IT Support for Aged Care Providers

Aged care IT support means keeping clinical systems, resident records and connectivity running across facilities and homes — to a standard the strengthened Aged Care Quality Standards now expect. Get it wrong and you risk a data breach, a downgraded Star Rating, and care staff locked out at handover. Get it right and the technology becomes invisible.

The new Aged Care Act and the strengthened Quality Standards commenced in November 2025, after a deferral from the original 1 July 2025 start date, and residential and home care providers now operate under both. The compliance bar moved, and a lot of it now lands squarely on IT. This is a practical look at what aged care providers in Melbourne actually need from their technology, and where most of them are exposed.

Why aged care is a harder IT problem than it looks

On paper an aged care provider looks like any other mid-sized organisation: staff, devices, email, a few line-of-business systems. In practice it is one of the more demanding environments we support. You have a 24/7 operation where downtime affects vulnerable people, a workforce with high turnover and patchy device literacy, some of the most sensitive personal data in the country, and a regulator that can publish your performance as a Star Rating for families to read.

Residential and home care providers also run differently from each other. A residential facility is a fixed site — nurses’ stations, medication rooms, Wi-Fi that has to reach every wing including the ones with thick brick walls built in 1975. Home care is a distributed workforce: support workers driving between clients across the suburbs, logging visits on a phone or tablet, needing reliable mobile access to care plans without carrying paper. The IT looks similar from the outside and is genuinely different underneath.

The compliance layer: Quality Standards, Star Ratings and the portals

The strengthened Aged Care Quality Standards put more explicit weight on governance, information management and the security of personal information. Standard 2 (the organisation) and the governance expectations around it mean a provider’s board and management are now accountable for how information is handled and protected — and “we outsourced it to an IT company” is not an answer the Aged Care Quality and Safety Commission accepts. The accountability stays with the provider.

Practically, that means your IT arrangements need to be documented, your access controls need to be defensible, and you need to be able to show how resident information is kept secure. If you can’t produce that on request, you have a governance gap, not just a technical one.

Star Ratings raise the stakes again. Compliance, quality measures, staffing and residents’ experience feed into a public rating on My Aged Care. Systems that don’t capture data accurately — or go down during a quality audit period — can quietly drag the numbers that families use to choose a provider. The link between “our IT is reliable” and “our rating holds up” is more direct than most boards realise.

Then there are the portals. My Aged Care, the provider portals, the Government Provider Management System and the data submissions that flow through them all depend on the right people having the right access, secure sign-in, and accurate records at the source. When a staff member leaves and their access isn’t revoked, or when the wrong person can see the wrong client’s record, that is an IT and identity problem with a compliance consequence.

Clinical and care management systems

The system at the centre of an aged care provider’s day is its clinical or care management platform. In the Australian market that usually means one of AlayaCare, Leecare, Manad Plus or Telstra Health’s iCareHealth — plus medication management, rostering and finance systems hanging off the side.

Whether these are cloud-hosted or run on a server in the comms room, the IT job is the same: they must be available, fast, backed up, and reachable from wherever care happens. A nurse at a medication round or a support worker in a client’s lounge room cannot wait for a system to load. We treat these platforms as the priority for monitoring, patching and uptime, and we build the network and connectivity around keeping them responsive.

A residential provider in Box Hill we work with runs its clinical records in the cloud and its rostering separately. The risk wasn’t the software — both vendors run solid platforms — it was everything underneath: a single internet service with no failover, a flat network where a compromised reception PC could reach the medication system, and backups nobody had ever tested. None of that is the clinical vendor’s responsibility. It’s the MSP’s, and it’s where the real exposure sits.

Protecting highly sensitive resident data

Aged care providers hold a concentration of sensitive information that makes them a deliberate target: health records, medication histories, cognitive assessments, next-of-kin details, financial and Centrelink information, and increasingly the data of family members too. Under the Privacy Act and the Australian Privacy Principles, much of this is “sensitive information” attracting the highest level of protection, and a breach is reportable to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.

The sector’s risk profile has worsened. Health service providers are consistently the most-breached sector in the OAIC’s Notifiable Data Breaches reports, and aged care sits inside that sector. Attackers know these organisations often run lean IT with older systems and a workforce that’s easy to phish. The cyber insurance market has noticed too — premiums and the controls insurers demand both reflect the elevated risk.

The defensive baseline we hold aged care clients to is the Australian Cyber Security Centre’s (ACSC) Essential Eight: application control, patching applications, patching operating systems, configuring Microsoft Office macro settings, hardening user applications, restricting administrative privileges, multi-factor authentication, and regular backups that are actually tested. None of this is exotic. Most of the breaches we’re called in after would have been stopped or contained by getting the Essential Eight genuinely in place rather than half-done, and “in place” means at a defined maturity level, not a tick beside each heading. If you want the staged version, we’ve written up how to reach Essential Eight maturity in 90 days.

Backups deserve their own mention. A tested, isolated backup is the difference between a ransomware incident being a bad week and being an existential event for a provider that can’t access medication records. We cover the discipline behind this in our guide to backup and disaster recovery for Melbourne businesses, and it applies double in aged care.

Connectivity, devices and a 24/7 operation

Connectivity that doesn’t drop at handover

A residential facility needs Wi-Fi that actually reaches every resident room, nurses’ station and medication room, and an internet connection that doesn’t take the clinical system offline when the single NBN service has a wobble. Redundant connectivity — a second link that fails over automatically — is not a luxury in a 24/7 care setting. We design facility networks with coverage and failover as the starting point, not an afterthought, and we segment the network so that resident, staff, clinical and guest traffic are properly separated.

Devices for mobile care staff

Home care support workers and roaming clinical staff need phones and tablets that are secured, enrolled and managed centrally. If a device is lost between a client visit in Ringwood and the next in Croydon, you need to remotely wipe the resident data on it within minutes — not discover it’s been sitting in someone’s glovebox unencrypted. Mobile device management through Microsoft Intune, enforced encryption, and conditional access tying sign-in to a managed device are the controls that make a fleet of field devices defensible.

Identity for a high-turnover workforce

Aged care has significant staff churn — agency staff, casuals, people moving between providers. Every starter needs the right access on day one and every leaver needs it gone the same day. Manual, ad-hoc account management is where access creep and orphaned accounts come from, and orphaned accounts are how breaches happen months after someone’s left. We run identity properly: standardised onboarding and offboarding, role-based access so a kitchen hand can’t see clinical notes, and conditional access in Microsoft 365 enforcing MFA and blocking risky sign-ins. Get identity right and a large slice of your risk disappears.

24/7 uptime expectations

Care doesn’t stop at 5pm, so neither can support. A system outage at 2am during a medication round is a clinical problem, not just an IT ticket. TechAssist runs a 24/7 network operations centre from our Tecoma office in Melbourne’s east, with a sub-15-minute response on P1 critical issues and same-business-day on-site across Melbourne metro. For a sector where downtime touches vulnerable people, those response times are the point, not a marketing line.

What good aged care IT support actually covers

Area              What it looks like done properly
Clinical systems  AlayaCare, Leecare, Manad Plus or iCareHealth monitored, patched and prioritised for uptime; integrations and backups tested
Data protection   Essential Eight aligned, MFA everywhere, tested isolated backups, OAIC breach readiness
Connectivity      Full-coverage Wi-Fi, redundant internet with failover, segmented networks per facility
Devices           Intune-managed phones and tablets, enforced encryption, remote wipe for lost field devices
Identity          Same-day onboarding/offboarding, role-based access, conditional access on Microsoft 365
Support model     24/7 NOC, defined P1 response times, same-day on-site, documented for governance evidence

TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk handling resident data. We price per user on a fixed monthly basis with no hourly billing for in-scope work, which matters in a sector that has to budget tightly and can’t absorb surprise IT bills. Our cybersecurity services and broader managed IT services are built to carry this kind of regulated, always-on workload.

Frequently asked questions

Do the strengthened Aged Care Quality Standards require specific IT controls?

They don’t prescribe particular products, but the governance and information-management expectations mean providers must be able to show that resident information is kept secure and access is controlled. In practice that points straight at Essential Eight controls, MFA, managed identity and tested backups — and the accountability stays with the provider, not the IT vendor.

Is our clinical software vendor responsible for security and backups?

Only for their platform. AlayaCare, Leecare, Manad Plus and iCareHealth secure and back up their own service, but everything around it — your network, devices, identity, email, and any data you hold outside their system — is yours to protect. That gap is exactly where most incidents happen and where an MSP earns its keep.

What happens if we have a data breach?

Under the Notifiable Data Breaches scheme you have up to 30 days from becoming aware of a suspected breach to assess whether it is likely to cause serious harm. If it is, it is an eligible data breach and you must notify the OAIC and the affected individuals as soon as practicable; the 30 days is an assessment limit, not a notification deadline. Having tested backups, logging and an incident response plan ready is what turns a breach from a crisis into a managed event, because the assessment turns on questions (what was on the device, who accessed what, when) that only logs and an inventory can answer.

Can you support providers with both residential facilities and home care?

Yes. The two models need different network and device designs but the same underlying disciplines — identity, data protection and uptime. We build for both, including the mobile-device and connectivity needs of a distributed home care workforce.

Where to start

If you’re an aged care provider unsure whether your IT would stand up to a Quality audit or a breach, the honest first step is an assessment: where your sensitive data lives, how access is controlled, whether your backups actually restore, and where the Essential Eight gaps are. Most providers we assess have two or three serious exposures they didn’t know about. Get in touch with TechAssist and we’ll give you a straight read on where you stand and what to fix first.

IT Support for Allied Health Clinics

Allied health clinics carry the same privacy and security obligations as a GP practice, usually with a fraction of the budget and no in-house support. Good allied health IT support keeps your clinical software running, your telehealth stable, and your patient records protected to the standard the Privacy Act and AHPRA expect.

Physiotherapy, psychology, occupational therapy, dietetics, podiatry and speech pathology clinics all sit in the same regulatory bucket. They handle health information, so they are covered by the Privacy Act regardless of turnover — the usual $3 million small-business exemption does not apply to health service providers. A two-room psychology practice in Camberwell has the same baseline obligations as a 40-clinician group. That trips a lot of owners up, so it is worth getting the IT side right from the start.

What allied health clinics actually run

Most allied health practices in Melbourne run on cloud-based practice-management software, not a server in the back room. The common platforms — Cliniko, Halaxy, Nookal, Power Diary and Coreplus — handle appointments, clinical notes, invoicing, Medicare and DVA claiming, and increasingly NDIS billing.

Because these are SaaS products, the vendor secures the application and database. Your obligations do not disappear, though. You still own the devices, accounts, clinic network, integrations and the backup of anything outside the platform — and that half is where most incidents happen. The recurring weak spots we find: unpatched, unencrypted laptops with a saved Cliniko login; shared reception accounts with no multi-factor authentication; booking widgets, payment terminals and SMS reminders that touch patient data without being configured properly; and assessment reports or scanned referrals sitting in a Downloads folder or on a USB stick. That last one is the data that gets lost.

Telehealth that actually holds up

Telehealth went from optional to core during the pandemic and has not gone back. Psychology and speech pathology run a large share of sessions over video, and the problem is almost never the platform — it is the clinic’s internet and the practitioner’s setup.

Reliable telehealth comes down to a few unglamorous things: a business-grade connection with enough upload bandwidth, a 4G or 5G failover so a session does not drop when the NBN has a wobble, Quality of Service on the router so video is prioritised over a background 2 GB update, and a decent headset and webcam. We have seen practitioners blame Coreplus or Halaxy for dropouts when the real fault was a consumer router and a single connection carrying four concurrent sessions. Upload speed is the number that matters and the one most retail plans bury — if you run more than two or three sessions at once, size it deliberately.

My Health Record and secure messaging

My Health Record connectivity

Eligible allied health providers can connect to My Health Record to view shared health summaries, discharge summaries, pathology and imaging. Connecting requires conformant software (most major platforms support it), an HPI-O (Healthcare Provider Identifier – Organisation) for the organisation, HPI-I (Healthcare Provider Identifier – Individual) numbers for practitioners, and a NASH (National Authentication Service for Health) PKI certificate to authenticate the connection. The NASH certificate has a fixed validity period and has to be installed in the practice-management software and renewed before it lapses, or the connection silently stops working with no obvious error — a task for someone who has done it before, not a practice manager guessing at midnight.
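The practical check behind that paragraph is simply knowing the expiry date before the software does. The script below is an added example written for this page, not TechAssist’s tooling or anything from the My Health Record operator: it reports days remaining on a NASH certificate, whether it is still sitting as the delivered .p12 file or has already been imported into the Windows machine store the practice-management software reads from. The file path, the 60-day lead time and the assumption that the relevant certificates in the store are the ones with a private key are placeholders to adjust for your own setup.

```powershell
# Added example: days-to-expiry check for a NASH PKI certificate (file and/or machine store).
# Path, warning window and the private-key filter are assumptions for illustration.
param(
    [string]$PfxPath  = 'C:\HI\nash.p12',   # placeholder: wherever the delivered .p12 lives
    [int]$WarnDays    = 60                   # renewal lead time; align with your renewal process
)

function Test-CertificateExpiry {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$WarnDays = 60
    )
    $daysLeft = [math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        DaysLeft   = $daysLeft
        Status     = if ($daysLeft -lt 0) { 'EXPIRED' }
                     elseif ($daysLeft -le $WarnDays) { 'RENEW NOW' }
                     else { 'OK' }
    }
}

$results = @()

# 1. The certificate as delivered (PKCS#12). The password is read interactively so it
#    never ends up in a script file or a scheduled-task argument.
if (Test-Path $PfxPath) {
    $password = Read-Host -Prompt "Password for $PfxPath" -AsSecureString
    $fileCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $password)
    $results += Test-CertificateExpiry -Certificate $fileCert -WarnDays $WarnDays
}

# 2. Anything already imported into the machine store with a private key. On a clinic
#    server that list is short; filter further on Subject if yours is not (assumption).
Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
    $results += Test-CertificateExpiry -Certificate $_ -WarnDays $WarnDays
}

$results | Sort-Object DaysLeft | Format-Table Status, DaysLeft, NotAfter, Subject -AutoSize

# Non-zero exit so a monitoring agent or scheduled task can raise an alert on it.
if ($results.Status -contains 'EXPIRED' -or $results.Status -contains 'RENEW NOW') { exit 1 }
```

Run it weekly from the RMM or a scheduled task and alert on the exit code. It is a freshness check only: a renewed certificate still has to be loaded into the conformant software and the old one removed, so after any renewal confirm the My Health Record connection end to end from inside the application rather than trusting the store.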

Secure messaging with Argus and Medical-Objects

Secure messaging through Argus or Medical-Objects is how allied health clinics exchange referrals, assessment reports and correspondence with GPs and specialists in an encrypted, point-to-point way. If you accept referrals from GP clinics, they will often expect you to be reachable on one of these networks. Getting the directory listing, software integration and message routing right is a setup job that removes a privacy risk fax and ordinary email both carry.

Privacy, AHPRA and your legal obligations

Two regimes matter here, and they overlap. The Privacy Act 1988 and the Australian Privacy Principles apply to every health service provider, with no turnover threshold. Health information is sensitive information and attracts the highest level of protection. Under the Notifiable Data Breaches scheme, a suspected breach involving patient records must be assessed promptly (the Act allows up to 30 days for the assessment) and, where it is likely to cause serious harm, it is an eligible data breach that must be reported to the Office of the Australian Information Commissioner (OAIC) and to affected individuals as soon as practicable. A lost laptop full of psychology case notes is exactly what that scheme exists for.

Separately, AHPRA and the National Boards set professional obligations on registered practitioners — physiotherapists, psychologists, occupational therapists, podiatrists and speech pathologists — including keeping accurate clinical records and protecting confidentiality. The controls that satisfy the Privacy Act are the same ones that meet those obligations: access control, encryption, retention and a record of who accessed what.

None of this requires gold-plating. The Australian Cyber Security Centre (ACSC) Essential Eight is a sensible baseline, and most clinics can implement the meaningful parts — multi-factor authentication, patching, application control and backups — without a large spend. We cover the practical version in our guide to healthcare IT support, the OAIC and My Health Record, and the broader picture in our cybersecurity services.

Multi-practitioner access control

Most allied health clinics grow by adding practitioners, and access control is usually what gets left behind. The principle is simple: each person has their own login, sees only what their role requires, and loses access the day they leave. In practice:

  • Individual accounts in Cliniko, Nookal or whichever platform you run — never a shared “reception” login that three people use.
  • Multi-factor authentication on every account that touches patient data, including the practice-management platform and Microsoft 365 mailboxes.
  • Role-based permissions so a casual admin cannot export the entire client database.
  • A leaver process that disables accounts immediately. Locum and contractor physios who rotate through clinics are a particular risk if access is never revoked.
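The leaver step above, and the same-day offboarding called for in the aged care identity section earlier on this page, only happens reliably if it is a script someone runs from a ticket rather than a checklist remembered at 5pm. The following is an added example written for this page, not TechAssist’s tooling or any vendor’s code: it uses the Microsoft Graph PowerShell SDK to disable a Microsoft 365 (Entra ID) account, revoke its live sessions, strip its group memberships and list its registered devices so they can be retired in Intune. The user principal name, the ticket reference and the Graph permissions granted to whoever runs it are assumptions. It deliberately does not touch the practice-management platform (Cliniko, Nookal and the rest have their own user administration, which is a separate step in the same runbook) or an on-premises Active Directory, where a synced account must be disabled at the source.

```powershell
# Added example: same-day offboarding of a leaver in Microsoft 365 / Entra ID.
# Requires the Microsoft.Graph SDK (Install-Module Microsoft.Graph) and an admin who can
# consent to the scopes below. Supports -WhatIf so the run can be previewed first.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,   # placeholder, e.g. leaver@clinic.example
    [string]$Ticket = 'HR-0000'                          # placeholder reference for the audit trail
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'Directory.Read.All'

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, DisplayName, AccountEnabled, OnPremisesSyncEnabled
if ($user.OnPremisesSyncEnabled) {
    throw "$UserPrincipalName is synced from on-premises AD; disable it there and let the sync flow through."
}

# 1. Block sign-in first so nothing below races a live session.
if ($PSCmdlet.ShouldProcess($user.DisplayName, 'Disable account')) {
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
}

# 2. Invalidate refresh tokens. Disabling alone leaves an open Outlook or Teams
#    session working until its token expires.
if ($PSCmdlet.ShouldProcess($user.DisplayName, 'Revoke sign-in sessions')) {
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}

# 3. Remove group memberships so licences, SharePoint sites and any group-scoped
#    conditional access policies drop away. Dynamic and role-assignable groups refuse
#    a direct removal; record them for follow-up instead of failing the whole run.
$followUp = @()
Get-MgUserMemberOf -UserId $user.Id -All | ForEach-Object {
    if ($_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') { return }
    $groupName = $_.AdditionalProperties['displayName']
    if ($PSCmdlet.ShouldProcess($groupName, "Remove $($user.DisplayName) from group")) {
        try {
            Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $user.Id -ErrorAction Stop
        } catch {
            $followUp += "Group '$groupName': $($_.Exception.Message)"
        }
    }
}

# 4. Devices still registered to the user: these go to the Intune admin to retire or wipe.
$devices = @(Get-MgUserRegisteredDevice -UserId $user.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] })

# 5. Emit a record for the ticket; this is the governance evidence an auditor asks for.
[pscustomobject]@{
    User            = $UserPrincipalName
    DisabledAt      = Get-Date -Format 'yyyy-MM-dd HH:mm'
    Ticket          = $Ticket
    DevicesToRetire = $devices
    ManualFollowUp  = $followUp
}
```

Run it with -WhatIf first to see what it would change. Converting the mailbox to a shared mailbox, handing files to a manager and removing the practice-management login are separate steps that belong in the same runbook; the point of scripting this part is that the account is dead within minutes of HR raising the ticket, not at the end of the week.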

If your clinic runs on Microsoft 365, conditional access policies let you enforce MFA and block sign-ins from unexpected locations without making life painful for staff. We walk through that in our piece on conditional access policies in Microsoft 365.
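To make the conditional access point concrete, here and for the Intune-managed-device and risky-sign-in controls described in the aged care sections above, the following is an added example written for this page rather than anything from TechAssist or Microsoft: two policies created through the Microsoft Graph PowerShell SDK. Both start in report-only mode so the sign-in logs show who would have been blocked before anyone actually is, and both exclude an emergency-access account whose object ID is a placeholder. The risk-based policy relies on Entra ID Protection, which needs Entra ID P2 licensing; without it, keep the first policy and drop the second.

```powershell
# Added example: two Microsoft 365 conditional access policies via Microsoft Graph.
# Both are created in report-only state; change 'state' to 'enabled' only after
# reviewing the report-only results in the sign-in logs. Break-glass ID is a placeholder.
#Requires -Modules Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Never let a policy lock out the emergency-access account. Replace with your own object ID.
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder

# Policy 1: every user, every cloud app, must pass MFA AND sign in from an Intune-compliant
# device. A shared reception PC that is not enrolled simply cannot reach patient data.
$requireMfaAndCompliantDevice = @{
    displayName   = 'CA001 - Require MFA and compliant device for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

# Policy 2: block sign-ins that Entra ID Protection scores as medium or high risk
# (leaked-credential patterns, anonymous IPs, impossible travel). Requires Entra ID P2.
$blockRiskySignIns = @{
    displayName   = 'CA002 - Block medium and high risk sign-ins'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users            = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications     = @{ includeApplications = @('All') }
        clientAppTypes   = @('all')
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Idempotent: re-running the script will not create duplicate policies.
$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($policy in $requireMfaAndCompliantDevice, $blockRiskySignIns) {
    $match = $existing | Where-Object DisplayName -eq $policy.displayName
    if ($match) {
        Write-Host "Skipping '$($policy.displayName)': already exists in state $($match.State)."
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' in state $($created.State)."
}
```

The compliant-device requirement is what ties sign-in to Intune: a device that is not enrolled, or that has fallen out of compliance (encryption off, OS too old), fails the grant even with a valid password and MFA. Before enabling, check the report-only results for the practice-management platform’s own sign-in flow and any kiosk or shared devices, because those are the sessions that get caught by surprise.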

NDIS and Medicare billing

Billing is where allied health gets operationally messy, because a single clinic might invoice Medicare, DVA, private health funds, NDIS plan managers, self-managed participants and the agency itself. Cliniko, Halaxy, Nookal, Power Diary and Coreplus all handle Medicare and DVA claiming through integrated channels, and most now support NDIS invoicing. The IT job is making sure those integrations are configured and authenticated correctly, and that the financial data — which is also personal information — is backed up and access-controlled like everything else. Incorrect NDIS claiming is not just an accounting problem; it can become a compliance issue.

Backup of patient data

“It’s in the cloud, so it’s backed up” is the most dangerous assumption in allied health IT. SaaS platforms protect against their own infrastructure failing. They do not protect you from a staff member deleting a client record, a compromised account wiping data, or a billing dispute cutting off your access. A proper backup position covers three things:

  1. Practice-management data. Where the platform allows export or third-party backup, take it. Know how to get your patient and clinical data out if you ever need to.
  2. Microsoft 365. Email, OneDrive and SharePoint need a dedicated backup — Microsoft’s retention is not a backup, and referrals live in mailboxes.
  3. Local files and devices. Anything on the reception PC or a practitioner’s laptop needs to be backed up and, ideally, not stored there at all.

Knowing your recovery targets matters too — how long you could operate if the system went down (RTO) and how much data you could lose (RPO). Our backup and disaster recovery overview covers how to set those.
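The third item above, local files and devices, is also the one you can verify yourself without a vendor console. The script below is an added example written for this page, not TechAssist’s tooling: it compares a file-level backup of a clinic share against the source by SHA-256 hash and classifies every mismatch against the RPO, so a file changed ten minutes ago that has not been copied yet is reported as pending, while a file changed last week that is missing or different in the backup is a genuine RPO violation. The paths and the 24-hour RPO are placeholders.

```powershell
# Added example: verify a file-level backup against its source and test it against the RPO.
# Source, backup path and RPO are placeholders to be replaced with your own.
param(
    [string]$Source   = '\\reception-pc\ClinicDocs',     # placeholder
    [string]$Backup   = 'D:\Backups\ClinicDocs\latest',  # placeholder
    [int]$RpoHours    = 24
)

function Get-FileInventory {
    # Relative path -> hash and last-write time for every file under $Root.
    param([string]$Root)
    $rootPath  = (Resolve-Path $Root).Path.TrimEnd('\')
    $inventory = @{}
    Get-ChildItem -Path $rootPath -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($rootPath.Length + 1)
        $inventory[$relative] = @{
            Hash          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            LastWriteTime = $_.LastWriteTime
        }
    }
    $inventory
}

function Test-BackupSet {
    param([string]$Source, [string]$Backup, [int]$RpoHours)
    $src    = Get-FileInventory $Source
    $bak    = Get-FileInventory $Backup
    $cutoff = (Get-Date).AddHours(-$RpoHours)

    $violations = @()   # changed before the RPO window, so they must already be in the backup
    $pending    = @()   # changed inside the window; the next run is still allowed to catch them
    foreach ($path in $src.Keys) {
        $intact = $bak.ContainsKey($path) -and ($bak[$path].Hash -eq $src[$path].Hash)
        if ($intact) { continue }
        if ($src[$path].LastWriteTime -lt $cutoff) { $violations += $path } else { $pending += $path }
    }
    # Files only in the backup were deleted or renamed in the source; keep them, but list them.
    $extra = @($bak.Keys | Where-Object { -not $src.ContainsKey($_) })

    [pscustomobject]@{
        SourceFiles   = $src.Count
        RpoViolations = $violations
        PendingCopy   = $pending
        ExtraInBackup = $extra
        Pass          = ($violations.Count -eq 0)
    }
}

$report = Test-BackupSet -Source $Source -Backup $Backup -RpoHours $RpoHours
$report | Format-List
if (-not $report.Pass) { exit 1 }   # non-zero exit so the RMM can alert on a failed check
```

Two caveats that matter for ransomware. A hash match proves the backup is a faithful copy of the source right now, so if the source has already been encrypted and the backup job has run since, both sides match and this check passes; keep at least one older, isolated copy and compare against that as well. And an intact copy is not a tested restore: schedule an actual restore to a separate machine and time it, because that number, not the hash report, is your real RTO.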

A Melbourne example

A multidisciplinary allied health clinic in Box Hill we work with — physio, podiatry, dietetics and psychology under one roof — came to us after a near-miss. A practitioner’s laptop was stolen from a car. It had a saved login to their practice-management system and a folder of exported assessment reports on the desktop — none of it encrypted, no MFA on the account. They had no clear way to know what was on the device or whether the OAIC needed notifying.

We rebuilt the basics: full-disk encryption on every device, MFA across the practice-management platform and Microsoft 365, conditional access to block unexpected sign-ins, a real Microsoft 365 backup, and a policy of not storing patient files locally. Their My Health Record and Argus connections were configured and documented so renewals do not get missed. The clinic now has a defensible position if a device goes missing again.

Frequently asked questions

Does the Privacy Act apply to my small allied health clinic?

Yes. Health service providers are covered by the Privacy Act and the Australian Privacy Principles regardless of turnover. The $3 million small-business exemption does not apply to organisations that provide a health service and hold health information, so even a solo psychology or physiotherapy practice is covered.

What does My Health Record connection require?

Conformant practice-management software, an HPI-O for the organisation, HPI-I numbers for practitioners, and a NASH PKI certificate. The NASH certificate must be installed correctly and renewed on time, or the connection stops working without an obvious error.

Do I really need to replace fax for referrals?

Secure messaging through Argus or Medical-Objects is the appropriate way to exchange referrals and reports with GPs and specialists. It is encrypted point-to-point, it is what referring clinics increasingly expect, and it removes the privacy risk fax and ordinary email both carry.

Getting it right without overspending

None of this is exotic. Allied health clinics do not need an enterprise security budget — they need the basics done properly and kept that way: encrypted devices, MFA everywhere, a real backup, sound access control, and the My Health Record and secure messaging connections maintained by someone who has done it before. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma. We support healthcare practices across Melbourne metro on per-user fixed monthly pricing, with same-business-day on-site when a clinic needs hands on the ground. If yours is running on goodwill and a consumer router, get in touch and we will tell you plainly what to fix first.

Ready to Make IT Your Competitive Advantage?

Book a free consultation with our team. No pressure, no jargon — just a clear-eyed look at where you stand and what's possible.