R42LM014356
Project Grant
Overview
Grant Description
A framework for mHealth app security and privacy analysis - project summary/abstract
With the increased use of mobile health (mHealth) apps to improve health outcomes, protecting private health data is becoming increasingly important. These mHealth apps are offered by healthcare providers and used by patients for various reasons such as paying bills, scheduling appointments, sending messages to providers, accessing lab results, and viewing prescriptions and medical records.
With patients' increasing desire for data accessibility and app data sharing, it is critical to ensure that patients transmit their protected health information (PHI) only to apps that comply with HIPAA privacy and security regulations. Unfortunately, about 25% of healthcare providers have suffered HIPAA-violating data breaches caused by mobile devices running mHealth apps. These breaches result in lawsuits and loss of confidence among health providers and patients.
Earlier research has focused on mobile device security but has not examined how apps store or transfer data before it is used by remote healthcare providers or users. A total of 303,867 complaints had been received by HHS.gov as of July 2022 [95], which indicates that most developers, including mHealth app developers, are unaware of HIPAA security and privacy regulations. This creates a market opportunity for static and dynamic code analysis tools for mHealth app developers, so that their products meet HIPAA security and privacy guidelines.
Currently, no analysis framework checks mHealth apps' security and privacy risks against the applicable HIPAA technical security and privacy guidelines. We have developed a framework to analyze Android mHealth apps for HIPAA security and privacy compliance. The tool is available both as a web-based interface for users without knowledge of HIPAA or app security and as an Android Studio plugin that enables health app developers to test source code for potential HIPAA-related data security breaches before publishing to the marketplace.
In addition, the tool performs API-level checking of the secure data communication between third-party mobile health apps and EHR systems mandated by recent Centers for Medicare & Medicaid Services (CMS) guidelines. The analysis framework also handles heterogeneous health data and enables providers to comply with HIPAA administrative and operational guidelines.
We have performed two acceptance tests on the prototype in partnership with HIPAA experts, medical doctors, and for-profit EHR vendors, evaluating the tool's effectiveness in detecting health data security breaches. In Phase II, we propose a commercial product, MSPAIOS, as an mHealth HIPAA checker, extending the framework to security and privacy assessment of iOS mHealth apps, adding plugin support for the Xcode environment, and evaluating the product's performance with at least 3 for-profit organizations/EHR vendors.
The proposed tool has the potential to capture the HIPAA-compliance assessment market as a unique product not provided by any existing tool.
Funding Goals
To meet a growing need for investigators trained in biomedical informatics research and data science by training qualified pre- and post-doctoral candidates; to conduct research in biomedical informatics, bioinformatics and related computer, information and data sciences; to facilitate management of electronic health records and clinical research data; to prepare scholarly works in biomedicine and health; to advance biocomputing and bioinformatics through participation in federal initiatives relating to biomedical informatics, bioinformatics and biomedical computing; and to stimulate and foster scientific and technological innovation through cooperative research development carried out between small business concerns and research institutions, through Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) grants.
Place of Performance
Wisconsin
United States
Geographic Scope
State-Wide
Analysis Notes
Amendment: Since the initial award, the End Date has been extended from 08/31/25 to 08/31/26 and the total obligations have increased 116%, from $788,794 to $1,706,791.
Ubitrix International was awarded Project Grant R42LM014356, worth $1,706,791, from the National Library of Medicine in September 2021, with work to be completed primarily in Wisconsin, United States. The grant has a duration of 5 years and was awarded through assistance program 93.879 Medical Library Assistance. The Project Grant was awarded through grant opportunity PHS 2022-2 Omnibus Solicitation of the NIH for Small Business Technology Transfer Grant Applications (Parent STTR [R41/R42] Clinical Trial Not Allowed).
SBIR Details
Research Type
STTR Phase II
Title
A Framework for mHealth App Security and Privacy Analysis
Abstract
PROJECT SUMMARY/ABSTRACT With the increased use of mobile health (mHealth) apps to improve health outcomes, protecting private health data is becoming increasingly important. These mHealth apps are offered by healthcare providers and used by patients for various reasons such as paying bills, scheduling appointments, sending messages to providers, accessing lab results, and viewing prescriptions and medical records. With patients' increasing desire for data accessibility and app data sharing, it is critical to ensure that patients transmit their Protected Health Information (PHI) only to apps that comply with HIPAA privacy and security regulations. Unfortunately, about 25% of healthcare providers have suffered HIPAA-violating data breaches caused by mobile devices running mHealth apps. These breaches result in lawsuits and loss of confidence among health providers and patients. Earlier research has focused on mobile device security but has not examined how apps store or transfer data before it is used by remote healthcare providers or users. A total of 303,867 complaints had been received by HHS.gov as of July 2022 [95], which indicates that most developers, including mHealth app developers, are unaware of HIPAA security and privacy regulations. This creates a market opportunity for static and dynamic code analysis tools for mHealth app developers, so that their products meet HIPAA security and privacy guidelines. Currently, no analysis framework checks mHealth apps' security and privacy risks against the applicable HIPAA technical security and privacy guidelines. We have developed a framework to analyze Android mHealth apps for HIPAA security and privacy compliance.
The tool is available both as a web-based interface for users without knowledge of HIPAA or app security and as an Android Studio plugin that enables health app developers to test source code for potential HIPAA-related data security breaches before publishing to the marketplace. In addition, the tool performs API-level checking of the secure data communication between third-party mobile health apps and EHR systems mandated by recent Centers for Medicare and Medicaid Services (CMS) guidelines. The analysis framework also handles heterogeneous health data and enables providers to comply with HIPAA administrative and operational guidelines. We have performed two acceptance tests on the prototype in partnership with HIPAA experts, medical doctors, and for-profit EHR vendors, evaluating the tool's effectiveness in detecting health data security breaches. In Phase II, we propose a commercial product, mSPAiOS, as an mHealth HIPAA checker, extending the framework to security and privacy assessment of iOS mHealth apps, adding plugin support for the Xcode environment, and evaluating the product's performance with at least 3 for-profit organizations/EHR vendors. The proposed tool has the potential to capture the HIPAA-compliance assessment market as a unique product not provided by any existing tool.
Topic Code
NLM
Solicitation Number
PA22-178
Status
(Ongoing)
Last Modified 7/21/25
Period of Performance
9/15/21
Start Date
8/31/26
End Date
Funding Split
$1.7M
Federal Obligation
$0.0
Non-Federal Obligation
$1.7M
Total Obligated
Additional Detail
Award ID FAIN
R42LM014356
SAI Number
R42LM014356-162315516
Award ID URI
SAI UNAVAILABLE
Awardee Classifications
Small Business
Awarding Office
75NL00 NIH National Library of Medicine
Funding Office
75NL00 NIH National Library of Medicine
Awardee UEI
WHEJK7V2JDM5
Awardee CAGE
7U2L0
Performance District
WI-90
Senators
Tammy Baldwin
Ron Johnson
Budget Funding
| Federal Account | Budget Subfunction | Object Class | Total | Percentage |
|---|---|---|---|---|
| National Library of Medicine, National Institutes of Health, Health and Human Services (075-0807) | Health research and training | Grants, subsidies, and contributions (41.0) | $788,794 | 100% |