The medical industries are being integrated with information technology through mobile devices and wireless communication. The advent of mobile healthcare systems can benefit patients and hospitals, not only by providing better quality of patient care, but also by reducing administrative and medical costs for both patients and hospitals. Security issues present an interesting research topic in wireless and pervasive healthcare networks. As information technology has developed, many organizations such as government agencies, public institutions, and corporations have employed information systems to enhance the efficiency of their work processes. For the past few years, healthcare organizations throughout the world have been adopting health information systems (HIS) based on the wireless network infrastructure. As a part of the wireless network, mobile agents have been employed at a large scale in hospitals due to their outstanding mobility. Several vulnerabilities and security requirements related to mobile devices should be considered in implementing mobile services in the hospital environment. Secure authentication and protocols with a mobile agent for applying ubiquitous sensor networks in a healthcare system environment are proposed and analyzed in this paper.
Today’s society is rapidly moving toward an aged society. The rapid changes in modern styles provide ongoing opportunities to build new markets and industries. Radio frequency identification (RFID) systems can be applied to many industries, and include many potential applications such as manufacturing, supply chain management, access control, inventory control, e-passports, pharmacies, and hospital management. RFID has the advantages of low cost and convenience in identifying an object with non-line-of-sight reading.
Ubiquitous technologies based on mobile devices and sensor nodes are able to manage healthcare information with small sensors and devices. As information technologies are rapidly developed, e-healthcare systems are currently being realized. Recently, the trend in healthcare systems has moved toward u-healthcare systems because of smart equipment and devices with low computing power. RFID is an automated data-capture technology that uses low-power radio waves to communicate between readers and tags. RFID technology is also applicable to u-healthcare systems to reduce manual handling errors, monitor patients’ medical information accurately, maintain efficient processes, and track patients’ location. To utilize this system, new problems should be solved such as security, authentication, and safety. Advanced technologies and existing medical technologies should be combined properly to meet the requirements for service efficiency, accuracy, and clinical significance. This kind of fusion technology is called a ubiquitous healthcare system. It should be noted that u-healthcare systems improve and enrich the quality of life. This comes about by the improvement of constraints and medical treatments by connecting a lot of devices with medical treatment. Any security vulnerability may cause a leakage of personal information. Therefore, security protocols should be prepared and taken into consideration prior to the implementation of a u-healthcare system. The owner of personal information can also be threatened by hackers and malicious attackers. For this reason, the Department of Health and Human Services (HHS) in the United States has recently issued “an interim final rule regulating when and how patients must be notified if their healthcare information has been exposed in a security breach by hospitals, physician offices, and other healthcare organizations”. The Health Insurance Portability and Accountability Act (HIPAA) is an act introduced in 1996 to protect a patient’s rights to medical history. A research group on healthcare is working on developing expertise in several areas and is planning to integrate these in 3G and 4G networking. The hospital information system today integrates individually optimized sections including nurses, other staff, and patients.

The remainder of this paper is organized as follows. Section I is the introduction. Section II summarizes related work on the application of RFID related to security issues. Section III presents the analyses of the u-healthcare system, reviews the analysis of the protocol, and discusses various security and privacy issues such as associated attacks. Finally, Section IV provides the conclusions.
II. RELATED WORK
Information related to healthcare services is very confidential and sensitive. Healthcare systems are divided into several subsystems in hospitals. Therefore, a divided security mechanism is required to integrate different types of security. In general, we should consider the characteristics of wireless communication between a user’s tag and mobile agent, in addition to the wired connection between a mobile device and database. Generally speaking, firewalls and traffic analysis can be used to protect sensitive information from non-authorized attacks over the Internet protocol. Such attacks can be induced by authentication and security problems in this situation. Healthcare staff members increasingly require medical data to be delivered in real time to support their decision making process. The adoption of mobile devices allows this process to occur concurrently. Privacy is an important aspect of pervasive and ubiquitous computing systems, and, in particular, pervasive healthcare. Moncrieff et al. have presented a design framework for implementing privacy measures in ubiquitous computing environments, and have demonstrated its application to pervasive healthcare. Sun et al. have contributed a detailed discussion on the privacy and security issues in e-healthcare systems and viable techniques for addressing these issues. Furthermore, they demonstrated the design challenge in the fulfillment of conflicting goals through an example scenario, where a wireless body sensor network is leveraged, and an optimized solution is proposed to overcome the conflict. Boukerche and Ren introduced the technique of trust evaluation without a centralized trust management authority and proposed a novel trust evaluation model that can efficiently calculate the trustworthiness of mobile healthcare devices and dynamically manage medical nodes. Markovic et al. considered the issues of mobile healthcare security and employed cryptographic techniques to address possible vulnerabilities. They make use of symmetrical cryptographic methods to protect data confidentiality, and asymmetrical cryptographic algorithms such as public key infrastructure (PKI) and digital signature techniques to achieve data integrity.
III. ANALYSES OF U-HEALTHCARE SYSTEM
In the initial model of the u-health system, an m-healthcare system is designed as an enhancement of the e-healthcare system, supported by wireless electronic medical record (EMR) access.
depicts the concept of the network topology for the u-healthcare system. It represents a brief network topology for a virtual hospital. This network will be modified and extended based on the security and protocol requirements. To overcome additional vulnerabilities, a wireless architecture with embedded security modules should be designed as an essential requirement for wireless EMR access. In particular, a patient’s privacy is very important in a hospital information system (HIS) environment. The information should be secured permanently, both when it is transmitted and when it is stored in databases. Security issues could occur with sharing information among interconnected hospitals. Secure access to electronic health records (EHR) with distributed topology units should also be considered. Healthcare networks based on electronic or mobile devices are established by connecting general clinics, hospitals, and national/private medical centers. However, health information which is stored in a healthcare center is usually accessible only to authorized staff of that center in traditional healthcare systems.

To improve medical service quality in hospitals and enhance safety control for patients, integration of RFID technologies into medical industries has recently been progressively evolving. Effectively merging RFID techniques with the existing HISs is occurring gradually. Yao et al. have reviewed the literature on RFID applications in healthcare based on a formal research framework and have identified current opportunities, potential benefits, and adoption barriers. Wang et al. demonstrated the RFID infrastructure of Taipei Medical University Hospital. This architecture shows how data was collected, processed, stored, and transformed into useful information for medical services in the hospital. Yu et al. provided the u-healthcare system with real-time technologies, which a great deal of security precautions. He also described differences between e-healthcare systems and u-healthcare systems, as shown in
U-healthcare systems may bring unlimited convenience to the customers and staff of hospitals. However, security vulnerabilities can be found and attacked by skilled hackers. Security breaches may result in a loss of data or leakage of personal information unless hospital information systems are designed with security features. Even so, many organizations make the mistake of neglecting the security aspect because security features do not generate any visible return on investment for them. As shown in
, at the end of the network topology, a mobile device and wireless access point are utilized to implement interaction of transmitted information between the end device and the database servers through the network. An authentication server is located in the middle of the data transmission for access control in the authentication process. To identify security vulnerabilities and threats, security solutions and compact protocol design should be suggested to mitigate all kinds of risks
shows the structure of the secure layer and its characteristics.
To mitigate the aforementioned problems, we analyzed a security mechanism that protects EMRs and is suitable for ubiquitous medical service. The mechanism consists of numerous security measures such as authentication and a cryptographic algorithm. According to the structure of the security level, the measures can be categorized into three security layers: authentication based on the network, authentication based on the application, and database protection.
Difference between e-healthcare and u-healthcare networks.
Example of topology of ubiquitous healthcare system.
The wired equivalent privacy (WEP) protocol was designed to provide the same level of privacy as a wired network. Due to the low complexity of security concerns over the WEP standard, many researchers continue to debate whether WEP alone is sufficient for HIPAA transmission security or not. Consequently, a healthcare delivery organization should use a combination of WEP and other security protocols for wireless networks. In order to avoid potential security breaches such as authentication and privacy protection, the existing healthcare agent architecture should be considered for some special security requirements. The wireless public area network is the connection of servers. The relevant enabling technologies for wireless public area networks are Bluetooth and ZigBee. They are a set of high level communication protocols that use low power resources. The use of RFID is increasing for healthcare systems and patient monitoring systems as well. Deploying RFID technology in the healthcare industry for promoting patient’s data and records in the hospital is a complex issue since it involves technological, economic, social, and administrative factors.
summarizes the major barriers, benefits, and attacks from the collected literature
Structure of secure layer for services. RFID: radio frequency identification, NFC: near field communication, IPSec: Internet protocol security, SSL: secure socket layer, EMR: electronic medical record.
Benefits of, barriers to, and attacks on RFID applications in healthcare systems. RFID: radio frequency identification.
A. Authentication Based on Network
As a first step toward security, well-organized authentication processes based on the network should be prepared against various threats, especially for wireless networks. In recent years, hospitals have also introduced wireless communication systems. However, not many hospitals are aware of the security issues because their working process is mainly focused on emergencies rather than security. This may result in a security problem such as information leakage.
describes a topology of ubiquitous healthcare systems. When a mobile agent attempts to connect to a Wi-Fi protected access (WPA2)-Enterprise architecture, it must go through the 802.1X/EAP process. This process has several steps. After the mobile agent establishes an association to the access point (AP), the remote authentication dial in user service (RADIUS) server initiates server-side authentication with the supplicant. In this authentication, the server sends its certificate to the mobile agent and requests that the user reply with the certificate of the mobile agent. Next, the mobile agent starts the client-side authentication by sending its authentication information to the server. After these steps, the mobile agent has proven its credentials in order to be allowed on the network. After authentication is completed, a further authentication step is needed in order to make sure that matching encryption keys are installed on the mobile agent and access point. Negotiation to exchange the advanced encryption standard/counter mode CBC-MAC protocol (AES/CCMP) encryption key is carried out by the robust security network (RSN), which is used for communications in a WPA2 network. Once the AES-CCMP encryption keys are successfully installed on both the AP and mobile agent, secure data will be transmitted across the WLAN. There are three methods that offer mutual security levels. To select the proper method, compatibility with the hospital environment should be analyzed. Extensible authentication protocol-message digest5 (EAP-MD5) should not be employed because it has weak security features.
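The following is an added example, not part of the original paper: a small Python audit of a mobile agent's wpa_supplicant configuration for the wireless weaknesses this section names (static WEP, EAP-MD5, anything short of WPA2 with AES-CCMP and a verified server certificate). The sample configuration, SSIDs, certificate paths, finding codes, and the policy of requiring EAP-TLS are assumptions made for the example.

```python
import re

# Constructed wpa_supplicant.conf for a hypothetical hospital handheld (invented SSIDs/paths).
SAMPLE_CONF = """
network={
    ssid="ward-legacy"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="ward-md5"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=MD5
}
network={
    ssid="ward-tls-loose"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    eap=TLS
    client_cert="/etc/certs/agent.pem"
    private_key="/etc/certs/agent.key"
}
network={
    ssid="ward-tls"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TLS
    ca_cert="/etc/certs/hospital-ca.pem"
    client_cert="/etc/certs/agent.pem"
    private_key="/etc/certs/agent.key"
}
"""

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (ln.strip().split("=", 1) for ln in body.splitlines() if "=" in ln)
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):
    """Return finding codes for one block; an empty list means it passes."""
    if net.get("key_mgmt", "").split() != ["WPA-EAP"]:
        # No 802.1X exchange at all; a wep_key* entry means static WEP keys.
        return ["WEP" if any(k.startswith("wep_key") for k in net) else "NO-8021X"]
    findings = []
    if net.get("proto") != "RSN":
        findings.append("NOT-WPA2-ONLY")   # older WPA is still accepted
    if net.get("pairwise", "").split() != ["CCMP"]:
        findings.append("NOT-CCMP-ONLY")   # a cipher other than AES-CCMP is allowed
    eap = net.get("eap", "").split()
    if "MD5" in eap:
        findings.append("EAP-MD5")         # the method the text rules out
    elif eap != ["TLS"]:
        findings.append("NOT-EAP-TLS")     # assumed policy: certificates on both sides
    elif "ca_cert" not in net:
        findings.append("NO-CA-CERT")      # no CA to verify the RADIUS server certificate
    return findings

def audit_config(text):
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONF))
```

Only the last block passes; this example checks `ca_cert` alone and does not look at other ways of pinning the server certificate.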
Comparison of u-healthcare network and IPv6. IPSec: Internet protocol security, AH: authentication header, ESP: encapsulating security payload.
To apply the EAP-transport layer security (TLS) protocol to a wireless network, implementation of the WLAN standard is required. WPA2 is one of the standards in which EAP-TLS can be implemented. Also, WPA2 employs AES-CCMP to overcome the vulnerabilities of other wireless communication standards. Huang et al. presented a healthcare system hierarchical network architecture for wireless sensor networks. When IPv6 over IEEE 802.15.4 is implemented into sensor nodes, furthermore, biomedical sensor positioning is a foundational and crucial subject for detecting the location of elderly or chronic patients at any place, at any time. The global positioning system, multi-dimensional scaling, or radio frequency identification techniques can be also applied to biomedical sensor systems.
depicts a comparison of u-healthcare network and IPv6 network bases
B. Authentication Based on Application
A user’s authorization should be authenticated by a web-based authentication process for accessing the EMR even though the user connects to the network through network authentication.
The security guidance is republished by HIPAA in the US. To understand the prevailing regulations surrounding the protection of healthcare information in the US, it is important to have a basic understanding of the HIPAA Act of 1996. Specifically, HIPAA defines privacy as an individual’s interest in limiting who has access to his or her personal healthcare information and specifies that security measures must encompass all the administrative, physical, and technical safeguards in an information system. According to recent studies, two-factor authentication has been reported. These are the usual authentication methods based on a challenge-response handshake and session key agreement during the authentication process. Communication secured with a session key provides confidentiality.
Key sizes giving equivalent security. ECC: elliptic curve cryptography.
Xiao et al. presented distributed architecture of a health agent system and its resource access flow control and agent interaction model with a security policy in health agents. Misik reported on healthcare wireless sensor networks implemented using 802.15.4 beacon-enabled technology, in which security processors are implemented with low power microcontrollers.
In this setting, he proposed using elliptic curve cryptography (ECC) for key distribution in order to decrease energy consumption compared to the better known RSA algorithm. Recently, ECC has been demonstrated as computationally lightweight, yet its security is comparable to that of RSA. For the same security level, ECC has much smaller key sizes compared to RSA, as shown in
The use of mobile devices in the hospital environment provides an opportunity to offer better services for patients and staff. Mobile technology offers many advantages for improving patient information management and reducing the cost and processing time of medical information. We analyzed security issues related to privacy and compared e-healthcare and u-healthcare systems. Neither a symmetric nor an asymmetric cryptographic deployment is necessary with the lightweight algorithm in a user’s device. In future work, we will develop a test bed with an RFID system embedded in a ubiquitous healthcare system to estimate the performance and related problems and improve the security of a pervasive and mobile healthcare system.
This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (grant no. 2012-0007896).
Park Y. J., Kim Y. B., “On the accuracy of RFID tag estimation functions,” Journal of Information and Communication Convergence Engineering.
“Security and privacy in RFID and applications in telemedicine,” IEEE Communications Magazine.
“Security recommendations for implementation in distributed healthcare systems,” in Proceedings of the 42nd Annual IEEE International Carnahan Conference on Security Technology.
Pateriya R. K., “The evolution of RFID security and privacy: a research survey,” in Proceedings of the International Conference on Communication Systems and Network Technology.
“A framework for the design of privacy preserving pervasive healthcare,” in Proceedings of the IEEE International Conference on Multimedia and Expo, New York, NY.
“Privacy and emergency response in ehealthcare leveraging wireless body sensor networks,” IEEE Wireless Communications.
“A secure mobile healthcare system using trust-based multicast scheme,” IEEE Journal on Selected Areas in Communications.
“Secure mobile health systems: principles and solutions,” in M-health: Emerging Mobile Health Systems, New York, NY.
Su C. J., Chen B. J., “Ubiquitous community care using sensor network and mobile agent technology,” in Proceedings of the 7th International Conference on Autonomic & Trusted Computing.
Huang Y. M., Hsieh M. Y., Chao H. C., Hung S. H., Park J. H., “Pervasive, secure access to a hierarchical sensor-based healthcare monitoring architecture in wireless heterogeneous networks,” IEEE Journal on Selected Areas in Communications.
“Securing the communications of home health care systems based on RFID sensor networks,” in Proceedings of the 8th Annual Communication Networks and Services Research Conference.
Chu C. H., “The use of RFID in healthcare: Benefits and barriers,” in Proceedings of the IEEE International Conference on RFID-Technology and Applications.
Wang S. W., Chen W. H., Ong C. S., Chuang Y. W., “RFID application in hospitals: a case study on a demonstration RFID project in a Taiwan hospital,” in Proceedings of the 39th Annual Hawaii International Conference on System Sciences.
Yu W. D., “A web-based wireless mobile system design of security and privacy framework for u-Healthcare,” in Proceedings of the 10th International Conference on e-health Networking, Applications and Services.
“Security in pervasive health care networks: current R&D and future challenges,” in Proceedings of the 11th International Conference on Mobile Data Management, Kansas City, MO.
Chien H. Y., “Varying pseudonyms-based RFID authentication protocols with DOS attacks resistance,” in Proceedings of the IEEE Asia-Pacific Services Computing Conference.
Hung C. C., Huang S. Y., “On the study of a ubiquitous healthcare network with security and QoS,” in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Application.
“Integrating RFID with wireless sensor networks for inhabitant, environment and health monitoring,” in Proceedings of the 14th IEEE International Conference on Parallel and Distributed Systems.
Chu C. H., “The use of RFID in healthcare: benefits and barriers,” in Proceedings of the IEEE International Conference on RFID: Technology and Applications.
“Medical record privacy and security in a digital environment.”
Phan R. C. W., “Cryptanalysis of a new ultralightweight RFID authentication protocol—SASI,” IEEE Transactions on Dependable and Secure Computing.
“Developing a security protocol for a distributed decision support system in a healthcare environment,” in Proceedings of the 30th ACM/IEEE International Conference on Software Engineering.
“Enforcing patient privacy in healthcare WSNs using ECC implemented on 802.15.4 beacon enabled clusters,” in Proceedings of the 6th Annual IEEE International Conference on Pervasive Computing and Communications, Hong Kong, China.