Our Commitment to Security

Compliance

HIPAA and CCPA

Lyra ensures that all Protected Health Information (PHI) under its care is securely transmitted, retained, processed, and disposed of in compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements. Furthermore, Lyra implements privacy-focused processes and controls to ensure compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act of 2020 (CPRA).

HITRUST Common Security Framework (CSF)

Lyra undergoes annual audits to maintain compliance with the HITRUST Common Security Framework (CSF). HITRUST CSF is an integration of security and privacy regulations and standards at federal and state levels into one framework that incorporates standards defined in HIPAA, HITECH, NIST, ISO, PCI, FTC, and COBIT. It was designed through a collaboration between the health care industry and information security professionals. This prescriptive framework accommodates both risk and compliance.

Third-party penetration tests

Lyra works with reputable third-party firms to conduct annual external penetration tests on Lyra’s web application. All findings are addressed in accordance with Lyra’s formally documented Vulnerability Management policy. Lyra can provide a letter of attestation from the external firm for its most recent penetration test upon request.

Organizational security

Security team

The Security team at Lyra consists of the Director of Security, who is responsible for all aspects of security within the organization, and multiple Security Analysts, responsible for information gathering and performing day-to-day security-related activities. Lyra’s Security team implements both organizational measures (policies, procedures, processes, and training/education) and technical controls (infrastructure and endpoint security, physical security, security operations, vulnerability management, incident management, and risk management) to protect Lyra systems, data, employees, and customers. The Security team works alongside internal stakeholders, such as Legal, Engineering, and DevOps teams to ensure that all implemented measures are compliant with the requirements of HIPAA and other applicable federal and state regulations.

Privacy

Lyra takes the responsibility of safeguarding the data under its care very seriously. Our Privacy Policy is regularly updated to address changes in company policy and the requirements of federal and state regulations, such as HIPAA and CCPA, with which Lyra complies. Review our Privacy Policy in detail.

Policies and procedures

Lyra’s Security team creates, updates, and publishes policies and procedures for all aspects of its security program, which are available to all employees through Lyra’s internal wiki platform. Upon hire, employees must review and sign Lyra’s Employee Handbook, which defines the terms of Acceptable Use that all employees must follow. Any employee who violates Lyra’s Employee Handbook or security policies is subject to disciplinary action, up to and including termination of employment, as defined in Lyra’s Sanctions Policy.

Background checks

Lyra’s People Operations team conducts background checks for all employees prior to their onboarding. This check includes both reference verification and a criminal screening.

Security awareness training

Employees undergo annual security awareness training led by our Director of Security and Privacy Officer, and receive HIPAA-specific security and privacy training during onboarding. Lyra’s Security team also regularly provides company-wide security alerts and notifications to ensure that all employees are aware of important security practices and emerging risks.

Infrastructure and endpoint security

Application security

Software development practices at Lyra are geared toward producing performant, secure, and maintainable code. Code reviews are performed prior to each deployment for both knowledge sharing and ensuring code quality. Specific aspects covered during internal code reviews include:

• Modularity through separation of concerns and single responsibility principle
• Code reuse and avoiding duplication
• Graceful and explicit error handling
• Expressive names for variables and methods following standard coding conventions
• Following secure coding guidelines
• Abundant comments to enable code maintenance
• Deletion of unused/commented code
• Unit tests coverage
• Disallow credentials and sensitive information into the code repository

The Director of Security authorizes only a restricted set of people to update the operational software, applications, and program libraries. Vendor-supplied software used in operational systems is maintained to a supplier-supported level. Applications and operating systems are successfully tested for usability, security, and impact prior to production. Lyra maintains documentation of all implemented applications and systems and ensures that prior versions are archived. Additionally, Lyra utilizes tools such as web application firewalls and static bytecode analysis to protect its applications from common web exploits and risks such as the OWASP Top 10.

AWS security

Lyra’s Security and DevOps teams work closely together to ensure that all systems and services delivered through AWS are securely managed. Lyra follows recommended configurations as defined in AWS’ Well-Architected Framework for all AWS resources. We utilize AWS features such as GuardDuty, Inspector, IAM Access Analyzer, and Security Hub to aid in detecting and responding to anomalous events, misconfigurations, and emerging threats. Investigations, remediations, and corrective action plans are formally documented and tracked using our internal ticketing system.

Encryption

Lyra enforces full-disk encryption (Apple FileVault) on all managed laptops through enterprise management software and device encryption on all BYOD mobile devices through mobile device management (MDM). Lyra’s Security team and IT Administrators use continuous monitoring to ensure that devices remain in compliance with our encryption policy.

All encryption of data residing in Lyra’s AWS environment follows a minimum standard of TLS 1.2 (in transit) and AES-256 (at rest). Encryption is implemented and enforced at all layers (database, application servers, and web servers) through AWS’ Key Management Service (KMS). All customer data is encrypted in our database using customer-specific encryption keys.

Network security

Lyra implements Web Application Firewall (WAF) rules, network ACLs, and Security Groups within AWS to logically segment its networks (VPCs) and ensure that the sensitive systems and data within them remain secure. The network level firewalls (AWS Security Groups) deny all access by default and only allow traffic that has been authorized and configured by DevOps Engineers. Systems used for the storage or processing of sensitive data are isolated in private networks (VPCs), which are only accessible to authorized personnel through Lyra’s corporate VPN.

The corporate wireless network available in Lyra’s office utilizes WPA2 and requires employees to sign in using their Lyra-provided Google account credentials before accessing. Lyra’s wireless network is entirely separated from all production networks within AWS.

Endpoint protection

Lyra deploys Crowdstrike Falcon as its antivirus/anti-malware solution for all managed workstations. Additionally, privilege management and application denylisting are implemented on all managed workstations to ensure that employees do not have local administrator privileges and are only allowed to install and run pre-approved applications. Lyra deploys a corporate MDM on all BYOD mobile devices to ensure that a minimum device security baseline (encryption, passcode/lock screen requirements, isolation of corporate data, and remote wipe) is enforced. Lyra prohibits the use of jailbroken mobile devices or installation of software from unofficial app stores and enforces these requirements.

Passwords

Lyra requires that all employee passwords are at least eight characters and contain an uppercase letter, lowercase letter, number, and special character. Standard user account passwords are rotated every 90 days. Employees who require access to Lyra’s AWS environment are issued a separate AWS user account with a password that adheres to the same complexity requirements, but is rotated every 60 days. Lyra’s Security team monitors password use within the organization and receives automated alerts for potential weak or compromised passwords.

Lyra implements a password-protected screen saver on all managed workstations, which goes into effect after five minutes of inactivity.

Employees are prohibited from sharing their user account passwords. Lyra utilizes an enterprise password management system to ensure that employees can easily create unique and complex passwords across all their accounts and securely store them in an encrypted state.

Identity and access management

Lyra follows the principles of least privilege, role-based assignment, and need-to-know when provisioning network and application access. All access requests (whether for onboarding, role changes, or offboarding) are tracked, reviewed, and approved using Lyra’s internal ticketing system. The Security team reviews all access requests to ensure that they meet our security standards. Key administrative access is limited only to authorized personnel and is reviewed on a monthly basis by the Security team. Service accounts are used only when necessary to fulfill a defined business or operational requirement and are scoped with the minimum amount of privileges necessary for their purpose.

Authentication

Lyra ensures that all employee user accounts have multi-factor authentication (MFA) enabled. Access to Lyra’s production environments in AWS requires MFA in the form of either an app-generated software token or a physical token, such as a YubiKey. Additionally, direct administrative access to systems containing sensitive information is restricted only to authorized users who are also connected to Lyra’s corporate VPN.

Lyra also utilizes single sign-on (SSO) functionality through Google Sign-In to ensure that Lyra’s authentication standards are met whenever an employee authenticates to a corporate app or service.

Data loss prevention

Monitoring and technical controls for data loss prevention are in place across Lyra’s communication and collaboration platforms to ensure that sensitive information is encrypted and made available only to authorized parties. Lyra prohibits the use of portable media (USB devices) by policy and enforces this through configuration management applied to all managed workstations.

Physical security

Lyra offices

Lyra takes a layered approach to enforcing physical security and access to its offices. All entry to Lyra’s offices requires badge access or having checked in as a visitor, and visitors must be escorted by authorized personnel once inside our facilities. Access to critical resources such as office network devices and computer inventory is further restricted to separate locked rooms which only key authorized employees may enter. Additionally, all employees adhere to a clean desk policy while inside Lyra’s offices.

AWS

Amazon ensures that physical access to its data centers and facilities housing AWS customer infrastructure components is properly secured and restricted only to authorized personnel. For more information regarding the physical security of AWS data centers, please refer to the following documentation from AWS.

Security operations

Vulnerability management

Lyra utilizes AWS services such as GuardDuty, Inspector, and Trusted Advisor to continuously monitor for vulnerabilities in our Production environment. Additionally, the Security and DevOps teams perform monthly vulnerability scans to proactively identify and remediate vulnerabilities. Any vulnerabilities that are identified are remediated in a timely manner as defined in Lyra’s formal Vulnerability Management policy.

Patch management

Lyra ensures that managed systems are deployed with a hardened security baseline configuration and are regularly updated to protect against emerging threats and vulnerabilities. In cases where an out-of-band patch is required to address a critical vulnerability, the Security team works with system owners and users to ensure that patching is performed with the appropriate urgency.

Change management

Lyra has implemented a formal change management process across all aspects of system maintenance and development. Changes are individually requested, reviewed, and tracked using Lyra’s internal ticketing system to ensure that all changes are validated prior to implementation. Changes must receive independent management approval and include rollback strategies where appropriate.

Separation of duties

Across all teams in the organization, Lyra ensures that a separation of duties is followed in order to minimize the opportunity for unauthorized or unintended access or modification of Lyra systems and data.

Asset management

Lyra utilizes a combination of asset management systems in order to track the provisioning and use of all systems used to interact with Lyra data (such as Lyra managed-workstations, servers, and BYOD mobile devices). The Security team, in conjunction with TechOps, regularly reviews the content and status of these management systems to ensure that all devices are authorized for use and compliant with Lyra’s system security standards.

Incident management

Detection and response

Lyra implements log monitoring and alerting solutions across all networks, systems, and services within its environment in order to detect and respond to potential security incidents in a timely manner. Alerts are regularly reviewed by the Security team and escalated or re-assigned to additional personnel when appropriate.

Lyra’s Incident Management policy has been developed for compliance with HIPAA regulations and the requirements issued through HITRUST CSF. The Security team reviews Lyra’s Incident Management policy, and additional incident playbooks, on an annual basis to ensure that the organization’s response strategy remains current.

In the event of a security breach (as defined by HIPAA), Lyra will appropriately notify affected parties and follow the requirements of all applicable laws and regulations.

Business continuity

Lyra has implemented a comprehensive disaster preparedness policy and procedures to address potential natural disasters and ensure that all significant business activities (financial functions, telecommunication services, data processing, and network services) are highly available. The Security team ensures that copies of these documents are distributed to key contingency personnel. Lyra conducts an annual company-wide training (and also during new hire onboarding) to ensure that employees are aware of the procedures in place to support continued operations in the event of a natural disaster.

Lyra utilizes a location-independent work environment and as a result, classic location-based disaster scenarios requiring relocation to an alternate space are not directly applicable. As such, Lyra’s documentation and testing procedures around business continuity are focused on maintaining the delivery of Lyra’s customer-facing product and services.

Risk management

Organizational risk management

Lyra has developed and implemented a formal policy and procedures around risk management in order to effectively identify, assess, and reduce organizational risk. The Security and Legal teams conduct annual risk assessments to evaluate both existing and potential risks and put in place appropriate corrective measures. Corrective action plans are then formalized and assigned to responsible personnel for implementation and tracked on an ongoing basis by the Security team.

Vendor risk management

Lyra is committed to maintaining a high standard of supply-chain security and has implemented a formal security assessment process for all third-party vendors prior to the use of their services. The Security team ensures that third parties complete a standard security questionnaire and provide all relevant security-specific documentation and attestation. Assessment findings are then formally documented and requests for corrective action (where necessary) are shared with the vendor and addressed prior to their onboarding.