Disciplines
Health Information Technology
Abstract (300 words maximum)
Protecting personal health records is becoming increasingly important as more people use Mobile Health applications (mHealth apps) to improve their health outcomes. These mHealth apps enable consumers to monitor their health-related problems, store, manage, and share health records, medical conditions, treatment, and medication. With the increase of mHealth apps accessibility and usability, it is crucial to create, receive, maintain or transmit protected health information (PHI) on behalf of a covered entity or another business associate. The Health Insurance Portability and Accountability Act (HIPAA) provides guidelines to the app developers so that the apps must be compliant with required and addressable Technical Safeguard rules. However, most mobile app developers, including mHealth apps are not aware of HIPAA security and privacy regulations. Therefore, a research opportunity has emerged to develop an analytical framework to assist the developer to maintain a secure and HIPAA-compliant source code and raise awareness among consumers about the privacy and security of sensitive and personal health information. We proposed an Android source code analysis framework that evaluates twelve HIPAA Technical Safeguards to check whether a mHealth application is compliant or not. The implemented meta-analysis and data-flow analysis algorithms are efficient in identifying the risk and safety features for evaluating mHealth apps HIPAA violations. Furthermore, we addressed API level checking for secure data communication mandated by recent CMS guidelines between third-party mobile health apps and EHR systems. Experimentally, a web-based tool has been developed for evaluating the efficacy of analysis techniques and algorithms. We have investigated more than 200 top popular Medical and Health & Fitness category Android apps collected from Google Play Store. We identified from the comparative analysis of the HIPAA rules assessment report that authorization to access sensitive resources, data encryption-decryption, and data transmission security is the most vulnerable features of the investigated apps. We recommend to app developers the most common mistake done at the time of app development and how to avoid these mistakes to implement secure and HIPAA-compliant applications. The proposed framework enables us to develop an IDE plugin for mHealth app developers and a web-based interface for mHealth app consumers.
Academic department under which the project should be listed
Information Technology
Primary Investigator (PI) Name
Dr. Hossain Shahriar
Included in
HIPAAChecker: A Web Based Application on HIPAA Technical Safeguards Assessment of Android mHealth Applications
Protecting personal health records is becoming increasingly important as more people use Mobile Health applications (mHealth apps) to improve their health outcomes. These mHealth apps enable consumers to monitor their health-related problems, store, manage, and share health records, medical conditions, treatment, and medication. With the increase of mHealth apps accessibility and usability, it is crucial to create, receive, maintain or transmit protected health information (PHI) on behalf of a covered entity or another business associate. The Health Insurance Portability and Accountability Act (HIPAA) provides guidelines to the app developers so that the apps must be compliant with required and addressable Technical Safeguard rules. However, most mobile app developers, including mHealth apps are not aware of HIPAA security and privacy regulations. Therefore, a research opportunity has emerged to develop an analytical framework to assist the developer to maintain a secure and HIPAA-compliant source code and raise awareness among consumers about the privacy and security of sensitive and personal health information. We proposed an Android source code analysis framework that evaluates twelve HIPAA Technical Safeguards to check whether a mHealth application is compliant or not. The implemented meta-analysis and data-flow analysis algorithms are efficient in identifying the risk and safety features for evaluating mHealth apps HIPAA violations. Furthermore, we addressed API level checking for secure data communication mandated by recent CMS guidelines between third-party mobile health apps and EHR systems. Experimentally, a web-based tool has been developed for evaluating the efficacy of analysis techniques and algorithms. We have investigated more than 200 top popular Medical and Health & Fitness category Android apps collected from Google Play Store. We identified from the comparative analysis of the HIPAA rules assessment report that authorization to access sensitive resources, data encryption-decryption, and data transmission security is the most vulnerable features of the investigated apps. We recommend to app developers the most common mistake done at the time of app development and how to avoid these mistakes to implement secure and HIPAA-compliant applications. The proposed framework enables us to develop an IDE plugin for mHealth app developers and a web-based interface for mHealth app consumers.