Towards Automated Computational Auditing of mHealth Security and Privacy Regulations

2021 ACM SIGSAC Conference on Computer and Communications Security (CCS ’21)

    Posted On: Nov. 13, 2021    
Author(s):

Brian Tung, Zhiyuan Yu, Ning Zhang


Abstract:

The growing complexity of our regulatory environment presents us with a hard problem: how can we determine if we are compliant with an ever-growing body of regulations? Computational legal auditing may help, as computational tools are exceptionally good at making sense of large amounts of data. In this research, we explore the possibility of creating a computational auditor that checks if mobile health (mHealth) apps satisfy federal security and privacy regulations. In doing so, we find that while it is challenging to convert open-ended, generally applicable, complicated laws into computational principles, the use of non-legal, authoritative, explanatory documents allows for computational operationalization while preserving the open-ended nature of the law. We test our auditor on 182 FDA/CE-approved mHealth apps. Our research suggests that the use of non-legal, authoritative, guidance documents may help with the creation of computational auditors, a promising tool to help us manage our ever-growing regulatory responsibilities.


Citation:

Brian Tung, Zhiyuan Yu, Ning Zhang. 2021. Towards Automated Computational Auditing of mHealth Security and Privacy Regulations. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS ’21). ACM, New York, NY, USA, 3 pages. https://doi.org/10.1145/3460120.3485342