Cyber Security for GP Clinics and Allied Health: What AHPRA's 'Reasonable Steps' Obligation Actually Requires
Health practitioners have clear legal and professional obligations to protect patient information from cyber threats. Most small practices don't know exactly what's required — or that the Privacy Act applies to them regardless of their size.
A GP clinic in Brisbane. A physiotherapy practice in Perth. A psychology group in Melbourne. Three very different businesses — but all holding some of the most sensitive personal information in existence: diagnoses, medications, mental health histories, Medicare numbers, and clinical notes that patients have shared in confidence.
Cybercriminals know this, and they target health practices accordingly. According to the Australian Signals Directorate's (ASD) Annual Cyber Threat Report 2024–25, ransomware incidents against Australia's healthcare sector doubled in the 2024–25 financial year compared to the year before. Malicious actors were successful in 95% of all healthcare and social assistance sector incidents — compared to 52% across all sectors. Healthcare is not a bystander in Australia's cyber threat environment. It is a primary target.
What most practitioners at small clinics don't fully appreciate is that this risk carries specific professional and legal obligations — and that those obligations apply regardless of how small the practice is.
The Two Frameworks That Apply to Every Health Practice
Health practitioners face cyber security obligations from two distinct but overlapping sources: their professional registration body (typically the Australian Health Practitioner Regulation Agency, or AHPRA) and the Privacy Act 1988 (Cth). Understanding both — and where they differ — matters for knowing what you're actually required to do.
1. AHPRA's Shared Code of Conduct
AHPRA's Shared Code of Conduct applies to practitioners registered under 12 National Boards, including physiotherapists, occupational therapists, chiropractors, dental practitioners, optometrists, osteopaths, pharmacists, podiatrists, paramedics, medical radiation practitioners, Chinese medicine practitioners, and Aboriginal and Torres Strait Islander Health Practitioners. Medical practitioners, nurses, midwives, and psychologists have profession-specific codes with equivalent obligations.
The Code is explicit on patient privacy: "You have ethical and legal obligations to protect the privacy of patients. Patients have a right to expect that you will hold information about them in confidence."
The Code specifically requires practitioners to:
- Be aware of the requirements of privacy and health records legislation, and apply them to information held in all formats, including electronic information
- Ensure that all staff are aware of the need to respect the confidentiality and privacy of patients
- Never access records when not professionally involved in the care of the person or authorised to do so
- Not transmit, share, reproduce, or post any person's information or images without first getting written and informed consent
The phrase "information held in all formats, including electronic information" is deliberate. It means your practice management software, your cloud storage, your email system, your appointment booking platform, and any other system holding patient data all fall within the scope of your professional confidentiality obligations — not just paper records.
Key point: A failure to take reasonable steps to protect patient data is not just a Privacy Act issue — it is a potential breach of your professional Code of Conduct, enforceable by your National Board and ultimately by AHPRA. These are separate and concurrent obligations.
2. The Privacy Act 1988 (Cth) — and Why the Turnover Threshold Doesn't Apply to You
Most small businesses are only subject to the Privacy Act if they have an annual turnover above $3 million. Health service providers are a statutory exception. Under the Privacy Act, all private health service providers — regardless of turnover, regardless of how many patients they see, regardless of whether they operate as a sole trader or a partnership — are classified as "APP entities" and must comply with the Australian Privacy Principles (APPs).
This means a sole-practitioner physiotherapist working two days a week from a shared clinic room has the same Privacy Act obligations as a large private hospital. The turnover threshold simply does not apply.
The relevant obligation for cyber security is Australian Privacy Principle 11 (APP 11), which requires every APP entity to take such steps as are reasonable in the circumstances to protect personal information from:
- Misuse, interference, and loss
- Unauthorised access, modification, or disclosure
Health information is also classified as "sensitive information" under the Privacy Act, which triggers a higher standard of protection and stricter rules for how it can be collected, used, and disclosed.
The Notifiable Data Breach (NDB) scheme — which requires notification to the Office of the Australian Information Commissioner (OAIC) and affected patients when a breach is likely to cause serious harm — applies to all health service providers without exception.
Why Health Practices Are Such High-Value Targets
The concentration of sensitive data in a typical health practice is extraordinary. A GP clinic holding records for 2,000 active patients may have:
- Complete medical histories, diagnoses, and medication lists
- Mental health notes and referrals
- Medicare numbers and Health Care Card details
- Pathology and imaging results
- Private health insurance information
- Demographic and contact details for patients and families
A patient's medical record can contain information they haven't shared with their employer, their family, or their insurer. The sensitivity — and therefore the value to criminals — is unusually high. Medical identity theft, insurance fraud, and targeted extortion are all enabled by stolen health records.
Allied health practices face the same risks, often with less IT infrastructure and fewer staff to manage it. A psychologist's practice notes are among the most sensitive documents in existence. A dental clinic holds not just clinical records but payment details and health fund information. An occupational therapy practice working with workplace injury claims holds data with direct employment and insurance implications. Practices that also deliver NDIS-funded supports face both sets of obligations concurrently — the AHPRA Code and the NDIS Commission's Practice Standards apply simultaneously.
The July 2024 incident: The ASD's 2024–25 Annual Cyber Threat Report details a ransomware attack on an Australian e-prescription service in July 2024 in which approximately 6.5 terabytes of patient data — spanning records from 2019 to 2023 — were exfiltrated from a single database server. The attack affected a large number of downstream pharmacies and patients. This was not a hospital. It was a software service used by small healthcare providers.
What 'Reasonable Steps' Actually Means for a Small Practice
The phrase "reasonable steps" in APP 11 is deliberately flexible — it is assessed in the context of the size of the practice, the sensitivity of the information held, and what a reasonable practitioner in that position would have done. For health providers, given the extreme sensitivity of clinical data, the bar for what is "reasonable" is meaningfully higher than for other small businesses.
The OAIC has published detailed guidance on what reasonable steps under APP 11 look like in practice. The ASD's Essential Eight framework provides a practical set of baseline controls that are widely referenced as a benchmark for reasonable security hygiene. Together, these point to the following as the baseline that health practices should be meeting:
Multi-Factor Authentication on Practice Systems
Multi-factor authentication (MFA), a second verification step beyond a password at login, is one of the most effective controls against credential-based attacks. It should be enabled on your practice management software (Best Practice, Medical Director, Cliniko, Halaxy, or equivalent), your email system, your cloud storage, your patient booking platform, and any telehealth tools you use. Stolen or phished credentials are a common entry point for attacks on healthcare practices, and MFA directly addresses this. Where a system offers a choice, prefer an authenticator app, security key or passkey over SMS codes, which can be intercepted or redirected. Check that MFA is actually enforced for every account, including administrator, shared reception and vendor support logins, rather than merely available as an option.
Regular, Tested Backups Stored Separately
If ransomware encrypts your patient records and you have no backup, your options are to pay the ransom or rebuild from scratch, losing potentially years of clinical records in the process. Backups should run automatically, be stored separately from your main systems so that ransomware cannot reach them (at least one copy offline, or in storage that the day-to-day practice credentials cannot modify or delete), and be tested periodically by actually restoring files and confirming they open. A backup you've never tested is an assumption, not a verified control. Keep a short record of each restore test: the date, what was restored, and whether it succeeded.
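The restore test described above, as an added example that is not from this article or from any product named on it: a POSIX shell script that backs up a directory into a gzipped tar archive, restores it into a scratch directory, compares the SHA-256 checksum of every file against the live copy, and then shows a truncated archive failing the same check. The archive format, the paths and the sample data are assumptions made for the demonstration; nothing in it is a real practice record.

```shell
#!/bin/sh
# Added example (not from the original article): a restore test for a file-level
# backup, so "tested periodically by actually restoring files" has a concrete shape.
# Assumes the backup is a gzipped tar of a directory. All paths and the sample data
# below are constructed for the demo, not real practice records.

# Print the SHA-256 of a file (falls back to shasum on systems without sha256sum).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_backup SRC_DIR ARCHIVE: back up SRC_DIR into a gzipped tar archive.
make_backup() {
    tar -czf "$2" -C "$1" .
}

# verify_restore ARCHIVE SRC_DIR: extract ARCHIVE into a scratch directory and
# compare every file under SRC_DIR with its restored copy. Returns 0 only if the
# archive extracts cleanly and every file is present with a matching checksum.
verify_restore() {
    archive="$1"; src="$2"
    scratch=$(mktemp -d) || return 2
    list=$(mktemp) || { rm -rf "$scratch"; return 2; }
    failures=0
    # Step 1: the restore itself. A backup that will not extract is not a backup.
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        echo "FAIL: $archive could not be extracted"
        failures=1
    else
        # Step 2: every live file must come back byte-for-byte identical.
        (cd "$src" && find . -type f) > "$list"
        while IFS= read -r rel; do
            if [ ! -f "$scratch/$rel" ]; then
                echo "MISSING: $rel"
                failures=$((failures + 1))
            elif [ "$(digest "$src/$rel")" != "$(digest "$scratch/$rel")" ]; then
                echo "MISMATCH: $rel"
                failures=$((failures + 1))
            fi
        done < "$list"
    fi
    rm -rf "$scratch" "$list"
    [ "$failures" -eq 0 ]
}

# demo: build a constructed data tree, back it up, verify the restore, then show
# that a truncated archive (the "backup you've never tested") fails the check.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/data/clinical"
    printf 'constructed sample note, not a real record\n' > "$work/data/clinical/note-0001.txt"
    printf 'constructed sample appointment list\n' > "$work/data/appointments.csv"
    make_backup "$work/data" "$work/nightly.tgz"
    if verify_restore "$work/nightly.tgz" "$work/data"; then intact=pass; else intact=fail; fi
    # Simulate a corrupt or incomplete backup by keeping only the first 40 bytes.
    dd if="$work/nightly.tgz" of="$work/broken.tgz" bs=1 count=40 2>/dev/null
    if verify_restore "$work/broken.tgz" "$work/data"; then broken=pass; else broken=fail; fi
    rm -rf "$work"
    echo "intact archive: $intact, truncated archive: $broken"
    [ "$intact" = pass ] && [ "$broken" = fail ]
}

demo
```

The truncated-archive case is the point the paragraph makes: the file existed on disk and would have satisfied a "backup job completed" check, yet it could not be restored. In a real practice, point verify_restore at the actual nightly archive on a schedule and keep the output with the date as the restore-test record.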
Software and Systems Kept Up to Date
Unpatched software contains known vulnerabilities that attackers actively exploit. This includes your practice management software, your operating system, your browser, and any plugins or integrations. Automatic updates should be enabled where possible. For medical devices or older systems that cannot be automatically updated, a manual review process should be in place.
Staff Access Limited to What's Needed
Not every staff member needs access to every patient's records. A receptionist booking appointments does not need access to clinical notes. A locum covering for a week does not need access to records for patients they won't see. Excessive access means a single compromised account — through phishing, a personal device breach, or a departing employee — can expose the entire practice. Access should be provisioned by role and removed promptly when staff leave or their role changes.
Staff Awareness of Phishing
Many cyber attacks against small practices begin with a staff member clicking a malicious link or entering credentials on a fake login page. Staff don't need to be security experts. They need to know what a suspicious email looks like, why they should never click links asking them to re-enter login credentials, and who to contact if they're unsure. This doesn't require a formal training programme; it requires the topic to be raised regularly, and a record kept of when it was raised and with whom.
A Basic Incident Response Plan
If something goes wrong, what do you do? Who do you call? When are you required to notify the OAIC? When do you need to notify patients? A basic incident response plan — even a one-page document — that answers these questions in advance is both good practice and strong evidence of due diligence. Without it, the response to an incident tends to be chaotic, and chaos amplifies the damage.
Your Notification Obligations If a Breach Occurs
Under the NDB scheme, if you experience a data breach that is likely to result in serious harm to any individual, you are required to:
- Notify the OAIC as soon as practicable once you have reasonable grounds to believe an eligible data breach has occurred (a suspected breach must be assessed within 30 days of becoming aware of it)
- Notify affected patients directly
For health practices, "serious harm" is almost always in scope — given the sensitivity of clinical records, the potential for identity theft, insurance fraud, and psychological harm from disclosure of sensitive medical information is well-established. You should assume the NDB scheme applies to any breach involving patient clinical data and seek advice if you're uncertain.
Failing to notify when required is itself a breach of the Privacy Act and attracts penalties separate from the original breach. For serious or repeated interferences with privacy, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 raised the maximum penalty for corporations to the greater of $50 million, three times the value of any benefit obtained from the breach, or 30% of adjusted turnover for the relevant period.
Beyond Privacy Act obligations, a breach involving patient data may also trigger a notification obligation to your professional indemnity insurer, and — depending on the circumstances — may need to be considered under your professional obligations to the relevant National Board.
What AHPRA Can Do If You Fall Short
If a patient makes a complaint to AHPRA following a data breach, or if a breach comes to the attention of the relevant National Board, the Board has a range of regulatory options available under the Health Practitioner Regulation National Law. These include requiring the practitioner to complete additional training or supervision, imposing conditions on registration, suspending registration, or cancelling registration in serious cases.
The standard applied is not whether a sophisticated attacker succeeded; attackers sometimes succeed regardless of good controls. The standard is whether the practitioner had taken reasonable steps before the incident occurred. A practitioner who can demonstrate documented controls, staff training, and a structured security review is in a materially different position from one who had no security practices in place at all.
What Evidence Do You Need?
If a breach occurs and your controls are questioned — by the OAIC, a National Board, a patient's legal representative, or your insurer — the relevant question is whether you can demonstrate that reasonable steps were in place. Documentation matters:
- Records showing MFA was enabled on practice systems
- Backup logs or evidence of tested restoration
- Evidence that staff received security awareness information
- An incident response plan, even a basic one
- A documented security assessment showing you reviewed your posture and identified gaps
A structured security assessment — one that walks through the specific controls relevant to your practice type, scores your current position, and produces a written report — gives you both the gaps to address and the evidence that you took your obligations seriously before any incident occurred.
The Practical Starting Point
For most GP clinics and allied health practices, the immediate priority is: enable MFA on your practice management software and email, verify that your backups are running and can actually be restored, review who has access to what, and make sure staff have been briefed on phishing. These four actions address the most common attack vectors against healthcare practices and provide a defensible starting point.
From there, a structured assessment specific to your practice type will identify the remaining gaps — including ones that a generic checklist won't surface, such as telehealth platform security, allied health-specific software, and the security of systems used by any contractors or visiting practitioners.
Know Where Your Practice Stands
Our health-sector Health Checks cover the specific controls AHPRA and the Privacy Act expect, in plain English with no technical knowledge required. You'll get a scored assessment with prioritised recommendations — and a written report you can keep as evidence of due diligence.
