A Framework for mHealth App Security and Privacy Analysis

移动医疗应用程序安全和隐私分析框架

• 批准号: 10325277
• 负责人: Sheikh Iqbal Ahamed
• 金额: $ 25.61万
• 依托单位: UBITRIX INTERNATIONAL, INC.
• 依托单位国家: 美国
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-09-15 至 2023-08-31
• 项目状态: 已结题
• 来源: https://reporter.nih.gov/project-details/10325277
• 关键词: Address; Adoption; Android; Apple; Area; Awareness; Behavior; Businesses; Car Phone; Code; Communication; Communities; Data; Data Security; Development; Devices; Early Diagnosis; Effectiveness; Ensure; Environment; FDA approved; Future; Goals; Guidelines; Health; Health Insurance Portability and Accountability Act; Health Personnel; Healthcare; Knowledge; Medical; Medical History; Mobile Health Application; Monitor; Outcome; Patients; Phase; Policies; Privacy; Privatization; Provider; Regulation; Reporting; Research; Research Personnel; Risk; Secure; Security; Source Code; System; Techniques; Testing; Vendor; base; computerized data processing; cost effectiveness; data exchange; data privacy; data sharing; design; flexibility; handheld mobile device; health data; improved; mHealth; mobile application; phase 1 study; prototype; remote health care; sensor; support tools; tool; transmission process; web based interface

Abstract: With the increased use of mobile health apps to improve health outcomes, protecting private health data is becoming increasingly important. Researchers estimate there are over 300,000 mHealth apps in existence, and some relate to HIPAA covered entities or their business associates. With patients’ increasing desire for data accessibility and app data sharing, it is critical to ensure that patients transmit their Protected Health Information (PHI) to apps that are compliant with HIPAA privacy and security rules. About 25% of healthcare providers suffer from data breaches violating HIPAA policies, caused by using mobile devices that come preloaded with mHealth apps. This results in lawsuits, and loss of confidence among health providers and patients. Earlier research has focused on security of mobile devices, but not checking further how apps store or transfer data securely before being used by remote health care providers or users. Most mobile app developers including mHealth apps are not aware of HIPAA security and privacy regulations. This creates the market opportunity to develop static and dynamic code analysis tools for mHealth app developers, so their developed products meet HIPAA security and privacy guidelines. Currently, there is a lack of an analysis framework to check mHealth apps’ security and privacy risks following the applicable HIPAA technical security and privacy guidelines. We propose to develop a framework to analyze mHealth apps for HIPAA security and privacy compliance. The framework will allow users who have no knowledge of HIPAA or app security to receive an assessment of security and privacy risks per HIPAA guidelines. Initially based on Android Studio, the tool will test the source code of mHealth applications for potential data security breaches related to HIPAA before posting for the marketplace. The tool will further address API level checking for secure data communication mandated by recent CMS guidelines between third party mobile health apps and EHR systems. The analysis framework will also address heterogeneous health data and enable providers to remain compliant with HIPAA administrative and operational guidelines. We propose to perform two acceptance tests on the prototype based on partnering with HIPAA experts and medical doctors and for-profit EHR vendors along with the effectiveness of tools for detecting health data security breaches. The proposed tool will further enable the development of data breach checking for iOS mHealth apps and adoption and integration by large scale EHR vendors in the future.

摘要：随着越来越多地使用移动健康应用程序来改善健康结果，保护 研究人员估计，私人健康数据正变得越来越重要。 现有 300,000 个移动医疗应用程序，其中一些与 HIPAA 涵盖的实体或其业务相关 随着患者对数据可访问性和应用程序数据共享的需求不断增加，这一点至关重要。 确保患者将受保护的健康信息 (PHI) 传输到合规的应用程序 根据 HIPAA 隐私和安全规则，大约 25% 的医疗保健提供者受到数据的困扰。 由于使用预装的移动设备而导致违反 HIPAA 政策的行为 移动医疗应用程序会导致诉讼，并使医疗服务提供者和机构失去信心。 早期的研究主要集中在移动设备的安全性上，但没有进一步检查如何实现。 应用程序在远程医疗保健提供者或用户使用之前安全地存储或传输数据。 大多数移动应用程序开发人员（包括移动医疗应用程序）都不了解 HIPAA 安全和隐私 这为开发静态和动态代码分析工具创造了市场机会。 对于移动医疗应用程序开发人员来说，他们开发的产品符合 HIPAA 安全和隐私要求 目前，缺乏一个分析框架来检查移动医疗应用程序的安全性。 遵循适用的 HIPAA 技术安全和隐私准则的隐私风险。 建议开发一个框架来分析移动医疗应用程序的 HIPAA 安全和隐私 该框架将允许不了解 HIPAA 或应用程序安全性的用户。 最初根据 HIPAA 指南接受安全和隐私风险评估。 Android Studio，该工具将测试 mHealth 应用程序的源代码以确保潜在的数据安全 在发布到市场之前，该工具将进一步解决与 HIPAA 相关的违规问题。 最近的 CMS 指南强制要求第三方之间进行安全数据通信的级别检查 该分析框架还将解决各方移动健康应用程序和电子病历系统的问题。 异构健康数据并使提供商能够保持符合 HIPAA 管理要求 我们建议对基于原型的进行两次验收测试。 与 HIPAA 专家、医生、营利性 EHR 供应商以及 所提议的工具将进一步提高检测健康数据安全漏洞的工具的有效性。 促进 iOS 移动医疗应用程序数据泄露检查的开发和采用 未来将由大型 EHR 供应商进行整合。