On 10 December 2020, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Bill) was introduced and read into Parliament only a month after its release.
The Security of Critical Infrastructure Act 2018 (SoCI Act) currently does not impose any positive security obligations on critical infrastructure assets (e.g. electricity, gas, water and maritime ports), including mandatory cyber security reporting. The Bill aims to strengthen the security of infrastructure in a number of key sectors, including the health care and medical sector.
The Government intends to achieve this by introducing additional positive obligations, including sector specific risk management programs, mandatory cyber incident reporting, enhanced cyber security obligations for systems of national significance and the introduction of government assistance in responding to significant cyber attacks.
The proposed reforms extend the application of the SoCI Act to a number of additional “critical infrastructure sectors” including those operating in the “health care and medical sector”.
The “health care and medical sector” is broadly defined as the sector that involves:
Additional sectors include the communications sector (relevant to telehealth services), the financial services and markets sector (including health insurance business), the data storage or processing sector (such as cloud service providers) and the food and grocery sector.
The proposed reforms have introduced a number of obligations to those operating in the health care and medical sector, including (amongst others):
The “responsible entity” for one or more “critical infrastructure assets” must have, and comply with, a critical infrastructure risk management program.
Responsible entities are those entities with ultimate operational responsibility for the “critical infrastructure asset”. These entities have effective control or authority over the operations and functioning of the asset as a whole (even if they do not have direct control over a particular part of the asset), and are in a position to engage the services of contractors and other operators.
In the context of the health care and medical sector, the “critical infrastructure assets” relate to those owned or operated by a hospital with a general intensive care unit. If the critical hospital is a public hospital, the responsible entity is the local hospital network that operates the hospital. Alternatively, if the critical hospital is a private hospital, the responsible entity is the entity that holds the license, approval or authorisation under state/territory law to operate the hospital.
The purpose of a critical infrastructure risk management program is to identify each hazard where there is a material risk and to minimise, eliminate and mitigate the relevant impact of such a hazard. The Government has not yet detailed the sector specific rules applicable to risk management programs for the health care and medical sector. These are anticipated to be developed in early 2021 through a co-design process with the industry.
The Bill introduces an obligation to notify the Australian Signals Directorate of any cyber security incident which has a relevant impact on a critical infrastructure asset. The responsibility for notification lies with the responsible entity for the asset. Broadly, depending on the severity of the cyber security incident, the responsible entity for the critical infrastructure asset must notify the relevant Commonwealth body between 12 and 72 hours after the entity becomes aware of the incident.
The responsible entity for a system of national significance may be subject to statutory incident response planning, including a requirement to undertake a cyber security exercise and vulnerability assessment.
In determining whether an asset is of national significance, the Minister must have regard to:
if a hazard were to occur that had a significant relevant impact on the asset; and
The Bill also establishes a regime for government assistance and intervention to respond to serious “cyber security incidents”.
A “cyber security incident” is defined as one or more acts, events or circumstances involving any of the following:
A “serious cyber security incident” is one that has, or is likely to have, a relevant impact on a critical infrastructure asset. In such cases, the Minister may, in order to respond to the incident, do any or all of the following things:
It is intended that direct government intervention in relation to assets is appropriately reserved for extraordinary circumstances. That is, the Minister must be satisfied that legally compelling the entity to do the action would not amount to a practical and effective response to the incident.
Cyber security incidents are a significant area of concern to those operating in the health care and medical sector given the sensitivity of data in this sector.
It is important for those operating in the health care and medical sector to understand the obligations imposed by the Bill and to develop a cyber security program that takes proactive measures to minimise the risk of malicious attacks or cyber security incidents.
If the Bill is passed, the reforms are likely to take effect from mid-2021. Sector specific rules are expected to be developed in early 2021 through a co-design process with the industry.
Please contact us for more information.
Authored by Mandi Jacobson and Angell Zhang