A research team from the University of West Florida Center for Cybersecurity has developed a new platform that evaluates the effectiveness of thousands of mobile applications in securing users’ personal information.
Support Local Stories. Support Public Media.
Dr. Hossain Shahriar, associate director and professor for the Center for Cybersecurity, and his graduate students have been working on the project for a couple of years.
“We call this platform a HIPAA Checker,” said Dr. Shahriar. “It's HIPAA, which is Health Insurance Portability and Accountability Act.”
HIPAA is a federal law aimed at protecting the privacy and security of patient health information.
According to Shahriar, the healthcare industry is increasingly relying on mobile apps for patient use, but the health sector also has been susceptible to data breaches that have exposed sensitive health and identity-related information about millions of people.
“One good example would be I’m putting my body weight and the medications I’m taking in a form, and this is part of the app,” he began. “And after submitting the form, the app is storing in plain text and then what is happening, it is sending a copy to a server. So the hacker in between can take that piece.”
Shahriar says end-to-end data encryption is required, and it’s one of the things they check for.
“The next time it goes out of the device or from the app control, it is still encrypted, so any random hacker still cannot understand that. So, that’s the basic concept here. That is part of one of the HIPAA technical rules.”
Once identified, app vulnerabilities can be fixed on the backend, but the goal of the new HIPAA Checker platform is to identify and address any security flaws early in the development process.
“Basically, before the application gets released publicly, we give the opportunity for the developer to find the bugs or vulnerabilities, so that the data breach can be prevented,” said Abdul Barek, a graduate research assistant in UWF’s intelligent systems and robotics doctoral program.
Barek has been the lead student developer on the project since its inception. He says the HIPAA Checker software analyzes the apps and produces a numeric score based on their compliance with privacy laws. The lower the number, the better.
To demonstrate, Barek highlights an app that has a HIPAA risk score of 30, “And this score has some levels, like low, medium, high, critical.”
Additionally, the risk level is color-coded, and a score of 30 shows as orange, in the medium range.
“If it is in a green zone, then we can say, probably, that the app is good, but if this meter shows a kind of red zone, then we can say that this app may have some (vulnerabilities) and the developer needs to fix it fast,” Barek explained.
The project has been funded by a two-year $545,000 National Institutes of Health Small Business Technology Transfer grant that Shahriar received in 2023 in partnership with Ubitrix, Inc. Phase one of the project involved the analysis of 300 Android applications. The NIH grant has allowed the project to become much bigger in scope.
“Now, we’re charged to develop a larger-scale platform that can support not only Android, but also (iOS) or Apple device apps, which we have done...and then web applications and traditional applications,” said Dr. Shahriar.
Project member Md Bajlur Rashid specialized in working with iOS. Other project members include Md Mostafizur Rahman, ABM Kamrul Riad, and Md Abdur Rahman.
Shahriar added that the platform has not just been used to run security risks for medical information, but it can also perform general security checks.
“For example, we did one scanning for the Uber App, which is a Fortune 500 company. We found some bugs with them,” he explained. “So this is the fun part of doing a project that is really useful in the real world.”
While Shahriar’s team at the Center for Cybersecurity and their partners explore the possibilities, including development of Large Language (or AI-based) modules, the tool is already available for public access and testing.
“So, you can go to hipaachecker.health,” he stated. “That’s the domain name, and it’s easy to remember, and it will point to that deployed website, and then you can upload or tell the web address.”
The platform is primarily for professional app developers, but Shahriar says individuals can use it, too, and have peace of mind that with the appls they use their health data is secure.
