Healthcare is one of the sectors most frequently targeted by ransomware groups globally and in Australia. Medical records command premium prices on criminal markets — they contain identity information, health history, and financial data that together enable identity theft, insurance fraud, and targeted extortion. The 2022 Medibank breach and a string of subsequent incidents affecting smaller healthcare providers have demonstrated that this targeting extends well below the enterprise tier.
Regulatory Framework
Healthcare organisations handling personal health information are subject to the Privacy Act 1988 and the Australian Privacy Principles, the Notifiable Data Breaches scheme, and — for those interacting with the My Health Records system — the My Health Records Act 2012. The My Health Records Act imposes specific obligations around access controls and incident reporting that go beyond general privacy law.
ACSC Healthcare Guidance
The ACSC has published specific guidance for the healthcare sector recognising its elevated risk profile. The guidance recommends Essential Eight implementation as a baseline, with particular emphasis on MFA for all systems accessing patient records, network segmentation isolating clinical systems from administrative networks, and verified backup capability for electronic medical record systems.
Electronic Medical Records and Backup
Electronic medical record systems are often hosted by specialist vendors with proprietary backup arrangements. Healthcare organisations should verify that their EMR vendor's backup capability meets the Essential Eight requirements — specifically that backups are offline or immutable and that restoration has been tested. Vendor contractual arrangements should specify recovery time objectives and backup retention periods.
Does our GP clinic or medical practice need to implement the Essential Eight?
The Essential Eight is the ASD's recommended baseline for all Australian organisations. It is not mandated for GP practices by specific regulation, but the ACSC guidance for healthcare strongly recommends it, and it is increasingly referenced in health sector cyber insurance applications and vendor contracts. Given the sensitivity of the data held, it represents a proportionate minimum baseline.