The proposed bill aims to protect Australian infrastructure from “sophisticated cyber security attacks”, and includes enhanced cyber security obligations for what have been deemed systems of national significance.

A primary element of the bill is the requirement for critical infrastructure, such as hospitals with an ICU, to have an updated risk management program.

Speaking to the Parliamentary Committee on Intelligence and Security on Wednesday, St Vincent’s Health group CEO Toby Hall said the ICU at the Toowoomba hospital made no profit, and additional costs from the proposed requirements placed the facility in jeopardy.

“We would probably choose to close down the ICU, which would put more pressure on the public system and change the activity, because, with the size of the hospital – it’s a regional hospital – it actually makes no profit,” Mr Hall said.

“We operate it from a mission point of view. So it would be an additional cost impact.

“We largely run the same systems across the hospitals, but it would be a choice … of whether we carry on running under the critical infrastructure, because it creates such a cost impost that it would actually take a hospital to a point where it’s losing money to operate with an ICU.”

According to Mr Hall, the Department of Home Affairs said there would be an establishment cost of $8.5 million and an ongoing cost of $6 million per annum for hospitals, which St Vincent’s facilities “simply cannot afford”.

“We are operated on very low margins,” Mr Hall said.

“We’ve had restricted elective surgeries and core delivery of critical infrastructure to the government, and to be asked to drop earnings by what is roughly seven per cent has a hugely significant impact for us.

“Whilst we’re very happy to provide the critical infrastructure and support, that needs to be funded by someone, and I think it would be very difficult to ask non-profit organisations to pick up a price that’s quite so high.”

Mr Hall said St Vincent’s already ran “significant cybersecurity programs and risk management programs”.

“No-one’s immune from (cyber attacks), but we certainly do that right across the board for all our facilities,” he said.

Representatives from critical industries and government agencies gave evidence on the proposed new laws at a public hearing on Wednesday.

“Australia’s security outlook has never been more uncertain, and so it’s critical that government and industry are working hand in glove to identify and counter sophisticated cyber attacks,” PJCIS chair Senator James Paterson said.