Medical Practice Cybersecurity Checklist
A practical, plain-English cybersecurity checklist for Australian medical, dental and allied health practices.
This checklist is designed for practice managers, owners and operations staff who want a clear, practical view of where their practice stands on cybersecurity. It covers the controls we see most often in Australian medical, dental and allied health environments — and the gaps that tend to cause the most harm when something goes wrong.
Work through each section at your own pace. You can complete some items yourself, while others will need a short conversation with your IT provider or whoever manages your Microsoft 365 tenant.
Why cybersecurity matters for medical practices
Modern practices depend on technology for almost every activity — appointments, billing, clinical records, imaging, pathology results, electronic prescribing, secure messaging, email and phones. When that technology fails or is compromised, the impact is not only operational. It also touches patient trust, privacy obligations under the Privacy Act, accreditation standards and, increasingly, cyber insurance renewals.
Practices do not need to be large to be targeted. Most incidents we see do not begin with a sophisticated attack on the clinic itself. They begin with a generic phishing email, a reused password, a missed software update or a single account without multi-factor authentication.
Common cybersecurity risks in healthcare practices
The patterns below cover the majority of incidents that affect smaller practices:
- Phishing — staff are sent a convincing email that looks like it is from Microsoft, a supplier, a bank or a colleague, and asked to sign in or approve a request.
- Business email compromise — an attacker gains access to a mailbox and uses it to send fake invoices, change supplier payment details, or impersonate the owner.
- Ransomware — files on a workstation or server are encrypted, often via a compromised account or an unpatched system, and the practice cannot operate until systems are restored.
- Weak or reused passwords — staff use the same password across multiple systems, or simple passwords that appear in known data breaches.
- Shared accounts — reception, locum or after-hours accounts shared between several people, making it impossible to know who did what.
- Unmanaged devices — personal laptops, ageing PCs or old servers that are not patched, encrypted or monitored.
Identity and access
Identity is the single most important control area for a modern practice. The majority of incidents start with a compromised account, not a compromised network.
- Multi-factor authentication enforced for every user, not optional
- Each staff member has a unique account — no shared logins
- Administrator accounts are separate from day-to-day user accounts
- A documented list of who has admin access to what
- Quarterly account reviews to remove former staff and old contractors
- Strong, unique passwords stored in a password manager (not in a spreadsheet)
Email security
Email is the most common entry point for attacks against a practice. The following configuration items reduce the volume of malicious messages that reach staff inboxes and reduce the risk of impersonation:
- SPF record configured for every domain that sends email
- DKIM signing enabled in Microsoft 365 or your mail platform
- DMARC policy in place and monitored, not left at p=none indefinitely: once the aggregate reports show legitimate mail passing, move to p=quarantine and then p=reject
- Anti-phishing and impersonation protection enabled
- External sender warnings or banners on incoming email
- Process for staff to report suspected phishing in one click
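The first three items above are DNS records anyone can check. The script below is an added example, not part of the original checklist or of any vendor tooling: it parses SPF and DMARC records with the standard library only and reports the gaps the list describes (no SPF, SPF that does not fail unlisted senders, SPF over the 10-lookup limit, no DMARC, DMARC stuck at p=none or without a reporting address, no DKIM selector). The domain names and records are constructed for the example; in practice you would fetch the real ones first with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com` and pass those strings in.

```python
"""Check a practice's SPF / DMARC / DKIM posture against the email
security checklist. Records below are constructed for this example,
not real DNS data."""

# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208, section 4.6.4).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def parse_spf(record):
    """Return {'all': qualifier or None, 'lookups': n}, or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # strip ":value", "=value" and "/cidr" to get the bare mechanism name
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if the record is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(domain, spf_record, dmarc_record, dkim_selectors):
    """Plain-English findings for one domain; an empty list means no gaps found."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("no SPF record published")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF does not fail unlisted senders; end it with ~all (soft fail) or -all")
        if spf["lookups"] > SPF_LOOKUP_LIMIT:
            findings.append(f"SPF needs {spf['lookups']} DNS lookups (limit {SPF_LOOKUP_LIMIT}); "
                            "receivers will return permerror")
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        findings.append(f"no DMARC record at _dmarc.{domain}")
    else:
        if dmarc.get("p", "").lower() == "none":
            findings.append("DMARC is monitor-only (p=none); move to p=quarantine, then p=reject")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address, so nobody receives aggregate reports")
    if not dkim_selectors:
        findings.append("no DKIM selector found; enable DKIM signing and publish the selector records")
    return findings


# Constructed sample: a typical untouched tenant and a tidied-up one.
SAMPLE_DOMAINS = {
    "weak-practice.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.practicecrm.example ?all",
        "dmarc": "v=DMARC1; p=none;",
        "dkim_selectors": [],
    },
    "good-practice.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc@good-practice.example; pct=100",
        "dkim_selectors": ["selector1", "selector2"],
    },
}


def assess_all(domains=SAMPLE_DOMAINS):
    """Map each domain to its list of findings."""
    return {d: assess(d, c["spf"], c["dmarc"], c["dkim_selectors"]) for d, c in domains.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        print(domain)
        for line in findings or ["no gaps found"]:
            print("  -", line)
```

For Microsoft 365 the DKIM selectors are normally `selector1` and `selector2`, published as CNAME records at `selector1._domainkey.<your domain>`; if `dig CNAME selector1._domainkey.<your domain>` returns nothing, DKIM signing has not been set up for that domain.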
Microsoft 365 security
Most Australian practices now run Microsoft 365 for email, files and collaboration. Out-of-the-box settings prioritise ease of use, not security. A short review of the items below typically uncovers several easy improvements:
- Conditional access policies for risky sign-ins and untrusted countries
- MFA enforced via conditional access (or Security Defaults in a very small tenant), not legacy per-user MFA
- Legacy (basic) authentication blocked: POP3, IMAP, SMTP AUTH and older clients that cannot use modern authentication, because these never prompt for MFA even when it is enforced
- Secure external sharing defaults for SharePoint and OneDrive
- Microsoft 365 audit log retention enabled and monitored
- A clear joiner / mover / leaver process for staff accounts
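Before asking your IT provider to block legacy authentication or tighten conditional access, it helps to know which accounts would be affected. The script below is an added example, not part of the original checklist or of Microsoft's tooling: it reads an exported Entra ID sign-in log and reports, per account, successful sign-ins over basic-auth protocols, sign-ins that completed without MFA, successful sign-ins from unexpected countries, and failed attempts from abroad. Field names follow the Microsoft Graph `signIn` resource (`userPrincipalName`, `clientAppUsed`, `authenticationRequirement`, `location.countryOrRegion`, `status.errorCode`); the list of legacy client-app values and the expected-country allowlist are assumptions for the example, and the sign-in records are constructed, not taken from a real tenant.

```python
"""Triage an exported Entra ID sign-in log against the Microsoft 365
checklist. Sample records are constructed for this example."""
import json
from collections import defaultdict

# Client-app values Entra reports for basic-auth protocols (assumption: the
# subset most often seen in a practice; Microsoft's full list is longer).
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Exchange ActiveSync", "Exchange Web Services",
    "IMAP4", "POP3", "Other clients", "Outlook Anywhere (RPC over HTTP)",
}
# Where staff are expected to sign in from (assumption for the example).
EXPECTED_COUNTRIES = {"AU"}

# Constructed export in the shape of a Graph /auditLogs/signIns response.
SAMPLE_EXPORT = json.dumps({"value": [
    {"userPrincipalName": "reception@practice.example", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "dr.smith@practice.example", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "dr.smith@practice.example", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "locum@practice.example", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication",
     "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "locum@practice.example", "clientAppUsed": "POP3",
     "authenticationRequirement": "singleFactorAuthentication",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
    {"userPrincipalName": "manager@practice.example", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
]})


def load_sign_ins(text):
    """Accept either a Graph response ({"value": [...]}) or a bare list of sign-ins."""
    data = json.loads(text)
    return data["value"] if isinstance(data, dict) else data


def triage(sign_ins):
    """Per-account findings; accounts with nothing to report are left out."""
    report = defaultdict(lambda: {"legacy_clients": set(), "no_mfa": 0,
                                  "unexpected_countries": set(), "failed_abroad": 0})
    for entry in sign_ins:
        upn = entry["userPrincipalName"].lower()
        country = entry.get("location", {}).get("countryOrRegion")
        abroad = bool(country) and country not in EXPECTED_COUNTRIES
        if entry.get("status", {}).get("errorCode", 0) != 0:
            # A failed attempt is not a compromise, but repeated failures from
            # abroad over legacy protocols usually mean password spraying.
            if abroad:
                report[upn]["failed_abroad"] += 1
            continue
        if entry.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            report[upn]["legacy_clients"].add(entry["clientAppUsed"])
        if entry.get("authenticationRequirement") == "singleFactorAuthentication":
            report[upn]["no_mfa"] += 1
        if abroad:
            report[upn]["unexpected_countries"].add(country)
    return {upn: r for upn, r in report.items()
            if r["legacy_clients"] or r["no_mfa"] or r["unexpected_countries"] or r["failed_abroad"]}


if __name__ == "__main__":
    for upn, r in sorted(triage(load_sign_ins(SAMPLE_EXPORT)).items()):
        print(upn, json.dumps({k: sorted(v) if isinstance(v, set) else v for k, v in r.items()}))
```

In the sample, `reception@` is the account that would break when basic auth is blocked (it reads mail over IMAP4 and has never been prompted for MFA), `locum@` signs in with a single factor from a desktop client and is being guessed at from overseas, and `dr.smith@` passed MFA from an unexpected country, which is either travel or a stolen session and needs a phone call. The same legacy-auth view is available interactively in the Entra admin centre by filtering the sign-in logs on Client app; the portal's Download button also exports JSON in the shape this script reads.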
Devices
Workstations, laptops and servers used by the practice should be managed, monitored and kept current. Personal devices that handle practice data need a clear policy.
- Modern endpoint protection (EDR) on every workstation and server
- Operating system and application patches applied on a defined schedule
- Disk encryption (BitLocker) enabled on every laptop, with recovery keys backed up to Entra ID or Intune rather than held only on the device or on a sticky note
- Devices retired before they reach end-of-support
- A current asset list — who has which device
- USB and removable media controls where appropriate
Backups
Backups are the single most important control if something does go wrong. The most common backup failures we see are not the absence of backups — they are backups that have never been restored, or backups that do not cover Microsoft 365 data.
- Server, file and database backups run on a defined schedule
- Microsoft 365 data (email, OneDrive, SharePoint, Teams) is backed up
- Backups are stored off-site or in a separate cloud tenancy, and at least one copy cannot be deleted or encrypted with the same credentials that run the practice's day-to-day systems
- At least one full restore is tested every year
- Documented recovery procedures the practice manager can follow
- Defined retention periods that align with practice requirements
Staff awareness
Staff are not the problem — but they are the most frequent target. Short, regular awareness training is far more effective than an annual one-hour session that is immediately forgotten.
- Every staff member completes cybersecurity awareness training at least once a year, delivered as short modules rather than a single long session
- New starters are briefed on phishing and password practices during onboarding
- A simple, well-known way to report suspicious emails
- Practice manager is notified of repeated phishing attempts
- Simulated phishing exercises run once or twice a year
Incident response
Every practice should have a short written plan that answers two questions: who do we call, and what do we do first. It does not need to be long — it needs to be findable and current.
- Written incident response contacts pinned at reception and in shared drives
- Primary IT/security contact with after-hours availability
- Defined steps for isolating an infected device: disconnect it from the network and Wi-Fi, do not wipe or reinstall it, and call the IT contact
- Awareness of the Notifiable Data Breaches scheme obligations, including the 30-day window for assessing a suspected eligible data breach
- Cyber insurer hotline details (if applicable) recorded in the plan
- Annual tabletop exercise to walk through a realistic scenario
Practice manager action checklist
If you are time-poor, the following short list is the most useful place to start. Tackling these items first will materially reduce the likelihood of a serious incident.
- Confirm MFA is enforced for every user in Microsoft 365.
- List everyone with administrator access and remove anyone who no longer needs it.
- Remove shared logins where individual accounts would do. Where a shared inbox is genuinely needed, keep it as a Microsoft 365 shared mailbox with sign-in blocked, delegated to named users, rather than a licensed account whose password is passed around.
- Confirm Microsoft 365 data is backed up to a separate location.
- Run a real restore test in the next 90 days.
- Document an incident response contact list and share it with all staff.
- Schedule a cybersecurity refresher for the whole team.
Need help working through this list? Review the common IT risks we see in medical practices, explore our healthcare IT services, or book a Healthcare IT & Cybersecurity Alignment Review.
Book a Healthcare IT & Cybersecurity Alignment Review
Get a practical review of your clinic’s IT controls, access management, backups, documentation and cybersecurity posture against common healthcare governance and accreditation-supporting expectations.
Frequently asked questions
Who is this cybersecurity checklist for?
It is written for practice managers, clinic owners and operations staff in Australian medical, dental and allied health practices. You do not need a technical background — each item is described in plain English so you can walk through it with your IT provider.
How long does it take to work through this checklist?
Most practices can review the checklist in 30 to 60 minutes. Confirming the actual status of each control — for example whether MFA is enforced for every user — usually requires input from your IT provider or whoever manages your Microsoft 365 tenant.
Do we need all of these controls in place to be 'secure'?
No single checklist can guarantee that a practice is secure. The aim is to identify the most common gaps and reduce the likelihood and impact of an incident. Cybersecurity is a continuous activity, not a one-off project.
Where should a small practice start?
Start with identity and email — enforce multi-factor authentication for every user, remove shared accounts, and review who has administrator access. These changes typically deliver the biggest reduction in risk for the least effort.
Is this checklist aligned with the Essential Eight?
Yes, the checklist is informed by the ACSC Essential Eight, the Australian Privacy Principles and the typical expectations practices encounter at accreditation and cyber insurance renewal. It is not a formal compliance assessment.
Who should respond if our practice has a suspected incident?
Your incident response plan should identify a primary contact (often the practice manager) and the IT provider or security partner who will lead the technical response. Staff should know who to call before any incident occurs, not during one.
Do we need to write everything down?
Yes. A short written record of your controls, accounts, suppliers and recovery steps is one of the most useful things a practice can have. It also makes accreditation and insurance renewal significantly easier.
How often should we review this checklist?
We recommend a full review at least once a year, and after any major change — new staff, new software, a change of IT provider, a change of premises, or after any security incident.
Talk to a healthcare-focused IT partner
Book a Healthcare IT & Cybersecurity Alignment Review or request an onsite visit.
Explore more guides: Healthcare IT Risks · Our Services