Key Takeaways
- The RACGP Computer and Information Security Standards (CISS) cover 12 domains of IT security and are assessed during accreditation under Criterion C6.4. Practices without documented policies and evidence of implementation risk non-conformity.
- The ASD Essential Eight is the Australian Government's baseline cybersecurity framework. Most GP practices currently sit at Maturity Level 0 or 1. Cyber insurers increasingly require Maturity Level 2 as a minimum condition of coverage.
- A single healthcare data breach can trigger three separate reporting obligations at the same time: the Notifiable Data Breaches scheme (Privacy Act), the My Health Record Act, and the Cyber Security Act 2024 ransomware payment reporting rule.
- The Australian Clinical Labs $5.8 million penalty in October 2025 specifically cited the absence of mandatory MFA for remote access, untested incident response plans, and inadequate application controls as failures to meet the "reasonable steps" standard under APP 11.
- Healthcare has been Australia's most-breached sector in every OAIC report since 2018, and the ASD found that malicious actors succeeded in 95% of healthcare incidents they responded to, compared to 52% across all other sectors.
Healthcare cybersecurity in Australia is no longer a conversation about whether your practice could be targeted. The ASD's Annual Cyber Threat Report for 2024-25 found that ransomware incidents against healthcare doubled year-on-year. In October 2025, the Federal Court handed Australian Clinical Labs a $5.8 million civil penalty for failing to take reasonable steps to protect patient data. That penalty was not issued because ACL was hacked. It was issued because the court found specific, documented gaps in their security controls: no mandatory MFA for remote access, untested incident response plans, no data loss prevention, and insufficient log retention. Every one of those gaps is common in Australian GP practices today.
This guide consolidates what your practice actually needs to comply with across two frameworks (RACGP CISS and the Essential Eight) and three regulatory regimes, and translates it into a practical checklist that a practice manager or MSP can work through.
What the RACGP CISS Requires
The RACGP Computer and Information Security Standards provide detailed guidance for general practices on IT and information security. They underpin Criterion C6.4 in the RACGP Standards for General Practices, which requires that your practice has a system for information security. When AGPAL or QPA assessors visit for accreditation, C6.4 is where they look for documented policies, evidence of implementation, and staff awareness.
The CISS covers 12 domains. Each one requires both a written policy and evidence that the policy is being followed.
Access Control and Passwords
Every staff member must have their own named user account. Shared logins are a non-conformity at accreditation and a direct security risk, because you cannot audit who accessed what if three people share the same credentials. Role-based access should follow least privilege: reception staff do not need the same PMS functions as clinicians, and nobody should do day-to-day work from an account with administrator rights. Passwords must be at least 12 characters with complexity requirements; note that the ASD's Information Security Manual now favours long passphrases over complexity rules, so treat length as the control to insist on and complexity as the minimum. MFA should be enabled on every system that supports it: your PMS, email, cloud services, remote access, and PRODA/HPOS. Where the system offers a choice, prefer an authenticator app or hardware security key over SMS codes, which can be intercepted or socially engineered through SIM swapping. The ACL judgment specifically cited the absence of mandatory MFA for remote access as a departure from reasonable steps under APP 11.
Backup and Recovery
Your practice needs daily automated backups of your PMS and clinical data, a minimum 30-day retention period, at least one offsite or cloud copy, and quarterly test restores that are documented. The offsite copy should be offline or immutable (write-once), so that an attacker who obtains your admin credentials cannot delete or encrypt it along with the live data; ransomware operators routinely go after backups before they trigger encryption. The quarterly restore test is the part most practices skip. Having backups is not enough if you have never verified they actually work, and a restore test only counts as accreditation evidence if it is recorded: date, what was restored, where, and whether the restored data was checked against the original. A 3-2-1 strategy (three copies, two media types, one offsite) is the CISS baseline. You also need a documented business continuity plan for operating without IT systems, because if ransomware encrypts everything, your team needs to know how the practice keeps running while recovery happens.
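As an added example (not part of the RACGP CISS, not the page author's tooling, and not any PMS vendor's software), the following Python script performs the quarterly test restore in a way that produces the evidence assessors ask for: it restores a backup archive into a scratch directory, checks every file against a SHA-256 manifest written by the backup job, and appends a dated PASS/FAIL record to a log. The archive format (tar.gz plus a JSON manifest) and the sample files are assumptions constructed for the demonstration; point the functions at your real backup output and adapt the archive handling if your PMS vendor produces a different format.

```python
"""Quarterly test restore with written evidence (added example, not RACGP or
vendor code). Assumes the backup job emits a tar.gz archive plus a JSON manifest
of relative path -> SHA-256; both are constructed here for the demo."""
import hashlib
import json
import os
import tarfile
import tempfile
import zlib
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sample_backup(workdir):
    """Constructed stand-in for a nightly PMS backup: three files, their
    archive, and the manifest a backup job would write alongside it."""
    src = os.path.join(workdir, "pms")
    os.makedirs(os.path.join(src, "attachments"))
    files = {
        "clinical.db": os.urandom(4096),
        "attachments/referral_0001.pdf": b"%PDF-1.4 sample referral\n" * 40,
        "config.ini": b"[pms]\nversion=19.3\n",
    }
    for rel, data in files.items():
        with open(os.path.join(src, rel), "wb") as f:
            f.write(data)
    manifest = {rel: sha256_file(os.path.join(src, rel)) for rel in files}
    archive = os.path.join(workdir, "pms-backup.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for rel in files:
            tar.add(os.path.join(src, rel), arcname=rel)
    manifest_path = os.path.join(workdir, "pms-backup.manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return archive, manifest_path


def verify_restore(archive, manifest_path):
    """Extract into a fresh scratch directory (never over live data) and check
    every manifest entry came back with the expected hash. Returns an evidence
    record; an unreadable archive or a missing/altered file is a FAIL."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory(prefix="restore-test-") as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Refuse member names that would escape the scratch directory.
                for m in tar.getmembers():
                    if m.name.startswith("/") or ".." in m.name.split("/"):
                        problems.append(f"unsafe path in archive: {m.name}")
                if not problems:
                    # Use the hardened extraction filter where this Python has it.
                    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                    tar.extractall(scratch, **extra)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            problems.append(f"archive unreadable: {exc}")
        if not problems:
            for rel, expected in manifest.items():
                path = os.path.join(scratch, rel)
                if not os.path.isfile(path):
                    problems.append(f"missing after restore: {rel}")
                elif sha256_file(path) != expected:
                    problems.append(f"hash mismatch: {rel}")
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "archive": os.path.basename(archive),
        "files_expected": len(manifest),
        "result": "PASS" if not problems else "FAIL",
        "problems": problems,
    }


def append_evidence(record, logfile):
    """One JSON line per test run; the file is the accreditation evidence."""
    with open(logfile, "a") as f:
        f.write(json.dumps(record) + "\n")


def run_demo():
    """Verify the sample backup, then alter one manifest entry (as a silently
    corrupted file would) and show the check fails. Returns both records."""
    with tempfile.TemporaryDirectory() as work:
        archive, manifest = make_sample_backup(work)
        good = verify_restore(archive, manifest)
        with open(manifest) as f:
            entries = json.load(f)
        entries["clinical.db"] = "0" * 64  # simulate a corrupted database file
        with open(manifest, "w") as f:
            json.dump(entries, f)
        bad = verify_restore(archive, manifest)
        append_evidence(good, os.path.join(work, "restore-tests.jsonl"))
        return good, bad


if __name__ == "__main__":
    for record in run_demo():
        print(record["result"], record["problems"])
```

Run it from a scheduled task each quarter against the most recent offsite copy, not the local one, and keep the resulting `restore-tests.jsonl` with your other accreditation evidence. The point of hashing against a manifest rather than just confirming the archive opens is that a backup which extracts cleanly but contains a truncated or corrupted database file is exactly the failure you only discover on the day you need it.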
Patching and Software Updates
Critical vulnerabilities with known exploits must be patched within 48 hours. All other patches should be applied within 14 days. End-of-life software, meaning anything that no longer receives security updates from the vendor, must be identified and replaced, and the list of what you run (operating systems, PMS version, browsers, PDF readers, remote access tools) should be maintained so that the check is possible at all. This is one of the most common gaps in general practice: practices running Windows versions or PMS versions that have not received a security patch in months. Automated patching should be enabled where possible, with an agreed maintenance window so that reboots do not land mid-consultation.
Network and Endpoint Security
Every practice needs current antivirus or endpoint protection on all devices with real-time scanning enabled, a hardware or next-generation firewall at the network perimeter with default-deny inbound rules, and Wi-Fi secured with WPA3 where your access points and devices support it (WPA2 with AES is the floor for older medical devices and printers; WEP and WPA-TKIP should not be in use anywhere). Your guest Wi-Fi network must be isolated from your clinical network. USB scanning should be enforced or USB ports disabled on clinical workstations entirely. Application control, meaning only approved software can execute, is both an Essential Eight strategy and a CISS recommendation.
Staff Training
All new staff must receive cybersecurity awareness training at induction. All staff must complete an annual refresher, and completion records must be kept as evidence for accreditation. Phishing simulation exercises should be run at least twice a year. When new threats emerge (a wave of healthcare-targeted phishing, for example), alerts should be communicated to staff promptly.
The Remaining Domains
The CISS also covers email and internet security (phishing awareness, encrypted clinical messaging via HealthLink, Argus, or Medical Objects), mobile device and remote access (VPN requirements, lost device protocols, BYOD policies), disposal and decommissioning of IT equipment (data destruction following NIST SP 800-88 or equivalent, with certificates of destruction retained), incident response (contain, report, assess, notify under the NDB scheme, remediate, review), and third-party vendor management (security certifications, Australian data residency, contractual security obligations). Each domain requires a documented policy and evidence of implementation.
Where the Essential Eight Fits In
The ASD Essential Eight is the Australian Government's baseline cybersecurity framework, developed by the Australian Signals Directorate. It consists of eight mitigation strategies that, when implemented together, make it significantly harder for adversaries to compromise your systems.
The eight strategies are: application control (only approved software can run), patching applications (online services within 48 hours when an exploit exists and otherwise within two weeks; browsers, office suites, email clients, PDF readers and security products within two weeks; other applications within one month at ML1 and ML2), configuring Microsoft Office macro settings (block macros in files that came from the internet, and block macros entirely for users without a demonstrated business need), user application hardening (browsers do not process Java or web advertisements from the internet; Internet Explorer 11 and other legacy components are disabled or removed), restricting administrative privileges (separate admin accounts, least privilege, no web browsing or email from privileged accounts), patching operating systems (the same structure: 48 hours for internet-facing systems with a known exploit, two weeks otherwise, and one month for workstations and internal servers at ML1 and ML2), multi-factor authentication (phishing-resistant MFA preferred over SMS), and regular backups (tested, offsite, encrypted, and not deletable by ordinary user accounts).
Why Maturity Level 2 Is the Target
The Essential Eight uses four maturity levels. ML0 means the practice has weaknesses that leave it exposed to even opportunistic attacks. ML1 is designed to stop actors using commodity tradecraft and publicly available tools. ML2 is designed to stop actors with a modest step-up in capability who are willing to invest time in a particular target, for example by phishing for credentials and working around weak MFA. ML3 is aimed at adaptive actors who are far less reliant on public tools and will look for weaknesses specific to your environment.
Most GP practices currently sit at ML0 or ML1. Common gaps include no application control whatsoever (any software can be installed on any workstation), shared admin accounts, patching delays measured in months rather than weeks, and MFA deployed on some systems but not others.
ML2 is the target for healthcare. The Australian Digital Health Agency references Essential Eight ML2 in its security guidance. Cyber insurers in Australia now routinely require ML2 as a minimum prerequisite for coverage, and some will not quote without evidence of compliance. If your practice cannot demonstrate ML2 alignment, you may find yourself uninsurable against cyber incidents, which is a significant financial exposure given the breach statistics in healthcare.
The practical reality is that the jump from ML1 to ML2 is where most of the meaningful security improvement happens. It is also where most of the overlap with RACGP CISS requirements sits. If you achieve ML2, you will meet most of the CISS technical requirements as a matter of course.
The Three Regulatory Obligations That Stack
A single cybersecurity incident at your practice can trigger three separate reporting obligations simultaneously, each with different timelines and different recipients.
The first is the Notifiable Data Breaches scheme under the Privacy Act 1988. This applies to all health service providers regardless of size or turnover; there is no small business exemption for health information. When you suspect an eligible data breach, you must complete your assessment within 30 days of becoming aware of it, and once you conclude that the threshold is met you must notify the OAIC and affected individuals as soon as practicable. Following the 2022 amendments, the maximum civil penalty for a serious interference with privacy is the greater of $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover for the relevant period.
The second is the My Health Record Act 2012. If your practice is connected to the My Health Record system, you must notify both the OAIC and the Australian Digital Health Agency when a breach may have occurred. The trigger here is lower than the NDB scheme: you report when a breach may have occurred, not just when you have confirmed it. Penalties reach up to $108,000 for an organisation.
The third is the Cyber Security Act 2024, whose ransomware payment reporting obligation commenced on 30 May 2025. Any entity with annual turnover above $3 million must report a ransomware payment to the Australian Signals Directorate within 72 hours through cyber.gov.au. This is specifically about payments, not incidents, and it covers a payment made on your behalf by a third party such as an insurer or a negotiator. If your practice is hit by ransomware and does not pay, this obligation does not apply, but the NDB and My Health Record obligations still do.
Understanding which obligation is live and what action each requires is not optional once an incident begins. Having this mapped out before an incident happens is part of what RACGP CISS means by a documented incident response plan.
My Health Record Rule 42: The Obligation Most Practices Overlook
Every healthcare provider organisation connected to My Health Record must have a written Security and Access Policy under Rule 42 of the My Health Records Rule 2016. The OAIC conducts periodic compliance assessments and publishes the results.
Your Rule 42 policy must address: how you authorise staff access to My Health Record, how staff are trained on their MHR obligations and the consequences of unauthorised access, what process you use to verify the identity of anyone requesting MHR access, what physical and information security measures protect the systems used to access MHR, how user accounts are managed (including under Rule 44), what strategies you have to identify, mitigate, and report risks to the MHR system, and version control with an effective date.
This is not a one-off exercise. Your Security and Access Policy must be current, version-controlled, and reflected in your actual practice operations. NASH PKI certificates, which authenticate your organisation's clinical software to the My Health Record system and to secure messaging providers, must be installed, kept current, and renewed before they expire.
What the ACL Penalty Means for Your Practice
The Australian Clinical Labs case is not just a headline. The Federal Court's judgment established specific legal precedent about what "reasonable steps" means under APP 11, and every GP practice should understand it.
The court found that APP 11 imposes an objective standard. You cannot discharge your obligation by outsourcing security to an IT provider "without doing anything more." The assessment is holistic, looking at your full framework of systems, policies, and procedures. Perfection is not required, but a "substantial departure from reasonable standards" will attract penalties.
The specific control gaps the court identified in ACL's systems read like a checklist of common GP practice weaknesses: no mandatory MFA for remote access, untested incident response playbooks, no data loss prevention tools, inadequate application controls, insufficient log retention, and weak recovery plans. If your practice shares any of those gaps, the ACL judgment is the clearest possible signal that those gaps represent a departure from the legal standard you are held to.
The broader statistics reinforce the urgency. Healthcare has been Australia's most-breached sector in every OAIC report since the NDB scheme launched in 2018. The ASD found that malicious actors succeeded in 95% of healthcare sector incidents they responded to, compared to 52% across all other sectors. The MediSecure breach in April 2024 affected about 12.9 million Australians. The Genea Fertility breach in February 2025 saw 700GB of unencrypted IVF patient data published on the dark web, with affected individuals not contacted for five months. These are not theoretical risks.
The Practical Checklist
If your practice or MSP wants a structured starting point, here is what you should be working through across governance, technical controls, and operations.
Governance
Your practice needs:
- a written IT security policy framework covering the 12 CISS domains
- a designated person responsible for information security (this can be the practice manager working with your IT provider, but the responsibility must be documented)
- an annual IT risk assessment
- a documented and tested cyber incident response plan
- an IT provider or MSP service agreement that clearly documents security responsibilities
- a current My Health Record Security and Access Policy under Rule 42
Technical Controls
- individual named user accounts for every staff member, with no shared logins
- MFA enabled on your PMS, email, cloud services, remote access, and PRODA/HPOS
- role-based access following least privilege
- a documented process for revoking access on the same day a staff member leaves
- daily automated backups with 30-day retention and at least one offsite copy
- quarterly backup restore tests that are documented
- critical patches applied within 48 hours and all other patches within 14 days
- end-of-life software identified and replaced
- current endpoint protection on all devices
- a hardware firewall with default-deny rules
- WPA3 Wi-Fi with guest network isolation
- application control blocking unapproved software
- Microsoft Office macros from the internet blocked
Operations
- cybersecurity awareness training at induction for all new staff
- annual refresher training with documented completion records
- phishing simulation exercises at least twice per year
- an annual access review across all systems
- quarterly backup restore tests
- an annual software and licence audit
- annual policy review with version control
- current security certifications for your IT provider
- all cloud services storing data in Australia
- vendor contracts that include security obligations and breach notification requirements
How ClinicComply Helps
ClinicComply includes the RACGP Computer and Information Security Standards as a built-in compliance framework, with checklist items mapped across policy, access control, backup, network security, and training domains. Your practice can track progress against each CISS requirement, upload evidence documents, assign responsibility to team members, and set review reminders, all in one place alongside your other compliance frameworks.
For MSPs managing cybersecurity across multiple practices, ClinicComply's MSP tier provides a single dashboard view of CISS compliance status across your entire client portfolio, so you can see which practices have gaps and prioritise your work accordingly.
If your practice does not currently have a structured way to track cybersecurity compliance, or if your accreditation is approaching and you need to demonstrate C6.4 conformity, now is the right time to get organised. Start your free trial at cliniccomply.com.au.
Frequently Asked Questions
What cybersecurity standards must Australian GP practices comply with?
Australian GP practices must comply with the RACGP Computer and Information Security Standards (CISS), which cover 12 domains of IT security and are assessed under Criterion C6.4 during RACGP accreditation. Practices should also align with the ASD Essential Eight cybersecurity framework, targeting Maturity Level 2 as a minimum. Additional obligations come from the Privacy Act 1988 (APP 11 reasonable steps), the My Health Record Act (Rule 42 Security and Access Policy), and the Cyber Security Act 2024 (ransomware payment reporting).
What Essential Eight maturity level should a GP practice target?
GP practices should target Essential Eight Maturity Level 2. This is the level recommended for organisations handling sensitive data, referenced by the Australian Digital Health Agency, and increasingly required by cyber insurers as a condition of coverage. Most GP practices currently sit at Maturity Level 0 or 1, with the most common gaps being no application control, shared admin accounts, delayed patching, and inconsistent MFA deployment.
Is MFA mandatory for Australian medical practices?
MFA is not universally mandated by a single law, but it is effectively required through multiple overlapping obligations. The RACGP CISS recommends MFA for all systems holding patient data. The ACL penalty specifically cited the absence of mandatory MFA for remote access as a failure under APP 11. PRODA and government services require MFA from September 2025. Cyber insurers routinely require MFA as a condition of coverage. In practice, any GP that does not have MFA on their PMS, email, and remote access is exposed to both regulatory and insurance risk.
What is My Health Record Rule 42?
Rule 42 of the My Health Records Rule 2016 requires every healthcare provider organisation connected to My Health Record to maintain a written Security and Access Policy. The policy must cover staff access authorisation, training on MHR obligations, identity verification processes, physical and information security measures, user account management, risk identification and mitigation strategies, and version control. The OAIC conducts periodic compliance assessments and publishes the results.
How does the RACGP CISS relate to accreditation?
The RACGP CISS underpins Criterion C6.4 (Information Security) in the RACGP Standards for General Practices. During accreditation, AGPAL or QPA assessors evaluate whether your practice has documented IT security policies covering the 12 CISS domains and evidence that those policies are being implemented. Evidence includes backup test logs, training completion records, access review documentation, and incident response testing records. A practice without documented CISS policies risks non-conformity at accreditation.
What are the penalties for a healthcare data breach in Australia?
Following the 2022 amendments, the maximum civil penalty under the Privacy Act 1988 for a serious interference with privacy is the greater of $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover. The first civil penalty ever imposed under the Privacy Act was the $5.8 million ordered against Australian Clinical Labs in October 2025. Under the My Health Record Act, penalties reach up to $108,000 per organisation. The Cyber Security Act 2024 imposes penalties of up to $99,000 for a body corporate that fails to report a ransomware payment within 72 hours. These penalties can stack because each obligation is assessed independently.