HeartAI operates in an increasingly complex business and clinical environment with a broad variety of platform components, service engagements, and user experiences. The maintenance of rigorous security in these environments is paramount. In addition, the global threat environment is continually evolving and becoming increasingly sophisticated. It is critical that HeartAI platform components can manage these responsibilities and obligations. To support this, HeartAI can prepare personnel and supporting communities for the secure use of HeartAI services, products, and technologies, and generally ensure that interactions with digital environments are safe and well-governed. This should include a program of security education and awareness, with a focus on fundamental security principles and security best practices, to inform HeartAI users of how they can best prepare for digital experiences.
This policy document provides definitions and specifications for the general education and awareness of HeartAI personnel in addition to engagements with clients, service partners, and governance authorities. The adherence to this policy should guide these parties to engage with HeartAI services, products, and technologies in a way that appropriately informs their interactions and responsibilities.
1.1. HeartAI operates in potentially sensitive and increasingly complex business and clinical environments. There is an imperative for HeartAI platform components, personnel, and supporting communities to be appropriately informed of potential security risks, practices that ensure safe engagement, and changes to the threat and vulnerability landscape.
1.2. HeartAI should provide educational and awareness programs to appropriately prepare all parties for their use of HeartAI services, products, and technologies, particularly corresponding to their intended use case and scope of engagement.
1.3. Additionally, HeartAI should inform these parties of security best practices in general, to encourage ongoing improvement in capability and understanding.
- In relation to the scope of security awareness:
2.1. HeartAI provides environments where a range of platform interactions can occur. For HeartAI administrators and developers, this interaction may include access to internal platform environments, and access to environments that may contain potentially sensitive information. HeartAI end-users and supporting communities may have access to user applications, service endpoints, and general digital environments. HeartAI must have a general understanding of the potential risks, threats, and vulnerabilities these parties may experience during their interaction with these environments, and provide security education and awareness that best prepares these parties for these interactions.
2.2. Security awareness should consider generally:
2.2.1. Development best practices, including minimising exposure to sensitive information and maintenance of minimum necessary permissions.
2.2.2. Secure management, transfer, and disposal of data.
2.2.3. Policies and practices for managing sensitive data.
2.2.4. Typical security threats and vulnerabilities, such as phishing, scams, and social engineering.
2.2.5. Active security alerts and incidents.
- In relation to security education and awareness:
3.1. For HeartAI administrators and developers, HeartAI should ensure that security practices are discussed in an ongoing manner. This should include reviews of development practices at team meetings, documentation of security best practices, appropriate responses to security incidents and risks, and ongoing education through email bulletins and training programs.
3.2. For HeartAI end-users, HeartAI personnel should provide appropriate training and guidance to end-users when they engage with HeartAI services, products, and technologies. This should include the general and specific risks and vulnerabilities that end-users should be aware of when engaging with these services. Documentation should be maintained as a point of reference for HeartAI services, and security awareness should be embedded into documentation and reference manuals. End-users should understand the corresponding contact points in the event of a security incident or enquiry.
- In relation to the ongoing review of this policy:
4.1. This policy should be reviewed at least every 6 months. This review should assess the appropriateness of the existing policy, and should propose any modifications or extensions to the policy where needed.
4.2. Modifications or extensions to this policy should be reviewed and approved by corresponding governing authorities.
4.3. This policy welcomes suggestions and feedback.
- In relation to the governance and compliance of this policy:
5.1. This policy must be understood and agreed to by HeartAI administrators and developers before the approval of access to HeartAI platform components.
5.2. Where this policy does not provide a specification for, or conflicts with, a mandated SA Health or SA Government policy, the existing SA Health or SA Government policy will take precedence. HeartAI administrators will resolve policy deficits by approved modification or extension of HeartAI policy.
5.3. HeartAI administrators are responsible for ensuring that this policy is compliant with SA Health and SA Government policies.