Essential Eight for Medical Practices
The Australian Cyber Security Centre Essential Eight, explained in plain English for medical, dental and allied health practices.
The Essential Eight is a set of eight mitigation strategies published by the Australian Cyber Security Centre (ACSC). They are widely used in Australia as a reference for what good cybersecurity looks like inside an organisation — including medical, dental and allied health practices.
This page explains each mitigation in plain English, with practical context for healthcare practices. It is not a compliance assessment, and it does not turn a practice into a "certified" anything. Used well, it is a useful structure for prioritising cybersecurity work over the next 12 to 24 months.
What is the Essential Eight?
The Essential Eight is the ACSC's recommended baseline set of mitigations against common cyber threats. It groups controls into eight areas, each described at four maturity levels (zero through three). Most small Australian organisations aim for Maturity Level One as a credible starting point.
For medical practices, the value of the Essential Eight is not the label. It is the structure. Each of the eight areas maps to a category of incident we routinely see affect smaller practices.
Why healthcare is frequently targeted
Healthcare attracts attention for several reasons. Practices hold sensitive personal and health information. They run business-critical systems with low tolerance for downtime — every cancelled consulting session has a real cost. They often use a mix of cloud and on-premises systems, with several different vendors connected to the environment. And many practices have grown organically, with IT decisions made over many years and across several providers.
None of this means a practice is doing the wrong thing. It does mean a structured approach is more useful than ad-hoc improvements.
The eight mitigations, in plain English
1. Application control
Application control prevents software that has not been approved from running on practice devices. The aim is to reduce the impact of malware, including ransomware, that arrives via email or web downloads. For small practices, a sensible starting point is to combine modern endpoint protection with a process for managing what software is allowed on practice-owned devices.
2. Patch applications
Patching applications — web browsers, PDF readers, Microsoft Office, line-of-business and practice management software — is one of the highest-value activities a practice can do. Most successful attacks against small organisations exploit known vulnerabilities that already have a fix available. The goal is a defined patch cycle rather than relying on individual users to remember to update.
3. Microsoft Office macro controls
Office macros are small programs that can run inside Word, Excel and other Office documents. They are a common delivery method for malware. The Essential Eight recommends that macros from the internet are blocked by default, and that macros are only allowed where there is a clear business need. Most medical practices do not need macros at all.
4. User application hardening
User application hardening reduces the attack surface of the software that staff use every day — primarily web browsers and email clients. It includes disabling legacy features (such as old browser plugins), restricting risky content, and enforcing secure defaults. Most of this can be configured centrally in Microsoft 365 and modern Windows.
5. Restrict administrative privileges
Administrator accounts can change configurations, install software and access more data. They are also the primary target of an attacker who has compromised a user. The principle is simple: most staff do not need administrator rights, and the people who do should use separate accounts for admin tasks rather than logging in as administrator all day.
6. Patch operating systems
Operating system patching covers Windows, Windows Server, macOS where used, and the firmware on network devices. Practices should also retire systems that have reached end-of-support — they no longer receive security fixes and are a known weak point in many incidents.
7. Multi-factor authentication
Multi-factor authentication (MFA) requires a second verification step in addition to a password. It is the single most effective defence against compromised credentials and the most common control referenced by both insurers and accreditation bodies. For medical practices, MFA should apply to email, remote access and any cloud admin portal, with no exceptions for "VIP" users.
8. Regular backups
Backups are the foundation of recovery from any serious incident, including ransomware. The Essential Eight focuses on the existence of backups, their protection from tampering, and the testing of restoration. A backup that has never been restored should not be trusted to work when it matters.
How small practices can approach the Essential Eight
The Essential Eight is most useful as a structured improvement plan, not as a pass/fail assessment. A practical approach for a small practice looks like this:
- Baseline. Work with your IT provider to honestly assess where you sit on each of the eight mitigations today.
- Prioritise. Tackle MFA, patching and admin privileges first — these are the highest-impact controls for most practices.
- Sequence. Move into application hardening, macro controls and application control as the environment matures.
- Operationalise backups. Add testing and Microsoft 365 backup if they are missing.
- Review. Reassess annually, and after any major change or incident.
Common mistakes
- Treating the Essential Eight as a one-off project rather than an ongoing discipline.
- Implementing controls but never testing them — especially backups.
- Granting "temporary" admin rights that quietly become permanent.
- Leaving legacy authentication enabled in Microsoft 365 because "one app needs it".
- Assuming that MFA on email is enough, while remote access or admin portals still accept passwords alone.
Prioritisation strategy
If you have to choose where to invest first, the order we suggest for most healthcare practices is: MFA, then patching, then admin privileges, then backups, then macro and application hardening, then application control. This sequence prioritises the controls that prevent and contain the most common incidents.
Maturity levels explained simply
Each mitigation is described at four maturity levels:
- Maturity Level Zero — the mitigation is not implemented or has significant gaps.
- Maturity Level One — the baseline expected for most small organisations. A reasonable target for a small practice over 12 to 24 months.
- Maturity Level Two — broader coverage, more rigorous controls and better evidence. Appropriate for higher-risk environments.
- Maturity Level Three — the strongest level, with significant ongoing operational effort.
What "aligned with the Essential Eight" actually means
Phrases such as "aligned with the Essential Eight" or "working towards Maturity Level One" describe the direction of travel and the target maturity. They are not certifications. The Essential Eight does not have its own certification scheme, and practices should be cautious of suppliers who describe their work as making the practice "certified" or "compliant".
Why the Essential Eight is a journey
The Essential Eight is not a destination. Software changes, threats change and the practice itself changes — new staff, new locations, new clinical systems. The most successful practices treat the Essential Eight as a structure for the next conversation with their IT partner, not a one-off checklist.
Want a starting baseline? Book a Healthcare IT & Cybersecurity Alignment Review, explore our healthcare IT services, or read about the common IT risks we see in medical practices.
Frequently asked questions
Are medical practices required to implement the Essential Eight?
The Essential Eight is mandatory for many Australian Government entities. It is not formally mandated for private medical practices, but it has become a widely accepted reference point and is referenced by insurers, accreditation bodies and IT providers. Aligning with the Essential Eight is a sensible benchmark, not a legal obligation.
Can a small practice realistically implement all eight mitigations?
Yes, but not overnight, and not at the highest maturity level. A small practice can credibly work towards Maturity Level One across all eight over 12 to 24 months with the right IT partner. Higher maturity levels require more investment and ongoing operational effort.
What is the difference between Maturity Level Zero, One, Two and Three?
Maturity Level Zero means a mitigation is not implemented or has significant weaknesses. Maturity Level One is the baseline expected for most small organisations. Maturity Levels Two and Three add more rigorous controls, broader coverage and stronger evidence requirements, and are typically aimed at organisations with higher risk profiles.
Which mitigation should a medical practice tackle first?
For most practices, multi-factor authentication and patching of operating systems and applications deliver the largest immediate reduction in risk. Restricting administrative privileges is a close third.
Does "aligned with the Essential Eight" mean we are certified?
No. The Essential Eight does not have a formal certification scheme of its own. Phrases like "aligned with the Essential Eight" or "working towards Maturity Level One" describe the direction and target — they are not certifications and should not be presented as such.
Does Microsoft 365 cover the Essential Eight on its own?
Microsoft 365 provides building blocks for several of the mitigations — particularly multi-factor authentication, patching of cloud services and audit logging — but it does not cover application control, endpoint patching of every workstation, macro hardening at the device level, or restored backup testing. Configuration still matters.
How long does Essential Eight uplift typically take?
Most small practices reach a credible Maturity Level One position over 6 to 18 months, depending on the starting point, the engagement of staff and the budget available. Maturity Level Two takes longer and requires ongoing operational effort, not just a one-off project.