Guarding your practice against cyber threats: Real-life lessons and practical tips

Avant media

Tuesday, 29 April 2025

Graphic of a fishing hook in front of distorted hands typing on a laptop

Cybersecurity is a crucial aspect of running a medical practice. An Avant webinar on cybersecurity and privacy highlighted an all-too-common scenario, the ramifications, and practical tips to help protect your practice.  

The phishing email 

Mary*, a receptionist at a busy medical practice, received an email that looked like it was from their telecommunications provider. The email included a link to view an outstanding bill. After clicking the link and entering her Microsoft 365 email and password, Mary realised there was no bill.  

The next day, patients started calling about emails they received from the practice, asking them to click a link to view their test results. It turned out the email was a phishing attempt. By entering her credentials, Mary had unknowingly given hackers access to the practice's email account. The hackers then used this access to send phishing emails to patients.  

To prevent these kinds of incidents, it's crucial to implement multi-factor authentication (MFA) to add an extra layer of security and prevent unauthorised access even if passwords are compromised. Regularly training staff to recognise phishing emails and other cyber threats is also essential. Additionally, avoid using email as a storage system for sensitive information; instead, transfer important data to secure storage locations and delete unnecessary emails. 

The network compromise 

Following the phishing attack, the practice's IT provider conducted a thorough threat hunt to check for any further network compromise. They discovered the entire email inbox, containing five years of emails, had been downloaded by the hackers. This meant the hackers had access to a significant amount of sensitive patient information. 

To mitigate these risks, it's important to ensure all critical data is backed up regularly and stored securely, separate from the main network. Engaging an external IT provider with healthcare experience can help implement robust cybersecurity measures and conduct regular security audits. Additionally, developing a contingency plan to prepare for cyber incidents and ensure operations can continue if systems are compromised is vital. 

The data breach notification

The practice, with the help of a law firm, assessed the data breach and determined it was likely to cause serious harm to individuals. They notified the Office of the Information Commissioner (OAIC) and took steps to contact affected patients. The practice reviewed all emails to identify affected individuals and notify them about the breach, providing guidance on how to protect their data.  

To handle such situations effectively, it's important to be aware of the requirements under the Notifiable Data Breach scheme and take appropriate steps to notify affected individuals and authorities. Working with legal and public relations experts to create clear and concise communications for patients is crucial. Plus, providing support to staff involved in the incident to manage stress and ensure they understand the steps being taken to resolve the issue is key. 

The importance of cyber insurance 

Despite best efforts to prevent cyber incidents, they can still occur. Cyber insurance, such as the one offered through Avant Practice Medical Indemnity Insurance, can provide protection and support in the event of a cyber-attack. It can cover cyber incidents involving digital asset damage, extortion, and reputational damage. 

Key lessons: 

  • Implement multi-factor authentication (MFA): MFA adds an extra layer of security, making it harder for hackers to access your systems.  
  • Train staff regularly: Regular staff training ensures everyone can recognise and respond to cyber threats. 
  • Ensure regular backups and engage an external IT provider: Regularly back up critical data and store it securely, separate from your main network. An external IT provider with healthcare experience can help implement strong cybersecurity measures and conduct regular audits. 
  • Develop a contingency plan: Have a plan in place to maintain operations during a cyber incident.  
  • Understand legal obligations: Understand your legal obligations under the Notifiable Data Breach scheme to ensure timely notification of affected individuals and authorities. 
  • Consider cyber insurance for financial protection and expert support: Cyber insurance provides financial protection and expert support in the event of a cyber-attack, covering costs like data recovery, legal fees, and reputational damage. 

More information 

If you are a victim of a cyber-attack on your practice and you are an Avant practice policy holder, you can contact the medico-legal advice team here, or call 1800 128 268, 24/7 in emergencies. 

Not an Avant practice policy holder? Protect your practice with Avant’s comprehensive practice indemnity and complimentary cyber cover for eligible practices. Learn more about our policies here

Useful resources

Avant webinar: Protecting your practice: A webinar on cybersecurity and privacy 

Avant case study: Unauthorised access to patient records  

Avant factsheet: Storing, retaining, and disposing of medical records  

Avant factsheet: Responding to a cyber security incident 

*Fictional character

Disclaimers

Avant Practice Medical Indemnity Insurance is issued by Avant Insurance Limited ABN 82 003 707 471, AFSL 238 765. The policy wording is available at www.avant.org.au or by contacting us on 1800 128 268. Practices need to consider other forms of insurance including directors’ and officers’ liability, public and products liability, property and business interruption insurance, and workers compensation. Avant Cyber Insurance cover is available to eligible Avant Practice Medical Indemnity Policy holders up to the cessation of their policy and is provided under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant Insurance. 

IMPORTANT: This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published. 

Topic
Career stage

Other resources

image of two computer screens with security breach and man holding head with hands

Being aware of cyber security

Hooded men at laptop surrounded by coding background

Cyber security framework gaps can be a costly oversight

woman sitting and desk with glasses wiping her eyes

7 steps to avoiding a human data breach

More ways we can help you

Indemnity insurance
Health insurance
Practice solutions
Finance
Legal services
Life & income protection

Our CPD courses for Avant members

Tick off some CPD hours and learn more with our in-depth eLearning courses, free for Avant members. Our courses include education activities, reviewing performance and measuring outcomes. 

Learn now

Need support?

Dealing with a medico-legal issue can be stressful. Find out how Avant and other organisations can help.

Key support services
To Top

NSW State Office AddressLevel 6, Darling Park 3, 201 Sussex Street, Sydney NSW 2000
Telephone 02 9260 9000 | Facsimile 02 9261 2921

Mailing addressPO Box 746 Queen Victoria Building NSW 1230

Connect with Avant

facebookxlinkedininstagramyoutube

In the spirit of reconciliation, Avant acknowledges the Traditional Custodians of Country throughout Australia, and their connections to land, sea and community. As a national organisation, we pay our respects to Elders past and present, of the lands on which we gather and work, and extend that respect to all Aboriginal and Torres Strait Islander peoples.

IMPORTANT: Professional indemnity insurance and the Practice Medical Indemnity Policy available from Avant Mutual Group Limited ABN 58 123 154 898 (Avant Mutual) are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765 (Avant). Avant Cyber Insurance cover is available to eligible Avant Practice Medical Indemnity Policy holders up to the cessation of their policy and is provided under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant. Private health insurance products are issued by The Doctors’ Health Fund Pty Limited, ABN 68 001 417 527, a member of the Avant Mutual Group. Avant arranges Avant Business Insurance as agent of the insurer Allianz Australia Insurance Limited ABN 15 000 122 850, AFSL 234 708 (Allianz) and may receive a commission on each policy arranged. Avant Travel Cover is available under a Group Policy between QBE Insurance (Australia) Limited, ABN 78 003 191 035, AFSL 239 545 (QBE) and Avant Mutual. Avant Travel Cover is underwritten by QBE and Avant may receive a benefit for arranging cover. Avant Finance is a registered business name of Avant Doctors’ Finance Pty Ltd (ACN 637 769 361) and licensed to Avant Doctors’ Finance Brokers Pty Ltd (ABN 75 640 406 784). Avant Doctors’ Finance Brokers Pty Ltd is a wholly owned subsidiary of Avant Doctors’ Finance Pty Ltd. Loan products may be provided by Avant Doctors’ Finance Pty Ltd or arranged by Avant Doctors’ Finance Brokers Pty Ltd. Credit services or assistance to which the National Credit Code applies are provided by Avant Doctors’ Finance Brokers Pty Ltd as authorised Credit Representative (Credit Representative Number 523242) for LMG Broker Services Pty Ltd ACN 632 405 504 Australian Credit Licence 517192. Legal services are provided by Avant Law Pty Ltd ABN 63 136 429 153 (Avant Law). Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law are members of the scheme.



The information provided on this website is general advice only and has been prepared without taking into account your objectives, financial situation and needs. You should consider these, having regard to the appropriateness of the advice before deciding to purchase or continue to hold these products. For full details including the terms, conditions, and exclusions that apply, please read and consider the relevant Product Disclosure Statement or policy wording and Target Market Determination (TMD) which are available on this website or by contacting us on 1800 128 268. Information on this site does not constitute legal or professional advice, and is current as at the date of initial publication.