A Framework for mHealth App Security and Privacy Analysis

移动医疗应用程序安全和隐私分析框架

• 批准号: 10325277
• 负责人: Sheikh Iqbal Ahamed
• 金额: $ 25.61万
• 依托单位: UBITRIX INTERNATIONAL, INC.
• 依托单位国家: 美国
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-09-15 至 2023-08-31
• 项目状态: 已结题
• 来源: https://reporter.nih.gov/project-details/10325277
• 关键词: Address; Adoption; Android; Apple; Area; Awareness; Behavior; Businesses; Car Phone; Code; Communication; Communities; Data; Data Security; Development; Devices; Early Diagnosis; Effectiveness; Ensure; Environment; FDA approved; Future; Goals; Guidelines; Health; Health Insurance Portability and Accountability Act; Health Personnel; Healthcare; Knowledge; Medical; Medical History; Mobile Health Application; Monitor; Outcome; Patients; Phase; Policies; Privacy; Privatization; Provider; Regulation; Reporting; Research; Research Personnel; Risk; Secure; Security; Source Code; System; Techniques; Testing; Vendor; base; computerized data processing; cost effectiveness; data exchange; data privacy; data sharing; design; flexibility; handheld mobile device; health data; improved; mHealth; mobile application; phase 1 study; prototype; remote health care; sensor; support tools; tool; transmission process; web based interface

Abstract: With the increased use of mobile health apps to improve health outcomes, protecting private health data is becoming increasingly important. Researchers estimate there are over 300,000 mHealth apps in existence, and some relate to HIPAA covered entities or their business associates. With patients’ increasing desire for data accessibility and app data sharing, it is critical to ensure that patients transmit their Protected Health Information (PHI) to apps that are compliant with HIPAA privacy and security rules. About 25% of healthcare providers suffer from data breaches violating HIPAA policies, caused by using mobile devices that come preloaded with mHealth apps. This results in lawsuits, and loss of confidence among health providers and patients. Earlier research has focused on security of mobile devices, but not checking further how apps store or transfer data securely before being used by remote health care providers or users. Most mobile app developers including mHealth apps are not aware of HIPAA security and privacy regulations. This creates the market opportunity to develop static and dynamic code analysis tools for mHealth app developers, so their developed products meet HIPAA security and privacy guidelines. Currently, there is a lack of an analysis framework to check mHealth apps’ security and privacy risks following the applicable HIPAA technical security and privacy guidelines. We propose to develop a framework to analyze mHealth apps for HIPAA security and privacy compliance. The framework will allow users who have no knowledge of HIPAA or app security to receive an assessment of security and privacy risks per HIPAA guidelines. Initially based on Android Studio, the tool will test the source code of mHealth applications for potential data security breaches related to HIPAA before posting for the marketplace. The tool will further address API level checking for secure data communication mandated by recent CMS guidelines between third party mobile health apps and EHR systems. The analysis framework will also address heterogeneous health data and enable providers to remain compliant with HIPAA administrative and operational guidelines. We propose to perform two acceptance tests on the prototype based on partnering with HIPAA experts and medical doctors and for-profit EHR vendors along with the effectiveness of tools for detecting health data security breaches. The proposed tool will further enable the development of data breach checking for iOS mHealth apps and adoption and integration by large scale EHR vendors in the future.

摘要：随着越来越多地使用移动的健康应用程序来改善健康结果， 私人健康数据正变得越来越重要。研究人员估计， 现有300，000个mHealth应用程序，其中一些与HIPAA覆盖的实体或其业务相关 合伙人随着患者对数据可访问性和应用程序数据共享的需求日益增加， 确保患者将其受保护的健康信息（PHI）传输到合规的应用程序 遵守HIPAA隐私和安全规则。约25%的医疗保健提供商遭受数据 因使用预装的移动的设备而导致违反HIPAA政策的违规行为 移动健康应用。这导致诉讼，以及医疗服务提供者之间的信心丧失， 患者早期的研究集中在移动的设备的安全性上，但没有进一步检查如何安全 应用程序在被远程医疗保健提供者或用户使用之前安全地存储或传输数据。 大多数移动的应用程序开发人员，包括mHealth应用程序，都不了解HIPAA安全和隐私 规定这为开发静态和动态代码分析工具创造了市场机会 为mHealth应用程序开发人员，使他们开发的产品符合HIPAA安全和隐私 指南目前，缺乏一个分析框架来检查mHealth应用程序的安全性 遵守适用的HIPAA技术安全和隐私准则。我们 建议开发一个框架，分析移动健康应用程序的HIPAA安全和隐私 合规该框架将允许不了解HIPAA或应用程序安全性的用户 根据HIPAA指南接受安全和隐私风险评估。最初基于 Android Studio，该工具将测试mHealth应用程序的源代码，以确保潜在的数据安全性 在发布到市场上之前，与HIPAA相关的违规行为。该工具将进一步解决API 对第三方之间最近CMS指南规定的安全数据通信进行级别检查 党的移动的健康应用程序和EHR系统。分析框架还将解决 异构健康数据，并使提供商能够保持符合HIPAA管理 和业务准则。我们建议对原型进行两次验收测试， 与HIPAA专家、医生和营利性EHR供应商合作，沿着 检测健康数据安全漏洞的工具的有效性。拟议的工具将进一步 为iOS移动健康应用程序开发数据泄露检查并采用， 在未来的大规模EHR供应商的集成。