As Australia's new Aged Care Act 2024 approaches implementation on July 1, 2025, residential aged care facilities face unprecedented technological and regulatory challenges.
The increasing digitalisation of care services offers tremendous opportunities for improved resident care and operational efficiency, but also introduces complex cybersecurity considerations that require careful management.
The following analysis explores the intersection of technology, compliance, and security across the aged care industry drawing on Microsolves' 25+ years of experience with a number of Australia's leading Aged Care providers.
The aged care sector is undergoing significant transformation as facilities increasingly adopt digital solutions to enhance care delivery, streamline operations, and improve resident experiences. With Australia's population aging rapidly, there is a growing need for innovative technology solutions that create better opportunities for independence, social inclusion, and community participation in residential aged care facilities.
Digital transformation in aged care extends far beyond simple record-keeping. Today's facilities deploy a complex ecosystem of operational technology (OT) that includes care management systems, resident monitoring devices, communication platforms, and administrative tools. These technologies enable more personalized care while simultaneously generating vast amounts of sensitive data that requires protection.
As the world becomes increasingly digitized, the convergence of operational technology with traditional enterprise IT networks is inevitable. This integration allows aged care providers to better adapt to changing work environments and harness the power of a connected world. However, while such integration unlocks efficiency and innovation, it also introduces significant cybersecurity challenges.
The Australian Government has introduced the Aged Care Bill 2024, which passed Parliament in late 2024 and is scheduled to become the new Aged Care Act from July 1, 2025. This legislation represents a fundamental shift from a provider-centred model to one focused on the rights and needs of older Australians.
The new Act aims to improve service delivery to older people across various settings, including residential aged care homes. It establishes new system oversight and accountability arrangements, increases provider accountability through a new regulatory model, and strengthens the aged care regulator. These changes directly impact how facilities must approach technology deployment and data security.
Under the Aged Care Bill 2024, protecting client information is a non-negotiable responsibility for every aged care provider, regardless of size. The legislation introduces stringent requirements for managing protected information, including personal, health, and commercially sensitive data.
Providers must ensure that data is securely collected and stored to protect against unauthorised access, loss, or misuse. Personal data should only be used for its intended purpose, and providers must obtain consent from residents before sharing their information. Staff and contractors should also be bound by confidentiality agreements to prevent unauthorised disclosure.
Non-compliance with these requirements could lead to significant penalties, including fines and potential imprisonment for serious breaches. This makes it imperative for facilities to implement robust information security measures.
As part of the healthcare and medical sector, aged care providers are now considered 'critical infrastructure' under the Security of Critical Infrastructure Act (SOCI Act). This classification requires providers to create and maintain a critical infrastructure Risk Management Program (RMP) and to register critical assets and report any cybersecurity events.
The RMP process involves identifying which components and sites of an asset are critical, then pinpointing potential threats and hazards that could harm operations. Providers must then implement measures that are "reasonably practicable" to minimise and mitigate these risks.
Healthcare provider organisations, including aged care facilities, have specific obligations under the My Health Records Act 2012 and My Health Records Rule 2016. Rule 42 requires healthcare provider organisations to have, communicate, and enforce a written security and access policy to register and remain registered to use the My Health Record system.
Organisations must maintain this policy regardless of the organization's size or how often they access the My Health Record system. This requirement underscores the importance of establishing formal cybersecurity protocols in all aged care settings.
Modern aged care facilities rely heavily on electronic care management systems to coordinate and document resident care. These systems track medications, treatments, appointments, and other essential care activities. They enable staff to access real-time client data, improving responsiveness and decision-making while reducing administrative burden.
A growing array of IoT and IoMT devices is being deployed to monitor resident health and safety. These include wearable devices, bed sensors, fall detection systems, and various medical monitoring equipment. While these technologies enhance care, they also create potential entry points for cyber threats if not properly secured.
Digital communication systems connect staff, residents, and families, facilitating better information sharing and coordination. Instead of pressing a single button to summon a carer, residents can now use smart devices to communicate their specific needs, leading to more timely responses and improved team productivity.
Back-office systems manage scheduling, billing, procurement, and other operational functions. These systems often contain sensitive financial and personal data that must be protected against unauthorized access or theft.
Cybersecurity in aged care extends beyond deploying advanced technology—it requires embedding a security-first mindset across the organization. As cyber threats evolve, aged care providers must equip staff with the knowledge and tools to protect sensitive resident data and maintain operational integrity.
Vigilance is the cornerstone of safeguarding resident data. Every employee, from frontline caregivers to executive leadership, plays a critical role in maintaining security. Regular training and reinforcement of security protocols empower staff to detect and respond to threats effectively.
Effective cyber security should include processes for the prevention, detection, response to, and recovery from cyber security incidents.
Under the Aged Care Bill, providers are expected to implement a cybersecurity framework that complies with standards such as the Essential 8 to minimize cyber risks. The Essential 8 framework, developed by the Australian Cyber Security Centre, outlines eight essential mitigation strategies to protect against cyber threats.
These strategies include application control, patching applications, restricting administrative privileges, patching operating systems, using multi-factor authentication, regular backups, and implementing email and web filters. Implementing these measures can significantly reduce the risk of cyber incidents.
The situation becomes increasingly complex with the surging adoption of IoT and IoMT devices across both OT and IT domains. Every additional device connected to the network—from medical equipment to communications systems—widens the attack surface. This expansive linked environment provides ample opportunities for potential attackers to exploit vulnerabilities.
Historically, legacy healthcare OT systems enjoyed a certain degree of security due to an 'air gap,' which physically isolated these systems from other networks, minimizing cyber threats. However, as OT and IT networks intertwine, this air gap is shrinking, causing previously siloed departments to face unprecedented vulnerabilities.
While aged care might not seem an obvious cyber target, the sensitive personal, health, and assessment records that aged care providers hold are of great interest to hackers as a precursor to identity theft. Health records sell for far more on the dark web than credit card numbers, making aged care facilities attractive targets for cybercriminals.
Cyber incidents, including ransomware attacks and data breaches, can severely disrupt aged care operations. There have already been cases where facilities have endured data breaches and system outages that left them without easy access to records, essentially paralysing operations until computer access was restored.
A vital measure of cyber resilience is to have and practice a clear Incident Response Plan. This plan should outline step-by-step procedures for responding to various types of cyber incidents, including who to notify, how to contain the breach, and how to recover affected systems.
Regular data backups—preferably automated and securely stored off-site—ensure business continuity in the event of an attack. Routine testing of response strategies minimises downtime and enables swift recovery.
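The backup and recovery testing described above can be exercised in code. The following is an added illustration, not code from the original article or from any provider's systems: it copies a set of constructed sample care records into a backup directory with a SHA-256 manifest, then performs a trial restore and checks every restored file against that manifest, so that a corrupted or missing backup file is discovered during routine testing rather than during a real incident. All file names and record contents are constructed for the example.

```python
"""
Backup-and-restore verification for care records (added example; all sample
data below is constructed, not taken from any real facility).
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large record exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup_dir: Path) -> Path:
    """Copy every file under `source` into `backup_dir` and write a hash manifest.

    The manifest is what later restore tests compare against, so it is written
    from the *source* hashes, not from the copies.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(source.rglob("*")):
        if not path.is_file():
            continue
        relative = path.relative_to(source).as_posix()
        destination = backup_dir / relative
        destination.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, destination)
        manifest[relative] = sha256_file(path)
    manifest_path = backup_dir / "MANIFEST.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def verify_restore(backup_dir: Path, restore_dir: Path) -> dict:
    """Trial-restore `backup_dir` into `restore_dir` and report any file that
    is missing or whose restored hash differs from the manifest."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    restore_dir.mkdir(parents=True, exist_ok=True)
    problems = []
    for relative, expected_hash in manifest.items():
        source = backup_dir / relative
        if not source.exists():
            problems.append(f"missing in backup: {relative}")
            continue
        destination = restore_dir / relative
        destination.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source, destination)
        if sha256_file(destination) != expected_hash:
            problems.append(f"hash mismatch after restore: {relative}")
    return {"files": len(manifest), "problems": problems, "ok": not problems}


def demo(tamper: bool = False) -> dict:
    """Build a tiny constructed record set, back it up, optionally corrupt one
    backup file, and return the restore-test report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        records = root / "care_records"
        (records / "residents").mkdir(parents=True)
        # Constructed sample records (hypothetical resident id and content).
        (records / "residents" / "R-001.json").write_text(
            '{"id": "R-001", "care_notes": "constructed sample note"}'
        )
        (records / "medications.csv").write_text(
            "resident,medication,dose\nR-001,example-med,1\n"
        )
        backup = root / "backup"
        create_backup(records, backup)
        if tamper:
            # Simulate silent corruption of the stored backup copy.
            (backup / "medications.csv").write_text("corrupted")
        return verify_restore(backup, root / "restore")


if __name__ == "__main__":
    print("clean backup :", demo())
    print("tampered copy:", demo(tamper=True))
```

Running the script shows a clean restore passing and the tampered copy being flagged by name; the same `create_backup` and `verify_restore` pair can be scheduled against a real export directory and an off-site backup location, with a non-empty `problems` list treated as a failed test.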
Cybersecurity is an ongoing challenge that demands continuous education. All aged care employees should engage in interactive, user-friendly training programs designed to address emerging threats and regulatory requirements. Particular attention must be given to individuals with elevated system access, ensuring they understand their crucial role in enforcing security measures.
Many common cyber breach attempts could be avoided through staff education on recognizing phishing attempts, using strong passwords, and following security protocols. Residents should also receive appropriate guidance on safe technology use.
Regular testing of Business Continuity Plans helps identify digital weaknesses across the business before they can be exploited. These tests should simulate various scenarios, such as ransomware attacks or data breaches, to ensure that response procedures are effective and that staff are prepared to implement them.
A fundamental cybersecurity measure is restricting access to sensitive data. Employees should only have access to the information necessary for their job functions. This minimizes the risk of accidental data exposure and reduces the number of potential entry points for cybercriminals.
Limiting accessibility according to user requirements can help manage the exposure of critical information. Aged care providers should ensure sufficient restricted access to systems, networks, applications, and data across all devices in the facility.
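Restricting access by job function is easiest to reason about when it is written down as an explicit, default-deny permission check. The following is an added example, not code from the original article or from any care management product: it models a few constructed roles (carer, nurse, finance, auditor), limits clinical roles to residents in their own care unit, denies anything not explicitly granted, and records every decision in an audit log so that denied attempts can be reviewed. Role names, record types and sample staff are all assumptions made for the illustration.

```python
"""
Least-privilege access check for resident records (added example; the roles,
permissions and sample data are constructed, not drawn from any real system).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Permission matrix: record types each role may read or write.
# Anything not listed here is denied (default deny).
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "carer":   {"care_notes": {"read", "write"}},
    "nurse":   {"care_notes": {"read", "write"}, "medications": {"read", "write"}},
    "finance": {"billing": {"read", "write"}},
    "auditor": {"care_notes": {"read"}, "medications": {"read"}, "billing": {"read"}},
}

# Clinical roles only see residents in the care unit they are rostered to.
UNIT_SCOPED_ROLES = {"carer", "nurse"}

AUDIT_LOG: List[str] = []


@dataclass
class Staff:
    username: str
    role: str
    unit: Optional[str] = None  # care unit the staff member works in, if any


@dataclass
class Record:
    resident_id: str
    record_type: str
    unit: str  # care unit the resident lives in


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


def authorise(user: Staff, action: str, record: Record) -> AccessDecision:
    """Decide whether `user` may perform `action` on `record`.

    Order of checks: (1) does the role hold this action on this record type at
    all; (2) for unit-scoped roles, is the resident in the user's own unit.
    Every decision, allowed or denied, is appended to AUDIT_LOG.
    """
    allowed_actions = ROLE_PERMISSIONS.get(user.role, {}).get(record.record_type, set())
    if action not in allowed_actions:
        decision = AccessDecision(
            False, f"role {user.role!r} has no {action!r} right on {record.record_type}"
        )
    elif user.role in UNIT_SCOPED_ROLES and user.unit != record.unit:
        decision = AccessDecision(
            False, f"resident {record.resident_id} is outside unit {user.unit!r}"
        )
    else:
        decision = AccessDecision(True, "permitted by role and unit scope")

    AUDIT_LOG.append(
        f"{'ALLOW' if decision.allowed else 'DENY'} user={user.username} "
        f"action={action} type={record.record_type} "
        f"resident={record.resident_id}: {decision.reason}"
    )
    return decision


def denied_entries() -> List[str]:
    """Return the audit entries that represent denied attempts, for review."""
    return [entry for entry in AUDIT_LOG if entry.startswith("DENY")]


if __name__ == "__main__":
    # Constructed sample staff and records.
    carer = Staff("jsmith", "carer", unit="North")
    finance = Staff("fteam", "finance")
    north_notes = Record("R-001", "care_notes", unit="North")
    south_notes = Record("R-002", "care_notes", unit="South")
    south_billing = Record("R-002", "billing", unit="South")

    authorise(carer, "read", north_notes)      # allowed: own unit, own record type
    authorise(carer, "read", south_notes)      # denied: other unit
    authorise(carer, "read", south_billing)    # denied: billing not a carer right
    authorise(finance, "read", south_billing)  # allowed: finance may read billing
    authorise(finance, "read", south_notes)    # denied: no clinical access
    for line in AUDIT_LOG:
        print(line)
```

The point of the structure is that a new role or record type gets no access until someone adds an entry to the matrix, and the audit log gives the governance committee a concrete record of who tried to reach what, which is the evidence an access review or incident investigation needs.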
Risk management informs and drives organisational strategy and performance, and enables organisations to achieve their strategic objectives. Governing bodies and executives need to ensure an effective risk management framework is in place, comprising the policies, processes, systems, and tools required to identify and manage risks effectively.
The framework should be developed with reference to ISO 31000:2018 Risk Management, integrate with the organisation's purpose and objectives, apply consistently to all risks, and define roles and responsibilities, with regular monitoring and reporting for transparency and accountability.
Cybersecurity must be treated with the same level of responsibility as resident safety. Establishing clear accountability ensures that every team member recognizes their role in safeguarding resident information. Additionally, technology teams should have representation at the board level to align cybersecurity strategies with broader business objectives.
Including cybersecurity in risk management committees or board sub-committees fosters proactive decision-making and enhances the management of digital threats. Embedding cybersecurity awareness into performance expectations and compliance measures enables organizations to reinforce a culture of responsibility and vigilance.
The governing body is responsible for ensuring that appropriate technology and systems are in place to support organization-wide governance. They must ensure that technology and data are being used safely, efficiently, and effectively to deliver services to consumers.
With respect to the oversight of cybersecurity risks, governing bodies should ensure their role in overseeing cybersecurity and cyber incident responses is clearly defined and documented. They should be aware of trends in cybersecurity risks and emerging issues so they can manage those risks effectively and proactively.
Technology Systems Assessment
As the Australian aged care sector continues its digital transformation, the deployment of operational technology presents both opportunities and challenges. The new Aged Care Act 2024 and related legislation establish clear expectations for protecting sensitive data while leveraging technology to enhance care delivery.
By adopting a security-first mindset, implementing comprehensive risk management strategies, and ensuring proper governance oversight, aged care providers can navigate this complex landscape successfully. The investment in robust cybersecurity measures is not merely a compliance obligation but an essential component of providing safe, high-quality care in today's interconnected world.
The digital future of aged care is bright, but it must be built on a foundation of security, privacy, and trust. By following the strategies and checklist provided in this article, aged care providers can confidently embrace new technologies while safeguarding their residents, staff, and operations from emerging cyber threats.