BACKGROUND
An emerging trend is the development of smartphone applications that act as interfaces to medical devices connected to the Internet. Many of these devices, along with their smartphone applications, have been approved by the United States Food and Drug Administration (FDA) for use in medical settings. Furthermore, device manufacturers are expected to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. As a result, manufacturers are required to implement safeguards to protect a patient’s personal and medical information.
OBJECTIVE
Previous research has shown that smartphone applications produce residual data, which can have security and privacy implications. Hence, the residual data generated by smartphone applications that interact with medical devices is potentially putting patient information at risk. This study investigates residual data recovered from smartphone applications that interact with medical devices, from the perspective of Security and Privacy violations within HIPAA.
METHODS
This study includes a controlled experiment to investigate the residual data generated by Android and iOS smartphone applications that accompany seven FDA-approved medical devices. The devices and their smartphone applications were used for five days in a test environment. The smartphone applications were then processed using industry-accepted mobile forensic toolkits to retrieve resident residual artifacts. Once the processing was complete, the data extractions were analyzed for patient information as well as medical device interactions.
RESULTS
The analysis of the Android and iOS smartphone applications revealed that data related to the test patient and their use of the medical device could be retrieved from three out of the four applications. These three applications store patient and device data in plaintext, including passwords. However, analysis of the fourth application evaluated in this experiment showed that while the iOS version stores information in plaintext, the Android version appears to encrypt artifacts containing patient and therapy details.
CONCLUSIONS
While all the medical devices included in the controlled experiment are cleared by the FDA, and all the manufacturers claim to be HIPAA compliant, the devices and applications used in this study demonstrate that it is possible to recover plaintext patient-specific and device information from the smartphone applications that interface with these devices.