Cyber security risks exposed in NSW Local Health Districts, Auditor-General finds

NSW Health is not effectively managing cyber security risks to clinical systems used across Local Health Districts, according to a performance audit released today by the NSW Auditor-General.
The report, Cyber security in Local Health Districts, examines whether systems critical to healthcare delivery are adequately protected from cyber threats. It concludes that Local Health Districts have failed to meet minimum NSW Government cyber security requirements that have been in place since 2019.
In the Auditor-General’s foreword, the report notes that governments’ growing dependence on interconnected digital systems has significantly increased exposure to cyber security incidents, including data theft, privacy breaches and disruptions to essential services. Such incidents, the Auditor-General warns, have the potential to undermine public trust and interrupt healthcare delivery.
The audit was completed in July 2025 but was initially presented to Parliament on a confidential basis. The Auditor-General determined it was not in the public interest to release the findings immediately, allowing NSW Health time to respond to the recommendations before public release. The report was formally tabled for publication on 19 December 2025.
Since receiving the confidential report, NSW Health has established a taskforce and begun progressing actions in response to the audit’s recommendations.
The audit found that Local Health Districts are not adequately prepared to respond to cyber security incidents. Widespread non-compliance with NSW Government cyber security requirements, including deficiencies in incident response planning, business continuity arrangements and disaster recovery processes, means districts could not demonstrate they are resilient to cyber threats.
The report warns that these shortcomings increase the risk that a preventable cyber incident could disrupt access to healthcare services or compromise sensitive patient information.
It also found that eHealth NSW has not clearly defined or communicated its cyber security role, or the responsibilities of Local Health Districts. This lack of clarity has resulted in confusion about which cyber risks districts are responsible for managing, including the identification and protection of “crown jewel” ICT assets that are critical to healthcare delivery.
According to the Auditor-General, Local Health Districts’ ability to manage cyber security risks has been further constrained by insufficient support, coordination and oversight from eHealth NSW.
The audit makes several recommendations, including that the Ministry of Health collate and validate information on compliance with the NSW Cyber Security Policy, clearly define and communicate cyber security roles and responsibilities across the NSW Health system, and that eHealth NSW provide clearer guidance and support to Local Health Districts.
It also recommends that Local Health Districts design and implement fit-for-purpose cyber security risk management frameworks to improve preparedness and resilience against cyber threats.