A Framework for mHealth App Security and Privacy Analysis

移动医疗应用程序安全和隐私分析框架

• 批准号: 10325277
• 负责人: Sheikh Iqbal Ahamed
• 金额: $ 25.61万
• 依托单位: UBITRIX INTERNATIONAL, INC.
• 依托单位国家: 美国
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-09-15 至 2023-08-31
• 项目状态: 已结题
• 来源: https://reporter.nih.gov/project-details/10325277
• 关键词: Address; Adoption; Android; Apple; Area; Awareness; Behavior; Businesses; Car Phone; Code; Communication; Communities; Data; Data Security; Development; Devices; Early Diagnosis; Effectiveness; Ensure; Environment; FDA approved; Future; Goals; Guidelines; Health; Health Insurance Portability and Accountability Act; Health Personnel; Healthcare; Knowledge; Medical; Medical History; Mobile Health Application; Monitor; Outcome; Patients; Phase; Policies; Privacy; Privatization; Provider; Regulation; Reporting; Research; Research Personnel; Risk; Secure; Security; Source Code; System; Techniques; Testing; Vendor; base; computerized data processing; cost effectiveness; data exchange; data privacy; data sharing; design; flexibility; handheld mobile device; health data; improved; mHealth; mobile application; phase 1 study; prototype; remote health care; sensor; support tools; tool; transmission process; web based interface

Abstract: With the increased use of mobile health apps to improve health outcomes, protecting private health data is becoming increasingly important. Researchers estimate there are over 300,000 mHealth apps in existence, and some relate to HIPAA covered entities or their business associates. With patients’ increasing desire for data accessibility and app data sharing, it is critical to ensure that patients transmit their Protected Health Information (PHI) to apps that are compliant with HIPAA privacy and security rules. About 25% of healthcare providers suffer from data breaches violating HIPAA policies, caused by using mobile devices that come preloaded with mHealth apps. This results in lawsuits, and loss of confidence among health providers and patients. Earlier research has focused on security of mobile devices, but not checking further how apps store or transfer data securely before being used by remote health care providers or users. Most mobile app developers including mHealth apps are not aware of HIPAA security and privacy regulations. This creates the market opportunity to develop static and dynamic code analysis tools for mHealth app developers, so their developed products meet HIPAA security and privacy guidelines. Currently, there is a lack of an analysis framework to check mHealth apps’ security and privacy risks following the applicable HIPAA technical security and privacy guidelines. We propose to develop a framework to analyze mHealth apps for HIPAA security and privacy compliance. The framework will allow users who have no knowledge of HIPAA or app security to receive an assessment of security and privacy risks per HIPAA guidelines. Initially based on Android Studio, the tool will test the source code of mHealth applications for potential data security breaches related to HIPAA before posting for the marketplace. The tool will further address API level checking for secure data communication mandated by recent CMS guidelines between third party mobile health apps and EHR systems. The analysis framework will also address heterogeneous health data and enable providers to remain compliant with HIPAA administrative and operational guidelines. We propose to perform two acceptance tests on the prototype based on partnering with HIPAA experts and medical doctors and for-profit EHR vendors along with the effectiveness of tools for detecting health data security breaches. The proposed tool will further enable the development of data breach checking for iOS mHealth apps and adoption and integration by large scale EHR vendors in the future.

摘要：随着移动健康应用程序的使用增加以改善健康结果，保护 私人健康数据变得越来越重要。研究人员估计已经结束了 存在300,000个MHealth应用程序，有些与HIPAA涵盖的实体或其业务有关 同事。随着患者对数据可访问性和应用数据共享的日益渴望，这至关重要 确保患者将其受保护的健康信息（PHI）传输到合规性的应用 使用HIPAA隐私和安全规则。大约25％的医疗保健提供者遭受了数据的困扰 违反违反HIPAA政策的行为，该政策是由于使用预装的移动设备而引起的 MHealth应用程序。这导致诉讼以及卫生提供者和 患者。较早的研究重点是移动设备的安全性，但没有进一步检查 在远程医疗保健提供者或用户使用之前，请牢固地存储或传输数据。 包括MHealth应用在内的大多数移动应用程序开发人员都不知道HIPAA安全性和隐私 法规。这创造了开发静态和动态代码分析工具的市场机会 对于MHealth应用程序开发人员，因此他们的开发产品符合HIPAA安全性和隐私 指南。目前，缺乏检查MHealth应用程序安全性的分析框架 遵循适用的HIPAA技术安全和隐私指南的隐私风险。我们 提出开发一个框架以分析MHealth应用程序的HIPAA安全性和隐私性 遵守。该框架将允许对HIPAA或APP Security不了解的用户来 根据HIPAA准则，获得对安全性和隐私风险的评估。最初基于 Android Studio，该工具将测试MHealth应用程序的源代码，以确保潜在数据安全 在发布市场之前，与HIPAA有关的漏洞。该工具将进一步解决API 级别检查最近CMS指南规定的安全数据通信 政党移动健康应用程序和EHR系统。分析框架也将解决 异构健康数据，并使提供者能够遵守HIPAA管理 和运营指南。我们建议对基于原型的两个接受测试进行两项接受测试 与HIPAA专家和医生以及营利性EHR供应商合作 检测健康数据安全损耗的工具的有效性。提出的工具将进一步 启用iOS MHealth应用程序和采用的数据泄露检查的开发以及 将来大规模EHR供应商集成。