Healthcare IT compliance · Sydney

Patient data security demands a different kind of IT partner

Australian medical practices face obligations under the Privacy Act 1988, ASD Essential Eight, and My Health Record. Generic IT support doesn’t cover this. PIP does.

#1: Health sector is consistently the highest source of data breach notifications in Australia (OAIC)

30+: Years supporting Sydney GP clinics and specialist practices

Most breaches are opportunistic — not sophisticated. Unpatched software. Recycled passwords. Untested backups.

OAIC 2024: Health remains Australia’s most-breached sector — ahead of finance, legal, and education.

Most incidents are preventable with baseline controls.

Privacy Act 1988 & what it means in practice

Medical practices handling health information are bound by the Privacy Act and the Australian Privacy Principles. Three obligations are operationally significant from an IT perspective.

APP 11: Security of personal information

You must take reasonable steps to protect patient data from misuse, loss, unauthorised access, or disclosure. “Reasonable steps” means documented, implemented, and tested controls — not good intentions. Encrypted storage, access controls, audit logs, and a tested incident response procedure are the baseline.

APP 1: Open and transparent management

Your practice must maintain a current, accessible privacy policy covering how patient data is collected, used, stored, and disclosed. If yours hasn’t been reviewed since before My Health Record became opt-out, it almost certainly needs updating.

NDB Scheme: Notifiable Data Breaches

If a breach is likely to cause serious harm, your practice must notify both the OAIC and affected individuals — typically within 30 days. Many practices don’t know this applies to them, or underestimate what constitutes a reportable event.

How breaches actually happen in GP clinics

  • Unpatched clinical software with known vulnerabilities

  • Recycled or shared passwords across staff logins

  • Phishing emails landing in reception inboxes

  • Backups scheduled but never tested — empty when needed

  • Departed staff credentials left active in clinical systems

  • Shared logins masking which user accessed what records


These are not sophisticated attacks. They are the result of ordinary gaps in IT management — gaps a specialist provider closes as a matter of routine.

Medical practices aren’t small businesses with a database

They connect to Medicare Online, My Health Record, pathology networks, imaging systems, and referral platforms. Every connection is an attack vector. Every login is a credential that needs protecting.

Generic IT support

  • Doesn’t understand how Best Practice connects to Medicare Online
  • Can’t identify a suspicious login pattern in a 5-GP clinic
  • No knowledge of NDB obligations or OAIC reporting
  • Treats a practice like any other small business network
  • Multiple vendors pointing at each other when something goes wrong
  • Compliance assumed to be someone else’s responsibility

PIP medical IT

  • Knows Best Practice, Medical Director, Genie, and Pracsoft deeply
  • Understands Medicare Online integration and its security implications
  • Builds environments compliant with Privacy Act and Essential Eight
  • Manages My Health Record access controls and audit log retention
  • One contract, one escalation point — no gap between hosting and support
  • 30 years supporting Sydney GP clinics and specialist practices

The government’s baseline applied to your practice

The Essential Eight isn’t a formal legal requirement for GP clinics — but it’s the benchmark regulators, professional indemnity insurers, and health networks increasingly use to assess whether a practice takes security seriously.

01 Application control
Only approved, known software runs on practice computers. No unauthorised installations.

02 Patch applications
Best Practice, Medical Director, Genie, and browsers kept current on a defined schedule.

03 Macro settings
Office macros — a common ransomware vector — restricted to approved use cases only.

04 App hardening
Browsers and Office applications hardened against web-based and email-based attacks.

05 Admin privileges
Staff access only what their role requires. Reception staff don’t hold admin rights on clinical workstations.

06 Patch operating systems
Windows updates on a tested, controlled cadence — not auto-update at 8:58am when patients arrive.

07 Multi-factor authentication
Required for remote access, Microsoft 365, and any cloud service holding practice or patient data.

08 Regular backups
Encrypted, tested, and stored separately from source data. Scheduled is not the same as working.

Clinical software in scope

  • Best Practice
  • Medical Director
  • Genie
  • Pracsoft
  • Audit4
  • Medicare Online
  • My Health Record

Obligations under the My Health Records Act

Most Australian GP practices participate in the My Health Record system. That participation creates specific obligations under the My Health Records Act 2012 and the Healthcare Identifiers Act 2010.

Review your compliance position

  • Access controls

    Only authorised clinical staff may view or upload records on behalf of the practice. This must be enforced at the software and user level — not left to convention. Shared logins are a common and serious exposure point.

  • Audit logging

    Access through your clinical software must be logged. Best Practice, Medical Director, and Genie all generate these logs. They need to be retained and accessible when required — PIP manages this as part of our configuration.

  • Breach reporting

    Suspected or confirmed unauthorised access must be reported to the Australian Digital Health Agency, in addition to any NDB obligations. Two parallel reporting requirements apply — PIP supports practices through both.

Support, hosting, and compliance — one partner, one contract

Most Sydney practices manage IT across three vendors. When something goes wrong, they point at each other. PIP’s medical IT service is deliberately integrated — no gap between your hosting environment and your support desk.

Managed IT support

Sydney-based engineers. On-site when it matters, remote for everything else. One escalation point for all clinical IT issues.

On-site · Remote · Sydney · 30+ years

Secure Australian hosting

ISO/IEC 27001 certified data centres. Patient data never leaves Australia. Hosted environments for Best Practice and Medical Director.

ISO 27001 · AU hosted · Best Practice · Medical Director

Compliance management

Essential Eight alignment, privacy documentation, incident response procedures. Documentation ready for audits, health networks, and insurers.

Essential Eight · Privacy Act · NDB scheme · OAIC support

PIP medical IT services

“The practices most exposed to a serious breach aren’t the ones being targeted — they’re the ones that assumed their IT provider had compliance covered. Usually no one does, because no one’s been asked to.”

PIP IT — Sydney medical IT specialists

Review your compliance position

Talk to a Sydney medical IT specialist about where your practice stands — and what needs to change.
