Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

FDA Announces Precertification Program For Digital Health Tools

Posted on October 5, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

The FDA has recruited some the world’s top technology and medical companies to help it pilot test a program under which digital health software could be marketed without going through the through the agency’s entire certification process.

The participants, which include Apple, Fitbit, Johnson & Johnson, Samsung and Roche, will give the agency access to the measures they’re using to develop, test and maintain their software, and also how they collect post-market data.

Once armed with this information, the FDA will leverage it to determine the key metrics and performance indicators it uses to see if digital health software meets its quality standards.

Companies that meet these new standards could become pre-certified, a status which grants them a far easier path to certification than in the past. This represents a broad shift in the FDA’s regulatory philosophy, “looking first at the software developer digital health technology developer, not the product,” according to a report previously released by the agency.

If the pilot works as planned, the FDA is considering making some significant changes to the certification process. If their processes pass muster, pre-certified companies may be allowed to submit less information to the FDA than they currently must before marketing a new digital health tool.  The agency is also considering the more radical step of allowing pre-certified companies to avoid submitting a product for premarket review in some cases. (It’s worth noting that these rules would apply to lower-risk settings.)

The prospect of pre-certifying companies does raise some concerns. In truth, the argument could be made that digital health software should be regulated more tightly, not less. In particular, the mobile healthcare world is still something of a lawless frontier, with very few apps facing privacy, security or accuracy oversight.

The fact is, it’s little wonder that physicians aren’t comfortable using mobile health app data given how loosely it can be constructed at times, not to mention the reality that it might not even measure basic vital signs reliably.

It’s not that the healthcare industry isn’t aware of these issues. about a year ago, a group of healthcare organizations including HIMSS, the American Medical Association and the American Heart Association came together to develop a framework of principles dressing app quality. Still, that’s far short of establishing a certification body.

On the other hand, the FDA does have a point when it notes that a pre-certification program could make it easier for useful digital health tools to reach the marketplace. Assuming the program is constructed well, it seems to me that this is a good idea.

True, it’s pretty unusual to see the FDA loosen up its certification process – a fairly progressive move for a stodgy agency – while the industry fails to self-regulate, but it’s a welcome change of style. I guess digital health really is changing things up.

 

Will Medical Device Makers Get Interoperability Done?

Posted on September 20, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Most of the time, when I think about interoperability, I visualize communication between various database-driven applications, such as EMRs, laboratory information systems and claims records. The truth is, however, that this is a rather narrow definition of interoperability. It’s time we take medical device data into account, the FDA reminds us.

In early September, the FDA released its final guidance on how healthcare organizations can share data between medical devices and other information systems. In the guidance, the agency asserts that the time has come to foster data sharing between medical devices, as well as data exchange between devices and information systems like the ones I’ve listed above.

Specifically, the agency is offering guidelines to medical device manufacturers, recommending that they:

  • Design devices with interoperability in mind
  • Conduct appropriate verification, validation and risk management to ensure interoperability
  • Make sure users clearly understand the device’s relevant functional, performance and interface characteristics

Though these recommendations are interesting, I don’t have much context on their importance. Luckily, Bakul Patel has come to the rescue. Patel, who is associate director for digital health the FDA‘s Center for Devices and Radiological Health, offered more background on medical device interoperability in a recent blog entry.

As the article points out, the stakes here are high. “Errors and inadequate interoperability, such as differences in units of measure (e.g., pounds vs. kilograms) can occur in devices connected to a data exchange system,” Patel writes. Put another way, in non-agency-speak, incompatibilities between devices and information systems can hurt or even kill patients.

Unfortunately, device-makers seem to be doing their own thing when it comes to data sharing. While some consensus standards exist to support interoperability, specifying things like data formats and interoperability architecture design, manufacturers aren’t obligated to choose any particular standard, Patel notes.

Honestly, the idea of varied medical devices using multiple data formats sounds alarming to me. But Patel seems comfortable with the idea. He contends that if device manufacturers explain carefully how the standards work and what the interface requires, all will be well.

All told, If I’m understanding all this correctly, the FDA is fairly optimistic that the healthcare industry can network medical devices on the IoT with traditional information systems.

I’m glad that the agency believes we can work this out, but I’d argue that such optimism may be premature. Patel’s assurances raise a bunch of questions for me, including:

  • Do we really need another set of competing data exchange standards to resolve, this time for medical device interoperability?
  • If so, how do we lend the consensus medical device standards with consensus information system standards?
  • Do we need to insist that manufacturers provide more-consistent software upgrades for the devices before interoperability efforts make sense?

Hey, I’m sure medical device manufacturers want to make device-to-device and device-to-database data sharing as simple and efficient as possible. That’s what their customers want, after all.

Unfortunately, though, the industry doesn’t have a great track record even for maintaining their devices’ operating systems or patching industrial-grade security holes. Designing devices that handle interoperability skillfully may be possible, but will device-makers step up and get it done anytime soon?

No Duh, FTP Servers Pose PHI Security Risk

Posted on April 12, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

The File Transfer Protocol is so old – it was published in April 1971 – that it once ran on NCP, the predecessor of TCP/IP. And surprise, surprise, it’s not terribly secure, and was never designed to be so either.

Security researchers have pointed out that FTP servers are susceptible to a range of problems, including brute force attacks, FTP bounce attacks, packet capture, port stealing, spoofing attacks and username enumeration.

Also, like many IP specifications designed prior before standard encryption approaches like SSL were available, FTP servers don’t encrypt traffic, with all transmissions in clear text and usernames, passwords, commands and data readable by anyone sniffing the network.

So why am I bothering to remind you of all of this? I’m doing so because according to the FBI, cybercriminals have begun targeting FTP servers and in doing so, accessing personal health information. The agency reports that these criminals are attacking anonymous FTP servers associated with medical and dental facilities. Plus, don’t even know they have these servers running.

Getting into these servers is a breeze, the report notes. With anonymous FTP servers, attackers can authenticate to the FTP server using meaningless credentials like “anonymous” or “ftp,” or use a generic password or email address to log in. Once they gain access to PHI, and personally identifiable information (PII), they’re using it to “intimidate, harass, and blackmail business owners,” the FBI report says.

As readers may know, once these cybercriminals get to an anonymous FTP server, they can not only attack it, but also gain write access to the server and upload malicious apps.

Given these concerns, the FBI is recommending that medical and dental entities ask their IT staff to check their networks for anonymous FTP servers. And if they find any, the organization should at least be sure that PHI or PII aren’t stored on those servers.

The obvious question here is why healthcare organizations would host an anonymous FTP server in the first place, given its known vulnerabilities and the wide variety of available alternatives. If nothing else, why not use Secure FTP, which adds encryption for passwords and data transmission while retaining the same interface as basic FTP? Or what about using the HTTP or HTTPS protocol to share files with the world? After all, your existing infrastructure probably includes firewalls, intrusion detection/protection solutions and other technologies already tuned to work with web servers.

Of course, healthcare organizations face a myriad of emerging data security threats. For example, the FDA is so worried about the possibility of medical device attacks that it issued agency guidance on the subject. The agency is asking both device manufacturers and healthcare facilities to protect medical devices from cybersecurity threats. It’s also asking hospitals and healthcare facilities to see that they have adequate network defenses in place.

But when it comes to hosting anonymous FTP servers on your network, I’ve got to say “really?” This has to be a thing that the FBI tracks and warns providers to avoid? One would think that most health IT pros, if not all, would know better than to expose their networks this way. But I suppose there will always be laggards who make life harder for the rest of us!

IBM Watson Partners With FDA On Blockchain-Driven Health Sharing

Posted on January 16, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

IBM Watson Health has partnered with the FDA in an effort to create scalable exchange of health data using blockchain technology. The two will research the exchange of owner-mediated data from a variety of clinical data sources, including EMRs, clinical trial data and genomic health data. The researchers will also incorporate data from mobiles, wearables and the Internet of Things.

The initial project planned for IBM Watson and the FDA will focus on oncology-related data. This makes sense, given that cancer treatment involves complex communication between multispecialty care teams, transitions between treatment phases, and potentially, the need to access research and genomic data for personalized drug therapy. In other words, managing the communication of oncology data is a task fit for Watson’s big brain, which can read 200 million pages of text in 3 seconds.

Under the partnership, IBM and the FDA plan to explore how the blockchain framework can benefit public health by supporting information exchange use cases across varied data types, including both clinical trials and real-world data. They also plan to look at new ways to leverage the massive volumes of diverse data generated by biomedical and healthcare organizations. IBM and the FDA have signed a two-year agreement, but they expect to share initial findings this year.

The partnership comes as IBM works to expand its commercial blockchain efforts, including initiatives not only in healthcare, but also in financial services, supply chains, IoT, risk management and digital rights management. Big Blue argues that blockchain networks will spur “dramatic change” for all of these industries, but clearly has a special interest in healthcare.  According to IBM, Watson Health’s technology can access the 80% of unstructured health data invisible to most systems, which is clearly a revolution in the making if the tech giant can follow through on its potential.

According to Scott Lundstrom, group vice president and general manager of IDC Government and Health Insights, blockchain may solve some of the healthcare industry’s biggest data management challenges, including a distributed, immutable patient record which can be secured and shared, s. In fact, this idea – building a distributed, blockchain-based EMR — seems to be gaining traction among most health IT thinkers.

As readers may know, I’m neither an engineer nor a software developer, so I’m not qualified to judge how mature blockchain technologies are today, but I have to say I’m a bit concerned about the rush to adopt it nonetheless.  Even companies with a lot at stake  — like this one, which sells a cloud platform backed by blockchain tech — suggest that the race to adopt it may be a bit premature.

I’ve been watching tech fashions come and go for 25 years, and they follow a predictable pattern. Or rather, they usually follow two paths. Go down one, and the players who are hot for a technology put so much time and money into it that they force-bake it into success. (Think, for example, the ERP revolution.) Go down the other road, however, and the new technology crumbles in a haze of bad results and lost investments. Let’s hope we go down the former, for everyone’s sake.

FDA Weighs In On Medical Device Cybersecurity

Posted on January 5, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

In the past, medical devices lived in a separate world from standard health IT infrastructure, typically housed in a completely separate department. But today, of course, medical device management has become much more of an issue for health IT managers, given the extent to which such devices are being connected to the Internet and exposed to security breaches.

This has not been lost on the FDA, which has been looking at medical device security problems for a long time. And now – some would say “at long last” – the FDA has released final guidance on managing medical device cybersecurity. This follows the release of earlier final guidance on the subject released in October 2014.

While the FDA’s advice is aimed at device manufactures, rather than the health IT managers who read this blog, I think it’s good for HIT leaders to review. (After all, you still end up managing the end product!)

In the guidance, the FDA argues that the best way to bake cybersecurity protections into medical devices is for manufacturers to do so from the outset, through the entire product lifecycle:

Manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.

Specifically, the agency is recommending that manufacturers take the following steps:

  • Have a way to monitor and detect cybersecurity vulnerabilities in their devices
  • Know assess and detect the level of risk vulnerabilities pose to patient safety
  • Establish a process for working with cybersecurity researchers and other stakeholders to share information about possible vulnerabilities
  • Issue patches promptly, before they can be exploited

The FDA also deems it of “paramount” importance that manufacturers and stakeholders consider applying core NIST principles for improving critical infrastructure cybersecurity.

All of this sounds good. But considering the immensity of the medical device infrastructure – and the rate of its growth – don’t expect these guidelines to make much of an impact on the device cybersecurity problem.

After all, there are an estimated 10 million to 15 million medical devices in US hospitals today, according to health tech consultant Stephen Grimes, who spoke on biomedical device security at HIMSS ’16. Grimes, a past chair of the HIMSS Medical Device Security Task Force, notes that one 500-bed hospital could have 7,500 devices on board, most of which will be networked. And each networked monitor, infusion pump, ventilator, CT or MRI scanner could be vulnerable to attack.

Bottom line, we’re looking at some scary risks regardless of what manufacturers do next. After all, even if they do a much better job of securing their devices going forward, there’s a gigantic number of existing devices which can be hacked. And we haven’t even gotten into the vulnerabilities that can be exploited among home-based connected devices.

Don’t get me wrong, I’m glad to see the FDA stepping in here. But if you look at the big picture, it’s pretty clear that their guidance is clearly just a small step in a very long and complicated process.

The Senate is Promoting Healthcare Innovation – How Organizations Can Keep Pace – Breakaway Thinking

Posted on April 20, 2016 I Written By

The following is a guest blog post by Mark Muddiman, Engagement Manager at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
Mark Muddiman
On March 9, 2016 the Senate Committee on Health Education Labor and Pensions (HELP) approved S.1101, better known as the Medical Electronic Data Technology Enhancement for Consumers’ Health (MEDTECH) Act. As HIMSS reports, the bill aims to limit the regulatory oversight of “low-risk” medical device software, while simultaneously making a clear distinction of the FDA’s reach of authority.

But how do you define “low-risk” when it comes to a person’s health?

The answer might surprise you. These items are deemed low-risk by the MEDTECH act and will no longer require oversight:

  • administrative, operational, or financial records software used in healthcare settings
  • software for maintaining or encouraging a healthy lifestyle unrelated to medical treatment
  • electronic patient records, excluding software for interpreting or analyzing medical image data
  • software for clinical laboratory testing, excluding software for interpreting or analyzing test data
  • software that provides medical recommendations and the basis for those recommendations to healthcare professionals, excluding software for acquiring, processing, or analyzing medical images or signals

Regulations serve a purpose in ensuring that the devices used do not put patients at risk, and some fear that the loosening of these restrictions could be problematic. But the number of policies vendors were previously required to abide by was staggering. There is little value in subjecting vendors or healthcare leaders to such stringent policies with software and devices that are unlikely to lead to increased risk or an adverse event. Unnecessary regulation ultimately restricts patient access to the most current technology and impedes more successful clinical outcomes.

As HIMSS further clarified, the MEDTECH act still allows the FDA to oversee medical software if it considers the product “reasonably likely to cause serious adverse consequences.” The congressional summary goes on to note that the FDA may assess a software function for safety and effectiveness if the medical device has multiple functions. For example, mobile applications do not need supervision if integrated by a vendor unless they become linked to something of medium or high risk such as medication administration. In short, vendors get the freedom they need to explore new avenues, but the FDA doesn’t cede total control and retains an option that can be interpreted broadly enough to intervene when needed. In this sense, the MEDTECH act finds a middle ground using a risk-based approach to focus oversight where it’s needed most.

Key players in the industry have supported the bill; Health IT Now and the American Medical Informatics Association (AMIA) both praised the passage of the act, while major vendors including Athenahealth, IBM, and McKesson strongly supported the push to pass the bill. Undoubtedly, the passing of the MEDTECH act was great news for vendors.

The benefits to patients and vendors are clear, but what about healthcare providers and administrators?

CIOs and CMIOs already have their hands full in keeping pace with a seemingly endless set of transformations in health IT. Now the senate is aiming to quicken innovation and promote shorter times for technology to reach the market, inevitably resulting in a faster rate at which organizations must adopt that technology. Some providers likely viewed the passage of the act with an exasperated palm to the face. The frustration is real; the move to ICD-10 occurred less than seven months ago, not to mention many organizations have implemented EHRs but are focusing on optimization to improve their ROI.

Simply put, there is no end in sight to new technologies arriving in healthcare, and there will not be a slowdown anytime soon. Healthcare organizations must proactively plan a long-term adoption strategy that accounts for continual enhancements in technology, with a focused ability to quickly bring staff to a high level of proficiency. Those that achieve such agility will be able to leverage the best technology to offer the highest standards of care.

Xerox is a sponsor of the Breakaway Thinking series of blog posts. The Breakaway Group is a leader in EHR and Health IT training.

Security Concerns Threaten Mobile Health App Deployment

Posted on January 26, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Healthcare organizations won’t get much out of deploying mobile apps if consumers won’t use them. And if consumers are afraid that their personal data will be stolen, they’ve got a reason not to use your apps. So the fact that both consumers and HIT execs are having what I’d deem a crisis of confidence over mHealth app security isn’t a good sign for the current crop of mobile health initiatives.

According to a new study by security vendor Arxan, which polled 815 consumers and 268 IT decision-makers, more than half of consumer respondents who use mobile health apps expect their health apps to be hacked in the next six months.

These concerns could have serious implications for healthcare organizations, as 76% of health app users surveyed said they would change providers if they became aware that the provider’s apps weren’t secure. And perhaps even more significantly, 80% of consumer health app users told Arxan that they’d switch to other providers if they found out that the apps that alternate provider offered were better secured. In other words, consumer perceptions of a provider’s health app security aren’t just abstract fears — they’re actually starting to impact patients’ health decision making.

Perhaps you’re telling yourself that your own apps aren’t terribly exposed. But don’t be so sure. When Arxan tested a batch of 71 popular mobile health apps for security vulnerabilities, 86% were shown to have a minimum of two OWASP Mobile Top 10 Risks. The researchers found that vulnerable apps could be tampered with and reverse-engineered, as well as compromised to provide sensitive health information. Easily-done hacks could also force critical health apps to malfunction, Arxan researchers concluded.

The following data also concerned me. Of the apps tested, 19 had been approved by the FDA and 15 by the UK National Health Service. And at least where the FDA is concerned, my assumption would be that FDA-tested apps were more secure than non-approved ones. But Arxan’s research team found that both FDA and National Health Service-blessed apps were among the most vulnerable of all the apps studied.

In truth, I’m not incredibly surprised that health IT leaders have some work to do in securing mobile health apps. After all, mobile health app security is evolving, as the form and function of mHealth apps evolve. In particular, as I’ve noted elsewhere, mobile health apps are becoming more tightly integrated with enterprise infrastructure, which takes the need for thoughtful security precautions to a new level.

But guidelines for mobile health security are emerging. For example, in the summer of last year, the National Institute of Standards and Technology released a draft of its mobile health cybersecurity guidance, “Securing Electronic Records on Mobile Devices” — complete with detailed architecture. Also, I’d wager that more mHealth standards should emerge this year too.

In the mean time, it’s worth remembering that patients are paying close attention to health apps security, and that they’re unlikely to give your organization a pass if they’re hacked. While security has always been a high-stakes issue, the stakes have gotten even higher.

Healthcare Faces Massive Cybersecurity Risks

Posted on December 27, 2012 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

When a consumer publication like The Washington Post — hardly an insider journal of computing — picks out your industry and slams it for having poor cybersecurity, you know something’s amiss.

The newspaper has just published a report, following a year-long cybersecurity investigation, arguing that healthcare is one of the most vulnerable industries in the U.S., making it a tasty target for terrorists, black-hat hackers and criminals.

It’s rather embarrassing, but it’s hard to argue with the Post’s conclusion that healthcare data security isn’t what it could be. A few data points:

* Researchers are finding that healthcare institutions routinely fail to fix known bugs in aging software, something other industries have largely overcome.

* Providers are making careless use of such public cybertools;  the paper cites the example of the University of Chicago medical center, which at one point operated an unsecured Dropbox site for new residents managing care through their iPads (with a single user name and password published online, yet!)

* According to Post research, open source system OpenEMR “has scores of security flaws that make it easy prey for hackers”

* In perhaps the scariest example, the paper notes that clinicians routinely work around cybersecurity measures to get their job done.

Another factor contributing to cybersecurity holes is confusion about the FDA’s position on security. While the agency actually wants vendors to update FDA-approved device interfaces and systems, vendors often believe that the FDA bars them from updating device software, the Post found.

That leaves devices, especially defibrillators and insulin pumps, open to attacks. Researchers have been able to find these devices, linked to the web in the clear, simply by using a specialized search engine.

As wireless medical devices and smartphones, iPads and Android devices creep into the mix, cybersecurity vulnerabilities are likely to get worse, not better.  I wonder whether we’ll need to see a cybersecurity disaster take place before the industry catches up to, say, financial services?

GINA, Runtastic, and The Future of Patient Engagement: Around HealthCare Scene

Posted on August 19, 2012 I Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

EMR and HIPAA

Worried about HIPAA? Don’t Forget GINA

If remember HIPAA regulations wasn’t hard enough when it comes to EMR security, a new factor is being brought to the table: GINA. GINA, which stands for Genetic Information Non-Discrimination Act, primarily aimed at the workplace. The purpose of GINA is to prevent employers from requesting or obtaining any genetic information concerning an employee at any time. This post discusses GINA, and possible issues that may be related to it.

Hospital EMR and EHR

Medicare’s New Requirement for Evidence-based Order Sets

This is a guest post by Sean Benson, co-founder of ProVation Medical. He discusses the new changes to Medicare’s Conditions of Participation for hospitals that recently went into effect. These changes were small, but significant, and Benson clears up things that might be confusing, and clarifies the new requirements.

5 Mistakes Healthcare Vendors Make in Tracking Customer Satisfaction

The company, KATALUS Advisors, focuses quite a bit on helping healthcare vendors interact with their clients. Chris O’Neal, Managing Partner at KATALUS Advisors, recently created a list of the top 5 mistakes that he sees healthcare vendors make in tracking customer satisfaction. He mentions the importance of customer satisfaction, and how “savvy” vendors are finding ways to avoid this pitfalls.

Smart Phone Health Care

Runtastic Makes Tracking Exercise Easier and More Fun

As a follow up to a recent post about apps for runners, this post has a review of another great running app, Runtastic. The app has tons of features, including a 3D Google Earth view of completed workouts. The basic app is free to download, however, upgrades and exercise plans are available for a fee.

FDA Approves Voice Guided Epinephrine Injector: Auvi-Q

Many people are plagued with allergies, and at times, have to rely on an epinephrine injector to save their lives. However, when an allergic reaction happens, the victim may not be able to use the injector themselves. As a solution, the FDA has recently approved an epi pen, called the Auvi-Q, which provides step by step audio on how to use the injector and save a life.

EHR and EMR Videos

GetWellNetwork Unveils the Future of Patient Engagement Video

GetWellNetwork released a video recently which illustrates how innovations in IPC will improve outcomes for patients for hospitals by becoming a part of everyday life. IPC has been implemented in over 20,000 hospital beds across the US and GetWellNetwork has been leading the way for IPC.

New mHealth App Certification – The Next CCHIT Like Mistake

Posted on January 17, 2012 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I first heard about the new Secure, Branded App Store for Hospitals and Healthcare called Happtique in early December on Techcrunch. At its core, I think it’s an interesting idea to try and filter through what the article claims are “23,000 mobile health apps available for iOS and Android.” Helping physicians and hospital administrators filter through these apps could be valuable. Plus, most hospital administrators would love a way to have a phone that was limited on which apps it could download.

Well, it seems that the company has shifted gears a little bit. As Brian Dolan from Mobi Health News reported, Happtique is taking the first steps to setting up a certification for mobile health apps.

Happtique, a healthcare-focused appstore, announced plans to create a certification program that will help the medical community determine which of the tens of thousands of health-related mobile apps are clinically appropriate and technically sound. The company has tapped a multi-disciplinary team to develop the “bona fide mHealth app certification program” within the next six months. The program is open to all developers and will be funded by developer application fees.

It will certify apps intended to be used by both medical professionals and patients.

While I think that providing some way for people to filter through the large number of mobile apps, I think certification is a terrible way to go about it. Many people know I’ve written many an article about CCHIT pre-EHR incentive money and how screwed up the CCHIT EHR certification was for the industry. I think it’s just as bad news for Happtique to create a certification for the mobile health industry.

Turns out that Happtique seems to have agreed with this idea back in October 2010 where they said in a MobiHealthNews interview, “We are not in the business of opining whether an app is ‘good’ or ‘bad’ though. That’s not our role. Apple doesn’t do that and others don’t either. If the FDA indicates that an app is a medical device and needs to be regulated, well, that’s a different situation and we can take it out of the store.” Seems they’ve seen a different business opportunity.

They have a couple recognizable names on their board to create their certification including Howard Luks and Dave deBrokart (better known as e-Patient Dave), but I believe they’re going to find that it’s an impossible task. First, because they won’t have the breadth of knowledge needed to create certification requirements for every type of mHealth app. Second, what value will the certification really provide? Third, how do you make the certification broad enough to apply to all 20,000+ apps while still providing meaning to those using a very specific mHealth app? Plus, I’m sure there are many other issues I haven’t thought of yet.

The problem with these certification ideas is that they start with great intentions, but always end up bad.