Abstract
As smartphones and smartphone applications are widely used in a healthcare context (e.g., remote healthcare), these devices and applications may need to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. In other words, adequate safeguards to protect the user’s sensitive information (e.g., personally identifiable information and/or medical history) must be enforced on such devices and applications. In this study, we take a forensic approach and focus on the potential for recovering residual data from Android medical applications, with the objective of providing an initial risk assessment of such applications. Our findings (e.g., documentation of the artifacts) also contribute to a better understanding of the types and locations of evidential artifacts that can potentially be recovered from these applications in a digital forensic investigation.
Acknowledgments
This research was financially supported by the Nebraska Research Initiative (NRI). The statements, opinions, and content included in this publication do not necessarily reflect the position or the policy of the NRI, and no official endorsement should be inferred.
Copyright information
© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Grispos, G., Flynn, T., Glisson, W.B., Choo, KK.R. (2021). Investigating Protected Health Information Leakage from Android Medical Applications. In: Perakovic, D., Knapcikova, L. (eds) Future Access Enablers for Ubiquitous and Intelligent Infrastructures. FABULOUS 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 382. Springer, Cham. https://doi.org/10.1007/978-3-030-78459-1_23
DOI: https://doi.org/10.1007/978-3-030-78459-1_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78458-4
Online ISBN: 978-3-030-78459-1
eBook Packages: Computer Science, Computer Science (R0)