Data & Privacy · 22 July 2025 · 8 min read

Cyber Security for Medical and Dental Practices: Protecting Patient Records

Healthcare is the most targeted sector globally — Australian GP clinics and dental practices face ransomware, phishing, and data breach risks that carry serious legal and clinical consequences.


Healthcare is the most targeted sector for cyberattacks globally, and Australia is not exempt. For GP clinics, dental practices, physiotherapy studios, and allied health businesses, the stakes are particularly high — patient health records carry the strongest privacy protections under Australian law, the financial and clinical consequences of a ransomware attack can be immediate, and the regulatory obligations are serious.

This post is written for practice owners, principal clinicians, and practice managers who want to understand the real risks and take practical steps to reduce them.

Why Healthcare Is Such a High-Value Target

Health records are worth significantly more than credit card data on the dark web. A stolen credit card can be cancelled within hours. A person's complete health record — including their diagnoses, medications, mental health history, and Medicare number — is permanent, uniquely identifying, and can be used for insurance fraud, identity theft, and blackmail for years.

Beyond data theft, ransomware attacks on healthcare practices are devastating because they don't just affect data — they affect your ability to function clinically. If your practice management system is locked by ransomware, you can't access patient records, view appointment histories, check medication lists, or process Medicare claims. Practices have been forced to cancel appointments for days or weeks following an attack.

The Threats Most Likely to Hit Your Practice

Ransomware via Phishing Email

The most common entry point for ransomware in healthcare is a staff member clicking a malicious link or attachment in an email. Attackers know that practice staff are busy, often working under time pressure, and may not scrutinise an email carefully before clicking. A single click can deploy malware that encrypts your entire server within hours.

Unsecured Medical Devices on the Network

X-ray machines, PACS systems, ECG equipment, and other networked medical devices often run old operating systems — sometimes Windows XP or Windows 7 — that no longer receive security updates. If these devices are connected to the same network as your clinical workstations, a compromise of one can spread to the others. This is a common and underappreciated risk in small practices.

Software Provider Access

Your practice management software vendors — whether you use Best Practice, Medical Director, Dental4Windows, or Cliniko — may have remote access capability for support purposes. If that access isn't properly controlled, it represents a pathway into your systems. You should know which vendors have remote access to your systems, when they last used it, and whether that access can be restricted to on-demand rather than always-on.

Legacy Windows Systems

Many practices continue to run older Windows versions — sometimes because a specific piece of clinical software hasn't been certified for newer operating systems. Legacy systems that no longer receive Microsoft security patches are a significant vulnerability. Where possible, work with your software vendor to move to supported versions, and isolate any systems that genuinely can't be updated.

Key Controls for Medical and Dental Practices

Multi-Factor Authentication on Everything

Enable MFA on your clinical software, email, PRODA (for My Health Record access), Medicare Online, and any cloud services your practice uses. This is the single most effective control you can implement. Most modern practice management platforms support MFA — if yours doesn't, raise it with your vendor.

Network Segmentation for Medical Devices

Put your clinical workstations, imaging equipment, and other networked medical devices on a separate network (VLAN) from your general office computers and guest Wi-Fi. This limits the blast radius if any one device is compromised. Your IT provider or managed service provider can configure this — it doesn't require replacing any hardware, just a change to your router or managed switch settings.
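What the inter-VLAN policy behind this control looks like once the VLANs exist, as an added example that is not part of the original post: a POSIX shell script that emits two nftables rule sets, the weak flat-forwarding baseline and the segmented policy that allows only the flows a practice actually needs (clinical workstations to the practice management server, imaging modalities to the PACS server, guest Wi-Fi to the internet only), and writes the chosen policy to a file for review. The VLAN numbers, subnets, server addresses and the application port 443 are constructed assumptions; DICOM ports 104 and 11112 are the standard ones. A practice's router or managed switch will use its own configuration syntax, but the allow/deny decisions are the same.

```shell
#!/bin/sh
# Added example, not code from the original post. Addresses below are
# constructed for the demo; substitute the practice's real VLAN subnets.
set -eu

OFFICE_NET="10.10.10.0/24"    # VLAN 10: reception/admin PCs, printers
CLINICAL_NET="10.10.20.0/24"  # VLAN 20: clinical workstations and PMS server
DEVICE_NET="10.10.30.0/24"    # VLAN 30: X-ray, PACS, ECG (often legacy OS)
GUEST_NET="10.10.40.0/24"     # VLAN 40: patient Wi-Fi
PMS_SERVER="10.10.20.5"       # practice management system (assumed address)
PACS_SERVER="10.10.30.5"      # imaging archive (assumed address)
PRIVATE_RANGES="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Weak baseline: the router forwards freely between VLANs, so segmentation
# exists on paper only. One infected reception PC can reach the PMS server
# and the unpatched imaging gear directly.
render_flat_policy() {
cat <<EOF
table inet practice {
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}
EOF
}

# Segmented policy: drop by default between VLANs, then allow only the
# flows the practice needs. Replies ride on the established-connection rule,
# and anything the default drop catches is logged so misconfigured devices
# show up in the firewall log instead of silently failing.
render_segmented_policy() {
cat <<EOF
table inet practice {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Clinical workstations -> PMS server (assumed app port 443) and
        # -> PACS server (DICOM 104/11112 plus a web viewer on 443)
        ip saddr $CLINICAL_NET ip daddr $PMS_SERVER tcp dport 443 accept
        ip saddr $CLINICAL_NET ip daddr $PACS_SERVER tcp dport { 104, 11112, 443 } accept

        # Imaging modalities push studies to the PACS server and nothing else;
        # the device VLAN gets no internet and no path to workstations
        ip saddr $DEVICE_NET ip daddr $PACS_SERVER tcp dport { 104, 11112 } accept

        # Office PCs may reach the PMS front end but nothing on the device VLAN
        ip saddr $OFFICE_NET ip daddr $PMS_SERVER tcp dport 443 accept

        # Guest Wi-Fi never reaches any internal range
        ip saddr $GUEST_NET ip daddr $PRIVATE_RANGES drop

        # Office, clinical and guest VLANs may reach the internet
        ip saddr { $OFFICE_NET, $CLINICAL_NET, $GUEST_NET } ip daddr != $PRIVATE_RANGES accept

        limit rate 5/minute log prefix "practice-vlan-drop: "
    }
}
EOF
}

# write_policy FILE  - saves the segmented policy for review/apply
# (apply with: nft -f FILE, after checking it with: nft -c -f FILE)
write_policy() {
    render_segmented_policy > "$1"
    echo "$1"
}

# Stand-alone use: "sh segmentation.sh show" prints both policies.
if [ "${1:-}" = "show" ]; then
    echo "# --- flat (weak) ---"; render_flat_policy
    echo "# --- segmented ---"; render_segmented_policy
fi
```

The order of the rules matters: the guest-to-private drop sits before the general internet-accept rule, so a guest device can browse the web but can never open a connection to the PMS server even if it guesses the address. The device VLAN has no internet rule at all, which is the safest default for equipment that cannot be patched; vendor support sessions can be added as a narrowly scoped, time-limited rule when needed.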

Encrypted, Tested Backups

Your backups are your last line of defence against ransomware. Back up patient data daily, store backups in at least two places (one off-site or in the cloud), and encrypt the backups so that even if they're stolen, the data can't be read. Critically — test your backups. Many practices discover too late that their backup process was failing silently. Restore a test backup at least every quarter.
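A concrete shape for the daily backup plus restore test described above, as an added example that is not part of the original post: a POSIX shell script that archives a directory, encrypts it with OpenSSL (AES-256-CBC with PBKDF2 key derivation), records a SHA-256 checksum, and then immediately restores the archive into a scratch directory and compares it file-by-file with the source, so a backup that would not restore is reported on the same day rather than discovered after an incident. A second function re-checks an existing backup (checksum and test-decrypt) for the periodic review. The directory names, passphrase file and sample data are constructed assumptions; a real practice would point it at the practice management data directory and an off-site or cloud destination.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths and sample data are
# constructed for the demo. Requires tar, gzip, openssl and sha256sum.
set -eu

# backup_and_verify SRC DEST PASSFILE
#   1. archive SRC, streaming straight into the encryptor so no plaintext
#      copy is ever written to the backup location
#   2. encrypt with AES-256-CBC, key derived from the passphrase via PBKDF2
#   3. record a SHA-256 of the encrypted file for later integrity checks
#   4. restore into a scratch directory and diff against SRC
# Prints "verified <archive>" only if the restored copy matches the source.
backup_and_verify() {
    src="$1"; dest="$2"; passfile="$3"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/backup-$stamp.tar.gz.enc"
    mkdir -p "$dest"

    tar -czf - -C "$src" . | openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass "file:$passfile" -out "$archive"
    sha256sum "$archive" > "$archive.sha256"

    scratch=$(mktemp -d)
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$passfile" -in "$archive" \
        | tar -xzf - -C "$scratch"
    if diff -r "$src" "$scratch" >/dev/null; then
        result="verified"
    else
        result="RESTORE-MISMATCH"
    fi
    rm -rf "$scratch"
    echo "$result $archive"
}

# verify_backup ARCHIVE PASSFILE
# Periodic check of a stored backup: the checksum catches corruption or
# truncation in transit or at rest; the test-decrypt proves the passphrase
# on file still opens it. Prints ok, checksum-mismatch or cannot-decrypt.
verify_backup() {
    archive="$1"; passfile="$2"
    if ! sha256sum -c "$archive.sha256" >/dev/null 2>&1; then
        echo "checksum-mismatch"; return 0
    fi
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$passfile" -in "$archive" 2>/dev/null \
        | tar -tzf - >/dev/null 2>&1; then
        echo "cannot-decrypt"; return 0
    fi
    echo "ok"
}

# Stand-alone demo on constructed data: "sh backup-demo.sh demo"
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    mkdir -p "$work/src/notes"
    printf 'constructed sample note, not real patient data\n' > "$work/src/notes/p001.txt"
    printf 'demo-only-passphrase\n' > "$work/pass"   # real use: a mode-600 secret file
    out=$(backup_and_verify "$work/src" "$work/dest" "$work/pass")
    echo "$out"
    verify_backup "${out#verified }" "$work/pass"
fi
```

The automated diff is a daily smoke test, not a substitute for the quarterly full restore the post recommends: it proves the archive is readable and complete, but only restoring into the actual practice management software proves the data is usable. Keep the passphrase file off the backup media and in the practice's password manager; an encrypted backup whose key was lost with the server is as useless as no backup.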

Staff Training on Phishing

Every person in your practice who uses email needs to understand what a phishing email looks like. This doesn't require a lengthy training day — a 30-minute session covering how to spot suspicious emails, what to do when something looks wrong, and who to report it to is sufficient to start. Repeat it annually and whenever a major new scam is circulating.

Vendor Access Controls

Review which third parties have remote access to your systems. Ask your IT provider for a list of all remote access tools installed. Prefer vendors who use on-demand remote access (where you grant access when needed) over always-on connections. Keep vendor credentials separate from your own accounts.

Your Legal Obligations

Patient health records held by a healthcare provider are classified as sensitive information under the Privacy Act 1988, which carries stricter obligations than ordinary personal information. You must take reasonable steps to protect health records from misuse, loss, and unauthorised access. The Notifiable Data Breaches (NDB) scheme requires you to notify both the OAIC and affected patients if a breach is likely to result in serious harm.

For practices that interact with My Health Record, additional obligations apply under the My Health Records Act 2012, including obligations around access controls and breach reporting to the Australian Digital Health Agency.

If Ransomware Hits Your Practice

Don't pay the ransom — there is no guarantee your data will be restored, and payment funds further criminal activity. Isolate affected computers by unplugging them from the network immediately. Contact your IT provider and a cybersecurity incident response specialist. Report the incident to the Australian Cyber Security Centre (report.cyber.gov.au) and assess your NDB notification obligations. Document everything from the moment you discover the incident.

A ransomware attack on a medical practice is a clinical emergency as much as a technology one. Plan for it before it happens — know who you'll call, what systems you'll revert to manually, and how you'll communicate with patients if your systems are down.


Frequently asked questions

Are medical practices required to report a data breach in Australia?

Yes. Medical and dental practices that hold patient health records are covered by the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme. If you experience a data breach that is likely to result in serious harm to any individual — which a health record breach almost always is — you must notify both the Office of the Australian Information Commissioner (OAIC) and the affected patients as soon as practicable. Failing to report a notifiable breach is itself a breach of the Privacy Act and can result in significant penalties.

How do I protect My Health Record data from a cyber attack?

My Health Record access is granted through PRODA (Provider Digital Access), which requires multi-factor authentication. Ensure every clinician who accesses My Health Record does so through their individual PRODA account — never share credentials. Restrict My Health Record access at the practice level so only staff who need it can see it, and review access logs periodically for unusual activity. If you suspect unauthorised access, report it to the Australian Digital Health Agency immediately.
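One way to turn "review access logs periodically for unusual activity" into a repeatable check, as an added example that is not part of the original post: a POSIX shell function that runs awk over an exported access log and flags accounts not on the current staff roster, access outside clinic hours, and a single account opening an unusually large number of distinct patient records. The log format (CSV with timestamp, user, patient_id, action columns), the roster file, the 07:00 to 20:00 window and the 20-record threshold are constructed assumptions; My Health Record and clinical systems export their own formats, so the field positions and thresholds should be adjusted to match.

```shell
#!/bin/sh
# Added example, not code from the original post. Log format, roster and
# thresholds are constructed assumptions for the demo.
set -eu

# review_access_log LOGFILE ROSTERFILE [MAX_DISTINCT_PATIENTS]
# LOGFILE: CSV with a header line, columns timestamp,user,patient_id,action
#          (timestamps like 2025-07-22T09:15:00)
# ROSTERFILE: one authorised account name per line
# Prints one line per finding:
#   UNAUTHORISED-USER  account not on the roster (left staff, vendor account)
#   AFTER-HOURS        access before 07:00 or from 20:00 onwards
#   HIGH-VOLUME        one account opened more distinct records than the
#                      threshold (default 20) in the reviewed period
review_access_log() {
    awk -F, -v roster="$2" -v max="${3:-20}" '
        BEGIN {
            while ((getline line < roster) > 0) allowed[line] = 1
            close(roster)
        }
        NR > 1 {
            ts = $1; user = $2; patient = $3
            split(ts, parts, /[T:]/)          # date, hour, minute, second
            hour = parts[2] + 0
            if (!(user in allowed))
                print "UNAUTHORISED-USER", user, ts, patient
            else if (hour < 7 || hour >= 20)
                print "AFTER-HOURS", user, ts, patient
            if (!((user, patient) in seen)) { # count each patient once per user
                seen[user, patient] = 1
                distinct[user]++
            }
        }
        END {
            for (u in distinct)
                if (distinct[u] > max)
                    print "HIGH-VOLUME", u, distinct[u] " distinct records"
        }
    ' "$1"
}

# Stand-alone demo on a constructed log: "sh access-review.sh demo"
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    printf 'dr.smith\nnurse.jones\n' > "$work/roster"
    {
        printf 'timestamp,user,patient_id,action\n'
        printf '2025-07-22T09:15:00,dr.smith,P1001,view\n'
        printf '2025-07-22T22:40:00,dr.smith,P1002,view\n'
        printf '2025-07-22T10:05:00,contractor.x,P1003,view\n'
    } > "$work/log"
    review_access_log "$work/log" "$work/roster"
fi
```

Findings are prompts for a conversation, not verdicts: an on-call GP legitimately opens records at night, and a bulk recall campaign legitimately touches many patients. The value is that a departed staff member's account still being used, or a vendor support account browsing records, surfaces within the review period instead of never.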

What should a GP practice do to meet Essential Eight requirements?

The Essential Eight is a set of baseline controls published by the Australian Cyber Security Centre. For a GP practice, the most impactful controls are: enabling MFA on all clinical systems and email, keeping software and operating systems patched and up to date, restricting administrative privileges (not every computer should run as admin), disabling macros in Microsoft Office, and maintaining encrypted daily backups stored off-site or in the cloud. You don't need to achieve all eight perfectly, but working through them systematically — ideally with the help of a managed IT provider — puts your practice in a much stronger position than most.

Tags

medical practices · healthcare security · patient records · ransomware · My Health Record · dental