Creating a certification program simply to have a certification program is a false choice, which is why I am skeptical of Happtique at this point in time.
Over the last year Happtique has been building buzz around certification for mHealth Apps. They have enlisted the help of the Association of American Medical Colleges in reviewing content. Right before HIMSS 2013, they finally released their standards and pricing. Their pitch is:
The Happtique Health App Certification Program (HACP) is intended to help healthcare providers and consumers easily identify medical, health and fitness apps that deliver credible content, contain safeguards for user data and function as described.

From what I and others can gather, Happtique is trying to position itself as the commercial version of CCHIT for mHealth. Now, seeing how much of a disappointment EHRs have been (and to me, specifically with interoperability), that bar is quite low. Just take a gander at the #EHRBacklash tag on Twitter. Anyone selling medical software will tell you how hesitant a doc is to pick up a new piece of medical software and start using it.
Seemingly everyone on Twitter is falling over themselves about how great an idea "certification" is for mHealth Apps. Which raises the question: is there such a problem with mHealth Apps that we need a certification program at this point? Are we "treating the patient" before there are any symptoms? Does getting a certification mean a piece of software is of any value?
I'd say, yes there is a need - but are we covering those bases?
There are two main issues I see with Happtique's certification process. The biggest at the moment is the pricing structure; the other is security. I also question the model, the Blue Ribbon Panel, and operability.
Show me the money
Happtique's website claims that each version (update) of an App needs to be certified and that certification costs $2,500 - $3,000. (Which, oddly enough, wasn't behind a paywall yesterday.)

Now, the world I am familiar with in certifying software is FIPS validation. FIPS 140-2 is a standard put out by NIST for cryptographic modules. It does not certify your software as a whole; an accredited lab tests only the module that does the cryptography against the standard's requirements.
Ideally, you pay for FIPS validation once (and it carries a hefty price tag) to validate your cryptographic modules, the code that protects data at rest and data in transit.
That is it. If you update your product or add new features outside the module, you don't go through validation again. But if you change the cryptographic module itself, you do.
What Happtique apparently is proposing to do is double, triple, quadruple, and so on, dip into developers' pockets to keep their product certified. From what is published, let's look at drchrono.
Note: Happtique has said that their "pricing strategy hasn't been established" as of yet, so this is apparently "conjecture" at this point, but their website and press release contradict that statement.

drchrono has put out 14 updates to their iPad App in the last year. Using the published model for Happtique, drchrono would pay them $42,000 in total for certification (14 updates at $3,000 each). But has drchrono changed the "core" code which handles data at rest and data in transit with each of those updates? Probably not.
So what value is Happtique presenting to the potential clients it wishes to certify? What value is it to drchrono for the 14 updates of their EHR? What is the ROI for any App going through the process?
$3,000 an update may be chump change for GE Healthcare or Quest Diagnostics, but for an innovative Silicon Valley startup it is hiring an intern for a month. It is hiring someone to perform penetration testing on their product. It is buying ad space. Imagine if drchrono also had an Android client with 14 updates going out a year - they'd be spending $84,000 a year on Happtique certification.
What if your App fails certification? Is it another $3,000? What if you fail a single item on the list? Is it another $3,000?
If the pricing structure isn't complete (which I still find hard to believe), it was premature to release anything at all. Happtique has left room for interpretation in its offering, which causes confusion for an intended audience that is already inundated with red tape.
Now, security
Happtique has listed seven standards for the security piece of their product, from detecting malicious code to encryption. Going back to my previous topic: once the security is proven, what good is going through certification again? If nothing changes in how your product manages security, data at rest, and data in transit, then what are you getting out of Happtique? What is their return on your investment?

From what I can discern from their website and standards, there isn't a whole lot going on to actually test the product and verify it is secure. Now, I could be wrong, and I'll gladly say so if I am, but this is a major missing piece.
If we want to prove that mHealth Apps are secure, what actual security checks are being done besides checking for malicious code? As attacks on mobile devices get more sophisticated, mHealth products will become major targets for common attacks - what is Happtique doing to help mitigate this?
Is the model wrong?
I also wonder: is this method of certification wrong? Consider the Consumer Reports model. Consumer Reports purchases everything it tests itself and relies on those who want the results to foot the bill.
It boils down to: who is Happtique really serving? If the people being certified are paying for certification, they are Happtique's clients. The people wanting the seal of approval from Happtique aren't the clients in this case. Under the current model the incentive is for Happtique to approve products, not to provide unbiased results.
Now, some will say "This is how medical certification works!" Well, just because we've been doing something one way in medicine for decades doesn't mean it is the correct way to do it. Out-of-control costs are proof enough that medicine's approaches are fundamentally flawed at the moment.
The Blue Ribbon Panel
Part of Happtique's marketing has been assembling a Blue Ribbon Panel to develop these standards.
The panel is listed as containing:
- Howard J. Luks, M.D., M.S. (Chair)
- Franklin A. Shaffer, EdD., RN, FAAN
- Shuvo Roy, Ph.D.
- Dave deBronkart (known as e-Patient Dave)
You can read the bios of these accomplished individuals here.
I point out this Panel because there is something missing. Dr. Shaffer is an accomplished nurse and educator who knows certification. Dr. Luks is an accomplished physician who is involved with social media. Dr. Roy is involved with medical devices, and Dave is an awesome advocate for patients.
Now, these guys are good at what they do. But where are the security experts? Where are the mobile developers who actually develop mobile products?
Managing a certification program for nurses is an entirely different ballgame from managing a certification program for software. My point being: I wouldn't go to an orthopedic surgeon for a stomach virus. Only one of the four sections of standards put forth by Happtique has anything to do with the actual medical field. Operability, privacy, and security are all related to computing in general - so why are the security experts and devs missing from the panel? Simply baffling.
Happtique's website says:
Along with input from health care and information technology organizations and representatives of key Federal agencies
But who?
Operability
One of the biggest things I also have trouble with is their operability standards. Happtique isn't saying they will validate that EKG Apps actually work correctly and produce the correct results. That is up to 510(k) clearance by the FDA.
So, again - what value is this certification process? If you already have FDA clearance, what is the point of getting certified by Happtique?
All in all, not bad
I'd like to be clear: Happtique's standards aren't bad by any means - in fact many items they list are a great starting point. Honestly, some are things everyone building software should be doing; they are great guidelines to build a foundation on, from mHealth to plain old utilities. But to be fair, there are some that I don't see much value in.

mHealth is still in its infancy, and introducing more costs into the healthcare market "just because" is a terrible reason to do so.
All I ask is: if I have an mHealth App, what ROI does Happtique provide?
I hope this helps foster a discussion. mHealth needs to move forward, and we need the right framework to do so, not just a framework.
Harold,
You've raised some really good questions here, including some that we have spoken to Happtique about - but generally speaking I think there's a lot to like in the overall business model and opportunity it presents for developers.
I think this is worthy of an entire blog post over at ACT (actonline.org), but here's my short take:
1. Happtique needs to refine and define what will require you to undergo (and pay for) certification for an update. I think it's logical we will hear more about this in the future.
2. ROI - I think the biggest upside for developers from the Happtique model is the ability to be compensated for apps through health providers and insurance systems; hopefully at a much higher point of sale than the 0.99 cents we get from a casual app in the iTunes store.
3. Price - Again, I think we need to embrace the notion that medical apps are going to be held to a higher standard and therefore we can charge more for them. Yes, the price is equal to an intern, but that cost will be built into an app that you can charge more for.
4. Certification Model - Here's the reality, hospital legal teams operate from a posture of defense with a frosting of fear on top. If Happtique and others provide a way for us to get apps into hospital systems and through the legal guards, then I am willing to pay the price.
5. Blue ribbon panel - I know a bit more about this. It's clear that we in the developer community are not the only audience for this announcement. They need to speak to the larger healthcare community - including those you note are fed up with some of the EHR problems. But Happtique has done homework around privacy. They spent quite a bit of time with us at ACT and other mobile privacy and security experts talking about the issues you raise. So it's not seen on the blue ribbon panel, but I can verify they did put some effort into it.
I've had good conversations with the people at Happtique, and I know some of the leadership there on a personal level - they are pretty standup folks. But you've raised some great points. I am happy to make sure Happtique hears you loud and clear, and ensure that this and other mHealth efforts are partnerships between care providers and developers.