Health Monitoring System for Nursing Homes with Lightweight Security and Privacy Protection

With the rapid growth of the aged population in China, it is urgent to design a safe and effective monitoring system for nursing homes. An optimized scheme with high-performance security and privacy protection has become a particular focus of study. This paper therefore proposes a health monitoring system with lightweight security and privacy protection for nursing homes. Dual-band RFID, a virtual routing location algorithm, and RFID-based diet and exercise data collection are adopted to obtain location and health information. These are combined with a mobile authentication protocol based on a Hash function to realize secure access and privacy protection, which improves security and reduces the computational complexity and implementation cost compared with typical authentication protocols. The experimental results show that the ratio of relative network delay is below 35%. The system has strong real-time performance, high security, more comprehensive data, and lower cost of computation and communication. It can satisfy the requirements of health monitoring for nursing homes.


Introduction
It is estimated that China will enter the aging society. How to provide more comprehensive pension services becomes more and more urgent. As families and communities can only provide limited elderly services, one way to meet the rocketing demand is to promote health monitoring systems for nursing homes. As the environment in nursing homes is complex, managers cannot focus on every one of the elderly people. So the challenge is to provide location service and health service in the event of dangerous conditions [1][2][3][4][5]. With the rapid development of monitoring technology, RFID gets more attention due to its advantages, such as unique identification, moveable identification, multitarget identification, and good environmental adaptability. In a word, a safe and effective monitoring system based on RFID for nursing homes is urgently required.
Existing monitoring systems based on RFID usually lack an optimized scheme of data collection and privacy protection. For example, in the aspect of data collection, some operate in a single frequency band and transmit the collected data by wire, and some even lack an effective location algorithm and health data collection. As is known, wireline monitoring systems have obvious disadvantages, such as routing restrictions, lack of flexibility, and high cost. In terms of operating frequency, RFID systems can be divided into four categories: low frequency (LF), high frequency (HF), ultra-high frequency (UHF), and microwave, which have different properties. Given the low power and strong penetration of RFID LF systems, and the moveable identification and multitarget identification of other RFID systems, how to combine the two sets of advantages is a worthy topic [6][7][8][9][10]. Findings indicate that a healthy diet and sufficient and regular exercise not only help to reduce and resist chronic diseases but also promote the physical and psychological health of elderly people. So to establish a system that can gather diet and exercise information and do some

System Description
This section mainly focuses on two aspects. On the one hand, the architecture of the system is proposed, and the frequency selection of the RFID system, the workflow, and the communication mode are described in detail. On the other hand, the more detailed function requirements are analyzed from the vertical and horizontal aspects. In the vertical aspect, the system is divided into a monitoring subsystem and a service subsystem. Security and privacy are discussed from the horizontal aspect. A security module is embedded into every subsystem, so that a unified secure design makes sure that the monitoring system runs well.

Architecture.
This system conforms to the IoT concept, which contains three layers: the perceptual layer, the network layer, and the application layer [3,7]. The perceptual layer is at the very front end of information collection and includes location nodes, other data collection nodes, sticking tags, and RFID wristbands. The collected information is then uploaded to the back-end server by a ZigBee network with tree topology in the network layer. Finally, the system uses .NET+MYSQL technologies to realize the development of the whole system, including the monitoring subsystem, the service subsystem, and the web service. Its design architecture is shown in Figure 1.
According to different requirements, we choose two kinds of nodes for data collection. The location node is designed to collect the location information, and the collection node is for other data collection. Each node communicates with a CC2530 module by RS485 bus. The ZigBee network formed by the CC2530 modules then transmits all the data to the back-end server.
Every location node and RFID wristband work together in two phases: the activation phase and the communication phase. The 125 kHz band is selected to activate the passive part of an RFID wristband, and the 433 MHz band is used for communication between a node and the active part of a wristband. Compared with a single frequency band, the dual-band RFID system effectively combines the advantages of low frequency and high frequency: low power and strong penetration in the LF system, and moveable identification and multitarget identification in the HF system. According to the structure of the antenna in a location node, the node can also work in single-channel mode or dual-channel mode, which suit different areas to be located. Every collection node mainly communicates with sticking tags, which follow the EPC standards. A desktop RFID reader with the 433 MHz frequency band is selected for the collection node to collect diet data, part of the exercise data, and other service data.
In the system, the tags or wristbands, every RFID reader, and the back-end service are connected with each other by wireless network: RFID or ZigBee. This suits the monitoring system well, but it also brings a problem. The wireless channel is prone to attacks such as replay attacks, counterfeit attacks, and tracking attacks. So security and privacy should be paid adequate attention.

Function Module.
From the vertical aspect, the monitoring system mainly contains the monitoring subsystem and the service subsystem, according to their actual functions. Each subsystem works with the RFID wristbands to realize all-around automatic monitoring management. From the horizontal aspect, security and privacy are designed to resist attacks. The detailed functions are shown in Figure 2.
The monitoring subsystem offers a safe and secure environment for the nursing home residents. All residents in the nursing homes wear RFID wristbands that help the staff monitor their locations. So, when dangers occur, the staff can quickly locate residents and provide appropriate help [5][6][7]. The specific functions are as follows.
(1) Area location: this module is mainly used for location queries for the residents wearing RFID wristbands. The module can also be used to produce statistics over a certain period of time.
(2) Low-battery warning: the module monitors the battery consumption of the RFID wristbands. A warning signal is transmitted to the staff when the battery capacity is below the threshold.
(3) Detection time: the module calculates the detection time in some dangerous and private areas, such as bathrooms and toilets. For example, if a resident wearing an RFID wristband stays in these areas longer than normal, it is very likely that an emergency has happened.
(4) Track record: the module records the daily activities of the residents wearing the RFID wristbands and then provides the information for health assessment or other requirements.
The service subsystem is designed to offer health and other services and to collect diet and exercise data, which partly reflect the health of residents in the nursing homes. The concrete analysis is as follows.
(1) Diet data based on RFID: the diet data for every resident in the nursing homes are collected by the collection node, sticking tags, and RFID wristband. The back-end server records the data and compares them with the standard.
(2) Exercise data based on RFID: the exercise data come from three kinds of activities: the usage of athletic facilities, the usage of the indoor recreational area, and outdoor activities. All the exercise data and diet data are provided to help professionals assess the health status of every resident in the nursing homes.
(3) Other service data: the module is for other data services: querying relational information for every resident, sending blessings on holidays, reminding the resident to take medicine, and so on.
Security and privacy are designed to defend all the subsystems from threats. The requirements are as follows.
(1) Resistance to Counterfeit Attacks. It prevents attackers from counterfeiting RFID tags or readers and from illegally accessing the personal information of the resident, guardian information, sensitive data, and so on.
(2) Resistance to Tracking Attacks. It prevents attackers from gaining traces of residents' activity by tracking location information and thereby threatening their person and property.
(3) Resistance to Replay Attacks. In an extreme case, the attacker may obtain relevant information. It prevents the attacker from reproducing an exchange by using this information and thereby illegally passing the authentication.
(4) Mutual Authentication. It aims to achieve mutual authentication among the three parties: the tag, the reader, and the back-end server.
The security design is embedded in the various subfunctional modules, and the unified security design ensures that all functional modules are safe. The next step is a detailed analysis of the key technologies and of the authentication protocol in the security module.

Key Technologies
As mentioned, the system is divided into the monitoring subsystem and the service subsystem from the vertical aspect. The area location module is very important and supports the other modules, and diet data and exercise data are the important parts of the service subsystem. So in this section we focus on the key technologies of these modules: area location, diet data collection, and exercise data collection.

Area Location Based on RFID.
According to its structural characteristics, the monitoring area in nursing homes can be divided into different areas, such as the indoor gymnasium area, the diet area, the indoor-recreation area, and the access and entrance area. The system is designed to provide a flexible, easily configurable deployment model, so location nodes can be deployed according to the actual size of the areas to be monitored and other requirements. The actual physical location is known once the location node has been deployed. In this section we discuss the process of data acquisition of one location node and the location algorithm.
The location nodes mainly work together with RFID wristbands; the workflow of one single location node and RFID wristband is shown in Figure 3.
The process of data acquisition consists of two phases, namely, the activation phase and the communication phase. In the activation (trigger) phase, the location node first sets control parameters and initiates the readers. Then the RFID reader (location node) scans for RFID tags (RFID wristbands) in its coverage area. Finally, when the ID of a found tag matches the ID stored in memory, the communication can begin. In the communication phase, the RFID reader starts to receive data after authenticating successfully. If the data is a distress signal or warning signal, it is transmitted with priority; otherwise the location data is transmitted in queue order.
The location data mainly contains the location array, which comes from the virtual routing location algorithm. In the following, we briefly describe the basic concepts of the algorithm. The algorithm uses ZigBee and RFID technology to form the RFID wireless network, so the coverage is wide. As is known, the read-write distance of an RFID reader is relatively short. So we assume that the tag to be located has the same physical location as the RFID reader. As the resident wearing the RFID wristband moves in the RFID wireless network, the wristband transmits a location array to the back-end server. The principle of the algorithm is shown in Figure 4.
Assuming that the coordinates of all readers are already known, the coordinate of the tag can be obtained by the algorithm. As shown in Figure 4, the solid line is the actual route the tag took and the dotted line is the virtual route, which is calculated by the algorithm. For example, the actual route of the tag can be the same as the virtual route as shown below:  A location array is chosen to realize the process of the algorithm. It contains three parameters: the ID of the tag, the reading time, and the ID of the reader. The following formula can be used.
⟨  ,   ,   ⟩ = ⟨tag , time , reader ⟩ . (2)
As shown in formula (2), the location array is expressed by ⟨  ,   ,   ⟩;   is the ID of the th tag.  is the ID of the th reader. And   is the time when the th RFID reader starts to communicate with the th tag. Location arrays are first categorized according to   and then according to   . Finally, we can get the coordinate of th RFID reader as the coordinate of th tag at the time of   . The algorithm is simple and effective, fully in line with the needs of area location for the nursing homes.

Health Data Based on RFID.
In this section we build a module to collect diet and exercise data automatically based on RFID and do some statistical analysis. Diet and exercise data are usually very complex, but they still show a certain regularity and periodicity in the collective living environment of nursing homes. Based on this application background, a simplified model for diet and exercise data collection is designed as follows.
The diet area is divided into a selection-area and a settlement-area. In the selection-area, tags stuck on plates and bowls establish a one-to-one relationship between each tag and the food in its plate or bowl. The settlement-area mainly contains RFID readers and displays. With the help of sticking tags, RFID readers, and wristbands, the subsystem can realize settlement and diet data collection quickly and automatically. Next, we will introduce the progress of data analysis in the ) . ( is the daily intake of nutrients,   express the th nutrient intake from the th food. Add the elements in the same column for array , and get a new array  = (V 1 , V 2 , . . ., V  ); V  is the th nutrient that has been absorbed.  = ( 1 ,  2 , . . .,   ) is the standard value of nutrients. Comparing the  with , a result showing whether sufficient nutrients have been obtained or not is offered to the residents and staff.
The system classifies exercises as indoor-entertainment, outdoor-activities, and exercise on athletic facilities. Formula (4) below is used to calculate the daily amount of exercise in simplified form.
As shown in formula (4),  = 3,  = {1, 2, 3} represent indoor-entertainment, outdoor-activities, and exercise on athletic facilities, respectively.   is the weight value of the amount of the whole exercises. The sum amount of th exercises daily is   , and the sum of all kinds of exercise is calculated by formula (4), noted by . The specific progress of calculation is shown in Table 1.
According to the health status and special needs of the elderly, daily exercise standards are designed when the elderly check in to the nursing home. These standards are used for comparison, to determine whether the amount of daily exercise is appropriate or not.

Security and Privacy
As noted before, security and privacy are very important for the wireless system, and a security module is embedded into every subsystem. So a mobile authentication protocol based on a Hash function is designed in this section. The procedure and implementation of the protocol are discussed as follows.

Proposed Protocol.
Based on a one-way Hash function, this paper proposes a mutual authentication protocol for information protection. It is depicted in Figure 5. The symbols in the protocol are described as follows: () is the Hash function of . ID  is the identification number of the tag and is stored in the tag. ID  is the identification number of the RFID reader and is stored in the reader. (ID   , (ID   )) and (ID   , (ID   )) are stored in the DataBase. The authentication flow of the protocol is shown in Figure 5.
(1) The RFID reader generates a random number   and sends (Query,   ) to the tag.

Protocol Performance Analysis.
The following analyzes the security performance of the proposed protocol from four aspects.
(1) Resistance to Counterfeiting Attacks. The protocol effectively exploits the one-way property of the Hash function. Attackers cannot derive the identification numbers of the tag or the reader from intercepted data. So the system has the ability to resist counterfeiting attacks.
(2) Resistance to Tracking Attacks. The tag, the reader, and the DataBase each generate random numbers, so the response data change in each authentication process. Attackers are therefore unable to obtain location information, which avoids tracking attacks.
(3) Resistance to Replay Attacks. The random numbers of the tag, the reader, and the DataBase change during each authentication process, so the previous authentication information cannot be used to complete a replay attack.
(4) Two-Way Authentication. Firstly, the reader authenticates the tag by judging whether   1 =  1 . Then the DataBase verifies the security of the tag and the reader by the received ( 2 ,  3 ,  4 ,   ,   ). Finally, the reader authenticates the DataBase by the formula   5 =  5 . And the tag verifies that the formula   3 =  3 is true and authenticates the Reader and the DataBase.
On the basis of security considerations, the proposed protocol also effectively reduces the calculation at the tag, reducing tag cost and energy consumption, as shown in Table 2. In Table 2,  is the Hash function,  is the random function,  is the total number of tags, and "-" is not Hash function, random function, and so on [18][19][20].
As shown in Table 2, compared with the classical protocols, this authentication protocol fully considers the new problems brought by the wireless transmission of the mobile RFID system. The proposed protocol balances the computation across the tag, the reader, and the DataBase while providing strong security that can resist various types of attacks, achieve dual authentication, and decrease computational complexity. All these properties make the proposed system appropriate for nursing home usage.
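The message flow of steps (1)-(8) and the replay and counterfeit checks from the analysis above, as an added example that is not code from the paper. SHA-256 as the Hash function, 16-byte random numbers, the names `r_r`, `r_t`, `r_d` and `m1`-`m5`, the order of concatenation inside each hash, and the sample IDs are assumptions, since the page does not fix them.

```python
import hashlib
import hmac
import secrets

def H(*parts: bytes) -> bytes:
    """One-way hash of the concatenation; SHA-256 is an assumption here."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)  # length prefix keeps '||' unambiguous
    return h.digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Tag:
    def __init__(self, tag_id: bytes):
        self.id, self.m3 = tag_id, None

    def respond(self, r_r: bytes):                      # step (2)
        r_t = secrets.token_bytes(16)
        m1 = H(r_r, r_t)                # covers only the two nonces (freshness)
        m2 = xor(H(self.id), m1)        # masked H(ID_T), differs every session
        self.m3 = H(self.id, r_r, r_t)  # kept for the check in step (8)
        return m1, m2, self.m3, r_t

    def verify(self, m3_db: bytes) -> bool:             # step (8)
        return self.m3 is not None and hmac.compare_digest(m3_db, self.m3)

class DataBase:
    def __init__(self, tag_ids, reader_ids):
        # The page stores (ID, H(ID)) pairs; indexed by H(ID) here for lookup.
        self.tags = {H(i): i for i in tag_ids}
        self.readers = {H(i): i for i in reader_ids}

    def nonce(self) -> bytes:                           # step (4)
        self.r_d = secrets.token_bytes(16)
        return self.r_d

    def verify(self, m2, m3, m4, r_r, r_t):             # step (6)
        reader_id = self.readers.get(xor(m4, H(r_r, self.r_d)))
        tag_id = self.tags.get(xor(m2, H(r_r, r_t)))
        if reader_id is None or tag_id is None:
            return None                 # unknown reader or tag: no reply
        # M3' and M5' are recomputed from the stored IDs, not taken from m3.
        return H(tag_id, r_r, r_t), H(reader_id, r_r, self.r_d)

class Reader:
    def __init__(self, reader_id: bytes, db: DataBase):
        self.id, self.db = reader_id, db

    def query(self) -> bytes:                           # step (1)
        self.r_r = secrets.token_bytes(16)
        return self.r_r

    def handle(self, m1, m2, m3, r_t):                  # steps (3), (5), (7)
        if not hmac.compare_digest(m1, H(self.r_r, r_t)):
            return None                 # response not bound to this Query
        r_d = self.db.nonce()
        m4 = xor(H(self.id), H(self.r_r, r_d))
        m5 = H(self.id, self.r_r, r_d)
        reply = self.db.verify(m2, m3, m4, self.r_r, r_t)
        if reply is None or not hmac.compare_digest(reply[1], m5):
            return None
        return reply[0]                 # M3' is forwarded to the tag

def run_session(tag, reader, replayed=None):
    """Run steps (1)-(8); `replayed` substitutes a captured tag response."""
    r_r = reader.query()
    response = replayed if replayed is not None else tag.respond(r_r)
    m3_db = reader.handle(*response)
    return (m3_db is not None and tag.verify(m3_db)), response

if __name__ == "__main__":
    db = DataBase([b"TAG-0001"], [b"READER-01"])        # constructed IDs
    tag, reader = Tag(b"TAG-0001"), Reader(b"READER-01", db)
    ok, first = run_session(tag, reader)
    print("honest session:", ok)
    print("replayed response:", run_session(tag, reader, replayed=first)[0])
    print("unenrolled tag:", run_session(Tag(b"TAG-9999"), reader)[0])
```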

Performance Testing and Related Work
The following analyzes the performance and related work to verify the feasibility and superiority of the system. Firstly, we build the test environment and test the system's network delay characteristics; we then analyze the related work and compare the system with common monitoring systems.

Performance Testing.
Because the indoor layout of the nursing home is similar to that of the laboratory, we chose the second-floor laboratory to carry out system testing. The monitored space is divided into room 201, room 202, room 203, room 204, room 205, room 206, the lobby, and the server room, as shown in Figure 6.
As shown in Figure 6, RFID node 1 and node 2 are located in the lobby area. Node 3 is arranged at the entrance of room 201. Moreover, node 4 is located at the entrance of room 203, node 5 at room 205, node 8 at room 206, node 7 at room 204, and node 6 at room 202. The coordinator node is arranged in the server room and connected with the back-end server. The distance between the location nodes is 6-8 meters, and the nodes that are far away from the server communicate with their nearest nodes as the parent node. We use a packet sniffer and hardware timers to test the system. The data acquisition interval is assumed to be 5 s, with 100 acquisitions for each node during the test. The average network delay for each node is shown in Figure 7.
From Figure 7, we can see that the network latencies of nodes 1, 2, 3, and 6 are close to each other. In the network topology, these nodes are single-hop nodes, and their actual physical location is closer to the coordinator node. Node 4 and node 7 are close to each other. In the network topology, they are two-hop nodes. Node 5 and node 8 are three-hop nodes, and their network delay is relatively large. Therefore, the system topology design has some impact on the network delay, but overall, adding a security authentication protocol increases the system's average network latency. References [19,20] and the simulation show that the execution time of the protocol is about 500-550 ms, whereas the data acquisition interval of many monitoring systems is about 5-60 s. So here 5 s is chosen as the sampling interval; we discuss the relative network latency, the average network delay divided by the sampling interval, as shown in Figure 8.
Figure 8 shows that, compared with the sampling interval, the relative network delay for the proposed system with the lightweight security and privacy protocol is less than 35%, so the authentication protocol does not affect the system's real-time data collection but can greatly improve system security and privacy. In the experimental environment, we collected a week of diet and exercise data from a tester, as shown in Tables 3 and 4.
In Table 3 the reference value comes from the daily intake of dietary nutrient values for Chinese residents aged 60 years and over. The nursing home provides a basic diet menu similar to the one provided each week, which facilitates the collection of diet data. In Table 4 the reference value can be adjusted according to the previous exercise and health status. We can see that the week of diet and exercise data has a certain regularity and periodicity that reflects the diet and exercise status of the elderly, which can be used to monitor their health.

Related Work.
There are many monitoring systems, but few are in line with the needs of nursing homes in all aspects. Reference [21] introduces a remote monitoring system for tower clusters, which focuses on industrial data transmission and is not suitable for monitoring the elderly. In [22], a remote monitoring system based on an intelligent fiber structure is proposed. The system uses a liquid-core optical fiber structure based on ARM and GPRS to communicate. The cost is high, and it cannot be applied to the nursing home monitoring system. References [23,25] all use video for data acquisition. Reference [23] uses a pyroelectric infrared sensor and a video monitor to carry out multitarget tracking. But its calculation and communication complexity are high, and the data acquisition is not comprehensive. In [24], a wireless network life-monitoring system for the nursing home is proposed, which uses a wireless sensor network to collect basic health data but lacks consideration of security and privacy protection. The specific analysis and comparison are shown in Table 5.
Compared with the monitoring systems shown in Table 5, the system has four characteristics: high real-time monitoring with small network delay; comprehensive data collection, involving location information, diet, and exercise data; a security and privacy protection mechanism embedded in the module design; and the use of a lightweight mobile security architecture with low computing and communication cost.

Conclusion
According to the characteristics and needs of the nursing home, this paper designed a health monitoring system with lightweight security and privacy protection, which focuses on the vertical and horizontal aspects: health data collection, and security and privacy protection. From the vertical aspect, the dual-band RFID, the virtual routing location algorithm, and diet and exercise data acquisition based on RFID are adopted for health data collection. From the horizontal aspect, a lightweight RFID authentication protocol based on a Hash function is embedded into each collection module, which gives high security and low computation cost. Through the performance analysis and testing, we can see that the system has the characteristics of high security, high real-time performance, highly comprehensive data, and low computational and communication complexity, and fully meets the needs of a health monitoring system for nursing homes.

Figure 5: The authentication flow of the protocol.

3 to the tag.
(8) The tag receives the data   3 and compares it to the data  3 which is stored in the tag earlier. If   3 =  3 , then the tag authenticates both the Reader and the DataBase.

Figure 7: The average network delay of each node.

Table 1: Exercise data based on RFID.

Five categories of the essential nutrients in the body are chosen as the main parameters to analyze, which are proteins, fats, carbohydrates and trace elements, vitamins, and minerals. Based on a nutrient criterion proposed by China and the special requirements of the elderly, daily meal nutrition supplement standards are designed. Compared with the standards, the system judges whether the daily diet is reasonable and then puts forward some suggestions. Finally, a mathematical model is built to detail the process. Let the amount of common food in nursing homes as . take 1 to 5, respectively, as protein, fat, vitamins, energy, minerals, and inorganic salts.   is the value of th nutrient in th food, and {  } ∈ ;   is the value of daily intake of th nutrient in th food, and {  } ∈ .   = 1; the formula indicates that the th nutrient contained in the th food is ingested. The daily intake of nutrients is shown in formula (3).

Table 2: Protocol performance analysis.

(2) The tag receives the data, generates a random number   , and then uses the received number and calculates 1 = (  ‖   ),  2 = (ID  ) ⊕ 1 , and  3 = (ID  ‖   ‖   ). 3 is stored in the tag and ( 1 ,  2 ,  3 ,   ) are sent to the reader.
(3) Using the received random number   and its generated random number   , the reader calculates   1 = (  ‖   ). Then it judges whether   1 is equal to the received variable  1 . If   1 =  1 , the tag is authenticated. And then Query is sent to the DataBase.
(4) After receiving the Query, the DataBase generates a random number   and sends it to the reader.
(5) Using the received   and its own numbers   and ID  , the reader calculates the following numbers:  4 = (ID  ) ⊕ (  ‖   ) and  5 = (ID  ‖   ‖   ). 5 is stored in the reader and ( 2 ,  3 ,  4 ,   ,   ) are sent to the DataBase.
(6) When the DataBase receives the data, it carries out the following three steps. The first step is to authenticate the reader: it calculates   (ID  ) =  4 ⊕ (  ‖   ) to meet the requirement of (ID   , (ID   )), which are stored in the DataBase. And if   (ID  ) = (ID   ), the reader is authenticated. In the second step, it calculates   (ID  ) =  2 ⊕ (  ‖   ). If   (ID  ) = (ID   ), the tag is authenticated. The third step calculates   5 = (ID   ‖   ‖   ) and   3 = (ID   ‖   ‖   ) and sends (  3 ,   5 ) to the reader.
(7) The reader compares the received data   5 with the data  5 , which is stored earlier. If   5 =  5 , then the reader authenticates the DataBase and sends

Table 3: Week of diet data from a tester.

Table 4: Week of exercise data from a tester.

Table 5: Comparison of related system performance.