NIST looks for public comment on mobile app vetting draft guidance

The National Institute of Standards and Technology is accepting public comment on draft guidance regarding vetting of third-party software for mobile devices.

The Draft Special Publication 800-163, Technical Considerations for Vetting 3rd Party Mobile Applications, states that emulated and virtual environments are useful for vetting mobile apps because they make it possible to test various configurations and to automate the testing and examination of an app.

Vetting is a process for assessing security, reliability and performance to ensure an app is acceptable for use in an expected situation. The guidance document provides key technical assurance points to help companies begin implementing a vetting process. The public comment period began on Aug. 18 and will conclude on Sept. 18.

The federal initiative comes as mHealth apps and devices are proliferating rapidly and expanding well beyond their initial fitness and health uses. Lawmakers, regulatory agencies and privacy organizations are expressing concerns about app data security and data sharing, and about whether particular apps should fall under the same regulations as medical devices.

Some people, including former U.S. Food and Drug Administration officials, believe the FDA should exempt most health and wellness apps from premarket review and define basic technical standards to spur innovation, according to a Wall Street Journal column. Others, including New York Sen. Chuck Schumer (D), believe stricter oversight and regulation are warranted, and describe the potential for data sharing without consumer consent as a "privacy nightmare."

This NIST document notes that the proposed guidance should not be used as a step-by-step guide for software vetting, but "highlights those elements that are particularly important to be considered before mobile apps are approved as 'fit-for-use,'" adding that the focus is how to vet apps once a platform choice has been made.

The document offers a slew of key recommendations, from ensuring an understanding of the security and privacy risks presented by an app and establishing a plan for mitigating those risks, to providing ongoing assurance of the app throughout its lifecycle and providing mobile app security and privacy training for employees.

Those wishing to provide comment can complete a form and email it to NIST with "Comments on Draft SP 800-163" as the subject line.
