Why this matters for your practice
Healthcare is consistently one of the most breached sectors in Australia, and medical practices hold exactly the kind of sensitive data attackers want. The Essential Eight is the most widely used baseline for defending against that, and the RACGP's information security guidance maps closely to it. A practice that can show it is working toward the Essential Eight has a concrete, recognised way to demonstrate that its security is reasonable, which also supports its obligations under APP 11 and the Notifiable Data Breaches scheme.
It is not a legal requirement for private practices in itself, but it is the de facto standard a practice will be measured against if something goes wrong.
The eight strategies
The Essential Eight are grouped by what they achieve:
Prevent attacks
- Application control (only approved applications can run).
- Patch applications (fix known software vulnerabilities quickly).
- Configure Microsoft Office macro settings (block untrusted macros).
- User application hardening (disable risky features such as Flash, ads, and Java in browsers).
Limit the extent of incidents
- Restrict administrative privileges (limit who has admin access).
- Patch operating systems (keep operating systems up to date).
- Multi-factor authentication (require more than a password to log in).
Recover data and system availability
- Regular backups (maintain and test backups so you can recover).
The maturity model
Progress is measured on a four-level scale:
- Maturity Level Zero: strategies not implemented, or significant gaps.
- Maturity Level One: basic protection against attackers using common, widely available techniques.
- Maturity Level Two: protection against more capable attackers.
- Maturity Level Three: protection against advanced, targeted attackers.
The guidance is to reach the same maturity level across all eight strategies before moving up, rather than maxing out one and ignoring others. Maturity Level Two is a common target for organisations holding sensitive personal data.
Common mistakes
- Cherry-picking strategies, for example doing MFA but skipping backups or patching.
- Uneven maturity, with some controls at Level Two and others at Level Zero.
- Untested backups, which fail exactly when a ransomware incident makes them matter.
- Treating it as a one-off project rather than an ongoing posture.
Frequently Asked Questions
What is the Essential Eight?
The Essential Eight is a set of eight baseline cyber security mitigation strategies from the Australian Signals Directorate. They are designed to protect organisations against common cyber threats and are grouped into preventing attacks, limiting their extent, and recovering data and systems.
What are the eight strategies?
They are application control, patching applications, configuring Microsoft Office macros, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups.
What are the Essential Eight maturity levels?
The maturity model runs from Maturity Level Zero (not implemented) through Levels One, Two, and Three, representing protection against progressively more capable attackers. The guidance is to achieve the same level across all eight strategies before moving to a higher one.