Estia Health drives Zero Trust security overhaul

Managing risk across a dynamic aged care workforce.

Australia’s second-largest residential aged care provider Estia Health is using Zero Trust principles to enable “precise, context-aware access” for anyone interacting with its systems or networks.

Estia Health supports more than 10,000 residents annually across nearly 100 aged care homes.

Delivering that care and support requires a workforce of over 14,000 employees and casual roles, alongside a broad ecosystem of visiting doctors, allied health professionals and specialists.

This story is part of the 2026 iTnews State of Security report.

This dynamic workforce, combined with the need to safeguard sensitive personal and health data.

For Estia Health’s head of information security, Tharaka Perera, addressing that complexity requires a firm commitment to Zero Trust.

According to Perera, it all starts with identity.

“Identity is our fundamental pillar – making sure everyone has a unique identity so we know who is accessing what,” Perera said. 

“From there, we look at the role and determine what they can and can’t access.”

The constantly changing nature of the workforce means Estia Health has simplified role-based access management by standardising access profiles across similar job functions.

“It is a journey we are constantly refining,” Perera said. 

“We continuously monitor access to see what is actually being used, and if it’s not, we revoke it. That ongoing feedback loop helps us improve the model.”

The organisation has a unique family code of ‘A family where everyone belongs’, and Perera has adapted this sentiment by ensuring every application within the technology stack is accessible through single sign-on provided by Okta.

“We operate on the principle of one user, one identity,” Perera said. 

“Any application not integrated into that ecosystem effectively creates a back door, so we don’t allow it.”

Beyond identity, data forms the second pillar of Estia Health’s Zero Trust strategy.

While structured data within core systems can be secured through role-based controls, Perera said unstructured data, such as files stored across shared environments, presents a more complex challenge.

“We are streamlining our data risk management program so we can apply classification-based controls when people access data,” Perera said. 

“Historically, data risk management has been quite manual, but emerging technologies, particularly those leveraging AI, are helping us achieve better outcomes with less effort.”

Regulatory requirements add another layer of complexity, particularly restrictions on offshore access to certain types of data. This further influences how Estia Health approaches its third Zero Trust pillar: endpoints.

“We need to ensure that endpoints reside in Australia and have appropriate security controls in place so that we know they are a trusted endpoint,” Perera said.

While in an ideal scenario all access would occur only on fully managed devices, the nature of the Estia Health workforce and its interaction with visiting care professionals make this unachievable. However, Perera said Estia Health did enforce baseline standards before granting access, coupled with clear communication regarding Estia Health’s controls and expectations.

“Even for visiting doctors, we want to make sure that they access systems from a fully patched device,” Perera said. 

“The best security controls are those that people understand and support. We try to keep people aware of the things we are doing, and why.”

By aligning identity, data, and endpoint controls, Estia Health is working towards a mature Zero Trust model that enables precise, context-aware access decisions. 

“And our end game is to connect these three dots so that we can accurately profile access and then enforce the necessary policies, ensuring the right person gets access to the right data at the right time, while leaving an audit trail so we can trace who did what,” Perera said.
