Protecting health information on mobile devices

Mobile applications running on devices such as smart phones and tablets will be increasingly used to provide convenient access to health information to health professionals and patients. Also, patients will use these devices to transmit health information captured by sensing devices in settings like the home to remote repositories. As mobile devices become targets of security threats, we must address the problem of protecting sensitive health information on them. We explore key threats to data on mobile devices and develop a security framework that can help protect it against such threats. We implemented this framework in the Android operating system and augmented it with user consent detection to enhance user awareness and control over the use of health information. Our framework can be used to enforce security policies that govern access to sensitive health data on mobile devices. Physicians and patients using our framework can install third-party healthcare applications with the guarantee that sensitive medical information will not be sent without their knowledge even when these applications are compromised. We describe the key mechanisms implemented by our framework and how they can enforce a security policy. We also discuss our early experience with the framework.
