
SOCI Act 2018 for healthcare and medical

The legal obligations you have if you own, operate, or have direct interests in critical infrastructure assets are outlined in the Security of Critical Infrastructure Act 2018 (SOCI Act). The SOCI Act also outlines how the government can support you if an incident occurs that impacts your critical infrastructure asset.

In the healthcare and medical sector, critical hospitals with general intensive care units are subject to the following regulatory obligations:

  • Provide operational and ownership information to the register of critical infrastructure assets.
  • Report cyber incidents.
  • Notify third-party data storage or processing providers that the provider is storing or processing business critical data for a critical infrastructure asset.

Some hospitals, known as ‘designated hospitals’, must also implement and comply with a critical infrastructure risk management program.

The SOCI Act also includes Government Assistance measures. These measures outline how the Government can help industry respond to cyber security incidents. These measures only apply to incidents that will cause serious harm to Australia’s prosperity, national security, or defence.

The healthcare and medical sector includes stakeholders who provide health care or produce, distribute or supply medical supplies.

Healthcare and medical critical infrastructure assets

Currently, only critical hospitals with a general intensive care unit are considered to be healthcare and medical sector critical assets.

Some hospitals are listed as “Designated hospitals” in Schedule 1 of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023.