Report snapshot: Cyber security in Local Health Districts
This audit assessed whether NSW Health is effectively safeguarding the clinical systems required to support healthcare delivery in Local Health Districts from cyber threats.
Conclusion
NSW Health is not effectively managing cyber security risks to the clinical systems that support healthcare delivery in Local Health Districts. In addition, Local Health Districts have not met the minimum NSW Government cyber security requirements that have been set out in the NSW Cyber Security Policy since 2019.
Local Health Districts are not adequately prepared to respond effectively to cyber security incidents. Systemic non-compliance with NSW Government cyber security requirements, including maintaining adequate cyber security response plans, business continuity planning and disaster recovery for cyber security incidents, means that Local Health Districts could not demonstrate that they are prepared for, or resilient to, cyber threats. This exposes the risk that a preventable cyber security incident could disrupt access to healthcare services and compromise the security of sensitive patient information.
eHealth NSW has not clearly defined or communicated its roles and the expected roles of Local Health Districts regarding cyber security. This has led to confusion amongst Local Health Districts on the cyber security risks they manage, including for crown jewel assets (the ICT assets regarded as valuable or operationally vital for service delivery), and identifying and mitigating critical vulnerabilities, threats and risks. Local Health District management of cyber security is hampered by a lack of support, coordination and oversight from eHealth NSW in cyber security matters.
Recommendations
The audit recommended that:
- The Ministry of Health collate and validate information on compliance with the NSW Cyber Security Policy
- The Ministry of Health finalise and communicate cyber security roles and responsibilities within the NSW Health system
- eHealth NSW develops clear guidance for Local Health Districts on balancing the need to deliver clinical services with meeting cyber security requirements, and supports Local Health Districts to improve their cyber security capability
- Local Health Districts design and implement a fit-for-purpose cyber security risk management framework.
Further information
Please contact Renee O'Kane, Chief of Staff, on 9275 7347 or by email.