Role-Based Access Control for Mobile Computing and Applications

Yaira K. Rivera Sánchez (University of Connecticut, USA), Steven A. Demurjian (University of Connecticut, USA), Joanne Conover (University of Connecticut, USA), Thomas P. Agresta (University of Connecticut Healthcare Center, USA), Xian Shao (University of Connecticut, USA) and Michael Diamond (Pomona College, USA)
Copyright: © 2017 |Pages: 25
DOI: 10.4018/978-1-5225-0945-5.ch006


The proliferation of mobile devices has changed the way that individuals access digital information, with tasks once performed in desktop applications now performed seamlessly in mobile applications. Mobile applications related to healthcare, finance/banking, etc., handle highly sensitive data for which insecure access could have serious consequences. This chapter demonstrates an approach to Role-Based Access Control (RBAC) for mobile applications that allows an information owner to define who can do what by role, which is then enforced within a mobile application's infrastructure (UI, API, server/database). Towards this objective, the chapter: motivates the usage of RBAC for mobile applications; generalizes the structure and components of a mobile application so that it can be customized by role; defines a configurable framework of locations where RBAC can be realized in a mobile application's infrastructure; and proposes an approach that realizes RBAC for mobile security. To demonstrate, the proposed RBAC approach is incorporated into the Connecticut Concussion Tracker mobile application.
Chapter Preview


The proliferation of mobile devices in all aspects of daily living has fundamentally altered the way that individuals interact with mobile applications. Evidence includes: the worldwide shipments of 1.9 billion phones and 230 million tablets outpacing PC/laptop sales (300 million estimate) (Gartner, 2015; Cisco, 2014); a report of smartphone usage in the U.S. where 64% of adults own a smartphone, 42% own a tablet, and 32% own an e-reader (Pew Research Center, 2012; Smith, 2015); and predictive statistics that tablet users will surpass 1 billion worldwide in 2015 (eMarketer, 2015) and total devices will exceed 12.1 billion by 2018 (Radicati, 2014). Mobile applications now span a broad spectrum of complexity, including games, social networking, email, web browsing, financial management, health and fitness, pharmaceutical, etc. For both personal and business usage, there is a need to protect sensitive information, ranging from protected health information (PHI) and personally identifiable information (PII) to confidential work product, that is displayed, accessed, modified, and stored. Mobile health (mHealth) applications in healthcare and fitness are numerous and diverse: tracking medications (myCVS (CVS Pharmacy, 2015), MedWatcher (2012), etc.); personal health records (PHR) (CAPZULE PHR (Capzule, 2012), MTBC PHR (2011), etc.); fitness applications that work with phones and wearables (Cohen, 2015); Apple’s HealthKit app (iOS 9, 2014) and the Google Fit fitness tracker (Google Play, 2013), which track activity, heart rate, blood pressure, etc. (Kelly, 2014); and Apple’s ResearchKit (Apple, 2015), an open source framework for mobile applications to support medical research. Patients also seek access via their mobile devices to the electronic medical records (EMRs) utilized by medical providers and to health information technology (HIT) systems that contain medical testing results (Care360, 2014) or results from imaging testing (My Imaging Records App, 2013). All of these systems must adhere to the Health Insurance Portability and Accountability Act (HIPAA) (, 2013) for the security, availability, transmission, and release of a patient's medical information.
