
Cybersecurity and resilience: A brief guide for medical practice

Monday, 16 Mar 2026

Ben Ryan, Avant Law - Partner, Commercial & Corporate

Marko Novakov, Avant Law - Senior Associate, Commercial & Corporate

Cybersecurity is no longer a back-office technical matter for IT departments and specialists. It is now a board-level responsibility with significant legal, regulatory and reputational consequences. A single breach can damage patient trust, interrupt operations and expose your practice to avoidable consequences.


Legal considerations

Medical practices and practitioners that handle patients' sensitive health information are required to comply with the data security requirements of the Privacy Act 1988 (Cth) (Privacy Act).

Directors of a medical practice operated through a company structure (including a corporate trustee of a trust) also have duties under the Corporations Act 2001 (Cth) (Corporations Act).

As a result of recent reforms to the Privacy Act and enforcement actions by the Australian Securities and Investments Commission (ASIC), board directors are now expected to formally integrate cyber risk into their enterprise risk management frameworks.

  • Corporations Act – Section 180: Directors must exercise their powers and discharge their duties with care and diligence. ASIC has launched legal action against RI Advice Group Pty Ltd, HSBC Bank Australia Limited and FIIG Securities Limited in connection with cybersecurity incidents. All three companies are in the financial services industry, but the ASIC actions are relevant to companies in any industry: companies are now expected to have adequate cybersecurity risk management in place, and a failure to do so can be a breach of directors’ duties.
  • Privacy Act – Australian Privacy Principles 1 and 11: Taking ‘reasonable steps’, beyond technical security measures, to protect and ensure the integrity of personal information throughout the information lifecycle. This includes implementing strategies for governance, internal practices, processes and systems, and for dealing with third party providers.
  • Notifiable Data Breaches scheme under the Privacy Act – the mandatory reporting of eligible breaches to the regulator and affected individuals provides visibility of compliance with relevant security standards and allows affected individuals to mitigate their personal risk.
  • Contractual obligations – companies enter into contractual arrangements with third parties (including suppliers) under which they are likely to have obligations relating to the retention and security of information. In the medical industry, this will inevitably include contracts with IT providers and practice management software businesses that involve the sharing of patient data (in addition to employee and supplier information).

How this impacts medical practices

According to the Office of the Australian Information Commissioner (OAIC), the health sector consistently reports the highest volume of data breaches, and recent data shows it is the most targeted industry.

These developments should compel medical practice owners to invest in strong cyber strategy measures: not just IT-focused approaches, but a governance-led approach in which decisions flow from an overall organisational strategy to take reasonable steps to protect the integrity of personal data. This includes IT solutions as well as employee training and strong contractual protections with third party providers.

Reasonable steps your practice can take now

It is worth downloading our self-assessment tool and following along as you read this article. If you answer ‘no’ or ‘unsure’ to any section, it may be a sign that your practice is exposed to cyber risks and may not meet privacy or security expectations.

Each section below expands on an area raised in the self-assessment to help you understand its impact on your business and also to facilitate compliance with legislative requirements and contractual obligations:

  • Cybersecurity and automated systems: A strong cybersecurity framework begins with understanding your systems. Every practice should know when it last reviewed its cybersecurity protections, including automated processes such as data back-ups and file transfers. Regular assessments help confirm that your technology is working as intended and that your systems are resilient to attacks.
  • IT team and vendor management: Your IT support plays a critical role in protecting your practice. Stability in your IT team reduces errors, miscommunication and overlooked risks. When you bring in external IT vendors, due diligence is essential. You need clarity about their capabilities, and contracts that set out responsibilities, response times and security standards.
  • Employee training and cyber awareness: Your employees are often the first line of defence. Staff should receive regular training on how to identify suspicious emails, unusual activity and potential threats. Without this training, even the best security systems can fail. A well-trained team helps prevent cyber complacency and ensures issues are reported quickly.
  • Systems, tools and technical protections: Every practice needs tools that can block harmful websites, monitor systems for unusual activity and filter suspicious emails. Consistent back-ups of patient records and practice data are essential for keeping your information safe if something goes wrong. Up-to-date anti-virus and endpoint security software add another layer of protection by reducing the risk of ransomware attacks and helping secure every device connected to your network.
  • Internal protocols and response plans: Cybersecurity is not only about prevention. It is also about knowing what to do when something goes wrong. Your practice should have internal rules that restrict who can access sensitive information. You also need a clear business continuity plan that guides your response to a cyber attack and outlines who must be notified, including key stakeholders and regulators.
  • Privacy and security documentation: Policies should be reviewed regularly to make sure they reflect current risks and legal requirements. This includes your privacy policy, website terms and conditions, patient forms, acceptable use policies and your data breach notification policy. Up-to-date documents help protect your business and show that you take privacy obligations seriously.

How Avant Law can assist

Cybersecurity risks are growing across the health sector, and medical practices are frequent targets. A ‘no’ or ‘unsure’ answer in your self-assessment is an early warning sign that your systems need attention. Working through each of these areas helps protect your practice, your patients and the long-term stability of your business.

For medical practice owners, Avant Law can assist you in the following ways in taking reasonable steps to ensure your company has implemented effective cybersecurity measures and for compliance responses.

If you have any questions, or would like more information about how we can assist you or your practice, please call 1800 867 113 or contact us to organise a confidential discussion at a time that suits you.

About the authors

Ben Ryan

Ben Ryan is a Partner in the commercial and corporate law practice at Avant Law, based in Brisbane. Ben has been working with medical practices since 2013. Ben works primarily on commercial structuring and intellectual property matters to help clients achieve strategic and commercially sensible results. He pursued a career in law to provide reliable and honest support to those in need of legal assistance and enjoys working with clients to develop solutions-oriented legal strategy and advice.

Marko Novakov

Marko Novakov is a Senior Associate in the commercial and corporate law practice at Avant Law, based in Melbourne. Marko has broad-based experience practising in law firms and in-house legal roles in the areas of commercial law, corporate and regulatory governance, and litigation and alternative dispute resolution. Since 2023, Marko has focused on working with health practitioners and medical practices, primarily on commercial acquisitions and sales, governance, dispute resolution and intellectual property matters, in order to help clients achieve both their strategic and commercial objectives. In working with his clients, Marko has developed a reputation as a trusted advisor who can bridge the gap between legal expertise and effective communication.

Prior to becoming a lawyer, Marko completed his Bachelor of Science Degree at the University of Toronto with a focus on Behavioural Neuroscience and with multiple publications in a peer-reviewed scientific journal for behavioural neuroendocrinology. Marko also attends and delivers presentations at conferences for doctors on commercial matters related to private practice. 

The information in this article does not constitute legal advice or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of this content. The information in this article is current to 23 February 2026. Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme. 
