Cloud security

Legislative compliance

The HeartAI system must comply with the following legislative requirements:

• Australian Privacy Principles
• Privacy Act 1988.

Policy compliance

In additional to legislative requirements, the HeartAI system aligns with the following policies:

• South Australian Cyber Security Framework (SACSF)
• South Australian Information Classification System

The following policy directives are within the jurisdiction of SA Health:

• SA Health Information Classification System Policy Directive
• Digital Health SA Information Security Policy Directive
• Digital Health SA Information Security Management Framework
• Digital Health SA Information Asset Classification
• Digital Health SA Security Impact Assessment

Reference specifications

The HeartAI system security posture endeavours to align to best practice regulations and guidelines, including:

• ISO/IEC 27000-series
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA).
• CIS Microsoft Azure Foundations Benchmark

Management of sensitive information

HeartAI is approved to store medical information that is classified at a level of OFFICIAL: Sensitive. The security and rigour of privacy and confidentiality is taken very seriously.

Azure Database for PostgreSQL

The HeartAI instance of Azure Database for PostgreSQL implements the following security considerations:

• Enforced TLS: All data in-transit is encrypted with enforced TLS. The minimum TLS version required is TLS 1.2.
• Encryption at-rest: PostgreSQL servers use the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. Data, including backups, are encrypted on disk, including the temporary files created while running queries. The cipher uses AES with 256-bit key strength. Storage encryption is always enforced.
• Private link: HeartAI instances of Azure Database for PostgreSQL integrate with Azure Private Link, such that network communication occurs privately over the Microsoft backbone network.