by Howard Nevin on 29/10/12 at 8:21 pm
First, I am not singling anyone or any company out. Second, I wouldn’t know where to begin with the first items anyway. Third, the rush to generate smart phone apps and their counterparts for tablets may – MAY – have had a warning shot or two fired across their bows that people are choosing to ignore, or may simply be unaware of. While this article talks about smart phone medical apps, that is a subject of some interest to businesses with health “centers” (e.g., nurses’ offices or clinics), and I use the medical arena as a metaphor for a broader business context.
There are over 40,000 (who knows the REAL number) medical apps out there now. Only ONE that I am aware of has received U.S. Government Food & Drug Administration (FDA) approval. On 7/19/11, the FDA issued a press release that indicated, “The U.S. Food and Drug Administration today announced it is seeking input on its proposed oversight approach for certain mobile applications specific to medicine or health care called mobile medical applications (“apps”) that are designed for use on smartphones and other mobile computing devices. This approach encourages the development of new apps, focuses only on a select group of applications and will not regulate the sale or general consumer use of smartphones or tablets.”
The press release continued: “Today, mobile medical applications or ‘mobile medical apps,’ include a variety of functions, ranging from monitoring calorie intake, helping people maintain a healthy weight, and allowing doctors to view a patient’s radiology images on their mobile communications device. According to Research2Guidance 2010, 500 million smartphone users worldwide will be using a health care application by 2015.” (Personally, I think that number is low.)
The FDA indicated, “Our draft approach calls for oversight of only those mobile medical apps that present the greatest risk to patients when they don’t work as intended.”
The draft approach was for a “relatively” small subset. BUT, if people are using medical apps to manage or monitor aspects of their lifestyle, for example, there is an interesting line that gets drawn in the sand. The line may be hard to see. But it IS there: When does something simple and innocuous impact or threaten your life? When it’s wrong or you misuse it.
In August, the U.S. General Accountability Office (GAO) issued report GAO-12-816, “MEDICAL DEVICES – FDA Should Expand Its Consideration of Information Security for Certain Types of Devices,” and in September 2012 it issued report GAO-12-757, “INFORMATION SECURITY – Better Implementation of Controls for Mobile Devices Should Be Encouraged.” The former report did NOT specifically address mobile devices/apps; the latter report did, and on pages 17-21 it articulates a range of possible vulnerabilities and security issues. Marry them up and you have an interesting picture.
I mention this since there may be several levels of potential liability here. You see those ads for all those law firms ready to sue someone for you? Try malfunctioning “harmless” apps that provide wrong information because the apps are out of date, or the user has not loaded a new version. Try apps that integrate into that medical device “subset” the FDA has defined and about which it noted (section II of the “draft guidance”): “As is the case with traditional medical devices, mobile medical apps can pose potential risks to public health.” Or consider apps that are misconstructed and inadvertently “leak” personally identifiable information or personal health information to a social media site in violation of a number of federal laws. The FDA was clear in its draft focus: “a ‘mobile medical app’ is a mobile app that meets the definition of ‘device’ in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act); and either: is used as an accessory to a regulated medical device; or transforms a mobile platform into a regulated medical device.” That list is expansive, even generically (by type of device).
There are a lot of standards that come into play here from a variety of sources, and it really is in the best interests of the developer, the individual and corporate user, and the industry as a whole to REALLY get a grip on these requirements and ensure compliance. That will make everyone feel better … and decrease the likelihood of something bad-to-tragic happening.
All that said, it might not be a bad idea to apply the same level of “caution” to the myriad of business apps that are popping up. Some are personal convenience, some are enterprise. With all the social media meshing going on, some app could inadvertently put embarrassing info out there for all to see without your knowing it, for example, or maybe impact your business. Check one wrong box in an app and you may have NO idea of, or control over, where that info goes. How about inadvertently violating Sarbanes-Oxley or one of the many SEC regs or the Trade Secret Law and Economic Espionage Act of 1996? Think that can’t happen? One major chip manufacturer put in a collaboration product many years back and suddenly its plans were getting delivered OUTSIDE the company … all by error.
The simpler obvious analog is email addresses. I ALWAYS double check ALL addressees … NOW. I still make a mistake from time to time if I am in a hurry, though – and all thankfully minor. Stupid error, potentially devastating result.
Currently, I know of and have advised a firm planning to build a power-med app. Monstrous market for that specific app — even in its “subset area.” The firm is being extraordinarily cautious – there are really serious and compelling issues to be addressed since so many lines (laws, etc.) get crossed in just that one app. Caution is prudent. Haste makes lawsuits. In one discussion alone, we identified five classes of people who could sue if something went wrong. That didn’t dampen enthusiasm … it provoked greater caution.
SO … the suggestion is simple: from a business perspective (again – I used medical as an example, only) really check out what you might be getting into, test a broad range of permutations of use, verify the “security” or integrity of the app, and still proceed carefully and with oversight.
If you are building apps, be sure you are in-bounds with the statutory, regulatory, and policy items that exist, change from time to time, and may affect your efforts. If you are selling to the Feds, state and local government, you can be sure there are such items. And based on what you are doing (commercial or not), check the GAO from time to time (www.gao.gov) – it is often the herald of things to come. Its findings have a way of becoming pieces of legislation.
About The Author: Howard Nevin is a Partner at Technology Driven Transformation Strategies. This firm helps business leaders build high-impact companies. http://tdtstrategies.com/