Protecting health information on mobile devices

Abstract

Mobile applications running on devices such as smart phones and tablets will be increasingly used to provide convenient access to health information to health professionals and patients. Also, patients will use these devices to transmit health information captured by sensing devices in settings like the home to remote repositories. As mobile devices become targets of security threats, we must address the problem of protecting sensitive health information on them. We explore key threats to data on mobile devices and develop a security framework that can help protect it against such threats. We implemented this framework in the Android operating system and augmented it with user consent detection to enhance user awareness and control over the use of health information. Our framework can be used to enforce security policies that govern access to sensitive health data on mobile devices. Physicians and patients using our framework can install third-party healthcare applications with the guarantee that sensitive medical information will not be sent without their knowledge even when these applications are compromised. We describe the key mechanisms implemented by our framework and how they can enforce a security policy. We also discuss our early experience with the framework.