Encryption and cryptography

HeartAI operates in increasingly complex and demanding environments. Through HeartAI engagement with health system organisations, including South Australian government and health organisations such as SA Health and South Australian Local Health Networks, HeartAI maintains responsibility for the management of potentially sensitive information. The appropriate management of this information is taken very seriously. To support the rigorous management of this information, HeartAI implements a variety of security controls, including strong policies and practices for encryption and cryptography. In general, this includes policies to enforce encryption at-rest and in-transit wherever possible, both for network interfaces at HeartAI network edges and for internal transmission within HeartAI network environments. A range of supporting capabilities supports these practices, including automated certificate management, policy-enforcement middleware, and network monitoring metrics for encryption generally.

Policy

  1. Overview
    1.1. HeartAI operates in a complex digital environment. Through engagement with health systems, including South Australian government and health organisations such as SA Health and South Australian Local Health Networks, HeartAI regularly manages and interacts with potentially sensitive information. It is imperative that HeartAI meets its responsibilities and obligations for the management of this information. This should include best-practice approaches to digital security, including strong controls for encryption and cryptography.
    1.2. HeartAI deploys and manages robust platform environments. Within these environments are various points where encryption can be applied. These include network, service, and application endpoints, and infrastructural components such as data and message servers.
    1.3. General end-users typically engage with HeartAI through network, service, and application endpoints at the network edge. These endpoints are particularly sensitive and experience complex traffic patterns and interactions. Strong encryption practices are paramount at these endpoints.
    1.4. In addition to edge network endpoints, HeartAI internal environments can be further secured by broad application of encryption, including encryption across internal endpoints, internal backing services, and persistent storage at-rest.
    1.5. Encryption mechanisms can be additionally supported by management frameworks, such as certificate management frameworks, policy-enforcement middleware, and network monitoring metrics for encryption generally.
    1.6. The implementation of encryption mechanisms should consider principled approaches to cryptography. This should include the understanding and implementation of modern cryptographic protocols, appropriate encryption key strength, and suitable usage of cipher suites.
  2. In relation to the ongoing review of this policy:
    2.1. This policy should be reviewed at least every 6 months. This review should assess the appropriateness of the existing policy, and should propose any modifications or extensions to the policy where needed.
    2.2. Modifications or extensions to this policy should be reviewed and approved by corresponding governing authorities.
    2.3. This policy welcomes suggestions and feedback.
  3. In relation to the governance and compliance of this policy:
    3.1. This policy must be understood and agreed to by HeartAI administrators and developers before the approval of access to HeartAI platform components.
    3.2. Where this policy does not provide a specification for, or conflicts with, a mandated SA Health or SA Government policy, the existing SA Health or SA Government policy will take precedence. HeartAI administrators will resolve policy deficits by approved modification or extension of HeartAI policy.
    3.3. HeartAI administrators are responsible for ensuring that this policy is compliant with SA Health and SA Government policies.