Health app industry self-policing and ‘trusted sourcing’ credibility at stake?
Updated below. Last week, after Happtique announced its ‘Inaugural Class’ of 19 certified apps [TTA 2 Dec]–certified on their standards of operability, privacy, security and content–a young HIT software developer, Harold Smith III, discovered some major security flaws in two of them: MyNetDiary’s Diabetes Tracker and TactioHealth5. User names and passwords were stored in plain text files–not encrypted–and Mr. Smith then subjected the apps to a ‘man in the middle’ (MITM) attack, which he explains as “…where a nefarious source intercepts your communication from the App to the server. They decrypt the SSL connection, pull out your data, and send the data on to the server.” Both failed. Worse, the ePHI (ePersonal Health Information) of both was neither sent in a secured way nor stored in secure, encrypted files. After advising both companies of the problems (including one of these companies in person at the mHealth Summit), as well as Happtique, and receiving no satisfactory response after days passed, Mr. Smith went public Tuesday and Wednesday on his blog, mHealth and Mobile Development. Both articles deserve careful reading. Our readers with software development background will appreciate 1) his meticulousness and 2) his ire at not only Happtique but also their validator, Intertek, over the poor technical quality of their vetting; the non-techies like your Editor will appreciate the clarity of his writing.
Small blog, big impact today. Happtique has suspended its certification program (website notice) and on its website now has revised certification standards. Regarding the credibility of Mr. Smith, MedCityNews in Stephanie Baum’s article identifies him as CEO of Monckton Health, a HIT software product development company. He’s also an app developer with serious chops; his public LinkedIn profile indicates that he was the developer and owner of RxmindMe, a med reminder app for iOS sold to Walgreens, and is currently a senior architect for Fixmo, a Canadian/US mobile security and data compliance company which works for the Department of Defense. This Editor would make the reasonable assumption that he’s au courant on hacker tricks-of-the-trade.
Happtique was warned in March. Mr. Smith publicly critiqued Happtique’s program in his blog on 2 March–nine months ago. He questioned the absence of a security expert on the development panel. He made multiple, understandable points. Yet according to his post yesterday and this Editor’s direct confirmation with him today (13 Dec), his concerns weren’t addressed when he contacted Happtique directly, nor when a third party did likewise.
It’s a stumble for the ‘trusted sourcing’ concept. “It’s a disappointing and embarrassing start to a program that was designed to boost physicians’ confidence in apps to a point where they would feel comfortable prescribing them to patients,” Ms. Baum maintains–especially one with a hefty application fee, reportedly $3,000. This is also another stumble for Happtique as a company. While they have done the right thing–suspend the program–hastily revising and reposting their certification standards looks like a slapdash fix. When their Unique Selling Proposition (USP) is that ‘Happtique certified apps are secure, private and do what they claim to do’, this ‘uh-oh’ discovery cuts straight to their credibility. The company took great pains in developing their certification standards and review process over nearly two years. Yet within less than ten days after announcement, it was back to the drawing board. (If I represented a company which applied, I’d ask that my fee be refunded.) Unfortunately, the company’s other latest news has not been happy, with major changes in direction and management. None of this is atypical for an early-stage company, but it appears to be another Everest of trust for health apps to scale when it comes to both consumer and professional confidence.
We also invite Happtique to directly comment on this article and/or to contact this Editor.
MyNetDiary: In an update to Ms. Baum’s article today (13 Dec), the CEO of MyNetDiary states that the reported vulnerabilities have been addressed and that the update is already available on the iPhone App Store. (It is not available for Android per their website.)
Hat tips to reader Sandeep Pulim, MD of PointofCare360 via LinkedIn and Lois Drapin.