Continuing the discussion from Manage My Health cybersecurity breach 31 Dec 2025:
Tangentially related to this topic, a question has recently been burning a hole in my mind as the nominal ‘owner’ of a couple of APIs through which HNZ exposes some patient information:
When assessing suitability of a requestor to gain access to our APIs for a stated purpose, should we also consider how/if that requestor might also propagate the information gleaned via our APIs?
E.g. if we issue API credentials to a PMS vendor for the express purpose of sharing a clinical data point with a specific application of theirs, is it our concern to ask whether they might have an undeclared process which then disseminates this information to other systems, or makes it available for other entities in some manner?
…or should we require them to stick to the explicitly stated use-case at the time, and ask that any future changes in intent must first be re-negotiated?
…and if so, how would we possibly audit or police this? Wave the Health Information Privacy Code at them?
Health NZ isn’t currently in a position to do much more than a checkbox review of intended use-cases for external organisations wishing to consume data via our APIs, so we’re investing a lot in good-faith agreements.