Industry · Health

IT and cybersecurity for Australian private health practices.

Clinical information is the most sensitive data an SMB handles. The obligations around it are strict, the attacks against it are targeted, and each practice-management system comes with its own quirks. We run the systems around the clinical apps so the clinicians can get on with clinical work.

What's actually different in health

Private health is clinical work plus regulatory hygiene.

A GP clinic, specialist rooms, an allied-health group, a private day-surgery: the clinical work varies, but the systems pattern is surprisingly similar. A practice-management platform at the centre, a pathology and imaging integration layer, Microsoft 365 for the admin side, a backup arrangement that is often more optimistic than tested, and a staff group working across multiple roles and devices.

The obligations are likewise consistent: Australian Privacy Principles for all personal and sensitive information, My Health Record-specific controls if you're connected to the platform, and state-based health-information laws where applicable. Compliance isn't a product you buy; it's a posture you operate.

Most incidents we see in this sector don't start with a clinical system. They start with a receptionist's email, a recycled password, or a server running an OS that stopped receiving patches eighteen months ago. The clinical stack gets blamed; the underlying environment is where the failure actually happened.

Live right now · Health

The 2026 pressure points we're actively working on with clients.

The specific asks, deadlines and enforcement actions shaping 2026 conversations in your sector.

My Health Record 'Share by Default', 1 July 2026

From 1 July 2026, prescribed providers must upload pathology and diagnostic imaging reports to My Health Record by default unless a patient opts out. Registration failures carry penalties up to $82,500; missed uploads up to $9,900 each. Practices that haven't connected yet should apply for an extension in March 2026 and start the integration work now.

My Health Records Rules 2026: written security policy required

Every registered provider organisation now needs a documented security and access policy covering staff authorisation, training and IT account management, specific to My Health Record access. "We have MFA" doesn't satisfy it. The policy has to exist on paper and be reviewed.

AHPRA + RACGP AI-scribe guidance

The AHPRA shared code update (August 2024) and the RACGP AI-scribe fact sheet (July 2024) bind clinicians using tools like Heidi, Lyrebird, Smart Scribe and Nuance DAX to documented privacy, consent and clinical-verification obligations. Practices deploying AI scribes without a written policy are exposed. We help clients write and operate the policy.

Mandatory ransomware payment reporting, 72 hours

Businesses above $3M turnover must report ransomware payments to ASD within 72 hours under the Cyber Security Act (commenced 30 May 2025). This captures most group GP practices, specialist clinics, allied-health groups and private day surgeries. The IR plan isn't optional any more.

Frameworks that turn up in the room

Industry frameworks, regulations and audit standards for health in Australia.

Privacy Act 1988 + APPs
Health information is a special category of sensitive information under the Australian Privacy Principles. Any practice handling it (effectively all of them) inherits the full APP obligations plus the Notifiable Data Breaches scheme.
My Health Records Act 2012
Practice management systems connected to My Health Record carry specific security and audit obligations, including restrictions on who can access the data and what it can be used for. Non-compliance carries civil penalties.
RACGP / AHPRA practice standards
Accreditation standards reference secure information handling, backup practices, and staff training on privacy. Not a technology specification, but your next re-accreditation visit will ask.
State-based health information laws
Several states have additional legislation (e.g. the Health Records and Information Privacy Act 2002 in NSW; the Health Records Act 2001 in Victoria) layering obligations on top of the APPs.
ACSC Essential Eight
The control baseline increasingly referenced by private-hospital operators, insurers, and larger allied-health networks. See /essential-eight for the maturity model.

Common questions

The things health clients ask us first.

Can you manage our practice-management software (Best Practice, Medical Director, Genie, Gentu, Halaxy, etc.)?
We manage the environment those applications run on: the server or cloud tenant, the devices, the network, the backups, the identities, the access reviews. Application-level support (how a template works, how a prescription prints) stays with the software vendor. We know the boundary and we own everything on the systems side end-to-end.
Our current IT person installed Windows 11 on our server. Is that a problem?
Yes. Server operating systems and desktop operating systems aren't interchangeable. Desktop Windows isn't licensed or designed for hosting multi-user services, and a lot of compliance auditors will pick it up immediately. We'd rebuild it properly and tell your auditor what we did, so the next visit is clean.
Is our backup OK if the practice gets ransomware?
The honest answer is "we'd need to test it to tell you." A backup that has never been restored is a hope, not a control. Our backup service performs automated validation every business day and a full disaster-recovery test once a year; after the first full test we report the actual recovery time so you know the answer before you need it.
A GP thinks an email they clicked might have been a scam. What do we do?
Don't send anything else through that mailbox, don't delete the email, and ring us. We'll isolate the account, verify whether credentials were entered or harvested, and check for any forwarding rules or session-based persistence that wouldn't show up on a password reset. If it was nothing, we document it and close the ticket. If it was something, the first hour is where most of the damage is prevented.
Can clinicians use Microsoft 365 Copilot, AI scribe tools, or ChatGPT on patient data?
Extremely carefully, and only on enterprise tiers with the right data-handling terms. The obligations under the Privacy Act and the My Health Records Act don't bend for AI, and several AI transcription and scribe tools in clinical use have had their data-residency and training-use terms change repeatedly. We help practices assess specific tools (Heidi, Lyrebird, Nuance DAX, Microsoft 365 Copilot, Claude for Work), check data handling against APP obligations, and write an acceptable-use policy clinicians can actually follow. Consumer-tier tools are blocked at DNS level.
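One way to do the forwarding-rule check from the phishing answer above, as an added example that is not the page's or the provider's own tooling. It assumes the mailbox's inbox rules have already been exported from Exchange Online into JSON (for instance via `Get-InboxRule | ConvertTo-Json`) with the field names shown; the practice domain, the sample rules and the external address in them are all constructed for illustration. The script flags the patterns that survive a password reset: rules that redirect mail outside the tenant, delete or bury matching messages, key on sensitive words, or carry a throwaway name.

```python
"""Triage a mailbox's inbox rules after a suspected phishing click.

Added example, not the page author's code. Assumes rules exported from
Exchange Online (e.g. Get-InboxRule | ConvertTo-Json) as a JSON list of
objects with the field names used below. Sample data is constructed.
"""
import json
from dataclasses import dataclass

# Assumed: the practice's own mail domains; anything else counts as external.
PRACTICE_DOMAINS = {"example-clinic.com.au"}

# Folders attackers commonly use to hide mail from the mailbox owner.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "archive", "conversation history"}
# Keywords that suggest the rule is intercepting security or finance traffic.
SENSITIVE_TERMS = {"password", "invoice", "payment", "bank", "security",
                   "mfa", "verification", "statement", "remittance"}

# Constructed sample export: three rules, the middle one benign.
SAMPLE_RULES_JSON = json.dumps([
    {"Name": ".", "Enabled": True, "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ["Recipient <attacker-mailbox@example.net>"],  # constructed
     "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": ["invoice", "payment"], "BodyContainsWords": [],
     "MarkAsRead": True},
    {"Name": "Lab results to shared folder", "Enabled": True, "ForwardTo": [],
     "ForwardAsAttachmentTo": [], "RedirectTo": [], "DeleteMessage": False,
     "MoveToFolder": "Pathology", "SubjectContainsWords": [],
     "BodyContainsWords": [], "MarkAsRead": False},
    {"Name": "aaa", "Enabled": True,
     "ForwardTo": ["reception@example-clinic.com.au"],
     "ForwardAsAttachmentTo": [], "RedirectTo": [], "DeleteMessage": False,
     "MoveToFolder": "RSS Feeds", "SubjectContainsWords": [],
     "BodyContainsWords": ["password", "security alert"], "MarkAsRead": True},
])


@dataclass
class Finding:
    rule: str
    reasons: list


def _addresses(entries):
    """Extract bare addresses from Exchange strings like 'Name <addr>'."""
    out = []
    for e in entries or []:
        addr = e[e.rfind("<") + 1:e.rfind(">")] if "<" in e else e
        out.append(addr.strip().lower())
    return out


def triage_rules(rules_json, own_domains=PRACTICE_DOMAINS):
    """Return a Finding for each enabled rule showing compromise indicators."""
    findings = []
    for r in json.loads(rules_json):
        if not r.get("Enabled", True):
            continue
        reasons = []
        targets = (_addresses(r.get("ForwardTo"))
                   + _addresses(r.get("ForwardAsAttachmentTo"))
                   + _addresses(r.get("RedirectTo")))
        external = [a for a in targets if a.split("@")[-1] not in own_domains]
        if external:
            reasons.append("forwards/redirects outside the practice: "
                           + ", ".join(external))
        if r.get("DeleteMessage"):
            reasons.append("deletes matching mail (owner never sees it)")
        folder = (r.get("MoveToFolder") or "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"moves mail to a rarely-read folder: {r['MoveToFolder']}")
        words = {w.lower() for w in (r.get("SubjectContainsWords") or [])
                 + (r.get("BodyContainsWords") or [])}
        hits = sorted(t for t in SENSITIVE_TERMS if any(t in w for w in words))
        if hits:
            reasons.append("matches sensitive keywords: " + ", ".join(hits))
        name = r.get("Name", "")
        if len(name.strip(". ")) <= 3:
            reasons.append(f"rule name is minimal/obfuscated: {name!r}")
        # Raise a finding if mail leaves the tenant, or if indicators stack up.
        if external or len(reasons) >= 2:
            findings.append(Finding(name, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_rules(SAMPLE_RULES_JSON):
        print(f"[!] rule {f.rule!r}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

On the constructed sample this flags the "." rule (external redirect plus delete) and the "aaa" rule (hidden folder, password keywords, throwaway name) while leaving the pathology rule alone. A finding here means the rule should be disabled and the account's existing sessions and app consents revoked as well, since none of those are touched by a password reset.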

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.
