Cybersecurity in healthcare

By Krist Davood - November 28, 2017

Starting from the 22 February 2018, most organisations with a turnover above $3 million will fall within the scope of new Privacy Act measures requiring mandatory notification of cybersecurity breaches.

This applies to the healthcare sector too. When healthcare and cyber collide, the experience can be visceral unless proper planning and preparation have been undertaken. Let’s illustrate with an example inspired by a true story.

Consider 27-year-old Olivia, who has been suffering from chronic heart disease. Olivia was being prepped for life-saving surgery when a cyber-attack occurred. The surgeons were unable to access critical systems, the operation was postponed, and Olivia was left waiting for her life-changing event.

With this in mind, healthcare executives would have three main concerns:

  1. Business Continuity
  2. Integrity of systems and data
  3. Privacy

From a cybersecurity perspective, Pitcher Partners recommend that five key artefacts should be in place and signed-off by the executive or the board:

  1. Crisis Management Blueprint
  2. Business Continuity Plan
  3. Encryption Policies
  4. Public Disclosure Plans
  5. Cybersecurity Dashboard, highlighting your compliance with regulatory requirements

As well as protecting against adverse patient outcomes such as Olivia's, these artefacts mitigate compliance risks in relation to the relevant Acts and regulations. These include the Privacy Act Amendments, the Victorian Protective Data Security Framework (VPDSF), the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), and the NIST SP 800-30 risk management framework.

Upcoming penalties of up to $1.7 million for companies, and up to $340,000 for individuals, mean directors will need to be prepared for the Privacy Amendment (Notifiable Data Breaches) Act 2017 to ensure they do not pay fines. These penalties do not include reparation costs for customers impacted by the breach.

If your organisation is concerned, please contact Pitcher Partners who can help you perform a Cybersecurity Health Check, a first step towards understanding your risk and evaluating your organisation’s ability to meet your obligations.


Krist Davood is a Principal Consultant in Pitcher Partners Consulting (PPC) and PPC’s Cybersecurity Lead.
