
Healthcare Cyber Security 2026: Trans-Tasman Lessons | Insicon Cyber


The recent cyber security incident affecting New Zealand's ManageMyHealth platform serves as a critical reminder that healthcare organisations across Australia and New Zealand face increasingly sophisticated cyber threats. With over 126,000 patients potentially affected, this breach highlights the urgent need for healthcare providers to strengthen their security posture.

Rather than focusing on what went wrong, this article examines the key lessons healthcare organisations can learn and provides actionable recommendations to strengthen cyber resilience across the sector.

Understanding the Evolving Threat Landscape

Healthcare data remains one of the most valuable targets for cybercriminals in the Asia-Pacific region. The National Cyber Security Centre's latest Cyber Threat Report reveals that more than 40% of incidents in 2024/25 had criminal or financial motivations, representing a significant increase from previous years.

What makes healthcare particularly vulnerable? Medical records contain comprehensive personal information including identification documents, addresses, dates of birth, and sensitive health data. This information has substantial value on the dark web and can be exploited for identity theft, financial fraud, insurance fraud, and extortion.

The ManageMyHealth incident demonstrates that attackers are specifically targeting healthcare organisations with relatively modest ransom demands, suggesting they view Australian and New Zealand healthcare providers as viable, accessible targets. This trend is likely to continue and accelerate throughout 2026.

Building Strong Security Foundations

The good news is that many successful attacks exploit basic security gaps that can be addressed through systematic improvements. Healthcare organisations that prioritise fundamental security hygiene significantly reduce their attack surface.

Email Security and Domain Protection

Email remains a primary attack vector for phishing, credential harvesting, and initial access. Implementing robust email authentication protects both your organisation and your patients from sophisticated email-based attacks.

Essential email security measures:

  • Deploy DMARC at enforcement level (p=reject) with subdomain protection (sp=reject) to prevent email spoofing
  • Implement strong DKIM signatures with 2048-bit keys minimum
  • Configure SPF records correctly and review regularly
  • Enable DNSSEC across all domains and subdomains to prevent DNS hijacking
  • Defensively register your primary domain across major TLDs (.com, .net, .org, .com.au) to prevent brand impersonation
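The DMARC and SPF measures above can be checked mechanically once the TXT records have been retrieved. The following Python is an added example, not code from Insicon Cyber: it audits record strings for `p=reject`/`sp=reject` and, going slightly beyond the list, flags partial enforcement via `pct` and two common SPF misconfigurations (a permissive `all` and the RFC 7208 limit of 10 DNS-lookup terms). The records and the `clinic.example` domain are constructed samples.

```python
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_dmarc(txt):
    """Findings where a DMARC record falls short of p=reject with sp=reject."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p", "missing")
    sub_policy = tags.get("sp", policy)  # RFC 7489: sp defaults to p
    if policy != "reject":
        findings.append(f"p={policy}: domain not at enforcement")
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains not at enforcement")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of the mail")
    return findings

def audit_spf(txt):
    """Findings for a permissive 'all' or more than 10 DNS-lookup terms."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record (v=spf1 missing)"]
    findings, lookups = [], 0
    for term in terms[1:]:
        bare = term.lstrip("+-~?")
        if bare == "all" and term[0] not in "-~":
            findings.append(f"'{term}' lets unlisted senders pass or stay neutral")
        if bare.split(":")[0].split("/")[0].split("=")[0] in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:  # RFC 7208 limit; exceeding it yields permerror
        findings.append(f"{lookups} DNS-lookup terms exceeds the limit of 10")
    return findings

SAMPLES = {  # constructed records for a hypothetical clinic domain
    "dmarc_weak": "v=DMARC1; p=quarantine; sp=none; pct=50; rua=mailto:dmarc@clinic.example",
    "dmarc_good": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@clinic.example",
    "spf_weak": "v=spf1 include:_spf.mail.example mx ?all",
    "spf_good": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        audit = audit_dmarc if name.startswith("dmarc") else audit_spf
        print(name, audit(record) or "ok")
```

Run it against the TXT values published at `_dmarc.<domain>` and at the domain apex; an empty findings list means the record meets the checks implemented here, not that DKIM or DNSSEC are in place.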

Access Control and Authentication

Weak access controls represent one of the most common vulnerabilities exploited in healthcare breaches. Strong authentication and access management are fundamental to protecting patient data.

Key access control improvements:

  • Mandate multi-factor authentication (MFA) for all systems, particularly patient portals and administrative interfaces
  • Implement the principle of least privilege, ensuring users have only the access they need
  • Conduct regular access reviews and remove dormant accounts promptly
  • Monitor and log all access to sensitive patient information
  • Implement strong password policies and consider passwordless authentication where feasible

Proactive Vulnerability Management

Attackers actively scan for known vulnerabilities and unpatched systems. A systematic approach to vulnerability management significantly reduces your organisation's exposure to opportunistic attacks.

Establish a robust vulnerability management programme:

  • Conduct regular vulnerability assessments and penetration testing, particularly for patient-facing systems
  • Maintain a comprehensive asset inventory including all systems that handle patient data
  • Implement a structured patch management process with clear timelines for critical vulnerabilities
  • Prioritise remediation based on risk, focusing on internet-facing systems and those handling sensitive data
  • Monitor security advisories and threat intelligence relevant to your technology stack

Building Operational Resilience

Beyond prevention, healthcare organisations must be prepared to respond effectively when incidents occur. Operational resilience ensures your organisation can maintain critical services and recover quickly from cyber incidents.

Reliable Backup and Recovery

A comprehensive backup strategy is your last line of defence against ransomware and data loss. Recent case studies demonstrate that organisations with robust, tested backups recover significantly faster and avoid paying ransoms.

Backup best practices:

  • Follow the 3-2-1 rule: three copies of data, on two different media types, with one copy offsite
  • Implement immutable backups that cannot be encrypted or deleted by attackers
  • Test restoration procedures regularly, ensuring backups are actually recoverable
  • Increase backup frequency for critical systems, aiming for Recovery Point Objectives (RPO) of hours, not days
  • Ensure backups include configuration data and system state, not just patient records

Incident Response Planning

The speed and effectiveness of your initial response to a cyber incident can dramatically impact the overall damage. A well-rehearsed incident response plan ensures your team can act decisively under pressure.

Essential incident response components:

  • Develop and document a comprehensive incident response plan specific to your organisation
  • Establish clear roles and responsibilities, including 24/7 contact information
  • Conduct regular tabletop exercises to test your response procedures
  • Maintain relationships with external incident response specialists, legal counsel, and forensic investigators
  • Understand your legal obligations under the Privacy Act 2020 (NZ) and Privacy Act 1988 (AU) for breach notification
  • Prepare communication templates for patients, staff, regulators, and media

Governance and Continuous Improvement

Effective cyber security requires ongoing commitment from leadership and integration into organisational governance structures. Security is not a one-time project but a continuous process of assessment, improvement, and adaptation.

Leadership and Board Engagement

Board and executive leadership play a crucial role in establishing security culture and ensuring adequate resources are allocated to protect patient data.

Governance recommendations:

  • Establish board-level oversight of cyber security risk
  • Receive regular reporting on security posture, incidents, and risk metrics
  • Ensure adequate budget and staffing for security functions
  • Include cyber security in enterprise risk management frameworks
  • Consider cyber security insurance as part of your risk transfer strategy

Third-Party Risk Management

Healthcare organisations increasingly rely on third-party vendors for critical services. The NCSC reports that supply chain attacks targeting third-party suppliers are an increasing trend across the sector.

Managing third-party risk:

  • Conduct security assessments of vendors before engagement
  • Include security requirements and audit rights in vendor contracts
  • Regularly review vendor security posture, particularly for critical service providers
  • Maintain an inventory of all third parties with access to patient data
  • Understand your shared responsibility model for cloud and SaaS services

Building Security Awareness

Technical controls alone are insufficient. Healthcare staff at all levels must understand their role in protecting patient data and recognising potential threats.

Cultivating security awareness:

  • Provide regular security awareness training for all staff, not just IT personnel
  • Conduct simulated phishing exercises to test and improve staff vigilance
  • Make security training relevant to healthcare contexts with real examples
  • Establish clear reporting channels for suspected security incidents
  • Foster a culture where security concerns can be raised without fear of blame

Taking Action: A Practical Roadmap

Improving cyber security can feel overwhelming, particularly for resource-constrained healthcare organisations. The key is to start with high-impact, foundational controls and build systematically from there.

We recommend prioritising improvements in this order:

  1. Immediate priorities (0-30 days): Enable MFA on all systems, implement DMARC enforcement, conduct a rapid vulnerability assessment of patient-facing systems, and verify your backup restoration process actually works.
  2. Short-term improvements (30-90 days): Deploy DNSSEC, conduct penetration testing, review and update your incident response plan, implement enhanced monitoring and logging, and assess third-party vendor security.
  3. Medium-term goals (3-6 months): Establish ongoing vulnerability management processes, conduct tabletop exercises, implement a security awareness training programme, and develop comprehensive security metrics and reporting.
  4. Ongoing maturity (6+ months): Build threat intelligence capabilities, achieve relevant certifications (ISO 27001, HITRUST), integrate security into development processes, and establish regular third-party security assessments.

Understanding Your Regulatory Obligations

Healthcare organisations in Australia and New Zealand operate under specific privacy and security obligations that require prompt action when breaches occur.

  • In New Zealand, the Privacy Act 2020 requires organisations to notify the Privacy Commissioner and affected individuals when a privacy breach causes or is likely to cause serious harm. Recent regulatory guidance emphasises that healthcare organisations must have appropriate safeguards in place proportionate to the sensitivity of the information they hold.
  • In Australia, the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 establishes similar obligations. Healthcare providers must assess whether breaches are likely to result in serious harm and notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals.

Both jurisdictions are increasing scrutiny of healthcare data security practices. The recent ManageMyHealth incident resulted in immediate government review and will likely influence future regulatory expectations across the Trans-Tasman region.

Looking Forward: The Path to Resilience

The threat landscape facing healthcare organisations will continue to evolve throughout 2026 and beyond. Ransomware groups are becoming more sophisticated, attack methods are diversifying, and the value of healthcare data continues to attract criminal attention.

However, organisations that take a systematic, risk-based approach to cyber security can significantly reduce their exposure. The measures outlined in this article represent proven practices that demonstrably improve security outcomes.

Most importantly, cyber security is not solely a technology challenge. It requires commitment from leadership, engagement from staff across the organisation, and integration into core business processes. Healthcare organisations that treat security as a strategic imperative, rather than a technical burden, are best positioned to protect the patients who trust them with their most sensitive information.

How Insicon Cyber Can Help

At Insicon Cyber, we are experienced in helping healthcare organisations across Australia and New Zealand strengthen their cyber security posture. Our team understands the unique challenges facing the healthcare sector, from legacy systems to regulatory compliance, and we deliver practical, risk-based solutions that work in real-world healthcare environments.

Our services include:

Don't wait for a breach to take action. Contact Insicon Cyber today to discuss how we can help your organisation build a stronger, more resilient security posture.
