Happtique suspends mhealth app certification program after software developer exposes security shortcomings

https://www.youtube.com/watch?v=Rch8tJbUeTY

Updated: Less than two weeks after Happtique approved the first set of mobile health apps as part of its certification program, it has suspended the program. The announcement posted on its website follows a blog post by Harold Smith III, the CEO of health IT software developer Monkton Health, that raised concerns over how data was protected by two apps certified by Happtique.

Among the security issues uncovered by Smith were usernames and passwords stored in plain text and data stored and sent in plain text.

Data security is part of the criteria for the certification program. The other criteria the apps are supposed to meet include that the app operates as intended, protects user privacy and contains credible content.

Happtique posted a statement on its website:

Last week, a developer raised concerns about the testing results for one of the HACP standards. After fully vetting the issue with our technical testing partner Intertek, we are not satisfied that current testing methodologies appropriately evaluate our standards and performance requirements. As a result, we are re-evaluating the testing methodologies for the HACP and believe the responsible next step is to suspend the certified app registry pending this further review.

While this program is an important first step toward transparency and accountability in the health app marketplace, maintaining a comprehensive certification program is an iterative process. We will continue to work with industry stakeholders to review and revise the standards and testing methodologies as necessary in order to strengthen this program for the future. Thank you for your ongoing support and feedback.

It’s a disappointing and embarrassing start to a program that was designed to boost physicians’ confidence in apps to a point where they would feel comfortable prescribing them to patients. Its own website points out that there are more than 40,000 apps claiming to be for mobile health, and that 78 percent of smartphone users won’t download apps they don’t trust.
The certification program relies on application fees to fund the program. A certification program would certainly help add more credibility to mobile health apps, but it doesn’t work well if it appears that people are just paying for a rubber stamp. Hopefully, a revised certification program will include more rigorous vetting. Happtique might do well to add Harold Smith to its certification team.
Update: Sergey Oreshko, the CEO of MyNetDiary, which produced the Diabetes Tracker app — one of the apps Smith wrote about — said in an email that it “already addressed the reported vulnerabilities, including credentials encryption and secure communications over HTTPS,” in response to a request for comment. He added that the app update is “already available” on the iPhone App Store.