A Framework for mHealth App Security and Privacy Analysis

移动医疗应用程序安全和隐私分析框架

• 批准号: 10760047
• 负责人: Sheikh Iqbal Ahamed
• 金额: $ 78.88万
• 依托单位: UBITRIX INTERNATIONAL, INC.
• 依托单位国家: 美国
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-09-15 至 2025-08-31
• 项目状态: 未结题
• 来源: https://reporter.nih.gov/project-details/10760047
• 关键词: Address; Algorithms; Android; Apple; Appointments and Schedules; Area; Awareness; Behavior; Businesses; Cellular Phone; Code; Collaborations; Computer software; Data; Data Security; Dedications; Development; Devices; Effectiveness; Environment; Evaluation; FDA approved; Guidelines; Health; Health Insurance Portability and Accountability Act; Health Personnel; Health protection; Healthcare; International; Java; Knowledge; Language; Link; Marketing; Medical; Medical History; Medical Records; Methods; Mobile Health Application; Monitor; Names; Online Systems; Outcome; Patients; Performance; Phase; Play; Plug-in; Policies; Privacy; Privatization; Probability; Production; Programming Languages; Protocols documentation; Provider; Pythons; Regulation; Reproduction; Research; Research Personnel; Risk; Sample Size; Secure; Security; Side; Small Business Technology Transfer Research; Source Code; Techniques; Testing; United States Centers for Medicare and Medicaid Services; Universities; Vendor; computerized data processing; data communication; data exchange; data interoperability; data sharing; electronic health record system; encryption; evaluation/testing; handheld mobile device; health data; improved; mHealth; mobile application; non-compliance; prevent; prototype; remote health care; seal; sensor; smartphone application; success; supply chain; support tools; tool; transmission process; virtual; web based interface; web site

PROJECT SUMMARY/ABSTRACT With the increased use of mobile health (mHealth) apps to improve health outcomes, protecting private health data is becoming increasingly important. These mHealth apps are offered by healthcare providers and used by patients for various reasons such as paying bills, scheduling appointments, sending messages to providers, accessing lab results, and viewing prescriptions and medical records. With patients’ increasing desire for data accessibility and app data sharing, it is critical to ensure that patients transmit their Protected Health Information (PHI) to apps that comply with HIPAA privacy and security regulations. Unfortunately, about 25% of healthcare providers suffer from data breaches violating HIPAA policies caused by using mobile devices that come with mHealth apps. These breaches result in lawsuits and loss of confidence among health providers and patients. Earlier research has focused on mobile device security but has not checked further how apps store or transfer data securely before being used by remote healthcare providers or users. A total of 303,867 complaints have been received in the HHS.gov until July 2022 [95], which indicates that most developers, including mHealth apps developers, are unaware of HIPAA security and privacy regulations. This creates the market opportunity to develop static and dynamic code analysis tools for mHealth app developers, so their developed products meet HIPAA security and privacy guidelines. Currently, there is a lack of an analysis framework to check mHealth apps’ security and privacy risks following the applicable HIPAA technical security and privacy guidelines. We have developed a framework to analyze mHealth apps for HIPAA security and privacy compliance for Android. The tool is available both as a web-based interface for users without knowledge of HIPAA or app security and as a plugin with Android Studio to enable health app developers to test source code for potential data security breaches related to HIPAA before posting to the marketplace. In addition, the tool addresses API level checking for secure data communication mandated by recent Centers for Medicare & Medicaid Services (CMS) guidelines between third-party mobile health apps and EHR systems. The analysis framework also addresses heterogeneous health data and enables providers to comply with HIPAA administrative and operational guidelines. We have performed two acceptance tests on the prototype based on partnering with HIPAA experts, medical doctors, and for-profit EHR vendors along with the effectiveness of tools for detecting health data security breaches. In Phase II, we propose a commercial product mSPAiOS as a mHealth HIPAA checker by extending the framework for iOS mHealth apps security and privacy assessment, plugin support for xCode environment, and performance evaluation of the product by at least 3 for-profit organizations/EHR vendors. The proposed tool has the potential to capture the market of the HIPAA-compliant assessment as a unique product that is not provided by any existing tools.

项目总结/摘要 随着越来越多地使用移动的健康（mHealth）应用程序来改善健康结果， 私人健康数据正变得越来越重要。这些mHealth应用程序由 医疗保健提供者和患者出于各种原因使用，例如支付账单、调度 预约、向提供者发送消息、访问实验室结果和查看处方 和医疗记录随着患者对数据可访问性和应用程序数据共享的需求不断增加， 确保患者将其受保护的健康信息（PHI）传输到 遵守HIPAA隐私和安全法规。不幸的是，大约25%的医疗保健 提供商遭受违反HIPAA政策的数据泄露，这些数据泄露是由于使用移动的设备造成的， 移动健康应用这些违规行为导致诉讼和对健康的信心丧失 供应商和患者。早期的研究主要集中在移动终端安全上， 进一步检查了应用程序在被远程医疗保健使用之前如何安全地存储或传输数据 供应商或用户。截至7月，HHS.gov共收到303，867起投诉 2022 [95]，这表明大多数开发人员，包括mHealth应用程序开发人员，都不知道 HIPAA安全和隐私法规。这就创造了静态发展的市场机会 和动态代码分析工具的mHealth应用程序开发人员，使他们开发的产品满足 HIPAA安全和隐私准则。目前，缺乏一个分析框架， 根据适用的HIPAA技术安全检查mHealth应用程序的安全和隐私风险 和隐私准则。我们已经开发了一个框架来分析移动健康应用程序的HIPAA Android的安全和隐私合规性。该工具既可以作为基于Web的界面， 对于不了解HIPAA或应用程序安全性的用户，作为Android Studio的插件， 使健康应用程序开发人员能够测试源代码，以发现与以下内容相关的潜在数据安全漏洞： 在发布到市场之前，先进行HIPAA。此外，该工具还解决了API级别的检查， 最近的医疗保险和医疗补助服务中心要求的安全数据通信 (CMS)第三方移动的健康应用程序和EHR系统之间的指导方针。分析 框架还解决了异构健康数据，使供应商能够遵守 HIPAA管理和操作指南。我们已经进行了两次验收测试， 该原型基于与HIPAA专家、医生和营利性EHR的合作 供应商沿着的有效性的工具，用于检测健康数据的安全漏洞。同相 第二，我们提出了一个商业产品mSPAiOS作为mHealth HIPAA检查器，通过扩展 iOS mHealth应用程序安全和隐私评估框架，xCode插件支持 环境，以及至少3个营利性组织/EHR对产品的性能评估 厂商拟议的工具有可能抓住市场的健康保险责任法案兼容 评估是一种独特的产品，任何现有工具都无法提供。