Re: [nhshackday] nhs app review process

27 views
Skip to first unread message

Rob Dyke

unread,
May 10, 2013, 6:31:00 PM5/10/13
to nhsha...@googlegroups.com, carl
Discussed this a subject a number of times on BCS Primary Health mailing list when this subject comes up in other news channels (I'll find some references) ... I'm usually pointed at DSCNs 14 & 18, or, more recently, the EU MMD processes. It'd be these things, along with other evidence, that the NHS apps store people will use in assessing clinical safety (I've seen the some what more detailed process diagram, having been involved in the development of the accreditation process).

Personally I'd rather see the code ... then again, people who have seen my dev efforts would say I'm not the best person to be reviewing code.

And while Linus & Raymond lead us too believe that with many eyes, all bugs are shallow, many of the best exploits have been made against code developed, reviewed, committed (by people much more talented than the most l33t devs on this list) and accepted as safe for years...

Just sayin....

Rob
--
Rob Dyke, Tactix4.
Sent while out and about, so you might reach me 07833 450022

carl <carl.r...@openhealthcare.org.uk> wrote:
Dear Everyone/NHS England/Maureen Baker

I came across the app review process http://apps.nhs.uk/review-process/ this morning

I'm very interested in understanding how it's possible to assess the safety of an app without inspecting the source code (as they do in the aviation industry)

I'd love to hear your thoughts on this and discuss further

Best wishes, Carl



drcjar

unread,
May 11, 2013, 1:09:11 AM5/11/13
to nhsha...@googlegroups.com
thanks Rob

I'm a bit confused about how dscns 14 and 18 eu mmd might cause it to be that its possible to assess the safety of an app without code review.. could you elaborate? or were you just explaining the rationale of the decision makers involved for the process?

re para 3... what does 'many of the best exploits' mean? the majority? how is bestness of exploits measured? do you know of any good references for this?

finally, and perhsps most surprisingly and challengingly to my world view, you suggest that there exist developers in the world better than the best developers on this list and that even they write code that gets exploited... that really is food for thought.

best, Carl
--
You received this message because you are subscribed to the Google Groups "nhshackday" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nhshackday+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Rob Dyke

unread,
May 11, 2013, 6:12:08 AM5/11/13
to nhsha...@googlegroups.com
Source code inspection related article (previously posted to NHSHD) Lawyer Karen Sandler's heart condition means she needs a pacemaker to ward off sudden death. Instead of trusting that the vendor will create a flawless platform for the device to operate, Sandler has demanded to see the device's source code.  (via slashdot.) Alternative cultural reference... did anyone watch Elementary S01E21 "A Landmark Story" in which a pacemaker is hacked to deliver a fatal electric shock? Or how about this story: Insulin pump hack delivers fatal dosage over the air.

DSCN14 makes it the responsibility of the developer/vendor bringing software to market to have appropriate systems/processes in place to ensure quality and clinical safety. DSCN 18 asks the healthcare purchaser to conduct a risk assessment when adopting / implementing such software. Code review under NDA / escrow could be part of the acceptance process. So the code does not have to be open for an appropriate review to have taken place. The DSCNs don't enforce any particular process on anyone either. EU MMD legisation categorises software as medical device into different risk bands. The lowest risk category (into which the apps.nhs.net offering seems to all fall into) is self certification of compliance with legislation. You all know this of course from the recent discussion on this list about EU MMD and the presentation I shared from the MHRA....

With the apps in the store being mainly advice and guidance apps at this time, I'm pretty happy with the review and acceptance process as the team are addressing the quality of content issues appropriately. The biggest weakness in many health apps being the quality of the content... as your friend Jeremy Wyatt has pointed out a few times (e.g. here http://j.mp/10MPicO )

As for 'many of the best exploits' - this is a wholly arbitrary count of a wholly personal categorization of any exploit I've seen. Current favs include the Debian SSH / SSL bug (http://j.mp/15XK4Uz) and another similar that I can't seem to find right now (damm you google!)


--
Rob Dyke

Director, Tactix4
Office: +44 (0)845 003 9159
Mobile: +44 (0)783 345 0022
Web: tactix4.com @tactix4 LinkedIn


From: "drcjar" <drc...@gmail.com>
To: nhsha...@googlegroups.com
Sent: Saturday, 11 May, 2013 6:09:11 AM

Kenny

unread,
May 14, 2013, 2:39:58 PM5/14/13
to nhsha...@googlegroups.com, nhsha...@googlegroups.com
Rob

Our attached acute trust has just published Bugbuster 3000 in the Apple app store, but this hasnt been through the apps.nhs.uk testing and review process. How can we ensure that only apps that have been reviewed are used in a clinical setting?

Kenny

Sent from my IPAD

Rob Dyke

unread,
May 14, 2013, 2:53:42 PM5/14/13
to nhsha...@googlegroups.com
Bugbuster 3000 ... isn't that a character from the Terminator series of films?

https://itunes.apple.com/es/app/bugbuster-3000/id626651598?l=en

So this is an advice app for clinicians. apps.nhs.uk is for patients, aiming "to make it simpler for people to find safe and trusted apps to help them manage their health". I understand that apps for clinicians may come in a later stage of this initiative ...

Can we ensure that only reviewed apps are used in a clinical setting? And we can't. There are more than 7 apps for healthcare professionals (8 now including BugBanger700000 from your Acute Trust) in the iFruitCake store and the Commissioning Board can't review all of them.

Your Acute now has some app code ... wouldn't it be great this is was open so it could be used as a framework for others to develop and extend or localise with guidelines from another organisation...


--
Rob Dyke

Director, Tactix4


From: "Kenny" <kennyken...@gmail.com>
To: nhsha...@googlegroups.com
Cc: nhsha...@googlegroups.com
Sent: Tuesday, 14 May, 2013 7:39:58 PM
Reply all
Reply to author
Forward
0 new messages