Fake doctors are becoming a problem we need to solve
Deepfakes are really that deep
During the hackathon, a few different teams came up to me and asked for my consent to use my voice during their demos. I spoke a consent phrase into ElevenLabs, and suddenly I was listening to a computer sounding exactly like me saying “I am God, and I can help you triage the patient”. It was a weird demo lol.
Technology is getting really good at faking audio, images, and even video now. Every identity verification process is now at risk, but one particular area that I’ve been watching has been the use of fake doctors.
IMO this is a problem that needs a fix sooner rather than later. And solving it might open interesting new use cases or startup ideas.

The fake doctor problem
Despite what the internet says, a lot of people really trust doctors. They view a medical professional endorsing something or giving advice with a level of seriousness.
But that’s also why it can be so lucrative to fake being a doctor and exploit that trust.
For example, here’s a doctor with a social media following talking about how a fake TikTok account was claiming to be her practice, offering telemedicine appointments for $200 over Zoom but they had to pay upfront. Hilariously the scammers even talk about how the patient can submit that as a superbill to UnitedHealth for reimbursement. It wouldn’t be believable if it was in-network.

Or here’s one where Eric Topol was listed as an author of a paper that he had nothing to do with. Imagine being a postdoc grinding 80-hour weeks praying your PI remembers your name when the author list goes out, while Eric Topol is somewhere yelling “WHO YOUUUUU??”
I also learned recently from a doc friend that you can basically call in a prescription to any pharmacy using a doctor’s NPI and it’s almost never checked if you’re actually the doctor calling it in. Some people abuse this lack of verification. Obvi this doesn’t work for things like controlled substances, but still seems like an incredibly lax system.
More recently, a lot of the shadier peptide and GLP-1 companies were using affiliate marketers that essentially flooded Facebook ads with fake doctors. Are you telling me “Dr. Tuckr Carlzyn MD” is not legit? I can’t believe the people who click on these vote.

So we’d want some kind of system where:
- A patient can know it's a real doctor they’re talking to
- Platforms can know it’s a real doctor they’re onboarding/pushing ads for
- Doctors can know that people aren’t using their likeness in ways they didn’t endorse
But aside from just limiting scams, I do think the ability for physicians to verify who they are in a secure way can open some new opportunities too.
NPIs aren’t cutting it, some potential fixes?
National Provider Identifiers (NPIs) were designed in 2004 as billing identifiers, not identity credentials. So anyway they became used as identity credentials. The entire registry is publicly searchable and downloadable, and physicians frequently use their NPI to log in to things or do actions only a doctor theoretically should be doing.
So NPIs aren’t cutting it since they’re easily used by anyone. If we really wanted to make sure that someone was a physician, we’d want the following:
- Identity proofing - determining that this is a real human named Jane Smith with this date of birth and this government ID.
- Credential issuance and binding - This person is somehow bound to these credentials about her and they are verifiably signed by their respective issuers. It’s not just enough to start every social media post with “As a doctor”. The MD degree is bound to Dr. Jane Smith and the med school digitally signs off on this.
- Authentication and signing when an action takes place - Jane Smith just signed this prescription with her verified credential.
There are a few different ways you could implement this.
A public key infrastructure style security for physicians: Every physician gets a private signing key stored in tamper-resistant hardware on their phone or a hardware key - basically a stamp that's extremely hard to forge, which they use to sign prescriptions, clinical notes, papers, anything where it matters that it's really them. The receiving party can instantly verify the signature, and if the key ever gets compromised, it can be revoked and replaced.
The DEA already requires this for controlled substance prescriptions via EPCS - we just haven't extended it to everything else. Many people that work at large companies use a YubiKey, Okta, or some equivalent. Just bring back beepers and throw a fingerprint scanner in them.

A wallet of verified credentials. Instead of one identifier doing all the work, physicians would hold a digital wallet full of separately issued credentials - "MD" from their med school, "board certified in cardiology" from ABIM, "licensed in California" from the state board, "in good standing" from their hospital, “based” from me.
Each one is signed by the actual issuer and can be revoked if status changes (license suspended, privileges lost, etc.), and physicians can share just the parts that matter for a given context. In this case you can prove you're board-certified without revealing where you went to school, in a real way not the “I trained in Baltimore” way. The EU has an eID wallet framework that’s currently rolling out which looks like this for different IDs.
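The binding and signing requirements listed earlier and the signing-key and credential-wallet options above, put together as one added Go example (not code from this newsletter or from any real credentialing system). It uses Ed25519 from the Go standard library; the issuer name, claim text, nonce and the revocation set keyed by signature bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Credential is one separately issued claim, bound to the holder's public key.
type Credential struct {
	Issuer, Claim string
	Holder        ed25519.PublicKey
	Sig           []byte // issuer's signature over digest(Issuer, Claim, Holder)
}

// digest hashes length-prefixed fields so their boundaries cannot be shifted.
func digest(issuer, claim string, holder ed25519.PublicKey) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d:%s%d:%s%x", len(issuer), issuer, len(claim), claim, holder)))
	return sum[:]
}

// Issue is the issuer's step: sign the claim together with the holder's key.
func Issue(issuer string, key ed25519.PrivateKey, claim string, holder ed25519.PublicKey) Credential {
	return Credential{issuer, claim, holder, ed25519.Sign(key, digest(issuer, claim, holder))}
}

// Verify is the relying party's step; proof is the holder's signature over the verifier's fresh nonce.
func Verify(shown []Credential, holder ed25519.PublicKey, nonce, proof []byte, trusted map[string]ed25519.PublicKey, revoked map[string]bool) error {
	if len(holder) != ed25519.PublicKeySize || !ed25519.Verify(holder, nonce, proof) {
		return fmt.Errorf("holder did not sign this challenge")
	}
	for _, c := range shown { // only the credentials the holder chose to share
		switch pub, ok := trusted[c.Issuer]; {
		case !ok || !ed25519.Verify(pub, digest(c.Issuer, c.Claim, c.Holder), c.Sig):
			return fmt.Errorf("not signed by a trusted issuer: %s", c.Claim)
		case !c.Holder.Equal(holder):
			return fmt.Errorf("bound to a different key: %s", c.Claim)
		case revoked[string(c.Sig)]: // constructed revocation list, keyed by signature bytes
			return fmt.Errorf("revoked: %s", c.Claim)
		}
	}
	return nil
}

func main() { // constructed demo: a pharmacy checks one license credential
	docPub, docKey, _ := ed25519.GenerateKey(nil)
	boardPub, boardKey, _ := ed25519.GenerateKey(nil)
	lic, nonce := Issue("state-board", boardKey, "licensed in California", docPub), []byte("rx-001")
	fmt.Println(Verify([]Credential{lic}, docPub, nonce, ed25519.Sign(docKey, nonce), map[string]ed25519.PublicKey{"state-board": boardPub}, nil))
}
```

Presenting only the license credential is the "share just the parts that matter" step from the wallet paragraph. Every credential here carries the same holder key, so presentations to different verifiers are linkable; the anonymous use cases further down would need an unlinkable credential scheme instead.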

A real-time licensing and status API. Instead of all the wonky cryptographic stuff, just make one standardized API that pulls together state board status, DEA registration, OIG exclusion lists, and board certification into a single real-time check. Companies like Verifiable, Medallion, and CertifyOS are already building this for hospitals doing credentialing, but it's sold internally rather than as open infrastructure.
Making it publicly queryable with rate limits would let any pharmacy, telehealth platform, journal, or social media site verify a physician's status in real time. The payer and provider customers aren’t tech-literate enough to game the rate limits or know what that means, don’t worry.
–
The open question is who should be implementing this? Should this be where organizations like CAQH or the state licensing boards step in? Would it make more sense for private companies like CLEAR, ID.me, YubiKey etc. who could provide the digital signature?
Realistically it will be different parts of the above + a government mandate. The EPCS rollout for controlled substances sorta solved this problem but it took 10+ years to roll out and really only hit critical mass after the government forced participants in Medicare Part D to use it in 2021.
An even more complex identity management system? GTA 6 will be out, Jesus will come back, and the California high speed rail will happen before that does.
New ideas modern identity opens up
If you implement a new identity system where you can determine individual characteristics about a doctor without revealing their identity to the platform or users, you might actually be able to do cool new interesting things.
- Verified “ask a doc” platforms - Patients can pay for an opinion knowing it's actually from a board-certified specialist in the relevant field. The r/AskDocs subreddit already does this, but there’s no payment mechanism associated with this. With an identity layer you could enable a transaction without the doc revealing who they are but you know it’s a doc with the right specialty.

- Anonymous-but-verified whistleblowing for hospital safety issues, drug side effects physicians are noticing, or research misconduct. You can prove a complaint came from someone relevant, but not reveal who they are. Or you could create a “Glassdoor for hospitals” where docs that do shifts at various hospitals can write reviews if they can verify they worked there. Why should this be limited to the med school group chats??
- Making record sharing easier. When a doc needs records from another provider to treat a patient today, it's a fax + medical release form + "please call our records department between 9 and 11am on Tuesdays" sitch. When I worked at healthcare companies, we’d call practices to collect records on behalf of another doctor and they’d assume we were a scam. Having a transferable credential to make it clear it’s a doc + allowing them to bestow that authority to third parties would make records collection way easier.
- Prediction markets but specifically for certain kinds of docs. Let’s say you wanted to create a prediction market on whether a certain CPT code is going to get approved, but you wanted to limit it to just cardiologists. Today it would be quite hard to do that, but with verification systems you could lock certain markets to specific types of docs. If people can gamble on war, we should at least be able to gamble on G2211 (our war).
- Killing the password rotation hellscape. Docs have to sign into the computer like a hundred times a day, rotate their passwords every 90 days, and do other IT cucking rituals. This is both annoying AND then people just put the current password on post-it notes defeating the entire purpose. Using digital identities connected to a piece of hardware would allow people to more quickly use different systems, provide a better audit trail of who’s using the systems and when, and lead to better security.
- Just fixing the f***ing NPI mess. We just need separate identifiers between individuals and organizations. It’s so silly that a building and a doc can both have an NPI, it makes everything so confusing.

There are probably other kinds of use cases I can’t think of, but tell me ideas you have.
Will this even solve anything?
Idk man nothing improves and no ideas are worth pursuing. Just hang it up.
So I don’t think patients are going to look at whether the doctor they’re seeing has a verified cryptographic signature. But what I do think this can do is put pressure on the platforms to verify that someone saying they’re a certain doctor is actually one.
If you’re using ads with a doctor giving an endorsement, or you’re publishing a paper with a doctor, or you’re making a TikTok account claiming you’re a doctor…then the platform should have an easy way to verify that at scale.
Fake doctors are an issue we should start taking more seriously now because I have a feeling this is only going to get worse. Impersonating doctors was always bad, but the impact was relatively limited to a handful of patients.
Social media platforms + AI deepfakes make this a scale problem very quickly, which we’re already seeing with the fake doctors in ads. Clinicians should be pushing for this so they don’t get their identities used for something they’re not involved in.
Rather than try to police individual companies, it might make more sense to fix this upstream with a better identity layer for docs. Curious who’s working on this problem!
Thinkboi out,
Nikhil aka. “someone should steal MY identity and fix my life”
Thanks to Colin Durant for reading drafts of this
Twitter: @nikillinit
Other posts: outofpocket.health/posts

