Happtique recently announced the suspension of their App Certification Program after health IT expert Harold Smith, CEO of Monkton Health, disclosed several security flaws in apps he had randomly selected for evaluation from Happtique’s first round of “certified” apps. Coming nearly two years after they announced their intention to create a certification program for health apps, these findings were an embarrassing setback for a program that was intended to help patients and clinicians feel confident about their app selections.
More importantly, they highlight the difficulty of curating the tens of thousands of medical and health apps now available. App certification sounds like a great idea in principle. However, it is a one-size-fits-all solution; it sets an arbitrary bar that lacks clear meaning for the patients and healthcare professionals using these apps.
What would be a better approach to help patients and healthcare professionals navigate this space? A do-it-yourself framework in which the end-users can assess whether a particular app is the right tool for their clinical situation.
The problem with certification
When Happtique announced its certification criteria, one of the most striking features of the document was its depth and detail. Its 18 pages are chock full of complicated standards, substandards, and sub-substandards.
Performance Requirements for Standard S7
• S7.01 App Publisher certifies that any app that collects, stores and/or transmits user financial data for any purpose, including payment processing, or the app directs to any website for the purpose of collecting and/or processing of financial information, including any third party website, shall comply with any and all applicable Federal and state laws, rules and regulations, and private sector regulatory best practices guidelines and initiatives regarding data security requirements (e.g., Section 5 of the FTC Act, Fair Credit Reporting Act, Gramm-Leach-Bliley Act, Payment Card Institute Data Security Standards, the SANS Institute’s security policy templates, and standards and best practices guidelines for the financial services industry provided by BITS, the technology policy division of the Financial Services Roundtable).
It's this complexity, which in some ways is a strength, that makes it inaccessible to the end-user. When a patient or healthcare professional is evaluating a Happtique-certified app, what does that mean to them?
I’d argue not much. And after taking the time to read the certification criteria, it's apparent that they don’t help users assess whether the app is the right choice for their specific health condition or clinical situation.
Another issue is that this process is very resource-intensive. Happtique took a year and a half to certify 16 apps from 10 developers. Similarly, the NHS Health Apps Library, which evaluates apps to ensure they are clinically safe, launched in March 2013 with about 70 apps; nearly a year later, it's at about 100 apps. But these certified apps are a drop in the bucket compared to the nearly 50,000 apps in the iOS App Store Health/Fitness and Medical sections alone. These kinds of intensive programs are simply not scalable. And in a pay-for-certification model, it’s not necessarily the best that become certified but rather those with sufficiently deep pockets.
Finally, it’s worth considering examples outside of the app world such as health-related websites. The HONcode is a set of guidelines and principles to essentially certify that health information online can be trusted. Many sites do subscribe to it. However, when I search for HONcode certified sites using the keyword “hypertension,” I have to wonder whether its presence on the Mayo Clinic or WebMD sites is really what makes users trust those sites. I’d suspect that the reputation of the site’s proprietor as well as recommendations from trusted individuals matter a lot more. That begs the question – how successful can a voluntary certification regime be if those apps that are already trusted are generally the ones that sign up?
If not certification, then what?
A certification program like that proposed by Happtique is not a panacea for all that ails the medical and health app world. Simply labeling an app as “certified” is not nearly enough to help a patient or clinician judge whether a specific app is the right choice for them – that depends on the expectations and values of the end user as well as the specific clinical context.
There are some situations where parts of this program could be useful. For apps that store particularly sensitive information, a third-party assessment of an app’s security and privacy features could be helpful. This type of evaluation is far more limited and focused than what Happtique was proposing.
They will also need to know what resources are available to them to make the best decision possible. Peer review, like that done by iMedicalApps, will continue to be a valuable resource. Recommendations from professional societies, insurers, and peers will also be important; for patients, the recommendations provided by their physician will be critical. The bottom line, though, is that none of these resources is sufficient on its own – it's the end-user that has to put it all together and make an informed assessment of the app’s utility in their specific context.
In a market defined by a low barrier to entry and minimal startup costs, the reality is that the number of apps will far outpace any centralized evaluation mechanism. Much like in any other market, health and medical app consumers will generally find themselves in a buyer beware situation. As such, developing a basic app literacy will be important for patients and healthcare professionals to make choices that will improve care and outcomes.