Towards Automated Computational Auditing of mHealth Security and Privacy Regulations

Abstract

The growing complexity of our regulatory environment presents us with a hard problem, how can we determine if we are compliant with an ever-growing body of regulations? Computational legal auditing may help, as computational tools are exceptionally good at making sense of large amounts of data. In this research, we explore the possibility of creating a computational auditor that checks if mobile health (mHealth) apps satisfy federal security and privacy regulations. In doing so, we find that while it is challenging to convert open-ended, generally applicable, complicated laws into computational principles, the use of non-legal, authoritative, explanatory documents allows for computational operationalization while preserving the open-ended nature of the law. We test our auditor on 182 FDA/CE-approved mHealth apps. Our research suggests that the use of non-legal, authoritative, guidance documents may help with the creation of computational auditors, a promising tool to help us manage our ever-growing regulatory responsibilities.

Publication
ACM Conference on Computer and Communications Security (CCS)
Zhiyuan Yu
Zhiyuan Yu
Ph.D. Candidate at Washington Unviersity in St. Louis