Health and aged care cyber security chief retires amid growing digital risks

The Department of Health and Aged Care’s chief information security officer (CISO), David Lang, has retired, ending a more than 30-year career in the Australian public service at a time when cyber security risks across the health and aged care sectors are rapidly increasing.

Lang joined the department in September 2024, moving from Services Australia, where he served as national manager for cyber governance, policy and engagement. In that role, he worked on strengthening cyber governance frameworks and improving security across major government service platforms.

During his time as CISO at the Department of Health and Aged Care, Lang oversaw elements of the department’s cyber security uplift work, part of broader efforts across government to strengthen the protection of sensitive health and personal data.

The department confirmed Lang’s retirement and has begun recruiting for a permanent replacement.

In the meantime, Deputy CISO Matt Newman has stepped into the role in an acting capacity while the recruitment process is underway.

Announcing his retirement on LinkedIn, Lang reflected on a career spanning multiple areas of government service.

“I’ve been incredibly fortunate to work across service delivery, law enforcement, election delivery and cyber security — a career that’s been interesting, challenging, varied, and a real privilege,” he wrote.

Digital risks rising across health and aged care

Lang’s departure comes at a time when cyber security is becoming a growing concern across the health and aged care sectors.

Health systems and aged care providers hold large volumes of sensitive personal and medical information, making them attractive targets for cyber criminals. At the same time, the sector is becoming increasingly digital, with providers relying on electronic care records, cloud-based systems, connected devices and remote monitoring technologies.

The ongoing digital transformation of health and aged care is creating opportunities for improved care delivery and operational efficiency. However, it is also expanding the potential attack surface for cyber threats.

Government agencies have been working to strengthen cyber resilience through security uplift programs and centralised capabilities aimed at improving threat detection, prevention and response.

For aged care providers already navigating workforce shortages, regulatory reform and increasing consumer expectations, cyber security is emerging as another critical operational risk.

The appointment of a new CISO will play a key role in continuing the department’s efforts to safeguard the digital infrastructure that underpins Australia’s health and aged care systems.