Healthcare Cyber Risk Explained: Who’s Responsible When Something Goes Wrong?

Healthcare organisations rely heavily on technology. Patient records, clinical systems, secure messaging and cloud platforms all support day-to-day operations. When those systems run smoothly, cyber risk can feel distant or abstract.

The 2024 MediSecure breach in Australia exposed the personal data of millions, while the 2024 ransomware attack on Synnovis in the UK disrupted pathology services across NHS hospitals and delayed patient care. These events show how quickly technology risk becomes patient risk.

They also highlight an important question for practice owners and managers: when something goes wrong, who is actually responsible?

Healthcare environments are rarely simple. Most practices use a mix of clinical software, Microsoft 365, cloud backups, remote access tools and connected devices, often supported by different vendors. It’s common to assume that cyber security sits primarily with the IT provider.

In reality, responsibility is more shared than many realise.

Under the Privacy Act 1988, healthcare organisations remain accountable for how patient information is collected, stored and protected, even where IT services are outsourced. Health information is classified as sensitive information and carries higher protection obligations. Engaging external providers supports compliance, but it does not transfer it.

Understanding how these responsibilities are distributed helps reduce uncertainty if an incident ever occurs.

Why Responsibility Can Feel Unclear

In many healthcare practices, responsibility for cyber risk is never formally mapped out. It develops over time.

An IT provider manages systems. Software vendors maintain their platforms. Practice managers oversee daily processes. Owners focus on compliance and broader business oversight. Everyone plays a role.

What is not always clearly defined is where one responsibility ends and another begins.

An IT provider may implement technical safeguards but not be involved in governance discussions. A director may assume reporting decisions sit externally. A practice manager may not be certain when an issue needs to be escalated beyond routine support.

This is not unusual. It reflects how healthcare technology environments often evolve.

These gaps are rarely visible when everything is working as expected. They tend to surface when decisions need to be made quickly. Defining roles before an incident occurs is far more effective than trying to resolve uncertainty afterwards.

Understanding the Shared Responsibility Model

Cyber risk in healthcare is best viewed as shared responsibility.

At a high level, responsibility is spread across:

  • Practice leadership
  • Practice management
  • IT providers
  • Software vendors
  • Insurers
  • Regulators

Each party contributes to risk management in a different way. The key is ensuring that these roles are understood and documented, rather than assumed.

The Role of Practice Owners and Board Members

For owners and board members, responsibility is focused on governance rather than technical detail.

Under the Corporations Act 2001, directors of incorporated entities are expected to exercise care and diligence in managing foreseeable business risks. Cyber risk is now widely recognised as one of those risks. ASIC has indicated that cyber resilience forms part of responsible governance.

In practice, this means leadership should ensure that reasonable security measures have been considered, that cyber risk is discussed at an appropriate level, and that there is an incident response process in place. It involves asking informed questions and overseeing policy settings, not configuring systems.

Frameworks such as the Australian Cyber Security Centre’s Essential Eight are often used as a reference point for what reasonable technical controls may look like. They provide guidance, but governance decisions remain with the organisation.

The Role of Practice Managers

Practice managers typically carry operational responsibility.

They oversee staff access, onboarding and offboarding processes, policy implementation and coordination with external providers. If an issue arises, they are often central to gathering information and facilitating communication between leadership, IT providers and insurers.

Under Australia’s Notifiable Data Breaches scheme, certain breaches must be assessed promptly and may require notification to the Office of the Australian Information Commissioner and affected individuals. While the legal responsibility sits with the organisation, practice managers are usually the ones escalating concerns and ensuring the right people are informed.

Having clear internal escalation processes in place makes this far more manageable if it ever becomes necessary.

The Role of IT Providers

IT providers implement and maintain agreed technical safeguards. This may include patching, endpoint protection, backups, monitoring and general system maintenance. They can provide advice on risk reduction and system improvements.

However, IT providers do not usually carry the organisation’s legal compliance obligations. They cannot make governance decisions or determine whether regulatory notification is required. Those decisions remain with practice leadership.

Clear service agreements and defined scopes of responsibility help ensure expectations are aligned.

Software Vendors and Insurers

Software vendors are responsible for securing their own platforms and issuing updates. They are not responsible for how a practice configures permissions or manages internal processes.

Cyber insurers provide financial protection and, in many cases, access to specialist response services. Insurance can significantly reduce the financial impact of an incident, but it does not replace the need for sound governance. Policies commonly require reasonable security controls and timely notification.

Privacy compliance in Australia is overseen by the Office of the Australian Information Commissioner. Depending on the circumstances, professional standards bodies may also have expectations relating to information handling. These regulatory settings reinforce that cyber risk is both a technical and organisational responsibility.

Why Role Definition Matters

When responsibilities are clearly understood, incident response is more coordinated and less stressful. Leadership knows its oversight role. Managers understand escalation pathways. IT providers know when to advise and when to notify.

When responsibilities are not clearly defined, decision making can slow down at the very time it needs to be prompt.

Healthcare practices do not need to approach cyber risk with alarm. They do, however, benefit from a shared understanding of who is accountable for what.

Moving Forward with Confidence

No practice can remove risk entirely. The goal is to manage it responsibly, in line with the size and complexity of the organisation.

A practical first step is to review how responsibilities are currently structured across leadership, management and external providers. Ensuring those roles are clearly defined supports compliance, strengthens resilience and reduces uncertainty if an incident occurs.

Cyber risk in healthcare is shared. When roles are aligned and understood, practices are better placed to respond thoughtfully and effectively.

Want to Review How Responsibility Sits in Your Practice?

At Impact ICT, we work with healthcare organisations across Mandurah and the Peel region to review existing systems, clarify responsibilities between leadership and IT, and ensure technical controls support your privacy obligations.

If you would value a practical conversation about how this looks in your practice, our local team is here to help.

Book a discovery call with Impact ICT and we’ll walk through your current setup and outline sensible next steps.

Author

Lucas Burnett