Getting the most out of cloud security investment

  • Healthcare is now a routine target for ransomware and data extortion, while Australian regulators are increasingly prepared to penalise organisations that don't take reasonable security measures – turning weak cloud posture into a legal, financial and board-level risk.
  • Legacy PAS and EMR systems, third-party dependencies, high staff turnover and rapid telehealth expansion create blind spots and integration gaps that traditional security controls can't keep pace with.
  • Four practical pillars for resilient cloud in healthcare, paired with an incremental 60-90-day delivery approach that improves security without disrupting care.

 

Healthcare organisations continue to struggle to realise the benefits of their cloud investments, even after significant spend and effort. With the sector now a routine target for ransomware and data extortion campaigns, the disconnect between cloud adoption and cloud security has become a board-level concern. 

We spoke to Mike Weinstock, Associate Director of Cybersecurity at Datacom, about what resilient cloud solutions really look like in healthcare, why the sector remains so hard to secure, and the practical steps technology leaders can take to make measurable progress.

The new reality for health tech leaders

For CIOs, CTOs and heads of infrastructure in health, the question is less "why cloud?" and more "how do we make our environment measurably safer, more compliant and more recoverable without disrupting care?"

From my perspective, real progress begins when resilient cloud solutions – built on well-architected platforms like Microsoft Azure – are treated as tangible competitive advantages rather than back-office IT concerns. Cyber security, data handling, and system backup and recovery need to be core business capabilities.

Hospitals, research institutions and health services are now routine targets for campaigns that stall clinical systems and compromise sensitive information. High-profile breaches affecting millions of records have shown how quickly attackers can exploit complex estates and legacy platforms that were never designed for today's threat landscape.

In Australia, health organisations must comply with the Privacy Act, the Australian Privacy Principles, and state and territory privacy laws that set clear expectations for protecting personal and clinical data. Regulators are increasingly prepared to investigate and penalise organisations that do not take reasonable security measures, turning weak posture into a legal, financial and board-level risk.

Why healthcare estates are hard to secure

Healthcare's risk profile is a direct result of how its environments have grown over time.

Many organisations operate tightly coupled mixes of legacy patient administration and electronic medical record (EMR) systems, imaging platforms, specialist clinical applications and a growing set of hosted, SaaS and public cloud services. This complexity creates blind spots and integration gaps that are hard to identify, monitor and control at scale.

Third-party platforms and niche providers introduce opaque dependencies, while high staff turnover and constant contractor movement make it difficult to enforce robust governance and access consistently.

Rapid expansion in telehealth, remote monitoring and virtual care models is pushing data and workloads to the edge faster than traditional cybersecurity controls and processes can adapt.

When something goes wrong, technology leaders are not just restoring services. They are managing breach notifications, media scrutiny and questions from boards and ministers.

What "good" looks like

In this environment, "good" is not a bigger tool stack. It is a pragmatic, outcome-driven approach that technology leaders can measure and defend. For a CIO or CTO, that often means fewer credential-based incidents, faster detection and response, shorter recovery times for EMR and core platforms, and a clearer story for regulators and boards.

Four practical pillars stand out:

Safeguard health data anywhere. Classify, protect and monitor sensitive patient and research data across on-premises, cloud and edge – before, during and after migrations – so data remains protected regardless of where or how it is being accessed.

Strengthen identity as the control plane. Modernise authentication, including controls that determine who can access what, from where and under which conditions. Tighten how privileged accounts are managed to reduce credential-based attacks and prevent attackers from moving beyond a compromised account into other systems.

Keep compliance in motion. Maintain privacy, retention and data location controls as workloads move between public, private and sovereign environments, so your compliance practices stand up to audits and you can produce clear evidence and documentation when required.

Secure systems and devices continuously. Harden legacy systems, SaaS platforms and connected medical devices. Continuously check for misconfigurations and configuration drift – where initially secure settings gradually shift to a less secure state as changes accumulate – across multicloud environments, to reduce the number of systems and entry points exposed to potential attack.

How to start without adding risk

The challenge is moving from ideas to concrete steps without creating new complexity or downtime. In my experience, health organisations that make progress tend to follow a pragmatic, high-impact approach.

Run a targeted security review.

Review your identity controls, data protection and overall cloud security health against Australian health regulations and digital health expectations – establishing a baseline and surfacing quick wins.

Prioritise a small number of high-impact domains. 

For some, the first 90 days will focus on closing identity and access gaps. For others, network segmentation around EMR and imaging systems (separating critical clinical systems from the wider network), or stronger protection of high-value data sets, will deliver a better return on risk reduction.

Execute incremental modernisation. 

Deliver changes through 60-90-day work packages that improve security and performance while keeping critical systems online and demonstrating measurable progress to executives and clinical leaders.

Establish healthcare-specific continuous monitoring.

Tune monitoring and response for clinical environments so that emerging risks are detected quickly and addressed before they become incidents.

This gives technology leaders a roadmap they can put into a business case – with clear investment asks and expected outcomes rather than a broad "improve security" mandate.

Benchmark your organisation

Datacom has worked with public, private and not-for-profit health providers across Australia and New Zealand, designing and operating cloud solutions aligned with local privacy, data protection and sovereignty requirements.

Datacom and Microsoft's Cloud and Infrastructure Report for Healthcare distils what similar organisations are doing to modernise, where they are focusing investment, and which approaches are helping them reduce risk without disrupting care.

Book a free discovery call to pressure-test your roadmap, validate your priorities and uncover practical options for strengthening your organisation's security and resilience.
