Patient data in Victoria's public health system could be easily hacked in a system riddled with weaknesses, an audit has found.
The sector is highly vulnerable to cyber attacks but staff awareness of data security is low with issues around physical security, password management and other access controls, Auditor-General Andrew Greaves said in a report.
"Our testing demonstrated that all the audited health services are vulnerable to attacks that could steal or alter patient data," the report released on Wednesday said.
In two of the agencies, auditors managed to gain access to areas storing critical technology infrastructure, such as servers. And the auditors managed to get into restricted administration and corporate offices of all the agencies.
Some of the agencies were still using default account names and passwords set by manufacturers on key devices including servers, details which are easily found on the internet.
The audit also found the agencies - Barwon Health, Royal Children's Hospital, Royal Victorian Eye and Ear Hospital as well as the department's Digital Health branch and Health Technology Solutions - were not proactive enough and don't take a whole-of-hospital approach to security.
There is also a poor security culture within government departments and the state's water providers lack a strategic approach to managing cybersecurity risks, according to two more reports tabled by the auditor-general.
The auditor-general's office checked out the security of government buildings, focusing on the Department of Health and Human Services and Department of Justice and Community Safety.
It found security infrastructure was adequate but its effectiveness was undermined by human error, enabled by a weak security culture.
"This weak security culture among government staff is a significant and present risk that must be urgently addressed," a separate report said.
"At one site, we accessed discarded, sensitive information too easily.
"There is no statewide oversight or coordination of protective security or any leadership that provides strategic direction on physical security policies and guidelines."
An examination of Victoria's water providers found cybersecurity risks were also lacking in those divisions, exposing control systems to cyber attack, particularly by a trusted insider or an intruder breaching physical security and gaining unauthorised access.
The water boards accepted they needed to improve cybersecurity controls.
All of the audited health services and the department accepted the auditor-general's recommendations on patient hospital data.
In the review of government building security, the audited departments accepted all recommendations and the Department of Premier and Cabinet said it would work to develop a statewide physical security policy.
