SkyComm Team

17 March 2026

Learn how medical practices should secure Microsoft 365. MFA, email protection, compliance and cybersecurity best practices for Australian clinics.

# Microsoft 365 Security for Medical Practices: 10 Settings Your Practice Manager Should Check Today

Microsoft 365 is now the backbone of communication for many medical practices in Australia. Clinics rely on Outlook, Teams and SharePoint to manage sensitive patient information — making Microsoft 365 security critical for privacy and compliance.

In this guide, we explain the essential Microsoft 365 security settings every medical practice should implement, including MFA, conditional access, email protection and compliance with the Australian Privacy Act and RACGP cybersecurity guidelines.

## Why Microsoft 365 Security Matters for Medical Practices

Healthcare is one of the most targeted industries for cyber attacks. Medical practices store highly sensitive personal information including patient records, identification documents and clinical notes.

Without proper Microsoft 365 security configuration, clinics may be vulnerable to phishing attacks, account compromise and data breaches — putting both patients and the practice at risk of Privacy Act violations and RACGP accreditation issues.

Most medical practices in Perth run on Microsoft 365. Email, patient correspondence, appointment scheduling, staff calendars, file sharing — it's all sitting inside your M365 tenant. But the default security settings that come out of the box aren't built for healthcare. They're built for general business use, and they leave gaps that matter when you're handling Medicare numbers, health records, and sensitive patient data.

Here are 10 Microsoft 365 security settings that every practice manager should verify — or have their IT provider verify — before your next accreditation review.

## 1. Multi-Factor Authentication (MFA) for Every User

This one isn't optional anymore. The RACGP's IT security standards explicitly require MFA, and assessors check for it.

Every user account — GPs, nurses, reception, practice manager — should have MFA enabled. That means logging in requires both a password and a second verification step (usually a phone app notification or SMS code).

What to check: Go to the Microsoft 365 admin centre → Active users → Multi-factor authentication. Every account should show "Enforced", not "Disabled" or "Enabled" (enabled means it's turned on but the user hasn't completed setup).

Common mistake: Practices enable MFA for doctors but leave reception accounts without it. Attackers know this. Reception accounts often have access to patient contact details, appointment systems, and shared mailboxes — they're valuable targets.
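The admin centre view above is per account. For the accreditation file it helps to have one list of every account that has not finished MFA registration, with admins at the top. The script below is an added example (not SkyComm's code or anything from the original article) that pulls that list from the Microsoft Graph registration report. It assumes the Microsoft.Graph.Reports PowerShell module is installed and that the signed-in admin is granted the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes; the function name Get-MfaGapReport is ours.

```powershell
# Added example: who in the tenant has not completed MFA registration?
# Assumes Microsoft.Graph.Reports and an admin with the scopes requested below.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

function Get-MfaGapReport {
    # These methods count for self-service password reset but are NOT a second factor,
    # and the phone methods are the weakest second factors (SIM swap, SMS interception).
    $ssprOnly  = 'email', 'securityQuestion'
    $phoneOnly = 'mobilePhone', 'alternateMobilePhone', 'officePhone'

    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
    foreach ($u in $details) {
        $methods = @($u.MethodsRegistered)
        $strong  = $methods | Where-Object { $_ -notin $ssprOnly -and $_ -notin $phoneOnly }

        [pscustomobject]@{
            User          = $u.UserPrincipalName
            IsAdmin       = $u.IsAdmin
            MfaRegistered = $u.IsMfaRegistered
            Methods       = $methods -join ','
            Status        = if (-not $u.IsMfaRegistered) { 'NOT REGISTERED' }
                            elseif (-not $strong)        { 'PHONE ONLY' }
                            else                         { 'OK' }
        }
    }
}

$report = Get-MfaGapReport

# Admin accounts without a strong second factor are the worst case, so list them first
$report |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, User |
    Format-Table User, IsAdmin, Status, Methods -AutoSize

# One summary line for the accreditation evidence
$total = @($report).Count
$gaps  = @($report | Where-Object { $_.Status -eq 'NOT REGISTERED' }).Count
"{0} of {1} accounts have no MFA method registered" -f $gaps, $total
```

Registration is not enforcement: an account can have an Authenticator app registered and still sign in with a password alone if nothing requires the second step. The requirement comes from Security Defaults or a Conditional Access policy (item 2), so run this report alongside that check, not instead of it.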

## 2. Security Defaults or Conditional Access

Microsoft offers two approaches to enforce baseline security: Security Defaults (free, one-click) and Conditional Access (more granular, requires M365 Business Premium or Azure AD P1).

Security Defaults enforces MFA for all users, blocks legacy authentication protocols, and requires MFA for admin actions. For most small-to-mid practices, this is the right starting point.

Conditional Access lets you create specific rules — for example, requiring MFA only when staff log in from outside the clinic network, or blocking access from countries you don't operate in. If you're a larger practice or multi-site, this gives you more control.

What to check: Azure Active Directory → Properties → Manage Security Defaults. If Conditional Access policies aren't configured, Security Defaults should be turned on.
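For a practice that has outgrown Security Defaults, the two rules it was providing (MFA everywhere, no legacy authentication) have to be rebuilt as Conditional Access policies before Security Defaults is switched off. The following is an added example, not SkyComm's configuration, of creating both policies through the Microsoft Graph PowerShell SDK in report-only mode, so the sign-in logs show who would be affected before anything is enforced. It assumes an Entra ID P1 licence, the Microsoft.Graph.Identity.SignIns module, the Policy.ReadWrite.ConditionalAccess scope, a named location already marked as trusted for the clinic's public IP address, and a break-glass admin account whose object ID is stored in $BreakGlassId (the value shown is a placeholder). The policy names CA01 and CA02 are ours.

```powershell
# Added example: rebuild the two Security Defaults rules as Conditional Access policies.
# Assumes Entra ID P1, Microsoft.Graph.Identity.SignIns, and a trusted named location.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All" -NoWelcome

# Placeholder: replace with the object ID of the emergency-access account.
# It is excluded so a broken policy cannot lock every admin out of the tenant.
$BreakGlassId = "00000000-0000-0000-0000-000000000000"

# Policy 1: MFA for every user on every app, except when signing in from the clinic's
# trusted network ("AllTrusted" = every named location flagged as trusted).
$mfaOutsideClinic = @{
    displayName   = "CA01 - Require MFA outside clinic network"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing report-only results
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication. These client types cannot perform MFA at all,
# which is why old scan-to-email devices using basic authentication are a problem.
$blockLegacy = @{
    displayName   = "CA02 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in $mfaOutsideClinic, $blockLegacy) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0,-45} {1}" -f $created.DisplayName, $created.State
}
```

Leave both policies in report-only mode for at least a week of normal clinic operation, check the Conditional Access insights for sign-ins that would have been blocked (the practice's scanner or pathology-download software usually shows up here), and only then set the state to "enabled".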

## 3. External Email Forwarding Rules

This is one of the most common attack vectors in healthcare. An attacker compromises a staff member's email account and sets up a forwarding rule that silently copies every incoming email to an external address. Patient referrals, pathology results, Medicare correspondence — all quietly exfiltrated.

What to check: In Exchange Admin Centre → Mail flow → Rules, look for any rules that forward email externally. Also check individual mailbox settings — attackers often create inbox rules at the user level, not the admin level.

Better approach: Block automatic external forwarding entirely at the tenant level. Your IT provider can set an outbound mail flow rule that prevents any user from auto-forwarding emails outside the organisation. If someone legitimately needs to forward emails externally (rare in a medical practice), it can be whitelisted on a case-by-case basis.
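Forwarding can be configured in three separate places in Exchange Online (mailbox-level forwarding, user inbox rules and admin mail flow rules), and clicking through each mailbox in the admin centre is where things get missed. The script below is an added example (not SkyComm's tooling) that enumerates all three, marks which targets are outside the organisation's accepted domains, and then applies the tenant-level block described above. It assumes the ExchangeOnlineManagement module and an Exchange Administrator account; the helper Test-ExternalAddress is ours.

```powershell
# Added example: find every forwarding path in the tenant, then block auto-forwarding.
# Assumes ExchangeOnlineManagement, connected as an Exchange Administrator.
Connect-ExchangeOnline -ShowBanner:$false

$internalDomains = (Get-AcceptedDomain).DomainName
$findings = [System.Collections.Generic.List[object]]::new()

function Test-ExternalAddress($address) {
    # Inbox rules store recipients as "Display Name [SMTP:user@domain]";
    # mailbox forwarding stores "smtp:user@domain". Pull out the address and compare the domain.
    if (-not $address) { return $false }
    $smtp = [regex]::Match("$address", '(?i)smtp:([^\]\s>]+)').Groups[1].Value
    if (-not $smtp) { return $false }   # an internal recipient object, no SMTP literal
    return ($internalDomains -notcontains $smtp.Split('@')[-1])
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (set by an admin, or by an attacker holding admin rights)
foreach ($mb in $mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress }) {
    $findings.Add([pscustomobject]@{
        Mailbox  = $mb.UserPrincipalName
        Where    = 'Mailbox forwarding'
        Target   = "$($mb.ForwardingSmtpAddress) $($mb.ForwardingAddress)".Trim()
        External = Test-ExternalAddress $mb.ForwardingSmtpAddress
        KeepCopy = $mb.DeliverToMailboxAndForward   # $false means the owner never sees the mail
    })
}

# 2. User-level inbox rules: the usual hiding place after a phished password
foreach ($mb in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mb.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $findings.Add([pscustomobject]@{
            Mailbox  = $mb.UserPrincipalName
            Where    = "Inbox rule '$($rule.Name)' (enabled=$($rule.Enabled))"
            Target   = $targets -join '; '
            External = ($targets | ForEach-Object { Test-ExternalAddress $_ }) -contains $true
            KeepCopy = -not $rule.RedirectTo   # RedirectTo moves the mail, the owner's copy is gone
        })
    }
}

# 3. Admin mail flow (transport) rules that redirect or silently copy messages
foreach ($tr in Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.AddToRecipients -or $_.CopyTo }) {
    $targets = @($tr.RedirectMessageTo) + @($tr.BlindCopyTo) + @($tr.AddToRecipients) + @($tr.CopyTo)
    $findings.Add([pscustomobject]@{
        Mailbox  = '(tenant)'
        Where    = "Mail flow rule '$($tr.Name)'"
        Target   = $targets -join '; '
        External = ($targets | ForEach-Object { Test-ExternalAddress "smtp:$_" }) -contains $true
        KeepCopy = -not $tr.RedirectMessageTo
    })
}

$findings | Sort-Object External -Descending | Format-Table -AutoSize -Wrap

# 4. Close the door at tenant level: the outbound spam policy decides whether
# auto-forwarded mail (rules and mailbox forwarding alike) may leave the organisation.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Any row with External = True that nobody at the practice can explain should be treated as a possible account compromise and investigated before the rule is deleted, because the rule is evidence (item 9 covers where to find who created it). The case-by-case whitelist mentioned above is done by creating a second outbound spam policy with AutoForwardingMode set to On and scoping it to just the approved user, leaving the Default policy on Off.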

## 4. Admin Account Separation

Are your practice's day-to-day email accounts the same ones with admin access to Microsoft 365? If your practice manager reads email and manages the tenant from the same account, a single compromised password gives an attacker the keys to everything.

Best practice: Create a separate admin account (e.g., admin@yourpractice.com.au) that's only used for M365 administration. It shouldn't have a mailbox, shouldn't be used for daily work, and should have a strong unique password with MFA. Day-to-day accounts should have standard user permissions only.

## 5. Shared Mailbox Access Controls

Medical practices commonly use shared mailboxes — referrals@, reception@, accounts@ — and over time, access to these mailboxes accumulates. Staff members who left six months ago might still have access. Locum doctors from last year might still be connected.

What to check: Exchange Admin Centre → Shared mailboxes → Click each one → Members. Remove anyone who no longer works at the practice. Review every three months at minimum.
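The quarterly review is faster, and less likely to miss a mailbox, when the whole tenant is dumped into one table. Below is an added example (not SkyComm's code) that lists Full Access and Send As entries for every shared mailbox and flags entries belonging to accounts that are already blocked from signing in, which is usually the departed-staff case. It assumes the ExchangeOnlineManagement module and Microsoft.Graph.Users, connected as an admin who also holds the User.Read.All scope; the address leaver@yourpractice.com.au in the commented removal command is a placeholder.

```powershell
# Added example: one table of who can open or send from each shared mailbox.
# Assumes ExchangeOnlineManagement and Microsoft.Graph.Users.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

# Accounts that have already been blocked from signing in (the normal state for departed staff)
$blocked = Get-MgUser -All -Property UserPrincipalName, AccountEnabled |
    Where-Object { -not $_.AccountEnabled } |
    Select-Object -ExpandProperty UserPrincipalName

$review = foreach ($shared in Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {

    # Full Access: who can open the mailbox. Skip the system SELF entry and inherited entries.
    $fullAccess = Get-EXOMailboxPermission -Identity $shared.UserPrincipalName |
        Where-Object { $_.User -notlike 'NT AUTHORITY\*' -and -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' }

    # Send As: who can send mail that appears to come from referrals@, accounts@ and so on
    $sendAs = Get-RecipientPermission -Identity $shared.UserPrincipalName |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' -and $_.AccessRights -contains 'SendAs' }

    foreach ($entry in $fullAccess) {
        [pscustomobject]@{
            SharedMailbox  = $shared.UserPrincipalName
            User           = $entry.User
            Right          = 'FullAccess'
            # A raw SID (S-1-5-21-...) instead of an address means the account was deleted but the entry was not
            AccountBlocked = ($blocked -contains $entry.User) -or ($entry.User -like 'S-1-5-*')
        }
    }
    foreach ($entry in $sendAs) {
        [pscustomobject]@{
            SharedMailbox  = $shared.UserPrincipalName
            User           = $entry.Trustee
            Right          = 'SendAs'
            AccountBlocked = ($blocked -contains $entry.Trustee) -or ($entry.Trustee -like 'S-1-5-*')
        }
    }
}

$review | Sort-Object SharedMailbox, User | Format-Table -AutoSize

# Remove a stale entry once the practice manager has confirmed it (placeholder addresses):
# Remove-MailboxPermission -Identity referrals@yourpractice.com.au -User leaver@yourpractice.com.au -AccessRights FullAccess -Confirm:$false
# Remove-RecipientPermission -Identity referrals@yourpractice.com.au -Trustee leaver@yourpractice.com.au -AccessRights SendAs -Confirm:$false
```

Send As is worth the separate column: a locum who can still send as referrals@ can impersonate the practice to every referring clinic even if they can no longer read the mailbox.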

## 6. SharePoint and OneDrive Sharing Settings

By default, Microsoft 365 allows users to share files with anyone — including people outside your organisation — via a link. That's convenient for general business, but it's a compliance risk when you're storing clinical documents, staff rosters with personal details, or practice financials.

What to check: SharePoint Admin Centre → Policies → Sharing. Set external sharing to "Existing guests" or "Only people in your organisation" unless you have a specific reason to allow broader sharing. If your practice shares documents with external parties (e.g., accountants, insurers), use named guest access rather than anonymous links.

For OneDrive: The same sharing settings apply. Staff shouldn't be able to create "anyone with the link" shares for files containing patient information.

## 7. Email Authentication (SPF, DKIM, DMARC)

Email spoofing — where someone sends an email that appears to come from your practice but doesn't — is a common phishing technique. Patients, referring doctors, and staff can all be targeted with fake emails that look legitimate.

Three DNS records protect against this:

  • SPF — tells receiving mail servers which servers are authorised to send email on behalf of your domain
  • DKIM — adds a cryptographic signature to your outgoing emails so recipients can verify they haven't been tampered with
  • DMARC — tells receiving servers what to do with emails that fail SPF or DKIM checks (quarantine or reject them)

What to check: Ask your IT provider if all three are configured for your domain. Most M365 tenants have SPF set up, fewer have DKIM, and many still don't have DMARC. All three should be in place.
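All three records are public DNS, so a practice manager can confirm the answer from any Windows PC without admin rights. The function below is an added example (not SkyComm's code) that looks up the three records for a domain and grades each one; it also catches the two common half-configurations, a DMARC policy of p=none (which only reports, it does not protect) and an SPF record that does not include Microsoft 365. It assumes the built-in Resolve-DnsName cmdlet and a domain whose mail is hosted in Microsoft 365, where DKIM is published as the selector1 and selector2 CNAME records; yourpractice.com.au is a placeholder domain and Test-EmailAuth is our name.

```powershell
# Added example: check SPF, DKIM and DMARC for a practice domain from public DNS.
# Assumes Resolve-DnsName (Windows) and Microsoft 365 as the mail host.
function Test-EmailAuth {
    param([Parameter(Mandatory)][string]$Domain)

    $result = [ordered]@{ Domain = $Domain }

    # SPF: exactly one TXT record at the domain apex starting with v=spf1.
    # Microsoft 365 sends from servers covered by include:spf.protection.outlook.com.
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=spf1*' })
    $result.SPF =
        if ($spf.Count -eq 0)                                  { 'MISSING' }
        elseif ($spf.Count -gt 1)                              { 'INVALID: more than one SPF record (receivers treat this as no SPF)' }
        elseif ($spf[0] -notlike '*spf.protection.outlook.com*') { "WARN: Microsoft 365 not included: $($spf[0])" }
        elseif ($spf[0] -like '*-all')                         { "OK (hard fail): $($spf[0])" }
        else                                                   { "WARN (soft fail or neutral, ~all/?all): $($spf[0])" }

    # DKIM: Microsoft 365 publishes two selectors; both should be CNAMEs to a Microsoft-controlled host.
    $dkim = foreach ($selector in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        if ($cname) { "$selector -> $($cname.NameHost)" } else { "$selector MISSING" }
    }
    $result.DKIM = $dkim -join '; '

    # DMARC: a TXT record at _dmarc.<domain>. Only p=quarantine or p=reject stops spoofed mail.
    $dmarc = @(Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=DMARC1*' })
    $result.DMARC =
        if ($dmarc.Count -eq 0)                                  { 'MISSING' }
        elseif ($dmarc[0] -match '(^|;)\s*p=(reject|quarantine)') { "OK: $($dmarc[0])" }
        else                                                     { "WARN (monitor only, p=none): $($dmarc[0])" }

    [pscustomobject]$result
}

Test-EmailAuth -Domain 'yourpractice.com.au' | Format-List
```

A DKIM CNAME in DNS shows the record was published, not that signing is switched on; the tenant side is confirmed in Exchange Online with Get-DkimSigningConfig, where the domain's Enabled value should be True. Moving DMARC from p=none to p=quarantine or p=reject should be done only after checking the aggregate reports for a few weeks, because any third-party system that sends as the practice domain (a booking platform, a pathology provider) and is missing from SPF will have its mail rejected too.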

## 8. Mobile Device Management

Staff check practice email on their phones. That's fine — but what happens if a phone is lost or stolen? Without Mobile Device Management (MDM), there's no way to remotely wipe practice data from a lost device.

What to check: Microsoft 365 includes basic MDM through Intune (available in Business Premium). At minimum, enable the ability to remotely wipe company data from mobile devices. Require a PIN or biometric lock on any device accessing practice email. Block access from devices that don't meet your security requirements.

## 9. Audit Logging

If something goes wrong — a data breach, an unauthorised access, a suspicious login — you need to be able to investigate. Microsoft 365 audit logging tracks who accessed what, when, and from where. But it needs to be turned on, and the default retention period is only 180 days.

What to check: Microsoft Purview → Audit → Verify that audit logging is enabled. Consider extending the retention period if your licence allows it. For RACGP accreditation and potential breach investigations, 12 months of logs is a reasonable target.
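The audit log only answers questions if it was on before the incident, which is why the first step below is to verify the setting rather than assume it. The rest is an added example (not SkyComm's code) of the investigation a practice is most likely to need after the forwarding-rule problem in item 3: every inbox rule created or changed, and every mailbox forwarding change, in the last 30 days, together with the IP address it came from. It assumes the ExchangeOnlineManagement module, an account holding the Audit Logs or View-Only Audit Logs role, and that the Search-UnifiedAuditLog cmdlet is still available in the tenant.

```powershell
# Added example: confirm unified audit logging is on, then pull 30 days of
# inbox-rule and forwarding changes with the source IP of each change.
# Assumes ExchangeOnlineManagement and the Audit Logs role.
Connect-ExchangeOnline -ShowBanner:$false

$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF. Nothing from before today can be recovered; enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$start     = (Get-Date).AddDays(-30)
$end       = Get-Date
$sessionId = "inbox-rule-review-$(Get-Date -Format yyyyMMddHHmm)"
$events    = @()

# Search-UnifiedAuditLog pages its results: keep calling with the same SessionId until it returns nothing.
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox' `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $events += $page
} while ($page)

$rows = foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json     # AuditData is a JSON string with the cmdlet parameters
    [pscustomobject]@{
        When      = $e.CreationDate
        User      = $e.UserIds
        Operation = $e.Operations
        ClientIP  = $data.ClientIP
        Detail    = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
}

# Set-Mailbox covers many routine changes; keep only the ones that touched forwarding
$rows |
    Where-Object { $_.Operation -ne 'Set-Mailbox' -or $_.Detail -match 'Forwarding' } |
    Sort-Object When -Descending |
    Format-Table When, User, Operation, ClientIP, Detail -AutoSize -Wrap
```

Two things to look for in the output: a rule whose Detail names an external address in ForwardTo or RedirectTo, and a ClientIP that is not the clinic's connection or a staff member's known home address, particularly when the same account created the rule minutes after a sign-in from that address. That combination is the signature of a phished mailbox, and the timestamps from this query are what a Privacy Act breach assessment needs.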

## 10. Backup (Because Microsoft Doesn't Do It for You)

This catches a lot of practice managers off guard. Microsoft's service agreement makes it clear: they're responsible for keeping the M365 service running, but you're responsible for your data. If a staff member accidentally deletes a shared mailbox, if ransomware encrypts your SharePoint files, or if a departing employee clears their OneDrive — Microsoft's recovery options are limited and time-bound.

What to check: Do you have a third-party backup solution for M365? Tools like Veeam, Datto, or AvePoint can back up your mailboxes, SharePoint sites, OneDrive files, and Teams data to an independent location. If you don't have one, your practice data is one incident away from permanent loss.

---

## Common Microsoft 365 Security Mistakes in Medical Clinics

After auditing Microsoft 365 environments across Perth medical practices, these are the most common security gaps we find:

  • No MFA enabled — the single biggest risk factor for account compromise
  • Global admin accounts shared — multiple staff using the same admin login with no audit trail
  • No backup of Microsoft 365 data — assuming Microsoft handles backup (they don't)
  • Old scan-to-email devices using basic authentication — legacy scanners and MFPs bypassing modern security
  • External sharing wide open — SharePoint and OneDrive links accessible to anyone
  • No DMARC configured — leaving the practice domain open to email spoofing

Every one of these is fixable. Most can be resolved in a single session with your IT provider.

## Where to Start

If your practice hasn't reviewed its M365 security settings recently, start with MFA (item 1) and external forwarding rules (item 3). These two changes alone close the most common attack paths we see in Perth medical practices.

For a broader review, download our cybersecurity compliance checklist — it covers these M365 settings alongside the full range of IT security controls that RACGP assessors look for.

Need help reviewing your practice's Microsoft 365 configuration? Get in touch — we support medical practices across Perth and WA, and we know what healthcare-specific security looks like in practice, not just in theory.

---

## How SkyComm Secures Microsoft 365 for Medical Practices

At SkyComm, we manage Microsoft 365 security for medical practices across Perth and Western Australia. Our healthcare-focused configuration includes:

  • Multi-factor authentication deployment for all users
  • Conditional access policies tailored to clinic workflows
  • Microsoft Defender email protection against phishing and malware
  • Compliance with RACGP and Privacy Act requirements
  • Backup and disaster recovery for Microsoft 365 data
  • Audit logging and compliance monitoring

This ensures clinics maintain strong cybersecurity while meeting healthcare compliance expectations.

This guide is based on SkyComm's experience securing Microsoft 365 environments for medical practices across Perth and Western Australia.

SkyComm is Perth's specialist medical IT support provider. We provide managed IT services, cybersecurity, and clinical software support for GP clinics, dental practices, specialists, and allied health across Western Australia.
