Excite Cyber Provides Essential Tips to Medical Specialists to Bolster Their Cybersecurity Defences Following Leaking of Patient Data On the Dark Web
Posted: Tuesday, Jul 01

The recent leaking of private details of hundreds of patients, including sensitive health information and Medicare numbers, on the dark web following a cyberattack on a private specialist who works at the Epworth and Royal Melbourne hospitals highlights the importance of small medical practices and specialists taking proactive steps to ensure that their patient data is secure.

Louise Hanna, General Manager of Excite Cyber (ASX:EXT), one of Australia’s largest listed cybersecurity firms, says this incident is a stark reminder that GPs, specialists, and small private practices are now prime targets for cybercriminals due to their comparatively weaker cyber defences. 

“Hospitals may have stronger defences, but attackers know the weak link often lies in the smaller, less protected third-party medical providers. Medical professionals running small or private clinics should urgently review their cybersecurity protections and enhance them.”

Louise Hanna, General Manager of Excite Cyber


The Office of the Australian Information Commissioner reports that the health sector continues to report the highest number of data breaches across all industries. Between July and December 2023, 121 breaches were reported in the health sector, up from 79 in the same period in 2022. 

Louise recommends the following eight essential steps for all medical specialists, GPs and smaller practices: 

  1. Audit personally identifiable information – It’s important to know where your patients’ personally identifiable sensitive information is stored and how well it’s protected. Doing a risk check, such as a penetration test, can help find any weak spots in your system before problems happen. Security checks provide insights on where you might be vulnerable and identify steps you can take to better protect your data.
  2. Use strong, unique passphrases – Combine upper and lowercase letters, numbers, and symbols. Avoid reusing passwords across systems.
  3. Enable Multi-Factor Authentication (MFA) – Add a second layer of protection, such as an app or SMS code, to all logins, especially email and patient management systems.
  4. Back up critical data regularly – Store backups in a secure, offsite or cloud location, and test recovery procedures.
  5. Train all staff in cybersecurity awareness – Regularly educate staff on phishing, suspicious links, and social engineering tactics.
  6. Update software and systems – Ensure operating systems, antivirus software, and medical practice platforms are kept current with the latest security patches.
  7. Limit access to sensitive data – Only give access to patient data to staff who need it and use role-based permissions.
  8. Undertake regular security reviews – Regular security reviews are key to keeping your information safe, building trust with your patients, and making sure your business runs smoothly.

Louise also stresses that hospitals should work proactively with all third-party specialists to uplift their security posture. “It’s also important to remember that while you can outsource the storage and operations of the IT systems used to support your practice, you can’t outsource responsibility for protecting the data,” she says.
