Insurance brokers hold client money, financial records and personal data, and operate under an AFSL with real ASIC obligations. Good insurance broker IT support keeps your broking platform running, protects the trust account from email fraud, and gets the security controls in place that your own cyber insurer now expects.
General insurance brokers sit in an awkward spot. You are a small business by headcount but you carry the data risk of a financial institution and the payment-fraud exposure of a conveyancer. You handle premium funds in trust, you hold years of client financial and personal information, and you answer to ASIC for how the business is run. The IT underneath all of that is usually a couple of cloud platforms, Microsoft 365 and whatever the last broker set up. That gap is where the trouble starts.
What general insurance brokers actually run
Most Australian broking offices run on a dedicated broking platform rather than a generic CRM. The common ones are WinBEAT, Sunrise (and the SCTP transaction platform behind it), Insight, and the broader ebix stack that several of these sit within. These handle policy administration, quoting, the insurer transaction interface, client records, claims and the all-important trust-account and premium-funding reconciliation.
Some platforms are cloud-hosted; others still run as on-premises or hybrid installs with a database server in the office. Either way, the vendor secures the application, but you own the devices, the accounts, the network, the integrations and the backup of everything outside the platform. The recurring weak spots we find in broking offices: shared logins on reception machines, no multi-factor authentication on Microsoft 365, the broking database backed up to a USB drive that has not been tested in two years, and bank details for premium payments sitting in email threads anyone can read.
Cluster and network group requirements
Most independent brokers belong to a cluster or network group — Steadfast, AUB, Insurance Advisernet and similar. Membership is not just buying power; it increasingly comes with technology and security expectations. Network groups push standardised platforms, single sign-on into their portals, data feeds back to head office, and in some cases minimum cyber-security requirements you have to attest to. If you join or change groups, the IT migration — platform data, mailbox records, document history — needs to be planned, not improvised over a weekend. We treat that as a project with a rollback plan, because losing seven years of client correspondence mid-migration is not recoverable.
AFSL, ASIC and the obligations behind the IT
Holding an Australian Financial Services Licence (AFSL) brings general conduct obligations under the Corporations Act, and ASIC expects licensees to have adequate technological resources and risk-management systems. That is deliberately broad, but the practical reading is clear: you need systems that keep accurate records, protect client data, and let the business keep operating when something fails. ASIC’s own guidance on cyber resilience and outsourcing makes the point that you cannot contract away responsibility — if your IT or your software vendor has a problem, the obligation to your clients is still yours.
Record-keeping is the concrete part most brokers underestimate. You are expected to retain client files, advice records, policy documentation and trust-account records for years, and to be able to produce them. That makes backup and retention a compliance matter, not just an IT nicety. A broking database you cannot restore is a record-keeping failure waiting to be discovered at the worst time.
Client financial and personal data under the Privacy Act
Brokers hold a dense file on every client: names, addresses, dates of birth, financial details, claims history, sometimes health information for certain covers, and bank account details for premium payments. That is exactly the kind of personal and sensitive information the Privacy Act 1988 and the Australian Privacy Principles are built around.
If your business turns over more than $3 million you are squarely covered, and even smaller brokers are caught where they trade in personal information or provide certain services. Under the Notifiable Data Breaches scheme, a breach involving client data that is likely to cause serious harm must be assessed and reported to the Office of the Australian Information Commissioner (OAIC) and the affected clients. A compromised mailbox full of client financial records is precisely the scenario that scheme exists for — and for a broker, it is also a conversation with your AFSL obligations and your network group.
Business email compromise: the threat aimed straight at brokers
Of every risk on this page, this is the one that takes brokers down. Business email compromise (BEC) is where an attacker gets into a mailbox — usually through a phished password with no MFA — watches the email flow, and then redirects money. For a broker, the targets are obvious: premium payments from clients, refunds, and movements in and out of the trust account.
The classic version: a client emails about paying their premium, the attacker (sitting silently in your mailbox or theirs) replies with “updated” bank details, and the money lands in a mule account. By the time anyone notices, it is gone. The variant aimed at the trust account is worse, because the sums are larger and the reconciliation is monthly, so the theft can sit hidden for weeks.
The defences are unglamorous and they work:
- MFA on every mailbox, enforced, with no exceptions for the principal who finds it annoying. Most BEC starts with a password that worked because nothing else was in the way.
- Conditional access in Microsoft 365 to block sign-ins from unexpected countries and flag impossible-travel logins.
- A verbal verification rule for any change to payment details — phone the client on a known number, never the number in the email. This is policy, not technology, but it is the single most effective control.
- Email security that catches lookalike domains and external-sender warnings, plus mailbox-rule auditing so an attacker quietly forwarding your mail gets caught.
We go deeper on this in our guide to business email security, phishing and BEC. For a broker handling trust money, it is the first thing to fix.
Cyber insurance underwriting expectations — yes, for brokers too
There is a particular irony in brokers being underprepared for their own cyber-insurance application. The same underwriting questions you help clients answer now land on your desk, and they have hardened considerably. Insurers will not write a policy — or will price it punitively — without evidence of baseline controls.
The questions you can expect:
| Underwriting control | What insurers expect to see |
|---|---|
| Multi-factor authentication | MFA on email, remote access and admin accounts — increasingly a hard precondition |
| Backups | Regular, tested, with at least one copy isolated from the network |
| Email filtering | Advanced filtering against phishing and malicious attachments |
| Endpoint protection | Modern EDR, not just legacy antivirus |
| Patching | Operating systems and software kept current |
| Staff awareness | Phishing training and a documented incident response plan |
These map almost exactly onto the Australian Cyber Security Centre (ACSC) Essential Eight. If you implement the meaningful parts of the Essential Eight, you answer most of the underwriting questionnaire honestly and in the affirmative — which both gets you covered and lowers the premium. We cover this overlap for SMEs in our cyber insurance guide for Australian SMEs, and the controls themselves in our Essential Eight compliance work. Answering “yes” to a control you do not actually have is a fast way to have a claim declined, so it pays to make the answers true.
Document management and the renewals workflow
Broking runs on documents — schedules, certificates of currency, closings, endorsements, claims correspondence — and on a renewals cycle that never stops. The renewals workflow is where document management, email and the broking platform all have to work together, and where things fall through when the IT is loose.
A sound setup keeps client documents in the broking platform or a structured SharePoint library, not scattered across personal mailboxes and a Downloads folder. It means a broker who leaves does not take the only copy of a client’s history with them, and a renewal does not get missed because the reminder lived in one person’s inbox. If you run on Microsoft 365, getting Microsoft 365 configured properly — shared mailboxes, sensible SharePoint structure, retention policies — is what turns a pile of email into a system the next person can pick up. It also makes the record-keeping side of your AFSL obligations far easier to satisfy.
A Melbourne example
A general insurance broking firm in Hawthorn we work with — eight staff, member of a national cluster group, running WinBEAT and Microsoft 365 — came to us after a close call. A client emailed about paying a commercial property premium. What none of them knew was that the client’s mailbox had been compromised; the attacker replied from the real address with new bank details. The broker’s accounts person nearly paid it. What stopped her was an old habit of phoning to confirm anything over a few thousand dollars — and the new account did not match.
It rattled them, because the firm had no MFA on Microsoft 365, no conditional access, and a broking database backed up to a single drive plugged into the server. We rolled out MFA across every mailbox, conditional access to block overseas sign-ins, advanced email filtering with external-sender warnings, and proper monitored backups of both Microsoft 365 and the WinBEAT data with an isolated copy. We documented a payment-verification policy so the “phone to confirm” habit became a rule rather than one person’s caution. When their cyber-insurance renewal came round, they could answer the questionnaire truthfully for the first time, and the premium reflected it.
Frequently asked questions
Does the Privacy Act apply to a small insurance broker?
If you turn over more than $3 million a year, yes, directly. Smaller brokers can still be covered depending on what they do with personal information. Given the volume of client financial and personal data a broker holds, and the AFSL and ASIC obligations sitting alongside it, the sensible approach is to operate as though the Australian Privacy Principles apply regardless — the controls are the same ones your cyber insurer and network group already expect.
What is the biggest IT risk for a broking firm?
Business email compromise aimed at premium payments and the trust account. An attacker in a mailbox with no MFA can quietly redirect client money before anyone notices. MFA on every account, conditional access, and a strict phone-to-verify rule for any change of bank details are the controls that stop it.
Will better IT lower our cyber insurance premium?
Usually, yes. Insurers price on the controls you can evidence — MFA, tested backups, email filtering, endpoint protection and patching. Implementing the Essential Eight lets you answer the underwriting questionnaire honestly and in the affirmative, which improves both your ability to get covered and the price.
We’re switching cluster groups — what about the IT?
Treat it as a planned migration, not a weekend job. Platform data, mailbox records, document history and any single sign-on into the group’s portals all need to move cleanly, with a rollback position if something goes wrong. Losing years of client correspondence mid-migration is not recoverable, so it is worth doing methodically.
Getting it right without overspending
None of this is exotic. A broking firm does not need a bank’s security budget — it needs the basics done properly and kept that way: MFA on every account, conditional access, tested and isolated backups of both the broking platform and Microsoft 365, advanced email filtering, and a payment-verification rule that everyone actually follows. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma. We support professional services firms across Melbourne metro on per-user fixed monthly pricing, with same-business-day on-site when you need hands on the ground. Our IT support for professional services and cybersecurity services are built for exactly this kind of business. If your broking office is running on goodwill and no MFA, get in touch and we will tell you plainly what to fix first.
Financial planning firms sit on a pile of sensitive client data — tax file numbers, super balances, estate details, bank accounts — under an AFSL, the Privacy Act and ASIC’s watch. Good financial planning IT support keeps Xplan and your platforms running, locks down email against payment fraud, and gives you a defensible security position when a licensee audit or a breach lands.
The risk profile is specific. Advisers move money on client instruction, hold years of sensitive records they are legally required to retain, and increasingly run their whole practice through cloud financial-planning software and CRM. That combination — money, sensitive data and email — is exactly what attackers target. Getting the IT right is not a nice-to-have for a planning firm; it is part of meeting your obligations as a licensee.
What sits behind an AFSL
If you provide personal financial advice you operate under an Australian Financial Services Licence, either your own or as an authorised representative of a dealer group. ASIC’s licensing obligations under the Corporations Act require you to have adequate resources and risk-management systems, and ASIC has been explicit that this includes cyber resilience. The RI Advice case made the point clearly — a licensee was found to have breached its obligations by failing to have adequate cyber-security risk management across its authorised representatives. Cyber is not treated as separate from your licence conditions; it is part of them.
For most planning firms that means you need to be able to show, not just assert, that you have controls in place: access management, multi-factor authentication, patching, backups, an incident response plan and oversight of the third parties handling client data. The Australian Cyber Security Centre (ACSC) Essential Eight is the sensible framework to anchor that against, and it maps cleanly onto what ASIC expects a well-run licensee to do. We cover the practical rollout in our guide to Essential Eight compliance in 90 days.
The Privacy Act and sensitive financial data
Planning firms hold some of the most sensitive personal information there is. The Privacy Act 1988 and the Australian Privacy Principles apply to most advice businesses, and the data you hold — tax file numbers, financial position, health information gathered for insurance advice — attracts a high level of protection. TFNs carry their own handling rules on top of the APPs.
Under the Notifiable Data Breaches scheme, a breach involving client financial records that is likely to cause serious harm must be assessed and, where required, reported to the Office of the Australian Information Commissioner (OAIC) and to affected clients. A compromised adviser mailbox full of statements of advice and identity documents is precisely the scenario that scheme exists for. The practical defence is unglamorous: encrypt devices, control access, keep a record of who can see what, and back everything up. We walk through breach obligations in more detail in our overview of our cybersecurity services.
The software stack: Xplan, CRM and platform integrations
Most Melbourne planning practices run on a financial-planning platform plus a CRM plus a stack of integrations into investment platforms. The common tools are Xplan (Iress), AdviserLogic and Midwinter for advice generation, modelling and statements of advice, sitting alongside CRM and document management. Those connect outward to platforms such as HUB24, Netwealth, BT Panorama and the major fund administrators, and inward to your Microsoft 365 environment.
Because the core tools are SaaS, the vendor secures the application. Your obligations do not disappear. You still own the accounts, the devices, the network, the data feeds and the backup of anything outside the platform. The recurring weak spots we find in advice firms:
- Shared or generic logins to Xplan or the CRM, instead of an individual account per adviser and support staff member.
- No multi-factor authentication on the practice-management platform or on Microsoft 365, so a single phished password gives an attacker the lot.
- Platform data feeds and document integrations configured once and never reviewed, with credentials that outlast the staff who set them up.
- Statements of advice, fact-finds and scanned ID documents sitting in a Downloads folder or a personal OneDrive rather than the managed system.
The IT job is making each of those integrations authenticated, monitored and owned, and making sure access is tied to individuals so it can be revoked the day someone leaves.
Email security and business email compromise
This is the single biggest financial risk a planning firm carries, and it deserves its own section. Business email compromise is where an attacker gets into — or convincingly impersonates — a mailbox and uses it to redirect money. For an advice firm the danger is payment and rollover instructions: a client emails asking to redeem an investment or change their nominated bank account, the adviser actions it, and the instruction was never really from the client. Or the attacker is inside the adviser’s mailbox, watching, and inserts fraudulent account details at the moment a genuine payment is due.
The controls that actually reduce this risk are layered:
- MFA on every mailbox, enforced through conditional access, so a stolen password alone is not enough. Our piece on conditional access policies in Microsoft 365 covers how to do this without making sign-in painful.
- Mailbox monitoring and alerting on the inbox rules attackers create to hide their tracks — auto-forwarding and “move to RSS feeds” rules are classic tells.
- A hard process rule: any change to client bank details or any payment instruction received by email is verified by a phone call to a known number, never to the number in the email.
- SPF, DKIM and DMARC configured so attackers cannot easily spoof your domain to your clients.
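The SPF and DMARC settings that matter are easy to get wrong quietly: a `?all` or `~all` SPF record and a `p=none` DMARC policy are both "configured" but stop nothing. The following checker, an example added for this page rather than TechAssist's own tooling, parses a weak and a corrected pair of records and reports what is wrong with each. The domain names and records are constructed samples, not any real organisation's DNS; in practice you would fetch the TXT records with a resolver first.

```python
"""Check SPF and DMARC TXT records for the settings that leave a domain easy to
spoof. Added example for this page, not TechAssist's own tooling. The domain
names and records are constructed samples, not any real organisation's DNS."""

# Constructed sample records: a weak pair and a corrected pair.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.example-crm.com ?all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = ("v=DMARC1; p=reject; pct=100; "
                "rua=mailto:dmarc-reports@example-broker.com.au; adkim=s; aspf=s")

# Mechanisms that each consume one of the ten DNS lookups SPF permits.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing weak was found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # Strip the qualifier and any argument to get the bare mechanism name.
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        elif name == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    if all_qualifier is None:
        findings.append("no 'all' mechanism, so unlisted senders are neutral rather than failed")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as the domain; use -all")
    elif all_qualifier == "~":
        findings.append("'~all' is a soft fail; many receivers still deliver spoofed mail")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds SPF's limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means the policy is enforcing."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag, so the record is invalid and ignored")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine; move to p=reject once the reports look clean")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports of abuse")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("corrected", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", check_spf(spf) or "ok")
        print(label, "DMARC:", check_dmarc(dmarc) or "ok")
```

The checker deliberately treats `~all` and `p=quarantine` as findings rather than passes: both are reasonable stepping stones while you review reports, but neither is the end state for a firm whose clients take payment instructions by email.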
The technology stops most of it. The verbal-verification process catches what gets through. We go deeper on this in our article on business email security, phishing and BEC.
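Mailbox-rule auditing, mentioned here and in the broker section above, is concrete enough to show as detection logic. The script below is an example added for this page, not TechAssist's own tooling: it reads records shaped like Microsoft 365 unified audit log entries for the Exchange inbox-rule cmdlets and flags the traits an attacker's rule usually has (external forwarding, diversion to RSS Feeds or Deleted Items, mark-as-read, payment keywords, a blank name). The sample records and the organisation domain are constructed, and the field names are an assumption to map onto your real export.

```python
"""Flag inbox rules of the kind an attacker creates after taking over a mailbox.
Added example for this page, not TechAssist's own tooling. The records below are
constructed to resemble Microsoft 365 unified audit log entries for the Exchange
inbox-rule cmdlets; the field names are an assumption, so map them to your export."""

import re

ORG_DOMAIN = "example-broker.com.au"  # constructed; mail to any other domain is external

# Constructed sample audit records: two attacker-style rules, one legitimate rule,
# and one unrelated operation that should be ignored.
SAMPLE_LOG = [
    {"CreationTime": "2024-03-04T02:11:09", "UserId": "accounts@example-broker.com.au",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-03-04T02:13:41", "UserId": "principal@example-broker.com.au",
     "Operation": "Set-InboxRule", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "Backup"},
                    {"Name": "ForwardTo", "Value": "archive@mail-backup.example"}]},
    {"CreationTime": "2024-03-04T09:02:15", "UserId": "broker2@example-broker.com.au",
     "Operation": "New-InboxRule", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Renewals"},
                    {"Name": "From", "Value": "renewals@insurer.example"},
                    {"Name": "MoveToFolder", "Value": "Renewals"}]},
    {"CreationTime": "2024-03-04T09:05:00", "UserId": "broker2@example-broker.com.au",
     "Operation": "MailItemsAccessed", "ClientIP": "198.51.100.20", "Parameters": []},
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
MONEY_WORDS = {"invoice", "payment", "bank", "remittance", "premium", "account"}


def rule_params(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a plain dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def analyse_rule(record: dict) -> list[str]:
    """Return the suspicious traits of one rule-change record (empty if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = rule_params(record)
    findings = []
    for param in FORWARD_PARAMS:
        for addr in re.split(r"[;,]\s*", p.get(param, "")):
            domain = addr.strip("<> ").rsplit("@", 1)[-1].lower()
            if addr and domain != ORG_DOMAIN:
                findings.append(f"{param} sends mail outside the organisation: {addr.strip()}")
    folder = p.get("MoveToFolder", "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves matching mail to '{p['MoveToFolder']}', a folder nobody reads")
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("deletes matching mail")
    # Mark-as-read and payment keywords only matter alongside a hiding or forwarding trait.
    if p.get("MarkAsRead", "").lower() == "true" and findings:
        findings.append("marks mail read so no unread count gives it away")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";")}
    hits = words & MONEY_WORDS
    if hits and findings:
        findings.append("targets payment keywords: " + ", ".join(sorted(hits)))
    if not p.get("Name", "x").strip(". "):
        findings.append("rule has a blank or single-character name")
    return findings


def alerts(records: list[dict]) -> list[dict]:
    """Run every record through analyse_rule and keep the ones worth an alert."""
    out = []
    for rec in records:
        findings = analyse_rule(rec)
        if findings:
            out.append({"user": rec["UserId"], "when": rec["CreationTime"],
                        "ip": rec.get("ClientIP"), "findings": findings})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(f"{a['when']} {a['user']} from {a['ip']}:")
        for f in a["findings"]:
            print("  -", f)
```

The legitimate "Renewals" rule produces nothing because moving mail to a working folder is normal; the score only climbs when a rule hides, deletes or forwards. Run it over each day's export and route anything it returns to whoever owns the incident response plan.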
MFA, conditional access and identity
Identity is the perimeter for a cloud-based advice firm. Multi-factor authentication on every account that touches client data is the non-negotiable baseline — Microsoft 365, the planning platform, the CRM and the investment platforms. Conditional access then lets you go further: block sign-ins from outside Australia, require a managed and compliant device, and step up verification for risky logins. For a firm where a single mailbox compromise can move client money, this is the control that earns its keep. It also aligns with the zero-trust thinking we explain in our zero-trust security model overview.
Data retention and client portals
Advice firms have to keep records, and keep them a long time. Under the Corporations Act and ASIC’s rules, advice documents — including statements of advice and records of the advice given — must generally be retained for at least seven years, and fee disclosure and ongoing-service records carry their own retention requirements. That is a long time to keep sensitive data safe, searchable and recoverable.
The IT implications are straightforward but easy to neglect. Retained records need to live in managed, backed-up systems, not on a departed adviser’s laptop. Microsoft 365 retention is not a backup — it protects against some accidental deletion but will not save you from a compromised account wiping data or a malicious deletion. A dedicated backup of email, OneDrive and SharePoint is essential, and our data backup and recovery service is built around exactly this. Knowing your recovery targets — how long you could operate without systems (RTO) and how much data you could lose (RPO) — turns “we have backups” into something you can actually rely on.
Client portals are increasingly how firms share statements of advice, fact-finds and annual reviews securely instead of by email attachment. A properly configured portal — whether built into your platform or layered on Microsoft 365 — reduces the BEC risk and gives clients a defined place to upload identity documents. The catch is that a portal is only as secure as the identity controls behind it, which brings us back to MFA.
Where APRA CPS 234 flows down to you
Most standalone advice firms are not APRA-regulated. But the moment you serve, or sit inside the supply chain of, an APRA-regulated entity — a super fund, an insurer, an RSE licensee — their obligations under APRA CPS 234 start to flow down to you. CPS 234 requires regulated entities to manage the information-security capability of third parties that handle their data, which means they will push contractual security requirements onto their advice partners and service providers. In practice that shows up as security questionnaires, evidence requests and clauses requiring you to maintain defined controls and notify them of incidents. If you receive feeds from or share data with a regulated platform, expect this. We unpack the standard in our explainer on information security and CPS 234, and being Essential Eight aligned puts you in a strong position to answer those questionnaires honestly.
A Melbourne example
A boutique financial planning firm in Hawthorn we work with — four advisers and a handful of support staff running Xplan and Microsoft 365 — came to us after a close call. A client emailed asking to redirect a six-figure redemption to a new bank account. The email was genuine-looking and came from the client’s real address, but the client’s own mailbox had been compromised, and the account details were the attacker’s. The adviser nearly actioned it; a junior staff member happened to phone the client about something unrelated and the fraud unravelled by luck.
We rebuilt the foundations: MFA enforced through conditional access on every account, geographic sign-in restrictions, mailbox-rule alerting, SPF, DKIM and DMARC on their domain, and a documented process that every bank-detail change or payment instruction is verbally verified on a known number. We added a real Microsoft 365 backup covering their seven-year retention obligations and moved client documents out of personal OneDrives into a managed, access-controlled portal. The firm now relies on process and controls rather than luck.
Frequently asked questions
Does ASIC require financial planning firms to have cyber security?
Effectively, yes. ASIC’s licensing obligations require an AFSL holder to have adequate risk-management systems and resources, and ASIC has made clear — including through the RI Advice case — that this covers cyber-security risk management. A planning firm that cannot demonstrate basic controls across its advisers is exposed on its licence obligations, not just its data.
How long do we have to keep client advice records?
Advice documents such as statements of advice generally must be kept for at least seven years under the Corporations Act and ASIC’s rules, and fee disclosure and ongoing-service records carry their own retention requirements. Those records need to live in managed, backed-up systems for the full period, not on individual devices.
What is the biggest IT risk for an advice practice?
Business email compromise on payment and rollover instructions. Because advisers move money on client instruction, a compromised or spoofed mailbox can redirect funds before anyone notices. MFA, mailbox monitoring and a strict verbal-verification rule for any bank-detail change are the controls that matter most.
Does APRA CPS 234 apply to us if we are not APRA-regulated?
Not directly, but it flows down. If you handle data for, or sit in the supply chain of, an APRA-regulated entity such as a super fund or insurer, CPS 234 requires them to manage your information security. Expect security questionnaires and contractual control requirements as a condition of working with them.
Getting it right without overspending
A planning firm does not need an enterprise security budget — it needs the right controls done properly and kept that way: MFA and conditional access everywhere, hardened email with a verbal-verification process for payments, individual logins across Xplan and your CRM, a real backup that meets your retention obligations, and the discipline to be able to answer a licensee or CPS 234 questionnaire honestly. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma — no offshore helpdesk. We support professional services firms across Melbourne metro on per-user fixed monthly pricing, with sub-15-minute response on critical issues and same-business-day on-site when you need hands on the ground. If your practice is running on saved passwords and goodwill, get in touch and we will tell you plainly what to fix first.
Allied health clinics carry the same privacy and security obligations as a GP practice, usually with a fraction of the budget and no in-house support. Good allied health IT support keeps your clinical software running, your telehealth stable, and your patient records protected to the standard the Privacy Act and AHPRA expect.
Physiotherapy, psychology, occupational therapy, dietetics, podiatry and speech pathology clinics all sit in the same regulatory bucket. They handle health information, so they are covered by the Privacy Act regardless of turnover — the usual $3 million small-business exemption does not apply to health service providers. A two-room psychology practice in Camberwell has the same baseline obligations as a 40-clinician group. That trips a lot of owners up, so it is worth getting the IT side right from the start.
What allied health clinics actually run
Most allied health practices in Melbourne run on cloud-based practice-management software, not a server in the back room. The common platforms — Cliniko, Halaxy, Nookal, Power Diary and Coreplus — handle appointments, clinical notes, invoicing, Medicare and DVA claiming, and increasingly NDIS billing.
Because these are SaaS products, the vendor secures the application and database. Your obligations do not disappear, though. You still own the devices, accounts, clinic network, integrations and the backup of anything outside the platform — and that half is where most incidents happen. The recurring weak spots we find: unpatched, unencrypted laptops with a saved Cliniko login; shared reception accounts with no multi-factor authentication; booking widgets, payment terminals and SMS reminders that touch patient data without being configured properly; and assessment reports or scanned referrals sitting in a Downloads folder or on a USB stick. That last one is the data that gets lost.
Telehealth that actually holds up
Telehealth went from optional to core during the pandemic and has not gone back. Psychology and speech pathology run a large share of sessions over video, and the problem is almost never the platform — it is the clinic’s internet and the practitioner’s setup.
Reliable telehealth comes down to a few unglamorous things: a business-grade connection with enough upload bandwidth, a 4G or 5G failover so a session does not drop when the NBN has a wobble, Quality of Service on the router so video is prioritised over a background 2 GB update, and a decent headset and webcam. We have seen practitioners blame Coreplus or Halaxy for dropouts when the real fault was a consumer router and a single connection carrying four concurrent sessions. Upload speed is the number that matters and the one most retail plans bury — if you run more than two or three sessions at once, size it deliberately.
My Health Record and secure messaging
My Health Record connectivity
Eligible allied health providers can connect to My Health Record to view shared health summaries, discharge summaries, pathology and imaging. Connecting requires conformant software (most major platforms support it), an HPI-O for the organisation, HPI-I numbers for practitioners, and a NASH PKI certificate to authenticate the connection. The NASH certificate has to be installed and renewed correctly or the connection silently stops working — a task for someone who has done it before, not a practice manager guessing at midnight.
Secure messaging with Argus and Medical-Objects
Secure messaging through Argus or Medical-Objects is how allied health clinics exchange referrals, assessment reports and correspondence with GPs and specialists in an encrypted, point-to-point way. If you accept referrals from GP clinics, they will often expect you to be reachable on one of these networks. Getting the directory listing, software integration and message routing right is a setup job, and it removes a privacy risk that fax and ordinary email both carry.
Privacy, AHPRA and your legal obligations
Two regimes matter here, and they overlap. The Privacy Act 1988 and the Australian Privacy Principles apply to every health service provider, with no turnover threshold. Health information is sensitive information and attracts the highest level of protection. Under the Notifiable Data Breaches scheme, an eligible breach involving patient records must be assessed and, where it is likely to cause serious harm, reported to the Office of the Australian Information Commissioner (OAIC) and affected individuals. A lost laptop full of psychology case notes is exactly what that scheme exists for.
Separately, AHPRA and the National Boards set professional obligations on registered practitioners — physiotherapists, psychologists, occupational therapists, podiatrists and speech pathologists — including keeping accurate clinical records and protecting confidentiality. The controls that satisfy the Privacy Act are the same ones that meet those obligations: access control, encryption, retention and a record of who accessed what.
None of this requires gold-plating. The Australian Cyber Security Centre (ACSC) Essential Eight is a sensible baseline, and most clinics can implement the meaningful parts — multi-factor authentication, patching, application control and backups — without a large spend. We cover the practical version in our guide to healthcare IT support, the OAIC and My Health Record, and the broader picture in our cybersecurity services.
Multi-practitioner access control
Most allied health clinics grow by adding practitioners, and access control is usually what gets left behind. The principle is simple: each person has their own login, sees only what their role requires, and loses access the day they leave. In practice:
- Individual accounts in Cliniko, Nookal or whichever platform you run — never a shared “reception” login that three people use.
- Multi-factor authentication on every account that touches patient data, including the practice-management platform and Microsoft 365 mailboxes.
- Role-based permissions so a casual admin cannot export the entire client database.
- A leaver process that disables accounts immediately. Locum and contractor physios who rotate through clinics are a particular risk if access is never revoked.
If your clinic runs on Microsoft 365, conditional access policies let you enforce MFA and block sign-ins from unexpected locations without making life painful for staff. We walk through that in our piece on conditional access policies in Microsoft 365.
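The four access-control points above are easiest to keep honest with a periodic review that compares what HR says about staff with what each platform's user list says. The script below is an example added for this page, not TechAssist's own tooling: it reconciles a constructed roster against constructed account exports and reports shared logins, leavers still enabled, accounts without MFA and permissions beyond the role. The role-to-permission map is a constructed policy; a real run would export the roster from HR and the accounts from each platform.

```python
"""Reconcile platform accounts against the staff roster to find access-control gaps:
shared logins, leavers still enabled, accounts without MFA and permissions beyond
the role. Added example for this page, not TechAssist's own tooling. The roster,
account exports and role map are constructed samples."""

from datetime import date

# Constructed roster: who HR says works here, and when anyone left.
ROSTER = {
    "anna@example-clinic.com.au": {"role": "physio", "left": None},
    "ben@example-clinic.com.au": {"role": "admin", "left": None},
    "carla@example-clinic.com.au": {"role": "locum", "left": date(2024, 2, 16)},
}

# Constructed account exports from two systems.
ACCOUNTS = [
    {"system": "practice-mgmt", "user": "anna@example-clinic.com.au", "mfa": True,
     "enabled": True, "perms": {"notes", "calendar"}},
    {"system": "practice-mgmt", "user": "reception", "mfa": False,
     "enabled": True, "perms": {"calendar", "invoicing"}},
    {"system": "practice-mgmt", "user": "carla@example-clinic.com.au", "mfa": True,
     "enabled": True, "perms": {"notes"}},
    {"system": "m365", "user": "ben@example-clinic.com.au", "mfa": False,
     "enabled": True, "perms": {"mail", "export-all"}},
]

# Maximum permissions each role should hold (constructed policy).
ROLE_PERMS = {
    "physio": {"notes", "calendar", "mail"},
    "locum": {"notes", "calendar"},
    "admin": {"calendar", "invoicing", "mail"},
}


def review_account(account: dict, roster: dict, today: date) -> list[str]:
    """Return the problems with one account; an empty list means it passes."""
    findings = []
    person = roster.get(account["user"])
    if person is None:
        # No named owner: a shared "reception" login or an account nobody claims.
        findings.append("not tied to a named person (shared or orphaned login)")
    else:
        left = person["left"]
        if left is not None and left <= today and account["enabled"]:
            findings.append(f"owner left on {left.isoformat()} but account is still enabled")
        excess = account["perms"] - ROLE_PERMS.get(person["role"], set())
        if excess:
            findings.append("permissions beyond role '%s': %s"
                            % (person["role"], ", ".join(sorted(excess))))
    if account["enabled"] and not account["mfa"]:
        findings.append("MFA not enabled")
    return findings


def access_review(accounts: list[dict], roster: dict, today: date) -> list[dict]:
    """Review every account and return only those with findings."""
    report = []
    for acc in accounts:
        findings = review_account(acc, roster, today)
        if findings:
            report.append({"system": acc["system"], "user": acc["user"], "findings": findings})
    return report


if __name__ == "__main__":
    for entry in access_review(ACCOUNTS, ROSTER, date.today()):
        print(f"{entry['system']} / {entry['user']}")
        for f in entry["findings"]:
            print("  -", f)
```

The leaver check is date-aware on purpose: an account for someone whose last day is next week is fine today and a finding the morning after, which is exactly when a rotating locum's access tends to be forgotten.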
NDIS and Medicare billing
Billing is where allied health gets operationally messy, because a single clinic might invoice Medicare, DVA, private health funds, NDIS plan managers, self-managed participants and the agency itself. Cliniko, Halaxy, Nookal, Power Diary and Coreplus all handle Medicare and DVA claiming through integrated channels, and most now support NDIS invoicing. The IT job is making sure those integrations are configured and authenticated correctly, and that the financial data — which is also personal information — is backed up and access-controlled like everything else. Incorrect NDIS claiming is not just an accounting problem; it can become a compliance issue.
Backup of patient data
“It’s in the cloud, so it’s backed up” is the most dangerous assumption in allied health IT. SaaS platforms protect against their own infrastructure failing. They do not protect you from a staff member deleting a client record, a compromised account wiping data, or a billing dispute cutting off your access. A proper backup position covers three things:
- Practice-management data. Where the platform allows export or third-party backup, take it. Know how to get your patient and clinical data out if you ever need to.
- Microsoft 365. Email, OneDrive and SharePoint need a dedicated backup — Microsoft’s retention is not a backup, and referrals live in mailboxes.
- Local files and devices. Anything on the reception PC or a practitioner’s laptop needs to be backed up and, ideally, not stored there at all.
Knowing your recovery targets matters too — how long you could tolerate the system being down before the clinic cannot function (RTO) and how much recent data you could afford to lose between backups (RPO). Our backup and disaster recovery overview covers how to set those.
A Melbourne example
A multidisciplinary allied health clinic in Box Hill we work with — physio, podiatry, dietetics and psychology under one roof — came to us after a near-miss. A practitioner’s laptop was stolen from a car. It had a saved login to their practice-management system and a folder of exported assessment reports on the desktop — none of it encrypted, no MFA on the account. They had no clear way to know what was on the device or whether the OAIC needed notifying.
We rebuilt the basics: full-disk encryption on every device, MFA across the practice-management platform and Microsoft 365, conditional access to block unexpected sign-ins, a real Microsoft 365 backup, and a policy of not storing patient files locally. Their My Health Record and Argus connections were configured and documented so renewals do not get missed. The clinic now has a defensible position if a device goes missing again.
Frequently asked questions
Does the Privacy Act apply to my small allied health clinic?
Yes. Health service providers are covered by the Privacy Act and the Australian Privacy Principles regardless of turnover. The $3 million small-business exemption does not apply to organisations that provide a health service and hold health information, so even a solo psychology or physiotherapy practice is covered.
What does My Health Record connection require?
Conformant practice-management software, an HPI-O for the organisation, HPI-I numbers for practitioners, and a NASH PKI certificate. The NASH certificate must be installed correctly and renewed on time, or the connection stops working without an obvious error.
Do I really need to replace fax for referrals?
Secure messaging through Argus or Medical-Objects is the appropriate way to exchange referrals and reports with GPs and specialists. It is encrypted point-to-point, it is what referring clinics increasingly expect, and it removes the privacy risk fax and ordinary email both carry.
Getting it right without overspending
None of this is exotic. Allied health clinics do not need an enterprise security budget — they need the basics done properly and kept that way: encrypted devices, MFA everywhere, a real backup, sound access control, and the My Health Record and secure messaging connections maintained by someone who has done it before. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma. We support healthcare practices across Melbourne metro on per-user fixed monthly pricing, with same-business-day on-site when a clinic needs hands on the ground. If yours is running on goodwill and a consumer router, get in touch and we will tell you plainly what to fix first.