Data & Privacy · 15 August 2025 · 8 min read

Cyber Security for Aged Care and Disability Support Providers

Aged care and NDIS providers handle highly sensitive participant data and face real cyber threats — here's how to protect your clients, your staff, and your registration.


Aged care providers and NDIS disability support businesses handle some of the most sensitive personal information imaginable — health conditions, daily routines, home addresses, financial details, and the intimate details of people's care needs. That information has real value to criminals, and the organisations that hold it are increasingly being targeted. At the same time, many small providers operate with limited IT support, high staff turnover, and workers spread across multiple homes and sites.

This guide is written for small and medium aged care providers, NDIS registered providers, and disability support businesses who want to understand the risks and take practical steps to protect the people in their care.

Why This Sector Is Being Targeted

Aged care and disability providers are attractive to cybercriminals for several reasons:

  • Highly sensitive data: Participant health records, medication information, NDIS plans, and financial details are all valuable on dark web markets and useful for identity fraud.
  • Under-resourced IT: Many providers are small community organisations or sole operators without dedicated IT staff, making security gaps more likely.
  • High staff turnover: The sector has among the highest staff turnover in Australia, which creates risk around account access, data handling, and offboarding.
  • Remote and distributed workforces: Support workers operating in clients' homes use personal devices and connect from a range of networks, making consistent security harder to enforce.

The Threats Most Likely to Affect Your Organisation

Ransomware on Care Management Systems

Ransomware attacks encrypt your files and demand payment for the key to unlock them; most current groups also copy the data out before encrypting it and threaten to publish it, so a backup gets you operating again but does not make the breach go away. For a care provider, losing access can mean losing participant care plans, medication schedules, rostering, and incident records all at once. Systems like Carelink+, ShiftCare, Nightingale, and Brevity hold critical operational data, and if you rely on a cloud-hosted version of one of these, find out from the vendor what they back up and how quickly you can get an export of your records. Regular, tested backups kept disconnected from your main systems are what let you recover without paying; MFA and prompt software updates are what keep the attacker out in the first place.

Phishing Targeting Support Workers

Support workers often receive communications from multiple sources — their employer, the NDIS Commission, participants' families, and others. Phishing emails that appear to come from these trusted sources can trick workers into clicking malicious links or entering their login credentials on a fake website. Workers accessing the NDIS myplace provider portal or iCare on personal devices are particularly exposed if those devices aren't secured.

Fraud via Compromised Worker Accounts

If an attacker gains access to a support worker's account, they may be able to view participant NDIS plans, access bank account information linked to plan management, or submit fraudulent service claims. This type of fraud is increasingly being investigated by the NDIS Commission.

Data Breaches Exposing Participant Health Information

Health information is subject to heightened protections under the Privacy Act. A breach that exposes a participant's diagnosis, mental health history, or care needs can cause serious harm, and where that harm is likely it triggers mandatory notification of the Office of the Australian Information Commissioner and of the affected individuals under the Notifiable Data Breaches scheme.

Your Regulatory Obligations

Operating in this sector means meeting multiple overlapping obligations:

  • NDIS Practice Standards: The NDIS Quality and Safeguards Commission requires registered providers to maintain secure systems for managing participant information and to report certain incidents through the Commission's incident management system.
  • Aged Care Quality Standards: Standard 8 covers organisational governance and includes requirements for information management systems that protect consumer privacy.
  • Privacy Act — APP 11: Requires reasonable steps to protect personal information (including health information) from misuse, interference and loss, and from unauthorised access, modification or disclosure.
  • Notifiable Data Breaches: If a breach is likely to result in serious harm, notification to the OAIC and the affected individuals is mandatory and must happen as soon as practicable.

Practical Controls for Small Providers

MFA on the NDIS Portal and Care Management Software

Multi-factor authentication should be enabled on every platform that holds participant data: the NDIS myplace provider portal, ShiftCare, Brevity, your email and file storage, and any other care management tools you use. MFA means a stolen password alone isn't enough to access your systems. Where the platform offers it, prefer an authenticator app, passkey or security key over SMS codes, which can be intercepted or simply typed into the same fake login page that captured the password. Turn it on for administrator and owner accounts first, since those can change everyone else's access.

Secure Onboarding and Offboarding Given High Turnover

Create a checklist for when staff start and finish. When someone leaves, revoke their access to every system before their final shift ends, not weeks later: the care management platform, the NDIS portal, email, rostering, shared file storage, and any shared logins or door codes they knew (change those). With high turnover in care and support roles, lingering access is one of the most common sources of data security incidents. Don't rely on remembering to do it; schedule a monthly check that compares who still has an enabled account against who is actually on the payroll, and look for accounts nobody has logged into for months.
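The monthly comparison described above is easy to automate once you can export a user list from your care platform and a leaver list from your HR or payroll system. The script below is an added example written for this article, not code from ShiftCare, Brevity or any other vendor. Both CSVs are constructed sample data, and the column names (email, end_date, enabled, last_login) are assumptions that you would map to whatever your own systems export.

```python
"""Reconcile an HR roster against a care management system's user export,
flagging leavers whose accounts are still enabled, accounts nobody has used
for a long time, and accounts with no matching staff record.

Added example for this article; it is not code from any care platform or
from the article's author. Both CSVs are constructed sample data and the
column names (email, end_date, enabled, last_login) are assumptions: map
them to whatever your HR system and platform actually export.
"""
import csv
import io
from datetime import date

# Constructed HR roster. A blank end_date means the person is still employed.
ROSTER_CSV = """email,name,end_date
a.lee@example.org,Alex Lee,
b.ng@example.org,Bao Ng,2025-08-01
c.singh@example.org,Chandra Singh,2025-08-20
d.old@example.org,Dana Old,
"""

# Constructed user export from the care management platform.
ACCOUNTS_CSV = """email,enabled,last_login,role
a.lee@example.org,true,2025-08-14,support_worker
b.ng@example.org,true,2025-07-30,support_worker
c.singh@example.org,true,2025-08-13,coordinator
d.old@example.org,true,2025-03-02,support_worker
e.gone@example.org,false,2025-01-10,support_worker
shared.roster@example.org,true,2025-08-14,admin
"""

DORMANT_DAYS = 90  # assumption: set this to your own policy


def parse_date(text):
    """ISO date string -> date, or None when the field is blank."""
    text = (text or "").strip()
    return date.fromisoformat(text) if text else None


def reconcile(roster_csv, accounts_csv, today_iso, dormant_days=DORMANT_DAYS):
    """Return (email, reason) pairs for every enabled account that needs action."""
    today = date.fromisoformat(today_iso)
    roster = {r["email"].strip().lower(): r
              for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to do
        email = acct["email"].strip().lower()
        person = roster.get(email)
        if person is None:
            # Shared logins and vendor accounts show up here: decide who owns them.
            findings.append((email, "no matching staff record: shared, vendor or orphaned account"))
            continue
        end = parse_date(person["end_date"])
        if end is not None and end <= today:
            findings.append((email, f"left on {end.isoformat()} but account still enabled"))
        last = parse_date(acct["last_login"])
        if last is not None and (today - last).days > dormant_days:
            findings.append((email, f"no login for {(today - last).days} days"))
    return findings


if __name__ == "__main__":
    for email, reason in reconcile(ROSTER_CSV, ACCOUNTS_CSV, "2025-08-15"):
        print(f"{email}: {reason}")
```

Run against the sample data with 15 August 2025 as "today", it reports the leaver from 1 August who is still enabled, the worker who has not logged in since March, and the shared rostering login that belongs to nobody. The coordinator whose end date is still in the future is correctly left alone, and the account that was already disabled is skipped.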

Mobile Device Management for Field Workers

If workers use personal phones to access participant information or the NDIS portal, establish minimum standards: screen locks, up-to-date operating systems, and no sharing of participant information via personal SMS or messaging apps. Consider a simple mobile device management (MDM) solution that lets you remove work data and work apps from a lost or stolen device; most MDM products can do this selectively on a personal phone without wiping the worker's own photos and messages, which makes the policy far easier to get staff to accept.

Staff Training on Phishing

Support workers are busy, often working alone, and may not have a strong technology background. Brief, practical training, even a 15-minute session on how to spot a phishing email, can significantly reduce the risk of a worker being tricked into handing over their credentials. Focus on real examples, not technical jargon, and make sure every worker knows exactly who to tell, without fear of blame, if they think they have clicked something they shouldn't have: a report within the hour is what turns a compromised password into a near miss.

Encrypted Backups of Participant Records

Back up participant records regularly, keep a copy somewhere the attacker cannot reach from your main systems, and test that you can actually restore from it. An external drive that stays plugged in will be encrypted along with everything else, so disconnect it after each backup or use a cloud backup service where old copies cannot be deleted with the same login you use day to day. Restore a few records to a spare machine at least quarterly and check they open correctly. In the event of a ransomware attack, a good backup is what stands between you and paying a criminal for your own data.
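A restore test is only meaningful if you can tell that what came back is exactly what went in. The script below is an added example for this article, not code from any backup product: it backs up a folder into a compressed archive together with a manifest of SHA-256 hashes, restores the archive somewhere else, and checks every file against the manifest, then shows that a damaged restore is reported. The sample records folder is constructed in a temporary directory so the script runs offline; in practice you would point `source` at the export folder from your care management system.

```python
"""Back up a folder with a SHA-256 manifest, restore it elsewhere and verify.

Added example for this article; not code from any backup product or vendor.
The records folder is constructed sample data in a temporary directory so
the script runs offline; point `source` at a real export folder in practice.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source, archive):
    """Write every file under `source` into `archive` plus a manifest of hashes."""
    source = Path(source)
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def restore(archive, dest):
    """Extract `archive` into `dest`, refusing members that could escape it."""
    with tarfile.open(str(archive), "r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith(("/", "\\")) or ".." in Path(m.name).parts \
                    or m.issym() or m.islnk():
                raise ValueError(f"unsafe archive member: {m.name}")
        tar.extractall(str(dest))


def verify(dest):
    """Compare restored files against the manifest; return a list of problems."""
    dest = Path(dest)
    manifest_path = dest / MANIFEST
    if not manifest_path.exists():
        return ["manifest missing: backup cannot be verified"]
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for rel, digest in manifest.items():
        path = dest / rel
        if not path.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def run_demo():
    """Back up constructed records, restore and verify, then catch a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "records"
        (source / "care_plans").mkdir(parents=True)
        (source / "care_plans" / "p0001.txt").write_text("plan: constructed sample\n")
        (source / "medications.csv").write_text(
            "participant,medication,time\np0001,sample,08:00\n")

        archive = tmp / "records-backup.tar.gz"
        manifest = backup(source, archive)

        clean = tmp / "restore-test"
        restore(archive, clean)
        clean_problems = verify(clean)

        # Simulate a restore where one file came back truncated (e.g. a partial write).
        damaged = tmp / "restore-damaged"
        restore(archive, damaged)
        (damaged / "medications.csv").write_text("participant,medication,time\n")
        damaged_problems = verify(damaged)

        return len(manifest), clean_problems, damaged_problems


if __name__ == "__main__":
    count, clean, damaged = run_demo()
    print(f"{count} files backed up; clean restore: {clean or 'OK'}; damaged restore: {damaged}")
```

Keep the manifest, or at least its hashes, somewhere other than inside the same archive as well: if an attacker can rewrite the backup they can rewrite a manifest stored with it, whereas a copy of the hashes printed or emailed to you at backup time cannot be altered from your systems.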

The People in Your Care Depend on Your Security

Participants trust your organisation with information about some of the most vulnerable periods of their lives. Protecting that information is part of the care you provide — and it's a legal obligation. You don't need a large IT team to take meaningful steps. Start with MFA, a clear offboarding process, and regular backups. These three actions alone will significantly reduce your exposure.


Frequently asked questions

Do NDIS providers need to report a data breach?

Yes — NDIS registered providers have obligations under both the Privacy Act and the NDIS Practice Standards. Under the Notifiable Data Breaches (NDB) scheme, if a data breach is likely to result in serious harm to a participant, you must notify the Office of the Australian Information Commissioner and the affected individuals as soon as practicable. You may also be required to report the incident to the NDIS Quality and Safeguards Commission as part of your incident management obligations under the Practice Standards. Even if the breach doesn't meet the NDB threshold, documenting it internally and reviewing your controls is important.

How do I manage cyber security when my support workers use personal phones for work?

This is one of the biggest challenges for small providers. At minimum, require workers to use a PIN or biometric lock on their personal devices, and ensure they access work systems — like ShiftCare or the NDIS myplace portal — only through apps or browsers that support MFA. Avoid sharing participant information via personal SMS. If possible, consider a bring-your-own-device (BYOD) policy that sets out minimum security requirements and what happens if a device is lost or stolen. Some providers use mobile device management (MDM) software to enforce these standards remotely, which is worth exploring as your organisation grows.

What are my data security obligations as an NDIS registered provider?

As an NDIS registered provider, you must comply with the NDIS Practice Standards, which include requirements for information management and the protection of participant records. You must also comply with the Privacy Act, including the Australian Privacy Principles — particularly APP 11, which requires you to take reasonable steps to secure personal information from misuse and unauthorised access. Health information about participants attracts additional protections under the Privacy Act. If you're also an aged care provider, the Aged Care Quality Standards impose similar obligations. The practical upshot is: you need documented data handling procedures, secure storage of participant records, and a process for managing and reporting incidents.

Tags: NDIS · aged care · disability support · health data · Privacy Act · care management software