Mia Md Raihan, Shahriar Hossain, Valero Maria, Sakib Nazmus, Saha Bilash, Barek Md Abdul, Faruk Md Jobair Hossain, Goodman Ben, Khan Rumi Ahmed, Ahamed Sheikh Iqbal
Department of Computer Science at Marquette University, WI, USA.
Department of Information Technology at Kennesaw State University, GA, USA.
Smart Health (Amst). 2022 Dec;26. doi: 10.1016/j.smhl.2022.100349. Epub 2022 Oct 8.
Protecting personal health records is becoming increasingly important as more people use Mobile Health applications (mHealth apps) to improve their health outcomes. These mHealth apps enable consumers to monitor their health-related problems, store, manage, and share health records, medical conditions, treatment, and medication. With the increase of mHealth apps accessibility and usability, it is crucial to create, receive, maintain or transmit protected health information (PHI) on behalf of a covered entity or another business associate. The Health Insurance Portability and Accountability Act (HIPAA) provides guidelines to the app developers so that the apps must be compliant with required and addressable Technical Safeguards. However, most mobile app developers, including mHealth apps are not aware of HIPAA security and privacy regulations. Therefore, a research opportunity has emerged to develop an analytical framework to assist the developer to maintain a secure and HIPAA-compliant source code and raise awareness among consumers about the privacy and security of sensitive and personal health information. We proposed an Android source code analysis framework that evaluates twelve HIPAA Technical Safeguards to check whether a mHealth application is HIPAA compliant or not. The implemented meta-analysis and data-flow analysis algorithms efficiently identify the risk and safety features of mHealth apps that violate HIPAA regulations. Furthermore, we addressed API level checking for secure data communication mandated by recent CMS guidelines between third-party mobile health apps and EHR systems. Experimentally, a web-based tool has been developed for evaluating the efficacy of analysis techniques and algorithms. We have investigated 200 top popular Medical and Health & Fitness category Android apps collected from Google Play Store. We identified from the comparative analysis of the HIPAA rules assessment results that authorization to access sensitive resources, data encryption-decryption, and data transmission security is the most vulnerable features of the investigated apps. We provided recommendations to app developers about the most common mistake made at the time of app development and how to avoid these mistakes to implement secure and HIPAA-compliant apps. The proposed framework enables us to develop an IDE plugin for mHealth app developers and a web-based interface for mHealth app consumers.
随着越来越多的人使用移动健康应用程序(mHealth应用)来改善健康状况,保护个人健康记录变得愈发重要。这些mHealth应用使消费者能够监测与健康相关的问题、存储、管理和共享健康记录、医疗状况、治疗情况及用药信息。随着mHealth应用的可访问性和可用性不断提高,代表涵盖实体或其他业务伙伴创建、接收、维护或传输受保护健康信息(PHI)至关重要。《健康保险流通与责任法案》(HIPAA)为应用开发者提供了指导方针,以使应用必须符合规定的和可解决的技术保障措施。然而,包括mHealth应用在内的大多数移动应用开发者并不了解HIPAA的安全和隐私法规。因此,出现了一个研究机会,即开发一个分析框架,以协助开发者维护安全且符合HIPAA的源代码,并提高消费者对敏感和个人健康信息的隐私及安全的认识。我们提出了一个安卓源代码分析框架,该框架评估十二项HIPAA技术保障措施,以检查mHealth应用是否符合HIPAA规定。所实施的元分析和数据流分析算法能有效识别违反HIPAA法规的mHealth应用的风险和安全特征。此外,我们还针对第三方移动健康应用与电子健康记录(EHR)系统之间近期CMS指南所要求的安全数据通信进行了API级别检查。通过实验,开发了一个基于网络的工具来评估分析技术和算法的有效性。我们调查了从谷歌应用商店收集的200款最受欢迎的医疗及健康与健身类安卓应用。从对HIPAA规则评估结果的比较分析中我们发现,访问敏感资源的授权、数据加密解密以及数据传输安全是被调查应用中最易受攻击的特征。我们向应用开发者提供了关于应用开发时最常见错误的建议,以及如何避免这些错误以实现安全且符合HIPAA的应用。所提出的框架使我们能够为mHealth应用开发者开发一个集成开发环境(IDE)插件,并为mHealth应用消费者开发一个基于网络的界面。
