A Framework for mHealth App Security and Privacy Analysis

移动医疗应用程序安全和隐私分析框架

• 批准号: 10760047
• 负责人: Sheikh Iqbal Ahamed
• 金额: $ 78.88万
• 依托单位: UBITRIX INTERNATIONAL, INC.
• 依托单位国家: 美国
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-09-15 至 2025-08-31
• 项目状态: 未结题
• 来源: https://reporter.nih.gov/project-details/10760047
• 关键词: Address; Algorithms; Android; Apple; Appointments and Schedules; Area; Awareness; Behavior; Businesses; Cellular Phone; Code; Collaborations; Computer software; Data; Data Security; Dedications; Development; Devices; Effectiveness; Environment; Evaluation; FDA approved; Guidelines; Health; Health Insurance Portability and Accountability Act; Health Personnel; Health protection; Healthcare; International; Java; Knowledge; Language; Link; Marketing; Medical; Medical History; Medical Records; Methods; Mobile Health Application; Monitor; Names; Online Systems; Outcome; Patients; Performance; Phase; Play; Plug-in; Policies; Privacy; Privatization; Probability; Production; Programming Languages; Protocols documentation; Provider; Pythons; Regulation; Reproduction; Research; Research Personnel; Risk; Sample Size; Secure; Security; Side; Small Business Technology Transfer Research; Source Code; Techniques; Testing; United States Centers for Medicare and Medicaid Services; Universities; Vendor; computerized data processing; data communication; data exchange; data interoperability; data sharing; electronic health record system; encryption; evaluation/testing; handheld mobile device; health data; improved; mHealth; mobile application; non-compliance; prevent; prototype; remote health care; seal; sensor; smartphone application; success; supply chain; support tools; tool; transmission process; virtual; web based interface; web site

PROJECT SUMMARY/ABSTRACT With the increased use of mobile health (mHealth) apps to improve health outcomes, protecting private health data is becoming increasingly important. These mHealth apps are offered by healthcare providers and used by patients for various reasons such as paying bills, scheduling appointments, sending messages to providers, accessing lab results, and viewing prescriptions and medical records. With patients’ increasing desire for data accessibility and app data sharing, it is critical to ensure that patients transmit their Protected Health Information (PHI) to apps that comply with HIPAA privacy and security regulations. Unfortunately, about 25% of healthcare providers suffer from data breaches violating HIPAA policies caused by using mobile devices that come with mHealth apps. These breaches result in lawsuits and loss of confidence among health providers and patients. Earlier research has focused on mobile device security but has not checked further how apps store or transfer data securely before being used by remote healthcare providers or users. A total of 303,867 complaints have been received in the HHS.gov until July 2022 [95], which indicates that most developers, including mHealth apps developers, are unaware of HIPAA security and privacy regulations. This creates the market opportunity to develop static and dynamic code analysis tools for mHealth app developers, so their developed products meet HIPAA security and privacy guidelines. Currently, there is a lack of an analysis framework to check mHealth apps’ security and privacy risks following the applicable HIPAA technical security and privacy guidelines. We have developed a framework to analyze mHealth apps for HIPAA security and privacy compliance for Android. The tool is available both as a web-based interface for users without knowledge of HIPAA or app security and as a plugin with Android Studio to enable health app developers to test source code for potential data security breaches related to HIPAA before posting to the marketplace. In addition, the tool addresses API level checking for secure data communication mandated by recent Centers for Medicare & Medicaid Services (CMS) guidelines between third-party mobile health apps and EHR systems. The analysis framework also addresses heterogeneous health data and enables providers to comply with HIPAA administrative and operational guidelines. We have performed two acceptance tests on the prototype based on partnering with HIPAA experts, medical doctors, and for-profit EHR vendors along with the effectiveness of tools for detecting health data security breaches. In Phase II, we propose a commercial product mSPAiOS as a mHealth HIPAA checker by extending the framework for iOS mHealth apps security and privacy assessment, plugin support for xCode environment, and performance evaluation of the product by at least 3 for-profit organizations/EHR vendors. The proposed tool has the potential to capture the market of the HIPAA-compliant assessment as a unique product that is not provided by any existing tools.

项目摘要/摘要 随着移动健康（MHealth）应用程序的增加来改善健康结果，保护 私人健康数据变得越来越重要。这些MHealth应用程序由 医疗保健提供者，患者出于各种原因，例如支付账单，安排时间安排 约会，向提供商发送消息，访问实验室结果并查看处方 和病历。随着患者对数据可访问性和应用数据共享的渴望， 至关重要的是要确保患者将其受保护的健康信息（PHI）传递给应用程序 遵守HIPAA隐私和安全法规。不幸的是，约有25％的医疗保健 提供者遭受数据中断违反HIPAA政策的数据中断，原因是使用移动设备引起的 随附MHealth应用程序。这些呼吸导致诉讼和健康之间的信心丧失 提供者和患者。较早的研究重点是移动设备安全，但没有 在远程医疗保健使用之前，进一步检查了应用程序如何安全地存储或传输数据 提供者或用户。直到7月，HHS.GOV总共收到了303,867个投诉 2022 [95]，表明大多数开发人员（包括MHealth应用程序开发人员）都不知道 HIPAA安全和隐私法规。这创造了开发静态的市场机会 和MHealth应用程序开发人员的动态代码分析工具，因此他们的开发产品满足 HIPAA安全和隐私指南。目前，缺乏分析框架 遵循适用的HIPAA技术安全检查MHealth应用程序的安全性和隐私风险 和隐私指南。我们已经开发了一个框架来分析HIPAA的MHealth应用程序 Android的安全性和隐私合规性。该工具既可以作为基于网络的接口 对于不了解HIPAA或App Security的用户以及Android Studio的插件 使Health应用程序开发人员能够测试源代码，以了解与 HIPAA发布到市场之前。此外，该工具解决了API级检查 最近由医疗保险和医疗补助服务中心要求的安全数据通信 （CMS）第三方移动健康应用程序和EHR系统之间的指南。分析 框架还解决了异构健康数据，并使提供者能够遵守 HIPAA行政和运营指南。我们已经对 基于与HIPAA专家，医生和营利性EHR合作的原型 供应商以及用于检测健康数据安全休息的工具的有效性。在阶段 ii，我们通过扩展 iOS MHealth应用程序安全和隐私评估的框架，XCode的插件支持 至少3个营利性组织/EHR对产品的环境和性能评估 供应商。提出的工具有可能捕获符合HIPAA的市场 评估是任何现有工具未提供的独特产品。