# A Framework for mHealth App Security and Privacy Analysis

> **NIH R41** · UBITRIX INTERNATIONAL, INC. · 2021 · $256,079

## Abstract

With the increased use of mobile health apps to improve health outcomes, protecting private
health data is becoming increasingly important. Researchers estimate there are over 300,000
mHealth apps in existence, and some relate to HIPAA covered entities or their business associates.
With patients’ increasing desire for data accessibility and app data sharing, it is critical to
ensure that patients transmit their Protected Health Information (PHI) only to apps that comply
with the HIPAA privacy and security rules. About 25% of healthcare providers suffer data breaches
that violate HIPAA policies, caused by using mobile devices that come preloaded with mHealth apps.
This results in lawsuits and in loss of confidence among health providers and patients. Earlier
research has focused on the security of mobile devices, but not on checking how apps store or
transfer data before that data is used by remote health care providers or users. Most mobile app
developers, including those of mHealth apps, are not aware of HIPAA security and privacy
regulations. This creates the market opportunity to develop static and dynamic code analysis tools
for mHealth app developers, so that their products meet HIPAA security and privacy guidelines.
Currently, there is no analysis framework that checks mHealth apps’ security and privacy risks
against the applicable HIPAA technical security and privacy guidelines. We propose to develop a
framework to analyze mHealth apps for HIPAA security and privacy compliance. The framework will
allow users who have no knowledge of HIPAA or app security to receive an assessment of security
and privacy risks per HIPAA guidelines. Initially based on Android Studio, the tool will test the
source code of mHealth applications for potential HIPAA-related data security breaches before the
app is posted to the marketplace. The tool will further address API-level checking of the secure
data communication between third-party mobile health apps and EHR systems mandated by recent CMS
guidelines. The analysis framework will also address heterogeneous health data and enable
providers to remain compliant with HIPAA administrative and operational guidelines. We propose to
perform two acceptance tests on the prototype, in partnership with HIPAA experts, medical doctors
and for-profit EHR vendors, together with an evaluation of the tool’s effectiveness at detecting
health data security breaches. The proposed tool will further enable the development of data
breach checking for iOS mHealth apps, and its adoption and integration by large-scale EHR vendors
in the future.

## Key facts

- **NIH application ID:** 10325277
- **Project number:** 1R41GM146313-01
- **Recipient organization:** UBITRIX INTERNATIONAL, INC.
- **Principal Investigator:** Sheikh Iqbal Ahamed
- **Activity code:** R41
- **Funding institute:** NIH
- **Fiscal year:** 2021
- **Award amount:** $256,079
- **Award type:** 1
- **Project period:** 2021-09-15 → 2023-08-31

## Primary source

NIH RePORTER: https://reporter.nih.gov/project-details/10325277

## Citation

> US National Institutes of Health, RePORTER application 10325277, A Framework for mHealth App Security and Privacy Analysis (1R41GM146313-01). Retrieved via AI Analytics 2026-05-24 from https://api.ai-analytics.org/grant/nih/10325277. Licensed CC0.

---

*[NIH grants dataset](/datasets/nih-grants) · CC0 1.0*
