Benji Crooks, Marketing Director at Public Sector Network, spoke with Alastair McDonald, Director, Strategy & Architecture at Digital Health SA (part of the broader SA Health network), about the operational impact of EMR downtime, balancing clinician access with privacy, and what “success” looks like as the system becomes a larger and more attractive target. Alistair will expand on these themes at Government Cyber Security Showcase South Australia as part of Government Innovation Week South Australia on Wednesday, 10 June 2026, during "Statewide Electronic Medical Records: Health, Uptime and Cyber Risk".
Benji Crooks: Great. So first of all, if you could introduce yourself—your title and the company you work for.
Alastair McDonald: Yeah, I’m Alistair McDonald. I’m the Director of Strategy and Architecture at Digital Health SA, which is part of the broader SA Health network.
Benji Crooks: Would this be the first time you’ve attended Cybersecurity Showcase in South Australia? and what kind of expectations do you have of the showcase?
Alastair McDonald: For me, it’s to get up to speed with current practices in cybersecurity, and to network with peers who are in the space. I want to better understand what we should be doing with respect to SA Health and the medical and other records that we maintain on behalf of our consumers.
Benji Crooks: Excellent—and that’s a really good point, because you’ll be speaking on the panel discussion "Statewide Electronic Medical Records: Health Uptime and Cyber Risk". Could you go into a little bit of what that will be about—what it will be focusing on, and what kinds of things you’ll be talking about with your different peers on the panel?
Alastair McDonald: I think the panel will probably cover a number of things. The three aspects of it in my head are:
First, the electronic medical record is a fundamental tool that we use to deliver safe, effective care in SA Health. It records the administration of patients as they move through our hospital system, and it records medical events and records in relation to procedures and practices in the hospital.
Second, uptime relates to the impact that downtime has on our clinical staff across the system. It becomes a manual and laborious process when staff move onto disaster recovery or business continuity planning—they have to pull out pen and paper, record things manually, and then reconcile it when the system comes back up. There’s a significant business impact there. One of my peers will probably talk to that in more detail—what the risks are and what the practical challenges staff need to deal with.
Then there’s privacy—how we make sure the privacy of consumer and patient medical records is maintained. What are the workforce expectations so staff don’t access a record they’re not consented to look at?
And finally, the cybersecurity aspects: how do we make sure we have the right technology, structures and processes in place to secure the medical record from external people wanting to get hold of it and use it against us.
Benji Crooks: As you spoke about the different risks there—outages and people with personal records—what would you say success looks like for the rollout of the statewide electronic medical records?
Alastair McDonald: There are the “hygiene factors”. Once a person with private information is prepared to share that with you, you need to take that seriously and make sure their privacy is protected at all levels.
So we need procedures in place so our workforce understands the privacy principles, can abide by them, and understands the consequences if they breach them. Unfortunately, we’ve seen instances recently where staff haven’t been in line with that.
More importantly, as the medical record grows, it’s probably a bigger and more interesting target to sophisticated cyber attackers. Ultimately, when you’re maintaining records on behalf of your patients and the health system, you need adequate controls in place to reduce the risk of a cybersecurity incident.
Benji Crooks: How do you balance easy access for clinicians whilst protecting personal data and privacy?
Alastair McDonald: There are a number of layers. There are procedural controls in place. We have a State Records Act that describes how we maintain records. Then there are policies and procedures within SA Health that describe when clinicians can look at a record and when they can’t.
The expectation is that clinicians follow those requirements when they’re entering the system. And if there is an incident, there are proactive and reactive audits that allow us to find out what’s been looked at and why the access was inappropriate.
Benji Crooks: You’re moving from having multiple systems in place for electronic records to one system across the statewide rollout. How does the cybersecurity change?
Alastair McDonald: A lot of the medical records were actually held on paper up until recently. We’ve just completed the statewide rollout. Inevitably, you’ve gone from a situation where there were some electronic medical records, but now they’ve grown in scope and scale across the system.
That requires a heightened sense of security because there’s more data in there—so it’s a bigger target. The standard you need to put in place is the same whether there’s one sensitive record or a million of them. But it’s far easier to protect one piece of information than the size and scale we’ve got now, where there are many servers and probably 30–40,000 staff logging in every day.
So there are more risks: records can be compromised due to staff error or maladministration, and there are more access points for external actors simply because you’ve had to create more pathways for your own staff to access the system.
Benji Crooks: Going from paper records—which obviously come with no cyber risk—to electronic records must introduce cyber risk for the first time. They’ve never been there.
Alastair McDonald: Absolutely. That’s the moment you realise the technology responsibility—and ultimately the cybersecurity responsibility—goes from protecting emails and bureaucratic paperwork to something that is really important.
I see us as custodians for the patient’s medical record. It’s our responsibility to make sure there are adequate controls in place to protect them and significantly reduce the risk of a cybersecurity incident.
Benji Crooks: Finally, ending on your session: what’s one key takeaway you hope the audience will take away from it?
Alastair McDonald: The responsibility for managing the privacy of a medical record as it gets bigger is really a system-wide responsibility.
We have a lot of protocols to ensure healthcare is delivered safely—procedures, handoffs, double checks. We probably haven’t adopted or entrenched the same level of awareness in staff around privacy practice and cybersecurity practices.
For me it’s ongoing education, to make sure the same practices we use to ensure medical procedures are safe and secure are applied to accessing the medical record. Moving records from paper—where they’re not accessible by many people—to electronic formats—where they’re accessible by all staff with system access—creates a significant risk, and it’s also attractive to people outside the system trying to gain access.
Hear Alastair McDonald at Government Cyber Security Showcase South Australia as part of Government Innovation Week South Australia on Wednesday, 10 June 2026. Their session will explore the cyber, privacy and resilience implications of running a single statewide EMR, including availability, incident response and practical lessons from delivery.
Published by
Help your peers
Share what you've learned with fellow public servants
