Is that health app safe to use? A new framework aims to provide an answer

A new framework for assessing the privacy, technical security, usability and clinical assurance and safety of digital health technologies has been created by the American College of Physicians (ACP), the American Telemedicine Association (ATA) and ORCHA, the Organization for the Review of Care and Health Applications.

The Digital Health Assessment Framework is intended to be an open framework, accessible for anyone to use, to support the adoption of high-quality digital health technologies and help healthcare professionals and patients make better-informed decisions about which digital health tools – including mobile apps and web-based tools – best suit their needs.

“Although it’s designed specifically for the needs and requirements of the US market, the Framework doesn’t try to reinvent the wheel. It recognizes and points to relevant existing US regulations, and applies several leading international standards and frameworks, ISO 82304-2 in Europe, Digital Technology Assessment Criteria (DTAC) and NICE evidence standards framework in the UK, and DiGA in Germany,” said Tim Andrews, COO, ORCHA.

About the framework

With more than 86 million Americans already using a health or fitness app, digital health brings new possibilities for the healthcare industry.

Yet in a field of some 365,000 products, the vast majority of which fall outside existing regulation (medical device regulations, federal law and government guidance), there has been no clear way to determine whether a given product is safe to use.

Healthcare professionals and patients are essentially left to their own devices, relying on third-party research such as Mozilla's recent review of the privacy protections of 32 mental health and prayer apps (most of which it found wanting), or researcher Alissa Knight's testing of 30 popular mHealth apps, which turned up egregious security vulnerabilities that could allow attackers to access patient records.

“There are literally hundreds of health apps and devices for patients and clinicians to choose from, and our goal is to provide confidence that the health and wellness tools reviewed in this Framework meet quality, privacy and clinical assurance criteria in the U.S.,” noted Ann Mond Johnson, CEO of the ATA.

ORCHA has already assessed a number of products against the framework, and the ACP has announced the launch of a pilot test of a database of digital health tools reviewed against the framework.

Feedback from the ACP pilot, as well as input from digital health technology companies, healthcare professionals, consumers, and other stakeholders will continue to help improve the framework, which will be updated regularly to reflect changes in clinical practice, the latest guidelines and best practices.

How the apps are assessed

As noted above, apps are assessed across the four categories of privacy, technical security, usability, and clinical assurance and safety, by answering questions such as:

  • Does the privacy policy clearly state that user data will not be used or shared with other parties except as described in the privacy policy, without express consent of the user?
  • Does the privacy policy inform the user of where the data is stored and how it is protected in storage and transmission?
  • Is the app clinically safe and effective?
  • Can it be used by users with disabilities or impairments?
  • Can it be personalized or customized?
  • Has the app been developed with app and data security in mind?
  • Has its attack surface been limited?

“While a high-scoring app is not guaranteed to be effective or safe, and a poorly scoring app is not necessarily ineffective or unsafe, it does mean that the app has taken more or less care over the app's compliance with these key standards than other similar apps,” the organizations involved said.

“In the critical area of health and care, we believe that developers should take compliance with standards extremely seriously. No matter how good the user experience of an app might be, if the app is not safe and robust or its treatment of often sensitive health data is not clear and correct, it should be treated with caution.”