A comparative study on HIPAA technical safeguards assessment of android mHealth applications

Protecting personal health records is becoming increasingly important as more people use Mobile Health applications (mHealth apps) to improve their health outcomes. These mHealth apps enable consumers to monitor their health-related problems, store, manage, and share health records, medical conditions, treatment, and medication. With the increase of mHealth apps accessibility and usability, it is crucial to create, receive, maintain or transmit protected health information (PHI) on behalf of a covered entity or another business associate. The Health Insurance Portability and Accountability Act (HIPAA) provides guidelines to the app developers so that the apps must be compliant with required and addressable Technical Safeguards. However, most mobile app developers, including mHealth apps are not aware of HIPAA security and privacy regulations. Therefore, a research opportunity has emerged to develop an analytical framework to assist the developer to maintain a secure and HIPAA-compliant source code and raise awareness among consumers about the privacy and security of sensitive and personal health information. We proposed an Android source code analysis framework that evaluates twelve HIPAA Technical Safeguards to check whether a mHealth application is HIPAA compliant or not. The implemented meta-analysis and data-flow analysis algorithms efficiently identify the risk and safety features of mHealth apps that violate HIPAA regulations. Furthermore, we addressed API level checking for secure data communication mandated by recent CMS guidelines between third-party mobile health apps and EHR systems. Experimentally, a web-based tool has been developed for evaluating the efficacy of analysis techniques and algorithms. We have investigated 200 top popular Medical and Health & Fitness category Android apps collected from Google Play Store. We identified from the comparative analysis of the HIPAA rules assessment results that authorization to access sensitive resources, data encryption–decryption, and data transmission security is the most vulnerable features of the investigated apps. We provided recommendations to app developers about the most common mistake made at the time of app development and how to avoid these mistakes to implement secure and HIPAA-compliant apps. The proposed framework enables us to develop an IDE plugin for mHealth app developers and a web-based interface for mHealth app consumers.