Happtique Halts Its mHealth App Certification Program

12-15-2013 4-51-25 PM

Happtique, a startup working to build an app store of secure, clinically vetted mHealth apps, has suspended its certification program less than a month after unveiling the first round of certified apps. Shortly after that unveiling, independent app developer and security expert Harold Smith published security vulnerabilities he discovered in some of the apps that had earned Happtique’s certification.

MyNetDiary, a diabetes tracker that helps patients keep track of their glucose readings, stores usernames and passwords in unencrypted flat files, a direct violation of Happtique’s published security guideline, which states:

Usernames and passwords are collected and transmitted only when using encryption between the client app and the server.

Smith also found that, “User glucose readings are stored, sent, all in plain text. This means anyone could steal the data, by either stealing your phone or hijacking your WiFi connection.” This also directly conflicts with Happtique’s security standard:

The App Publisher has certified that it has implemented reasonable administrative, physical, and technical safeguards to protect users’ personal information from unauthorized disclosure or access.

MyNetDiary was not the only app to turn up concerning security vulnerabilities. TacticoHealth5, a fitness app that tracks lab results, weight loss, and physical fitness goals, also stores usernames and passwords in unencrypted flat files. In addition, Smith found that “all of the user ePHI which was entered was stored unencrypted, in plain text, in an SQLite database.” This was another violation of Happtique’s published certification standards, which say:

If the app collects, stores and/or transmits information that constitutes PHI as defined by HIPAA, HITECH, and the rules thereunder, App Publisher certifies that it uses requisite efforts to maintain and protect the confidentiality, integrity, and availability of individually identifiable health information that is in electronic form (e.g., ePHI).
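Neither the article nor Smith’s write-up includes code; the following is an added example (not code from Happtique, MyNetDiary or Tactio) of the kind of storage audit a developer could run against an app’s SQLite database before submitting it for certification, flagging exactly the two patterns reported above: credentials in clear text and ePHI stored as readable values. The column-name patterns, table names and sample rows are assumptions constructed for the example; the hardened variant keeps no password locally and stores readings as an opaque blob standing in for ciphertext.

```python
import re
import secrets
import sqlite3

# Heuristic column-name patterns (constructed for this example, not Happtique's criteria).
CREDENTIAL_COLS = re.compile(r"pass(word)?|pwd|secret|token", re.I)
EPHI_COLS = re.compile(r"glucose|weight|lab_|diagnos|birth", re.I)
# A hex digest of at least 256 bits (e.g. a PBKDF2 output) is tolerated in a credential column.
HASHED_VALUE = re.compile(r"^[0-9a-f]{64,}$", re.I)


def audit_app_storage(con):
    """Return [(table, column, reason)] for columns that hold clear-text credentials or ePHI."""
    findings = []
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
        for _, col, ctype, *_ in list(con.execute(f'PRAGMA table_info("{table}")')):
            values = [r[0] for r in con.execute(f'SELECT "{col}" FROM "{table}"')
                      if r[0] is not None]
            if CREDENTIAL_COLS.search(col):
                if any(not (isinstance(v, str) and HASHED_VALUE.match(v)) for v in values):
                    findings.append((table, col, "credential stored in clear text"))
            elif EPHI_COLS.search(col) and ctype.upper() != "BLOB" and values:
                # A BLOB column is treated as opaque (possibly ciphertext); anything else is readable.
                findings.append((table, col, f"ePHI stored as readable {ctype.upper()}"))
    return findings


def build_sample_db(hardened):
    """Constructed in-memory database mirroring the findings above (not MyNetDiary's real schema)."""
    con = sqlite3.connect(":memory:")
    if hardened:
        # No password column at all (a server session token belongs in the Keychain, not SQLite);
        # the reading is random bytes standing in for ciphertext made with a Keychain-held key.
        con.execute("CREATE TABLE users (username TEXT)")
        con.execute("CREATE TABLE readings (taken_at TEXT, glucose BLOB)")
        con.execute("INSERT INTO users VALUES (?)", ("alice",))
        con.execute("INSERT INTO readings VALUES (?, ?)", ("2013-12-15T09:00", secrets.token_bytes(32)))
    else:
        con.execute("CREATE TABLE users (username TEXT, password TEXT)")
        con.execute("CREATE TABLE readings (taken_at TEXT, glucose REAL)")
        con.execute("INSERT INTO users VALUES (?, ?)", ("alice", "hunter2"))
        con.execute("INSERT INTO readings VALUES (?, ?)", ("2013-12-15T09:00", 112.0))
    con.commit()
    return con


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "as shipped", audit_app_storage(build_sample_db(hardened)))
```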

The news comes as a blow to Happtique, which has taken a slow road to bringing a long-promised product to market. Happtique was launched in November 2010 as a spinoff of Greater New York Health Association Ventures with the idea of a mobile health app marketplace, and an initial marketplace launch was targeted for mid-2011. Since then, the startup has been working to develop its certification process and define its business model. Both have undergone several revisions.

In early 2013, Happtique announced its long-awaited certification standard, intended to verify that apps were designed with clinically sound content and followed acceptable security standards.

Happtique responded to this latest news by announcing that it will suspend the certification program while it conducts a review. In an announcement posted on the certification page, Happtique says:

Last week, a developer raised concerns about the testing results for one of the HACP standards. In response, we are re-evaluating the testing methodologies for the HACP and believe the responsible next step is to suspend the certified app registry pending this further review.

  • travisjgood

    I guess it’s good that Happtique is at least paying attention and looking into this. More disturbing is the lack of response from MyNetDiary and Tactio. Has there been a response from them?

    Part of my confusion about the Happtique certification is that it requires apps to comply with HIPAA breach notification rules if the apps store PHI; this is in section S4.05 of the certification. I’m assuming apps can hedge on this by saying “we don’t store ePHI”, which begs the question of what does Happtique-certified even mean?

  • Lt.Dan

    Harold Smith updated his original post with news that he went to the Tactio booth at the mHealth summit to find out why they never responded to his emails. They told him that the app version in the iTunes store is not the certified version, and that they would be publishing the certified version sometime in January.

    It sounds like they’ve still got some kinks to work out of their certification testing process at Happtique. Their published certification standards seem well thought out, but if the certification is going to mean anything to anyone then they need to ensure people trust that they’re properly testing before approving apps.
