

How to respond to a cybersecurity incident




If you suspect a cybersecurity incident has occurred, turn off all computers in the practice and remove their power cords from the walls to try to isolate the affected systems. Do not connect backup systems or portable devices such as laptops to the network, as this can spread an infection.


Next, carry out your cybersecurity incident response plan. Ensure that relevant staff members are aware of their roles in carrying out the plan.


Contact your IT provider or a forensic IT specialist so that they can identify the cause of the cybersecurity incident, limit further damage by containing and eliminating the threat, and repair and restore your key business systems. Consider how best to contact these people, as it may be safest not to use your practice email accounts.

 

Consider whether you need to contact police and/or your medical defence organisation. Your practice may also have insurance that offers specific coverage for cybersecurity incidents.


A cybersecurity incident can result in a data breach, where personal information held by the practice is lost, or is disclosed or accessed without authorisation. Data breaches satisfying particular criteria are subject to a mandatory notification process [7]. To determine whether the cybersecurity incident needs to be reported to the Office of the Australian Information Commissioner (OAIC) and patients, refer to the Managing notifiable data breaches in general practice flow chart in the Reporting a cybersecurity incident section of this resource.

The ACSC asks individuals and organisations that have experienced a cybersecurity incident to report it through its ReportCyber site. Reporting assists the ACSC in developing advice, capabilities and techniques to prevent and respond to cyber threats, which helps it to disrupt criminal operations.


If you’re faced with a ransomware demand, it’s best not to pay. There are no guarantees that the files will be decrypted if you pay the ransom, and paying makes you vulnerable to being attacked again as it marks you as an easy target.

No More Ransom!, an initiative supported by the Australian Federal Police and international law enforcement and IT security companies, provides free advice on recovering data without paying cybercriminals.

The ACSC advises victims of a ransomware attack to report the infection, seek help from an IT professional, consider the data lost and use backup files.


Your practice should already have a policy pertaining to backups and a reliable backup system that allows you to access business-critical and clinical information when disaster strikes. Your IT provider can help you safely retrieve your backup data without compromising your systems further.

For more information about creating and enacting a backup strategy, refer to the Information backup section in this resource.


General practices should be prepared for media attention if a data breach has occurred. Your cybersecurity incident response plan should include details on how to manage media and respond to patient, stakeholder and community concerns in the wake of the incident [8].


Enact your business continuity plan. A business continuity plan gives your practice a pathway back to delivering patient care following a major system failure. Such a plan should include information on the following functions of the practice:

  • Providing clinical care without access to patient health records
  • Scheduling appointments
  • Billing
  • Issuing prescriptions
  • Critical financial operations, such as payroll and Medicare claims

Reception and clinical staff may need to use paper-based systems as an interim measure, such as hard-copy appointment diaries and paper script pads. Appropriate steps must be taken to secure those records. Any information collected on paper should be added to the patient’s electronic medical record once the incident is resolved.

If you are unable to access backups, you may need to retrieve patient information from other sources to resume clinical care. Possible sources include My Health Record, pathology/imaging companies for recent results and reports, specialists for copies of letters and referrals, pharmacies and nursing homes for medication histories, and hospitals for discharge summaries [9].
 


References

7. Office of the Australian Information Commissioner. Data breach preparation and response. Sydney: OAIC, 2024. 
8. Avant Mutual. Responding to data breach. Sydney: Avant, 2024.
9. Avant Mutual. Responding to a cyber security incident. Sydney: Avant, 2023.
 