Data Transmission and Access Protection of Community Medical Internet of Things

On the basis of Internet of Things (IoT) technologies, Community Medical Internet of Things (CMIoT) is a new kind of medical information system. It generates massive amounts of medical data of many types, which contain user identity data, various kinds of medical data, and other sensitive information. To effectively protect users' privacy, we propose a secure privacy data protection scheme comprising transmission protection and access control. For uplink data protection, bidirectional identity authentication and fragmented multipath data transmission are used; for downlink data protection, fine-grained access control and dynamic authorization are used. Theoretical analysis and experimental evaluation show that community medical data can be effectively protected during transmission and access without a large performance loss.


Introduction
Rapid economic development has degraded the natural environment on which people's health depends, and health is now under unprecedented threat. Unpredictable diseases have appeared, so the demand for medical services is growing rapidly. However, limited traditional medical resources and uncertain treatment times push people to look for better health services to make up for the shortage of available medical resources.
Paper [1] addressed a real-time cardiac function monitoring system that measures heart rate and other vital signs and delivers the data to a medical center for treatment via Bluetooth or wireless networking technologies. Zhang et al. noted that data from remote sleep monitoring can effectively help doctors diagnose disease and adjust the pillow without disturbing sleep [2]. Chen et al.'s AIWAC [3], Zhang et al.'s iDoctor [4], and Wan et al.'s Healthcare [5-7] are other typical "smart healthcare" applications built on Internet of Things (IoT) technologies. As a specific "smart healthcare" implementation, Community Medical Internet of Things (CMIoT) is an IoT application in the medical field.
In CMIoT, because of the huge amount of heterogeneous medical data, the many medical data sources, and the various identification information that involves user privacy, loss or tampering of medical data leads to privacy leakage and can cause catastrophic damage. How to secure such data has long been a focus of academic research. Mni proposed that medical development today should follow a new information-technology path, pointed out the key technologies in the medical field, and analyzed and presented models of medical data from generation to storage [8]. Chen et al. [9] and Jing et al. [10] also addressed relevant security threats and corresponding countermeasures in wireless communication networks.

Related Works
Since the concept of the IoT was proposed, scholars have tried to design security and privacy protection methods for it. Encryption is a common means of privacy protection. Widely used ciphers, for example, DES and RSA, appear in many information systems and can also be used in CMIoT, although DES, with its 56-bit key, is no longer considered secure against brute force and should be replaced by AES. However, we must also consider that CMIoT contains many low-speed, small-capacity transmission nodes. Ning and Xu [15] considered a variety of IoT security factors and argued that there is a trade-off between privacy strength and specific business needs; that is, privacy policies should be tailored to business needs as far as possible while still protecting users' privacy. Therefore, data scrambling methods with low configuration requirements are also often chosen to protect sensitive data.
General Methods.
Lamport [16] first proposed authentication based on a one-way hash function. Later, Ding et al. [17] proposed an authentication protocol based on a hash function. Maeda et al. [18] proposed two re-encryption-based schemes: one uses re-encryption authentication to prevent leakage of location privacy, and the other uses one-time re-encryption to make RFID tags anonymous. Wu et al. [19] introduced data protection methods using lightweight cryptographic algorithms and an ONS query mechanism for encrypted search queries in most IoT applications. Song et al. [20] studied SPS, a secure and reliable transmission scheme for the IoT, presenting a cooperative transmission mechanism and a channel-state-based rate selection algorithm to transmit data effectively and reliably.
A secure transmission method suited to the IoT is given in [14]. A trusted third party is involved while the two parties authenticate, so the scheme is not universal in a complex web environment. Secure IoT models also face a common application problem: CMIoT involves a variety of mixed-format electronic medical records and other patient data, and the methods discussed above do not fit this setting. When such data are transferred or accessed, attacks and leaks let private information be obtained illegally.
Taking the special nature of CMIoT into account, [21] divides private data into two categories, enforcing data privacy and user privacy over an outsourced database service, to achieve classified protection of users' private information. Among the many security and privacy protection schemes for electronic archives, Hong [22] proposed an effective protection scheme for electronic health records based on SOA with SSL, WS-Security, and personal access control. Venkatasubramanian et al. [23] proposed PSKA, a key agreement scheme based on physiological signals, which secures communication between nodes in a wireless body area network.

Transmission Protection.
In CMIoT, data are mostly transmitted wirelessly and are therefore easier to intercept. Both Atzori et al. [24] and Medaglia and Serbanati [25] note that the tag carried by a user can be scanned by a reader without the user being aware of it, which very easily leaks personal privacy. Information is also easy to attack while it travels between the local server and the remote server. Given the limited capacity of the sensors and the communication system, data privacy protection is mostly based on lightweight encryption algorithms [26]. Du et al. [27] proposed a probabilistic key sharing scheme suitable for WSNs; however, if the probability that any two nodes share the same communication key was , security is not guaranteed. For authentication before transmission, several schemes have been proposed, for example, Hwang and Yeh's [11] two-way authentication between nodes, Peyravian and Jeffries's [12] hash-based authentication, Wang et al.'s [13] two-way anonymous password authentication, and Kothmayr et al.'s [28] end-to-end two-way authentication for the IoT based on DTLS with existing public-key algorithms. However, these methods lack a three-way handshake and are vulnerable to man-in-the-middle attacks. Groce and Katz [29] proposed a protocol that can be proven secure in the general model; however, it assumes no trusted third party and is not universal. Forsström et al. [30] studied the security of intelligent terminals in the IoT across a variety of heterogeneous network architectures and proposed a distributed verification system based on the MediaSense platform to secure communication between smart terminals. Unfortunately, all these IoT secure transmission models have application problems with the many kinds of mixed-format data in CMIoT, such as users' electronic medical records. In our previous paper [31], a simple secure fragmented multipath data transmission model was presented.

Access Control.
Cloud storage is a storage medium that users cannot control, so access to it must be legitimately ensured. In CMIoT, a large amount of patient diagnostic data is generated each day and stored on the cloud server, so access control faces new challenges. Users such as patients, doctors, and nurses query personal medical data, including private data, from mobile terminals. Most of the data on the server are not encrypted. We need to ensure that users' access to the medical data storage server does not disclose patients' private data. An access control mechanism authorizes legitimate users to access specific resources while denying access to illegitimate users. Authorization methods fall into two categories: access control models and encryption mechanisms.
In an access control model, roles are defined according to the access policies, and when data are accessed the system decides whether to allow access based on the visitor's role. In an encryption mechanism, encrypted data can only be decrypted by an authorized person holding the corresponding key. Pirretti et al. [32] proposed an attribute-based encryption scheme in which a time stamp is attached to each user attribute; its disadvantage is that users must regularly apply to the certification center to renew their private keys, and a user's permissions cannot be revoked before the time stamp expires. Building on attribute-based encryption, Bethencourt et al. [33] proposed ciphertext-policy ABE, in which a user's identity is represented as a set of attributes and the access structure is attached to the encrypted data, so that users can decrypt according to the attribute set tied to their identity. ABE ciphertext access control with dynamically changing policies was addressed in [34]; however, its execution efficiency is low and the cost of a single execution is high. Yuen et al. [35] proposed identity-based encryption for users to resist information leakage, and Beato et al. [36] proposed using a user identity  as the public-key identity for encrypting private information stored in or shared through an OSN. All of these need improvement in efficiency and security.
In the study of IoT security, we must take into account the particularities of CMIoT. In CMIoT, uplink data transmission occurs between the server and the medical sensors, and the interaction involving downlink data transmission takes place between the server and the terminals. An important feature is that the data volume is huge and relatively concentrated, and the data are closely tied to individual users. There is as yet no complete and feasible method to ensure the data security of CMIoT.

Architecture of Community Medical Internet of Things
Like general IoT application systems, as shown in Figure 1, CMIoT has a four-layer hierarchical structure: sensing/executing layer, data transmission layer, information integration layer, and application system layer. A CMIoT is deployed in one community, as shown in Figure 2. All medical data are collected by medical sensors, for example, an RFID reader, blood pressure sensor, blood oxygen sensor, blood glucose sensor, heart rate sensor, ECG sensor, and camera, located in a home, a community public area, the community health center, or a hospital. These sensor nodes and some mesh nodes operate in low-power ZigBee mode and form a wireless sensor network (WSN).
When a person's sign data need to be collected, the identity data on the RFID card are read by the RFID reader and the medical data are collected by the medical sensors. These data are sent to the mesh node connected to the RFID reader and the sensors. The mesh node encapsulates them together and, after security processing, forwards them to the nearest mesh node or gateway. The gateway is a protocol conversion node that converts ZigBee to WiFi and transmits the medical data to the nearest community router. The communication link is built among the mesh nodes, the gateway node, the router nodes, and the database server of the cloud data center over wireless networks. Finally, the application server of the data center provides the resolved data to users on mobile terminals or PCs. Data transmission combines several communication means: sensors in one place communicate locally via a wireless self-organized network, and data at the gateway are transmitted over a wireless wide area network or a mobile network.

Symbol Definition and Multipath Transmission Model.
In the slice model, medical data are transferred as fragments through multiple paths, as shown in Figure 3. Data transmission from the sensors to cloud storage is a complicated process. The transmission symbols used in Figure 3 are defined in the Notations section.

Region Network Initialization.
Before medical data are transmitted, the CMIoT must complete some initialization: networking, registration, bidirectional authentication, and key agreement.
(i) Networking. This happens within the ZigBee wireless sensor network of one place. Following the mesh network architecture, the sensor nodes and sink nodes form a regional WSN. As shown in Figure 3, the sensor nodes  1 and  2 connect with the sink node  1 , and the sink nodes  1 ,  2 ,  3 are interconnected. In addition,  2 and  3 also connect with the gateway node , a protocol conversion gateway that converts ZigBee to WiFi. Therefore, the region network is a regional ZigBee WSN in which {  } are sensor nodes, {  } are sink nodes, and  is the gateway node.
(ii) Node Registration. When  registers at the server node ,  delivers the hash value of its password PW  to , and  compares it against the password dictionary for authentication. The passwords of the gateway nodes constitute the password dictionary. Note that the dictionary should hold per-gateway salted hashes computed with a slow password hash rather than bare hash values; otherwise a stolen dictionary allows an offline guessing attack on weak passwords.
(iii) Bidirectional Authentication. To guarantee the authenticity of the gateway node and the server node, the CMIoT needs to set up Bidirectional Authentication (BDA) between  and , as shown in Figure 4.
(iv) Key Agreement.  and  negotiate a symmetric key  - according to the key agreement mechanism, and both store  - securely so that they can encrypt and decrypt important transmission data later.

Key Agreement Mechanism.
After completing the bidirectional authentication between  and , they need to generate a shared key. This happens whenever the gateway is restarted.
The key generation process in the key agreement mechanism (KAM) is elaborated as follows.
Step 1. A large prime  is agreed by  and , and  is selected as a generator of the multiplicative group  * .
Step 2.  chooses a secret integer , computes , and sends it to .
Step 3.  chooses a secret integer , computes , and sends it to .
Step 6.  receives and decrypts {   (  ),   ,   }, then returns  to , and the two parties now share the same key  - , which completes the key agreement.
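Steps 4 and 5 of KAM are not reproduced on this page, so the following Python block is an added example and not the authors' protocol: it performs the Diffie-Hellman exchange of Steps 1 to 3 over the multiplicative group and then a key-confirmation round trip, an assumed stand-in for the encrypted confirmation of Step 6. Assumptions: the modulus 2^255 - 19 (a prime used only for demonstration, not a standardized group), SHA-256 as the hash for key derivation, HMAC-SHA256 for the confirmation tags, and a 16-byte key to match the AES-128 used in the WSN. The exchange itself is unauthenticated; as in the paper, it relies on the preceding bidirectional authentication between the gateway and the server to rule out a man-in-the-middle.

```python
import hashlib
import hmac
import secrets

# Demonstration modulus: 2**255 - 19 is prime, but this is NOT a standardized
# Diffie-Hellman group. A deployment should use a standardized MODP group
# (e.g., RFC 3526) together with its generator, and keep the checks below.
P = 2**255 - 19
G = 2
NBYTES = (P.bit_length() + 7) // 8   # 32 bytes per group element
KEY_LEN = 16                          # 128-bit key, to match AES-128 in the WSN


def gen_private():
    """Steps 2 and 3: a secret exponent chosen uniformly from [2, P-2]."""
    return secrets.randbelow(P - 3) + 2


def gen_public(priv):
    return pow(G, priv, P)


def valid_share(y):
    """Reject 0, 1 and P-1 before exponentiating: they force a trivial secret."""
    return 2 <= y <= P - 2


def derive_key(shared, y_g, y_s):
    """k_{G-S} = H(g^{ab} || y_G || y_S) truncated to KEY_LEN bytes (assumed KDF)."""
    material = b"".join(v.to_bytes(NBYTES, "big") for v in (shared, y_g, y_s))
    return hashlib.sha256(material).digest()[:KEY_LEN]


def confirm_tag(key, role, y_g, y_s):
    """Key-confirmation tag over both shares; the role byte stops reflection."""
    msg = role + y_g.to_bytes(NBYTES, "big") + y_s.to_bytes(NBYTES, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def run_kam(tamper=None):
    """Three-message exchange between gateway G and server S.

    tamper: optional function applied to G's share while in transit, used to
    show that the confirmation step detects a mismatched key.
    Returns (ok, k_G, k_S); ok is False if either side aborted.
    """
    # Message 1, G -> S: y_G = g^a mod p
    a = gen_private()
    y_g = gen_public(a)
    y_g_recv = tamper(y_g) if tamper else y_g

    # Message 2, S -> G: y_S = g^b mod p and tag_S = MAC_k(S || y_G || y_S)
    if not valid_share(y_g_recv):
        return False, None, None
    b = gen_private()
    y_s = gen_public(b)
    k_s = derive_key(pow(y_g_recv, b, P), y_g_recv, y_s)
    tag_s = confirm_tag(k_s, b"S", y_g_recv, y_s)

    # Message 3, G -> S: G checks tag_S with its own key, then answers tag_G
    if not valid_share(y_s):
        return False, None, None
    k_g = derive_key(pow(y_s, a, P), y_g, y_s)
    if not hmac.compare_digest(tag_s, confirm_tag(k_g, b"S", y_g, y_s)):
        return False, None, None           # keys differ: G aborts, sends nothing
    tag_g = confirm_tag(k_g, b"G", y_g, y_s)

    # S accepts k_S only after G's confirmation verifies
    ok = hmac.compare_digest(tag_g, confirm_tag(k_s, b"G", y_g_recv, y_s))
    return ok, k_g, k_s
```

`run_kam()` returns matching keys on both sides; `run_kam(tamper=...)` models a share altered in transit, in which case S's confirmation tag fails to verify at G and neither side proceeds with a mismatched key. Binding both public shares into the key derivation and into the tags is what makes that detection possible.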

Fragmented Multipath Data Transmission.
As described above,  and  have completed bidirectional authentication and share the session key  - . To secure the data transmission process,  encrypts the data to be transmitted with the shared key and divides the ciphertext into fragments that are transferred over several different selected paths. Fragmented multipath data transmission (FMPDT) consists of multipath data encryption and ciphertext transmission, described as follows.
Step 1. Assume that the user's medical information  consists of identification and sign data sensed by sensors   ( = 1, . . ., ) and is received by the sink node  , represented as follows: where one sensor is an RFID reader that reads the ID value ID() of person  and the other sensors are medical sensors that collect the sign data.
Step 2. After encryption with the key , the data encryption/decryption key shared by all sensor nodes, all sink nodes, and the gateway node in the regional ZigBee WSN, it becomes
Step 3. The ciphertext  of a complete medical record in  1 is sent to  2 or  3 , which forwards it to the gateway node .
Step 4. After receiving the ciphertext package,  decrypts it to obtain the plaintext:
Step 5.  encrypts  with the key  - , obtaining the ciphertext
Step 6.  divides C into sub-data packets  1 ,  2 , . . .,  . To each sub-data packet  adds a session number Seq and a subpacket identifier , giving sub-data packets of the form where Seq and  are used by  to restore the data and also to detect replays. Then, so that the server node  can verify the validity of the received  ,  computes the message authentication code with the keyed hash function (): Finally, on each selected path,  sends the message
Step 7. For every received sub-data packet   = ⟨  , Seq, , ℎ⟩,  authenticates the message by its authentication code; that is,  checks whether the following condition holds: If it does not hold,   is discarded. This ensures the validity of the data packet. Also, if the list of received packets already contains a packet with the same Seq and ,  rejects   to prevent replay attacks.
Step 8. After receiving all sub-data packets {  |  = 1, 2, . . ., } with the same Seq from the same ,  reassembles them into the complete ciphertext:
Step 9.  then decrypts  to recover the data : Finally,  extracts the medical data from  and stores them in the database according to a set rule (e.g., encrypted storage, slice storage).
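The gateway side of Steps 5 and 6 and the server side of Steps 7 to 9, as an added Python example that is not the authors' code. Assumptions: the encryption and MAC keys are derived from  - with SHA-256 (the paper uses one key); the cipher is a counter-mode keystream built from HMAC-SHA256 as a standard-library stand-in for AES; the MAC is HMAC-SHA256 over Seq, the subpacket index, the fragment count, and the fragment; the sample medical record and the key bytes are constructed for the demonstration. The fragment count is authenticated so that a forged packet cannot change how many sub-packets the server waits for, and Seq doubles as the cipher nonce, which is why it must never repeat under one key.

```python
import hashlib
import hmac

# Constructed demonstration keys. In CMIoT the gateway/server key k_{G-S}
# comes from the key agreement step; here two sub-keys are derived from it,
# one for the cipher and one for the MAC (an assumption, not the paper's).
K_GS = bytes(range(16))
K_ENC = hashlib.sha256(b"enc|" + K_GS).digest()
K_MAC = hashlib.sha256(b"mac|" + K_GS).digest()


def keystream_xor(key, nonce, data):
    """Counter-mode keystream built from HMAC-SHA256 (a stand-in for AES-CTR,
    which the standard library lacks). Encryption and decryption are the same
    call. The (key, nonce) pair must never be reused: Seq is the nonce."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[off:off + 32], block))
    return bytes(out)


def header(seq, i, n):
    """Authenticated header: Seq, sub-packet index i and fragment count n."""
    return seq.to_bytes(8, "big") + i.to_bytes(2, "big") + n.to_bytes(2, "big")


def fragment(plain, seq, n, key_enc=K_ENC, key_mac=K_MAC):
    """Gateway side (Steps 5 and 6): encrypt M, split C into n sub-packets and
    attach h = MAC(Seq || i || n || C_i) to each."""
    nonce = seq.to_bytes(8, "big")
    cipher = keystream_xor(key_enc, nonce, plain)
    size = -(-len(cipher) // n)          # ceiling division
    packets = []
    for i in range(n):
        piece = cipher[i * size:(i + 1) * size]
        tag = hmac.new(key_mac, header(seq, i, n) + piece, hashlib.sha256).digest()
        packets.append({"seq": seq, "i": i, "n": n, "c": piece, "h": tag})
    return packets


class Receiver:
    """Server side (Steps 7 to 9): verify the tag, drop replays, reassemble
    once all n sub-packets with the same Seq have arrived, then decrypt."""

    def __init__(self, key_enc=K_ENC, key_mac=K_MAC):
        self.key_enc, self.key_mac = key_enc, key_mac
        self.seen = set()       # (seq, i) pairs already accepted
        self.pending = {}       # seq -> {i: C_i}
        self.rejected = []      # (seq, i, reason), for the audit log

    def accept(self, pkt):
        """Returns the recovered plaintext when the message completes, else None."""
        seq, i, n = pkt["seq"], pkt["i"], pkt["n"]
        expect = hmac.new(self.key_mac, header(seq, i, n) + pkt["c"], hashlib.sha256).digest()
        if not hmac.compare_digest(expect, pkt["h"]):   # forged or corrupted
            self.rejected.append((seq, i, "bad-mac"))
            return None
        if (seq, i) in self.seen:                        # replayed sub-packet
            self.rejected.append((seq, i, "replay"))
            return None
        self.seen.add((seq, i))
        parts = self.pending.setdefault(seq, {})
        parts[i] = pkt["c"]
        if len(parts) < n:
            return None                                  # wait for other paths
        cipher = b"".join(parts[k] for k in range(n))
        del self.pending[seq]
        return keystream_xor(self.key_enc, seq.to_bytes(8, "big"), cipher)
```

Sub-packets may arrive in any order, as they would over different paths; the receiver only reassembles after the n-th distinct index under a given Seq has passed the MAC check. A replayed sub-packet passes the MAC (the tag is genuine) and is caught by the `seen` set, which is the second check of Step 7; a modified fragment fails the MAC first. The `seen` set grows without bound here; a deployment would age out entries older than the largest Seq still in flight.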

Access Control
To protect the security and integrity of patients' stored private medical data while sharing those data conveniently, access to them needs to be managed dynamically using hierarchical and dynamic authorization. In an open network environment, access control of medical data mainly involves the following:
(i) allowing legitimate users (patients, doctors, and nurses) to access their own data;
(ii) preventing illegitimate users from accessing private medical data;
(iii) preventing unauthorized access by legitimate users to other users' private medical data;
(iv) sharing private medical data locally, so that patients can learn their health status in a timely manner and healthcare workers can follow up on a patient's condition, promoting the healthy and rapid development of the medical field.
Figure 5: Abstract access control model.  →   denotes authorization between two different roles; for example, a user   holding   = ⟨, , [  ,    ]⟩ authorizes a role   = ⟨, , [,   ]⟩ to a user   so that   can access the data accessible in role   , with validity period from  to   ;
dr denotes a data request: when a user requests data from the storage server, the server uses the user's set of roles and set of access permissions to decide whether the request is legitimate and whether to return the data.
In practical applications, the differences among users and the actual operating environment need to be taken into account. Assume that the user set  contains two patients (e.g.,   ∈  and   ∈ ) and two doctors or nurses (e.g.,   ∈  and   ∈ ), that   and   are treated in the medical institution where   and   work, and that   and   are responsible for tracking and nursing the two patients. As CMIoT users, patients, doctors, and nurses send requests for medical data to the storage server from mobile terminals or PCs, and the storage server verifies the legitimacy of each request and returns data only if it is legal. Figure 6 shows the data access methods and authorizations of patients, doctors, and nurses.   sends a data request to the storage server from a terminal to access his or her personal basic information and medical data.   can also authorize   and   to access the medical data of   . Authorization between patients and doctors is many-to-many: a patient may authorize several doctors or nurses for medical data access and disease tracking, and a doctor or nurse can hold authorizations from several patients at the same time. Each authorization has a validity cycle; once it expires, the doctor or nurse can no longer view the patient's medical data. When medical data are accessed by different users, as shown in Figure 5, the cloud storage server verifies the user's permissions according to the user's roles {  } and returns the corresponding data  according to the data request dr. This is implemented through dynamic authorization, as shown in Figure 7. At the authorization stage, for security, patients are not allowed to grant access permissions to medical staff directly. Roles and permissions are bound together as the patient's authorization data, written to the server through the third-party data platform, and sent to the medical staff, who can then access the specified data from the cloud storage server according to those roles and permissions.

Dynamic Authorization
During medical data access, different roles have different permissions, but a role can grant access permissions to other roles through dynamic authorization. Assume that the role  1 is one of the roles assigned to a patient or designated administrator   for the validity period [ 1 ,    1 ], and that   has permission to directly access his or her own or managed medical data. As shown in Figure 8, the nurse   and the doctor   do not hold the role  1 and cannot directly access those data; they need an authorization. Therefore,   can authorize the role  2 to   for a validity period →  2 ), and in turn   can authorize the role  3 to   for a validity period [ 3 ,    3 ] →  3 ) so that the nurse obtains the same permissions. It needs to be explained here: . The mechanism is convenient for medical staff during a given period and leaves unauthorized staff unable to view patient data, reducing the risk of patient medical data being stolen. It protects the privacy of patients' medical data in two ways. One is operation permission control over private medical data: users at different levels have different permissions for different sensitive data. The other is dynamic management of user access permissions: once a doctor has been authorized by a patient, he or she can access the patient's electronic medical record, medical history, image information, and so on.
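The delegation chain of Figure 8 (patient  1 → doctor  2 → nurse  3), together with the access control policy items (i) to (iv) listed later in the paper, as an added Python example that is not the authors' code. Assumptions: times are integers, permissions are strings such as "read:record", the third-party data platform is the caller of `delegate`, and a delegated validity period must lie inside the grantor's own period and carry only permissions the grantor holds; all class and function names are constructed for this example. Revocation cascades so that a doctor who loses a patient's authorization also loses whatever that doctor passed on to a nurse.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Grant:
    """One role held by one user over one patient's data for [t_start, t_end]."""
    grantee: str                 # holder of the role (u_p, u_d, u_n, ...)
    role: str                    # r_1, r_2, r_3, ...
    patient: str                 # whose medical data the role covers
    perms: FrozenSet[str]        # e.g. {"read:record", "read:image"}
    t_start: int
    t_end: int
    grantor: Optional[str]       # None for a directly assigned role


class AuthzServer:
    """Cloud storage side: holds the grants written by the data platform and
    answers data requests (dr) from the user's roles and permissions."""

    def __init__(self):
        self.grants: List[Grant] = []

    def assign(self, patient, role, perms, t_start, t_end):
        """A patient's own role r_1 over his or her own data."""
        self.grants.append(Grant(patient, role, patient, frozenset(perms),
                                 t_start, t_end, None))

    def live(self, user, patient, now):
        """Grants of `user` on `patient`'s data that are valid at time `now`."""
        return [g for g in self.grants
                if g.grantee == user and g.patient == patient
                and g.t_start <= now <= g.t_end]

    def delegate(self, grantor, grantee, role, patient, perms, t_start, t_end, now):
        """Dynamic authorization r_i -> r_j. Accepted only if the grantor holds,
        at time `now`, a live grant that covers every requested permission and
        whose validity period contains the whole new period."""
        perms = frozenset(perms)
        if t_start > t_end:
            return False
        for g in self.live(grantor, patient, now):
            if perms <= g.perms and g.t_start <= t_start and t_end <= g.t_end:
                self.grants.append(Grant(grantee, role, patient, perms,
                                         t_start, t_end, grantor))
                return True
        return False

    def revoke(self, grantee, role, patient):
        """Remove a grant; if its holder keeps no grant on this patient, every
        grant the holder delegated onward is revoked as well (cascade)."""
        self.grants = [g for g in self.grants if not (
            g.grantee == grantee and g.role == role and g.patient == patient)]
        if not any(g.grantee == grantee and g.patient == patient for g in self.grants):
            for g in [g for g in self.grants
                      if g.grantor == grantee and g.patient == patient]:
                self.revoke(g.grantee, g.role, patient)

    def check(self, user, patient, perm, now):
        """dr: may `user` perform `perm` on `patient`'s data at time `now`?"""
        return any(perm in g.perms for g in self.live(user, patient, now))


def scenario():
    """The r_1 -> r_2 -> r_3 chain of Figure 8 with constructed times."""
    s = AuthzServer()
    s.assign("u_p", "r_1", {"read:record", "read:image", "write:record"}, 0, 1000)
    s.delegate("u_p", "u_d", "r_2", "u_p", {"read:record", "read:image"}, 100, 200, now=50)
    s.delegate("u_d", "u_n", "r_3", "u_p", {"read:record"}, 150, 180, now=150)
    return s
```

In `scenario()` the nurse can read the record between times 150 and 180 only, the doctor's access ends at 200, and neither can touch another patient's data or gain "write:record", which the doctor never held. Checking the grantor's permissions and period at delegation time, rather than only at access time, is what stops a role from escalating beyond what the patient originally granted.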

Experiments and Analysis
In CMIoT, some medical sensors and devices are deployed indoors at home and others in public areas such as a community public area, the community health center, or a hospital. In our test, they gather medical data including blood pressure, blood oxygen, blood glucose, heart rate, and ECG (electrocardiograph) data  ≥ 10 times per day. After packaging these data, the gateway splits them into fragments and sends them to different wireless routers, which forward them over the wireless link to the cloud storage server in the community health center. Meanwhile, users such as patients, doctors, nurses, and managers access the medical data on the cloud storage server under an assigned role with specified permissions.

Security Analysis.
For data transmission protection in CMIoT, security covers WSN security, authentication security, key agreement security, and fragmented multipath transmission security.
(i) WSN Security. In the WSN, the ZigBee protocol stack defines security for the MAC, network, and application layers and provides a symmetric-key mechanism; for example, ZStack-CC2530-2.3.0-1.4.0 supports AES-128 with a configurable key  when Z-Stack encryption is switched on. AES (Rijndael, designed by Daemen and Rijmen) is an efficient symmetric block cipher. It does not use the Feistel structure of DES; instead it applies three reversible uniform transformation layers: a linear mixing layer, a nonlinear layer, and a key addition layer. With AES-128 enabled in the stack, interference from devices of the same type and eavesdropping by other devices are prevented. If AES is used, every device in the network must enable it and hold the same key; frames that are unencrypted, or encrypted under a different key, are not accepted by the WSN nodes. Note that a single network-wide key means that compromise of any one node, for example by extracting the key from a physically captured sensor, exposes all traffic in that WSN, since the data are protected only by this key until they reach the gateway.
(ii) Authentication Security. Before medical data are transmitted,  authenticates with . If the bidirectional authentication does not fully pass,  refuses to receive data, preventing fake gateway nodes from injecting forged data, and likewise  refuses to send data, avoiding phishing by a pseudo-server node. Even if attackers steal the password table in , the one-way property of the hash function prevents them from inverting it directly; this holds only for high-entropy passwords, however, since a stolen table of unsalted hashes of weak passwords can be recovered by an offline dictionary attack. With suitable passwords, the scheme effectively ensures identity authentication for  and .
Table 1, in which √ means that the security condition is met, shows that the above protocol uses a hash function and a MAC and is therefore more efficient than Wang's public-key algorithm. Peyravian's scheme uses no MAC and therefore cannot prevent gateway node forgery. Ma's protocol cannot prevent dictionary attacks, owing to the characteristics of its data, despite the various attacks it considers.
(iii) Key Agreement Security. To prevent an attacker from intercepting one party's data and forging new data for transmission while the two parties exchange data, a three-way handshake is added to the key agreement process to ensure the correctness of the final agreed key. The handshake depends on the preceding bidirectional authentication; an unauthenticated Diffie-Hellman exchange on its own does not resist a man-in-the-middle. In Table 2, √ means that the security condition is met. KAM guarantees the security of the key used to encrypt and decrypt the medical data.
(iv) Fragmented Multipath Transmission Security. Compared with any single-path mechanism, fragmented multipath transmission makes it harder for an attacker to obtain the complete data. It provides security in two ways: the data are encrypted, and the data are fragmented. When the server receives a packet, it recomputes the message authentication code and compares it with the received one; if they match, the packet is added to the reassembly buffer, otherwise it is discarded, which ensures the correctness and security of the received data. Assume the attacker can forge packets and intercepts a single packet with probability  (0 <  < 1). For the single-path mechanism the probability of losing or forging the data is , while for the multipath () mechanism, in which all fragments are needed to reconstruct the data, it is  ; clearly   < , so multipath transmission is much more secure.
Performance Impact.
The encrypted fragmented multipath transmission above protects the uplink data. For the downlink data between the access clients and the server , the same method applies: the clients first complete the initialization steps (registration, bidirectional authentication, and key agreement), after which the server transfers the requested data to the client by encrypted fragmented multipath transmission. For both uplink and downlink data, encryption and fragmentation protect the data but inevitably add transmission delay. The extent of this impact is discussed next.
To test the effectiveness of encrypted fragmented multipath transmission, we designed the experiments listed in Table 3. Scheme 1 is plaintext transmission without any protection: no encryption is used and data are sent in plaintext, unfragmented, in the information integration layer. Scheme 2 is G-S symmetric encrypted unfragmented transmission: the data are encrypted in  with a symmetric cipher and sent to  as one complete packet in the information integration layer; Scheme 3 is G-S asymmetric encrypted unfragmented transmission, which uses an asymmetric cipher instead. Schemes 4-7 fragment the encrypted message. Scheme 4 (G-S symmetric encrypted fragmented transmission) and Scheme 6 (s- + -G-S symmetric encrypted fragmented transmission) use symmetric cryptography in  and  and are the recommended ones. Scheme 5 (G-S asymmetric encrypted fragmented transmission) and Scheme 7 (s- + -G-S asymmetric encrypted fragmented transmission) use asymmetric cryptography in  and . The remaining difference is that in Schemes 4 and 5 the transmission among sensor nodes, sink nodes, and  is not symmetrically encrypted, whereas in Schemes 6 and 7 it is.
Asymmetric algorithms (e.g., RSA, ElGamal, LUC, Rabin, and DSA) provide higher security but are slower. In our experiments, with a 256-bit RSA key, encrypting and decrypting 128 bits of data on a desktop computer (Processor: Intel i5-6200U 2.3 GHz) took about 989 ns and 2,971 ns, respectively. Note that a 256-bit RSA key is far below current practice (2048 bits is the usual minimum) and is used here only for timing comparison. By contrast, symmetric ciphers such as DES, IDEA, GOST, Blowfish, RC-4, RC-5, CAST-128, and AES are faster; for example, with a 128-bit AES key, encrypting and decrypting 128 bits of data on the same computer took about 5 ns and 3 ns, respectively. Another significant difference is that the length of the encrypted data changes: the plaintext and ciphertext have the same length with AES encryption
(iii) Through the dynamic authorization mechanism, patients register an authorization code on their medical data, so that medical staff holding the same authorization code can access those data within the authorized permissions and validity period.
Beyond that, secure transmission of uplink and downlink data during users' access to medical data also deserves attention. Any message transmitted on the link can be protected with the encrypted fragmented multipath transmission mechanism, at the cost of some delay at the server and the clients.

Performance Impact.
In a community of 10,000 users, 100 types of sign data are collected 10 times each day for each user, so in one year the total number of collected data items is 365 × 10,000 × 100 × 10 = 3.65 × 10^9. A large volume of diagnostic data is also generated every day. Authorized users perform access operations on these data such as query, modification, and deletion. While providing security, the fine-grained access control scheme also increases the response time when users access data on the server from mobile or PC terminals. Especially on the downlink, CMIoT must choose an appropriate granularity of access authorization so that data can be accessed efficiently. In our experiments, the grain could be divided by user, by type of sign data, or by record of sign and diagnostic data, and each query returned 100 records. As shown in Table 4 and Figure 10, the response time differs greatly among grains. If the record is taken as the unit of granularity, the response time becomes very large when the number of accessing users is large, which is unacceptable in practice. Even with the type as the unit, system performance drops sharply once the number of concurrent users exceeds a certain level.
Therefore, a multidimensional grain is needed: data are authorized at a coarser granularity first and then refined at a finer granularity. After a series of tests, for the grain divided by user and then by type, as shown in Table 5, the response time is about 0.1 ms for 1,000 accessing users, and for the grain divided by user, type, and record, which gives more detailed authorization management, it is about 0.4 ms for 1,000 accessing users.

Conclusions and Future Works
In this paper, we design a data transmission protection and access control scheme for privacy protection in CMIoT. For transmission protection, we cover three aspects: authentication, communication key agreement, and multipath secure transmission. Considering the security problems that may exist in the communication process, we improve the traditional key agreement algorithm to strengthen key negotiation. Furthermore, we add a multipath transmission mechanism so that an attacker finds it harder to obtain the complete data, without affecting the server's reception of the data. Finally, we analyze the security of the method presented in this paper. To secure medical data on the cloud storage server, an access control method with authorization is used. This scheme

Figure 1: Hierarchical structure of community medical Internet of Things.

Figure 3: Multipath transmission model of medical data.
Scheme.
In the cloud storage environment of CMIoT, the access control policy for private medical data mainly includes the following:
(i) After a patient   logs on to the cloud storage server, he or she may view his or her own medical data, that is, personal information, medical data, electronic medical record, PACS image information, etc. In other words,   has some roles {  } that   owns, and in these roles   can perform specified operations.
(ii) After a doctor   or a nurse   logs on to the cloud server,   or   can view their own account information and track the medical data of the patients assigned to them. Normally,   or   can only manage their own personal data and have no permission to access a patient's medical data.
(iii) Once the patient   grants an access permission to   or   by the authorization code (i.e.,   selects some  ∈ {  } from his or her own roles {  } and authorizes them to   or   ),   or   can view and track the medical data of   through their own account during the authorization validity period [,   ].
(iv) In the same way,   or   can also authorize their own authorized roles to other users.

Table 3: Delay of different transmission schemes.

Table 4: Response time of different grains.