Essential Eight for medical practices: a practical IT readiness guide
A plain-language guide to the ACSC Essential Eight for GP and specialist practices. What the eight mitigation strategies mean in practice terms, why they now matter for accreditation and cyber insurance, what maturity levels are, and where to start.
Puntos clave
- The Essential Eight is a set of eight baseline cyber mitigation strategies published by the Australian Cyber Security Centre (ACSC). It was designed for Microsoft Windows environments, which describes most general practices.
- For a medical practice, the point of the Essential Eight is protecting patient data and keeping the practice running: the same outcomes accreditation, cyber insurers, and the Privacy Act already expect of you.
- The eight strategies are application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.
- Maturity levels run from Maturity Level Zero (gaps) up to Maturity Level Three (a well-resourced, targeted adversary). Most small practices should aim for a consistent Maturity Level One across all eight before reaching higher.
- A sensible starting order for a practice is MFA, then backups, then patching and admin privileges, because those give the largest risk reduction for the least disruption.
- Always confirm the current requirements against the ACSC guidance at cyber.gov.au, because the model and its maturity definitions are updated over time.
Why the Essential Eight matters to a medical practice
A general practice runs on data. Appointment histories, clinical notes, scripts, referrals, pathology and imaging results, Medicare and billing details: all of it lives in your practice management system, your email, and increasingly in cloud services. That data is exactly what attackers want, and healthcare is a repeat target because the information is valuable and downtime is painful.
The Essential Eight is a set of eight baseline cyber mitigation strategies published by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate. It was designed for Microsoft Windows environments, which describes most practices, and it exists to make the common attacks harder: ransomware, stolen passwords, malicious email attachments, and unpatched software being exploited.
For a practice, the Essential Eight matters for three practical reasons that have nothing to do with box ticking:
- Patient-data risk. A breach or ransomware event can expose sensitive health information and shut down clinical care. The Essential Eight targets the most common ways that happens.
- Accreditation expectations. Practice accreditation increasingly expects evidence that you manage information security and protect health information. The Essential Eight is a widely understood way to describe and demonstrate that.
- Cyber insurance. Insurers now ask detailed questions before they quote or pay out. Multi-factor authentication, patching, and tested backups (all part of the Essential Eight) are frequently on those questionnaires.
The Essential Eight is guidance, not legislation, and it is mandated for many federal government entities rather than for private practices. But because it maps so closely to protecting patient data under the Privacy Act and the Australian Privacy Principles, most practices treat it as a sensible target. Confirm the current detail against the official ACSC guidance at cyber.gov.au, because the model is updated over time.
The eight strategies in plain practice terms
The eight strategies fall loosely into three goals: stop malicious code running, limit the damage if something gets in, and make sure you can recover. Here is what each one means for a practice, without the jargon.
1. Application control
Goal: stop unapproved programs from running. Application control means only software your practice has approved is allowed to execute on your computers. If a staff member is tricked into downloading a malicious program, or ransomware tries to launch, application control blocks it because it is not on the approved list.
In practice this is usually configured by your IT provider on managed devices. For a small practice it can feel like the hardest of the eight to implement well, which is why it often comes later in the journey rather than first.
2. Patch applications
Goal: close known holes in your software. Attackers exploit known weaknesses in everyday applications: web browsers, PDF readers, Office, and clinical or line-of-business software. Patching applications means applying vendor security updates promptly, and removing software that is no longer supported.
For a practice, the priority applications are the ones exposed to the internet or handling untrusted content: browsers, email clients, and document readers. Old, unsupported software is a common weak point and should be replaced or retired.
3. Configure Microsoft Office macro settings
Goal: stop booby-trapped documents. Macros are small automated scripts inside Office documents. They are occasionally useful, but they are also a classic delivery method for malware hidden in an attachment. This strategy means macros are disabled unless there is a demonstrated business need, macros from the internet are blocked, and any that are allowed are limited and monitored.
Most practices do not genuinely need macros in day-to-day documents, so this is often a low-friction win.
4. User application hardening
Goal: shrink the attack surface in everyday tools. Hardening means turning off risky features that most practices never use. Common examples include blocking web browsers from running certain legacy content, and disabling unneeded features in Office and PDF readers. Fewer active features means fewer ways in.
This is mostly a configuration exercise handled centrally, not something individual staff need to manage.
5. Restrict administrative privileges
Goal: limit who can make deep changes. Administrator accounts can install software, change settings, and reach sensitive parts of a system. If an attacker compromises an admin account, the damage is far greater than with a standard user. This strategy means only the people who genuinely need admin rights have them, admin accounts are separate from everyday accounts, and privileged access is reviewed regularly.
In many practices, staff have ended up with more access than their role requires, often just because it was convenient at setup. Tightening this is one of the highest-value changes you can make.
6. Patch operating systems
Goal: close known holes in Windows itself. The same logic as patching applications, applied to the operating system. Security updates for Windows (and any server operating systems) should be applied promptly, and operating systems that are no longer supported by the vendor should be replaced, because they stop receiving security fixes entirely.
Practices sometimes keep an old machine running because it drives a particular piece of equipment. Those unsupported devices deserve special attention, isolation, or replacement.
7. Multi-factor authentication
Goal: make a stolen password not enough. Multi-factor authentication (MFA) requires a second proof of identity in addition to a password, such as a code from an app or a hardware key. Because so many breaches start with a stolen or guessed password, MFA is one of the single most effective controls available.
For a practice, prioritise MFA on email, remote access (including any remote desktop or VPN), cloud services, and clinical systems that support it. This is usually the first thing to turn on and the one insurers ask about most.
8. Regular backups
Goal: be able to recover. Regular backups of important data, software, and configuration mean that if ransomware encrypts your systems or hardware fails, you can restore and keep caring for patients. The critical details are that backups are performed regularly, that at least one copy is kept offline or otherwise protected so ransomware cannot reach it, and that restoration is actually tested.
An untested backup is a hope, not a plan. The most common and painful discovery during an incident is that backups existed but could not be restored. Trucell covers this in more depth on the backup and recovery page.
What maturity levels mean
The Essential Eight is not simply on or off. The ACSC describes maturity levels that reflect how completely and consistently you have implemented each strategy, measured against increasingly capable attackers.
- Maturity Level Zero. There are weaknesses in your implementation that could be exploited. This is where many organisations start before any deliberate work.
- Maturity Level One. A baseline aligned to attackers using widely available, commodity techniques. This is the realistic first target for most small and medium practices.
- Maturity Level Two. Aligned to attackers investing more time and capability, for example putting more effort into bypassing controls and stealing credentials.
- Maturity Level Three. Aligned to a well-resourced and adaptive adversary who is specifically targeting you.
Two points matter for practices. First, the ACSC recommends implementing all eight strategies to the same level before increasing any one of them, because attackers look for the weakest link. Pushing backups to a high standard while leaving MFA off does not give you balanced protection. Second, the exact definitions of each maturity level are revised over time, so a target you set a year ago may be described differently today. Always check the current definitions at cyber.gov.au or ask your IT provider to confirm against the latest version.
For most GP and specialist practices, a sensible goal is a consistent Maturity Level One across all eight, then a considered decision about whether your risk profile justifies going further.
Where to start
Not sure where your practice sits today? Take the free Essential Eight readiness self-check: eight quick questions, an instant score, and a plain-English list of the gaps to close first.
You do not implement all eight at once, and you should not try. Sequence the work so that the biggest risk reductions come first and the more disruptive changes come once you have momentum. A practical order for a practice:
- Turn on multi-factor authentication. Start with email, remote access, and cloud services, then clinical systems that support it. This is high impact and usually quick.
- Prove your backups. Confirm backups are running, that a protected copy exists offline or as immutable storage, and then actually perform a test restore. Do not assume; verify.
- Get patching under control. Establish that Windows and key applications receive security updates promptly, and make a list of anything unsupported that needs replacing.
- Reduce administrator privileges. Review who has admin rights, remove what is not needed, and separate admin accounts from everyday logins.
- Harden Office macros and applications. Disable macros unless there is a real need, block internet-sourced macros, and turn off risky legacy features.
- Introduce application control. Usually the last of the eight for a small practice, and typically done with your IT provider on managed devices.
Alongside the technical steps, keep a simple written record of what you have done, when, and who is responsible. That record is what turns good practice into evidence you can show an accreditation surveyor or an insurer, and it makes the next review far easier.
The Essential Eight sits inside broader practice security work: staff awareness, secure email and messaging, device management, and incident response planning. If you want a structured way to assess where you stand and plan the next steps, Trucell’s Essential Eight readiness resources and our GP and medical practice IT support service are built for exactly this. The goal is not a certificate on the wall. It is a practice that keeps caring for patients even on a bad day.
A note on scope
This is general guidance, not compliance or legal advice. The Essential Eight is a technical baseline, not a law, and implementing it does not by itself make your practice compliant with the Privacy Act, the Australian Privacy Principles, state health-records legislation, or your accreditation standards. Requirements and maturity-level definitions change over time. Confirm the current detail against the official ACSC Essential Eight guidance, your accreditation body, your insurer, and a suitably qualified adviser before relying on it.
Preguntas frecuentes
Respuestas rápidas a las preguntas que más hacen los compradores sobre este tema.
What is the ACSC Essential Eight?
The Essential Eight is a set of eight baseline mitigation strategies published by the Australian Cyber Security Centre (ACSC) to help organisations protect Microsoft Windows systems against common cyber threats. The eight are application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. It is guidance, not law, but it has become a widely used baseline in Australian healthcare.
Does a GP or specialist practice have to implement the Essential Eight?
The Essential Eight is mandated for many Australian federal government entities, not private practices. For a general practice it is not a direct legal obligation, but it is increasingly used as a practical benchmark by accreditation processes, cyber insurers, and health-sector security guidance. Because it maps closely to protecting patient data under the Privacy Act, most practices treat it as a sensible target rather than an optional extra. Confirm any specific requirement against your accreditation body, insurer, and the current ACSC guidance.
What are Essential Eight maturity levels?
Maturity levels describe how completely and consistently you have implemented each of the eight strategies against increasingly capable attackers. They run from Maturity Level Zero, where there are exploitable gaps, through Maturity Level One, Two, and Three, which is aligned to a well-resourced and targeted adversary. The ACSC recommends implementing all eight to the same level rather than pushing one strategy far ahead of the others. Check cyber.gov.au for the current maturity-level definitions, as they are revised periodically.
Where should a small medical practice start with the Essential Eight?
Start with the strategies that reduce the most risk for the least disruption: turn on multi-factor authentication for email, remote access, and clinical systems; confirm you have tested, offline or immutable backups and that you have actually restored from them; then get on top of operating system and application patching and reduce the number of staff with administrator rights. Application control and macro hardening usually come next, often with help from your IT provider.
Is the Essential Eight the same as being HIPAA or Privacy Act compliant?
No. The Essential Eight is a technical baseline for reducing cyber risk. HIPAA is a United States framework and does not apply to Australian practices. In Australia your obligations sit under the Privacy Act and the Australian Privacy Principles, plus any state health-records law and your accreditation standards. The Essential Eight supports those obligations by protecting the systems that hold patient data, but implementing it does not by itself make you compliant with any specific law. Treat it as one input to compliance, and confirm your legal obligations with a suitably qualified adviser.

