Secure Remote Health Monitoring with Unreliable Mobile Devices

As the nation's healthcare information infrastructure continues to evolve, new technologies promise to provide readily accessible health information that can help people address personal and community health concerns. In particular, wearable and implantable medical sensors and portable computing devices present many opportunities for providing timely health information to health providers, public health professionals, and consumers. Concerns about privacy and information quality, however, may impede the development and deployment of these technologies for remote health monitoring. Patients may fail to apply sensors correctly, device can be stolen or compromised (exposing the medical data therein to a malicious party), low-cost sensors controlled by a capable attacker might generate falsified data, and sensor data sent to the server can be captured in the air by an eavesdropper; there are many opportunities for sensitive health data to be lost, forged, or exposed. In this paper, we design a framework for secure remote health-monitoring systems; we build a realistic risk model for sensor-data quality and propose a new health-monitoring architecture that is secure despite the weaknesses of common personal devices. For evaluation, we plan to implement a proof of concept for secure health monitoring.


Introduction
The nation has an urgent need to build a national healthcare information infrastructure (NHII) that provides health information to all who need to make sound decisions about health [1]. Readily accessible and reliable health information would greatly improve everyone's ability to address personal and community health concerns. Health emergencies also require prompt and authoritative information about the situation to be readily available to those involved. Fortunately, present information technology brings us the hope that significant improvements in the public' health and wellbeing are not only possible but close at hand.
Wearable and implantable medical sensors and portable computing devices present many opportunities for providing timely health information to health providers, public health professionals, and consumers [2]. By supplying real-time health information, or extensive measurements collected continuously, a sensor-based health-monitoring system complements the current healthcare information infrastructure, which is based on relatively static, sparsely collected information in the patient's medical records. A remote health-monitoring system may help to reduce the cost of healthcare [3] and to simultaneously improve the quality of the healthcare; patients may spend less time in the hospital and yet have more detailed health data, measured by wearable sensors as they go about their daily activities; caregivers can more quickly react to the medical emergencies of elders; trainers can analyze a trainee's fitness level; consumers can maintain their own health and wellness.
Privacy and information quality, however, are two major concerns in the development and deployment of remote health-monitoring systems [4,5]. To be viable, any such system must provide usable devices that respect patient privacy while also retaining data quality required for the medical purpose it serves. There are many opportunities for the data to become lost, damaged, forged, or exposed: patients may fail to apply sensors correctly, leading to medically incorrect readings; the patient's device may be misplaced, stolen, or compromised, causing the medical data stored in the device to be divulged [6]; the sensor data may travel across multiple devices and networks before it is presented to the medical team. The problem is especially challenging, given the difficulty of hardening low-cost sensors and the personal devices that collect, process, and forward the medical data, and given that all such devices will communicate over wireless networks. When such a system is compromised, the consequences may be dire. Incorrect sensor data, whether it is inaccurate, manipulated, delayed, or originating from the wrong patient, can lead to incorrect diagnosis or inappropriate treatments. When the data is used for medical research or epidemiological studies, public health can be endangered. When the data is inappropriately disclosed, it may expose the patient's medical problems, and details of treatments underway. Insufficient data integrity may cause health professionals to mistrust the data and may make them reluctant to use devices that may, otherwise, be beneficial to patient health. Insufficient protection of patient privacy may reduce the patients' willingness to wear medical sensors, or even inspire them to cause the sensors to report incorrect data, again reducing the health benefit of these technologies.
The problem is difficult due to the lack of control over the situation at the patient's end. Correct application of sensors and proper configuration of the device depend on the patient's ability and diligence. Education helps, but people make mistakes and many fail to implement security practices [7]. The problem becomes harder when the hardware or software components are integrated into a personal device such as a cellular phone, a PDA, or a smart watch. Such devices have limited security features and are vulnerable to unauthorized access; some security mechanisms (like TPM [8,9]) may be too restrictive and difficult to use. The use of dedicated devices, however, would be costly, has limited flexibility, and may reduce patient participation.
In this paper, we will address these issues by designing a framework for secure remote health-monitoring systems. Given the time available (one year), we will focus most on the data-quality issues. Specifically, we want to (i) build a realistic risk model for sensor-data quality, by interacting with health professionals, (ii) develop protocols and mechanisms for data protection and quality assurance, and (iii) propose a new health-monitoring architecture that is secure despite the weaknesses of common personal devices. For evaluation, we will implement a proof of concept for secure health monitoring.

Risk Analysis
First, we define some terminology.
(i) Medical Sensor Data. Data generated by sensors that can directly describe some physiological condition of a person or can describe the context of the person or the situation, such as movement, location, temperature, or noise level.
(ii) Monitoring Software. A software component that performs health-monitoring tasks at the patient's end; it controls sensors, collects medical sensor data from sensors, processes the data, and reports the data to the server.
(iii) Monitoring Device. A portable device that can be connected to the Internet through a wireless connection and can communicate with wearable sensors through short-range wireless connection; the monitoring software runs within the monitoring device.
(iv) Patient. The person whose medical condition is monitored by the health-monitoring system, who wears the sensors and carries the monitoring device; the monitoring device may be owned by the patient and used for other nonmedical purposes.
(v) Provider. The party who deploys the health-monitoring system and collects the medical sensor data of the patient, based on which it provides health services to the patient such as medical diagnosis [10], emergency response, or fitness training; examples include physicians, nursing homes, or personal trainers.
To design a secure health-monitoring system, we first need to understand what determines the quality of the medical sensor data and how we can quantify the degree of the data quality. Specifically, we want to identify factors that affect the data quality and then analyze to what extent they influence the data quality. Others have described overall security challenges in health-monitoring systems [4], and initial ideas for protecting health-data integrity [11], but an in-depth and realistic analysis of the problem is lacking in the literature.
As a preliminary analysis, we recently identified eleven factors that can affect the quality of medical sensor data [5] (see next section for detail). To ensure or evaluate the data quality of a health-monitoring system, one should take these factors into account. Without knowledge of physiology and practical concerns, however, it is difficult to quantify to what extent each factor will contribute to the data quality.

Quality Control Framework
In this section, we design a quality-control framework based on the risk analysis in the previous section. The framework is a set of processes that ensure, verify, and evaluate the data quality.
To design a quality-control framework, we first analyzed the health-monitoring system as a sequence of processes, assigned related factors to each process, and then identified possible methods for the quality control of individual factors. Figure 1 illustrates our analysis. Medical sensing begins with sensing the physiology of the patient (sense process). Each sensor generates sensor data at a certain rate and transmits them to the device through a wireless connection (transfer process). The monitoring device collects data from sensors, processes them as needed (collect process), and then forwards them to the provider (transfer process). Upon receiving the data from the device, the provider's server evaluates the validity of the data (verify process) and then presents the data to the provider. When it presents the data, the server also presents the level of the data quality to the provider (assess process). Figure 1 lists the factors that are related to each Journal of Biomedicine and Biotechnology 3 process. For each factor, the possible methods for quality control are shown. In the following, we discuss our analysis in more detail. (For brevity, we skip the factors that are selfexplanatory.) (i) Accuracy. The accuracy of a sensor depends on its design and manufacturer (i.e., sensor profile), the time since the latest calibration, and the age of the sensor. The data quality depends on the accuracy expressed by the expected error bound.
(ii) Granularity. The quality of sensor data also depends on the level of detail that a sensor can provide.
(iii) Application. The data quality also depends on correct application of the sensor to the body; if the sensor is not correctly applied to the body, it generates incorrect sensor data. If the patient is responsible for the application, the quality of sensor application depends on the patient's ability and diligence. The patient's ability depends on the education, age, and prior experience. When a sensor is incorrectly applied, the data is likely to deviate from the range of values that are considered reasonable as a physiological value. We call this reasonableness of the medical data soundness. The soundness of data includes physiological soundness and contextual soundness; we explain these in more detail below where we explain the verification process.
(iv) Synchronization. It is often medically necessary to collect multiple sensor readings of different modalities, and a health professional can derive a medical condition from their combination. For the combination to be useful, the sensor readings should be temporally synchronized. If sensors cannot time-stamp each data, the device should do so, but it should also make sure that the sensor data is sampled at that moment (i.e., not replayed by an adversary). The data quality depends on the granularity of the synchronization.
(v) Information Loss by Aggregation. Communication is costly. To save the amount of information to be sent, the device can aggregate sensor readings before sending (e.g., reporting the average per minute). However, every aggregation loses some information in data, and the quality of data depends on the amount of information lost by the aggregation.
Most factors related to sense, collect, and transfer processes are syntactic (except sensor application); they depend little on the semantics of the medical data. For example, one can protect message integrity without knowing the meaning of the data contained in the message. However, medical data has rich semantics that can determine what data is sound as medical data. The verification process exploits the semantics of the medical sensor data to verify if the data is appropriate, useful, or acceptable for the purpose of health monitoring.
(i) Patient Authentication: patient authentication verifies whether the sensors are monitoring the right person. Biometric data (e.g., fingerprint [12]) is simple and accurate but its permanence can raise a privacy issue [13]. We can also compare the data with the patient's past data or the medical profile (e.g., disease or weakness) to verify the patient's identity. The data quality depends on the likelihood that we are monitoring the right person.
(ii) Physiological Soundness: a physiological data cannot take arbitrary values. One can check if the value falls in a reasonable range (range check), if it is coherent with the known probability distribution (probability distribution), if its temporal change exhibits a reasonable behavior (autocorrelation), or if sensor values of different modalities accord with the known correlations between them. (Such an anomaly can also signify a medical problem of the patient, and the verification methods can also apply to the problem of anomaly detection. However, such "emergency detection" is outside the scope of this work).
(iii) Contextual Soundness: like physiological soundness, we can verify the data quality by comparing the medical data with some context data such as body movement, location, or temperature. For example, the acceptable values for heartrate or blood pressure are different when the patient is running or sleeping.
When quality verification fails, the quality of incoming data becomes uncertain. Even if all the verifications succeed, there are many opportunities for data to become incorrect (see Figure 1). To deal with the uncertainty, the providers need to know how much they can trust the data and what is causing the problem. The assessment process takes all the factors into account, judges the current level of the data quality, and presents that judgment to the provider.
Prior work on data integrity in health-monitoring systems focused on detecting packet loss [14], improving false positives using sensor correlation [15], or categorizing the data quality into four discrete states based on observed error and lack of data [16]. Giani et al. [11] proposed a broad range of methods for data validation, but only basic concepts were proposed. Compared to prior work, our approach provides a generic framework for the quality control of a healthmonitoring system. DS theory has many uses; for example, it was recently used for evaluating the performance of intrusion detection systems (IDS) [17]. While they simply combined the partial judgments that are provided by existing IDS schemes, our future work will actually define belief functions for each factor and also explore other possibilities for combining partial results, seeking methods that fit better to healthmonitoring applications.

Architecture
So that patients need not to carry a dedicated monitoring device, we want to leverage the mobile device they already carry-their cellphone. Mobile phones are increasingly powerful, effectively personal computing devices with substantial computation, storage, and networking capabilities. Furthermore, they are increasingly able to sense location  (GPS), motion (accelerometer), light, proximity, temperature, sound (microphone), and video (camera). The use of existing devices has advantages in deployment cost and usability [18].
On the contrary, turning a personal device to a healthmonitoring device also has challenges. First, personal devices are diverse in software platform and security mechanism. The developer must adapt to the wide variety of features (and varying degrees of security) on mobile platforms such as Windows Mobile, Mac OS X, and Symbian. Although some future platforms may have strong security support such as a TPM [8,9], a TPM may not allow the patient to install monitoring software without going through a complicated platform-certification process.
To address these challenges and yet still leverage the patient's mobile phone as a platform, we design a novel architecture that decouples the monitoring component from the personal device. Suppose that the health provider distributes small health-monitoring units (HMUs) to patients and asks them to keep the unit plugged into the device through a common interface such as SD card, miniUSB, or SIM card. (Although not all current phones have expansion slots, and GSM phones only have one SIM-card interface, we imagine next-generation mobile phones that have a standard expansion slot of similar form factor and capability to these examples). The HMU can store secret keys and compute some cryptographic functions (as SIM card can do in today's GSM phones). As shown in Figure 2, the unit can authenticate sensors (authenticator) and verify the authenticity of sensor data forwarded by the monitoring software (auditor). When needed, it aggregates sensor data before sending to the provider (fusor). The HMU adds message authentication codes to messages sent to the provider, and, without HMU, the device cannot prove authenticity of the sensor data to the provider. The HMU makes the healthmonitoring portable from device to device, easy to manage, and hard to compromise; there are many opportunities for adversaries to access the device through software attacks [6], while it requires a hardware attack to compromise the HMU [19].
Journal of Biomedicine and Biotechnology 5

Implementation Plan
To evaluate the potential for our approach in real applications, we plan to implement the framework using current mobile-phone and smart-card technology. For test platform, we will use G1 and Nexus One Android-based phones. For monitoring unit, we consider Giesecke and Devrient (G&D) smart card [20]. The software running within the monitoring unit will be implemented as a Java applet for the JavaCard platform. Collected data will be sent to the central server via 3G network.
As an application, we plan to implement Sleep Actigraphy using accelerometer readings to measure the patient's sleep pattern. In addition to security analysis, we plan to evaluate the feasibility of the platform in terms of energy consumption and usability.

Conclusion
Although advances of information technology and mobile computing present many opportunities for providing timely health services, the use of unreliable devices for remote health monitoring opens vulnerabilities for privacy and information quality. In this paper, we provided risk analysis and present a framework for secure remote healthmonitoring systems. We also designed a health monitoring architecture that leverages a special monitoring unit that plays the central role of the security by providing critical security services including authentication, audit, key management, and data fusion. In future, we plan to implement the framework and evaluate in a real setting.