At Lyra Health, security is a consideration in everything we do. Our commitment to security gives our customers, members, and clients peace of mind knowing that their information is treated with the highest respect and given the protection it deserves.
Lyra ensures that all Protected Health Information (PHI) under its care is securely transmitted, retained, processed, and disposed of in compliance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Furthermore, Lyra implements privacy-focused processes and controls to ensure compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act of 2020 (CPRA).
Lyra undergoes annual audits to maintain compliance with the HITRUST Common Security Framework (CSF). HITRUST CSF is an integration of security and privacy regulations and standards at federal and state levels into one framework that incorporates standards defined in HIPAA, HITECH, NIST, ISO, PCI, FTC, and COBIT. It was designed through a collaboration between the health care industry and information security professionals. This prescriptive framework accommodates both risk and compliance.
Lyra works with reputable third-party firms to conduct annual external penetration tests on Lyra’s web application. All findings are addressed in accordance with Lyra’s formally documented Vulnerability Management policy. Lyra can provide a letter of attestation from the external firm for its most recent penetration test upon request.
The Security team at Lyra consists of the Director of Security, who is responsible for all aspects of security within the organization, and multiple Security Analysts, responsible for information gathering and performing day-to-day security-related activities. Lyra’s Security team implements both organizational measures (policies, procedures, processes, and training/education) and technical controls (infrastructure and endpoint security, physical security, security operations, vulnerability management, incident management, and risk management) to protect Lyra systems, data, employees, and customers. The Security team works alongside internal stakeholders, such as Legal, Engineering, and DevOps teams to ensure that all implemented measures are compliant with the requirements of HIPAA and other applicable federal and state regulations.
Lyra’s Security team creates, updates, and publishes policies and procedures for all aspects of its security program, which are available to all employees through Lyra’s internal wiki platform. Upon hire, employees must review and sign Lyra’s Employee Handbook, which defines the terms of Acceptable Use that all employees must follow. Any employee who violates Lyra’s Employee Handbook or security policies is subject to disciplinary action, up to and including termination of employment, as defined in Lyra’s Sanctions Policy.
Lyra’s People Operations team conducts background checks for all employees prior to their onboarding. This check includes both reference verification and a criminal screening.
Employees undergo annual security awareness training led by our Director of Security and Privacy Officer, and receive HIPAA-specific security and privacy training during onboarding. Lyra’s Security team also regularly provides company-wide security alerts and notifications to ensure that all employees are aware of important security practices and emerging risks.
Software development practices at Lyra are geared toward producing performant, secure, and maintainable code. Code reviews are performed prior to each deployment for both knowledge sharing and ensuring code quality. Specific aspects covered during internal code reviews include:
The Director of Security authorizes only a restricted set of people to update the operational software, applications, and program libraries. Vendor-supplied software used in operational systems is maintained at a supplier-supported level. Applications and operating systems are tested for usability, security, and impact prior to production deployment. Lyra maintains documentation of all implemented applications and systems and ensures that prior versions are archived. Additionally, Lyra utilizes tools such as web application firewalls and static bytecode analysis to protect its applications from common web exploits and risks such as the OWASP Top 10.
Lyra’s Security and DevOps teams work closely together to ensure that all systems and services delivered through AWS are securely managed. Lyra follows recommended configurations as defined in AWS’ Well-Architected Framework for all AWS resources. We utilize AWS features such as GuardDuty, Inspector, IAM Access Analyzer, and Security Hub to aid in detecting and responding to anomalous events, misconfigurations, and emerging threats. Investigations, remediations, and corrective action plans are formally documented and tracked using our internal ticketing system.
Lyra enforces full-disk encryption (Apple FileVault) on all managed laptops through enterprise management software and device encryption on all BYOD mobile devices through mobile device management (MDM). Lyra’s Security team and IT Administrators use continuous monitoring to ensure that devices remain in compliance with our encryption policy.
Data residing in Lyra’s AWS environment is encrypted to a minimum standard of TLS 1.2 in transit and AES-256 at rest. Encryption is implemented and enforced at all layers (database, application servers, and web servers), with keys managed through AWS’ Key Management Service (KMS). All customer data is encrypted in our database using customer-specific encryption keys.
Lyra implements Web Application Firewall (WAF) rules, network ACLs, and Security Groups within AWS to logically segment its networks (VPCs) and ensure that the sensitive systems and data within them remain secure. The network-level firewalls (AWS Security Groups) deny all access by default and allow only traffic that has been authorized and configured by DevOps Engineers. Systems used for the storage or processing of sensitive data are isolated in private networks (VPCs), which are accessible only to authorized personnel through Lyra’s corporate VPN.
The corporate wireless network available in Lyra’s office utilizes WPA2 and requires employees to sign in using their Lyra-provided Google account credentials before gaining access. Lyra’s wireless network is entirely separated from all production networks within AWS.
Lyra deploys CrowdStrike Falcon as its antivirus/anti-malware solution for all managed workstations. Additionally, privilege management and application denylisting are implemented on all managed workstations to ensure that employees do not have local administrator privileges and are only allowed to install and run pre-approved applications. Lyra deploys a corporate MDM on all BYOD mobile devices to ensure that a minimum device security baseline (encryption, passcode/lock screen requirements, isolation of corporate data, and remote wipe) is enforced. Lyra prohibits the use of jailbroken mobile devices and the installation of software from unofficial app stores, and enforces these requirements through the MDM.
Lyra requires that all employee passwords are at least eight characters long and contain an uppercase letter, a lowercase letter, a number, and a special character. Standard user account passwords are rotated every 90 days. Employees who require access to Lyra’s AWS environment are issued a separate AWS user account with a password that adheres to the same complexity requirements but is rotated every 60 days. Lyra’s Security team monitors password use within the organization and receives automated alerts for potentially weak or compromised passwords.
Lyra implements a password-protected screen saver on all managed workstations, which goes into effect after five minutes of inactivity.
Employees are prohibited from sharing their user account passwords. Lyra utilizes an enterprise password management system to ensure that employees can easily create unique and complex passwords across all their accounts and securely store them in an encrypted state.
Lyra follows the principles of least privilege, role-based assignment, and need-to-know when provisioning network and application access. All access requests (whether for onboarding, role changes, or offboarding) are tracked, reviewed, and approved using Lyra’s internal ticketing system. The Security team reviews all access requests to ensure that they meet our security standards. Key administrative access is limited to authorized personnel and is reviewed on a monthly basis by the Security team. Service accounts are used only when necessary to fulfill a defined business or operational requirement and are scoped with the minimum privileges necessary for their purpose.
Lyra ensures that all employee user accounts have multi-factor authentication (MFA) enabled. Access to Lyra’s production environments in AWS requires MFA in the form of either an app-generated software token or a physical token, such as a YubiKey. Additionally, direct administrative access to systems containing sensitive information is restricted to authorized users who are also connected to Lyra’s corporate VPN.
Lyra also utilizes single sign-on (SSO) functionality through Google Sign-In to ensure that Lyra’s authentication standards are met whenever an employee authenticates to a corporate app or service.
Monitoring and technical controls for data loss prevention are in place across Lyra’s communication and collaboration platforms to ensure that sensitive information is encrypted and made available only to authorized parties. Lyra prohibits the use of portable media (USB devices) by policy and enforces this through configuration management applied to all managed workstations.
Lyra takes a layered approach to enforcing physical security and access to its offices. All entry to Lyra’s offices requires badge access or checking in as a visitor, and visitors must be escorted by authorized personnel once inside our facilities. Access to critical resources such as office network devices and computer inventory is further restricted to separate locked rooms that only designated authorized employees may enter. Additionally, all employees adhere to a clean desk policy while inside Lyra’s offices.
Amazon ensures that physical access to its data centers and facilities housing AWS customer infrastructure components is properly secured and restricted to authorized personnel. For more information regarding the physical security of AWS data centers, please refer to the following documentation from AWS.
Lyra utilizes AWS services such as GuardDuty, Inspector, and Trusted Advisor to continuously monitor for vulnerabilities in our Production environment. Additionally, the Security and DevOps teams perform monthly vulnerability scans to proactively identify and remediate vulnerabilities. Any vulnerabilities that are identified are remediated in a timely manner as defined in Lyra’s formal Vulnerability Management policy.
Lyra ensures that managed systems are deployed with a hardened security baseline configuration and are regularly updated to protect against emerging threats and vulnerabilities. In cases where an out-of-band patch is required to address a critical vulnerability, the Security team works with system owners and users to ensure that patching is performed with the appropriate urgency.
Lyra has implemented a formal change management process across all aspects of system maintenance and development. Changes are individually requested, reviewed, and tracked using Lyra’s internal ticketing system to ensure that all changes are validated prior to implementation. Changes must receive independent management approval and include rollback strategies where appropriate.
Across all teams in the organization, Lyra ensures that a separation of duties is followed in order to minimize the opportunity for unauthorized or unintended access or modification of Lyra systems and data.
Lyra utilizes a combination of asset management systems to track the provisioning and use of all systems used to interact with Lyra data (such as Lyra-managed workstations, servers, and BYOD mobile devices). The Security team, in conjunction with TechOps, regularly reviews the content and status of these management systems to ensure that all devices are authorized for use and compliant with Lyra’s system security standards.
Lyra implements log monitoring and alerting solutions across all networks, systems, and services within its environment in order to detect and respond to potential security incidents in a timely manner. Alerts are regularly reviewed by the Security team and escalated or re-assigned to additional personnel when appropriate.
Lyra’s Incident Management policy has been developed for compliance with HIPAA regulations and the requirements issued through HITRUST CSF. The Security team reviews Lyra’s Incident Management policy, and additional incident playbooks, on an annual basis to ensure that the organization’s response strategy remains current.
In the event of a security breach (as defined by HIPAA), Lyra will appropriately notify affected parties and follow the requirements of all applicable laws and regulations.
Lyra has implemented a comprehensive disaster preparedness policy and procedures to address potential natural disasters and ensure that all significant business activities (financial functions, telecommunication services, data processing, and network services) are highly available. The Security team ensures that copies of these documents are distributed to key contingency personnel. Lyra conducts company-wide training annually, and during new-hire onboarding, to ensure that employees are aware of the procedures in place to support continued operations in the event of a natural disaster.
Lyra utilizes a location-independent work environment, and as a result, classic location-based disaster scenarios requiring relocation to an alternate space are not directly applicable. As such, Lyra’s documentation and testing procedures around business continuity are focused on maintaining the delivery of Lyra’s customer-facing product and services.
Lyra has developed and implemented a formal policy and procedures around risk management in order to effectively identify, assess, and reduce organizational risk. The Security and Legal teams conduct annual risk assessments to evaluate both existing and potential risks and put in place appropriate corrective measures. Corrective action plans are then formalized and assigned to responsible personnel for implementation and tracked on an ongoing basis by the Security team.
Lyra is committed to maintaining a high standard of supply-chain security and has implemented a formal security assessment process for all third-party vendors prior to the use of their services. The Security team ensures that third parties complete a standard security questionnaire and provide all relevant security-specific documentation and attestation. Assessment findings are then formally documented and requests for corrective action (where necessary) are shared with the vendor and addressed prior to their onboarding.
No. Unlike SaaS offerings, there are no software or per-seat licenses, there is no application or thin-client that needs to be installed, and there is no administration portal or other elevated user roles.
Our customer companies (or their designated human resources provider) send us what is known as an eligibility file, which includes details about who is covered under their program and is thus eligible to use Lyra Health services.
Yes, we treat all customer data as highly sensitive and take every precaution to keep it safe.
All data is stored within our AWS environment. This includes all data provided by our customers, as well as data provided by our members and clients that are covered by those customers.
All data is stored within our production VPC, which is isolated from the internet as well as from any other environment. We encrypt all data by default. While data is in transit at any point in its lifecycle, it is, at minimum, encrypted using TLS 1.2. We also use AES-256 encryption for data at rest and in use. All data is encrypted at the database level as well as the application server level. All customer data is logically separated within our database and encrypted using customer-specific keys that are managed using AWS KMS.
Access to data is very tightly restricted and is granted only on a verifiable need-to-know basis, and then in accordance with the principle of minimum required privilege. Some teams, such as our care team, need access in order to provide help and support to our members when necessary.
Access to any data is granted on an individual basis after establishing business requirement justification. All access to data is controlled via VPN.
Yes. We utilize multiple availability zones within our primary AWS region, providing redundancy for our production services. We also have a backup environment in a physically distant, separate AWS region. Additionally, we have a location-independent work model. If a physical, environmental, or other event prevents us from working within our offices, all personnel are equipped and trained to work remotely with no interruption in their ability to provide services and complete tasks. During the COVID-19 pandemic in 2020, we experienced no downtime in any capacity.
We do not. We do require clients to have a payment card on file; however, we utilize Stripe for all payment card information storage and transactions.