• In Australia, the handling and security of healthcare information is regulated by the Privacy Act 1988 (Cth) together with issue-specific legislation. Cyber risk remains a key concern for the healthcare sector, heightened by the public health and technological responses triggered by the COVID-19 pandemic.


  • Australia’s healthcare systems have increasingly embraced the digitalisation of health records, enabling a transition from hospital-focused and specialised approaches to care management towards more collaborative and distributed forms of patient-oriented care. Consequently, healthcare providers now store and exchange patient information across complex and diverse systems, which widens the attack surface and gives rise to cyber security risks.
  • The healthcare industry is well known for its ‘low security maturity’, with poorer cyber security tooling than other sectors.
  • Offner et al. suggest that the reasons for inadequate cyber security infrastructure in healthcare include: budgetary constraints; poor cyber security training and knowledge among healthcare managers; heterogeneous and complex healthcare information infrastructure; reactive approaches to cyber defence; and an insufficient number of cyber security professionals working in healthcare.


National Health Security Act 2007 (Cth)

  • The National Health Security Act 2007 (Cth):
    • creates a national system of information exchange and public health surveillance concerning important public health events and situations; and
    • authorises the disclosure of personal information where doing so will assist in a national or international response (including to the World Health Organisation and countries affected by a public health crisis).
  • Part 2 Div 6 of the Act contains provisions on notification, information sharing and liaison in relation to public health events of national significance and listed human diseases.
  • Part 2 Div 8 of the Act governs the confidentiality of "protected information", the authorised uses of that information, and related offences and defences.

My Health Records Act 2012 (Cth)

  • The My Health Records Act 2012 (Cth):
    • creates offences for inappropriate use of My Health Record information, including unauthorised disclosure for a prohibited purpose;
    • prescribes the authorised uses of My Health Record information based on legitimate reasons for use - e.g. to provide healthcare, to consult with a nominated representative, where there is a serious threat to life or safety, or where the law authorises the use; and
    • in section 66, permits the secondary use of My Health Record data. However, the Act does not clearly identify who may access the data on the system for ‘secondary use’, nor how and when they must obtain consent.
  • Part 4 Div 4 of the Act regulates the Act's interaction with the Privacy Act 1988 (Cth).
  • Part 5 of the Act prescribes the procedure to be followed following a data breach.

Therapeutic Goods Act 1989 (Cth)

  • Chapter 4 of the Therapeutic Goods Act 1989 (Cth) regulates 'medical devices', which may include software applications or products (e.g. smartphone apps used for insulin management, x-ray image processing systems, etc). Chapter 4 regulates the safety and proper use of medical devices, establishes standards and processes to ensure their secure use, and sets out mechanisms for enforcement.
  • Schedule 1 of the Therapeutic Goods (Medical Devices) Regulations 2002 (Cth) sets out 15 'Essential Principles' for the safety and performance of medical devices; compliance with several of them depends on the device's cyber security being adequately addressed.

Epidemiological Studies (Confidentiality) Act 1981 (Cth)

Regulatory & Policy Framework

Relevant Organisations

Inquiries & Consultations

Industry Materials
