Identity and access management

HeartAI provides a variety of platform environments and functionalities with the ability to interact with these being dependent on the user’s identity. These identities are managed by an identity management framework that assigns users to varying groups and roles with a corresponding allocation of permissions. This framework is used to constrain user access in alignment with their assigned permissions and is generally intended to operate with a minimum-necessary permissions allocation. HeartAI administrators and developers typically have a greater level of access to internal HeartAI platform environments, such as operational environments, elevated data server access, and logging, monitoring, and observability systems. HeartAI end-user access is often designated for application interaction corresponding to the user’s role and use-case.

HeartAI implements integrated functionality for identity and access management. This includes support for authentication, authorisation, token exchange, identity brokering, identity federation, and multi-factor authentication. Through these approaches HeartAI users are categorised through a role-based access control (RBAC) mechanism. In addition, identity and access management frameworks are further extended by integration with HeartAI logging, monitoring, and observability systems, such that important identity and access event information is recorded and analyses. This includes the recording and auditing of login events, token requests, token rotations, token revocations, failed authentications and authorisations, unusual pattern detection, and behavioural profiling.

Within South Australian health system digital environments, HeartAI supports identity brokering and identity federation with existing identity and access providers. This allows HeartAI to authenticate and authorise users through these existing providers, such as with SA Health Health Active Directory (HAD) identity and service principal accounts. Identity information and corresponding permissions may be issued through brokering or federation from these providers such that existing identity management and credentialing processes are maintained.

Policy

  1. Overview
    1.1. HeartAI provides a variety of platform environments and functionalities with the ability to interact with these being dependent on the user’s identity. These identities are managed by an identity management framework that assigns users to varying groups and roles with a corresponding allocation of permissions.
  2. Identity assignment
    2.1. Within HeartAI environments users are allocated one or more identities on the basis of their assigned roles and operational use cases. The allocation of these identities should correspond to the users organisational remit and should be issued with a minimum-necessary permissions constraint.
    2.2. Identities should provide relevant information about the user appropriate for the environmental context. This may include information such as: email address(es), first and last name, contact details, organisational title and department, group membership, and any other relevant information.
    2.3. Identities should be reviewed in alignment to any potential change of scope. This should include: change of user’s primary details, change of organisational role, and change to organisational structure or policy.
    2.4. Identities should be reviewed routinely. HeartAI recommends that identities are reviewed at least every 12 months.
  3. Access control
    3.1. Access and interaction with HeartAI environments should correspond to information provided by HeartAI identity principals. This should constrain access to these environments on the basis of whether a user’s identity has the required permissions.
    3.2. Assessment of required permissions should include authentication and authorisation of the user’s identity, with strong controls for the secure establishment of these protocols.
  4. Identity and access management
    4.1. For the management of identity accounts and access controls generally, HeartAI provides a variety of frameworks and tooling to ensure that identity and access management follows rigorous and best-practice standards.
    4.2. HeartAI must ensure that identity and access management is suitable for the potentially sensitive health system context. This must include following state and federal level laws, policies, regulations, and compliance standards.
    4.3. HeartAI should endeavour to provide identity and access management that provides modern approaches to authentication, authorisation, identity brokering, identity federation, and multi-factor authentication.
    4.4. Additionally, relevant event information should be gathered and securely stored. This should include information such as login events, token requests, token rotations, token revocations, failed authentications and authorisations, unusual pattern detection, and behavioural profiling.
  5. In relation to the ongoing review of this policy:
    5.1. This policy should be reviewed at least every 6 months. This review should assess the appropriateness of the existing policy, and should propose any modifications or extensions to the policy where needed.
    5.2. Modifications or extensions to this policy should be reviewed and approved by corresponding governing authorities.
    5.3. This policy welcomes suggestions and feedback.
  6. In relation to the governance and compliance of this policy:
    6.1. This policy must be understood and agreed to by HeartAI administrators and developers before the approval of access to HeartAI platform components.
    6.2. Where this policy does not provide a specification to, or conflicts with, a mandated SA Health or SA Government policy, the existing SA Health or SA Government policy will take precedence. HeartAI administrators will resolve policy deficits by approved modification or extension to HeartAI policy.
    6.3. HeartAI administrators are responsible for ensuring that this policy is compliant with SA Health and SA Government policies.