Medical Internet of Things, commonly abbreviated as MIoT, has played an increasingly important role in improving the health, safety, and care of billions of people since its emergence. Instead of going to the hospital for help, patients’ health-related parameters can be monitored remotely, continuously, and in real time, then processed and transferred to a medical data center, such as cloud storage, which greatly increases the efficiency, convenience, and cost-effectiveness of healthcare. The amount of data handled by MIoT devices grows exponentially, which means higher exposure of sensitive data. The security and privacy of the data collected from MIoT devices, both during their transmission to a cloud and while stored in a cloud, are major unsolved concerns. This paper focuses on the security and privacy requirements related to data flow in MIoT. In addition, we make an in-depth study of the existing solutions to security and privacy issues, together with the open challenges and research issues for future work.
Medical Internet of Things is the group of devices connected to the Internet that perform the processes and services supporting healthcare. MIoT has emerged as a new technology for e-healthcare that collects patients’ vital body parameters and monitors their pathological details through small wearable devices or implantable sensors. MIoT has shown great potential in providing a better guarantee for people’s health and supports a wide range of applications, from implantable medical devices to wireless body area networks (WBANs).
Generally, the MIoT structure is composed of three layers: the perception layer, the network layer, and the application layer, as shown in Figure
Structure of Medical Internet of Things.
The security and privacy of patient-related data are two indispensable concepts. By data security, we mean that data is stored and transferred securely, to guarantee its integrity, validity, and authenticity, and data privacy means the data can only be accessed by the people who have authorization to view and use it [
The successful development of MIoT must take security and privacy as a core consideration. This paper proceeds as follows. In Section
Although the majority of healthcare organizations do not spend enough resources to protect security and privacy [
Data integrity refers to the property that all data values satisfy semantic standards without unauthorized tampering. It covers two aspects: accuracy and reliability. Data integrity can be divided into four categories, namely, entity integrity, domain integrity, referential integrity, and user-defined integrity, which can be maintained by foreign keys, constraints, rules, and triggers.
Data usability means ensuring that data or data systems can be used by authorized users. Big data brings not only great benefits but also crucial challenges, such as dirty data and nonstandard data. In addition, data corruption or data loss caused by unauthorized access further destroys data usability.
Auditing of medical data access is an effective means of monitoring the use of resources and a common measure for finding and tracking abnormal events. In addition, cloud service providers are usually not fully trusted, which requires reasonable auditing methods. Audit content generally includes users, cloud service providers, access, and operation records.
Patient information can be subdivided into two categories: general records and sensitive data. Sensitive data, which can also be called patient privacy, include mental status, sexual orientation, sexual functioning, infectious diseases, fertility status, drug addiction, genetic information, and identity information. We need to make sure that sensitive data are not leaked to unauthorized users and that, even if the data are intercepted, their content cannot be understood by unauthorized users.
Since MIoT devices do not have sufficient memory, computation, and communication capabilities, they require a powerful and scalable high-performance computing and massive storage infrastructure for real-time processing and data storage. Currently, most MIoT institutions store the collected medical data and deploy their application servers in the cloud, so the devices can offload their healthcare tasks to the cloud accordingly. Cloud services, through their elasticity and the ability to access shared resources and common infrastructure in a ubiquitous and pervasive manner, offer a promising solution for the efficient management of pervasive healthcare data.
Cryptography is a security technology for information exchange and communication in accordance with the agreed rules [
Common model of data encryption and decryption.
In general, data encryption can be implemented at three levels of communication: link encryption, node encryption, and end-to-end encryption. In link encryption, every intermediate node decrypts the message received from the previous link into plaintext and then encrypts the plaintext into ciphertext with the secret key of the next link. Unlike link encryption, node encryption does not allow messages to exist in plaintext form within the network node; therefore, node encryption can provide higher security for network data. With end-to-end encryption, the message is not decrypted until it reaches its destination. Because the message exists only as ciphertext throughout the transmission, there is no leakage of information even if an intermediate node is compromised.
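The following, an added illustration rather than code from the paper, simulates a compromised relay on a sensor-gateway-cloud path under link encryption and under end-to-end encryption; the node names, the random keys, and the HMAC-based keystream cipher are assumptions made for the demonstration.

```python
"""Link (hop-by-hop) versus end-to-end encryption on a sensor -> gateway -> cloud
path, showing what a compromised intermediate node can read in each mode.

Added illustration, not from the paper. The cipher is an HMAC-SHA256 keystream in
counter mode so it runs on the standard library alone; a real deployment would use
an authenticated cipher such as AES-GCM. Keys and nonce are generated at random."""
import hashlib
import hmac
import os

PATH = ["sensor", "gateway", "cloud"]
# Constructed keys: one per link for link encryption, one shared only by the endpoints.
LINK_KEYS = {(a, b): os.urandom(32) for a, b in zip(PATH, PATH[1:])}
E2E_KEY = os.urandom(32)
NONCE = os.urandom(12)  # must never repeat under the same key


def keystream_xor(key, nonce, data):
    """XOR data with HMAC(key, nonce || counter) blocks; the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def link_encryption(msg, compromised):
    """Each node decrypts the incoming link and re-encrypts for the outgoing one,
    so plaintext exists inside every relay. Returns (what the compromised node
    observes, what the cloud finally decrypts)."""
    observed, held = None, msg
    for src, dst in zip(PATH, PATH[1:]):
        if src == compromised:
            observed = held                       # relay holds plaintext here
        wire = keystream_xor(LINK_KEYS[(src, dst)], NONCE, held)
        held = keystream_xor(LINK_KEYS[(src, dst)], NONCE, wire)  # dst decrypts
    return observed, held


def end_to_end_encryption(msg, compromised):
    """Only the endpoints hold E2E_KEY; relays forward ciphertext unchanged, so a
    compromised relay observes nothing but ciphertext."""
    wire = keystream_xor(E2E_KEY, NONCE, msg)
    observed = wire if compromised in PATH[1:-1] else None
    return observed, keystream_xor(E2E_KEY, NONCE, wire)
```

Node encryption would perform the same re-keying as `link_encryption` but inside a protected module, so the relay's general software never holds `held` in the clear.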
To secure e-health communications, key management protocols play a vital role in the security process. However, complex encryption algorithms or transmission protocols can greatly reduce the transmission rate and may even make data transmission fail. Furthermore, they occupy valuable resources that medical devices do not have to spare. The difficult balance between security protection and system energy consumption needs to be struck in a scientific and cautious way. Table
Security and privacy mechanisms and proposals for data encryption.
Proposals | Technologies | Application | Details |
---|---|---|---|
[ | Key management scheme | Resource-constrained nodes | Solving the issue of the limited resources available through strong encryption and authentication means |
[ | Lightweight private algorithm; DES | Data transmission | Strong encryption considering the characteristic of IoT |
[ | Cloud computing | Monitoring the elderly’s biological data | Reducing the waste of medical resources |
[ | Authentication scheme | Mobile emergency medical systems | Guaranteeing the confidentiality of sensitive medical data |
Owing to the limited resources available and privacy concerns, security issues have been major obstacles to the e-health applications that provide unobtrusive support for elderly and frail people. Abdmeziem and Tandjaoui [
Considering the characteristics of IoT and privacy protection, Gong et al. [
Li et al. [
The architecture of cloud-assisted wireless body area network in mobile emergency medical care system.
Access control is the means by which a data system defines the identity of a user and the predefined policies which prevent access to resources by unauthorized users [
As is well known, cryptography relies on keys. The size and generation mechanism of secret keys directly affect the security of the cryptosystem. Therefore, for a cryptosystem, the key management mechanism determines the life cycle of the security system. Owing to its scalable key management and flexible access control policies, attribute-based encryption (ABE) is gradually becoming a mainstream method. Table
Security and privacy mechanisms and proposals for access control.
Proposals | Technologies | Application | Details |
---|---|---|---|
[ | ABE | Access control | Solving the revocation problem of emergency key |
[ | CP-ABE | Medical sensor networks | Supporting complex and dynamic security policies |
[ | ABE | Access control to PHR | Leveraging ABE to encrypt PHR files |
In Health Information Exchange (HIE), patient health information can be shared electronically, with explicit authorization of the information exchange, in an auditable manner. However, existing approaches to authorization in health information systems exhibit several drawbacks in meeting the needs of HIE: noncryptographic approaches lack a secure and reliable mechanism for access policy enforcement, while cryptographic approaches are too expensive, complex, and limited in specifying policies. Chandrasekhar et al. [
System components.
Lounis et al. [
Example of emergency intervention.
Lounis et al. [
Cloud servers are not fully trusted. The integrity and consistency of medical data stored in the cloud could be compromised if data corruption or even deletion happens without the user’s permission. For security reasons, the data rules are typically specified by the user, so that the service provider does not have direct contact with the source data. In addition, a reputable Trusted Third Party (TTP) that provides unbiased auditing results can be introduced to enable the accountability of cloud service providers and protect the legitimate interests of cloud users [
Over the past decades, many auditing methods have been presented. Several supervised machine learning approaches, such as logistic regression and support vector machine, have been applied to detect suspicious access [
Chen et al. [
Govaert et al. [
To protect data privacy, sensitive data have to be encrypted before outsourcing, which renders traditional data utilization based on plaintext keyword search obsolete. Thus, enabling a search service over encrypted cloud data is of paramount importance [
Security and privacy mechanisms and proposals for data search.
Proposals | Technologies | Application | Details |
---|---|---|---|
[ | Symmetric key | Supporting privacy-preserving string matching | Providing strong privacy guarantees against attacks from a semihonest adversary |
[ | LKE | Searching over encrypted images | Better estimation of edges using smoothing kernels with edge information |
[ | APKS | Searching over encrypted PHR | Allowing users to obtain query capabilities from localized trusted authorities according to their attributes |
[ | CP-ABE | Searching over encrypted PHR | Supporting both fine-grained access control and multikeyword search |
To achieve rich querying functionality over the encrypted data, Bezawada et al. [
PASS tree example.
To benefit from elastic resources and lessen the computational burden, personal health records (PHRs) are gradually being moved to cloud storage. Miao et al. [
System model of m2-ABKS scheme.
Methods based on kernel regression can restore the image from its downsampled version with low computational cost, but with low quality around edges. Song et al. [
Patient sensitive data can be divided into three categories: explicit identifiers, quasi-identifiers, and privacy attributes. An explicit identifier uniquely identifies a patient, for example an ID number, name, or cell phone number. A combination of quasi-identifiers, such as age, birth date, and address, can also uniquely identify a patient. Privacy attributes are sensitive attributes of a patient, including illness and income. In the process of data publication, while considering the distribution characteristics of the original data, it is necessary to ensure that the individual attributes of the new dataset are properly processed, so as to protect the patient’s privacy. At present, random perturbation technology and data anonymization technology are usually used to solve these issues, such as
After the study of the privacy concerns of sharing patient information between the Hong Kong Red Cross Blood Transfusion Services (BTS) and the public hospitals, Miao et al. [
Many clustering algorithms can be applied in data anonymization for
A general architecture of the longitudinal data anonymization process.
Liu and Li [
Security problems arise with the wide deployment of medical wearable devices. The most severe threat would be the privacy leakage of medical wearable device data. After collecting data from the smart terminals, data holders of medical wearable devices are willing to share the data with application developers to enrich their services or obtain monetary benefits. The collected data contain abundant private information. In addition, when sharing the data recorded by human-carried wearable sensors, some personal information, such as age, height, and weight, may also have to be submitted. Therefore, though the original intention of data sharing is always positive, the uncontrolled release of personal information may raise the risk of privacy disclosure.
In this section, we compare 4 kinds of
For example, as Table
Original data.
Height | Weight | Age | Sensitive data |
---|---|---|---|
172 | 63 | 27 | Time series |
178 | 75 | 34 | Time series |
180 | 72 | 26 | Time series |
185 | 77 | 22 | Time series |
The data holder cuts the linkage between identity and sensitive data by generalizing the quasi-identifiers before sharing according to
Anonymity result of original data.
Height | Weight | Age | Sensitive data |
---|---|---|---|
| | | Time series |
| | | Time series |
| | | Time series |
| | | Time series |
Figure
The discriminating rate of 2-anonymity.
In this experiment, the sensitive data of all the records remain unchanged. Because the equivalence classes are formed from different combinations of records, the discriminating rate of each equivalence class differs. A reasonable assignment of records improves the security level of clustering
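As an added example (not the paper's own implementation), the following generalizes the quasi-identifiers of the four "Original data" records above into a 2-anonymous table, cutting the link between a record's identifying attributes and its sensitive data as described earlier in this section; the greedy clustering rule and the "min-max" range notation are assumptions.

```python
"""k-anonymity by generalizing quasi-identifiers (height, weight, age) so that
every equivalence class holds at least k records.

Added example, not the paper's code. The records are the four constructed rows of
the 'Original data' table; the greedy rule (take the k records with the tightest
attribute ranges) is an assumption, not the authors' clustering scheme."""
from itertools import combinations

# Constructed sample: (height, weight, age, sensitive data).
RECORDS = [
    (172, 63, 27, "time series"),
    (178, 75, 34, "time series"),
    (180, 72, 26, "time series"),
    (185, 77, 22, "time series"),
]
QI = 3  # the first three columns are quasi-identifiers; the last is sensitive


def spread(cluster):
    """Information loss of a cluster: sum of value ranges over the quasi-identifiers."""
    return sum(max(r[i] for r in cluster) - min(r[i] for r in cluster) for i in range(QI))


def cluster_k(records, k):
    """Greedy partition: repeatedly take the k records with the smallest spread.
    The last class absorbs the leftovers (between k and 2k-1 records)."""
    remaining, clusters = list(records), []
    while len(remaining) >= 2 * k:
        best = min(combinations(remaining, k), key=spread)
        clusters.append(list(best))
        for r in best:
            remaining.remove(r)
    if remaining:
        clusters.append(remaining)
    return clusters


def generalize(cluster):
    """Replace each quasi-identifier by the class's 'min-max' range; keep sensitive
    data. Every row in the class then shares one quasi-identifier tuple."""
    ranges = tuple(f"{min(r[i] for r in cluster)}-{max(r[i] for r in cluster)}" for i in range(QI))
    return [ranges + (r[QI],) for r in cluster]


def anonymize(records, k):
    """Generalize the original table into its k-anonymous version."""
    return [row for c in cluster_k(records, k) for row in generalize(c)]


def is_k_anonymous(table, k):
    """Check the property: each distinct quasi-identifier tuple occurs >= k times."""
    counts = {}
    for row in table:
        counts[row[:QI]] = counts.get(row[:QI], 0) + 1
    return bool(counts) and all(n >= k for n in counts.values())
```

With k=2 the four records form two equivalence classes, so no height/weight/age combination singles out one patient; raising k widens the ranges and increases information loss.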
Any developer of an MIoT security and privacy system must take into account the impact of various factors and find a good balance among them. In order to achieve a better security environment, several challenges require special attention.
Because of the convenience and low cost, a number of devices and software services rely heavily on wireless networks, such as WiFi, which are known to be vulnerable to various intrusions including unauthorized router access, man-in-the-middle attacks, spoofing, denial of service attacks, brute-force attacks, and traffic injections [
Low-cost devices and sensor-based software applications should follow specific policy and proxy rules to provide services. At present, providing high-grade security for the sensors requires high-cost solutions. This is a conflict in MIoT systems. Developing different levels of security protocols according to application scenarios, especially lightweight security protocols, is the main task of security protection in the future.
Despite the rapid development of medical information technology, the problem of information islands is increasingly serious. The standards for the data gathered from devices of different manufacturers vary widely, which makes unified management difficult. However, information collaboration and sharing among the heterogeneous systems of MIoT constitute the inevitable trend of the future. The privatization of patient information could be very detrimental to the security of the MIoT system. Employing general data policies to combine different data could provide more comprehensible information and enhance security and privacy with a hierarchical security model.
A variety of medical devices and software applications are applied to improve the quality of medical services and also generate large amounts of data. At present, the importance of data is self-evident. How to effectively protect data security and privacy at all stages of the data flow will occupy an important position in future related research. Starting from the security and privacy requirements of MIoT, this paper discusses the security and privacy issues from five technical aspects and presents the challenges for future research. MIoT has received great attention; however, the related standards and technical specifications are still being improved, especially for the special application requirements of healthcare, and more successful exploration is needed.
The authors declare that they have no conflicts of interest.
The authors would like to acknowledge the financial support from the National Natural Science Foundation of China (no. 61379145) and the Joint Funds of CETC (Grant no. 20166141B08020101).