A Review on Body Area Networks Security for Healthcare

1 Institute of Computing Technology, Chinese Academy of Sciences (CAS), Beijing 100190, China 2 Graduate University of CAS, Beijing 100049, China 3 CAS/CUHK Research Centre for Biosensors and Medical Instruments, Institute of Biomedical and Health Engineering (IBHE), Shenzhen Institute of Advanced Technology (SIAT), Shenzhen 518055, China 4 The Key Laboratory of Health Informatics of CAS, Shenzhen 518055, China 5 The Joint Research Centre for Biomedical Engineering, The Chinese University of Hong Kong, Shatin, NT, Hong Kong


Introduction
Body area networks (BANs) seamlessly connect miniaturized and low-power devices and biosensors that are worn on or implanted in human body.The development of BANs is emerging as one of the main research trends, particularly to collect and jointly process biological data for continuous and long-term monitoring of health conditions [1][2][3][4].Since medical and health data are private and sensitive information that are protected by law in many countries, for example, by the Health Information and Portability Accountability Act (HIPAA) in the USA [5], the European Union Directive 2002/58/EC in Europe [6], and Law of the People's Republic of China on Medical Practitioners in China [7], the security of data transmission within BANs must be addressed in order for them to be widely used in real-life health applications.
Although BANs share some common features with generic wireless sensor networks (WSNs), it is anticipated that the two networks should have very different security schemes.WSNs have many constraints, such as low computation capability, small memory, and limited energy resources, and the security issues of them have been previously addressed in literatures [8].SPINS is a suite of security protocols optimized for sensor networks, where the base station accesses nodes using source routing [9].Differed from SPINS, Undercoffer et al. [10] proposed another protocol that relies upon broadcasts and provides a mechanism for detecting certain types of aberrant behaviours.TinySec is the first fully implemented link layer security architecture for WSNs [11].It generated secure packets by encrypting data using a group key shared among sensor nodes and calculating a message integrity code (MIC) for the whole packet, including the header.
These security methods that were proposed or implemented for WSNs are not optimal, if not impractical, for BANs, which require a security solution that consumes even less energy and memory space than generic WSNs.
(1) Energy Consumption.Unlike generic WSNs, sensors of BANs are placed on or implanted in human body and powering the sensors will at the same time dissipate heat and cause adverse effects to the human tissues around them.Moreover, small sized battery of biosensors can only carry a limited amount of energy and, in some cases, cannot be recharged conveniently.Meanwhile, both communication and computation operations consume a lot of energy [12].Broadly speaking, the existing security solutions required a great deal of communication and computation operations and the large amount of energy dedicated for these operations makes them unrealistic for BANs, particularly considering applications that demand real-time data exchange and transmission.
(2) Memory Occupation.The size of biosensors and medical devices has to be small enough to avoid disturbing the daily life of the user, and thus the memory of these entities in BANs is extremely limited.For example, in the SmartDust project, TinyOS consumes about 3500 bytes of memory, leaving only 4500 bytes for security and applications, which is insufficient for the current security algorithms [8].
In order to satisfy the above requirements, characteristics of BANs should be taken into account when developing the communication protocols as well as the respective security solutions based on these protocols.Regarding the communication protocol, the communication distance of BANs should be less than the height of the human body (about 2.5 meters).Moreover, the positions of biosensors of BANs are relatively stationary, even though their relative positions may change due to body movement.Considering these characteristics will help developing a lightweight communication protocol suitable for BANs.
BANs will also incorporate a smaller quantity of sensors per network compared to generic WSNs, but multiple BANs will have to be set up securely and independently in close proximity.BANs will have access to their own biological and behavioural data as well as biocommunication channels.These resources should be utilised to formulate an optimal solution for BANs.For example, physiological data can be used to generate keys for confidentiality and authentication and the human body can be used as secure channel to distribute keys.
In short, security methods for BANs should not be directly adopted from existing approaches.In this paper, we intend to summarize the efforts made thus far on designing security approaches for BANs.The rest of the paper is organized as follows.Security threats and requirements of BANs are presented in Section 2. We then discussed the security methods of IEEE standard 802.15 communication protocols in Section 3. Public key cryptography (PKC) and symmetric key encryption (SKE) for BANs are, respectively, summarized in Section 4. Key management in BANs, specifically for symmetric keys, is discussed in Section 5. Finally, conclusions are drawn in Section 6.

Security Threats and Requirements
For BANs that are used for health applications, they must be protected from impostor nodes or devices that (1) eavesdrop health information (2) access health information without authorisation (3) fabricate identity to verify authentication (4) deny health information that had been sent or received, and (5) alter health information.To cope with these security threats, the research of security requirements of BANs must include five intertwined areas: confidentiality, authorization, authentication, nonrepudiation, and integrity control [13].
2.1.Confidentiality.To prevent any personal health information from being eavesdropped by the attacker, the genuine sensors should not transmit the health information in plain text within a BAN.The confidentiality of health information can be assured by incorporating encryption operations.

Authorization.
Authorization mechanism ensures that only authorized entities can be involved in providing information to communicated entities but unauthorized entities cannot.An authorization mechanism can assign the access privileges and limit free access.Without an effective authorization mechanism, the attacker can easily access the health information without any constraints.

2.3.
Authentication.Authentication, one of the most important security primitives, includes entity authentication and data authentication.Entity authentication is a security mechanism that guarantees that entities are who they claim to be.Data authentication allows a receiver to verify that the data really was sent by the claimed sender and prevents an intruder or unauthorized entity to report false health data or give harmful instructions to the biosensors or medical devices of a BAN, and it can be implemented by digital signature using PKC or by MIC using SKE.

Nonrepudiation.
Nonrepudiation assures that an entity cannot deny facts transmitted or receiving any message in BANs.That is to say, all operations of the sender and receiver of health information can be monitored.Furthermore, the attacker can be traced and captured if any nonrepudiation evidence is recorded in communications.Operations of digital signature and digital certificate can provide nonrepudiation for the transmission process of health information in BANs.

Integrity Control.
There is a danger that health information will be modified, deleted, and replaced during transmission by a hostile entity or a device error in BANs.Incomplete or wrong health information may result in life-threatening consequences to the owner of BANs.The integrity control is absolutely necessary where any alteration of health information can be detected by communication entities.The calculation of message digest or MIC can check information integrity.Using PKC can also provide integrity protection.However, this often requires out-of-band channels to authenticate the public keys.

Security Methods in Existing Communication Protocols
Some of the developers of BANs had already applied three standard communication protocols that sponsored by the IEEE standards committee for WSN communications [14][15][16]: IEEE 802.15.1 (Bluetooth) [17], IEEE 802.15.3 (ultra wideband, UWB) [18] and IEEE 802.15.4 (Zigbee) [19], and the draft of communication protocol of IEEE 802.15.6 has been developed specifically for BANs recently.Security issues of these standards are summarized as follows.
3.1.IEEE 802.15.1 (Bluetooth).Four different entities are used for maintaining security at the link layer: a public address which is unique for each user, two secret keys, and a random number which is different for each new transaction.
The initialization key is used as the link key during the initialization process when no combination or unit keys have been defined and exchanged or when a link key is lost.
The initialization key protects the transfer of initialization parameters.The key is derived from a random number, a personal identification number (PIN) code, or the public address.The PIN can be a fixed number stored in Bluetooth units that do not have a man-machine interface (MMI).Alternatively, the PIN can be selected arbitrarily by the user and entered in units with an MMI.The limitation of using PIN code to generate the initialization key is that the fixed PIN code is easily attacked by brute force attacking, and entering PIN codes are impractical because nearly all biosensors in a BAN do not have an MMI, especially for the implanted biosensors.Therefore, the security solution in Bluetooth is unsuitable for BANs although how to implement authentication and encryption is described in detail in the specification of Bluetooth.

802.15.3 (UWB)
. UWB supports communications with either no security or strong cryptography.A device operating in no security shall not perform any cryptographic operations on medium access control (MAC) frames, while devices operating in strong security use symmetric key cryptography to protect frames using encryption and integrity.The standard supports the protection of command, beacon and data frames using 128-bit advanced encryption standard (AES) security suite and key management.To prevent replay of old messages, a strictly increasing time token is included in the beacon.A device may reject as invalid a received beacon with a time token less than or equal to the current time token.
The UWB protocol describes no details about authentication, authorization, and nonrepudiation.

802.15.4 (Zigbee).
The cryptographic mechanism in the standard of [19] is based on symmetric-key cryptography.The requirements of security are data confidentiality, data authenticity, and replay detection.It has 8 security levels, which include encryption and authentication, as well as combined encryption and authentication with different security attributes in MAC sublayer.The security solution of Zigbee does not consider the two most important aspects in symmetric-key cryptography: key generation and distribution.The security level of the standard is therefore unknown, and it strongly relies on which security attribute is selected, the randomness of the key in use, and whether  [20].At present, the latest standardization of TG6 draft (IEEE P802.15-10-0245-06-0006) [21] suggests that there are three security levels between nodes and hubs in the secured communication of BANs: unsecured communication, authentication but not encryption, authentication, and encryption.The security service in this draft mainly focused on the key generation, key distribution, and message authentication, the key generation and distribution are based on Diffie-Hellman key exchange method and preshared association, and the MIC is used to authenticate message.The AES has been proposed as cipher function in this draft.

Summary.
To summarize, the security approaches used in existing communication protocols (i.e., Bluetooth, UWB, and Zigbee) are unsuitable for BANs applications given the threats and requirements of BANs security outlined in Section 2. Therefore, researchers of TG6 have already considered some security requirements of BANs and developed the draft of new communication protocol for this purpose.However, the draft did not refer to every security requirement of BANs and thus these threats have not been resolved completely.The security methods in these communication protocols were summarized in Table 1.

Key Cryptography in BANs
4.1.Public Key Cryptography in BANs.Selecting an appropriate cryptographic method is crucial because all security services have to be ensured by cryptography.Both PKC and SKE have been proposed for BANs security, and there is no consensus so far which should be used.The state-of-theart PKC and SKE are summarized in this section and next section, respectively.
PKC is developed based on some mathematical problems where the direct operation is straightforward while the reverse operation is computationally hard.PKC makes use of these problems to generate the public key from the private key but protect the private key from being known when disclosing the public key.Compared with SKE, one of the most attractive features of PKC is that it does not require a secured channel for the initial distribution of keys.
Two most popular mathematic problems used in PKC are the integer factorization problem, from which the wellknown RSA cryptosystem [22] is derived, and the discrete logarithm problem, which the more recent elliptic curve cryptography (ECC) [23,24] is based on.Both RSA and ECC are widely used in traditional network security for authentication and encryption but commonly believed to be impractical for WSNs due to the requirements on computational intensity, code and data size, processing time, and power consumption.Nevertheless, recent studies demonstrated that most operations of RSA and ECC are feasible for WSNs or even BANs after optimizing the expensive large integer operations, especially multiplication, exponentiation, and reduction, for improving the speed of public and private keys generation while reducing the memory occupation and energy consumption.
For example, Gura et al. [25] implemented ECC and RSA on two 8-bit microcontrollers (Atmel ATmegal128 at 8 MHz) by a new algorithm that reduces the number of memory accesses to accelerate multiple-precision multiplication.On an Atmel ATmegal128 at 8 MHz without hardware acceleration, they were able to perform an RSA-1024 operation with exponent e = 2 16 + 1 in 0.43 second using 542 bytes of data memory and 1,073 bytes of code and a 160-bit ECC point multiplication in 0.81 second using 282 bytes of data memory and 3,682 bytes of code.Malan et al. [26] implemented ECC for a WSN on a 8-bit, 7.3828-MHz MICA2 mote by optimizing the algorithms for addition and multiplication of points, conversion of integers to nonadjacent form, and generation of pseudorandom numbers.Public and private keys are generated within 34.2 seconds and 0.23 second, respectively, and occupied just over 1 KB of SRAM and 34 KB of ROM.
Wander et al. [27] reduced the amount of data exchanged in a typical Internet-based secure sockets layer (SSL) handshake to conserve energy.By doing so, they were able to implement authentication and key exchange protocols of PKC on an Atmel ATmega128 L low-power microcontroller.The energy cost of their key exchange protocol of RSA-1024 is 15.4 mJ in client and 304 mJ in server, while the one by elliptic curve digital signature algorithm with 160-bit keys (ECDSA-160) is 22.3 mJ either client or server.
A hybrid multiplication method [28] has been proposed by Wang et al. for accelerating exponentiation in RSA and ECC by reducing the number of memory accesses in conventional multiprecision multiplication.On MICAz motes with 4 KB RAM, the method used 15,832 byte for code and 3,224 byte for data to perform 1024-bit RSA public and private key operation in 0.79 s and 21.5 s, respectively.The method also completed a 160-bit ECC signature generation and verification in 1.3 s and 2.8 s on MICAz motes, respectively, and in 1.60s and 3.30 s on TelosB motes.
Uhsadel et al. [29] observed that over three quarters of the processing time for elliptic curve operations were spent on modular multiplication.Therefore, they presented an optimized arithmetic algorithm that can complete a modular multiplication for a 160-bit standard compliant elliptic curve (secp160r1) on 8-bit microcontrollers in 0.37 ms and thereby significantly reduced the processing time and lowered the energy consumption of ECC in sensor networks.This brings the vision of implementing PKC for BANs with all its benefits for key distribution and authentication a step closer to reality.
Other researchers proposed integrating ECC into the security protocols of WSNs or BANs.For instance, TinyECC, a configurable library for ECC operations in WSNs, is implemented [30], and its flexibility allowed it to be integrated into sensor network applications by developers.Tan et al. [31] developed protocols using ECC based on identity-based encryption-Lite (IBE-Lite) for BANs.
In conclusion, the speed of the public and private key generation or signature generation and verification have been significantly reduced; however, the memory and power requirement of these operations are still found to be unaffordable to biosensors of BANs.Moreover, RSA and ECC are also considerably slow for encrypting and decrypting large volumes of health data in practice.

Symmetric Key Cryptography in BANs.
In contrary, using SKE for BANs security is preferred because it needs fewer resources (e.g., in terms of memory and computation capacities).Different from using public key for encryption and private key for decryption in PKC, encryption key and decryption key are the same in SKE.In this section, we will introduce several symmetric cryptographic algorithms that can be used for BANs.
Rivest cipher 4 (RC4) was designed by Ronald Linn Rivest.It generates a pseudorandom stream of bits (a keystream) and combines these bits with the plaintext using bitwise exclusive-or for encryption and decryption.Rivest cipher 5 (RC5) is a block cipher notable for being more secure than RC4 but at an expense of speed, simplicity, and efficiency.In order for using RC5 in sensor networks, the RC5 system architecture has been recently investigated for developing a high-performance design in terms of encryption throughput [32].The architecture, designed with a pipeline technique, was able to increase the encryption throughput by over 80% when compared to related work.
The AES, which has been proposed to be used in IEEE standard 802.15.3, is a new encryption standard adopted by the US government to replace the previous data encryption standard (DES).The AES comprises three block ciphers, AES-128, AES-192, and AES-256.The AES algorithm has been recently implemented in a BAN node [33].
Noticing that traditional symmetric cryptographic algorithms such as RC5 and Skipjack are not designed for the 8-bit computing devices used in sensor networks; a new cryptographic algorithm HIGHT has been proposed and evaluated [34].HIGHT is designed with a 64-bit block length and 128-bit key length, which are suitable for low-cost, lowpower, and ultralight implementation.It uses a 32-round iterative structure, which is a variant of the generalized Feistel network.When implemented on MICA2, HIGHT is found to consume less power than RC5 on TinySec while operate at a similar speed and take up a reasonable memory size.KATAN/KTANTAN is a new family of very efficient hardware-oriented block ciphers [35].KATAN is composed of three block ciphers, with 32-, 48-, or 64-bit block size, and KTANTAN contains the other three ciphers with the same block sizes.It has better performance than other lightweight algorithms in [36,37].
The feasibility of various cryptographic algorithms (e.g., RC4, RC5, MD5, IDEA), including key setup time, memory occupation, encryption and decryption time, and so forth, has also been investigated for sensor networks on an Atmel Atmegal28 L 8-bit, 7.3728 MHz microprocessor [38].The 128-bit key setup time of RC4 is only 5.09 milliseconds while RC5 is 17.39 milliseconds.The data memory of RC4 and RC5 is 0 bytes while the program memory of RC4 and RC5 is 428 bytes and 5,808 bytes, respectively.For a 128byte plaintext, the encryption time of RC4 and RC5 is about 10 milliseconds and 60 milliseconds, while the decryption time of them is about 5 milliseconds and 40 milliseconds.Amongst different algorithms, the RC4 showed the best cryptographic processing time and power dissipation.Therefore, Zhang et al. [39] presented a simple, lightweight, and robust protocol based on RC4 and achieved data confidentiality, authentication, integrity with low overhead and simple operations.The protocol is considered to be suitable for BANs security.
These cryptographic algorithms can be summarized in Table 2.

Symmetric Key Management in BANs
Key management is the hardest part of cryptography in reality.The two most important aspects of key management are key generation and distribution.As aforementioned, asymmetric key generation in PKC is based on some hard mathematical problems and does not require a secured channel for key distribution.On the other hand, key generation algorithms of SKE are less computation expensive, but the distribution of the symmetric key requires a secured channel or method.In this section, we will review key generation and distribution for SKE in BANs.

General and Biometric-Based Symmetric Key Generation.
Symmetric keys for data encryption or entity authentication are random binary sequences (BSs).In theory, hardware random number generators based on some physical process with inherent randomness should be used as a seed to generate a true random BS; however, the process of the truly random BS generation using this method is rather complicated and slow.Two most commonly used methods for generating random and pseudorandom BSs are to convert from random source signals and to calculate by mathematical algorithms (e.g., linear congruential generator), respectively.
For example, error of the received bits, which is randomly distributed and uncorrelated from one sensor to another, has been proposed to be used to generate cryptographic pseudorandom numbers for nodes of WSNs [40].Latif et al. [41] also presented a method for generating BSs for sensor networks by converting from a digital received signal strength indicator (RSSI) of a communication packet, and the RSSI is the measurement of the power present in a received radio signal.The benefit of these methods is that they have low communication operating costs and do not require additional hardware; however, the randomness of the resulted BSs that are generated from the error of the received bits depends on the quality and frequency of communication.If RSSI is to be used, all nodes except the base station must change their positions from time to time such that different RSSI are read to generate random BSs.Neither methods are suitable for BANs since the error of the received bits in BANs is uncertain and the position of nodes in BANs is relatively stationary.
On the other hand, biological data are potentially random source signals.It has been observed that the last binary digit of biological data often fluctuate with certain degree of randomness and therefore has been proposed to be used to generate seeds for calculating pseudorandom numbers for cryptography [42].Features extracted from the frequency domain of physiological signals such as electrocardiogram (ECG) and photoplethysmogram (PPG) [43,44] and those from static biological features such as fingerprint images [45] have also been evaluated for the generation of authentication or encryption keys for BANs.
The greatest advantage of generating random keys from biological and physiological signals for BANs with a healthcare application is that these data are already available to the BANs and by making use of them, addition costs required for key generation can be minimised.In addition, compared to password-based authentication or encryption, using keys that are generated from static biometric features also have the advantage of being impossible to be forgotten or lost, and using keys that are generated from dynamic biometric features have advantage of time variant.

Symmetric Key Distribution
. Key distribution is central to symmetric cryptography.Predistribution of symmetric secret keys is possibly a practical approach to protect BANs communications.Another practical method is the deterministic pairwise key predistribution scheme (DPKPS) that has been implemented on the MICAz sensor platform.The scheme only consumes an extremely small amount of energy, 17.23 µAh, and memory space, about 2 KB flash memory and 69 bytes RAM, to compute and exchange a pairwise key between two sensor nodes [46].Key predistribution is however relatively inflexibile as the biosensors will have to dispatch keys in advance.Adding new biosensor to an existing network thus becomes difficult.
A method of using asymmetric keys to protect the distribution of symmetric key has been presented for mobile ad hoc networks [47].Although the idea can be adopted for BANs, the additional cost is high.

Key Distribution via Biochannels.
Since nodes of BANs are placed in or on the human body, they are inherently linked by pathways which we named biological channels (biochannels) [48].Biochannels are commonly referred to the voltage-gated channels that allow the exchange of selected ions across the otherwise impermeable cell membrane.In this context, we use bio-channel to denote any biological conduit that is part of the human body and enables the transfer of exogenous or endogenous information.Information can be transmitted by methods such as volume conduction on the human body.
Another challenging research direction that makes use of biochannels to implement SKE in BANs is to simultaneously generate symmetric random keys from dynamic biometric features obtained at multiple nodes of a BAN so as to bypass the problem of key distribution.There are features (e.g., interpulse intervals, IPIs) common to multiple physiological signals such as ECG and PPG [48].These features have been recently studied for the generation of random keys in BANs, and the performance of these keys is perfect but the costs are quite low.At present, it is still difficult to obtain exactly the same random BS from two signals.Therefore, fuzzy commitment (FC) [49] has been proposed to match the pair of similar but inexact BSs.Considering the limitations of bit strings and order invariance of FC, Juels et al. [50] proposed fuzzy vault (FV) to be used on datasets of an arbitrarily order.Since FC cannot handle vectors that do not have the same number of features or vectors with features that are not aligned in the same order, FV has been used to develop a symmetric key distribution method in BANs [44].Nevertheless, the computation of generating a number of random chaff points by the sender and calculating the secret key by the receiver for FV require a large amount of energy and memory space.Implementation of the method on the resource-constrained BANs is technically challenging.
Since not every sensor node in a BAN can collect the same signal or be composed of some common features, more work have to be carried out in this area to develop a low-cost and reliable method for distributing keys to all sensors in order to use SKE for securing BANs.

Conclusions
In conclusion, BANs need a security mechanism that combined their characteristics and security requirements to deal with the potential attackers.The draft of communication protocol of IEEE 802.15.6 has proposed some strategies for security of BANs.Both PKC and SKE have their pros and cons for BANs security.However, the SKE is more preferable because of resource constraints of BANs.Key management is one of the most important aspects in BANs security yet there has not been a perfect method for key distribution.
BANs are anticipated to have significant impact on current personal healthcare monitoring systems by changing the way how patients are diagnosed and treated.Although the development of the BANs for health applications is only at an early stage, securing the collection and transmission of data collected by the biosensors or medical devices of BANs must be addressed without delay.Future directions of development of BANs should carefully consider the unique characteristics of and resources already available to this kind of network for deriving an optimal solution, including the communication protocol and the respective security scheme they used.

Table 1 :
The summarization of security methods in these communication protocols.Although the above three communication protocols are currently most frequently used by developers of BANs, they are not optimized solutions as they did not fully consider the constraints and security requirements of BANs.
In view of this, IEEE 802.15.6 Task Group 6 (TG6) has been formed with an aim to develop a communication standard optimized for low-power devices and operations on, in, or around the human body (but not limited to humans) to serve a variety of applications including medical, consumer, electronics or personal entertainment

Table 2 :
The summarization of cryptographic algorithms.