The NSW Auditor General December 2025 report on Cyber security in Local Health Districts states
NSW Health is not effectively managing cyber security risks to clinical systems that support healthcare delivery in Local Health Districts. In addition, Local Health Districts have not met the minimum NSW Government cyber secuements, including maintaining adequate cyber security response plans, business continuity planning and disaster recovery for cyber security incidents, means that Local Health Districts could not demonstrate that they are prepared for, or resilient to, cyber threats. This exposes the risk that a preventable cyber security incident could disrupt access to healthcare services and compromise the security of sensitive patient information. eHealth NSW has not clearly defined or communicated its roles and the expected roles of Local Health Districts regarding cyber security. This has led to confusion amongst Local Health Districts on the cyber security risks they manage, including for crown jewel assets (the ICT assets regarded as valuable or operationally vital for service delivery), and identifying and mitigating critical vulnerabilities, threats and risks. Local Health District management of cyber security is hampered by a lack of support, coordination and oversight from eHealth NSW in cyber security matters.
The report states
The New South Wales (NSW) public health system includes more than 220 public hospitals, community and other public health services. 15 Local Health Districts across NSW administer the hospitals and other health services. eHealth NSW was established in 2014 to provide statewide leadership on the planning, implementation and support of information communication technologies (ICT) and digital capabilities across NSW Health. Health service delivery is increasingly reliant on digital systems, which in turn requires the effective management of cyber security risks. Cyber attacks can harm health service delivery and may include the theft of information, breaches of private health information, denial of access to critical technology or even the hijacking of systems for profit or malicious intent. These outcomes can adversely affect the community and damage trust in government.
Audit objective
This audit assessed whether NSW Health is effectively safeguarding clinical systems, required to support healthcare delivery in Local Health Districts, from cyber threats. The audit assessed this with the following questions: Do relevant NSW Health organisations effectively manage cyber security risks to clinical systems? Do relevant NSW Health organisations effectively respond to cyber attacks that affect the clinical systems that are essential for service delivery? To focus the audit, 4 of the 15 Local Health Districts were selected for audit. These districts are referred to as ‘the audited Local Health Districts’ throughout this report. The audit further focused on one facility in each of the audited Local Health Districts that provided a common type of healthcare service. The names of the audited Local Health Districts, selected facilities and healthcare services are not disclosed.
Conclusion
NSW Health is not effectively managing cyber security risks to clinical systems that support healthcare delivery in Local Health Districts. In addition, Local Health Districts have not met the minimum NSW Government cyber security requirements that have been outlined in NSW Cyber Security Policy since 2019. Local Health Districts are not adequately prepared to respond effectively to cyber security incidents. Systemic non-compliance with NSW Government cyber security requirements, including maintaining adequate cyber security response plans, business continuity planning and disaster recovery for cyber security incidents, means that Local Health Districts could not demonstrate that they are prepared for, or resilient to, cyber threats. This exposes the risk that a preventable cyber security incident could disrupt access to healthcare services and compromise the security of sensitive patient information. eHealth NSW has not clearly defined or communicated its roles and the expected roles of Local Health Districts regarding cyber security. This has led to confusion amongst Local Health Districts on the cyber security risks they manage, including for crown jewel assets (the ICT assets regarded as valuable or operationally vital for service delivery), and identifying and mitigating critical vulnerabilities, threats and risks. Local Health District management of cyber security is hampered by a lack of support, coordination and oversight from eHealth NSW in cyber security matters.
Key findings are
Local Health Districts do not manage cyber security risks effectively
Local Health Districts generate, use and maintain large volumes of sensitive personal and health information about patients. The NSW Cyber Security Policy sets out an expectation that cyber security efforts are commensurate with the potential effect of a successful cyber breach. Under NSW Health policy, Local Health Districts, in collaboration with eHealth NSW, are responsible for managing cyber security and resourcing a fit-for-purpose cyber security function. The current NSW Cyber Security Policy 2023–2024 recognises that agencies providing critical or high-risk services, such as Local Health Districts, should implement a wider range of controls and aim for broader coverage and effective implementation of additional controls. However, the audited Local Health Districts have not complied with the minimum requirements of the NSW Cyber Security Policy since it was introduced in 2019. None of the four districts had effective cyber security plans. Local Health Districts that do not have effective cyber security plans cannot articulate their approach to managing cyber security risks and are not adequately prepared to respond to and manage cyber security risks and incidents.
Local Health Districts do not have plans and processes in place to respond effectively to a cyber attack
None of the audited Local Health Districts had effective cyber security response plans. Nor did Local Health District business continuity plans and disaster recovery plans consider cyber security risks. Local Health Districts that do not have effective cyber security response, disaster recovery or business continuity plans that include considerations of cyber security, may not be able to safeguard clinical systems against potential cyber security incidents. This may also hamper responses during an incident because roles and responsibilities may not be understood, and actions to address cyber security incidents may not be undertaken as quickly as required, affecting the delivery of services to patients.
NSW Health has not clearly communicated cyber security roles and responsibilities amongst NSW Health organisations
eHealth NSW coordinates cyber security matters within NSW Health. However, eHealth NSW has not clearly defined and communicated its roles and the expected roles of Local Health Districts for cyber security. This has led to confusion amongst Local Health Districts on the cyber security risks they manage, including for crown jewel assets (the ICT assets regarded as valuable or operationally vital for service delivery) and identifying and mitigating critical vulnerabilities, threats and risks. eHealth NSW does not provide Local Health Districts with sufficient support to manage cyber security risks, and Local Health Districts have not applied the tools provided by eHealth NSW to all clinically important systems eHealth NSW has developed and distributed cyber security frameworks, guidance and training to all Local Health Districts. eHealth NSW has developed whole-of-system tools to meet key requirements of the NSW Cyber Security Policy and improve the effectiveness of Local Health Districts’ cyber security activities. These tools include risk assessment frameworks. However, eHealth NSW has not ensured that its tools have been implemented in Local Health Districts, nor whether Local Health Districts have the capability or capacity to do so. In the audited Local Health Districts, the effectiveness of eHealth’s cyber threat identification tools is hampered by incomplete application to all clinically important ICT assets. This means that critical systems used by Local Health Districts to deliver, or support the delivery of, clinical treatment are not effectively protected from cyber security incidents.
Local Health Districts do not have an effective cyber security culture
In all audited Local Health Districts, critical cyber security controls are not consistently applied by clinical staff who perceive a tension between the urgency of clinical service delivery and the importance of cyber security policies. This has led to normalisation of non-compliance with cyber security controls. This audit observed clinical staff non-compliance at all audited Local Health Districts with multiple cyber security controls that Local Health Districts had put in place. Despite known systemic non-compliance by clinical staff, the audited Local Health Districts have not assessed the effectiveness of the controls they have put in place, nor have they identified any alternatives that might balance the need for clinical urgency with effective cyber security practice. In addition, they have not considered investing in alternative ICT solutions that better meet the needs of clinical staff while also addressing cyber security concerns.
NSW Health’s Cyber Security Policy attestation lacks transparency on the level of cyber security capability within the health system
The NSW Cyber Security Policy requires an agency head to attest to the agency’s compliance with the policy. In 2023, eHealth NSW surveyed all NSW Health organisations, including Local Health Districts, on their self-assessed maturity against the NSW Cyber Security Policy in developing a summary assessment for NSW Health to inform its attestation of NSW Cyber Security Policy compliance. That summary showed that Local Health Districts had immature cyber security controls, including for the Essential Eight controls – the most effective set of controls identified by the Australian Cyber Security Centre. However, in 2024, the survey was not completed, so NSW Health aggregated its assessment of whether NSW Health organisations had met NSW Cyber Security Policy requirements. This audit identified systemic Local Health District non-compliance with NSW Cyber Security Policy. The 2024 attestation therefore obscures the risks that exist in Local Health Districts. If NSW Health continues to attest to Cyber Security Policy compliance in the aggregate, the risk is that neither NSW Health nor Cyber Security NSW fully understand where and what the cyber security risks are across NSW Health organisations.
Recommendations
The Ministry of Health should:
by October 2025, collate and validate information on compliance with NSW Cyber Security Policy by each entity that reports to or via the Ministry of Health prior to annual attestation by December 2025, finalise and communicate cyber security roles and responsibilities within the NSW Health system.
By December 2025, eHealth NSW should:
work with the Ministry of Health to develop clear guidance for Local Health Districts on the obligation to manage the need to deliver clinical services while meeting critical cyber security requirements determine and apply sufficient resources to support the Privacy and Security Assessment Framework and Cyber Security Risk Assessments in Local Health Districts support Local Health Districts to improve cyber security capability by articulating a whole-of-health cyber security risk appetite statement providing direct assistance to localise centrally developed tools and frameworks ensuring all Local Health District crown jewel assets are monitored by the Health Security Operations Centre.
By December 2025, Local Health Districts should:
design and implement a fit-for-purpose cyber security risk management framework incorporating: an enterprise cyber security risk appetite statement, which aligns with the whole-of-health statement complete up-to-date cyber security and cyber security response plans, which are regularly tested and updated investment in establishing and maintaining the Essential Eight cyber controls cyber security controls that identify and address the root causes of non-compliance and balance the need for clinical urgency with effective cyber security consideration of cyber security needs in the implementation of any new clinical systems.
