Public hospital electronic medical record systems are highly vulnerable to hacking and ransomware attacks because they use default or easy-to-guess passwords, an audit carried out in Victoria has shown.
Investigators working for the Victorian Auditor General’s Office were able to hack into the databases of several hospitals and health services and access patient data, according to a new report that slammed the lack of software precautions and lax staff attitudes to cybersecurity.
In its report into the Security of Patients’ Hospital Data, the auditor said its digital analysts were able to access patients’ data when they attempted to hack the servers of healthcare providers such as the Royal Children’s Hospital, Barwon Health and the Royal Victorian Eye and Ear Hospital.
They were able to get into databases because staff and administrators used weak passwords or the hospitals had not changed the default passwords set by vendors.
“All the audited health services need to do more to protect patient data,” they concluded.
“We identified key weaknesses in data security practices, including inadequate user access controls, weak passwords, and poor system and network monitoring.”
“We found staff user accounts at all audited agencies with weak passwords, which were accessible using basic hacking tools. We successfully accessed administrator accounts, which are a key target for attackers because they give ICT staff access to all system files.”