
Securing Operational Technology in Residential Aged Care
As Australia's new Aged Care Act 2024 approaches implementation on July 1, 2025, residential aged care facilities face unprecedented technological and regulatory challenges.
The increasing digitalisation of care services offers tremendous opportunities for improved resident care and operational efficiency, but also introduces complex cybersecurity considerations that require careful management.
The following analysis explores the intersection of technology, compliance, and security across the aged care industry, drawing on Microsolves' 25+ years of experience with a number of Australia's leading Aged Care providers.
The Digital Landscape in Australian Residential Aged Care
The aged care sector is undergoing significant transformation as facilities increasingly adopt digital solutions to enhance care delivery, streamline operations, and improve resident experiences. With Australia's population aging rapidly, there is a growing need for innovative technology solutions that create better opportunities for independence, social inclusion, and community participation in residential aged care facilities.
Digital transformation in aged care extends far beyond simple record-keeping. Today's facilities deploy a complex ecosystem of operational technology (OT) that includes care management systems, resident monitoring devices, communication platforms, and administrative tools. These technologies enable more personalized care while simultaneously generating vast amounts of sensitive data that requires protection.
As the world becomes increasingly digitized, the convergence of operational technology with traditional enterprise IT networks is inevitable. This integration allows aged care providers to better adapt to changing work environments and harness the power of a connected world. However, while such integration unlocks efficiency and innovation, it also introduces significant cybersecurity challenges.
Legislative Requirements Shaping Technology Deployment
The New Aged Care Act 2024
The Australian Government has introduced the Aged Care Bill 2024, which passed Parliament in late 2024, and is scheduled to become the new Aged Care Act from July 1, 2025. This legislation represents a fundamental shift from a provider-centered model to one focused on the rights and needs of older Australians.
The new Act aims to improve service delivery to older people across various settings, including residential aged care homes. It establishes new system oversight and accountability arrangements, increases provider accountability through a new regulatory model, and strengthens the aged care regulator. These changes directly impact how facilities must approach technology deployment and data security.
Information Security Requirements
Under the Aged Care Bill 2024, protecting client information is a non-negotiable responsibility for every aged care provider, regardless of size. The legislation introduces stringent requirements for managing protected information, including personal, health, and commercially sensitive data.
Providers must ensure that data is securely collected and stored to protect against unauthorised access, loss, or misuse. Personal data should only be used for its intended purpose, and providers must obtain consent from residents before sharing their information. Staff and contractors should also be bound by confidentiality agreements to prevent unauthorised disclosure.
Non-compliance with these requirements could lead to significant penalties, including fines and potential imprisonment for serious breaches. This makes it imperative for facilities to implement robust information security measures.
Security of Critical Infrastructure Act
As part of the healthcare and medical sector, aged care providers are now considered 'critical infrastructure' under the Security of Critical Infrastructure Act (SOCI Act). This classification requires providers to create and maintain a critical infrastructure Risk Management Program (RMP) and to register critical assets and report any cybersecurity events.
The RMP process involves identifying which components and sites of an asset are critical, then pinpointing potential threats and hazards that could harm operations. Providers must then implement measures that are "reasonably practicable" to minimise and mitigate these risks.
My Health Records Obligations
Healthcare provider organisations, including aged care facilities, have specific obligations under the My Health Records Act 2012 and My Health Records Rule 2016. Rule 42 requires healthcare provider organisations to have, communicate, and enforce a written security and access policy to register and remain registered to use the My Health Record system.
Organisations must maintain this policy regardless of the organisation's size or how often they access the My Health Record system. This requirement underscores the importance of establishing formal cybersecurity protocols in all aged care settings.
Critical Operational Technology Systems in Aged Care
Care Management Systems
Modern aged care facilities rely heavily on electronic care management systems to coordinate and document resident care. These systems track medications, treatments, appointments, and other essential care activities. They enable staff to access real-time client data, improving responsiveness and decision-making while reducing administrative burden.
Resident Monitoring Technologies
A growing array of IoT and IoMT devices is being deployed to monitor resident health and safety. These include wearable devices, bed sensors, fall detection systems, and various medical monitoring equipment. While these technologies enhance care, they also create potential entry points for cyber threats if not properly secured.
Communication Platforms
Digital communication systems connect staff, residents, and families, facilitating better information sharing and coordination. Instead of pressing a single button to summon a carer, residents can now use smart devices to communicate their specific needs, leading to more timely responses and improved team productivity.
Administrative and Operational Systems
Back-office systems manage scheduling, billing, procurement, and other operational functions. These systems often contain sensitive financial and personal data that must be protected against unauthorized access or theft.
Cybersecurity Standards and Implementation
Establishing a Security-First Mindset
Cybersecurity in aged care extends beyond deploying advanced technology—it requires embedding a security-first mindset across the organization. As cyber threats evolve, aged care providers must equip staff with the knowledge and tools to protect sensitive resident data and maintain operational integrity.
Vigilance is the cornerstone of safeguarding resident data. Every employee, from frontline caregivers to executive leadership, plays a critical role in maintaining security. Regular training and reinforcement of security protocols empower staff to detect and respond to threats effectively.
Key Elements of Cyber Security
Effective cyber security should include processes for prevention, detection, response, and recovery of cyber security incidents:
- Prevention: Systems and processes that safeguard the collection, storage, and use of data. While investment in IT infrastructure is essential, good security starts with developing a holistic cyber defense capability that considers people, culture, processes, risk, and technology.
- Detection: Systems and processes to monitor and identify possible cyber incidents, such as data breaches or cyber attacks. It's a misconception that effective cyber security requires absolute prevention of all incidents; certain events may be unavoidable despite reasonable precautions.
- Response: Processes to respond appropriately to a cyber incident. Staff and service providers should be trained on how to respond to minimize harm and satisfy reporting obligations.
- Recovery and Review: Containment and management of the incident before returning to normal operations, followed by evaluation of data recovery and risk mitigation effectiveness.
Essential 8 Framework
Under the Aged Care Bill, providers are expected to implement a cybersecurity framework that complies with standards such as the Essential 8 to minimize cyber risks. The Essential 8 framework, developed by the Australian Cyber Security Centre, outlines eight essential mitigation strategies to protect against cyber threats.
These strategies include application control, patching applications, restricting administrative privileges, patching operating systems, using multi-factor authentication, regular backups, and implementing email and web filters. Implementing these measures can significantly reduce the risk of cyber incidents.
Impact on Security Posture
Expanded Attack Surface
The situation becomes increasingly complex with the surging adoption of IoT and IoMT devices across both OT and IT domains. Every additional device connected to the network—from medical equipment to communications systems—widens the attack surface. This expansive linked environment provides ample opportunities for potential attackers to exploit vulnerabilities.
Shrinking Air Gaps
Historically, legacy healthcare OT systems enjoyed a certain degree of security due to an 'air gap,' which physically isolated these systems from other networks, minimizing cyber threats. However, as OT and IT networks intertwine, this air gap is shrinking, causing previously siloed departments to face unprecedented vulnerabilities.
High-Value Data Targets
While aged care might not seem an obvious cyber target, the sensitive personal, health, and assessment records that aged care providers hold are of great interest to hackers as a precursor to identity theft. Health records sell for far more on the dark web than credit card numbers, making aged care facilities attractive targets for cybercriminals.
Operational Disruption Risks
Cyber incidents, including ransomware attacks and data breaches, can severely disrupt aged care operations. There have already been cases where facilities have endured data breaches and systems outages that left them without easy access to records, essentially paralyzing operations until computer access is restored.
Risk Identification and Mitigation Strategies
Develop a Clear Incident Response Plan
A vital measure of cyber resilience is to have and practice a clear Incident Response Plan. This plan should outline step-by-step procedures for responding to various types of cyber incidents, including who to notify, how to contain the breach, and how to recover affected systems.
Regular data backups—preferably automated and securely stored off-site—ensure business continuity in the event of an attack. Routine testing of response strategies minimises downtime and enables swift recovery.
Educate Staff and Residents
Cybersecurity is an ongoing challenge that demands continuous education. All aged care employees should engage in interactive, user-friendly training programs designed to address emerging threats and regulatory requirements. Particular attention must be given to individuals with elevated system access, ensuring they understand their crucial role in enforcing security measures.
Many common cyber breach attempts could be avoided through staff education on recognizing phishing attempts, using strong passwords, and following security protocols. Residents should also receive appropriate guidance on safe technology use.
Conduct Testing on Business Continuity Plans
Regular testing of Business Continuity Plans helps identify digital weaknesses across the business before they can be exploited. These tests should simulate various scenarios, such as ransomware attacks or data breaches, to ensure that response procedures are effective and that staff are prepared to implement them.
Optimise Restricted Access Controls
A fundamental cybersecurity measure is restricting access to sensitive data. Employees should only have access to the information necessary for their job functions. This minimizes the risk of accidental data exposure and reduces the number of potential entry points for cybercriminals.
Limiting accessibility according to user requirements can help manage the exposure of critical information. Aged care providers should ensure sufficient restricted access to systems, networks, applications, and data across all devices in the facility.
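To make the least-privilege and purpose-binding requirements above concrete, here is an added illustration (not code from this article, from Microsolves, or from any care management product) of a deny-by-default access check. The roles, record types, purposes and recipient names are constructed for the example; the decision requires that the role is permitted the record for the stated purpose, and that any sharing outside the facility has the resident's consent on record.

```python
"""Deny-by-default access check for a care management system.

Illustrative example added to this article, not the code of any real product.
Roles, record types, purposes and recipients are constructed to mirror the
article's requirements: staff read only what their role needs, data is used
only for its stated purpose, and records leave the facility only with consent.
"""
from dataclasses import dataclass, field

# (record_type, purpose) pairs each role may access. Anything absent is denied.
ROLE_PERMISSIONS = {
    "carer": {("care_plan", "care_delivery"), ("observations", "care_delivery")},
    "nurse": {("care_plan", "care_delivery"), ("observations", "care_delivery"),
              ("medications", "care_delivery")},
    "billing": {("financial", "billing")},
}

# Recipients outside the facility; sharing with them needs the resident's consent.
EXTERNAL_RECIPIENTS = {"family_portal", "external_gp"}


@dataclass
class Resident:
    resident_id: str
    consents: set = field(default_factory=set)  # recipients the resident has consented to


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG = []  # denied requests, kept for review and incident detection


def authorise(role, record_type, purpose, resident, recipient=None):
    """Decide one request; denials are recorded with a reason in AUDIT_LOG."""
    if (record_type, purpose) not in ROLE_PERMISSIONS.get(role, set()):
        decision = Decision(False, f"role '{role}' has no '{purpose}' access to {record_type}")
    elif recipient in EXTERNAL_RECIPIENTS and recipient not in resident.consents:
        decision = Decision(False, f"no consent from {resident.resident_id} to share with {recipient}")
    else:
        decision = Decision(True, "permitted")
    if not decision.allowed:
        AUDIT_LOG.append((role, record_type, resident.resident_id, decision.reason))
    return decision


if __name__ == "__main__":
    r = Resident("R-001", consents={"external_gp"})
    print(authorise("nurse", "medications", "care_delivery", r))
    print(authorise("carer", "medications", "care_delivery", r))
    print(authorise("nurse", "care_plan", "care_delivery", r, recipient="family_portal"))
```

A burst of denied requests for one account in AUDIT_LOG is the kind of signal the Detection element above should surface to the facility's monitoring.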
Implement a Risk Management Framework
Risk management informs and drives organizational strategy and performance and is an enabler to organizations achieving their strategic objectives. Governing bodies and executives need to ensure an effective risk management framework is in place, which comprises the policies, processes, systems, and tools required to effectively identify and manage risks.
The framework should consider ISO 31000:2018 Risk Management when developed, integrate with the organization's purpose and objectives, apply consistently to all risks, and define roles and responsibilities with regular monitoring and reporting for transparency and accountability.
The Role of Governance in Technology Security
Board-Level Oversight
Cybersecurity must be treated with the same level of responsibility as resident safety. Establishing clear accountability ensures that every team member recognizes their role in safeguarding resident information. Additionally, technology teams should have representation at the board level to align cybersecurity strategies with broader business objectives.
Including cybersecurity in risk management committees or board sub-committees fosters proactive decision-making and enhances the management of digital threats. Embedding cybersecurity awareness into performance expectations and compliance measures enables organizations to reinforce a culture of responsibility and vigilance.
Governing Body Responsibilities
The governing body is responsible for ensuring that appropriate technology and systems are in place to support organization-wide governance. They must ensure that technology and data are being used safely, efficiently, and effectively to deliver services to consumers.
With respect to the oversight of cybersecurity risks, governing bodies should ensure their role in overseeing cybersecurity and cyber incident responses are clearly defined and documented. They should be aware of trends in cybersecurity risks and emerging issues to effectively and proactively manage those risks.
Summary Checklist for Aged Care Providers
Legislative Compliance
- Review and understand requirements under the new Aged Care Act 2024
- Develop and maintain a Risk Management Program (RMP) as required by the SOCI Act
- Establish a written security and access policy for My Health Record system access
- Implement data protection measures compliant with the Privacy Act 1988
Technology Systems Assessment
- Inventory all operational technology systems and devices used in the facility (Asset workbook available for download)
- Identify integration points between OT and IT systems
- Document data flows and storage locations for sensitive information
- Assess the security features of each system against current standards
Cybersecurity Implementation
- Deploy Essential 8 framework controls across all systems
- Establish regular patching and update processes for all software
- Implement multi-factor authentication for all sensitive systems
- Configure network segmentation to isolate critical care systems
- Deploy endpoint protection on all devices
- Establish secure backup solutions with offline copies
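The Technology Systems Assessment and Cybersecurity Implementation items above come together once an asset inventory exists: the same record that lists each OT and IT system can be checked for patch age, multi-factor authentication, segmentation and offline backups. The following is an added example (not the downloadable asset workbook or a Microsolves tool); the inventory rows, the 30-day patching threshold and the segment names are constructed, and a value of None marks a control that does not apply to a device.

```python
"""Essential 8 style gap check over a constructed OT/IT asset inventory.

Illustrative example added to this article; not the article's asset workbook
or any vendor tool. Rows, thresholds and segment names are constructed.
None in a control column means "not applicable to this device".
"""
from collections import Counter
from datetime import date

# Constructed inventory: one row per device or system in the facility.
INVENTORY = [
    {"name": "care-mgmt-server", "kind": "care_management", "critical": True,
     "os_patched": date(2025, 6, 15), "mfa": True, "segment": "clinical", "backup_offline": True},
    {"name": "nurse-call-controller", "kind": "communications", "critical": True,
     "os_patched": date(2024, 11, 2), "mfa": False, "segment": "flat", "backup_offline": False},
    {"name": "bed-sensor-gateway", "kind": "iomt", "critical": True,
     "os_patched": date(2025, 6, 1), "mfa": None, "segment": "clinical", "backup_offline": None},
    {"name": "billing-workstation", "kind": "administrative", "critical": False,
     "os_patched": date(2025, 4, 10), "mfa": True, "segment": "office", "backup_offline": True},
]

MAX_PATCH_AGE_DAYS = 30  # assumed internal standard for operating system patching


def find_gaps(inventory, today, max_patch_age=MAX_PATCH_AGE_DAYS):
    """Return (asset name, finding) tuples; an empty list means no gaps were found."""
    gaps = []
    for a in inventory:
        # Patch operating systems: flag anything older than the facility's standard.
        age = (today - a["os_patched"]).days
        if age > max_patch_age:
            gaps.append((a["name"], f"OS last patched {age} days ago (limit {max_patch_age})"))
        # Multi-factor authentication on every system that holds sensitive data.
        if a["critical"] and a["mfa"] is False:
            gaps.append((a["name"], "no MFA on a critical system"))
        # Critical care systems belong in their own network segment, not a flat network.
        if a["critical"] and a["segment"] == "flat":
            gaps.append((a["name"], "critical system on a flat network; segment it"))
        # Regular backups with an offline copy, where the device holds state at all.
        if a["critical"] and a["backup_offline"] is False:
            gaps.append((a["name"], "no offline backup copy"))
    return gaps


def gaps_by_asset(gaps):
    """Count findings per asset, a simple input for the cyber risk register."""
    return dict(Counter(name for name, _ in gaps))


if __name__ == "__main__":
    for name, finding in find_gaps(INVENTORY, date(2025, 7, 1)):
        print(f"{name}: {finding}")
```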
Risk Management
- Develop a comprehensive cyber risk register (Risk workbook available for download)
- Create and regularly test an Incident Response Plan
- Establish a Business Continuity Plan for technology systems
- Conduct regular vulnerability assessments and penetration testing
- Implement access controls based on the principle of least privilege
- Establish key risk indicators (KRIs) for cybersecurity monitoring
Staff and Resident Engagement
- Provide regular cybersecurity awareness training for all staff
- Create easy-to-follow security guidelines for residents using technology
- Establish clear reporting procedures for potential security incidents
- Include cybersecurity responsibilities in job descriptions and performance reviews
Monitoring and Continuous Improvement
- Implement security monitoring solutions across all systems
- Establish regular reporting on security metrics to the governing body
- Conduct annual security assessments and gap analyses
- Stay informed about emerging threats and vulnerabilities
- Participate in industry information sharing groups
Where to From Here?
As the Australian aged care sector continues its digital transformation, the deployment of operational technology presents both opportunities and challenges. The new Aged Care Act 2024 and related legislation establish clear expectations for protecting sensitive data while leveraging technology to enhance care delivery.
By adopting a security-first mindset, implementing comprehensive risk management strategies, and ensuring proper governance oversight, aged care providers can navigate this complex landscape successfully. The investment in robust cybersecurity measures is not merely a compliance obligation but an essential component of providing safe, high-quality care in today's interconnected world.
The digital future of aged care is bright, but it must be built on a foundation of security, privacy, and trust. By following the strategies and checklist provided in this article, aged care providers can confidently embrace new technologies while safeguarding their residents, staff, and operations from emerging cyber threats.