While medical apps share technical features with the commercial apps that have become ubiquitous on smartphones and tablet computers, special considerations go into the development of health apps. Thus, developers of health apps need to understand the clinical perspective, which encompasses health professionals' workflow, user interface experience, and interoperability. Security and privacy are also key issues--not to mention navigating the relevant FDA regulations.

These considerations are important because nearly half of clinicians today use apps to collect data by the bedside, according to the HIMSS Mobile Technology Survey published in 2012. And 19% of smartphone owners have at least one health app on their phone, with diet, exercise, and weight apps being most frequently downloaded, according to the Pew Internet & American Life Project reported in its Mobile Health 2012 Survey. 

Health apps exist along a continuum, ranging from those designed solely for consumer use to those incorporated into a patient treatment plan. FDA recently released guidance on mobile medical applications, defining a mobile medical app as any app that is "used as an accessory to a regulated medical device" or that can "transform a mobile platform into a regulated medical device." The mHIMSS Roadmap is another source of information for medical app developers.

Combining custom hardware with smartphone software, mobile ECG technology from AliveCor (San Francisco) is an example of a product requiring FDA approval. And a platform for collaborative medical imaging developed by Nephosity Inc. (San Francisco) needed FDA approval because it needed to provide images viewable on Apple iPads that feature the same quality as those that clinicians can see over a monitor. Such apps fall under FDA oversight, but the agency also says, "We intend to apply this oversight authority only to those mobile apps whose functionality could pose a risk to a patient's safety if the mobile app were to not function as intended." 

Clinical Perspective

While a software developer or engineer should not be expected to have a medical background, the design of an app to be used by a healthcare provider or patient needs to take into account not only such standard app attributes as user interface visuals and ease of use but also those attributes that fit into the workflow of care. To this end, clinicians should be involved in the app development process.

The optimal user experience includes limiting, not maximizing, key data elements. Less and more-meaningful data are the formula for success. 

Workflow considerations also dictate the sequencing of data entry points and the layout of the transmitted information. David Albert, cofounder and CMO of AliveCor, remarks that ECG reads on the go filled an obvious need for clinicians wanting to diagnose arrhythmias and other abnormalities. In scores of cases, he adds, a device was present on an airplane or in a restaurant where a doctor did not have access to a traditional ECG.

"You have to understand how people work and integrate whatever you're designing into their workflow," Albert says. "If you're going to have them change their workflow, to adapt their workflow in order to adopt your app or device, that is hogwash."

AirStrip Technologies has developed a suite of technologies that can be used to enable clinicians to remotely monitor everything from the fetal health of expectant mothers to patients' vital signs and EMR data. In the past, such information would have been verbally communicated over the phone or transmitted as a still chart. Now, however, the use of an app on a smartphone or tablet represents an improvement, comments Bernhard Kappe, president of Pathfinder Software (Chicago). "Where are the things where you can apply mobile to it? The trick is to get the patient tools and analytic tools to them when and where they need it," Kappe adds.

Recruiting the services of behaviorists to improve adherence to app utilization standards is also crucial to the success of a medical app. For example, Michael Pan, CEO of Nephosity, relies on a group of doctor advisers that includes his brother, radiologist John Pan. Because the company's app did not fit the needs of clinicians' workflows, the team advised the company's founders to redo their first prototype. Such input, along with gamification to optimize adherence, is a necessary aspect of designing a quality medical app.

Another aspect is interoperability. With so many IT systems and applications in the healthcare sector, concerns about the ability to amass data is taking a back seat to integrating data from many sources, whether they come from other apps, devices, or electronic records. 

Security Considerations

When asked what he considers the biggest mistake a medical app developer can make, Jack Walsh, program manager for mobility at ICSA Labs (Mechanicsburg, PA), answers, "Addressing security as an afterthought. The developer needs to talk to the enterprise it's developing the app for in order to optimally address security issues." While this advice might sound basic, Walsh notes, "it is important to use application program interfaces recommended by the operating system platform manufacturer." 

Once an app has been developed, security gaps can persist. "While it is not common practice yet, submitting medical apps to third-party testing entities is the best way to ensure security compliance," Walsh comments. "When new versions include substantial changes, they too should undergo third-party security testing. This testing need not be as comprehensive as the baseline test but could include different random numbers of test cases." 

Many enterprises have addressed security concerns by implementing bring your own device (BYOD) policies. However, most mobile device management consultants would agree that the best security lies in software-based fixes. 

While app coding is relatively easy, ensuring security is not. Thus, as self-developed apps become more common among healthcare institutions, providers, and medical industry commercial entities, stakeholders should maintain a keen awareness of security concerns and not depend on enterprise IT policies to act as the finger in the dike. "BYOD is hard to change" Walsh says. "And ad networks in apps create an additional layer of security risk that must be examined as well. Coding for apps is a relatively new field. Privacy remains a fundamental concern."

Security really comes down to understanding the security vulnerabilities in the app design using a top-down approach, explains Matt Wright, senior software engineer at Stratos Product Development (Seattle). "Start off with an initial architecture and then define the points in your system where you are vulnerable to attack. Each of these vulnerabilities can be addressed with a security measure. The important thing to remember here is that security is an iterative process, and your analysis should be refined alongside the design."

Privacy

"A fundamental distinction needs to be made between security and privacy," states Anita Fineberg, an attorney and consultant with expertise in mobile health app patient privacy. "There can be security without privacy but there can be no privacy without security. Privacy is an individual's right to control his or her information. Security is the means of safeguarding the information." Potential privacy risks associated with the use of mobile devices include unencrypted personal health information, unsecured wireless communications from monitors, lack of functionality to prevent comingling of such hospital data as patient personal health information and the app user's personal data, the lack of technical support or enforcement of minimum password requirements, the failure to block untested or unapproved apps, and the absence of remote wipe or delete/lockdown functions to protect data in the event that the device is lost. 

Some of these issues are already taken care of with the hardware and software that Apple is employing, remarks Nephosity's Michael Pan. Helpful features include the the ability of Apple laptops, iPhones, and iPads to remotely lock and wipe when they are lost. For example, if doctors lose their iPads, they can log into the iCloud from another device and erase the iPad's information remotely. In addition, it is important to use the secure form of HTML for any kind of Web coding, according to Pan. And the Advanced Encryption Standard AES-256 should be used to secure all data stored on a disk.

Several privacy considerations should be foremost in developers' minds when they design mobile health apps, according to Fineberg. First, they should understand that they are accountable for their conduct and code. Second, they should maintain transparency when implementing systems to protect health information. Third, they should limit the collection and storage of information to that required for the function and security of the app. Fourth, they should obtain meaningful consent where required. And fifth, they should consider the timing of user notice and consent. 

--David Lee Scher, MD, with Chris Newmarker