Cyber Security in the Australian Healthcare Sector

Lucas Roe
September 18, 2023


The healthcare sector continues to be the most targeted industry in Australia, accounting for 15% of all data breach notifications in the Office of the Australian Information Commissioner's (OAIC) latest Notifiable Data Breaches report. These attacks can expose sensitive hospital and patient data, with consequences that reach well beyond the affected organisation. With targeted attacks on the rise, it is vital that security professionals in the industry understand their cyber security responsibilities and how those responsibilities are being reshaped by critical infrastructure regulation.

In this blog, we’ll examine the current state of incidents affecting Australian hospitals and healthcare providers, highlight some cyber security challenges security professionals are facing and look at the regulations and guidelines proposed by the Australian Government to help protect the healthcare sector from emerging threats.


According to the Australian Cyber Security Centre (ACSC), cyber attacks on the Australian healthcare industry rose by 84% between 2019 and 2020, and the true number is likely higher. An ongoing challenge is that these attacks are often difficult for hospitals and their technology service providers to detect: many involve long-lived persistence, with threat actors taking their time to explore systems and data in support of their objectives.

One of the most serious recent examples was an incident affecting an Australian health insurance provider in 2022. Threat actors demanded a $10 million ransom for the sensitive patient information they had stolen. With almost 10 million customers impacted, the breach was a huge wake-up call, showing the dire need for an overhaul of information and privacy protections in the industry.


The healthcare sector is a lucrative target for threat actors because of the wealth of valuable data held in its systems and applications, from confidential patient records to market-sensitive financial data. Securing personal and sensitive data is only one of many challenges security professionals face daily. Other key cyber security challenges in healthcare include:

  • End-of-Life Systems - end-of-life systems such as networked medical equipment and clinical workstations remain in service at many healthcare organisations because of the cost and complexity of replacing them. These systems no longer receive security patches, often carry outdated, weak or non-existent security controls, and are more susceptible to exploitation.
  • Compromised Third and Fourth Parties - healthcare organisations collaborate with many third-party vendors and partners, such as medical device manufacturers, insurance providers and research institutions, and those partners have suppliers of their own. Because these parties store, process or transmit sensitive patient data, or support critical healthcare services, a compromise at any of them gives a threat actor a point of leverage into the healthcare organisation or a way to disrupt its services.
  • Hybrid Cloud Threats - as more healthcare organisations consume cloud services, the shared responsibility model for those services is frequently misunderstood. Network and operating system security become less visible when services are hosted externally, but the customer's obligation to configure, operate and verify security controls over what it still owns (identities, data and service configuration) remains critical.
  • Limited Budget - healthcare providers, like all organisations and agencies, have limited budgets for managing cyber security risk because of competing financial priorities such as patient care and equipment upgrades. Fragmented IT services and unclear ownership of security controls make those controls expensive to acquire and maintain; this fragmentation often leads to higher operating costs, lower productivity and controls that are neither effective nor well targeted.
  • Lack of Awareness - limited awareness of IT and cyber security in healthcare organisations stems from factors such as limited staff training and awareness activities, a focus on patient care over IT and security, and a surprisingly common misconception that healthcare data is not a primary target. The result is inadequate investment in, and preparedness for, cyber threats.


The Australian Government has released a new cyber security strategy that aims to introduce more rigorous regulation to protect personal data. The strategy runs to 2030 and includes wide-ranging measures across all Australian industries. As part of these reforms, the Cyber and Infrastructure Security Centre (CISC) has recently published advisory information for critical infrastructure sectors, including healthcare and medical, to guide the management of risks arising from owning and operating critical infrastructure assets. The new obligations and regulations include:

  • CIRMP Obligations - the Critical Infrastructure Risk Management Program (CIRMP) rules set out what a responsible entity's risk management program must address for each of its critical infrastructure assets, including cyber and information security hazards such as improper access to, or misuse of, information or systems.
  • The SOCI Act - the government has amended the Security of Critical Infrastructure Act 2018 (the SOCI Act) to strengthen the security of critical infrastructure by extending the sectors and asset classes it covers; healthcare and medical is one of the eleven sectors now subject to the enhanced regulatory framework.

A primary purpose of these reforms is to improve risk management, prevention and resilience against increasingly frequent and sophisticated attacks on critical infrastructure. By fostering collaboration between government, regulators and healthcare providers, the government hopes to ensure that vital services and sensitive data are protected.


When it comes to critical infrastructure, security is a shared responsibility. While the government is taking action, Australian healthcare providers need to improve their controls quickly, both to keep pace with growing cyber threats and to meet the new regulations aimed at the same goal.

At InfoTrust we offer consulting and advisory services to help uplift your security program, increase your capacity to meet any future mandatory legislative standards, and introduce and operate effective Information Security Management Systems.

If you are a professional in the healthcare sector and would like to know more about developing good risk management practices join our virtual session on Thursday, 28th September 2023.