🏢 Industry Scams

Best Practice and Medical Director Ransomware — What GPs Need to Know

📅 February 20, 2026 ⏱ 5 min read

General practice management software — including Best Practice, Medical Director, Genie, and Zedmed — is increasingly being targeted by ransomware attacks specifically designed to encrypt clinical databases. These are not opportunistic attacks. Criminals research their targets, know which practice management software is most commonly used by Australian GPs, and time their attacks for maximum disruption and pressure to pay.

What Happens During an Attack on a GP Practice

In a typical attack, ransomware is delivered through a phishing email opened by a receptionist or administrative staff member. The malware spreads through the practice network silently, typically overnight, and encrypts the clinical database files, the appointment system, the document management system, and any locally connected backup drives. When staff arrive in the morning, the practice management software will not open. Every computer may show a ransom demand screen. Appointments cannot be accessed. Patient records are unavailable. Clinical staff cannot work effectively.

The Real Cost of a Ransomware Attack on a Medical Practice

The ransom itself is rarely the largest cost. Total costs typically include: IT recovery and forensic investigation ($10,000 to $50,000), locum medical and reception staff while systems are restored, lost billing revenue during the outage (which can be days to weeks), Privacy Act mandatory notification costs if patient data was stolen, potential OAIC investigation, and reputational impact from patients learning their records were involved in a cyberattack. A single ransomware attack on a Melbourne GP practice typically costs $15,000 to $100,000 in total — often far more than the ransom demanded.

Your Privacy Act Obligations After an Attack

Modern ransomware groups typically steal data before encrypting it — meaning a ransomware attack is simultaneously a data breach. If patient health records are involved, you have mandatory notification obligations under the Privacy Act's Notifiable Data Breaches scheme. You must notify the OAIC and potentially notify each affected patient. Failing to notify when required carries significant penalties and increases regulatory scrutiny. This obligation applies regardless of whether you pay the ransom or restore from backup.

The Single Most Important Protection

Maintain at least one backup copy that is completely isolated from your practice network — a cloud backup service whose stored copies your practice computers cannot overwrite or delete, so ransomware that reaches the network cannot encrypt them. Test this backup regularly by actually restoring a test file. Cloud backup services like Azure Backup, Veeam, or Backblaze provide versioned backups that allow restoration to a point before the attack occurred. IntrusionX works with Melbourne GP practices to implement comprehensive protection including isolated backups, endpoint detection, email security, and staff awareness training. Contact us for a free practice security assessment.
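The restore test and point-in-time restore described above, as an added example (not IntrusionX's tooling or any backup vendor's product). It takes write-once snapshots of a directory with a SHA-256 manifest, simulates the live copy being damaged, and shows that a manifest check alone cannot tell you which snapshot predates the damage: you restore from the last snapshot taken before the attack date. The local "store" directory stands in for a versioned cloud bucket that workstations cannot delete from; the file names and dates are constructed for the example.

```python
"""Versioned-backup restore test: write-once snapshots, a hash manifest,
and a restore from a point in time before the live copy was corrupted.

Added example, not IntrusionX's or any vendor's tooling. The local
'store' directory is an assumption standing in for a versioned cloud
bucket that practice workstations cannot overwrite or delete from."""
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(live_dir: Path, store: Path, label: str) -> Path:
    """Copy live_dir into store/snapshot-<label>; refuse to overwrite an
    existing snapshot so earlier versions are never silently replaced."""
    dest = store / f"snapshot-{label}"
    if dest.exists():
        raise FileExistsError(f"{dest} exists; snapshots are write-once")
    shutil.copytree(live_dir, dest)
    files = sorted(p for p in dest.rglob("*") if p.is_file())
    lines = [f"{sha256_of(p)}  {p.relative_to(dest).as_posix()}" for p in files]
    (dest / MANIFEST).write_text("\n".join(lines) + "\n")
    return dest


def read_manifest(snap: Path) -> dict:
    """Map relative file name -> SHA-256 digest recorded at snapshot time."""
    entries = {}
    for line in (snap / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        entries[rel] = digest
    return entries


def verify_snapshot(snap: Path) -> list:
    """Re-hash every file against the manifest; returns names that differ.
    This detects damage to the backup copy itself, not to the live data."""
    return [rel for rel, d in read_manifest(snap).items() if sha256_of(snap / rel) != d]


def restore_point_before(store: Path, cutoff_label: str) -> Path:
    """Newest snapshot whose label sorts strictly before cutoff_label.
    Labels are ISO dates, so string order is date order."""
    prefix = "snapshot-"
    candidates = sorted(p for p in store.glob(prefix + "*") if p.name[len(prefix):] < cutoff_label)
    if not candidates:
        raise LookupError("no snapshot predates the cutoff")
    return candidates[-1]


def restore_and_check(snap: Path, rel: str, scratch: Path) -> bool:
    """The actual restore test: copy one file out of the snapshot and
    confirm its hash matches the manifest recorded when it was taken."""
    target = scratch / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(snap / rel, target)
    return sha256_of(target) == read_manifest(snap)[rel]


def demo() -> dict:
    root = Path(tempfile.mkdtemp())
    live, store = root / "live", root / "store"
    live.mkdir()
    store.mkdir()
    db = live / "clinical_db_sample.bak"  # constructed sample file, not a real DB export
    db.write_bytes(b"constructed sample of a clinical database export\n")
    good_hash = sha256_of(db)

    take_snapshot(live, store, "2026-02-18")  # healthy nightly backup
    db.write_bytes(b"\x00" * 64)              # simulated damage to the live copy
    take_snapshot(live, store, "2026-02-19")  # the backup faithfully captures the damage

    # Both snapshots pass their own manifest check, so the manifest cannot
    # pick the restore point; the date of the attack does.
    snap = restore_point_before(store, "2026-02-19")
    restored_ok = restore_and_check(snap, "clinical_db_sample.bak", root / "restore")
    return {
        "chosen": snap.name,
        "snapshots_intact": all(verify_snapshot(s) == [] for s in store.glob("snapshot-*")),
        "restored_ok": restored_ok,
        "matches_pre_attack": sha256_of(root / "restore" / "clinical_db_sample.bak") == good_hash,
    }


if __name__ == "__main__":
    print(demo())
```

Run it on a schedule against your real backup store (with the copy step replaced by your provider's restore call) and treat a failed `restore_and_check` as an incident in its own right: a backup that has never been restored is only a hope.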

Staff as the First Line of Defence

Clinical and reception staff in GP practices are the primary targets for phishing attacks — they process a high volume of external emails from patients, specialists, hospitals, and suppliers. A single click on a malicious attachment can deliver the ransomware that encrypts the entire practice. Practical phishing awareness training — showing staff exactly what fake AHPRA, PHN, or software vendor emails look like — is a high-impact and affordable investment. Brief, regular awareness reminders are more effective than annual training events that staff quickly forget.

Vendor Remote Access Security

Clinical software vendors and IT support companies often use remote access tools to provide support and updates to practice systems. This remote access, if not properly secured, can be exploited by attackers to gain initial access to your network. Ensure that any remote access to your practice systems requires multi-factor authentication, is only active when a support session is in progress (not permanently open), and is logged so you have a record of every access. Never allow unscheduled remote access without first calling the vendor back on their official number to confirm the request is genuine. IntrusionX can review and secure your practice's remote access arrangements as part of a full security assessment.
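A small log review that checks the three controls above (MFA on every session, access only inside an agreed support window, and a callback confirmation before any unscheduled session), as an added example that is not IntrusionX's or any remote access vendor's tooling. The key=value log format, the vendor names, the scheduled windows and the maximum session length are all constructed for the example; adapt the parser to your remote access tool's actual export.

```python
"""Review remote-support session logs against the practice's access rules.

Added example, not IntrusionX's tooling. Log format, vendor names, the
SCHEDULED windows and MAX_SESSION_MIN are constructed assumptions."""
from datetime import datetime

# Constructed: support windows the practice agreed with each vendor.
# (vendor, window start, window end, ticket)
SCHEDULED = [
    ("ClinicalVendor", datetime(2026, 2, 18, 18, 0), datetime(2026, 2, 18, 20, 0), "T-1001"),
]

# Constructed: a session open longer than this is treated as "left open"
# rather than "in progress" (value is an assumption; tune to your vendor).
MAX_SESSION_MIN = 240

# Constructed sample export, one session per line, key=value fields.
SAMPLE_LOG = """\
ts=2026-02-18T18:12:04 vendor=ClinicalVendor account=support-a mfa=yes ticket=T-1001 callback=yes dur_min=45
ts=2026-02-18T23:41:30 vendor=ClinicalVendor account=support-a mfa=yes ticket=none callback=no dur_min=20
ts=2026-02-19T02:05:11 vendor=ITSupportCo account=helpdesk mfa=no ticket=none callback=no dur_min=600
ts=2026-02-19T09:30:00 vendor=ITSupportCo account=helpdesk mfa=yes ticket=none callback=yes dur_min=30
"""


def parse_line(line: str) -> dict:
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": datetime.fromisoformat(fields["ts"]),
        "vendor": fields["vendor"],
        "account": fields["account"],
        "mfa": fields["mfa"] == "yes",
        "ticket": fields["ticket"],
        "callback": fields["callback"] == "yes",
        "dur_min": int(fields["dur_min"]),
    }


def in_window(event: dict) -> bool:
    """True if the session started inside a scheduled window for that vendor."""
    return any(v == event["vendor"] and start <= event["ts"] <= end
               for v, start, end, _ in SCHEDULED)


def findings(event: dict) -> list:
    """Rule violations for one session, in a fixed order."""
    issues = []
    if not event["mfa"]:
        issues.append("no-mfa")
    if not in_window(event):
        issues.append("outside-scheduled-window")
        if not event["callback"]:
            # Unscheduled and nobody rang the vendor back on their official number.
            issues.append("unscheduled-without-callback")
    if event["dur_min"] > MAX_SESSION_MIN:
        issues.append("session-exceeds-max-duration")
    return issues


def review(log_text: str) -> list:
    """Return (timestamp, vendor, issues) for every session that breaks a rule."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        issues = findings(event)
        if issues:
            out.append((event["ts"].isoformat(), event["vendor"], issues))
    return out


if __name__ == "__main__":
    for ts, vendor, issues in review(SAMPLE_LOG):
        print(ts, vendor, ", ".join(issues))
```

The fourth sample session is outside any window but was callback-confirmed, so it is still listed: an unscheduled session that someone approved by phone is a reviewable exception, not a silent pass. Only the first session, inside its ticketed window with MFA, produces no finding.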

Need help protecting your business or home?

IntrusionX provides independent cybersecurity for Melbourne businesses and families. Free consultation, no lock-in contracts.

