An Aged Care Provider's Guide to the Aged Care Act 2024 IT Obligations in 2026
The Aged Care Act 2024 commenced on 1 November 2025, alongside seven Strengthened Aged Care Quality Standards. Six months in, the IT and information-management obligations the new framework demands of registered aged-care providers are clearer. An IT operator's guide to the systems behind information management, cyber resilience, and provider audit readiness.
Jump to section
1. What did the Aged Care Act 2024 change for IT?
2. What does the Strengthened Information Management standard require?
3. Which provider records have to be retained, and for how long?
4. What cybersecurity expectations does the new framework actually carry?
5. What systems do aged-care providers typically run, and where are the weak points?
6. What software is worth shortlisting for an aged-care provider under the new Act?
7. What does Aged Care Act 2024 IT compliance cost a provider to operate?
8. What this means for the CEO and the governance committee
9. What CCP does about the Aged Care Act 2024 for providers
10. Primary sources
This is an IT operator’s perspective on the systems and software Australian aged-care providers are using to operate under the Aged Care Act 2024 and the Strengthened Aged Care Quality Standards. It isn’t legal advice, a clinical-governance opinion, or an Aged Care Quality and Safety Commission compliance ruling. Whether any particular control satisfies your obligations is your governance lead’s, your aged-care lawyer’s, or the Commission’s call. We implement the technical stack. They sign off on whether it clears the bar.
The Aged Care Act 2024 has been in force since 1 November 2025. Six months on, the providers we work with are starting to see what the Strengthened Quality Standards mean in operational practice, and the IT side is heavier than most expected at commencement. Information management is now an explicit standard with a practice guide behind it. Cyber resilience expectations have firmed up significantly. The Commission’s audit posture has shifted from “do you have a policy” to “show me how the policy operates”.
Aged care has been the most-attacked sub-sector of healthcare in Australia for the last several years, and the threat actors have not slowed down since the new Act commenced. Small and mid-size providers (residential providers running one to five facilities, home-care providers with 50 to 250 staff) sit in the band where the new Act’s expectations and the available staffing budget are hardest to reconcile. Providers of CCP’s typical client size can no longer carry a default IT posture and meet the Strengthened Standards. The work is real.
What did the Aged Care Act 2024 change for IT?
The Aged Care Act 2024 replaced the Aged Care Act 1997 and consolidated the regulatory framework for residential, home, and flexible aged care under a single rights-based statute. For IT, the most consequential changes are an explicit Information Management standard within the Strengthened Quality Standards, a sharper governance expectation around cybersecurity, and a tighter linkage between information integrity and quality of care. The Act and the Standards are rights-based and outcomes-focused; they do not prescribe technology, but the outcomes they require are difficult to deliver without modern identity controls, retention discipline, and properly-tested resilience.
The transition from the 1997 framework to the 2024 framework was material in clinical and governance terms. In IT terms, the practical impact is that “we have a system” is no longer enough; providers have to show the system operates the way the standards describe, with audit-grade evidence to back it up. The Commission’s emerging audit posture matches this shift.
What does the Strengthened Information Management standard require?
The standard requires the provider to put in place an information management system that manages records, gives workers access to the right information at the right time, enables older people and their supporters to access the information they need, and ensures stored information is accurate and complete. The Commission’s practice guide expands on each element, describing what compliance looks like in operation across a provider’s clinical, financial, workforce, and quality records.
The key word is “system”. The standard is not satisfied by a clinical-records platform on its own. It requires the provider to operate a coherent environment across clinical records, care planning, incident management, complaints, workforce credentialling, financial management, and the records each of those produce. The information has to flow across systems where it needs to, with appropriate access controls at each step, and with an audit trail that demonstrates information integrity.
In practice, this is the standard that exposes providers running a patchwork of legacy systems with manual data movement between them. A provider with one system for clinical care, a different system for incidents and complaints, a third for workforce, a fourth for finance, and Microsoft 365 in the middle as the documents-and-email layer can satisfy the standard, but only if the integrations are documented, the access controls are coherent across the systems, and the audit trail can be reconstructed end-to-end. Most providers we onboard cannot do that out of the box.
Which provider records have to be retained, and for how long?
Clinical records, care plans, incident reports, complaints records, medication administration records, and the financial records associated with a resident’s or recipient’s care all carry retention obligations. The minimums vary by record type and applicable state legislation, with seven years from the date of the last entry being a common floor for clinical records of an adult, longer for the records of a person who was a minor at the time of care. Some records (those subject to active complaints, investigations, or coronial proceedings) attract indefinite retention until those processes conclude.
For most providers the retention obligations stack across overlapping requirements: the Aged Care Act, state health-records legislation, Privacy Act obligations for personal information, professional registration obligations for clinical staff. The IT system that holds these records has to honour the longest applicable rule for any given record. A flat retention rule applied at the system level does not survive the layered obligation; record-level retention labelling is the only sustainable answer.
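The "longest applicable rule" logic above, as an added example that is not part of the original article: each record's retention date is the maximum across every overlapping obligation, a record under an active complaint, investigation or coronial process is held indefinitely, and a comparison shows which records a flat system-wide rule would dispose of too early. The obligation map, the extra years for a person who was a minor, and the sample records are constructed assumptions, not statutory figures.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed obligation map (years from last entry) per overlapping regime the
# article names; figures are illustrative except the seven-year adult clinical floor.
OBLIGATIONS = {
    "clinical_record": {"aged_care_act": 7, "state_health_records": 7, "privacy_act": 7},
    "medication_record": {"aged_care_act": 7, "state_health_records": 10},
    "incident_report": {"aged_care_act": 7},
}
MINOR_EXTRA_YEARS = 11  # assumed extra years for a person who was a minor at care

@dataclass
class Record:
    record_id: str
    record_type: str
    last_entry: date
    person_was_minor: bool = False
    active_holds: set = field(default_factory=set)  # e.g. {"complaint", "coronial"}

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February rolling into a non-leap year
        return d.replace(year=d.year + years, day=28)

def effective_retention(rec: Record):
    """Longest applicable rule for this record: (retain_until, reason).
    retain_until is None while a complaint, investigation or coronial hold is
    active, i.e. retain indefinitely until that process concludes."""
    if rec.active_holds:
        return None, "hold:" + ",".join(sorted(rec.active_holds))
    rules = OBLIGATIONS.get(rec.record_type)
    if not rules:
        raise ValueError(f"no retention obligation mapped for {rec.record_type}")
    source, years = max(rules.items(), key=lambda kv: kv[1])
    if rec.person_was_minor:
        years, source = years + MINOR_EXTRA_YEARS, source + "+minor"
    return add_years(rec.last_entry, years), source

def lost_under_flat_rule(records, flat_years: int):
    """Record ids a single system-wide rule would dispose of too early."""
    lost = []
    for rec in records:
        until, _ = effective_retention(rec)
        if until is None or until > add_years(rec.last_entry, flat_years):
            lost.append(rec.record_id)
    return lost

SAMPLE = [  # constructed sample records
    Record("R1", "clinical_record", date(2018, 3, 10)),
    Record("R2", "clinical_record", date(2018, 3, 10), person_was_minor=True),
    Record("R3", "incident_report", date(2019, 8, 1), active_holds={"coronial"}),
    Record("R4", "medication_record", date(2020, 2, 29)),
]
```

Running `lost_under_flat_rule(SAMPLE, 7)` shows that a flat seven-year rule would lose the minor's record, the record under coronial hold, and the record whose state rule runs longer than the floor.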
What cybersecurity expectations does the new framework actually carry?
The Strengthened Quality Standards do not prescribe specific cybersecurity controls, but the Governance and Information Management standards together create an expectation that providers manage the cyber risks to the information they hold. The Commission has been clear in published guidance and in audit conduct that providers cannot treat cybersecurity as optional. A breach affecting personal information attracts Notifiable Data Breach obligations under the Privacy Act independently; a breach attributable to absent baseline controls also attracts Commission attention through the governance standard.
The practical baseline that has emerged from audit conversations across CCP’s aged-care client base is closer to the Essential Eight controls than to anything more specialist: multi-factor authentication on all administrative and clinical-system access; application control or restricted application installation; patching of operating systems and applications on a defined cadence; user application hardening; restricted use of administrative privileges; and daily backups of critical data with tested restore. The Commission does not name the Essential Eight, but a provider that can demonstrate operation of those controls is substantially better positioned in an audit conversation than one that cannot.
Aged-care-specific cyber risk
Aged care is the most-attacked sub-sector of Australian healthcare, and the targeting is opportunistic rather than sophisticated. Phishing-led ransomware deployment against under-resourced IT environments is the dominant pattern. Providers without MFA on their email environment, without application control on staff devices, and without tested backup are the easiest targets in the sector. A meaningful number of the ransomware events we have responded to in this sector started with a clinical or rostering staff member opening an email attachment from a familiar-looking sender on a device with no application control.
The risk is real, the controls to mitigate it are well-understood, and the Commission’s audit posture under the new Act gives providers an explicit accountability framework for managing the risk. The intersection between Privacy Act notification obligations, Commission compliance expectations, and the operational reality of running care services through a ransomware event is harsh on providers without baseline controls.
What systems do aged-care providers typically run, and where are the weak points?
A typical mid-size residential or home-care provider runs a clinical-care platform (AutumnCare, Manad Plus, Leecare, iCareHealth, Person Centred Software and similar), a workforce and rostering platform, a finance system, Microsoft 365 for general productivity, and various point tools for medication administration, incident management, family communication, and clinical assessment. The weak points cluster in three places.
First, the integrations between the clinical platform and everything else. The clinical platform usually has its own access controls and audit trail, which the provider has invested time in configuring. The other systems are often left at a default that does not match. A workforce system that lets HR see clinical records they do not need is a finding waiting to happen.
Second, the Microsoft 365 environment. Most providers run Microsoft 365 because it came with the email subscription, not because it was configured for an aged-care information-management posture. Retention labels are usually absent, conditional access is usually permissive, audit logging is usually unconfigured, and DLP is usually off.
Third, the device estate. Clinical staff use shared devices in care areas, administrative staff use personal devices in some configurations, and the device estate in many providers has not been brought under modern device management. A device that is not enrolled cannot be patched, controlled, or wiped if lost.
Home-care versus residential exposure
Home-care providers carry a different IT risk profile to residential providers. The workforce is mobile, devices travel, and the provider’s network controls do not reach the device when the staff member is in a recipient’s home. The information-management obligations are the same, but the practical implementation has to be device-centric (managed devices, conditional access, encryption at rest, MFA enforced regardless of location) rather than network-centric. Home-care providers running a “trusted office network” model with personal devices outside it tend to have larger remediation projects than residential providers of equivalent size.
What software is worth shortlisting for an aged-care provider under the new Act?
There is no single shortlist; the choice depends on which clinical platform the provider is committed to and what the existing Microsoft 365 environment supports. The patterns that have worked in CCP engagements over the past six months are: a clinical platform with mature audit logging and role-based access at the field level (some Australian aged-care platforms have invested heavily in this; others lag); a Microsoft 365 environment configured properly for aged-care information management (retention labels by record type, conditional access by user role, audit logging on, DLP applied to clinical and financial document libraries); modern device management (Microsoft Intune for the typical Microsoft-aligned provider); and a backup and recovery posture that has been tested against the clinical platform, not just promised by the vendor.
The clinical platform is the most consequential decision. Providers due a clinical platform refresh should evaluate against the Strengthened Standards’ Information Management criteria directly, not against an older procurement framework. Audit logging at field level, role-based access control with least-privilege defaults, and an exportable audit trail that can survive the provider switching vendors at some future point are non-negotiable.
Off-the-shelf versus custom build
There is no case for a custom-built clinical platform in an Australian aged-care provider of CCP’s typical client size. The off-the-shelf market is mature and competitive. Custom development in a regulated clinical environment carries risk that the marginal feature differentiation cannot justify.
What is realistic is integration work to wire the off-the-shelf clinical platform, the workforce platform, the finance system, and Microsoft 365 together in a way that the Strengthened Standards can be operated against coherently. That integration work is where most of the real implementation effort lands.
Microsoft 365 licensing for aged-care providers
If the provider’s information-management evidence relies on Microsoft 365 for retention labelling, audit logging, conditional access, and DLP (most do), the licence tier matters. Business Premium covers the basic features. E3 with the E5 Security add-on, or full E5, adds the advanced auditing, eDiscovery, and identity protection features that audits and serious incident responses both rely on. Providers on Business Standard cannot produce the evidence the Strengthened Standards imply.
The licence step-up is a real cost line. For a provider of 100 staff, the difference between Business Premium and E3 plus E5 Security across all named users is meaningful annually. It belongs in the IT budget conversation alongside the clinical platform fees.
What does Aged Care Act 2024 IT compliance cost a provider to operate?
For a 50-to-200-seat Australian aged-care provider, the typical IT-side annual operating cost of running compliantly with the Strengthened Standards is in the AUD 30,000 to 90,000 range across software licensing, integration support, device management, and backup-and-recovery discipline. One-off remediation projects (typically the year a provider catches up on an end-of-life clinical platform, an unmanaged device estate, or a Microsoft 365 environment that needs comprehensive baseline configuration) can be a multiple of that.
The cost varies most with the maturity of the existing environment. A provider with a current clinical platform, a clean Microsoft 365 tenant, and a managed device estate sits at the lower end. A provider with deferred IT investment across the board sits at the higher end and usually needs a one-off catch-up project before the operating cost stabilises.
What this means for the CEO and the governance committee
It means cybersecurity and information management are now governance-level concerns with a specific accountability framework. The CEO needs to be confident that an Aged Care Quality and Safety Commission audit will not surface a material finding on the IT side, and the governance committee needs visibility on the controls that protect resident and recipient information. Sub-sector ransomware incidents over the past two years have made the cyber dimension of governance unavoidable.
The practical version of governance attention is two things. A documented assessment of the IT environment against the Strengthened Standards, refreshed annually, with the gaps tracked and remediated against a budget. And a standing reporting line: monthly cyber-risk position to the executive, quarterly governance-committee briefing on information management, and a documented incident-response plan that the committee has signed off on.
What CCP does about the Aged Care Act 2024 for providers
We do not interpret the Quality Standards. We set up the IT systems an aged-care provider needs to operate compliantly against them, and we keep those systems audit-ready and resilient.
For an aged-care provider client, the work usually breaks into three streams. The Microsoft 365 stream covers identity, retention labels, conditional access, audit logging, DLP, and the licence uplift where the existing tier cannot carry the audit posture. The device and integration stream covers modern device management for both shared care-area devices and mobile home-care devices, and the integration discipline that makes the clinical platform, the workforce platform, and the finance system operate as a coherent information environment rather than four siloed ones. The resilience stream covers backup, tested recovery, an incident-response capability for the kind of ransomware event that hits this sector regularly, and the cyber-controls baseline (Essential Eight or close to it) that reduces the likelihood of an incident in the first place.
The interpretation of the Standards, the design of the provider’s clinical-governance framework, and the assessment of whether any particular control satisfies any particular Standard remain with the provider’s clinical and governance leadership. Our boundary is explicit. We handle the machinery. They handle the interpretation.
Providers that did the IT catch-up work before 1 November 2025 are now operating in a steady rhythm. Providers that deferred it are working through the catch-up against the active audit cycle, which is harder. The Commission’s audit cadence does not pause for IT remediation projects, and the threat actors do not pause for governance frameworks. Better to be ahead of both.
Primary sources
- Strengthened Aged Care Quality Standards, Department of Health, Disability and Ageing. Accessed 5 May 2026.
- Information management practice guide, Aged Care Quality and Safety Commission. Accessed 5 May 2026.
- Aged Care Act 2024 (Cth), available via Federal Register of Legislation.
- Privacy Act 1988 (Cth), in particular the Notifiable Data Breaches scheme provisions, available via Federal Register of Legislation.