4 Steps for Aged Care Providers to Build Cyber Resilience

Public concern around a topical crisis, such as a global pandemic, creates an environment of opportunity for cyber predators. Hackers often leverage hysteria as an opportunity to target vulnerable individuals through data phishing scams.


Given the pandemic's impact on it, the aged care sector in particular has proven to be an ideal target for cyber attacks in the midst of heavy media coverage. The industry’s workers and residents have been at the forefront of The Cyber Risk Implications of the COVID-19 Outbreak.

Why is the aged care sector especially vulnerable to cyber risks?

  • Lack of protective measures:
    Providers who have fallen victim to cyber attacks are often found to be lacking the infrastructure required to protect their devices. Technology utilised is often found to be outdated and not equipped with adequate security software.

  • Lack of monitoring:
    Aged care providers are often not equipped with adequate and sufficient staffing to oversee internet usage and shared computing facilities.

  • Access to sensitive information:
    Aged care centers hold valuable resident information. Many providers have weak security protocols surrounding their technology, which makes an ideal environment for hackers to gain access to medical records, next of kin contacts, and even retirement/financial details.

Top cyber threats faced by aged care providers:

Aged care providers have reported a sharp rise in malicious emails, websites and social engineering attacks, many of which are disguised as pandemic-related advice or services. This information is often dressed as official communication from the government healthcare sector in an attempt to pose as a legitimate source.
As reported in the Herjavec Group 2019 report, the top threats facing the Aged Care industry include:
  • Internal actors, whether accidental or complicit
  • Technologically enabled medical devices
  • Targeted ransomware attacks

The targeting of aged care providers and their workers is being carried out by Advanced Persistent Threat (APT) groups who engage in cyber espionage. Other forms of cyber-attacks currently include:
  • Coronavirus phishing that preys specifically on the fears of the vulnerable members of the public
  • Scam websites themed around pandemic misinformation and requesting personal data
  • Exploitation of leading corporate VPNs with major vulnerabilities

How can aged care providers help protect themselves against cyber attacks?

Aon can help facilities create, manage and test the following 4 key areas of building cyber resilience:



As COVID-19 continues to test the resiliency of the Australian aged care industry, providers remain exposed to cyber-attacks.
Providers can undertake a series of steps to help reduce the odds of becoming the next victim of a cyber breach.

Aon’s experienced aged care team recommends the following considerations be built into your cyber security posture for your aged care facility:

  1. Develop a clear Incident Response Plan:

    A vital measure of cyber resilience is to have (and practice) a clear Incident Response Plan. When revising Incident Response Plans, aged care providers should consider the following:

    • Relationships with digital forensics providers
    • Integration of cyber insurance
    • Conducting test runs of plans and processes
    • Preparedness for ransomware attacks and other cyber-breaches

  2. Educate staff and residents:

    Many common cyber breach attempts could be avoided if aged care providers enforce the following:

    • Ensure management enforces that all devices, remote or on-site, are pre-installed with the most current versions of systems and applications
    • Equip all technological devices with reputable ransomware protection software
    • Practice clearing cookies and login credentials between every use on communal devices to avoid third party penetration of your network
    • Train staff to identify and report potential phishing attempts
    • Communicate a clear understanding of Virtual Private Network (VPN) use when working remotely
    • Ensure workers understand fallback measures for phone-based / off-net communication, and understand the importance of Multi-Factor Authentication (MFA)

  3. Conduct testing on Business Continuity Plans to identify digital weaknesses across the business:

    • Perform scanning, analysis and testing for vulnerabilities in the environment.
    • Providers must have a holistic approach to identifying, analysing, remediating and tracking weaknesses across the environment

    Contact Aon for more information on creating a tailored Business Continuity Plan for your aged care provider.

  4. Optimise restricted access controls:

    Limiting accessibility according to the user requirements can help manage the exposure of critical information. Aged care providers should ensure sufficient restricted access to systems, networks, applications and data across all devices in the facility. Providers are to consider:

    • Reviewing MFA and other critical identity and access management (IAM) controls
    • Moving Remote Desktop Protocol (RDP) behind the VPN
    • Identifying RDP users and monitoring login locations


Aon Complimentary Digital Health Check

Aon can assist you in the identification of gaps within your business that are susceptible to cyber threats. Our team of professionals can assess the risk and provide you with tactile solutions to help mitigate them.

Contact us for a complimentary cyber risk health check where an Aon consultant will highlight the potential cyber risks your aged care provider could be facing.

Our team of cyber experts can offer the following services to aged care providers:

  • How to develop a comprehensive incident response plan
  • How to best analyse the dark/deep web’s impact on your aged care facility
  • Redoubling your efforts on assessing risks to core technologies utilised throughout the practice
  • How to ensure restricted access controls and mechanisms are optimised
  • Tools for measuring the effectiveness of the BCP in place
  • Methods of conducting efficient employee training


© 2020 Aon Risk Services Australia Limited ABN 17 000 434 720 AFSL 241141

Aon Risk Services Australia Limited (Aon) has taken care in the production of this document and the information contained in it has been obtained from sources that Aon believes to be reliable. Aon does not make any representation as to the accuracy of the information received from third parties and is unable to accept liability for any loss incurred by anyone who relies on it. The recipient of this document is responsible for their use of it.

Helpful resources


Cyber Risk Implications of the COVID-19 Outbreak

Maintaining Cyber Resilience in the COVID-19 World

Aon’s 2020 Cyber Security Risk Report

Cyber Security & Risk Management Leader’s Guide to Promoting Cyber Resiliency During The COVID-19 Crisis

COVID-19 Planning & Response Toolkit