Patient Data at Risk in NSW Hospitals
An audit of 4 out of 15 NSW Local Health Districts (LHDs) by the state’s Auditor-General found they failed to meet minimum cyber security requirements, leaving clinical systems vulnerable to attacks that could disrupt healthcare delivery.
The report, completed in July 2025 but withheld until 19 December to allow remedial action, found that only one of the audited Local Health Districts has a cyber security plan, and that plan is incomplete. The remaining audited Local Health Districts do not have a cyber security plan at all.
"NSW Health is not effectively managing cyber security risks to clinical systems that support healthcare delivery in Local Health Districts," the report states. It does not name the four LHDs that were audited.
Auditor-General Bola Oyetunji presented the report confidentially to Parliament on 9 July 2025. "I determined that it was not in the public interest to make the report public at that time," Oyetunji said in an addendum.
The five-month delay allowed NSW Health to establish a taskforce and progress responses to recommendations before public disclosure.
“Systemic non-compliance with NSW Government cyber security requirements, including maintaining adequate cyber security response plans, business continuity planning and disaster recovery for cyber security incidents, means that Local Health Districts could not demonstrate that they are prepared for, or resilient to, cyber threats,” the report warns.
"Local Health Districts are not adequately prepared to respond effectively to cyber security incidents. This exposes the risk that a preventable cyber security incident could disrupt access to healthcare services."
Clinical staff routinely disregard cyber security controls, creating what the report describes as "normalisation of non-compliance" driven by tensions between clinical urgency and security protocols.
The audit observed multiple violations across all audited districts, including storing patient information outside secure systems and leaving computers logged in when unattended.
"Despite being aware of clinical staff's systemic non-compliance with cyber security controls, the audited Local Health Districts have not undertaken work to assess the effectiveness of the controls," the report states.
"eHealth NSW has not clearly defined and communicated its roles and the expected roles of Local Health Districts for cyber security," according to the report.
The report found Local Health Districts spent an average $A421,000 on cyber security in 2023-24, representing just two per cent of ICT expenses against a benchmark of nine per cent.
None of the audited districts demonstrated consideration of cyber controls beyond minimum requirements, despite handling large volumes of sensitive personal and health information.
"NSW Health reported that healthcare is the most breached industry in Australia, and health data is 50 times more valuable than credit card data on the dark web," the report notes.
Business continuity and disaster recovery plans do not adequately address cyber security incidents, leaving districts unprepared for attacks that could compromise patient care.
The report found eHealth NSW conducted its first-ever test of the overall NSW Health cyber security incident response plan in October 2024, but it excluded clinical involvement.
"Clinicians did not participate in the exercise and were not consulted on the findings or recommendations resulting from the exercise," the report states.
NSW Health's 2024 attestation to Cyber Security NSW aggregated compliance across 32 organisations, obscuring risks within individual Local Health Districts.
"The attestation obscures the cyber security risks that exist for each Local Health District," the report warns. "NSW Health and Cyber Security NSW may not fully understand cyber security risk in this part of the health system."
The audit made six recommendations for implementation by December 2025, including collating and validating compliance information, finalising cyber security roles and developing clear guidance for balancing clinical service delivery with security requirements.
NSW Health Secretary Susan Pearce accepted all recommendations. "NSW Health is committed to ensuring that our system is safe from cyber security threats and that the sensitive information we hold is safeguarded," Pearce said in her response.
A dedicated Cyber Security Uplift Program has been established to enhance cyber resilience and ensure compliance with the NSW Cyber Security Policy and Security of Critical Infrastructure Act 2018.
After the report is presented to the NSW Parliament, it is usual for the entity’s Audit and Risk Committee/Audit Risk and Improvement Committee to monitor progress in implementing recommendations.
In addition, it is the practice of NSW Parliament’s Public Accounts Committee to conduct reviews or hold inquiries into matters raised in performance audit reports. The reviews and inquiries are usually held 12 months after the report is received by the NSW Parliament. These reports are available on the NSW Parliament website.
The report is available at: https://www.audit.nsw.gov.au/our-work/reports/cyber-security-in-local-he...
