Authenticated Privacy Preserving Pairing-Based Scheme for Remote Health Monitoring Systems

The digitization of patient health information has brought many benefits and challenges for both patients and physicians. However, security and privacy preservation have remained important challenges for remote health monitoring systems. Since a patient's health information is sensitive and the communication channel (i.e. the Internet) is insecure, it is important to protect it against unauthorized entities. Otherwise, failure to do so will not only compromise a patient's privacy but will also put his/her life at risk. How to provide confidentiality, patient anonymity and un-traceability, access control to a patient's health information and even key exchange between a patient and her physician are critical issues that need to be addressed if wider adoption of remote health monitoring systems is to be realized. This paper proposes an authenticated privacy preserving pairing-based scheme for remote health monitoring systems. The scheme is based on the concepts of bilinear pairing, identity-based cryptography and a non-interactive identity-based key agreement protocol. The scheme also incorporates an efficient batch signature verification scheme to reduce the computation cost during multiple simultaneous signature verifications.


Introduction
The traditional healthcare systems are plagued by many problems and challenges. These include: diagnoses being written illegibly on paper, physicians not being able to easily access patient health information (PHI), and limitations on time, space and personnel for monitoring patients. Similarly, the current healthcare systems, structured and optimized for reacting to crises and managing illness, are facing new challenges: a rapidly growing population of elderly people and rising healthcare spending [1] [2]. As more and more people reach old age, the risk of developing certain chronic and debilitating diseases rises significantly [3] [4]. Furthermore, elderly people who prefer to live alone require long-term monitoring to sustain an independent life [5]. Clearly, innovative strategies are needed to tackle the existing problems and to cater to the healthcare needs of an aging population, in addition to sustaining the trend towards an independent lifestyle focused on personalized, non-hospital-based care [6]. With recent advances in telecommunication technology, however, opportunities exist to improve the current state of healthcare systems, minimize some of these problems and provide a more personalized service [7] [8].
The recent technological advances in sensors, low-power integrated circuits and wireless communications have enabled the design of low-cost, miniature, lightweight and intelligent physiological sensor nodes. These sensors, capable of sensing, processing and communicating one or more vital signs, can be seamlessly integrated into wireless personal or body area networks (WPANs or WBANs) for health monitoring [9]. A WBAN contains a number of portable, miniaturized and autonomous sensor nodes (in-body and/or on-body nodes) that monitor patients in their natural physiological state without constraining their normal activities. The gateway (e.g. a PC or mobile phone) of the WBAN is responsible for data collection, processing and overall WBAN management.
These networks promise to revolutionize healthcare by allowing inexpensive, non-invasive, continuous health monitoring with almost real-time updates of medical records via the Internet. Remote health monitoring systems typically collect patient readings and then transmit them to a remote server for storage and later examination by healthcare professionals. However, the different usage scenarios of remote health monitoring systems, ranging from pre-hospital, in-hospital and ambulatory to in-home monitoring, have resulted in diverse security and privacy concerns [10] [11]. Also, due to the sensitive nature of some of the remotely and electronically collected PHI, combined with the insecure nature of the communication channels, there is a need to prevent unauthorized access to and use of the PHI by both active and passive adversaries. Otherwise, not only will a patient's privacy be in jeopardy, but her life will also be at risk. Hence there is a need for new schemes to protect against privacy violations in remote health monitoring environments.
Many security protocols to enhance privacy and security in remote health monitoring systems have been put forward by researchers. Huang et al. [12] proposed an identity-based authentication and context privacy preservation scheme for wireless health monitoring systems. They adopted identity-based encryption to protect the confidentiality of PHI. However, Huang et al.'s scheme does not achieve patient identity privacy and is also prone to password guessing attacks on the physician's side [13]. Layouni et al. [14] proposed a privacy protection protocol for remote monitoring of medical care. They applied symmetric encryption and the RSA algorithm to provide encryption and authentication for PHI. Hasque et al. [15] proposed secure u-healthcare sensor networks using a public-key-based scheme. In their scheme, they adopted asymmetric encryption for confidentiality protection. Yang et al. [16] presented a password-based authentication scheme for healthcare delivery systems. The rationale behind their scheme is to allow patients to authenticate to healthcare providers using long-term short passwords. Sadly, password-based authentication systems are vulnerable to dictionary attacks. The U.S. government has also established stringent regulations to ensure that the security and privacy of PHI are properly protected [17]. Clearly, the issues of patient identity and data privacy have not been fully explored in the existing literature.
In this paper an authenticated privacy preserving pairing-based scheme for wireless health monitoring systems is proposed. The proposed scheme consists of three parties (see Figure 1 below), namely the gateway of the patient's WBAN, the Electronic Health Record (EHR) database in the Health Monitoring Server (HMS) and the physician. In the proposed scheme, all communications between the gateway and the EHR, the EHR and the physician, and the physician and the gateway are carried out over an insecure channel (i.e. the Internet). The HMS plays the role of the registration server and system parameter generator (or trusted authority) while the EHR acts as the authentication server. Identity-based cryptography (IBC) encryption is adopted to ensure the secure transmission, receipt, storage and access of PHI. This ensures the integrity of PHI, which in turn is crucial for accurate diagnosis of a patient by her respective physician. The scheme allows the patient and her physician to establish a secure communication channel via a session key shared only between the two parties. This is possible because of the non-interactive identity-based key agreement concept adopted. The analysis will show that the scheme provides confidentiality of a patient's health information, explicit mutual authentication between the patient and her physician, patient anonymity and un-traceability, patient revocation, session key secrecy and resistance against replay attacks. The rest of the paper is organized as follows: in Section 2, we describe some of the preliminary work and notations that are used throughout this paper. In Section 3, a discussion of the proposed scheme including system initialization, registration of parties and health information transfer is presented. Section 4 presents an analysis that shows that our scheme is efficient and that it achieves many desirable security and privacy preserving properties. Section 5 shows that the proposed scheme has a better performance than Huang et al.'s and Layouni et al.'s schemes by providing a comparison among the three. Finally, a conclusion is presented in Section 6.

Preliminaries
This section briefly reviews bilinear pairings, the Bilinear Diffie-Hellman problem and the original non-interactive identity-based key agreement protocol. Further, the threat model and notations used throughout the remainder of the paper are introduced.

Notations
Table 1 below presents the notations used throughout the remainder of the paper.

Bilinearity
Let G_1 be an additive group of prime order q and G_2 be a multiplicative cyclic group of the same order. In practice, G_1 is a subgroup of points on an elliptic curve over $Z_q^*$ and G_2 is a subgroup of the multiplicative group of a finite field $Z_{q^k}^*$ for some $k \in Z_q^*$. Let P denote a generator of G_1. Then there exists an efficiently computable bilinear map $\hat{e}: G_1 \times G_1 \to G_2$ with the following properties [18]:
• Bilinearity: Given P and Q in G_1 and $a, b \in Z_q^*$, we have $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$.
• Computability: There exists an efficient algorithm to compute $\hat{e}(P, Q)$ for any $P, Q \in G_1$.

The Bilinear Diffie-Hellman Assumption
The Bilinear Diffie-Hellman (BDH) problem in $\{G_1, G_2, \hat{e}\}$ is: given $P, aP, bP, cP \in G_1$ for unknown $a, b, c \in Z_q^*$, compute $\hat{e}(P, P)^{abc}$. The BDH assumption is that no efficient algorithm solves this problem with non-negligible probability.

Computational Diffie-Hellman Problem
The CDH problem is: given $(P, aP, bP)$ for any $a, b \in Z_q^*$, compute $abP$; this is assumed to be hard.

Non-Interactive Identity-Based Key Agreement
For the non-interactive identity-based key agreement protocol, the central authority first generates two cyclic groups G_1 and G_2 and the bilinear map $\hat{e}$ to set up the parameters for an identity-based public key system. The central authority also chooses a cryptographic collision-free hash function H(·); each client receives its private key from the central authority via a secure channel [19] [20].
With such a setup, any two clients of the same central authority can compute a shared key using only the identity of the other participant and their own private key. For two clients with identities id_1 and id_2, the shared key is $\hat{e}(sH(id_1), H(id_2)) = \hat{e}(H(id_1), H(id_2))^s = \hat{e}(H(id_1), sH(id_2))$. Clearly, by bilinearity, each client obtains the same value from its own private key and the other's identity, without exchanging any message.

Proposed Authenticated Privacy Preserving Scheme
In this section the proposed authenticated privacy preserving pairing-based scheme for remote health monitoring systems is presented. The existence of a properly set up and functioning patient WBAN, with the gateway of the WBAN responsible for collecting data from the biosensors and analyzing it, is presumed.
Based on the analysis, the gateway (equipped with a wireless Ethernet adapter so as to communicate with a standard wireless router/switch) periodically sends a summary report about the patient's condition to the health monitoring server.
However, in case the analysis indicates a sudden health deterioration, or a condition that requires immediate attention, the gateway is required to automatically trigger an emergency signal and send an immediate notification to the health monitoring server so that the necessary action can be taken immediately to help the patient. The scheme consists of three parties, namely the gateway of a patient's WBAN, the EHR database in the HMS and the physician. Note: from here on, we refer to the gateway of a patient's WBAN simply as the patient for convenience. In the proposed scheme, the HMS plays the role of the registration server and system parameter generator (or trusted authority) while the EHR acts as the authentication server. IBC-encryption is adopted to ensure the secure transmission, receipt, storage and access of PHI. This ensures the integrity of PHI, which in turn is crucial for accurate diagnosis of a patient by her respective physician. To achieve patient anonymity and un-traceability, a privacy preserving technique based on pseudonyms is adopted. These pseudonyms are issued to the patient via a smartcard by the trusted authority upon successful registration.
To aid the authentication of patients and physicians by the EHR, both patients and physicians are required to attach to every message sent to the EHR a signature that the EHR can validate. To reduce the computation overhead for the EHR during signature validation, an efficient batch signature verification scheme, in which the EHR can simultaneously verify multiple received signatures, is adopted [21]. The proposed scheme allows the patient and her physician to establish a secure communication channel via a session key shared only between the two parties. This is possible because of the non-interactive identity-based key agreement concept which has been adopted. The scheme also allows revocation of patients. This means that in cases of death, expiry of the service subscription period or upon request by the patient, the trusted authority can easily terminate service provision to the particular patient. The scheme consists of three main phases: system initialization, registration and health information exchange among patient, EHR and physician. First, the threat model is discussed, followed by a summary of notations, and then the phases of our scheme.

Privacy Preserving Properties of the Scheme
There are many threats to a patient's privacy and security in remote health monitoring systems. Some of these threats include: data breaches by insiders (i.e. authorized EHR users or staff of the EHR organization), insider curiosity, accidental disclosure and unauthorized intrusion into the network system by outsiders (i.e. third parties who act without authorization, e.g. hackers) [22]. The aim of the proposed scheme is to enhance patient data and identity privacy against both insiders and outsiders. Below is a brief discussion of some of the security and privacy properties of the scheme and why they are important to a patient's data security and identity privacy in remote health monitoring systems.

Confidentiality
In remote health monitoring systems, the disclosure of PHI to unauthorized persons is a serious security and privacy threat. This is because some PHI can be sensitive. Hence, once accessed, such data can be subjected to different misdemeanors such as fraudulent insurance claims by adversaries. In the recent past there have been incidents where PHI was disclosed to external parties [23] [24].

Anonymity and Untraceability
Among common privacy requirements, identity and location privacy, i.e. preventing unauthorized parties from learning one's identity and current or past locations, are of paramount importance [25] [26] [27]. The recent expansion of electronic and mobile healthcare systems has resulted in an increased demand for patient anonymity. This is because adversaries are now more capable of breaching network systems and achieving unauthorized access to PHI. For example, hackers may intrude into a hospital's network to access PHI or render the system inoperable. Hence patient anonymity and un-traceability would prove vital in such scenarios.

System Initialization
Similar to other identity-based schemes, the proposed one also requires a private key generator (PKG). In the proposed scheme the HMS acts as the PKG. To initialize the system, the HMS runs the following steps. Let G_1 be an additive cyclic group of prime order q, G_2 a multiplicative cyclic group of the same order, $\hat{e}: G_1 \times G_1 \to G_2$ the bilinear map and P an arbitrary generator of G_1. The HMS chooses a master secret s and two hash functions H_1 and H_2, publishes the public system parameters $\{G_1, G_2, \hat{e}, q, P, P_{pub}, H_1, H_2\}$, and keeps the master secret key s secret.

Registration
In this section, the registration process of involved parties in the system is discussed.All registrations are carried out by the HMS via a secure channel (see Figure 2).

Physician Registration
To register, D_l (doctor/nurse) submits her identity id_Dl (e.g. an email address or

Patient Registration
Let PT_i be a patient seeking medical help from D_l. To register, PT_i submits her real ID id_PTi to the HMS. The HMS first validates the submitted identity. If the validation is successful, the HMS then chooses a family of n un-linkable pseudo-IDs for PT_i given by $PID_{PT_i} = \{pid_0, pid_1, \ldots, pid_j, \ldots, pid_{n-1}\}$. For each pseudo-ID pid_j in PID_PTi, the HMS computes the public key $Q_j = H_1(pid_j)$ and the corresponding private key $d_j = sH_1(pid_j)$, such that the families of public and private keys are $PUB_{PT_i} = \{Q_0, Q_1, \ldots, Q_{n-1}\}$ and $PRI_{PT_i} = \{d_0, d_1, \ldots, d_{n-1}\}$.
Once PT_i completes the registration procedure, the HMS issues her with a smartcard. The smartcard is personalized with parameters (i.e. PID_PTi, PUB_PTi, PRI_PTi, id_Dl, id_EHR) which PT_i can later use to register her gateway with the HMS. Upon arrival at home, PT_i passes the information in the smartcard over to the gateway. Since some of the information is sensitive, an assumption is made that, once the gateway gets the parameters, it erases the information from the memory of the smartcard to avoid the security implications that may result if the smartcard ends up in the hands of an adversary.
With these pseudo-IDs, PT_i can constantly change her pseudo-ID to achieve anonymity and un-traceability during the communication process over the remote health monitoring system. The HMS also sends PID_PTi to the appropriate D_l and to the EHR respectively.
To allow for revocation, the HMS adds an ExpiryDate into pid_j for 0 ≤ j ≤ n − 1, such that each of the public keys $Q_j = H_1(pid_j)$ is valid only before the specified expiry time t_j. After the specified time, the corresponding private key $d_j = sH_1(pid_j)$ is no longer valid. Let $\{t_0, t_1, \ldots, t_{j-1}, t_j, t_{j+1}, \ldots, t_{n-1}\}$ be the set of life spans for each of the pid_j for 0 ≤ j ≤ n − 1, such that $t_j = t_{j-1} + \Delta t$, where Δt is a constant value for all pseudo-IDs, meaning that the length of the life span for each of the private keys is the same. Further, suppose that PT_i can only use the pseudo-IDs pid_j, 0 ≤ j ≤ n − 1, sequentially (i.e. pid_{j+1} can only be used after pid_j has expired). This allows D_l to request specific patient health data from the EHR. This is possible because D_l is also issued with PT_i's pseudo-IDs, hence making it easy for him/her to know which of the pseudo-IDs has expired or which one is the current pid_j in the sequence of PT_i's pseudo-IDs.
Note: according to [14], a system is said to preserve pseudonymity if data records sent by the patient to the health monitoring server are linkable to each other but not to the patient's real ID. In the proposed scheme a patient's pseudo-IDs are assumed to be un-linkable. In this case an assumption is that the system uses other mechanisms for achieving pseudonymity and not a patient's pseudo-IDs. But since there may be a need to reveal a patient's real ID in cases of apparent abuse of the conditions of service via judicial procedure, the proposed scheme assumes that only the HMS (trusted authority) knows the relationship between the pseudo-IDs and the real ID of the patient. As such, the scheme can provide conditional privacy for the patient.

Health Information Transfer
Below the following are discussed: 1) patient health information transfer to EHR, 2) patient authentication, health information receiving and storing by the EHR and 3) patient health information request and recovery by the physician (see Figure 3).

Patient Health Information Transfer to EHR
To send health information to the EHR, PT_i carries out the following steps:
• Picks an unused valid pseudo-ID pid_j and the corresponding private key d_j.
• Using this private key, PT_i computes a session key $SK_{PT_i-D_l} = \hat{e}(d_j, H_1(id_{D_l})) = \hat{e}(H_1(pid_j), H_1(id_{D_l}))^s$. This key will be used to encrypt the health information and establish a secure channel with D_l.
• Using SK_PTi−Dl, PT_i performs IBC-encryption on the health data.
Once the above steps are satisfied, the EHR accepts the message as authentic and stores the necessary message components (see Table 2). The EHR can then either notify the respective D_l of the received PHI or wait for a message request from D_l.
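The pseudo-ID life cycle from the Registration section (an ExpiryDate inside each pid_j, t_j = t_{j−1} + Δt, sequential use) and the checks the EHR runs on an incoming message (pseudo-ID known and current, not expired, timestamp fresh and not replayed) can be exercised end to end. The following is an added example, not code from the paper or its authors. The pseudo-ID encoding, the EHRState structure and the exact freshness rule (timestamp strictly newer than the last accepted one and no older than one collection interval ΔT) are this example's assumptions, since the page does not reproduce the paper's inequality; the patient and dates are constructed.

```python
# Added example (not the paper's code): HMS-side pseudo-ID issuance with expiry
# dates and EHR-side acceptance checks on (pid_j, timestamp).
# ASSUMPTIONS: pid encoding "<random>|exp=<ISO 8601 time>" and the freshness
# rule (sent_at > last accepted, now - sent_at <= delta_t) are ours.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets


@dataclass(frozen=True)
class PseudoID:
    index: int          # j
    value: str          # pid_j, carrying its ExpiryDate
    expires: datetime   # t_j


def issue_pseudo_ids(n, t0, delta_t):
    """HMS side: PID_PTi = {pid_0, ..., pid_{n-1}} with t_j = t_{j-1} + delta_t."""
    family, t = [], t0
    for j in range(n):
        t = t + delta_t
        family.append(PseudoID(j, f"{secrets.token_hex(8)}|exp={t.isoformat()}", t))
    return family


def expiry_of(pid_value):
    """Recover the ExpiryDate embedded in a pseudo-ID (EHR and D_l can both do this)."""
    return datetime.fromisoformat(pid_value.split("|exp=", 1)[1])


def current_pid(family, at):
    """pid_{j+1} is used only after pid_j expires: first unexpired id at time `at`."""
    for pid in family:
        if at < pid.expires:
            return pid
    return None     # family exhausted: the subscription has lapsed


@dataclass
class EHRState:
    families: dict                                      # handle -> list[PseudoID], sent by HMS
    delta_t: timedelta                                  # fixed interval between collections
    last_receipt: dict = field(default_factory=dict)    # handle -> last accepted timestamp


def accept(state, pid_value, sent_at, now):
    """Checks the EHR runs before believing a message. Returns (accepted, reason)."""
    handle = next((h for h, fam in state.families.items()
                   if any(p.value == pid_value for p in fam)), None)
    if handle is None:
        return False, "unknown pseudo-ID"
    if sent_at >= expiry_of(pid_value):
        return False, "pseudo-ID expired (service subscription lapsed)"
    expected = current_pid(state.families[handle], sent_at)
    if expected is None or expected.value != pid_value:
        return False, "pseudo-ID used out of sequence"
    last = state.last_receipt.get(handle)
    if last is not None and sent_at <= last:
        return False, "timestamp not newer than last receipt (replay?)"
    if now - sent_at > state.delta_t:
        return False, "timestamp older than one collection interval"
    state.last_receipt[handle] = sent_at
    return True, "accepted"


def demo():
    """Constructed scenario for one patient; returns the EHR's reasons in order."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    month = timedelta(days=30)
    family = issue_pseudo_ids(3, t0, month)          # pid_0..pid_2, 30-day life spans
    ehr = EHRState(families={"patient-A": family}, delta_t=month)
    pid0, pid1 = family[0].value, family[1].value
    day, hour = timedelta(days=1), timedelta(hours=1)
    steps = [
        (pid0, t0 + 15 * day, t0 + 15 * day + hour),      # first report
        (pid0, t0 + 15 * day, t0 + 15 * day + 2 * hour),  # same timestamp again
        (pid1, t0 + 16 * day, t0 + 16 * day + hour),      # pid_1 before pid_0 expired
        (pid0, t0 + 45 * day, t0 + 45 * day + hour),      # pid_0 after its expiry
        (pid1, t0 + 45 * day, t0 + 45 * day + hour),      # correct successor
        (pid1, t0 + 46 * day, t0 + 90 * day),             # arrives far too late
    ]
    return [accept(ehr, pid, sent, now)[1] for pid, sent, now in steps]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

demo() walks one constructed patient through a first report, a replay of the same timestamp, a pseudo-ID used ahead of its turn, an expired pseudo-ID, the correct successor and a stale message; the reason strings make the rejection cause explicit, which is what the EHR should record rather than a bare reject.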

Health Information Access by Physician
To access a patient's health information, D_l first gets herself authenticated to the EHR by carrying out the following steps:
Note: the protocol above achieves explicit mutual authentication between PT_i and D_l. It also allows anonymous authentication of PT_i. Furthermore, PT_i and D_l successfully establish a shared symmetric key SK_PTi−Dl that is used for the subsequent communication session.

Analysis
This section analyses the desirable properties of the proposed scheme, including its security and privacy preserving properties. Note that other properties, including patient revocation and resistance to replay attacks, have been analyzed in Section 4.

Batch Authentication
In the proposed scheme, the EHR verifies the signature appended to a message to ensure the authenticity of PT_i and D_l. This means that for n distinct patients, ( ), where id_l is the identity of physician l.
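To make the algebra behind the Preliminaries concrete (bilinearity, the non-interactive identity-based key agreement that gives PT_i and D_l the session key SK_PTi−Dl from d_j and H_1(id_Dl), the Auth/Veri check on the physician's advice, and the batch verification of pseudo-ID-based signatures the EHR performs), here is an added example that is not code from the paper or its authors. It replaces the elliptic-curve pairing with a toy bilinear map (G_1 modelled as the additive group Z_q with P = 1, G_2 as the order-q subgroup of Z_p^*, ê(X, Y) = g^{XY}), which satisfies the bilinearity identity but offers no security, since discrete logarithms in that G_1 are trivial. The Cha-Cheon-style identity-based signature, the HMAC-based Auth/Veri tag and the random-exponent batch test are choices made here for illustration, as the page does not reproduce the paper's own signature, Auth or batch equations; the identities, pseudo-IDs and readings are constructed.

```python
# Added example, not the paper's code: a toy bilinear map used to check the
# algebra of (1) the non-interactive identity-based key agreement between PT_i
# and D_l, (2) an Auth/Veri tag under that key and (3) batch verification of
# identity-based signatures.  ASSUMPTION / CAVEAT: G1 = (Z_q, +) with P = 1,
# G2 = order-q subgroup of Z_p^* (p = 2q + 1), e(X, Y) = g^(X*Y mod q).  The
# map is bilinear, so the identities hold, but it is an algebra model only,
# never a secure instantiation.  The signature is a Cha-Cheon style IBS chosen
# here; the paper's own signature and batch equations are not on the page.
import hashlib
import hmac
import secrets

Q = 1019            # prime order of G1 and G2 (constructed toy parameter)
P_MOD = 2 * Q + 1   # 2039, prime, so Z_p^* has a subgroup of order Q
G2_GEN = 4          # 4 = 2^2 generates that order-Q subgroup
P = 1               # generator of toy G1 = (Z_Q, +)

def pairing(x, y):
    """Toy bilinear map e: G1 x G1 -> G2."""
    return pow(G2_GEN, (x * y) % Q, P_MOD)

def h1(data):
    """H1: {0,1}* -> G1, maps identities and pseudo-IDs to group elements."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q or 1

def h2(msg, u):
    """H2: (message, commitment U) -> scalar in Z_q used by the signature."""
    return int.from_bytes(hashlib.sha256(msg + u.to_bytes(2, "big")).digest(), "big") % Q

def setup():
    """HMS acting as PKG: master secret s and public P_pub = sP."""
    s = secrets.randbelow(Q - 1) + 1
    return s, (s * P) % Q

def extract(s, identity):
    """Private key for an identity or pseudo-ID: d = s * H1(id)."""
    return (s * h1(identity)) % Q

def sok_key(my_private_key, peer_identity):
    """Non-interactive key: e(d_me, H1(id_peer)) = e(H1(id_me), H1(id_peer))^s."""
    return pairing(my_private_key, h1(peer_identity))

def auth_code(session_key, payload):
    """Auth / Veri tag over a message, keyed with the session key (HMAC, assumed)."""
    return hmac.new(session_key.to_bytes(2, "big"), payload, hashlib.sha256).digest()

def sign(d, identity, msg):
    """IBS: U = r*H1(id), h = H2(msg, U), V = (r + h) * d."""
    q_id = h1(identity)
    r = secrets.randbelow(Q - 1) + 1
    u = (r * q_id) % Q
    v = ((r + h2(msg, u)) * d) % Q
    return u, v

def verify(p_pub, identity, msg, sig):
    """Single check: e(P, V) == e(P_pub, U + h*H1(id))."""
    u, v = sig
    return pairing(P, v) == pairing(p_pub, (u + h2(msg, u) * h1(identity)) % Q)

def batch_verify(p_pub, items):
    """Verify n (identity, msg, sig) triples with 2 pairings instead of 2n.
    Each term is weighted by a fresh nonzero exponent so that an invalid
    signature cannot cancel against another one (a plain sum can be fooled)."""
    left = right = 0
    for identity, msg, (u, v) in items:
        delta = secrets.randbelow(Q - 1) + 1
        left = (left + delta * v) % Q
        right = (right + delta * (u + h2(msg, u) * h1(identity))) % Q
    return pairing(P, left) == pairing(p_pub, right)

def demo():
    """Run the checks a reader would want to see; returns name -> bool."""
    s, p_pub = setup()
    pid_j = b"pid_0|exp=2025-01-31"            # constructed pseudo-ID with ExpiryDate
    id_dl = b"dr.lee@hospital.example"        # constructed physician identity
    d_j, d_dl = extract(s, pid_j), extract(s, id_dl)
    sk_pt = sok_key(d_j, id_dl)               # computed by PT_i
    sk_dl = sok_key(d_dl, pid_j)              # computed by D_l, no message exchanged
    checks = {
        "bilinear": pairing((3 * 7) % Q, (5 * 11) % Q) == pow(pairing(7, 11), 15, P_MOD),
        "sok_keys_match": sk_pt == sk_dl,
        # D_l sends Auth over (C_3, timestamp); PT_i recomputes Veri and compares
        "advice_auth": hmac.compare_digest(auth_code(sk_dl, b"C3|T"), auth_code(sk_pt, b"C3|T")),
    }
    items = []
    for k in range(5):                        # five patients, one signed reading each
        pid = f"pid_{k}".encode()
        msg = f"hr=7{k}".encode()
        items.append((pid, msg, sign(extract(s, pid), pid, msg)))
    checks["single_ok"] = all(verify(p_pub, i, m, sg) for i, m, sg in items)
    checks["batch_ok"] = batch_verify(p_pub, items)
    pid, msg, (u, v) = items[2]
    items[2] = (pid, msg, (u, (v + 1) % Q))   # tamper with one signature
    checks["batch_rejects_tampered"] = not batch_verify(p_pub, items)
    return checks

if __name__ == "__main__":
    print(demo())
```

The batch check weights every signature with a fresh nonzero exponent before summing. Without that weighting, a single pairing equation over a plain sum can be satisfied by two invalid signatures whose errors cancel, so a verifier that accepts a batch on the naive sum may accept signatures it never actually checked; demo() shows the weighted batch rejecting one tampered signature among five. In a real deployment the toy map is replaced by a pairing-friendly curve library and the small-exponent deltas are drawn short for speed, but the structure of the check is the same.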

Patient Service Subscription Validation
To check the service subscription validity for PT_i, the EHR checks the signature appended to the message. The signature is a pseudo-ID-based signature. Without the private key $d_j = sH_1(pid_j)$, it is infeasible for third parties to forge a valid signature. This is because, based on the hardness of the CDH problem in G_1, it is difficult to derive the private key $sH_1(pid_j)$ given pid_j, P and P_pub. Hence the pseudo-ID-based signature is unforgeable and a patient's service subscription validation can be achieved.

Mutual Authentication
The patient and her physician achieve explicit mutual authentication. This is so because, when sending medical advice

Confidentiality
Confidentiality of PHI entails ensuring that patient health information is not made available or disclosed to unauthorized parties, including the EHR itself. The proposed scheme achieves confidentiality against both insider and outsider adversaries. This is because M is stored in the EHR encrypted with SK_PTi−Dl; recovering this key given id_Dl, pid_j, P and P_pub is the same as solving the BDH problem. Hence our scheme satisfies the confidentiality property of PHI.

Patient Anonymity and Untraceability
In the proposed scheme, each PT_i upon successful registration receives a family of n un-linkable pseudo-IDs given by $PID_{PT_i} = \{pid_0, pid_1, \ldots, pid_{n-1}\}$. Since there is no linkage between the pseudo-IDs, our scheme also achieves untraceability.

Session Key Secrecy
As shown above, computing the session key SK_PTi−Dl by an adversary means solving the BDH problem in {G_1, G_2, ê}. Under the random oracle model, solving BDH in {G_1, G_2, ê} is infeasible. Hence the session key between PT_i and D_l is secure and cannot be computed by third parties.

Conclusion
This paper has proposed a privacy preserving pairing-based authentication and key establishment scheme for wireless health monitoring systems. The proposed scheme is based on bilinear pairing, IBC and a non-interactive key agreement scheme using bilinearity. In the scheme, patients are only pseudonymously identified, hence protecting the patients from the negative effects of identity theft such as fraudulent insurance claims by adversaries. However, the scheme achieves conditional privacy; this is so because the central authority (the health monitoring server) knows the patients' real identity, hence in case of apparent abuse, via judicial procedure, this real identity can be revealed. The security and privacy preservation analysis has shown that the scheme also achieves confidentiality of PHI and session key secrecy. While the performance comparison has shown that our

Table 3. Performance comparison between the proposed scheme and the schemes in [13] and [15].
map and P be an arbitrary generator of G_1. The HMS then chooses a random number to the EHR via a secure channel (e.g. the Transport Layer Security protocol). The HMS then publishes the public system parameters as social security number) to the HMS. The HMS first validates the submitted identity and, if validation is successful, computes the public key $Q_{D_l} = H_1(id_{D_l})$ and the private key $d_{D_l} = sQ_{D_l}$ for D_l. The HMS then sends $\{Q_{D_l}, d_{D_l}\}$ to D_l via a secure channel.

Figure 3. Message exchange among patient, EHR and physician.


Once the above steps are satisfied, EHR believes that the request is authentic and forwards the message { }

can now analyze M and give necessary and timely medical advice. By checking the timestamp $T^{new}_{PT_i}$, D_l is able to tell when the information was sent by PT_i. This can help her estimate the patient's health condition since the time the data was collected by the biomedical devices. To send medical advice M_Advice to PT_i in response to the received health information M, D_l computes
PT_i first validates the timestamp to overcome replay attacks. If validation is successful, PT_i proceeds to compute the verification code Veri and checks whether Veri ?= Auth. If the equation holds, PT_i believes that the message is from the legitimate D_l and that he/she has established a secure channel. This protects the patient from bogus medical advice, which could be life threatening for him/her. PT_i can now decrypt C_3 using SK_PTi−Dl to recover the medical advice.
distinct physicians. In this case, all the signatures are valid if; to PT_i together with the encrypted medical advice C_3 and the timestamp $T^*_{D_l}$ as part of the message { } if the equation holds, then the patient can authenticate the message and trust that it is from the right source; otherwise he/she rejects the message.
her real ID for authentication and message transfer, the patient uses these issued pseudo-IDs. This ensures patient identity privacy protection since the pseudo-IDs reveal nothing about the patient's real ID to other parties.
then chooses a secret key where M is the PHI, the other timestamp is the last time of message receipt by the EHR, and ΔT is the fixed time interval between successive health information collections. This could help to counter replay attack attempts. If successful, it proceeds to examine the ExpiryDate included in pid_j to verify the service expiration time. Using the public parameters and the received values, the EHR checks the validity of the

Table 2. Patient health information storing by EHR.

Because D_l is aware that each of the patient's pseudo-IDs has an expiry date and that they are used sequentially, when choosing pid_j, D_l chooses the one that is valid and current. Hence D_l can request specific patient health information from the EHR depending on the specified pid_j.
Based on the BDH problem on {G_1, G_2, ê}, it is infeasible for an adversary to derive SK_Dl−PTi given id_Dl, pid_j, P and P_pub. Furthermore, based on the non-interactive identity-based key agreement, only D_l, whose private key is d_Dl, and PT_i, who has the private key corresponding to H_1(pid_j), can share this key. Once PT_i receives Auth, he/she can then check whether Veri ?= Auth holds.
and based on the BDH problem on {G_1, G_2, ê}, it is impossible for anyone except the legitimate D_l to derive SK_PTi−Dl. The BDH problem on {G_1, G_2, ê} is: compute

Table 3 below presents a comparison between the proposed scheme and Huang et al.'s identity-based authentication and context privacy preservation scheme and Layouni et al.'s privacy-preserving telemonitoring for e-health scheme.
achieves more privacy preserving properties than Huang et al.'s and Layouni et al.'s schemes.