We are currently processing payments for Medical Indemnity 1 January 2025 renewals. Please note that your cover is not impacted and you can continue to practice. You can access your documents, including your Confirmation Certificate which can be provided as evidence of cover, via the Medical Indemnity Member Login.

Guarding against a cyber attack on your practice

Kate Gillman, BA LLB, Head of Medico-legal Advisory Service, Avant

Monday, 30 September 2024

Guarding against a cyber attack on your practice

A cyber-attack can have a devastating impact on your medical practice, potentially locking out clinical and administration systems for weeks and breaching patient privacy

Every medical practice using the internet is at risk of a cyber incident. However, practice owners and managers can be prepared for and minimise the risks of a cyber incident by having clear IT security policies and procedures for all practitioners and staff.

A hard cyber lesson

Avant member Mary (a pseudonym), spoke to Avant about the devastating impact of a ransomware attack on her practice.

It was a hard lesson on why cyber security policies and procedures are essential in every practice, particularly ensuring your backup is secure.

Mary described the cyber-attack at her practice as a catastrophe. The practice had a policy of changing passwords regularly. Beyond that, like many medical practices, it had relied on its IT provider to deal with cyber security and IT systems. The practice did not have a separate cyber response plan and staff in the practice felt unprepared to respond to a cyber incident.

When the attack happened, the paperless practice suddenly found it had no information on any patients. It discovered its backup was not sufficiently secure and had been infected as well. Ultimately all systems, data and backup files were inaccessible, from appointment books to patient records. It was five weeks before all patient information was recovered.

Finding the right IT provider

Mary’s experience also highlighted the importance of having an IT provider with the expertise and experience to understand your practice’s needs and help protect you from cyber incidents. Organising an IT risk assessment to identify any weaknesses in your system may also help offer you reassurance.

Recognising a cyber attack

It can be difficult to recognise a cyber incident, which may appear to be an internet connection or service provider problem.

Typical symptoms include the system not starting normally or repeatedly crashing, or the internet browser going to unwanted pages or advertisements popping up in an unusual manner.

Minimise the damage

If your practice experiences IT problems, assume the worst and shut down all computers, including unplugging from power points.

Be aware that if you try to restore your files from your backups while your system is still exposed to the attack, you may infect your backup. Do not connect the backup data or any portable devices such as laptops to the network. Contact your IT provider immediately.

Don’t rely on being able to pay to restore your data

Seek advice from Avant and IT experts if you receive a ransomware demand.

Mary’s practice received a ransom demand about 24 hours after the cyber-attack. After four weeks of being unable to access data and backup files, the practice owners decided to pay the ransom.

Be aware though that even if you do get a decryption code, this is no guarantee you will get all your data back. In Mary’s case, it took another week before the decryption code worked. Recent reports also now suggest ransomware files may corrupt data, so even getting it decrypted may not restore everything that was lost.

The Australian Cyber Security Centre advises against paying ransoms. In some circumstances, paying ransomware may be an offence under Commonwealth legislation that prohibits money laundering or payments to terrorist organisations.

Recreating patient records

While trying to get data restored, Mary’s practice had to rebuild its data systems, including medical records, because the backup files were also inaccessible.

If a practice has separate and secure backups, it may be able to retrieve clinical and administrative information and be operating as normal within a few days of an attack. However, when backup files cannot be accessed, the practice will have to gather patient information from other sources. You may also be able to access information from a patient’s My Health Record.

Lack of access to electronic medical records will make patient care difficult, but in most cases you should continue to see patients, unless you are unable to provide adequate health care.

In Mary’s case the practice appointments were in the IT system that could not be accessed. When a patient arrived for an appointment, the practice took demographic details and contacted the patient’s GP, other specialists, pathology/imaging practices, pharmacists and hospitals to provide clinical data for the patient.

The most concerning aspect for Mary was not knowing if patients had not attended an appointment.

Patient privacy

Mary contacted Avant for advice as soon as she became aware of what had happened at the practice. She was particularly concerned about privacy obligations. The Office of the Australian Information Commissioner (OAIC) did ask the practice for information about the incident. In this case it was ultimately agreed that as the firewall had not been breached there was no reasonable chance that data had been accessed by unauthorised people or exported. Therefore, there was no obligation to report the incident to the OAIC under the Notifiable Data Breach scheme.

However, this may not always be the case. Whenever there is a cyber incident, the practice owners or manager should check if the incident is a notifiable data breach that needs to be reported to the OAIC and patients under the Notifiable Data Breach scheme.

Why cyber security is essential in your practice

What happened to Mary and her colleagues is a sobering warning of what can happen if your medical practice does not have cyber security policies and procedures.

Their experience alerted other practices to the risks of cyber-attack. Mary said that every practice contacted to retrieve patient data looked at their systems after hearing what had happened.

The main lessons from Mary’s experience were:

  • Ensure your backup is safe, secure and impenetrable.
  • Have strong cyber security policies and procedures in place and ensure all practitioners and staff adhere to these, especially password security.
  • Conduct a cyber audit. Mary said she would now recommend getting a second opinion on IT security from another provider or consultant to ensure there are no weaknesses in the system, rather than relying on one provider.

Useful resources:

More information

For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.

Share your view

We welcome your feedback on this article.

Contact the editor

Other resources

  1. New privacy laws have passed! - Avant

    New Privacy Laws Have Passed - time to review your privacy practices!

  2. AI scribes in practice: common errors to consider - Avant

    AI scribes in practice: common errors to consider

  3. AI scribes and patient consent - Avant

    AI scribes and patient consent

More ways we can help you

Indemnity insurance
Health insurance
Practice solutions
Finance
Legal services
Life & income protection

Disclaimers

The case discussed in this article is based on a real case. Certain information has been de-identified to preserve privacy and confidentiality.

Legal Services are provided by Avant Law Pty Limited ABN 63 136 429 153 (Avant Law). Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme.

This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.

To Top

NSW State Office AddressLevel 6, Darling Park 3, 201 Sussex Street, Sydney NSW 2000
Telephone 02 9260 9000 | Facsimile 02 9261 2921

Mailing addressPO Box 746 Queen Victoria Building NSW 1230

Connect with Avant

facebookxlinkedininstagramyoutube

In the spirit of reconciliation, Avant acknowledges the Traditional Custodians of Country throughout Australia, and their connections to land, sea and community. As a national organisation, we pay our respects to Elders past and present, of the lands on which we gather and work, and extend that respect to all Aboriginal and Torres Strait Islander peoples.

IMPORTANT: Professional indemnity insurance and the Practice Medical Indemnity Policy available from Avant Mutual Group Limited ABN 58 123 154 898 (Avant Mutual) are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765 (Avant). Avant Cyber Insurance cover is available to eligible Avant Practice Medical Indemnity Policy holders up to the cessation of their policy and is provided under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant. Private health insurance products are issued by The Doctors’ Health Fund Pty Limited, ABN 68 001 417 527, a member of the Avant Mutual Group. Avant arranges Avant Business Insurance as agent of the insurer Allianz Australia Insurance Limited ABN 15 000 122 850, AFSL 234 708 (Allianz) and may receive a commission on each policy arranged. Avant Travel Cover is available under a Group Policy between QBE Insurance (Australia) Limited, ABN 78 003 191 035, AFSL 239 545 (QBE) and Avant Mutual. Avant Travel Cover is underwritten by QBE and Avant may receive a benefit for arranging cover. Avant Finance is a registered business name of Avant Doctors’ Finance Pty Ltd (ACN 637 769 361) and licensed to Avant Doctors’ Finance Brokers Pty Ltd (ABN 75 640 406 784). Avant Doctors’ Finance Brokers Pty Ltd is a wholly owned subsidiary of Avant Doctors’ Finance Pty Ltd. Loan products may be provided by Avant Doctors’ Finance Pty Ltd or arranged by Avant Doctors’ Finance Brokers Pty Ltd. Credit services or assistance to which the National Credit Code applies are provided by Avant Doctors’ Finance Brokers Pty Ltd as authorised Credit Representative (Credit Representative Number 523242) for LMG Broker Services Pty Ltd ACN 632 405 504 Australian Credit Licence 517192. Legal services are provided by Avant Law Pty Ltd ABN 63 136 429 153 (Avant Law). Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law are members of the scheme.


The information provided on this website is general advice only and has been prepared without taking into account your objectives, financial situation and needs. You should consider these, having regard to the appropriateness of the advice before deciding to purchase or continue to hold these products. For full details including the terms, conditions, and exclusions that apply, please read and consider the relevant Product Disclosure Statement or policy wording and Target Market Determination (TMD) which are available on this website or by contacting us on 1800 128 268. Information on this site does not constitute legal or professional advice, and is current as at the date of initial publication.