Before the Breach: The Questions Every Medical Practice Should Be Able to Answer
Cyber attacks on healthcare organisations are becoming more frequent and more disruptive. In Australia, ransomware incidents in the sector have recently doubled year on year, and most reported incidents involve some level of system compromise. When systems go down or data is exposed, the impact isn’t just technical. It affects patient care, operations, and trust.
It’s not always the breach itself that causes the most disruption. It’s the uncertainty that follows. Who do we call? What needs to come back online first? Are we doing the right thing, or just responding without a clear plan?
For busy practices, these questions don’t usually come up until they have to. Day to day, the focus is where it should be – on patients, staff, and keeping things running smoothly. Cyber security can feel like something that sits in the background, handled by systems or external providers. But when something does happen, the pressure builds quickly. Decisions need to be made fast, often with incomplete information, and any gaps in roles, priorities, or processes tend to surface immediately.
In this blog, we’ll walk through some of the key questions every medical practice should be able to answer before an incident happens – so you can sense-check your readiness without getting lost in technical detail.
If you can answer these questions confidently now, you’ll be in a much stronger position when it matters most.
Question 1 – Do We Know What Systems Are Critical to Keep Running?
Most practices rely on a mix of systems to keep things moving, but not all of them carry the same weight. Some are essential to delivering care in the moment, while others support the background processes that keep the practice running.
The real test is whether you have a clear view of what your team depends on to access patient information, manage appointments, and keep services running safely.
This usually includes your practice management system, clinical software, Medicare or billing connections, and any tools your team relies on day to day. There may also be devices or integrations in the background that play a bigger role than expected – especially when it comes to accessing patient information or keeping appointments on track.
The question isn’t whether these systems are important, because they all are in different ways. It’s whether your practice understands how they fit together, and what the impact would be if any one of them became unavailable.
Without that shared understanding, teams in the middle of an incident can lose valuable time trying to piece things together on the spot. Practices that are prepared have already mapped this out – they know what they rely on, where the pressure points are, and what needs attention first.
Question 2 – Do We Know Who to Call, and What Counts as Urgent?
When something goes wrong, one of the first reactions is to reach out for help. But in the moment, it’s not always as clear as it should be who that help should come from, or how quickly a situation needs to be escalated.
In most practices, there are a few different moving parts. Your internal team, your IT provider, software vendors, and sometimes external partners like insurers all play a role. Each of them may have a different idea of what “urgent” looks like, especially when you’re balancing operational needs with patient care.
What can catch teams off guard is the gap between what feels urgent in the moment and what has already been agreed as urgent. For example, something that disrupts clinical access or patient care may need immediate escalation, while other issues can be managed differently. Often, valuable time can be lost working out how serious something is, rather than acting on it.
This also raises practical questions around availability. Do you know who to contact after hours? Is there a clear escalation path if the first point of contact isn’t available? Would your team feel confident making that call, or would they hesitate?
Practices that respond well in these situations tend to have this worked out ahead of time. They know who to call, when to call them, and what level of response to expect. That clarity removes a lot of the uncertainty and helps everyone move more quickly when it matters most.
Question 3 – Do We Understand Our Data, Backups and Recovery Expectations?
Most practices have backups in place, but there’s often less visibility into how dependable they are or what recovery would actually involve in practice.
Your data sits at the centre of your operations. Patient records, appointments, billing information, clinical notes – it all plays a role in keeping the practice running. The key is understanding what your team relies on most, and how confident you are that it could be restored in a usable state if needed.
It’s also worth thinking about expectations. If systems went offline, how long could the practice realistically operate without access to certain information? What would need to be available within hours, and what could wait a little longer?
Another area that often gets overlooked is whether recovery processes have been tested. Having backups is one thing; knowing they can be relied on, and that your team understands what recovery would look like in practice, makes a significant difference when time is limited.
Question 4 – Do We Know Our Reporting and Notification Obligations?
When an incident involves patient or business data, the response doesn’t just stay within the practice. There are often obligations around who needs to be informed, what needs to be reported, and how quickly those steps need to happen.
For many practices, this is where uncertainty can creep in. It’s not always clear what qualifies as a notifiable breach, who makes that call, or whether it sits with the practice, an external provider, or a combination of both. In the moment, that uncertainty can slow things down or lead to decisions being made without full confidence.
There’s also a timing element to consider. Some obligations are time sensitive, and delays can increase both risk and pressure. Knowing what needs to happen, and having a clear path for escalating and confirming those decisions, helps reduce that pressure significantly.
Understanding the obligations in advance doesn’t require deep technical or legal knowledge. It’s more about knowing where those decisions sit, and how they would be escalated if needed.
Question 5 – Are Our Roles and Responsibilities Clear?
When something unexpected happens, people naturally look to each other for direction. In a practice environment, that can involve practice managers, owners, internal staff, IT providers, and sometimes external partners. Each group plays a role, but it’s not always clear who is responsible for making which decisions when it matters most.
This can lead to situations where everyone is waiting for someone else to take the lead, or where multiple people step in at once without a shared plan. Neither approach tends to work well under pressure, especially when decisions need to be made quickly and confidently.
It’s worth considering how responsibilities are currently understood within your practice. Who is responsible for escalating an issue? Who makes the call on next steps? Where does your IT provider step in, and where does the responsibility remain with the practice?
Clarity in these areas doesn’t require a complex structure, but it does rely on everyone having the same understanding. When roles are clearly defined, teams are able to move more smoothly, communicate more effectively, and avoid unnecessary delays.
Question 6 – Could We Explain Our Position to an Insurer or Regulator?
If an incident were to occur, there’s a good chance you’d be asked to explain what happened and how your practice was managing risk beforehand. That conversation might be with an insurer, a regulator, or another external party, and it often comes down to how clearly you can describe your approach.
This isn’t about having everything perfectly documented or being able to point to every possible control. It’s about being able to show that your practice has taken reasonable steps to understand its risks, put appropriate measures in place, and make informed decisions along the way.
For many practices, this is where things can feel a bit unclear. You may have processes in place, systems supporting you, and external providers involved, but it’s not always obvious how that all comes together when you need to explain it to someone else.
It’s worth thinking about what you would say if you were asked to walk someone through your setup. Could you describe what you have in place, why those decisions were made, and how your practice would respond in a real situation? Being able to explain that structure is often what matters most.
Want to Sense-Check Your Practice’s Readiness?
If these questions have highlighted a few areas you’re unsure about, you’re not alone. For most practices, it’s not about starting from scratch – it’s about getting a clearer view of what’s already in place, and where a bit more alignment could make a real difference.
At Impact ICT, we work with healthcare organisations across Mandurah and the Peel region to help bring that clarity together. That includes reviewing how systems support day-to-day operations, understanding roles and responsibilities, and helping practices feel more confident in how they would respond during an incident.
Book a discovery call with Impact ICT and we can walk through your current setup and what a more prepared position could look like for your practice.