Incident management and business continuity

HeartAI provides operationally-ready services that are expected to impact business and clinical decision-making. To meet these responsibilities and obligations, HeartAI must provide formalised processes for incident management and business continuity. HeartAI will coordinate with clients, partners, and governance authorities to define and manage these processes. These processes should include formal documentation for service provision and engagement, and should maintain robustness across organisational, operational, and technical service delivery. They should also include formalised processes to manage potential incidents, such as service outages and disaster modes, with appropriate responses to manage and recover from these situations both operationally and technically. Procedures for business continuity should be specified and maintained.

The following policy governs HeartAI incident management and business continuity. This includes processes for documentation, appropriate incident response, and disaster recovery.

Policy

  1. Overview
    1.1. HeartAI provides operationally-ready services where there is an expectation that these services will impact business and clinical decision-making. These services should be reliable even in extreme situations of service outages and disaster modes.
    1.2. To ensure that these services are able to meet these responsibilities and obligations, it is imperative that HeartAI provides formalised processes for incident management and business continuity. These processes should provide protocolised pathways to manage incidents and to recover services to an operationally-ready state.
  2. In relation to organisational and administrative governance:
    2.1. HeartAI service delivery and operations should align with, but are not limited to:
      2.1.1. An understanding of administrative and operational responsibilities, and,
      2.1.2. Appropriate assessments of risk, and,
      2.1.3. Clear definitions and documentation for service-level expectations and delivery.
    2.2. In the event of a significant impact to HeartAI service delivery and operations, HeartAI administrators should coordinate with the corresponding organisation(s) and governing authorities to determine an appropriate course of action.
    2.3. HeartAI administrators should ensure that appropriate business continuity plans are in place to support HeartAI service delivery and operations. The extent of these plans should relate to corresponding service and operational requirements.
    2.4. HeartAI service delivery and operations must comply with SA Health and SA Government policies.
  3. In relation to technical governance:
    3.1. HeartAI platform components should provide appropriate monitoring and logging of platform resources. This should include, but is not limited to:
      3.1.1. Changes to platform state, including: modifications to the HeartAI source code repository and modifications to the HeartAI production environment deployment.
      3.1.2. Access control events, including: logins and logouts, authentication and authorisation events, requests for identity or access tokens, processing of identity or access tokens, calls to persistent data stores, and calls to service endpoints.
      3.1.3. System monitoring events, including: resource usage, changes to platform state, alert triggers and event rules, and user-driven eventing.
    3.2. HeartAI platform components must provide mechanisms to detect an abnormal platform state. This should include mechanisms to alert HeartAI administrators that an abnormal state is active or imminent.
    3.3. HeartAI administrators must ensure that appropriate mechanisms are in place to readily respond to incidents. This should include appropriate measures to recover platform components from abnormal states.
    3.4. HeartAI administrators should ensure that HeartAI platform components have an expected level of technical maturity to comply with SA Health and SA Government policies.
    3.5. HeartAI service delivery and operations should be well-managed and documented, and readily available for review and audit.
  4. In relation to the ongoing review of this policy:
    4.1. This policy should be reviewed at least every 6 months. This review should assess the appropriateness of the existing policy, and should propose any modifications or extensions to the policy where needed.
    4.2. Modifications or extensions to this policy should be reviewed and approved by corresponding governing authorities.
    4.3. This policy welcomes suggestions and feedback.
  5. In relation to the governance and compliance of this policy:
    5.1. This policy must be understood and agreed to by HeartAI administrators and developers before the approval of access to HeartAI platform components.
    5.2. Where this policy does not address, or conflicts with, a mandated SA Health or SA Government policy, the existing SA Health or SA Government policy takes precedence. HeartAI administrators will resolve policy deficits by approved modification or extension to HeartAI policy.
    5.3. HeartAI administrators are responsible for ensuring that this policy is compliant with SA Health and SA Government policies.