Two recent articles - one in the Washington Post entitled Health-care Apps of Smartphones Pit FDA Against Tech Industry and one in the Wall Street Journal entitled There's a Medical App for That-Or Not - have raised the spectre of how smartphone medical apps imply an imminent trainwreck between today's rapid-pace innovation and last century's slower-going FDA regulation.
What's the real question?
As I note in Get to Market Now!, new innovations and technologies emerge on average every 6 months while new or revised regulations take 12-14 years. Today, there are over 13,000 medical apps available for you and me; another 5,000 are available just for physicians and healthcare providers. By the time you finish reading this post, another medical app will have been published.
From a business perspective, the thought of FDA dragging down innovation to the rate of regulation is frightening. And while there is also the need to protect the public - and physicians - from medical apps that are unreliable, faulty, and just plain poor, is new regulation the answer? Is treating a $1.99 app like an MRI the answer? Innovation wouldn't stop. The price would just go up. Instead of paying $1.99, you'd just pay $1,990 for the app.
So, assuming that's not our goal, then what's the answer? Well, maybe we should step back from racing to find an answer, and reframe the question. After all, there's no point in arguing over the answer if we're not all answering the same question.
I suggest the real question has little to do with speeding innovation, keeping the public safe, enabling informed healthcare consumers, or making healthcare professionals more efficient. Those are all wonderful points, but they are not the core question behind how to, or even whether, we should regulate a medical app.
The real question is simpler: How do we - as a society - ensure that patients and healthcare providers can rely upon the health data used/maintained in a medical app?
Think about it. Would you want one of the regular updates to an app on your smartphone to corrupt all the previous data you had in it?
In today's video game market, data corruption is a painful reality becoming more and more common - patches and updates to games increasingly have to be withdrawn and redone because they accidentally corrupted and destroyed people's previous game data. It's too late for those consumers whose data files were destroyed.
"Well, sure," you say, "but those are game files. I mean, come on." And then think about it: is that what you want for your smartphone health app? You'd be hard-pressed to find a patient or a physician okay with running that risk for all their health data. Are you okay with all your health data and trends over the past year being wiped out while an update to your app is downloaded as you sit at Starbucks sipping that latte?
So this is the core question: how do we ensure that data entered into a medical app stays trustworthy?
And if we reframe it in this way, then we can cast about for already existing regulations, controls and tools. And yes, we already have them.
Today's Medical App Controls
I see four significant controls available today. The first two are purely market-driven; the second two are more "guiding hand" industry best practice combined with existing regulation:
1. Consumer reviews. Admittedly, there are some drawbacks to this as we don't know if the person writing the review is knowledgeable, and sites that rely on consumer reviews are usually fairly easy to game. So, consumer reviews are not a stand-alone control, only a piece of the control puzzle.
2. Product liability litigation. Yes, it's coming if not already occurring. Face it, if you can find a lawyer able to beat a restaurant for serving too hot a cup of coffee, you can find a lawyer able to beat a medical app for allowing your medical data to become corrupt. Still, because it can take up to two years for such product liability litigation to emerge, this is not a preventative except in the long, long-term. Product liability litigation is only another piece of the control puzzle. If nothing else, right now, medical app makers will want to include some level of documented risk assessment to patient data as part of their development process; otherwise, expect to defend why you didn't when you sit before the court in 18 months.
3. Software quality control practices. Great in theory, often poor in practice. The reality is that often companies cut quality control in order to rush products to market. When a medical app can be written and quality checked by the same person all in the span of a 14-hour day, software quality control is not a stand-alone data integrity control to rely upon. Nonetheless, I'd argue it is still a part of today's control puzzle. Everything from ISO to CMM should be on the table here, and it'd be nice if we could start to see some sort of reference by medical app makers to the software quality coding method used to make their app and its inevitable updates.
4. Part 11. Yes, I said it. 21 CFR 11 Electronic Records; Electronic Signatures. Now, before you bring up the spectre of "validate everything" (and trust me, as a recovering "validate everything" addict, I've got a lot of personally painful, embarrassing stories), I'm discussing how Part 11 (and the EU's Annex 11) are interpreted and enforced today. Today, Part 11 is all about data integrity - ensuring that data is trustworthy. And isn't that the core question we just defined above?
So if a medical app provider can show that his/her medical app maintains data with integrity (i.e., is Part 11 compliant), isn't that enough for the vast majority of the 18,000+ medical apps out there?
Coincidentally, Sweden's Medical Products Agency just released a guide to the EU's medical device directives that discusses controls, risks, and expectations for medical software - including medical apps. Download a PDF of Sweden's guide here. Its approach seems quite reasonable. Makers of medical apps are to conduct a risk assessment of their app that includes risk to the patient (see control #2 above), and be able to demonstrate that the app meets its intended performance goals (see controls #3 and #4 above). Finally, the guide notes that smartphones and tablets, etc., will never be considered (and regulated as) medical devices unless they are specifically converted to be a medical device.
If only we in the States could be so reasonable....