Healthcare Practitioner's identities have been fraudulently created / used in NZ




Here in NZ, we have a real example of a fake, Mental Health – Healthcare Practitioner delivering health services within a DHB to patients – this lasted for over 6 months before it was discovered!

Waikato DHB

NZ Herald




Healthcare Practitioners regularly share User Accounts

This bad practice nullifies the usefulness of any access audit and encourages shared account passwords to remain set and unchanged permanently, even after staff who have used the account leave the organisation.

Healthcare Practitioners often use weak passwords

With too many separate individual user accounts issued, one for each and every system; passwords are often kept overly simple in order for them to be remembered. Too many passwords, makes the job of managing them appropriately too hard for most people.

Healthcare Practitioners regularly use the same passwords across multiple systems.



This bad practice means that if one third party system is hacked, then so are all other systems (where the Provider has used that same password).


Extended password policies are frustrating for Healthcare Practitioners

New Zealand urgently needs a verified, trusted source of e-Identity for all Healthcare Practitioners

The good news is that it is possible to achieve. Using existing NZ based building blocks, with a little further – system to system connectivity.

Chains of Trust’ can be established between existing, authoritative sources of identity (RealMe) and credentialing for Healthcare Practitioners. Each type of Healthcare Practitioner is registered with a Regulatory Authority who maintain current lists of Practitioners  who are authorised to deliver Healthcare services. The solution is to link these registers in real-time to verified electronic identities, and to be able to offer this linked information out, to any approved service which appropriately needs to use this information.

Who cares?

Well, we all should, but some of us are more motivated than others. The general public appear to place an implicit trust in Healthcare Providers; and the vast majority of them deserve this. – However, there are elements of fraudulent behaviour which have a detrimental cost to public trust and pose a real threat to patient’s health.

Public concerns involve issues of knowing who has had access to their health records; the privacy and security of their stored information. Being accountable to this, requires system administrators and auditors to be able to trust audit data showing them who has obtained access, but if that data is flawed then their audit processes are far less meaningful, they’re poorly founded.

Providers who are legitimately trying to provide the best service possible to patients are hampered by the current complexity of access, too many passwords, too much complexity in remembering and managing them etc, difficulty and overheads involved in obtaining access to new systems etc. – This needs to be greatly simplified for them, while providing a higher level of access security and identity assurance.

While these are concerns, there are real issues of responsibility and accountability at play too: All operations of regulated and non-regulated health professionals under the Health Practitioners Competency Assurance Act (2003) are the responsibility of the Health and Disabilities Commissioner. His office is responsible for ensuring the health and safety of members of the public who receive health service, and that they are delivered by people who are both competent and safe-to-practice.

Ensuring that people who deliver these services are who they say they are, and are suitability credentialed is a core, basic requirement. This is currently executed inconsistently – simply because the supporting systems do not currently empower the Regulatory Authorities to do it better. The systems are there, and it is time that a linked, chain of trust approach is applied to these identities and credentials. – That is what HealtheID has been designed to provide.

For a live demo of HealtheID – get in touch: