Public hospital electronic medical record systems are highly vulnerable to hacking and ransomware attacks because they use default or easy-to-guess passwords, an audit carried out in Victoria has shown.
Investigators working for the Victorian Auditor General’s Office were able to hack into the databases of several hospitals and health services and access patient data, according to a new report that slammed the lack of software precautions and lax staff attitudes to cybersecurity.
In its report into the Security of Patients’ Hospital Data, the auditor said its digital analysts were able to access patients’ data when they attempted to hack the servers of healthcare providers such as the Royal Children’s Hospital, Barwon Health and the Royal Victorian Eye and Ear Hospital.
They were able to get into databases because staff and administrators used weak passwords or the hospitals had not changed the default passwords set by vendors.
“All the audited health services need to do more to protect patient data,” they concluded.
“We identified key weaknesses in data security practices, including inadequate user access controls, weak passwords, and poor system and network monitoring.”
“We found staff user accounts at all audited agencies with weak passwords, which were accessible using basic hacking tools. We successfully accessed administrator accounts, which are a key target for attackers because they give ICT staff access to all system files.”
The report also found that staff awareness of data security was low, which increased the likelihood of success of social engineering techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located.
“We exploited these weaknesses in all four audited agencies and accessed patient data to demonstrate the significant and present risk to the security of patient data and hospital services,” they said.
“The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff.”
The auditors made 14 recommendations, which included mandatory training in data security for all healthcare staff, policies that require all staff to use strong passwords (no password is uncrackable, but the weak and vendor-default ones found here fell to basic tools) and routine use of cybersecurity controls such as multi-factor authentication.
They also advised an urgent review of which staff are given access to patient databases.
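The two findings that run through the report (staff and administrator accounts with weak or unchanged vendor-default passwords that basic tools recovered, with administrator accounts as the prize) and the strong-password recommendation, as an added example that is not part of the auditor’s report or of this article. It assumes a constructed account export hashed with unsalted SHA-256 and a short constructed wordlist of vendor defaults and common passwords; a real audit runs a dedicated cracking tool against the directory’s actual hash format, but the logic of the check is the same.

```python
"""Weak and default password audit (added example, not from the VAGO report).

Runs offline over a constructed account export. Unsalted SHA-256 is used only
so the sample fits in a few lines; it is not the hashing scheme of any
audited hospital system.
"""
import hashlib
import re

# Constructed wordlist: vendor defaults plus common weak passwords (assumption).
WORDLIST = [
    "admin", "password", "Password1", "Welcome1", "changeme",
    "hospital", "123456", "letmein",
]


def sha256_hex(password):
    """Toy hash for the sample export (assumption: unsalted SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample export: username, whether the account is an administrator,
# and the stored hash. None of these are real accounts.
SAMPLE_ACCOUNTS = [
    {"user": "svc_imaging", "admin": True,  "hash": sha256_hex("admin")},
    {"user": "jsmith",      "admin": False, "hash": sha256_hex("Welcome1")},
    {"user": "it_admin",    "admin": True,  "hash": sha256_hex("T#9v!qL2pR7wXz4")},
    {"user": "nurse42",     "admin": False, "hash": sha256_hex("hospital")},
]


def crack_with_wordlist(stored_hash, wordlist=WORDLIST):
    """Return the wordlist entry whose hash equals stored_hash, or None.

    This is the whole of what a 'basic hacking tool' does for a weak
    password: hash each guess and compare.
    """
    for candidate in wordlist:
        if sha256_hex(candidate) == stored_hash:
            return candidate
    return None


def audit_accounts(accounts, wordlist=WORDLIST):
    """Flag every account whose stored hash matches a wordlist entry.

    Administrator accounts are rated 'critical' because, as the auditors
    noted, they give access to all system files; other users rate 'high'.
    """
    findings = []
    for acct in accounts:
        match = crack_with_wordlist(acct["hash"], wordlist)
        if match is None:
            continue
        findings.append({
            "user": acct["user"],
            "password": match,
            "severity": "critical" if acct["admin"] else "high",
        })
    return findings


def _stem(word):
    """Strip trailing digits and symbols: 'Welcome1234!' -> 'welcome'."""
    return re.sub(r"[\d\W_]+$", "", word).lower()


def meets_policy(password, min_length=14, wordlist=WORDLIST):
    """Assumed policy for the 'strong passwords' recommendation.

    Requires min_length characters, at least three of four character
    classes, and a stem that is not a wordlist entry. The stem check is
    what rejects 'Welcome1234567!', which passes length and complexity
    alone but is a trivial variation on a default.
    """
    if len(password) < min_length:
        return False
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        return False
    banned_stems = {_stem(w) for w in wordlist} - {""}
    return _stem(password) not in banned_stems


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{finding['severity']:8} {finding['user']}: '{finding['password']}'")
```

Run as a script it lists the three sample accounts that fall to the wordlist, with the vendor-default service account rated critical, and leaves the one account with a strong password alone; `meets_policy` is the check a password-change form would apply so that the same accounts cannot be reset to a near-default value.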