Information security

Information security is fundamental to HeartAI development and operations. HeartAI deploys to a variety of environments, including South Australian Government digital networks, where there are important responsibilities and obligations for the management of information. Within the South Australian health system context this also includes the management of potentially sensitive information. HeartAI takes the management of this information very seriously and has implemented a suite of security controls to ensure that this information is appropriately maintained.

HeartAI information security controls provide a range of organisational, operational, and technical constructs to ensure the ongoing rigour of platform components and operations. These controls address security best practices, with particular focus on the concerns of the confidentiality, integrity, and availability (CIA) framework. These are:

  • Confidentiality. The ability to ensure the privacy of information, such as by restricting information to constrained environments and providing appropriate encryption for information at rest and moving between environments. Access to information should be restricted to users with corresponding permissions, assigned as the minimum necessary for the user’s role and remit. There should be further functionality to securely remove information and generally provide strong controls over the access scope and self-administration of corresponding confidential information.
  • Integrity. Controls that ensure information is as expected and free of tampering. This should include mechanisms to audit information modification and to provide technical guarantees for non-repudiation. These are further supported by processes that detect unusual information access and modification, such as abnormal pattern detection and behavioural profiling. Information should be recoverable with robust mechanisms for disaster recovery and backup capabilities.
  • Availability. Constructs that ensure platform components and operational processes are highly-available and resilient to error or failure states. This should include mechanisms to replicate and distribute platform components and provide a degree of separation between platform environments.

Policy

  1. Overview
    1.1. HeartAI takes information security very seriously. HeartAI operates in a variety of complex environments including South Australian Government digital networks, where there are important responsibilities and obligations for the management of information. Within the South Australian health system context this also includes the management of potentially sensitive information.
    1.2. HeartAI provides a range of information security controls that implement best-practice security concerns. This includes controls that address confidentiality, integrity, and availability.
  2. Confidentiality of information
    2.1. Confidentiality of information refers to the ability to ensure the privacy of information. This includes restricted access to information and the ability to securely remove information.
    2.2. HeartAI provides a range of information security controls to ensure confidentiality of information. These include:
    2.2.1. A strong identity and access management framework that restricts access to information on the basis of platform identity. This framework is implemented with a minimum-necessary permissions paradigm.
    2.2.2. Separation between platform environments such that confidential information is not unnecessarily exposed.
    2.2.3. Broad application of encryption and cryptographic methods, including encryption at the network edge and across internal HeartAI environments.
    2.2.4. Secure information removal capabilities that utilise entropy overwriting and secure removal of cryptographic keys.
  3. Integrity of information
    3.1. Integrity of information refers to the ability to ensure that information is as expected and devoid of tampering. This should include mechanisms to audit information and provide technical guarantees for non-repudiation.
    3.2. HeartAI provides a range of information security controls to ensure integrity of information. These include:
    3.2.1. Identity and access control mechanisms that restrict access to information, such that only users or service principals with the corresponding permissions have the ability to modify information.
    3.2.2. Logging, monitoring, and observability capabilities that record how information is modified, with supporting capability to audit retrospective information interactions. These capabilities are aligned to platform identity and provide a well-defined history of information modification.
    3.2.3. Platform information stores that support backup and disaster recovery. This includes retention of data and logging stores. Data servers are typically retained for 7 days. Logging stores are typically retained for 6 months.
  4. Availability of information
    4.1. Availability of information refers to the ability to ensure that information is highly-available and resilient to error or failure states. This should include mechanisms to replicate and distribute platform components and provide a degree of separation between platform environments.
    4.2. HeartAI supports information availability with a range of information security controls. These include:
    4.2.1. Natively replicated and distributed platform components that apply best-practice cloud and systems practices. Platform components are often multiply replicated and highly available, ensuring a high degree of service uptime and resilience to error and failure states.
    4.2.2. Broad logging, monitoring, and observability to continuously assess platform operations. These are further extended with alerting systems that provide rapid notice of unusual platform state, such as resource contention or abnormal pattern detection.
    4.2.3. Automated roll-forward and roll-back deployment paradigms that enable platform components to be deployed with zero downtime.
    4.2.4. Extensive testing integration to ensure that platform components operate as expected before deployment to corresponding environments.
  5. In relation to the ongoing review of this policy:
    5.1. This policy should be reviewed at least every 5 months. This review should assess the appropriateness of the existing policy, and should propose any modifications or extensions to the policy where needed.
    5.2. Modifications or extensions to this policy should be reviewed and approved by corresponding governing authorities.
    5.3. This policy welcomes suggestions and feedback.
  6. In relation to the governance and compliance of this policy:
    6.1. This policy must be understood and agreed to by HeartAI administrators and developers before the approval of access to HeartAI platform components.
    6.2. Where this policy does not provide a specification to, or conflicts with, a mandated SA Health or SA Government policy, the existing SA Health or SA Government policy will take precedence. HeartAI administrators will resolve policy deficits by approved modification or extension to HeartAI policy.
    6.3. HeartAI administrators are responsible for ensuring that this policy is compliant with SA Health and SA Government policies.