Essential Eight: What It Means for a Small Imaging Practice
The Australian Signals Directorate’s Essential Eight is a set of baseline cybersecurity strategies designed to protect organisations from the most common cyber threats. For large hospitals and health networks, compliance teams are often already across this. But for smaller, independent diagnostic imaging practices, the framework can feel abstract — or worse, like something that only applies to “big” organisations.
It applies to you too, and here’s why it matters.
What Is the Essential Eight?
The Essential Eight is a prioritised set of mitigation strategies that, when implemented together, make it significantly harder for adversaries to compromise your systems. It was developed by the Australian Signals Directorate (ASD) and is increasingly referenced in healthcare cybersecurity guidance.
The eight strategies are:
- Application Control — Only allow approved applications to run on your workstations and servers
- Patch Applications — Keep all applications, especially internet-facing ones, up to date
- Configure Microsoft Office Macro Settings — Restrict or disable macros unless genuinely needed
- User Application Hardening — Disable or configure Flash, ads, and Java in browsers
- Restrict Administrative Privileges — Limit who has admin-level access, and review it regularly
- Patch Operating Systems — Apply security patches to operating systems within defined timeframes
- Multi-Factor Authentication (MFA) — Require MFA for all remote access and privileged accounts
- Regular Backups — Maintain and test offline backups of important data
Each strategy has four maturity levels: ML0 (not implemented), ML1, ML2, and ML3. Most small practices should be targeting at least ML1 across all eight, with critical controls like MFA and patching at ML2 or higher.
Why Imaging Practices Are at Risk
Radiology practices are attractive targets for several reasons:
- High-value data: Medical imaging data and patient records have significant black-market value
- Legacy systems: PACS and modality workstations often run older operating systems and are infrequently patched
- Complex integrations: HL7, DICOM, and RIS/PACS integrations create multiple potential attack surfaces
- Flat networks: Many practices have poorly segmented networks where a compromised workstation can reach clinical systems
A single ransomware event can take a practice offline for days or weeks, destroy patient trust, and trigger mandatory breach notification under the Privacy Act.
The Practical Implications for a Small Practice
Application Control
Full application whitelisting can be complex to implement in a busy imaging environment, but at minimum, you should ensure that:
- Staff workstations cannot install arbitrary software
- Your RIS, PACS, and modality vendor software is locked down and managed by your IT provider
- Any new software requires approval before deployment
Patching
This is where most small practices fall short. Common failure modes:
- PACS or modality vendors discouraging patching without their sign-off, leading to months-long delays
- No formal patch management process — patches applied “when we remember”
- Workstations excluded from patch cycles because “it might break something”
You need a process. Work with your IT provider to define a patch window (e.g. monthly for applications, within 48 hours for critical OS patches) and hold your vendors accountable if they block timely patching.
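One way to make that patch window measurable rather than a good intention, as an added example that is not part of the original article: a small Python check that compares each system's patch release and applied dates against the cadence suggested above (48 hours for critical OS patches, monthly for applications, treated here as 30 days) and flags hosts that are late, still missing a patch, or waiting on a vendor hold. The inventory, hostnames and dates are constructed for the example.

```python
from datetime import datetime, timedelta

# Patch windows from the article's suggested cadence: critical OS patches
# within 48 hours, application patches monthly. Assumption: "monthly" is
# checked as a 30-day window.
PATCH_WINDOWS = {
    "critical_os": timedelta(hours=48),
    "application": timedelta(days=30),
}

# Constructed sample inventory (hostnames and dates are made up). "applied"
# is None when the patch is still outstanding; "vendor_hold" records that a
# PACS/modality vendor has asked the practice to wait for their sign-off.
SAMPLE_INVENTORY = [
    {"host": "rad-ws-01", "kind": "critical_os", "released": "2024-03-01T09:00:00",
     "applied": "2024-03-02T10:00:00", "vendor_hold": False},
    {"host": "pacs-srv-01", "kind": "critical_os", "released": "2024-03-01T09:00:00",
     "applied": None, "vendor_hold": True},
    {"host": "reception-02", "kind": "application", "released": "2024-02-01T09:00:00",
     "applied": "2024-03-15T09:00:00", "vendor_hold": False},
    {"host": "modality-ct-01", "kind": "application", "released": "2024-01-10T09:00:00",
     "applied": None, "vendor_hold": True},
]


def evaluate_patch_window(inventory, now):
    """Classify each host as ok / late / missing / vendor_blocked and report
    how far past its patch deadline it is (zero when compliant)."""
    report = {}
    for item in inventory:
        deadline = datetime.fromisoformat(item["released"]) + PATCH_WINDOWS[item["kind"]]
        applied = datetime.fromisoformat(item["applied"]) if item["applied"] else None
        if applied is not None and applied <= deadline:
            status, overdue = "ok", timedelta(0)
        elif applied is not None:
            status, overdue = "late", applied - deadline  # patched, but outside the window
        else:
            # Still unpatched: a vendor hold is recorded so it can be escalated,
            # but it does not stop the clock on the practice's exposure.
            status = "vendor_blocked" if item["vendor_hold"] else "missing"
            overdue = max(now - deadline, timedelta(0))
        report[item["host"]] = (status, overdue)
    return report


def sample_report(now_iso):
    """Run the check over the constructed inventory as of a given timestamp."""
    return evaluate_patch_window(SAMPLE_INVENTORY, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for host, (status, overdue) in sample_report("2024-03-20T09:00:00").items():
        print(f"{host:15} {status:15} overdue by {overdue.days} days")
```

The vendor-blocked rows are the ones to raise with the PACS or modality vendor, with the number of days of exposure attached.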
Multi-Factor Authentication
If your staff can access your RIS, PACS portal, or any clinical system remotely without MFA, that’s a significant gap. This is one of the highest-value controls you can implement and it’s rarely as disruptive as people fear.
Modern MFA options (Microsoft Authenticator, hardware tokens, SMS — in decreasing order of security) can be deployed quickly. Your IT provider should be able to roll this out within a day for most practice sizes.
Backups
The classic backup failure pattern in small practices: backups are configured, running, and never tested, until a restore is needed.
Essential Eight ML1 requires that you can actually restore from backup within a defined timeframe. You should be testing restoration quarterly at minimum. Offsite or cloud-based backups are important, but so is having an offline copy that ransomware cannot reach and encrypt.
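A restore test only proves something if the restored data is checked against what was backed up, not just that the restore job finished. The following POSIX shell script is an added example, not the practice's or any vendor's tooling: it records a SHA-256 manifest at backup time, restores the archive into a scratch directory (never over live data) and verifies every file against that manifest, and it also shows that an archive which was silently changed after the manifest was written fails the test. All paths and file contents are constructed.

```shell
# Constructed demo: back up a sample directory, record a checksum manifest at
# backup time, restore into a scratch location and verify against the manifest.
set -eu

checksum() {
    # sha256sum on Linux, shasum on macOS/BSD; both accept -c --status
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

make_manifest() {
    # $1 = directory; emits "hash  ./relative/path" lines in a stable order
    ( cd "$1" && find . -type f | sort | while read -r f; do checksum "$f"; done )
}

take_backup() {
    # $1 = source dir, $2 = backup dir (absolute); writes data.tar + data.sha256
    mkdir -p "$2"
    tar -C "$1" -cf "$2/data.tar" .
    make_manifest "$1" > "$2/data.sha256"
}

verify_restore() {
    # $1 = backup dir (absolute). Restores into a fresh scratch dir, never over
    # live data, and returns 0 only if every file matches the manifest.
    scratch=$(mktemp -d)
    tar -C "$scratch" -xf "$1/data.tar" || return 1
    ( cd "$scratch" && checksum -c --status "$1/data.sha256" )
}

demo_good_backup() {
    # Builds a constructed sample source tree, backs it up, prints the backup dir
    work=$(mktemp -d)
    mkdir -p "$work/src/reports"
    printf 'constructed RIS export\n' > "$work/src/ris_export.csv"
    printf 'constructed report text\n' > "$work/src/reports/r1.txt"
    take_backup "$work/src" "$work/backup"
    printf '%s\n' "$work/backup"
}

demo_tampered_backup() {
    # Same, but the archive is rebuilt after a file changed, so it no longer
    # matches the manifest taken at backup time (a silently bad backup)
    dir=$(demo_good_backup)
    src="$(dirname "$dir")/src"
    printf 'altered after backup\n' > "$src/reports/r1.txt"
    tar -C "$src" -cf "$dir/data.tar" .
    printf '%s\n' "$dir"
}

verify_restore "$(demo_good_backup)" && echo "restore test passed"
```

For a real quarterly test, point verify_restore at a copy pulled from the offline or cloud backup medium rather than at the live backup directory, so the test exercises the same path a recovery would.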
Getting to Maturity Level 1
For a typical small imaging practice with 5–20 staff and a mix of clinical and administrative systems, reaching ML1 across all eight strategies is achievable within 3–6 months with the right IT partner.
The sequence we recommend:
- Audit current state — understand where you sit on each control today
- MFA first — quick win, high value, low disruption
- Patch management process — establish cadence and accountability
- Backup testing — verify you can actually recover
- Privilege review — remove unnecessary admin rights
- Application hardening — tackle browser and macro settings
- Application control — more complex, plan carefully with your vendor
The Compliance Context
While the Essential Eight isn’t currently mandated for private imaging practices under Australian law, it’s increasingly referenced in:
- Cyber insurance policy requirements
- Medicare billing agreement obligations
- State-based health department IT standards
- DIAS accreditation guidance (indirectly, through data security requirements)
Getting ahead of this now is significantly easier than retrofitting after an incident — or after it becomes a formal compliance obligation.
RADops provides cybersecurity and IT operations consulting for diagnostic imaging practices. If you’d like to assess your current Essential Eight posture, get in touch.