Community pharmacies run on systems that have to be available the moment a customer hands over a script, store sensitive health data the Privacy Act takes seriously, and connect to half a dozen government and supplier networks at once. Good pharmacy IT support keeps the dispensary, the retail front and the claiming all running together, securely.
If you own or manage a retail pharmacy, your IT is not a back-office convenience. A dispensing terminal that freezes, a SafeScript lookup that times out, or a server that goes down on a Saturday morning translates directly into a queue of patients you cannot serve and prescriptions you cannot legally fill. This is operational, clinical and regulatory all at once, and most generic “computer guys” do not understand the stack.
What actually runs in a community pharmacy
A typical suburban pharmacy is running more integrated software than most small businesses twice its size. The dispensing system is the heart of it. Depending on the banner group and the pharmacist’s history, that is usually one of:
- FRED Dispense or the newer cloud-capable FRED NXT
- Z Software (ZDispense)
- Minfos
- Aquarius
- Simple Retail or another integrated retail POS platform
That dispensing system does not sit on its own. It has to talk to electronic prescription services, the real-time prescription monitoring database, My Health Record, your wholesaler ordering, your retail point of sale, your label printers and your dose-administration-aid packing. When the underlying network, server or workstation has problems, all of that wobbles at once. The pharmacist usually notices first, at the worst possible moment.
A pharmacy in Box Hill we work with runs FRED NXT in the dispensary and an integrated retail POS at the front counter, with a single on-premise server tying them together and a secondary internet service on standby. That setup is normal now, not gold-plated. The dependencies are real, so the infrastructure underneath them has to be treated as critical, not as something you replace when it finally dies.
Electronic prescriptions, SafeScript and My Health Record
Three external systems sit close to the centre of day-to-day dispensing, and all three depend on a stable internet connection and correctly configured workstations.
Electronic prescriptions (eRx and the token / Active Script List)
Paper scripts have largely given way to electronic prescriptions delivered through the eRx Script Exchange (and, where still in play, MediSecure). A patient presents an SMS or email token, or you pull their Active Script List, and the script flows straight into the dispensing software. When the connection to the prescription exchange drops, dispensing slows to a crawl and staff fall back to manual workarounds that introduce errors. Reliable connectivity and a tested failover path are not optional here.
Real-time prescription monitoring (SafeScript Victoria)
In Victoria, SafeScript is mandatory for supplying monitored medicines. Pharmacists are required to check it, and a slow or broken connection to SafeScript is not just an inconvenience, it sits in the middle of a legal obligation. The integration runs through the dispensing software and a browser, so DNS, certificates and browser configuration all matter. We have seen “it’s just the internet” turn out to be an expired certificate or a security setting blocking the lookup.
My Health Record
Uploading dispense records to My Health Record relies on your NASH PKI certificate, correct HPI-O configuration and a healthy connection to the Healthcare Identifiers service. Certificates expire. When they do, uploads silently fail and nobody notices until there is a problem. Part of competent pharmacy IT is tracking those expiry dates and renewing them before they bite.
Claiming through the Pharmacy Programs Administrator
Beyond dispensing revenue, pharmacies claim for programs administered by the Pharmacy Programs Administrator (PPA) through its portal — MedsCheck, Dose Administration Aids, staged supply, and the various professional programs that come and go. Claiming depends on accurate records out of your dispensing and patient management systems, and on PRODA access for the staff who lodge claims.
The IT angle is unglamorous but real: PRODA accounts tied to individuals who have since left, multi-factor authentication that nobody can reset, and software that has not been updated to the current program rules. When claiming breaks at month-end, it is real money sitting unclaimed. Keeping access, identity and software current is part of the job.
Protecting health and payment data under the Privacy Act
This is where pharmacies are exposed in a way most retailers are not. You hold two categories of data that attract serious obligations: health information and payment card data.
Health information is sensitive information under the Privacy Act 1988, and the usual small-business turnover exemption does not apply to it. A pharmacy that turns over well under the $3 million threshold is still an APP entity because it provides a health service and holds health records. In plain terms: there is no turnover threshold that lets a pharmacy off the hook. You are covered by the Australian Privacy Principles and the Notifiable Data Breaches scheme regardless of size, and the Office of the Australian Information Commissioner (OAIC) is the regulator if something goes wrong.
That means a stolen laptop, a ransomware hit that exposes patient records, or a misconfigured backup sitting in a public cloud bucket can each be a notifiable breach. The practical controls are not exotic: encrypted devices, properly segmented networks so the public-facing retail Wi-Fi cannot reach the dispensary server, tight access control, multi-factor authentication on email and remote access, and patched systems. Most of this maps cleanly onto the Essential Eight, which is the framework we use as the baseline for healthcare clients. If you want the wider clinical-records picture, our guide to healthcare IT support, the OAIC and My Health Record goes deeper on the obligations.
On the payment side, taking card payments brings PCI DSS obligations through your bank and payment provider. Integrated EFTPOS and properly maintained terminals do most of the heavy lifting, but the surrounding network still has to be kept clean.
Where the retail POS and the dispensary have to meet
The thing that makes pharmacy IT distinct from a standard shopfront is that the retail and clinical sides are genuinely fused. A customer collecting a prescription often buys front-of-shop items in the same transaction. Stock, pricing, promotions, loyalty and scheduled-medicine handling all flow between the POS and the dispensing system.
When that integration is healthy, the counter is fast and the pharmacist is not retyping anything. When it is not — mismatched product files, a POS that has lost its link to the dispensing database, a pricing update that did not sync — staff start working around the system, and that is where errors and lost margin creep in. Getting this right is a mix of vendor coordination and solid local infrastructure, and it is exactly the kind of thing a generic break-fix provider tends to shrug at.
Uptime, backups and ransomware resilience
A pharmacy cannot trade when its core systems are down. That makes three things non-negotiable: reliable uptime, recoverable backups, and a genuine plan for ransomware.
Uptime
Uptime is about removing single points of failure. A pharmacy that depends on one ageing server, one internet connection and one power outlet is one bad morning away from closing the dispensary. Sensible measures — a properly specified and monitored server, a UPS, a secondary internet service that fails over automatically, and proactive monitoring that flags a failing disk before it dies — keep the doors open. Our managed IT services are built around catching these problems before they become outages, with same-business-day on-site cover across Melbourne metro when something does need hands on it.
Backups
Your dispensing database is the record of every supply you have made. It has to be backed up, the backups have to be tested, and at least one copy has to be off-site and out of reach of anything that compromises the main system. An untested backup is a hope, not a plan. We work to clear recovery objectives so you know how much data you could lose and how long you would be down — the detail is in our piece on RTO versus RPO.
Ransomware resilience
Healthcare is a favourite target for ransomware crews precisely because the data is sensitive and the pressure to pay is high. Resilience means layered defences — email security to stop the phishing that usually starts it, endpoint protection, network segmentation, multi-factor authentication everywhere, and immutable off-site backups so that even if the main systems are encrypted, you can rebuild. Our cybersecurity services and 24/7 NOC at Tecoma are geared to exactly this: catch the intrusion early, contain it, and have a recovery path that does not involve paying criminals.
What good pharmacy IT support looks like in practice
The difference between a provider who understands pharmacies and one who does not shows up in the small things: knowing that a SafeScript timeout might be a certificate, not the NBN; knowing that a failed My Health Record upload usually traces back to NASH PKI; understanding that the dispensing vendor and the IT provider have to coordinate rather than blame each other.
| Need | Generic IT provider | Pharmacy-aware IT support |
|---|
| Dispensing software issues | “Call the vendor” | Coordinates with FRED, Minfos, Z, etc. and fixes the infrastructure side |
| SafeScript / eRx outages | Checks the internet, stops there | Checks certificates, DNS, browser config and failover |
| Privacy / data breach | Unaware health data has no turnover threshold | Builds to OAIC and Essential Eight from day one |
| Uptime | Reactive, fixes it after it breaks | Monitored, with failover and same-day on-site |
| Backups | “There’s a backup running” | Tested, off-site, immutable, with known recovery objectives |
TechAssist is a Melbourne-based MSP founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk — and a sub-15-minute response on critical issues. For a pharmacy, that response time is the difference between a brief hiccup and a closed dispensary. We work with healthcare clients across the metro on per-user fixed monthly pricing, so a busy month does not turn into a surprise IT bill.
Frequently asked questions
Does the Privacy Act apply to a small pharmacy?
Yes. Because a pharmacy provides a health service and holds health records, it is an APP entity under the Privacy Act regardless of turnover. The small-business exemption that applies to many businesses under $3 million does not cover the handling of health information, so the Australian Privacy Principles and the Notifiable Data Breaches scheme apply to you.
Can you support FRED, Minfos, Z Software and Aquarius?
We support the infrastructure, network, workstations, servers and security those systems run on, and we coordinate directly with the dispensing vendor for application-level issues. Most “the dispensing system is slow” calls turn out to be infrastructure or connectivity problems, which is squarely our remit.
What happens to dispensing if our internet goes down?
Electronic prescriptions, SafeScript and My Health Record all need connectivity, so an outage hits dispensing hard. We design pharmacies with a secondary internet service that fails over automatically, so a single ISP fault does not stop you trading. It is one of the first things we check on a new pharmacy site.
How quickly can you get someone on-site?
We offer same-business-day on-site support across Melbourne metro, backed by a sub-15-minute response on critical issues from our Tecoma NOC and CBD office. For a pharmacy with a down dispensary, getting hands on it the same day matters.
Talk to a Melbourne MSP that knows pharmacies
If your current provider treats your dispensary like an ordinary office network, you are carrying more risk than you should — clinically, financially and under the Privacy Act. We build pharmacy IT around the systems you actually run, the regulators you actually answer to, and the uptime your patients depend on. Get in touch and we will walk through your dispensing, claiming, security and backup setup, and tell you straight where the gaps are.
Good veterinary IT support keeps a clinic running when a dog is crashing on the table and the imaging suite, the lab interface and the practice management system all have to work at once. For Melbourne vets, that means fast, redundant infrastructure built around ezyVet or RxWorks, DICOM storage that doesn’t choke, and backups you can actually restore.
Veterinary practices are deceptively IT-heavy. A two-vet clinic in Box Hill runs more clinical systems than most law firms twice its size: practice management, digital radiography, in-house pathology analysers, a payment terminal, a pet-insurance claims workflow and a reminder engine pinging clients about C5 vaccinations. When any one of those stalls, the waiting room backs up and revenue stops. This post walks through what proper IT support for a vet clinic looks like and where most setups fall over.
Practice management software is the spine — treat it that way
Everything in a clinic hangs off the practice management system (PMS). In Australian small-animal practice you’ll typically see ezyVet, RxWorks, VisionVPM, Provet Cloud or ASAP. They split roughly into two camps, and that split decides your whole infrastructure design.
- Cloud-hosted (ezyVet, Provet Cloud): the application lives in the vendor’s data centre and you reach it through a browser. Your local burden shifts to internet reliability, DNS and endpoint health.
- Server- or workstation-based (RxWorks, VisionVPM, ASAP): the database sits on a box in your back room or comms cupboard. That server’s health, patching and backups become your single biggest risk.
The mistake we see most often is treating the PMS like ordinary office software. A vet’s database is open and being written to from the moment the first consult starts until the last record is saved at night. If that server has a failing disk, an out-of-date SQL instance or a backup that hasn’t completed in three weeks, the clinic is one bad morning away from losing patient history, drug records and accounts receivable. Knowing which PMS you run, how it stores data and what the vendor is and isn’t responsible for is the first job of any competent managed IT services provider.
Cloud PMS doesn’t mean “not your problem”
Clinics on ezyVet sometimes assume the cloud vendor handles everything. The vendor handles their servers. They do not handle your internet dropping out mid-consult, your Wi-Fi blackspot in the second consult room, or a phishing email that hands over the login to your entire patient database. The boundary matters, and someone needs to own your side of it.
Imaging, DICOM and the large-file problem
Digital radiography is where vet IT gets genuinely demanding. A single digital X-ray series is large, and CT or ultrasound studies are larger again. These come off the modality as DICOM files and need to land somewhere fast, stay accessible for review, and remain retrievable years later for re-presentations and medico-legal reasons.
Two things tend to break:
- Network throughput. If your imaging workstation pushes studies across a tired 1Gb switch shared with everything else, the radiographer waits while the image loads. Gigabit cabling to the imaging room, a decent switch and proper segregation of imaging traffic fixes this. Wireless is the wrong place to move DICOM studies — keep the modality and review station on wired connections.
- Storage that fills silently. Imaging archives grow relentlessly and don’t shrink. A clinic that bought a server with 2TB three years ago is often surprised to find imaging has quietly eaten it. Storage planning has to account for years of accumulation, not the first six months.
Most Melbourne clinics we work with keep DICOM on local fast storage for immediate access, with a second copy replicated off-site so a dead drive or a flooded comms cupboard doesn’t erase a patient’s imaging history. That overlaps heavily with how we approach data backup and recovery generally — imaging is just backup with bigger files and longer retention.
In-house lab integrations
In-house pathology — IDEXX or Heska haematology and biochemistry analysers, in particular — is one of the most rewarding integrations to get right and one of the most fiddly. When it works, the vet orders a panel in the PMS, runs the sample, and results flow straight back onto the patient record. When it doesn’t, someone is hand-typing results off a printout, which wastes clinical time and introduces transcription errors.
These integrations usually run over a small piece of middleware or a direct network link between the analyser and the PMS. The failure points are dull but real: a changed IP address after a router swap, a Windows update that resets a service, a firewall rule that quietly blocks the analyser. Whoever supports the clinic needs to understand that the analyser is a networked device with its own quirks, not just “the machine in the lab”. Getting it documented — IP, port, service, vendor contact — means a five-minute fix instead of a half-day outage.
Appointments, reminders, payments and insurance claims
The front-of-house systems are what clients actually see, so when they break the clinic looks unprofessional even if the clinical side is fine.
Appointment and reminder systems
Online booking and automated reminders (SMS and email for vaccinations, parasite prevention, dental checks and post-op follow-ups) are usually built into the PMS or bolted on through an integration. The IT job here is keeping the integration authenticated and the messages actually sending — expired API tokens and misconfigured email authentication (SPF, DKIM, DMARC) are the usual reason reminders silently stop going out. A clinic often doesn’t notice for weeks, by which point recall revenue has already been lost.
Payments and pet-insurance claims
Payment terminals need a stable network path and shouldn’t share a flat network with clinical systems — card data and patient records living on the same undivided LAN is poor practice. Pet-insurance claims, increasingly lodged through GapOnly or direct insurer portals, depend on the front desk having reliable connectivity and the PMS integration working. None of it is glamorous, but a frozen terminal at checkout on a Saturday morning is exactly the kind of thing that makes a client never come back.
Protecting client data and payment information
Vet clinics hold more sensitive data than they realise: client names, addresses, phone numbers, payment details and, increasingly, linked finance arrangements. Under the Privacy Act, a business turning over more than $3 million a year is covered by the Australian Privacy Principles, and many established multi-vet practices and animal hospitals sit above that line. Even below it, a clinic taking payment card data has obligations, and a breach of client financial information is a reputational disaster regardless of turnover.
The Office of the Australian Information Commissioner (OAIC) runs the Notifiable Data Breaches scheme. If a clinic suffers a breach likely to cause serious harm — say a ransomware crew exfiltrates the client database — it may be legally required to notify affected clients and the OAIC. The practical defence is the same set of controls we’d put in front of any SME holding sensitive data: multi-factor authentication on the PMS and email, current patching, properly configured backups, network segmentation between clinical, payment and guest Wi-Fi, and staff who can recognise a phishing email. We build these along the Australian Cyber Security Centre’s Essential Eight model, which is the most sensible baseline for a small clinic that can’t justify an enterprise security team. Our broader approach to cybersecurity services applies the same controls without drowning a five-person practice in process.
Reliable Wi-Fi across every consult room
A vet on a tablet updating a record at the patient’s side, an imaging cart roaming between rooms, the front desk, the kennels out the back — they all need coverage, and a single consumer router by the reception desk won’t deliver it. Concrete walls, stainless steel cages and the metal-heavy fit-out of a treatment area all eat Wi-Fi signal.
The fix is business-grade access points placed for actual coverage rather than convenience, on separate networks for clinical use, payments and a guest/client SSID. A clinic in Footscray we worked with had constant dropouts on tablets in the back treatment area; the cause was a single overloaded access point trying to cover a building it was never going to reach. Two properly positioned access points and a clean network design ended the complaints. This is the sort of thing that’s hard to fix remotely and is why on-site technical support matters for clinics — someone has to physically walk the building with a signal meter.
After-hours and emergency uptime
A daytime-only general practice and a 24-hour animal hospital are completely different IT problems. An emergency and critical-care hospital cannot have its PMS down at 2am when a critical patient comes through the door — there’s no “we’ll sort it tomorrow”. That demands redundant internet (a primary connection plus a 4G/5G failover), a server or cloud setup designed so a single failure doesn’t stop clinical work, and IT support that answers the phone at 2am rather than a ticket queue opening at nine.
TechAssist is a Melbourne-based MSP with a 24/7 Network Operations Centre in Tecoma in the eastern suburbs, which is the part of our service that matters most to a clinic running overnight. We target a sub-15-minute response on critical (P1) issues and same-business-day on-site across Melbourne metro, and all 13 of our engineers are Australian-employed rather than offshore — so an after-hours emergency reaches someone who knows your clinic, not an overseas script reader. For a clinic running overnight, that responsiveness is the difference between a brief blip and a night spent on paper.
Backups you have actually tested
Backups are where vet IT most often turns out to be quietly broken. The pattern is familiar: a backup was configured years ago, nobody checks it, and the day the server dies everyone discovers it stopped completing months earlier. A backup that has never been test-restored is a guess, not a safeguard.
For a clinic, a sound backup posture means a local copy for fast restores, an off-site or cloud copy that survives fire, theft or ransomware, and immutable backups that an attacker can’t encrypt or delete. It also means knowing your RTO and RPO — how quickly you need to be back up, and how much data you can afford to lose — because those numbers drive the whole design. We test-restore client backups rather than assuming they work, and that single discipline catches more disasters than any firewall.
What this looks like as a managed service
Pulling it together, here’s how the major risks map to what a clinic actually needs from IT support.
| Clinic system | Main risk | What good support provides |
|---|
| Practice management (ezyVet, RxWorks, VisionVPM, Provet Cloud, ASAP) | Database loss, server failure, vendor-boundary confusion | Patched, monitored infrastructure; tested backups; clear ownership of your side |
| Digital imaging / DICOM | Slow loads, storage filling, lost imaging history | Wired gigabit to imaging, capacity planning, off-site replication |
| In-house lab analysers | Broken integration after a change or update | Documented network config, fast reconnection, vendor coordination |
| Reminders, payments, insurance claims | Silent failures, frozen terminals, lost recall revenue | Monitored integrations, segmented payment network, stable connectivity |
| Client and payment data | Breach, ransomware, OAIC notification | MFA, Essential Eight controls, segmentation, staff awareness |
| Wi-Fi and after-hours uptime | Blackspots, single points of failure, 2am outages | Business-grade APs, redundant internet, 24/7 response |
The clinics that have the least IT drama are the ones that treat it as core infrastructure — funded, monitored and supported properly — rather than something to deal with when it breaks. Per-user fixed monthly pricing, the model we use, makes that predictable: support for the whole clinic for a known monthly figure, with no hourly bill arriving every time a vet calls about a frozen screen.
Frequently asked questions
Do you support both cloud and server-based veterinary practice management systems?
Yes. Cloud platforms like ezyVet and Provet Cloud need solid internet, DNS and endpoint security on your side. Server-based systems like RxWorks, VisionVPM and ASAP need patching, monitoring and tested backups on the server itself. We support both, and the design differs accordingly.
How do you handle the large file sizes from digital X-ray and CT?
DICOM imaging lives on fast local storage on a wired gigabit connection for immediate review, with a second copy replicated off-site for retention and disaster recovery. We plan storage for years of accumulation, because imaging archives only ever grow.
Can poor Wi-Fi in our consult rooms actually be fixed?
Usually, yes — and it almost always needs someone on-site. Consumer routers can’t cover a clinic with concrete walls and metal fit-outs. Business-grade access points placed for real coverage, on segmented networks, resolve nearly every blackspot complaint we’re called about.
What happens if our system goes down after hours?
Our 24/7 NOC in Tecoma means an after-hours emergency reaches an Australian engineer, not a ticket queue. For 24-hour animal hospitals we also design redundancy — failover internet and resilient server or cloud setups — so a single failure doesn’t stop clinical work overnight.
Talk to us about your clinic
If your clinic is in Melbourne and your PMS, imaging or Wi-Fi has been more trouble than it should be, we can help. We work with healthcare and professional-services clients across Melbourne metro and understand the specific demands of a veterinary fit-out. Get in touch and we’ll walk through where your current setup stands and what it would take to make it boringly reliable.
Aged care IT support means keeping clinical systems, resident records and connectivity running across facilities and homes — to a standard the strengthened Aged Care Quality Standards now expect. Get it wrong and you risk a data breach, a downgraded Star Rating, and care staff locked out at handover. Get it right and the technology becomes invisible.
Since 1 July 2025, residential and home care providers have operated under the new Aged Care Act and a strengthened set of Quality Standards. The compliance bar moved, and a lot of it now lands squarely on IT. This is a practical look at what aged care providers in Melbourne actually need from their technology, and where most of them are exposed.
Why aged care is a harder IT problem than it looks
On paper an aged care provider looks like any other mid-sized organisation: staff, devices, email, a few line-of-business systems. In practice it is one of the more demanding environments we support. You have a 24/7 operation where downtime affects vulnerable people, a workforce with high turnover and patchy device literacy, some of the most sensitive personal data in the country, and a regulator that can publish your performance as a Star Rating for families to read.
Residential and home care providers also run differently from each other. A residential facility is a fixed site — nurses’ stations, medication rooms, Wi-Fi that has to reach every wing including the ones with thick brick walls built in 1975. Home care is a distributed workforce: support workers driving between clients across the suburbs, logging visits on a phone or tablet, needing reliable mobile access to care plans without carrying paper. The IT looks similar from the outside and is genuinely different underneath.
The compliance layer: Quality Standards, Star Ratings and the portals
The strengthened Aged Care Quality Standards put more explicit weight on governance, information management and the security of personal information. Standard 2 (the organisation) and the governance expectations around it mean a provider’s board and management are now accountable for how information is handled and protected — and “we outsourced it to an IT company” is not an answer the Aged Care Quality and Safety Commission accepts. The accountability stays with the provider.
Practically, that means your IT arrangements need to be documented, your access controls need to be defensible, and you need to be able to show how resident information is kept secure. If you can’t produce that on request, you have a governance gap, not just a technical one.
Star Ratings raise the stakes again. Compliance, quality measures, staffing and residents’ experience feed into a public rating on My Aged Care. Systems that don’t capture data accurately — or go down during a quality audit period — can quietly drag the numbers that families use to choose a provider. The link between “our IT is reliable” and “our rating holds up” is more direct than most boards realise.
Then there are the portals. My Aged Care, the provider portals, the Government Provider Management System and the data submissions that flow through them all depend on the right people having the right access, secure sign-in, and accurate records at the source. When a staff member leaves and their access isn’t revoked, or when the wrong person can see the wrong client’s record, that is an IT and identity problem with a compliance consequence.
Clinical and care management systems
The system at the centre of an aged care provider’s day is its clinical or care management platform. In the Australian market that usually means one of AlayaCare, Leecare, Manad Plus or Telstra Health’s iCareHealth — plus medication management, rostering and finance systems hanging off the side.
Whether these are cloud-hosted or run on a server in the comms room, the IT job is the same: they must be available, fast, backed up, and reachable from wherever care happens. A nurse at a medication round or a support worker in a client’s lounge room cannot wait for a system to load. We treat these platforms as the priority for monitoring, patching and uptime, and we build the network and connectivity around keeping them responsive.
A residential provider in Box Hill we work with runs its clinical records in the cloud and its rostering separately. The risk wasn’t the software — both vendors run solid platforms — it was everything underneath: a single internet service with no failover, a flat network where a compromised reception PC could reach the medication system, and backups nobody had ever tested. None of that is the clinical vendor’s responsibility. It’s the MSP’s, and it’s where the real exposure sits.
Protecting highly sensitive resident data
Aged care providers hold a concentration of sensitive information that makes them a deliberate target: health records, medication histories, cognitive assessments, next-of-kin details, financial and Centrelink information, and increasingly the data of family members too. Under the Privacy Act and the Australian Privacy Principles, much of this is “sensitive information” attracting the highest level of protection, and a breach is reportable to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.
The sector’s risk profile has worsened. Healthcare and aged care are consistently among the most-breached sectors in OAIC reporting, and attackers know these organisations often run lean IT with older systems and a workforce that’s easy to phish. The cyber insurance market has noticed too — premiums and the controls insurers demand both reflect the elevated risk.
The defensive baseline we hold aged care clients to is the Australian Cyber Security Centre’s (ACSC) Essential Eight: application control, patching applications and operating systems quickly, configuring Microsoft Office macro settings, hardening user applications, restricting administrative privileges, multi-factor authentication, and regular tested backups. None of this is exotic. Most of the breaches we’re called in after would have been stopped or contained by getting the Essential Eight genuinely in place rather than half-done. If you want the staged version, we’ve written up how to reach Essential Eight maturity in 90 days.
Backups deserve their own mention. A tested, isolated backup is the difference between a ransomware incident being a bad week and being an existential event for a provider that can’t access medication records. We cover the discipline behind this in our guide to backup and disaster recovery for Melbourne businesses, and it applies double in aged care.
Connectivity, devices and a 24/7 operation
Connectivity that doesn’t drop at handover
A residential facility needs Wi-Fi that actually reaches every resident room, nurses’ station and medication room, and an internet connection that doesn’t take the clinical system offline when the single NBN service has a wobble. Redundant connectivity — a second link that fails over automatically — is not a luxury in a 24/7 care setting. We design facility networks with coverage and failover as the starting point, not an afterthought, and we segment the network so that resident, staff, clinical and guest traffic are properly separated.
Devices for mobile care staff
Home care support workers and roaming clinical staff need phones and tablets that are secured, enrolled and managed centrally. If a device is lost between a client visit in Ringwood and the next in Croydon, you need to remotely wipe the resident data on it within minutes — not discover it’s been sitting in someone’s glovebox unencrypted. Mobile device management through Microsoft Intune, enforced encryption, and conditional access tying sign-in to a managed device are the controls that make a fleet of field devices defensible.
Identity for a high-turnover workforce
Aged care has significant staff churn — agency staff, casuals, people moving between providers. Every starter needs the right access on day one and every leaver needs it gone the same day. Manual, ad-hoc account management is where access creep and orphaned accounts come from, and orphaned accounts are how breaches happen months after someone’s left. We run identity properly: standardised onboarding and offboarding, role-based access so a kitchen hand can’t see clinical notes, and conditional access in Microsoft 365 enforcing MFA and blocking risky sign-ins. Get identity right and a large slice of your risk disappears.
24/7 uptime expectations
Care doesn’t stop at 5pm, so neither can support. A system outage at 2am during a medication round is a clinical problem, not just an IT ticket. TechAssist runs a 24/7 network operations centre from our Tecoma office in Melbourne’s east, with a sub-15-minute response on P1 critical issues and same-business-day on-site across Melbourne metro. For a sector where downtime touches vulnerable people, those response times are the point, not a marketing line.
What good aged care IT support actually covers
| Area | What it looks like done properly |
|---|
| Clinical systems | AlayaCare, Leecare, Manad Plus or iCareHealth monitored, patched and prioritised for uptime; integrations and backups tested |
| Data protection | Essential Eight aligned, MFA everywhere, tested isolated backups, OAIC breach readiness |
| Connectivity | Full-coverage Wi-Fi, redundant internet with failover, segmented networks per facility |
| Devices | Intune-managed phones and tablets, enforced encryption, remote wipe for lost field devices |
| Identity | Same-day onboarding/offboarding, role-based access, conditional access on Microsoft 365 |
| Support model | 24/7 NOC, defined P1 response times, same-day on-site, documented for governance evidence |
TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk handling resident data. We price per user on a fixed monthly basis with no hourly billing for in-scope work, which matters in a sector that has to budget tightly and can’t absorb surprise IT bills. Our cybersecurity services and broader managed IT services are built to carry this kind of regulated, always-on workload.
Frequently asked questions
Do the strengthened Aged Care Quality Standards require specific IT controls?
They don’t prescribe particular products, but the governance and information-management expectations mean providers must be able to show that resident information is kept secure and access is controlled. In practice that points straight at Essential Eight controls, MFA, managed identity and tested backups — and the accountability stays with the provider, not the IT vendor.
Is our clinical software vendor responsible for security and backups?
Only for their platform. AlayaCare, Leecare, Manad Plus and iCareHealth secure and back up their own service, but everything around it — your network, devices, identity, email, and any data you hold outside their system — is yours to protect. That gap is exactly where most incidents happen and where an MSP earns its keep.
What happens if we have a data breach?
If the breach is likely to cause serious harm, it’s notifiable to the OAIC and to affected individuals under the Notifiable Data Breaches scheme, usually within 30 days of becoming aware. Having tested backups, logging and an incident response plan ready is what turns a breach from a crisis into a managed event.
Can you support providers with both residential facilities and home care?
Yes. The two models need different network and device designs but the same underlying disciplines — identity, data protection and uptime. We build for both, including the mobile-device and connectivity needs of a distributed home care workforce.
Where to start
If you’re an aged care provider unsure whether your IT would stand up to a Quality audit or a breach, the honest first step is an assessment: where your sensitive data lives, how access is controlled, whether your backups actually restore, and where the Essential Eight gaps are. Most providers we assess have two or three serious exposures they didn’t know about. Get in touch with TechAssist and we’ll give you a straight read on where you stand and what to fix first.
Allied health clinics carry the same privacy and security obligations as a GP practice, usually with a fraction of the budget and no in-house support. Good allied health IT support keeps your clinical software running, your telehealth stable, and your patient records protected to the standard the Privacy Act and AHPRA expect.
Physiotherapy, psychology, occupational therapy, dietetics, podiatry and speech pathology clinics all sit in the same regulatory bucket. They handle health information, so they are covered by the Privacy Act regardless of turnover — the usual $3 million small-business exemption does not apply to health service providers. A two-room psychology practice in Camberwell has the same baseline obligations as a 40-clinician group. That trips a lot of owners up, so it is worth getting the IT side right from the start.
What allied health clinics actually run
Most allied health practices in Melbourne run on cloud-based practice-management software, not a server in the back room. The common platforms — Cliniko, Halaxy, Nookal, Power Diary and Coreplus — handle appointments, clinical notes, invoicing, Medicare and DVA claiming, and increasingly NDIS billing.
Because these are SaaS products, the vendor secures the application and database. Your obligations do not disappear, though. You still own the devices, accounts, clinic network, integrations and the backup of anything outside the platform — and that half is where most incidents happen. The recurring weak spots we find: unpatched, unencrypted laptops with a saved Cliniko login; shared reception accounts with no multi-factor authentication; booking widgets, payment terminals and SMS reminders that touch patient data without being configured properly; and assessment reports or scanned referrals sitting in a Downloads folder or on a USB stick. That last one is the data that gets lost.
Telehealth that actually holds up
Telehealth went from optional to core during the pandemic and has not gone back. Psychology and speech pathology run a large share of sessions over video, and the problem is almost never the platform — it is the clinic’s internet and the practitioner’s setup.
Reliable telehealth comes down to a few unglamorous things: a business-grade connection with enough upload bandwidth, a 4G or 5G failover so a session does not drop when the NBN has a wobble, Quality of Service on the router so video is prioritised over a background 2 GB update, and a decent headset and webcam. We have seen practitioners blame Coreplus or Halaxy for dropouts when the real fault was a consumer router and a single connection carrying four concurrent sessions. Upload speed is the number that matters and the one most retail plans bury — if you run more than two or three sessions at once, size it deliberately.
My Health Record and secure messaging
My Health Record connectivity
Eligible allied health providers can connect to My Health Record to view shared health summaries, discharge summaries, pathology and imaging. Connecting requires conformant software (most major platforms support it), an HPI-O for the organisation, HPI-I numbers for practitioners, and a NASH PKI certificate to authenticate the connection. The NASH certificate has to be installed and renewed correctly or the connection silently stops working — a task for someone who has done it before, not a practice manager guessing at midnight.
Secure messaging with Argus and Medical-Objects
Secure messaging through Argus or Medical-Objects is how allied health clinics exchange referrals, assessment reports and correspondence with GPs and specialists in an encrypted, point-to-point way. If you accept referrals from GP clinics, they will often expect you to be reachable on one of these networks. Getting the directory listing, software integration and message routing right is a setup job that removes a privacy risk fax and ordinary email both carry.
Privacy, AHPRA and your legal obligations
Two regimes matter here, and they overlap. The Privacy Act 1988 and the Australian Privacy Principles apply to every health service provider, with no turnover threshold. Health information is sensitive information and attracts the highest level of protection. Under the Notifiable Data Breaches scheme, an eligible breach involving patient records must be assessed and, where it is likely to cause serious harm, reported to the Office of the Australian Information Commissioner (OAIC) and affected individuals. A lost laptop full of psychology case notes is exactly what that scheme exists for.
Separately, AHPRA and the National Boards set professional obligations on registered practitioners — physiotherapists, psychologists, occupational therapists, podiatrists and speech pathologists — including keeping accurate clinical records and protecting confidentiality. The controls that satisfy the Privacy Act are the same ones that meet those obligations: access control, encryption, retention and a record of who accessed what.
None of this requires gold-plating. The Australian Cyber Security Centre (ACSC) Essential Eight is a sensible baseline, and most clinics can implement the meaningful parts — multi-factor authentication, patching, application control and backups — without a large spend. We cover the practical version in our guide to healthcare IT support, the OAIC and My Health Record, and the broader picture in our cybersecurity services.
Multi-practitioner access control
Most allied health clinics grow by adding practitioners, and access control is usually what gets left behind. The principle is simple: each person has their own login, sees only what their role requires, and loses access the day they leave. In practice:
- Individual accounts in Cliniko, Nookal or whichever platform you run — never a shared “reception” login that three people use.
- Multi-factor authentication on every account that touches patient data, including the practice-management platform and Microsoft 365 mailboxes.
- Role-based permissions so a casual admin cannot export the entire client database.
- A leaver process that disables accounts immediately. Locum and contractor physios who rotate through clinics are a particular risk if access is never revoked.
If your clinic runs on Microsoft 365, conditional access policies let you enforce MFA and block sign-ins from unexpected locations without making life painful for staff. We walk through that in our piece on conditional access policies in Microsoft 365.
NDIS and Medicare billing
Billing is where allied health gets operationally messy, because a single clinic might invoice Medicare, DVA, private health funds, NDIS plan managers, self-managed participants and the agency itself. Cliniko, Halaxy, Nookal, Power Diary and Coreplus all handle Medicare and DVA claiming through integrated channels, and most now support NDIS invoicing. The IT job is making sure those integrations are configured and authenticated correctly, and that the financial data — which is also personal information — is backed up and access-controlled like everything else. Incorrect NDIS claiming is not just an accounting problem; it can become a compliance issue.
Backup of patient data
“It’s in the cloud, so it’s backed up” is the most dangerous assumption in allied health IT. SaaS platforms protect against their own infrastructure failing. They do not protect you from a staff member deleting a client record, a compromised account wiping data, or a billing dispute cutting off your access. A proper backup position covers three things:
- Practice-management data. Where the platform allows export or third-party backup, take it. Know how to get your patient and clinical data out if you ever need to.
- Microsoft 365. Email, OneDrive and SharePoint need a dedicated backup — Microsoft’s retention is not a backup, and referrals live in mailboxes.
- Local files and devices. Anything on the reception PC or a practitioner’s laptop needs to be backed up and, ideally, not stored there at all.
Knowing your recovery targets matters too — how long you could operate if the system went down (RTO) and how much data you could lose (RPO). Our backup and disaster recovery overview covers how to set those.
A Melbourne example
A multidisciplinary allied health clinic in Box Hill we work with — physio, podiatry, dietetics and psychology under one roof — came to us after a near-miss. A practitioner’s laptop was stolen from a car. It had a saved login to their practice-management system and a folder of exported assessment reports on the desktop — none of it encrypted, no MFA on the account. They had no clear way to know what was on the device or whether the OAIC needed notifying.
We rebuilt the basics: full-disk encryption on every device, MFA across the practice-management platform and Microsoft 365, conditional access to block unexpected sign-ins, a real Microsoft 365 backup, and a policy of not storing patient files locally. Their My Health Record and Argus connections were configured and documented so renewals do not get missed. The clinic now has a defensible position if a device goes missing again.
Frequently asked questions
Does the Privacy Act apply to my small allied health clinic?
Yes. Health service providers are covered by the Privacy Act and the Australian Privacy Principles regardless of turnover. The $3 million small-business exemption does not apply to organisations that provide a health service and hold health information, so even a solo psychology or physiotherapy practice is covered.
What does My Health Record connection require?
Conformant practice-management software, an HPI-O for the organisation, HPI-I numbers for practitioners, and a NASH PKI certificate. The NASH certificate must be installed correctly and renewed on time, or the connection stops working without an obvious error.
Do I really need to replace fax for referrals?
Secure messaging through Argus or Medical-Objects is the appropriate way to exchange referrals and reports with GPs and specialists. It is encrypted point-to-point, it is what referring clinics increasingly expect, and it removes the privacy risk fax and ordinary email both carry.
Getting it right without overspending
None of this is exotic. Allied health clinics do not need an enterprise security budget — they need the basics done properly and kept that way: encrypted devices, MFA everywhere, a real backup, sound access control, and the My Health Record and secure messaging connections maintained by someone who has done it before. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma. We support healthcare practices across Melbourne metro on per-user fixed monthly pricing, with same-business-day on-site when a clinic needs hands on the ground. If yours is running on goodwill and a consumer router, get in touch and we will tell you plainly what to fix first.