Our commitment to security
Security is a consideration in everything we do at Lyra Health. We treat it with the highest respect and give it the protection it deserves for our customers, members, and clients.

Who We Are
Lyra’s mission is to transform access to life-changing mental health care. Lyra blends the best providers, advanced technology, and a steadfast commitment to quality care for all. Worldwide, 970 million people are living with mental health issues. The biggest hurdle isn’t treatment—it’s access. Lyra’s co-founder and board chairman, David Ebersman, left his job as Meta’s chief financial officer in 2014 to tackle the problem by making it easier to find care and get treatment. More than 300 leading companies have partnered to offer Lyra’s mental health benefits to their employees, including Meta, Pinterest, and Starbucks, giving more than 17 million people access to life-changing care. To learn more, visit lyrahealth.com.
Service Overview
Lyra delivers evidence-based mental health care that boosts employee well-being and drives business impact.
We offer the most comprehensive and effective global workforce mental health benefit, supporting the full spectrum of mental health care needs for employees and their families. Through AI-powered provider matching, personalized support, and a digital platform, every member gets fast access to the right care for their needs, when, where, and how they want it.
Lyra’s premium provider network, evidence-based therapies, and comprehensive care mean more people get better faster and stay better longer. And when employees’ lives improve, companies save, thanks to lower turnover, improved productivity, and lower medical spending. Extensive peer-reviewed published research confirms that Lyra’s transformative care model helps people recover twice as fast and delivers a 26% reduction in overall health care claims costs for participants annually.
Compliance
HIPAA and CCPA
Lyra ensures that all Protected Health Information (PHI) under its care is securely transmitted, retained, processed, and disposed of in compliance with HIPAA requirements. Furthermore, Lyra implements privacy-focused processes and controls to ensure compliance with CCPA and CPRA.
HITRUST Common Security Framework (CSF)
Lyra undergoes annual audits to maintain compliance with the HITRUST Common Security Framework (CSF). HITRUST CSF integrates security and privacy regulations and standards at the federal and state levels into one framework that incorporates standards defined in HIPAA, HITECH, NIST, ISO, PCI, FTC, and COBIT. It was designed through a collaboration between the healthcare industry and information security professionals. This prescriptive framework addresses both risk and compliance.
Third-Party Penetration Tests
Lyra works with reputable third-party firms to conduct annual external penetration tests on Lyra’s web application. All findings are addressed in accordance with Lyra’s formally documented Vulnerability Management policy. Lyra can provide a letter of attestation from the external firm for its most recent penetration test upon request.
Certifications



Trust Pages
To access our latest certifications and compliance documents, simply click on any of the following pages to submit a request.
Organizational Security
Security Team
The Security team at Lyra Health consists of the Head of Security, who is responsible for all aspects of security within the organization, and five Security Analysts, responsible for information gathering and performing day-to-day security-related activities. Lyra’s Security team implements both organizational measures (policies, procedures, processes, training/education) and technical controls (infrastructure & endpoint security, physical security, security operations, vulnerability management, incident management, risk management) to protect Lyra systems, data, employees, and customers. The Security team works alongside internal stakeholders, such as Legal, Engineering, and DevOps teams to ensure that all implemented measures are compliant with the requirements of HIPAA and other applicable federal and state regulations.
Privacy
Lyra takes the responsibility of safeguarding the data under its care very seriously. Our Privacy Policy is regularly updated to address changes in company policy and the requirements of federal and state regulations, such as HIPAA & CCPA, with which Lyra complies. Please visit: https://www.lyrahealth.com/privacy-policy/ to review our Privacy Policy in detail.
Policies and Procedures
Lyra’s Security Team creates, updates, and publishes policies and procedures for all aspects of its security program, which are available to all employees through Lyra’s internal wiki platform. Upon hire, employees must review and sign Lyra’s Employee Handbook, which defines the terms of Acceptable Use that all employees must follow. Any employee who violates Lyra’s Employee Handbook or security policies is subject to disciplinary action, up to and including termination of employment, as defined in Lyra’s Sanctions Policy.
Background Checks
Lyra’s People Operations team conducts background checks for all employees prior to their onboarding. This check includes both reference verification and a criminal screening.
Security Awareness Training
Employees undergo annual security awareness training led by our Head of Security and Privacy Officer and additionally receive HIPAA-specific security & privacy training during onboarding. Lyra’s Security team also regularly provides company-wide security alerts and notifications to ensure that all employees are aware of important security practices and emerging risks.
Infrastructure and Endpoint Security
Application Security
Lyra’s software development practices focus on producing efficient, secure, and maintainable code. Code reviews are conducted before deployment to share knowledge and ensure code quality, including modularity, code reuse, error handling, naming conventions, secure coding, comments, unit test coverage, and keeping sensitive information out of the code repository.
Access to update operational software is restricted by the Head of Security. Vendor software is maintained to supplier standards. Applications and operating systems are tested before release to production. Documentation is maintained and prior versions are archived. Tools such as web application firewalls and static bytecode analysis protect applications from common web exploits and risks.
Secure Development
Lyra ensures that we follow industry best practices in developing applications. The security team defines the security controls related to information in application services. Lyra utilizes separate production and development environments. All changes go through a formal change management and quality assurance testing process before deployment to production. Additionally, all engineers periodically review the OWASP Top 10.
Cloud Security
Lyra’s Security & DevOps teams work closely together to ensure that all systems & services delivered through AWS are securely managed. Lyra follows recommended configurations as defined in AWS’ Well-Architected Framework for all AWS resources. We utilize AWS features such as GuardDuty, Inspector, IAM Access Analyzer, and Security Hub to aid in detecting and responding to anomalous events, misconfigurations, and emerging threats. Investigations, remediations, and corrective action plans are formally documented and tracked using our internal ticketing system.
Encryption
Lyra enforces full-disk encryption on all managed laptops through enterprise management software and device encryption on all BYOD mobile devices through mobile device management (MDM). Lyra’s Security team & IT Administrators use continuous monitoring to ensure that devices remain in compliance with our encryption policy.
All encryption of data residing in Lyra’s AWS environment follows a minimum standard of TLS 1.2 (in transit) and AES-256 (at rest). Encryption is implemented and enforced at all layers (database, application servers, web servers) through AWS’ Key Management Service (KMS). All customer data is encrypted in our database using customer specific encryption keys.
Network Security
Lyra implements Web Application Firewall (WAF) rules, network ACLs, and Security Groups within AWS to logically segment its networks (VPCs) and ensure that the sensitive systems and data within them remain secure. The network-level firewalls deny all access by default and only allow traffic that has been authorized and configured by DevOps Engineers. Systems used for the storage or processing of sensitive data are isolated in private networks (VPCs), which are only accessible to authorized personnel through Lyra’s corporate ZTNA.
The corporate wireless network available in Lyra’s office uses WPA2 and requires employees to sign in using their Lyra-provided Google account credentials before accessing it. Lyra’s wireless network is entirely separated from all production networks within AWS.
Endpoint Protection
Lyra deploys enterprise EDP solutions for all managed workstations. Additionally, privilege management & application denylisting are implemented on all managed workstations to ensure that employees do not have local administrator privileges and are only allowed to install and run pre-approved applications. Lyra deploys a corporate MDM on all BYOD mobile devices to ensure that a minimum device security baseline (encryption, passcode/lock screen requirements, isolation of corporate data, remote wipe) is enforced. Lyra prohibits the use of jailbroken mobile devices or installation of software from unofficial app stores and enforces these requirements.
Passwords
Lyra requires that all employee passwords be at least 12 characters long and contain an uppercase letter, a lowercase letter, a number, and a special character. Standard user account passwords are rotated every 180 days. Lyra’s Security team monitors password use within the organization and receives automated alerts for potentially weak or compromised passwords.
Lyra implements a password-protected screen saver on all managed workstations that activates after 5 minutes of inactivity.
Employees are prohibited from sharing their user account passwords. Lyra utilizes an enterprise password management system to ensure that employees can easily create unique and complex passwords across all their accounts and securely store them in an encrypted state.
Identity and Access Management
Lyra follows the principles of least privilege, role based assignment, and need-to-know when provisioning network and application access. All access requests (whether for onboarding, role changes, or offboarding) are tracked, reviewed, and approved using Lyra’s internal ticketing system. Key administrative access is limited only to authorized personnel and is reviewed on a monthly basis by the Security team.
Authentication
Lyra ensures that all employee user accounts have multi-factor authentication (MFA) enabled. Additionally, direct administrative access to systems containing sensitive information is restricted only to authorized users who are also connected to Lyra’s corporate ZTNA.
Data Loss Prevention
Monitoring and technical controls for data loss prevention across Lyra’s communication and collaboration platforms ensure that sensitive information is encrypted and made available only to authorized parties. Lyra prohibits the use of portable media (USB devices) by policy and enforces this through configuration management applied to all managed workstations.
Physical Security
Lyra Offices
Lyra takes a layered approach to enforcing physical security & access to its offices. All entry to Lyra’s offices requires badge access or having checked in as a visitor, and visitors must be escorted by authorized personnel once inside our facilities. Access to critical resources such as office network devices and computer inventory is further restricted to separate locked rooms which only key authorized employees may enter. All employees adhere to a clean desk policy while inside Lyra’s offices.
Security Operations
Vulnerability Management
Lyra utilizes a software-based solution to continuously monitor our internal and external networks and provide alerts for any exploitable vulnerabilities in our Production environment. Any vulnerabilities that are identified are remediated in a timely manner, as defined in Lyra’s formal Vulnerability Management policy.
Patch Management
Lyra ensures that managed systems are deployed with a hardened security baseline configuration and are regularly updated to protect against emerging threats & vulnerabilities. In cases where an out-of-band patch is required to address a critical vulnerability, the Security team works with system owners & users to ensure that patching is performed with the appropriate urgency.
Change Management
Lyra has implemented a formal change management process across all aspects of system maintenance and development. Changes are individually requested, reviewed, and tracked using Lyra’s internal ticketing system to ensure that all changes are validated prior to implementation. Changes must receive independent management approval and include rollback strategies where appropriate.
Separation of Duties
Across all teams in the organization, Lyra ensures that a separation of duties is followed in order to minimize the opportunity for unauthorized or unintended access or modification of Lyra systems & data.
Asset Management
Lyra utilizes a combination of asset management systems to track the provisioning and use of all systems used to interact with Lyra data (such as Lyra-managed workstations, servers, and BYOD mobile devices). The Security team, in conjunction with IT, regularly reviews the content and status of these management systems to ensure that all devices are authorized for use and compliant with Lyra’s system security standards.
Incident Management
Detection & Response
Lyra implements log monitoring & alerting solutions across all networks, systems, and services within its environment in order to detect and respond to potential security incidents in a timely manner. Alerts are regularly reviewed by the Security team and escalated or re-assigned to additional personnel when appropriate.
Lyra’s Incident Management policy has been developed for compliance with HIPAA regulations and the requirements issued through HITRUST CSF. The Security team reviews Lyra’s Incident Management policy, and additional incident playbooks, on an annual basis to ensure that the organization’s response strategy remains current.
Business Continuity
Lyra has implemented a comprehensive disaster preparedness policy and procedures to address potential natural disasters and ensure that all significant business activities (financial functions, telecommunication services, data processing, network services) are highly available. The Security team ensures that copies of these documents are distributed to key contingency personnel. Lyra conducts an annual company-wide training (and also during new hire onboarding) to ensure that employees are aware of the procedures in place to support continued operations in the event of a natural disaster.
Lyra utilizes a location-independent work environment, and as a result, classic location-based disaster scenarios requiring relocation to an alternate space are not directly applicable. As such, Lyra’s documentation and testing procedures around business continuity are focused on maintaining the delivery of Lyra’s customer-facing products and services.
Risk Management
Organizational Risk Management
Lyra has developed and implemented formal policy and procedures around risk management in order to effectively identify, assess, and reduce organizational risk. The Security & Legal teams conduct annual risk assessments to evaluate both existing and potential risks and put in place appropriate corrective measures. Corrective action plans are then formalized and assigned to responsible personnel for implementation and tracked on an ongoing basis by the Security team.
Vendor Risk Management
Lyra is committed to maintaining a high standard of supply-chain security and has implemented a formal security assessment process for all third-party vendors prior to the use of their services. The Security team ensures that third parties complete a standard security questionnaire and provide all relevant security-specific documentation and attestations. Assessment findings are then formally documented, and requests for corrective action (where necessary) are shared with the vendor and addressed prior to onboarding.
Have more questions about Lyra’s security?
Request a demo with our partnership team to learn more