Creating a certification program to simply have a certification program, is a false choice. Which is why, I am skeptical of Happtique at this point in time.
Over the last year Happtique has been building buzz around certification for mHealth Apps. They have enlisted the help of the Association of American Medical Colleges in reviewing content. Right before HIMSS 2013, they finally released their standards and pricing. Their pitch is:
The Happtique Health App Certification Program (HACP) is intended to help healthcare providers and consumers easily identify medical, health and fitness apps that deliver credible content, contain safeguards for user data and function as described.From what myself and others seem to gather - Happtique is trying to position itself to be the commercial version of CCHIT for mHealth. Now, seeing how much of a disappointment EHRs have been (And to me, specifically with interoperability), that bar is quite low. Just take a gander of the #EHRBacklash tag on Twitter. Anyone selling medical software will tell you the hesitancy of a doc to pickup a new piece of medical software and start using it.
Seemingly everyone on Twitter is falling over themselves about how great of an idea "certification" is for mHealth Apps. Which begs the question, is there such a problem out there with mHealth Apps that we need a certification program at this point? Are we "treating the patient" before there are any symptoms? Does getting a certification mean a piece of software is of any value?
I'd say, yes there is a need - but are we covering those bases?
There are two main issues I see with Happtique's certification process. The biggest I see at the moment is their pricing structure and the other is security. I also question the model, the Blue Ribbon Panel, and operability.
Show me the moneyHapptique's website claims that each version (update) of an App needs to be certified and the certification cost is $2,500 - $3,000. (Which, oddly enough wasn't behind a paywall yesterday).
Now, the world I am familiar with in certifying software is FIPS Certification. FIPS 140-2 is a standard put out by NIST to ensure that your software follows guidelines to produce secure software.
Ideally, you pay for FIPS certification once (and it carries a hefty price tag) to certify your cryptographic modules. This includes data at rest and data in transit.
That is it. If you update your product, add new features, you don't go through certification. But, if you update your cryptography, you have to go through certification again.
What Happtique apparently is proposing to do, is double, triple, quadruple, and so on dip into developers pockets to keep their product certified. From what is published, lets look at drchrono.
Note: Happtique has said they "Pricing strategy hasn't been established" as of yet so this is apparently "conjecture" at this point, but reading their website and press release, they contradict the pricing strategy statement.drchrono has put out 14 updates to their iPad App in the last year. Using the published model for Happtique, drchrono would pay them $42,000 in total for certification. But, has drchrono changed their "core" code which handles data at rest and data in transit? Probably not.
So, what value is Happtique presenting to its potential clients it wishes to certify? What value is it to drchrono for their 14 updates of their EHR? What is the ROI for any App going through the process?
$3,000 an update maybe chump change for GE Healthcare or Quest Diagnostics, but an innovative Silicon Valley startup - it is hiring an intern for a month. It is hiring someone to perform PEN testing on their product. It is buying ad space. Imagine if drchrono had an Android client with 14 updates going out a year - they'd be spending $84,000 a year on Happtique certification.
What if your App fails certification? Is it another $3,000? What is you fail a single item on the list? Is it another $3,000?
If the pricing structure isn't complete (Which I still find hard to believe), it was premature to release anything at all. Happtique has left room for interpretation in their offering, which causes confusion for their intended audience which is already inundated with red tape.
Now, securityHapptique has listed seven standards for their security piece of the product, from detecting malicious code to encryption. If we get back to my previous topic, once the security is proven, what good is going through certification again? If nothing changes in managing security, data at rest, and data in transit within your product, then - what are you getting out of Happtique? What is their return on your investment?
From what I can discern from their website and standards, there isn't a whole lot going on to actually test the product to verify it is secure. Now, I could be wrong and I'll gladly say I am wrong if I am, but this is a major missing piece.
If we want to prove that mHealth Apps are secure, what actual security checks are being done besides checking for malicious code? As attacks on mobile devices get more sophisticated mHealth products will become major targets for common attacks - what is Happtique doing to help mitigate this?
Is the model wrong?
I also wonder - is this method of certification incorrect? Consider the Consumer Reports model. Consumer Reports purchases everything they test themselves and relies on those who want the results to foot the bill.
It boils down to, who is Happtique really serving? If the people they are certifying are paying for certification, they are the clients of Happtique. The people wanting the seal of approval from Happtique aren't the clients in this case. The incentive is for Happtique to approve products with their current model, it isn't for Happtique to provide unbiased results.
Now, some will say "This is how medical certification works!" Well, just because we've been doing something one way in medicine for decades, doesn't mean it is the correct way to do it. Out of control costs are proof enough that medicine is fundamentally flawed in their approaches at the moment.
The Blue Ribbon Panel
Part of Happtique's marketing has been assembling a Blue Ribbon Panel to develop these standards.
The panel is listed as containing
- Howard J. Luks, M.D., M.S. (Chair)
- Franklin A. Shaffer, EdD., RN, FAAN
- Shuvo Roy, Ph.D.
- Dave deBronkart (known as e-Patient Dave)
You can read the bios of these accomplished individuals here.
I point out this Panel because, there is something missing. Dr. Shaffer is an accomplished physician and knows certification. Dr. Luks is an accomplished physician that is involved with social media. Dr. Roy is involved with medical devices, and Dave is an awesome advocate for patients.
Now, these guys are good at what they do. Where are security experts? Where are the mobile developers that actually develop mobile products?
Managing a certification program for nurses is an entirely different ballgame from managing a certification program for software. My point being: I wouldn't go to an orthopedic surgeon for a stomach virus. Only one of the four sections of standards put forth by Happtique have anything to do with the actual medical field. Operability, privacy, and security are all related to computing in general - why is the security experts and devs missing from the panel? Simply baffling.
Happtique's website says:
Along with input from health care and information technology organizations and representatives of key Federal agencies
One of the biggest things I also have trouble with is their operability standards. Happtique isn't saying they will validate EKG Apps actually work correctly and produce the correct results. That is up to 510(k) certification by the FDA.
So, again - what value is this certification process? If you are FDA certified, what is the point of getting certified by Happtique?
All in all, not badI'd like to be clear: Happtique's standards aren't bad by any means - in fact many items they list are a great starting ground. Honestly, some things are things that everyone should be doing building software, they are great guidelines to build a foundation off of - from mHealth to even plain old utilities. But to be fair, there are some that I don't see much value in.
mHealth is in its infancy still and introducing more costs into the healthcare market "just because" is a terrible reason to do so.
All I ask is, if I have an mHealth App, what ROI does Happtique provide?
I hope this helps foster a discussion, mHealth needs to move forward and we need the right framework to do so not just a framework.