Monday, March 11, 2013

Time to hack medicine

CommonWell is a new "idea" being pushed by the six largest EHR vendors, sans Epic. The idea is "interoperability" - which is in itself a bit strange because one of the "certification" standards behind EHR certification was "interoperability." I use quotes on interoperability and certification for EHR, because as we know they are a complete joke.

Just no

The amusing part about CommonWell is, and by amusing I mean sad, the words "open" don't appear anywhere in the announcement. Open frameworks. Open standards. The word, does not exist.

What is being proposed is just another locked in, vendor specific standard which does not solve the issues in health care. Now that we are digitizing, we need to share data. Now, a vendor can store the data any which way they want. A flat file, relational database, MongoDB - but we must have open API access to interface with the data.

Any proposals or working groups that fail to create open standards is a failure from the start.

Real innovation

What sparked this blog post was reading this article about Phillips crazy expensive lightbulbs. $60 lightbulbs? Are you insane?

Well, maybe - but as with any technology, early adopters pay through the nose. Remember the first cell phones? $3995 for an hour of talk time. Now, you can get cell phones for free.

Back to Phillips

If you read through the Phillips article, you'll see what Phillips did. Well, they didn't do it at first, but someone figured out how to. Two people reverse engineered the API Phillips Hue lightbulbs and wrote their own Apps for Hue. Brilliant. 

Phillips caught on to this and has now decided to open up the API for developers - because - it drives adoption. Even more brilliant. 

So, here we are and we see the free market driving product development. Phillips realized "hey people want this" and delivered. 

EHR vendors, heavily subsidized by tax dollars shoved a product down the throats of doctors (who, didn't really care because hey it was free to them) - which now we realize was a bit of a "woops."

CommonWell talks the talk about interoperability - but they fail to start to address the real issues facing EHR. There are 300 plus vendors for EHR platforms. 300. If we want medical HealthIT to evolve, they ALL need to operate on the same, open standard.

Just imagine

Now, open your eyes to what we could actually accomplish if we had open standards for EHR. We could access data. We could perform analytics on patients. Patients could OWN their data. But instead, our health information, the most important information to our physical well being, is locked up in a proprietary database - which we ourselves paid for.

Imagine if the Silicon Valley innovator could build a product on top of the EHR to figure out who is the highest risk to develop diabetes. The highest risk to have a stroke. What if your taking of your Prevacid once a day was automatically sent back to your doctors EHR so he knew if you were being honest. 

The possibility is there and is real, only if CommonWell actually wants to improve health care.

And yes.

I realize Hue is a closed standard, but it is more to the point of the matter. Phillips realized the demand and adoption of their product could be heavily improved by providing open access to their product.

Hey, EHR vendors, take a hint.

Saturday, March 2, 2013

What is Happtique's value proposition?

I'd like to start off this blog by saying - I don't find certification a bad thing. But, I think certification has to be a ROI for all parties involved. And if you read to the end, you'll see what I think about Happtique's standards.

Creating a certification program to simply have a certification program, is a false choice. Which is why, I am skeptical of Happtique at this point in time.

Over the last year Happtique has been building buzz around certification for mHealth Apps. They have enlisted the help of the Association of American Medical Colleges in reviewing content. Right before HIMSS 2013, they finally released their standards and pricing. Their pitch is:
The Happtique Health App Certification Program (HACP) is intended to help healthcare providers and consumers easily identify medical, health and fitness apps that deliver credible content, contain safeguards for user data and function as described.
From what myself and others seem to gather - Happtique is trying to position itself to be the commercial version of CCHIT for mHealth. Now, seeing how much of a disappointment EHRs have been (And to me, specifically with interoperability), that bar is quite low. Just take a gander of the #EHRBacklash  tag on Twitter. Anyone selling medical software will tell you the hesitancy of a doc to pickup a new piece of medical software and start using it.

Seemingly everyone on Twitter is falling over themselves about how great of an idea "certification" is for mHealth Apps. Which begs the question, is there such a problem out there with mHealth Apps that we need a certification program at this point? Are we "treating the patient" before there are any symptoms? Does getting a certification mean a piece of software is of any value?

I'd say, yes there is a need - but are we covering those bases?

There are two main issues I see with Happtique's certification process. The biggest I see at the moment is their pricing structure and the other is security. I also question the model, the Blue Ribbon Panel, and operability.

Show me the money

Happtique's website claims that each version (update) of an App needs to be certified and the certification cost is $2,500 - $3,000. (Which, oddly enough wasn't behind a paywall yesterday).

Now, the world I am familiar with in certifying software is FIPS Certification. FIPS 140-2 is a standard put out by NIST to ensure that your software follows guidelines to produce secure software.

Ideally, you pay for FIPS certification once (and it carries a hefty price tag) to certify your cryptographic modules. This includes data at rest and data in transit.

That is it. If you update your product, add new features, you don't go through certification. But, if you update your cryptography, you have to go through certification again.

What Happtique apparently is proposing to do, is double, triple, quadruple, and so on dip into developers pockets to keep their product certified. From what is published, lets look at drchrono.
Note: Happtique has said they "Pricing strategy hasn't been established" as of yet so this is apparently "conjecture" at this point, but reading their website and press release, they contradict the pricing strategy statement. 
drchrono has put out 14 updates to their iPad App in the last year. Using the published model for Happtique, drchrono would pay them $42,000 in total for certification. But, has drchrono changed their "core" code which handles data at rest and data in transit? Probably not.

So, what value is Happtique presenting to its potential clients it wishes to certify? What value is it to drchrono for their 14 updates of their EHR? What is the ROI for any App going through the process?

$3,000 an update maybe chump change for GE Healthcare or Quest Diagnostics, but an innovative Silicon Valley startup - it is hiring an intern for a month. It is hiring someone to perform PEN testing on their product. It is buying ad space. Imagine if drchrono had an Android client with 14 updates going out a year - they'd be spending $84,000 a year on Happtique certification.

What if your App fails certification? Is it another $3,000? What is you fail a single item on the list? Is it another $3,000?

If the pricing structure isn't complete (Which I still find hard to believe), it was premature to release anything at all. Happtique has left room for interpretation in their offering, which causes confusion for their intended audience which is already inundated with red tape.

Now, security

Happtique has listed seven standards for their security piece of the product, from detecting malicious code to encryption. If we get back to my previous topic, once the security is proven, what good is going through certification again? If nothing changes in managing security, data at rest, and data in transit within your product, then - what are you getting out of Happtique? What is their return on your investment?

From what I can discern from their website and standards, there isn't a whole lot going on to actually test the product to verify it is secure. Now, I could be wrong and I'll gladly say I am wrong if I am, but this is a major missing piece.

If we want to prove that mHealth Apps are secure, what actual security checks are being done besides checking for malicious code? As attacks on mobile devices get more sophisticated mHealth products will become major targets for common attacks - what is Happtique doing to help mitigate this?

Is the model wrong?

I also wonder - is this method of certification incorrect? Consider the Consumer Reports model. Consumer Reports purchases everything they test themselves and relies on those who want the results to foot the bill. 

It boils down to, who is Happtique really serving? If the people they are certifying are paying for certification, they are the clients of Happtique. The people wanting the seal of approval from Happtique aren't the clients in this case. The incentive is for Happtique to approve products with their current model, it isn't for Happtique to provide unbiased results.

Now, some will say "This is how medical certification works!" Well, just because we've been doing something one way in medicine for decades, doesn't mean it is the correct way to do it. Out of control costs are proof enough that medicine is fundamentally flawed in their approaches at the moment.

The Blue Ribbon Panel

Part of Happtique's marketing has been assembling a Blue Ribbon Panel to develop these standards.

The panel is listed as containing
You can read the bios of these accomplished individuals here.

I point out this Panel because, there is something missing. Dr. Shaffer is an accomplished physician and knows certification. Dr. Luks is an accomplished physician that is involved with social media. Dr. Roy is involved with medical devices, and Dave is an awesome advocate for patients. 

Now, these guys are good at what they do. Where are security experts? Where are the mobile developers that actually develop mobile products? 

Managing a certification program for nurses is an entirely different ballgame from managing a certification program for software. My point being: I wouldn't go to an orthopedic surgeon for a stomach virus. Only one of the four sections of standards put forth by Happtique have anything to do with the actual medical field. Operability, privacy, and security are all related to computing in general - why is the security experts and devs missing from the panel? Simply baffling.

Happtique's website says:
Along with input from health care and information technology organizations and representatives of key Federal agencies
But who?


One of the biggest things I also have trouble with is their operability standards. Happtique isn't saying they will validate EKG Apps actually work correctly and produce the correct results. That is up to 510(k) certification by the FDA. 

So, again - what value is this certification process? If you are FDA certified, what is the point of getting certified by Happtique? 

All in all, not bad

I'd like to be clear: Happtique's standards aren't bad by any means - in fact many items they list are a great starting ground. Honestly, some things are things that everyone should be doing building software, they are great guidelines to build a foundation off of - from mHealth to even plain old utilities. But to be fair, there are some that I don't see much value in.

mHealth is in its infancy still and introducing more costs into the healthcare market "just because" is a terrible reason to do so.

All I ask is, if I have an mHealth App, what ROI does Happtique provide?

I hope this helps foster a discussion, mHealth needs to move forward and we need the right framework to do so not just a framework.