Aura Software Security managing director Andy Prow said the hacker, who called himself "Mister Saint", appeared to be a prankster and made no attempt to gain access to patient data.
"But this highlights the security risks ... general practice should really take this as a warning."
As repositories of highly sensitive information, medical clinics were prime targets for hackers looking for kudos, he said.
Karori Medical Centre was among several practices that had their websites emblazoned with the cheeky message: "Hacked by Mister Saint".
Centre manager Jo Douglas said the bogus links were removed as soon as they were discovered last week and patient confidentiality was never compromised.
"The website is an information site only and it is totally separate to our patient record database."
However, Mr Prow, whose company advises police and the TAB on Internet security, said medical professionals should realise that anything on their PC or laptop could be fair game to hackers.
Cross-site scripting (XSS) allows hackers to inject code into web pages viewed by others and create "a gateway" into their computers, allowing them to steal confidential information or make changes.
The real danger was not from graffiti artists like Mister Saint, but from hackers who did not leave any clues during an attack, he said.
"Doctors need to be aware of every click of the mouse and think about how they are handling patient records."
Security precautions, including passwords, firewalls and encryption, were basic requirements.
According to New Zealand Doctor magazine, all the websites attacked had obtained articles from the private online health information service Family Doctor, which is run by Auckland GP Dion Martley. Dr Martley was overseas and not available for comment.
Medical Association spokesman Mark Peterson, who chairs the GP Council, said there had been a huge push from the Health Ministry toward electronic patient records and for more sharing of that information among agencies.
"While the possibility of someone going in there with malicious intent to access individual patients' records is a remote possibility, we can't be complacent."
Most practices now employed IT managers to look after their computer systems at quite considerable expense, he said.
Privacy Commissioner Marie Shroff said businesses and government agencies were obliged to store personal information securely.
"That responsibility is higher where the information is sensitive or is given in a relationship of trust and confidence ...
"If there are vulnerabilities that are highlighted by particular incidents, people should take note and assess the robustness of their systems in light of those incidents."
http://www.stuff.co.nz/4627267a23918.html
Always up to something, Uncle Saint...
keep on fighting brother
VIVA INDONESIAN CODER TEAM