Strengthening access controls and network defences in healthcare

Government & Critical Infrastructure
A regional healthcare provider needed to better understand the security risks across its internal systems. With critical patient data and clinical operations at stake, an internal penetration test revealed gaps in account access, system segregation, and monitoring that could have left them exposed to compromise.
Problem

Critical access weaknesses increased risk of lateral movement

The network allowed SMB relay attacks, which could let an attacker move laterally between systems. Several accounts had excessive privileges, opening the door to domain admin escalation. MFA was technically enabled but not consistently enforced, and with no Conditional Access Policies or audit logging in place, login anomalies could go unnoticed. A separate patient portal also contained an IDOR vulnerability that exposed appointment data through simple URL manipulation.

Solution

System-wide hardening and stronger enforcement of access protocols

We helped the organisation review all privileged accounts and tighten Group Policy settings across Active Directory. Clinical and admin systems were segmented, and the guest Wi-Fi network was isolated to limit crossover risk. MFA was enforced across the board, Conditional Access Policies were implemented, and legacy protocols were disabled. The vulnerable portal was patched and a security scanning step was introduced to the deployment process to prevent similar issues from reoccurring.

Results

The organisation now meets compliance expectations with a more resilient setup

The work done helped the provider build resilience into its systems without compromising patient care. With clearer audit trails, enforced MFA, and tighter user access protocols, the business is now more confident in its compliance with My Health Record security standards and the Australian Privacy Principles, while continuing to deliver essential care across the region.

Start a conversation

Reach out to chat about your goals, challenges, or just to get a fresh perspective on your IT. Our team is ready to listen.