Xcertia, a standards and guidelines body for mobile apps, today announced the draft release of  its updated Privacy and Security Guidelines, a document consisting of practical and descriptive advice for health app designers.

The group has opened the draft up for comment from stakeholders and industry members for the next 45 days, Chuck Parker, managing director at Xcertia, said here at the Connected Health Conference in Boston. These suggestions will be incorporated into the final version of the document, which he said will be released in February at HIMSS19 in Orlando, Florida.

Xcertia is a collaborative organization backed by the American Medical Association, American Heart Association, DHX Group and HIMSS that was first launched at 2016’s Connected Health Conference. Earlier this year it announced the formation of a Guidelines Work Group as well as the formation of a strategic alliance with the Consumer Technology Association, both of which were intended to inform the construction of these and other advisory documents.

“[The latest guidelines are] a result of a new set of things we are doing within the Xcertia organization — that is, actually bringing together workgroups and creating a workgroups structure,” Parker said today during a press event. “We’re going to be doing this process on an annual basis. Since this time last year, we’ve had things from Europe like GDPR. We’ve also had legislation presented in California that’s going to be fairly complex and fairly restrictive.”

Why it matters

As connected devices and mobile health apps proliferate across consumer and provider audiences alike, the focus on privacy and security regarding patient health data has grown. Considering, the threats and legally-binding requirements change with each passing month, an open, available resource for app developers could be paramount.

“The guidelines themselves are very descriptive activities about how you implement the process of security or privacy. We look at what is actually implementable,” Parker said. “Privacy has some fairly well documented activities with HIPAA, with HITECH, with GDPR, with COPA, some very defined activities with those on the privacy side. Security, on the other hand, … is an ever-evolving activity. You look at the two-factor authentication process. Not to get too technical, but in that process of our guidelines we do get down to the very descriptive [level] on what it is a company needs to implement.”

What’s the trend

There’s plenty of evidence that health and fitness apps are behind the curb when it comes to privacy and security. In February, for instance, an investigation found that many health apps were insecure and did not conform to GDRP’s specifications, while a more recent investigation found similar issues among mental health apps. This year has also seen Strava, Polar, and others make headlines for potential exploitations of their GPS tracking features.