Journal ArticleDOI

Challenges With Developing Secure Mobile Health Applications: Systematic Review.

21 Jun 2021-Jmir mhealth and uhealth (JMIR Publications Inc.)-Vol. 9, Iss: 6
TL;DR: While mHealth app development organizations might overlook security, the findings can help them identify weaknesses and improve their security practices, and the proposed conceptual framework can act as a practice guideline for practitioners to enhance secure mHealth app development.
Abstract: Background: Mobile health (mHealth) apps have gained significant popularity over the last few years due to their tremendous benefits, such as lowering health care costs and increasing patient awareness. However, the sensitivity of health care data makes the security of mHealth apps a serious concern. Poor security practices and lack of security knowledge on the developers’ side can cause several vulnerabilities in mHealth apps. Objective: In this review paper, we aimed to identify and analyze the reported challenges concerning security that developers of mHealth apps face. Additionally, our study aimed to develop a conceptual framework with the challenges for developing secure apps faced by mHealth app development organizations. The knowledge of such challenges can help to reduce the risk of developing insecure mHealth apps. Methods: We followed the systematic literature review method for this review. We selected studies that were published between January 2008 and October 2020 since the major app stores launched in 2008. We selected 32 primary studies using predefined criteria and used a thematic analysis method for analyzing the extracted data. Results: Of the 1867 articles obtained, 32 were included in this review based on the predefined criteria. We identified 9 challenges that can affect the development of secure mHealth apps. 
These challenges include lack of security guidelines and regulations for developing secure mHealth apps (20/32, 63%), developers’ lack of knowledge and expertise for secure mHealth app development (18/32, 56%), lack of stakeholders’ involvement during mHealth app development (6/32, 19%), no/little developer attention towards the security of mHealth apps (5/32, 16%), lack of resources for developing a secure mHealth app (4/32, 13%), project constraints during the mHealth app development process (4/32, 13%), lack of security testing during mHealth app development (4/32, 13%), developers’ lack of motivation and ethical considerations (3/32, 9%), and lack of security experts’ engagement during mHealth app development (2/32, 6%). Based on our analysis, we have presented a conceptual framework that highlights the correlation between the identified challenges. Conclusions: While mHealth app development organizations might overlook security, we conclude that our findings can help them to identify the weaknesses and improve their security practices. Similarly, mHealth app developers can identify the challenges they face to develop mHealth apps that do not pose security risks for users. Our review is a step towards providing insights into the development of secure mHealth apps. Our proposed conceptual framework can act as a practice guideline for practitioners to enhance secure mHealth app development.


Citations
Journal ArticleDOI
TL;DR: The Sm@rtEven application has proven to be a valuable tool for following patients remotely, especially during the pandemic, and enables patients to be followed over long distances and over time, minimizing any discomfort.
Abstract: Telemedicine is the combination of technologies and activities that offer new remote ways of medical care. The Sm@rtEven application project is a remote assistance service that follows patients affected by lower limb fractures surgically treated at Galeazzi Orthopedic Institute (Milan, Italy). The Sm@rtEven application aims to evaluate the clinical conditions of patients treated for lower limb fracture after discharge from hospital using remote follow-up (FU). The project is not a substitute for traditional clinical consultations but an additional tool for a more complete and prolonged view over time. The Sm@rtEven application is installed on patients’ smartphones and is used daily to communicate with healthcare personnel. In the first protocol, patients had to complete different tasks for 30 days, such as monitoring the load progression on the affected limb, the number of steps during the day, and body temperature and completing a questionnaire. A simplified protocol was proposed due to the pandemic and logistical issues. The revised protocol enrolled patients after more than 30 days of their operation, prioritized the rehabilitation phase, and required patients to use the app for fewer days. After an initial phase of correct use, a reduction in patient compliance was gradually reported in the first protocol. However, patient compliance in the second protocol remained high (96.25%) in the recording of all the required parameters. The Sm@rtEven application has proven to be a valuable tool for following patients remotely, especially during the pandemic. Telemedicine has the same value as traditional clinical evaluations, and it enables patients to be followed over long distances and over time, minimizing any discomfort.

5 citations

Journal ArticleDOI
TL;DR: A Blockchain-based healthcare security ontology (HealthOnt) that offers coherent and formal information models to treat security threats of traditional and blockchain-based applications and can support the iterative process of SRM and can be continually updated when new security threats, vulnerabilities, or countermeasures emerge.
Abstract: Blockchain is gaining traction for improving the security of healthcare applications; however, it is not a silver bullet, as various security threats are observed in blockchain-based applications. Moreover, when performing the security risk management (SRM) of blockchain-based applications, there are conceptual ambiguities and semantic gaps that hinder treating the security threats effectively. To address these issues, we present a blockchain-based healthcare security ontology (HealthOnt) that offers coherent and formal information models to treat security threats of traditional and blockchain-based applications. We evaluate the ontology by performing the SRM of a back-pain patient’s healthcare application case. The results show that HealthOnt can support the iterative process of SRM and can be continually updated when new security threats, vulnerabilities, or countermeasures emerge. In addition, HealthOnt may assist in the modelling and analysis of real-world situations while addressing important security concerns from the perspective of stakeholders. This work can help blockchain developers, practitioners, and other associated stakeholders to develop secure blockchain-based healthcare applications in the early stages.

4 citations

Journal ArticleDOI
TL;DR: In this article, the authors performed an empirical study aimed at systematically identifying and understanding data privacy incorporated in mental health apps, which revealed important data privacy issues such as unnecessary permissions, insecure cryptography implementations and leaks of personal data and credentials in logs and web requests.
Abstract: An increasing number of mental health services are offered through mobile systems, a paradigm called mHealth. Although there is an unprecedented growth in the adoption of mHealth systems, partly due to the COVID-19 pandemic, concerns about data privacy risks due to security breaches are also increasing. Whilst some studies have analyzed mHealth apps from different angles, including security, there is relatively little evidence for data privacy issues that may exist in mHealth apps used for mental health services, whose recipients can be particularly vulnerable. This paper reports an empirical study aimed at systematically identifying and understanding data privacy incorporated in mental health apps. We analyzed 27 top-ranked mental health apps from Google Play Store. Our methodology enabled us to perform an in-depth privacy analysis of the apps, covering static and dynamic analysis, data sharing behaviour, server-side tests, privacy impact assessment requests, and privacy policy evaluation. Furthermore, we mapped the findings to the LINDDUN threat taxonomy, describing how threats manifest on the studied apps. The findings reveal important data privacy issues such as unnecessary permissions, insecure cryptography implementations, and leaks of personal data and credentials in logs and web requests. There is also a high risk of user profiling, as the apps' development does not provide foolproof mechanisms against linkability, detectability and identifiability. Data sharing among third parties and advertisers in the current apps' ecosystem aggravates this situation. Based on the empirical findings of this study, we provide recommendations to be considered by different stakeholders of mHealth apps in general and app developers in particular. [...]

4 citations

Journal ArticleDOI
TL;DR: In this article, the authors discuss the implementation of transcranial electric stimulation (tES) digital trials by performing a systematic scoping review and strategic process mapping, evaluate methodological aspects of tES digital trial designs, and provide Delphi-based recommendations for implementing digital trials using tES.

3 citations

Journal ArticleDOI
TL;DR: It is observed from this article that communication in hospitals through an EHR template is user-friendly, safe and possible within the hospital and to outside facilities for effective paperless management of patients.
Abstract: Background: Communication of patient information in a healthcare setting in previous years was based on documented information on paper records carried from one location to another. However, with the introduction of electronic health records (EHRs), communications are now conducted electronically via installed and connected computer systems that are networked together. Inadequate communication of patients’ information can deter patients’ health and threaten their lives, putting them in unnecessary danger. Objective: The objective of this study was to design a standard EHR template model of communication for tertiary hospitals that can be used in communicating patients’ information between the various departments involved in the management of patients without carrying papers around or tossing patients or their relatives up and down. Method: The research adopts soft system methodology (SSM) with communication concepts from knowledge management, combining observations with various practical information to draw conclusions based on past experiences through a process of inductive reasoning. A communication model was developed that can be used as a template for hospitals to upgrade/integrate paper-based patient information management to electronic-based management in a bid to enhance patient care and information management. Results: The developed communication template model has been designed to be adopted for use in managing patients’ information electronically in all tertiary hospitals and other hospitals that may so desire its use. Conclusion: It is observed from this article that communication in hospitals through an EHR template is user-friendly, safe and possible within the hospital and to outside facilities for effective paperless management of patients.

2 citations

References
Journal ArticleDOI
TL;DR: A new qualitative method for building conceptual frameworks for phenomena that are linked to multidisciplinary bodies of knowledge based on grounded theory method and redefines the key terms of concept, conceptual framework, and conceptual framework analysis.
Abstract: In this paper the author proposes a new qualitative method for building conceptual frameworks for phenomena that are linked to multidisciplinary bodies of knowledge. First, he redefines the key terms of concept, conceptual framework, and conceptual framework analysis. Concept has some components that define it. A conceptual framework is defined as a network or a “plane” of linked concepts. Conceptual framework analysis offers a procedure of theorization for building conceptual frameworks based on grounded theory method. The advantages of conceptual framework analysis are its flexibility, its capacity for modification, and its emphasis on understanding instead of prediction.

970 citations


"Challenges With Developing Secure M..." refers background in this paper

  • ...Jabareen [71] defined a conceptual framework as “a network, or a plane of interlinked concepts that together provide a comprehensive understanding of a phenomenon or phenomena....

    [...]

Journal ArticleDOI
TL;DR: SLRs appear to have gone past the stage of being used solely by innovators but cannot yet be considered a mainstream software engineering research methodology; they still have limitations, such as often failing to assess primary study quality.
Abstract: Context: In a previous study, we reported on a systematic literature review (SLR), based on a manual search of 13 journals and conferences undertaken in the period 1st January 2004 to 30th June 2007. Objective: The aim of this on-going research is to provide an annotated catalogue of SLRs available to software engineering researchers and practitioners. This study updates our previous study using a broad automated search. Method: We performed a broad automated search to find SLRs published in the time period 1st January 2004 to 30th June 2008. We contrast the number, quality and source of these SLRs with SLRs found in the original study. Results: Our broad search found an additional 35 SLRs corresponding to 33 unique studies. Of these papers, 17 appeared relevant to the undergraduate educational curriculum and 12 appeared of possible interest to practitioners. The number of SLRs being published is increasing. The quality of papers in conferences and workshops has improved as more researchers use SLR guidelines. Conclusion: SLRs appear to have gone past the stage of being used solely by innovators but cannot yet be considered a mainstream software engineering research methodology. They are addressing a wide range of topics but still have limitations, such as often failing to assess primary study quality.

836 citations

Proceedings ArticleDOI
22 Sep 2011
TL;DR: This paper conceptualizes the thematic synthesis approach in software engineering as a scientific inquiry involving five steps that parallel those of primary research.
Abstract: Thematic analysis is an approach that is often used for identifying, analyzing, and reporting patterns (themes) within data in primary qualitative research. 'Thematic synthesis' draws on the principles of thematic analysis and identifies the recurring themes or issues from multiple studies, interprets and explains these themes, and draws conclusions in systematic reviews. This paper conceptualizes the thematic synthesis approach in software engineering as a scientific inquiry involving five steps that parallel those of primary research. The process and outcome associated with each step are described and illustrated with examples from systematic reviews in software engineering.

634 citations


Additional excerpts

  • ...results for this review [25]....

    [...]

Journal ArticleDOI
TL;DR: The state of the art of continuous practices is reviewed to classify approaches and tools, identify challenges and practices in this regard, and identify the gaps for future research, revealing that continuous practices have been successfully applied to both greenfield and maintenance projects.
Abstract: Continuous practices, i.e., continuous integration, delivery, and deployment, are the software development industry practices that enable organizations to frequently and reliably release new features and products. With the increasing interest in the literature on continuous practices, it is important to systematically review and synthesize the approaches, tools, challenges, and practices reported for adopting and implementing continuous practices. This paper aimed at systematically reviewing the state of the art of continuous practices to classify approaches and tools, identify challenges and practices in this regard, and identify the gaps for future research. We used the systematic literature review method for reviewing the peer-reviewed papers on continuous practices published between 2004 and June 1, 2016. We applied the thematic analysis method for analyzing the data extracted from reviewing 69 papers selected using predefined criteria. We have identified 30 approaches and associated tools, which facilitate the implementation of continuous practices in the following ways: 1) reducing build and test time in continuous integration (CI); 2) increasing visibility and awareness on build and test results in CI; 3) supporting (semi-) automated continuous testing; 4) detecting violations, flaws, and faults in CI; 5) addressing security and scalability issues in deployment pipeline; and 6) improving dependability and reliability of deployment process. We have also determined a list of critical factors, such as testing (effort and time), team awareness and transparency, good design principles, customer, highly skilled and motivated team, application domain, and appropriate infrastructure that should be carefully considered when introducing continuous practices in a given organization. The majority of the reviewed papers were validation (34.7%) and evaluation (36.2%) research types. 
This paper also reveals that continuous practices have been successfully applied to both greenfield and maintenance projects. Continuous practices have become an important area of software engineering research and practice. While the reported approaches, tools, and practices are addressing a wide range of challenges, there are several challenges and gaps, which require future research work for improving the capturing and reporting of contextual information in the studies reporting different aspects of continuous practices; gaining a deep understanding of how software-intensive systems should be (re-) architected to support continuous practices; and addressing the lack of knowledge and tools for engineering processes of designing and running secure deployment pipelines.

350 citations


"Challenges With Developing Secure M..." refers background in this paper

  • ...Scopus is considered the largest indexing system that provides the most comprehensive search engine, among other digital libraries [73]....

    [...]

Proceedings ArticleDOI
22 Sep 2008
TL;DR: A new paradigm, the Compliance Budget, is presented as a means of understanding how individuals perceive the costs and benefits of compliance with organisational security goals, and a range of approaches that security managers can use to influence employees' perceptions is identified.
Abstract: A significant number of security breaches result from employees' failure to comply with security policies. Many organizations have tried to change or influence security behaviour, but found it a major challenge. Drawing on previous research on usable security and economics of security, we propose a new approach to managing employee security behaviour. We conducted interviews with 17 employees from two major commercial organizations, asking why they do or don't comply with security policies. Our results show that key factors in the compliance decision are the actual and anticipated cost and benefits of compliance to the individual employee, and perceived cost and benefits to the organization. We present a new paradigm, the Compliance Budget, as a means of understanding how individuals perceive the costs and benefits of compliance with organisational security goals, and identify a range of approaches that security managers can use to influence employees' perceptions (which, in turn, influence security behaviour). The Compliance Budget should be understood and managed in the same way as any financial budget, as compliance directly affects, and can place a cap on, the effectiveness of organisational security measures.

294 citations


"Challenges With Developing Secure M..." refers background in this paper

  • ...een differently based on developers and an organisation’s size [54]. The research on security practice indicates that many security incidents are mainly caused by human, rather than technical failure [55]. Developers with low motivation were found to be one of the most frequently cited causes of software development project failure [56]. Xie et al. [57] present the reasons that make software developer...

    [...]