A Framework for mHealth App Security and Privacy Analysis

Organization: UBITRIX INTERNATIONAL, INC.
Location: MILWAUKEE, UNITED STATES
Posted: 15 Sept 2021
Deadline: 31 Aug 2026
NIH · US Federal · Research Grant · FY2024

Full Description

PROJECT SUMMARY/ABSTRACT

With the increased use of mobile health (mHealth) apps to improve health outcomes, protecting private health data is becoming increasingly important. These mHealth apps are offered by healthcare providers and used by patients for various reasons such as paying bills, scheduling appointments, sending messages to providers, accessing lab results, and viewing prescriptions and medical records. With patients’ increasing desire for data accessibility and app data sharing, it is critical to ensure that patients transmit their Protected Health Information (PHI) to apps that comply with HIPAA privacy and security regulations. Unfortunately, about 25% of healthcare providers suffer from data breaches violating HIPAA policies caused by using mobile devices that come with mHealth apps. These breaches result in lawsuits and loss of confidence among health providers and patients. Earlier research has focused on mobile device security but has not checked further how apps store or transfer data securely before being used by remote healthcare providers or users. A total of 303,867 complaints have been received at HHS.gov until July 2022 [95], which indicates that most developers, including mHealth app developers, are unaware of HIPAA security and privacy regulations. This creates the market opportunity to develop static and dynamic code analysis tools for mHealth app developers, so their developed products meet HIPAA security and privacy guidelines. Currently, there is a lack of an analysis framework to check mHealth apps’ security and privacy risks following the applicable HIPAA technical security and privacy guidelines. We have developed a framework to analyze mHealth apps for HIPAA security and privacy compliance for Android. The tool is available both as a web-based interface for users without knowledge of HIPAA or app security and as a plugin for Android Studio to enable health app developers to test source code for potential data security breaches related to HIPAA before posting to the marketplace. In addition, the tool addresses API-level checking for secure data communication, mandated by recent Centers for Medicare & Medicaid Services (CMS) guidelines, between third-party mobile health apps and EHR systems. The analysis framework also addresses heterogeneous health data and enables providers to comply with HIPAA administrative and operational guidelines. We have performed two acceptance tests on the prototype, based on partnering with HIPAA experts, medical doctors, and for-profit EHR vendors, along with the effectiveness of the tools for detecting health data security breaches. In Phase II, we propose a commercial product, mSPAiOS, as an mHealth HIPAA checker by extending the framework for iOS mHealth app security and privacy assessment, plugin support for the Xcode environment, and performance evaluation of the product by at least 3 for-profit organizations/EHR vendors. The proposed tool has the potential to capture the market of the HIPAA-compliant assessment as a unique product that is not provided by any existing tools.

Grant Number: 5R42LM014356-03
NIH Institute/Center: NIH

Principal Investigator: Sheikh Ahamed
