Eastern Health, which includes the Box Hill and Maroondah Hospitals, was forced to shut down IT systems following the attack, which it said occurred on Tuesday.
It has more than 50 facilities under its management and looks after the clinical needs of three-quarters of a million people.
A statement from the organisation said: "Late on Tuesday, Eastern Health has experienced a cyber incident.
"It is important to note, patient safety has not been compromised.
"Category 1 Elective Surgery will continue as planned. However, the incident has impacted our ability to undertake less urgent (Category 2 and 3 Elective Procedures) which will be postponed to a later date.
"We apologise for the inconvenience this may cause. We thank our staff, patients and their families for patience during this situation and we will keep them informed."
Commenting on the incident, Rick McElroy, principal cyber security strategist at VMware Carbon Black, said: "The cyber attack across Melbourne’s hospitals only serves to highlight the vulnerability of Australia’s healthcare sector to attacks.
"While the attack methods may vary, most cyber criminals are motivated by a financial incentive. Given the critical nature of data at healthcare organisations, they are often a prime target for attacks, as cyber criminals know patient care is on the line and organisations are more apt to pay."
McElroy said his firm had observed cyber criminals looking to get hold of patient data, which they could later sell on the dark web for a profit, and also disrupting operations as leverage during a ransomware attack.
"On the dark web, we have found everything from protected health information to COVID-19 test results as well as opportunities to join ransomware affiliate groups, making it easily accessible to millions of cyber criminals who previously didn’t have the tools to carry out these attacks," he said.
"The Australian Cyber Security Centre recently released a cyber security report for the health sector which found that ransomware is the most significant cyber crime threat to the Australian health sector.
"Ransomware-as-a-service has risen in popularity providing cyber criminals with the necessary tools to carry out these types of attacks - this has created the opportunity for millions to easily target healthcare organisations."
McElroy said for healthcare organisations, understanding the evolving threat landscape was only half the battle.
"There are three things to keep in mind to help stay one step ahead of attackers: next-generation anti-virus, endpoint protection and IT tracking tools. Endpoint protection platforms should incorporate defences for each phase of ransomware attacks: the delivery, propagation, and encryption stages. It’s important for organisations to ensure they can easily provision access to new users while maintaining data privacy, compliance, and security practices."
Another security professional, Tyler Moffitt, who works as a security analyst for Webroot, said: "The frequency and sophistication of cyber attacks on critical infrastructure continues to increase so there is no room for complacency.
"A key to being resilient in the face of attacks is to be prepared for a situation in which defences and systems are compromised, and this is especially important when dealing with essential services such as hospitals.
"The roles that proper training and access control play in cyber resilience can't be under-estimated as they go beyond obvious components like security tools and good back-up practices.
"It's evident that criminal groups are seeking to create as much disruption as possible with no industry sectors being off-limits. Organisations must regularly audit their systems to ensure all areas of their digital infrastructure are prepared for these potential attacks."
James Bergl, vice-president for the Asia-Pacific at cyber security and data back-up company Datto, said: "This latest attack on Eastern Health Victoria proves that healthcare organisations need to be on high alert this year.
"Given the pandemic, it's no surprise that the healthcare industry has been a major target for cyber criminals. The consequences are higher for healthcare organisations that can't risk downtime due to the critical services they provide for patients.
"There's been a significant uptick in cyber crime, particularly malware, ransomware and phishing attacks. Cyber criminals recognise that many organisations are vulnerable at the moment and it's critical that stringent IT hygiene is carried out.
"What's worrying is that most attacks on the industry are caused by basic cyber hygiene issues such as a lack of patching. Healthcare institutions maintain strict hygiene standards in their operations, but this is not extending into their IT infrastructure.
"Cyber hygiene such as maintaining back-ups is critical in the sector in order to combat against future crippling cyber attacks."
Aaron Bugal, global solutions engineer at security firm Sophos, said: "The healthcare sector has always been critical to our lives, but over the past year its significance has increased dramatically as Australia fights against the pandemic.
"Sadly, this hasn't stopped cyber criminals targeting the sector. We regularly see healthcare top the OAIC's half-yearly reports for the most breached sector, so the warning signs are definitely there.
"While details of the attack on Eastern Health are still unclear, it serves as another reminder for the industry to improve its cyber resilience by investing in cyber security infrastructure to thwart attacks as well as cyber-awareness training for all employees.
"This latest attack, which has forced hospitals offline and surgeries to be cancelled, shows that cyber criminals know no boundaries and will do anything to wreak havoc. Healthcare organisations must leave no stone unturned to protect their technology infrastructure."