SBIR-STTR Award

With the increased use of mobile health apps to improve health outcomes, protecting private health data is becoming increasingly important. Researchers estimate there are over 300, 000 mHealth apps in existence, and some relate to HIPAA covered entities or their business associates. With patients' increasing desire for data accessibility and app data sharing, it is critical to ensure that patients transmit their Protected Health Information (PHI) to apps that are compliant with HIPAA privacy and security rules. About 25% of healthcare providers suffer from data breaches violating HIPAA policies, caused by using mobile devices that come preloaded with mHealth apps. This results in lawsuits, and loss of confidence among health providers and patients. Earlier research has focused on security of mobile devices, but not checking further how apps store or transfer data securely before being used by remote health care providers or users. Most mobile app developers including mHealth apps are not aware of HIPAA security and privacy regulations. This creates the market opportunity to develop static and dynamic code analysis tools for mHealth app developers, so their developed products meet HIPAA security and privacy guidelines. Currently, there is a lack of an analysis framework to check mHealth apps' security and privacy risks following the applicable HIPAA technical security and privacy guidelines. We propose to develop a framework to analyze mHealth apps for HIPAA security and privacy compliance. The framework will allow users who have no knowledge of HIPAA or app security to receive an assessment of security and privacy risks per HIPAA guidelines. Initially based on Android Studio, the tool will test the source code of mHealth applications for potential data security breaches related to HIPAA before posting for the marketplace. The tool will further address API level checking for secure data communication mandated by recent CMS guidelines between third party mobile health apps and EHR systems. The analysis framework will also address heterogeneous health data and enable providers to remain compliant with HIPAA administrative and operational guidelines. We propose to perform two acceptance tests on the prototype based on partnering with HIPAA experts and medical doctors and for-profit EHR vendors along with the effectiveness of tools for detecting health data security breaches. The proposed tool will further enable the development of data breach checking for iOS mHealth apps and adoption and integration by large scale EHR vendors in the future.

Public Health Relevance Statement:
Project Narrative The early detection of security and privacy infractions related to HIPAA technical security and privacy requirements can contribute to raising public awareness of health data security issues among mHealth users. HIPAA compliant server-based web interface communication will assure the required privacy, cost-effectiveness, flexibility, and security for the stakeholders, particularly those who may not have knowledge or expertise on HIPAA.

Project Terms:
Adoption; Awareness; Behavior; Communication; Communities; cost effectiveness; Environment; Future; Goals; Health; Health Personnel; Health Care Providers; Healthcare Providers; Healthcare worker; health care personnel; health care worker; health provider; health workforce; healthcare personnel; medical personnel; treatment provider; Patients; Privatization; Research; Research Personnel; Investigators; Researchers; Risk; Testing; Vendor; Privacy; Businesses; Data Security; Data awareness; information security; Healthcare; health care; Guidelines; base; sensor; improved; Area; Phase; Medical; Ensure; Policies; Medical History; Personal Medical History; Personal Medical History Epidemiology; tool; Knowledge; Techniques; System; early detection; Early Diagnosis; HIPAA; Kennedy Kassebaum Act; PL 104-191; PL104-191; Public Law 104-191; United States Health Insurance Portability and Accountability Act; Health Insurance Portability and Accountability Act; Devices; Reporting; Coding System; Code; Regulation; Malus domestica; Apple; Mobile Phones; Car Phone; Provider; data processing; computerized data processing; Effectiveness; Address; Data; Security; Monitor; transmission process; Transmission; Development; developmental; Source Code; design; designing; Outcome; handheld mobile device; mobile device; web based interface; prototype; FDA approved; data exchange; data transfer; data transmission; data sharing; flexibility; flexible; phase 1 study; Phase I Study; Secure; mHealth; m-Health; mobile health; mobile application; mobile app; mobile device application; health data; support tools; Android; Mobile Health Application; Mobile Health App; m-Health app; m-Health application; mHealth app; mHealth application; remote health care; remote care; remote healthcare; data privacy

With the increased use of mobile health (mHealth) apps to improve health outcomes, protecting private health data is becoming increasingly important. These mHealth apps are offered by healthcare providers and used by patients for various reasons such as paying bills, scheduling appointments, sending messages to providers, accessing lab results, and viewing prescriptions and medical records. With patients' increasing desire for data accessibility and app data sharing, it is critical to ensure that patients transmit their Protected Health Information (PHI) to apps that comply with HIPAA privacy and security regulations. Unfortunately, about 25% of healthcare providers suffer from data breaches violating HIPAA policies caused by using mobile devices that come with mHealth apps. These breaches result in lawsuits and loss of confidence among health providers and patients. Earlier research has focused on mobile device security but has not checked further how apps store or transfer data securely before being used by remote healthcare providers or users. A total of 303,867 complaints have been received in the HHS.gov until July 2022 [95], which indicates that most developers, including mHealth apps developers, are unaware of HIPAA security and privacy regulations. This creates the market opportunity to develop static and dynamic code analysis tools for mHealth app developers, so their developed products meet HIPAA security and privacy guidelines. Currently, there is a lack of an analysis framework to check mHealth apps' security and privacy risks following the applicable HIPAA technical security and privacy guidelines. We have developed a framework to analyze mHealth apps for HIPAA security and privacy compliance for Android. The tool is available both as a web-based interface for users without knowledge of HIPAA or app security and as a plugin with Android Studio to enable health app developers to test source code for potential data security breaches related to HIPAA before posting to the marketplace. In addition, the tool addresses API level checking for secure data communication mandated by recent Centers for Medicare & Medicaid Services (CMS) guidelines between third-party mobile health apps and EHR systems. The analysis framework also addresses heterogeneous health data and enables providers to comply with HIPAA administrative and operational guidelines. We have performed two acceptance tests on the prototype based on partnering with HIPAA experts, medical doctors, and for-profit EHR vendors along with the effectiveness of tools for detecting health data security breaches. In Phase II, we propose a commercial product mSPAiOS as a mHealth HIPAA checker by extending the framework for iOS mHealth apps security and privacy assessment, plugin support for xCode environment, and performance evaluation of the product by at least 3 for-profit organizations/EHR vendors. The proposed tool has the potential to capture the market of the HIPAA-compliant assessment as a unique product that is not provided by any existing tools.

Public Health Relevance Statement:
PROJECT NARRATIVE In this project, we aim to develop a Framework for mHealth App Security and Privacy Analysis called mSPAiOS intended to check the security and privacy of Android and iOS applications. The project is a further extension of our preliminary prototype developed from the STTR Phase I project, where android-based mHealth apps are checked for HIPAA-related technical security and privacy rules at the source code level for app users and developers. The Phase II commercial product aims to further extend the Phase I product by increasing language support for security and privacy checking, providing plugins support for developers in an integrated developed environment for Android and iOS, and testing more production-grade applications that are developed and maintained by at least 3 USA-based health IT companies/vendors. Moreover, this project will advance the secure EHR/EMR vendor integration via API with mHealth apps. The project has further implications of preventing several emerging and existing cyber-attacks that can potentially lead to massive healthcare data breaches, such as ransomware, and supply chain attacks, by detecting and preventing the vulnerabilities early.

Project Terms:
Algorithms; Appointments and Schedules; Awareness; Behavior; Dedications; Environment; Health; Health Personnel; Health Care Providers; Healthcare Providers; Healthcare worker; health care personnel; health care worker; health provider; health workforce; healthcare personnel; medical personnel; treatment provider; Language; Marketing; Medical Records; Methods; Names; name; named; naming; Online Systems; On-Line Systems; online computer; web based; Patients; Play; Privatization; Probability; Production; Programming Languages; Reproduction; Research; Research Personnel; Investigators; Researchers; Risk; seal; Computer software; Software; Testing; United States Centers for Medicare and Medicaid Services; Centers for Medicare and Medicaid Services; Health Care Financing Administration; United States Health Care Financing Administration; Universities; Vendor; Privacy; Businesses; Data awareness; information security; Data Security; health care; Healthcare; Guidelines; evaluation/testing; sensor; improved; Area; Phase; Medical; Java; Pythons; Link; Evaluation; Policies; Sample Size; Personal Medical History; Personal Medical History Epidemiology; Medical History; Collaborations; tool; Knowledge; Side; Protocols documentation; Protocol; Techniques; non-compliance; non-compliant; noncompliance; noncompliant; Performance; success; Health Insurance Portability and Accountability Act; HIPAA; Kennedy Kassebaum Act; PL 104-191; PL104-191; Public Law 104-191; United States Health Insurance Portability and Accountability Act; Devices; Code; Coding System; Regulation; Malus domestica; Apple; Cell Phone; Cellular Telephone; Mobile Phones; iPhone; smart phone; smartphone; Cellular Phone; Provider; data processing; computerized data processing; Effectiveness; preventing; prevent; Address; Data; International; Security; Small Business Technology Transfer Research; STTR; Monitor; transmission process; Transmission; Development; developmental; Source Code; web site; website; Health protection; virtual; Outcome; Plug-in; mobile device; handheld mobile device; web based interface; encryption; prototype; FDA approved; data transfer; data transmission; data exchange; data sharing; Secure; m-Health; mobile health; mHealth; mobile app; mobile device application; mobile application; health data; support tools; Android; Android App; Android Application; Cell Phone Application; Cell phone App; Cellular Phone App; Cellular Phone Application; Smart Phone App; Smart Phone Application; Smartphone App; cell phone based app; iOS app; iOS application; iPhone App; iPhone Application; mobile phone app; smartphone based app; smartphone based application; smartphone application; Mobile Health App; m-Health app; m-Health application; mHealth app; mHealth application; Mobile Health Application; remote care; remote healthcare; remote health care; data interoperability; data communication; supply chain; electronic health record system; EHR system