Cyber security fundamentals
Protecting health information is an extension of caring for healthcare consumers and everyone needs to manage cyber security risks.
Why cyber security matters
People working in healthcare organisations – whether large, small, public or private - need to always be aware of potential cyber security issues and know how to action them.
Cybercriminals seek out weaknesses in an organisation’s people, processes or technologies that can be exploited. A successful exploit is a cyber attack, which can lead to:
- loss or theft of information or intellectual property
- losing access to critical business systems
- significant disruptions to service delivery and business as usual
- placing your patients, clients and colleagues at risk reputational damage
- loss of confidence from customers and key stakeholders
- fines if your organisation is found negligent.
Preventing a cyber attack is not the sole responsibility of IT departments - everyone plays a part in keeping personal and professional information secure.
The health sector has become a prime target for cyber attack and has seen increased threat activity and compromised systems.
Practical steps to protect against cyber attacks
You should start with becoming familiar with different types of cyber threats and how to defend your organisation against them.
The Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve cyber security to help make our country the most secure place to connect online. Go to Learn the basics at Cyber.gov.au to find out more or follow the links below.
- Keep your software up to date and do not allow the installation of unapproved or unverified software programs on your networks.
- Use strong passphrases and turn on multi-factor authentication
- Back up your data regularly.
- Never respond to phishing emails, texts and calls. If you or a staff member shares confidential information, such as username and password, with a phishing scam - change the compromised password immediately.
- If you fall victim to ransomware, do not pay the ransom - call the Australian Cyber Security Centre 24/7 hotline on 1300 CYBER1 (1300 292 371).
For cyber security information specific to the healthcare sector, you can attend our Digital Health Security Awareness eLearning course.
To receive timely information about threats to digital health software and cyber attack campaigns relevant to the healthcare sector, subscribe to our Digital Health Cyber Security Alerts
If you’re keen to join a community of healthcare professionals who want to lead, share insights and learn about how to drive positive cyber security culture and behaviours within your healthcare organisation, join the Australia-wide Cyber Champions Network. Find out more or submit an expression of interest here.
Cyber security compliance
Healthcare provider organisations have certain obligations under the My Health Records Act 2012 (Cth) and My Health Records Rule 2016.
Rule 42 of the My Health Records Rule requires healthcare provider organisations to have, communicate and enforce a written security and access policy in order to register, and remain registered, to use the My Health Record system.
Organisations registered with the My Health Record system must have a security and access policy regardless of the organisation’s size or how often they access the My Health Record system.
Download the My Health Record system security and access policy template and access the eLearning course for Developing a My Health Record Security and Access Policy for your Organisation - both created by the Australian Digital Health Agency.
Learn more about securing your healthcare business
Visit our cyber security awareness page for free cyber training and guidance resources to help everyone in your organisation understand cyber security risks and how to secure your business.