor guidelines for de-identification of data containing PHI to ensure we remain in compliance with HIPAA.
Luma ensures that the following identifiers (if existing) are removed:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data:
  - The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people
  - The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
- All elements of dates (except year) for dates that are directly related to an individual
- Telephone Numbers
- Vehicle Identifiers
- Fax Numbers
- Device information, such as serial numbers
- Email Addresses
- Web URLs
- Social Security Numbers
- IP Address information
- Medical Record Numbers
- Biometric Identifiers
- Health Plan beneficiary numbers
- Photographs
- Account Numbers
- Any other unique identifying number, characteristic, or code
- Certificate/license numbers
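The identifier list above, the three-digit ZIP rule and the "year only" rule for dates are mechanical enough to implement as a single de-identification pass. The following is an added example, not Luma's own tooling: it assumes a flat record with the field names shown, and the ZIP-prefix population table is constructed for illustration, not real Census data (a real pipeline would load the current publicly available figures the Safe Harbor rule refers to). Free-text fields are also scrubbed for e-mail addresses, URLs and IP addresses, since those identifiers often survive inside clinical notes even when the structured fields are dropped.

```python
"""Safe Harbor-style de-identification of a flat patient record.

Added example; field names, sample record and population table are
assumptions constructed for this illustration.
"""
import re
from datetime import date

# Constructed residents-per-ZIP3 lookup (NOT real Census data). Unknown
# prefixes are treated as unsafe and generalized to "000".
ZIP3_POPULATION = {
    "940": 1_500_000,   # well above the 20,000 threshold -> keep "940"
    "036": 12_000,      # 20,000 or fewer people -> becomes "000"
}

# Assumed field names that correspond to the listed direct identifiers.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}

# Geographic subdivisions smaller than a state (ZIP is handled separately).
SUBSTATE_GEOGRAPHY = {"street", "city", "county", "precinct", "geocode"}

# Identifiers that commonly leak through free text: URLs, e-mail, IPv4.
FREE_TEXT_PATTERNS = [
    re.compile(r"https?://\S+"),
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits only if that area exceeds 20,000 people."""
    prefix = zip_code[:3]
    if ZIP3_POPULATION.get(prefix, 0) > 20_000:
        return prefix
    return "000"


def generalize_date(d: date) -> int:
    """Only the year of an individual-related date may be retained."""
    return d.year


def scrub_text(text: str) -> str:
    """Replace URL / e-mail / IP fragments embedded in free text."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify(record: dict) -> dict:
    """Return a new record with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUBSTATE_GEOGRAPHY:
            continue                                  # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)        # 3-digit rule
        elif isinstance(value, date):
            out[key + "_year"] = generalize_date(value)  # year only
        elif isinstance(value, str):
            out[key] = scrub_text(value)               # free-text leakage
        else:
            out[key] = value
    return out


# Constructed sample record for demonstration.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "dob": date(1980, 5, 17),
    "admit_date": date(2023, 11, 2),
    "street": "12 Main St",
    "city": "Palo Alto",
    "state": "CA",
    "zip": "94040",
    "phone": "555-0100",
    "email": "jane@example.org",
    "mrn": "MRN-0001",
    "diagnosis_code": "E11.9",
    "notes": "Reachable at jane@example.org; portal https://example.org/p/123",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

The population lookup defaults unknown prefixes to "000" so that a missing table entry fails closed rather than leaking a real three-digit area.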