Secure eHealth-Care Service on Self-Organizing Software Platform

There are several applications connected to IT health devices on the self-organizing software platform (SoSp) that allow patients or elderly users to be cared for remotely by their family doctors under normal circumstances or during emergencies. An evaluation of the SoSp applied through PAARwatch/self-organizing software platform router was conducted targeting a simple user interface for aging users, without the existence of extrasettings based on patient movement. On the other hand, like normal medical records, the access to, and transmission of, health information via PAAR watch/self-organizing software platform requires privacy protection. This paper proposes a security framework for health information management of the SoSp.The proposed framework was designed to ensure easy detection of identification information for typical users. In addition, it provides powerful protection of the user’s health information.


Introduction
Self-organization is a process in which the structure and functionality (pattern) of a system at the global level emerge solely from numerous interactions among the lower-level components without any external or centralized control.The system components interact in a local context, either by means of direct communication or through environmental observations, without reference to a global pattern [1].
The self-organizing software platform (SoSp) is a platform designed to actualize the self-organizing function of communication devices [2].A SoSp is combined IT health devices.Such devices are designed to automatically interact with the physical environment and users based on the necessities and the surroundings of the users [3], for example, wearable healthcare, medical devices, watches, and bicycles, with ubiquitous computing allowing users to take care of their health needs easily regardless of their location or time and to cope with certain types of emergencies.The SoSp and its applications are practical products of IT convergence research for health improvement and are intended to be utilized by elderly users or patients.Ordinarily, people can check their health through periodic measurements and transmit their biosignals to their family doctors.During an emergency, they can call their doctors by pressing an emergency button and transmit their biosignals to them immediately regardless of their location or time [4,5].
In this paper, an essential security framework to maintain, access, and transmit health information, such as an electrocardiogram (ECG) or other biosignals, is proposed.As sensitive private data, health information needs to be kept secure and should be accessed only by authorized persons.In addition, the users should be identified when their biosignals are acquired and accessed.The proposed framework was designed to ensure easy detection of verification information without the burden of using a smartcard or memorized password, particularly to patients or elderly users.However, it provides powerful protection of health information and a unique identity verification of biometric recognition [6].
The rest of this paper is organized as follows: Section 2 describes previous work related to this topic.Section 3 presents a brief review of the SoSp and its requirements of health information management.The proposed security framework for health information management applied on the SoSp is presented in Section 4. A security analysis and overhead estimation are then demonstrated in Section 5. Finally, some concluding remarks and areas of future work are provided in Section 6.

Related Works
Research on biometric authentication is actively being conducted as a means for password replacement [7].Biometric features (fingerprints, faces, irises, hand geometries, palmprints, etc.) can be neither lost nor forgotten.They are neither copied nor shared easily [8].In addition, they are extremely difficult to forge or distribute.Because they maintain their uniqueness, they are difficult to guess [9].As powerful mobile devices and the internet are continuously developing, biometric authentication is being grafted into them [10].Mobile biometric authentication using face and voice recognition simultaneously on a Nokia N900 mobile device was also introduced [11].An authentication system using multiple biometrics such as face and hand features has also been studied [12,13].
However, it is a significant issue how to preserve and to transmit the information for biometric authentication securely as well as the additional cost to adopt the device to acquire biometric data [14].On the other hand, function creep, which refers to biometric data used outside of the original purpose, exists [15][16][17].These days, personal information being sold or passed around without proper consent is a series issue.The unique and permanent nature of biometric information adds a more serious dimension to such a breach of confidentiality, that is, unlike passwords, fingerprints or retinal patterns cannot be changed when an identity theft is suspected [18].A case involving Emilio Calatayud in the United States shows that systems containing an aggregation of identifiable personal information can be abused [19].When patients use smartcards or barcodes to protect their privacy, managing such cards and barcodes against theft or loss becomes a double burden.Using cryptography to protect health information can generate complexity in the application, for example, the choice of whose information to encrypt (pharmacist, pharmacy, or group of pharmacies) and which public keys to use [20].In [9], an efficient biometric-based authentication scheme for a telecare medicine information system (TMIS) with a nonce was proposed.When users are cared for using a TMIS, their mobile devices are connected to the TMIS through a public network, for example, the Internet.The goal is to overcome Internet security risks [20,21].
On the other hand, the authors in [22] proposed a framework for security management in a self-organized mobile ad hoc network based on the assumption that individual nodes are themselves responsible for their own security level.However, in a network where health information is delivered, authentication and authorization should be further stressed because a node can be misused by another entity, that is to say, another person.The authors in [23] proposed a security protocol for self-organizing data storage through periodic verification.A self-organizing trust model was studied to trust the communications among nodes in P2P systems [24].
Researches into the security of the acquisition and transmission of health information have been conducted.However, there has been no research regarding health information management on internet of things (IoT) [25], especially on SoSp network.

Health Information Management on SoSp
3.1.Domain Description.Figure 1 shows a SoSp domain used to manage health information.The whole environment can be divided into several small spaces such as rooms or floors.Such spaces, called unit spaces, are the basic units for assessing location awareness.Communication devices are divided into stationary nodes and mobile nodes.A node means a communication device that is implemented in hardware.Mobile nodes are characterized through low-speed operations and can be attached to a person or physical mobile object in the form of small tags with limited H/W (e.g., 8-bit MCU, 4 K of SRAM, and a coin battery) and communication functionality.Unlike RFID tags, however, mobile nodes can communicate bidirectionally.In Figure 1, a mobile node is a mobile selforganizing software platform router (SoSpR) implemented on a smartphone.It provides a text message connection, emergent calls, and a fixed SoSpR agent.Stationary nodes attached to ceilings or walls of the unit spaces, for example, the fixed SoSpR shown in Figure 1, are characterized by highspeed operations with powerful H/W (e.g., an Arm Cortex A8 MCU with 512 MB of SDRAM, an 8 GB SDCard, and an IEEE 802.15.4 transceiver) compared with a mobile node.They are intended to function as location references and communication access for mobile nodes.A stationary node has a wired network for communication between stationary nodes and a wireless (sensor) network for communication between mobile nodes.The communication between stationary and mobile nodes is limited to a single hop.This approach can help minimize the network congestion and delay problems that take the form of a broadcast storm, packet replication, or routing table overflow in a multihop ad hoc sensor network [26,27].
Figure 2 shows the SW stack of the SoSpR for health information management on the SoSp network [4].The SW stack is composed of three parts: transportation for real-time streaming of health data, coordination for interaction, and user interface.The transportation part consists of messaging middleware, service broker and discovery, service routing, data processing, and simulation.Messaging middleware supports streaming transmission through publish and subscribe service.In Figure 2, Service Broker & Discovery creates or searches for new services.The coordination part provides cooperation among distributed services based on the consensus, group management, leader election, and presence protocol.This paper focuses on a security module of the SoSpR and distributed personal health record storage.[4] states the service and its infrastructure, which can monitor patients or the aged at home in real-time and transmit the data monitored to their doctors using mobile technology [28].One of the applications is the control of medicine dispersal.Not only the service and its infrastructure can reduce the user's medical expenses, but also they can improve the interaction between patients and doctors.

Healthcare via SoSp. Connected Patient in Home
The SoSp as a self-organizing middleware platform for real-time biosignal transmission acquires various biosignals (e.g., ECG streaming data) from their measuring devices,    transmits them to the SoSpR, and saves them in safe storage in real-time.Several devices can receive the signals from the SoSpR and display them.That is to say, the devices operated and managed by patients or the aged can interact with each other on the SoSp network and provide context-aware services for healthcare without any presetting.A flexible handover while moving and a predefined protocol can be used to handle emergencies.Figure 1 shows the SoSp domain for health information management [4].
(1) When a patient or elderly user, wearing an ECG sensor, WBAN-Hub, and PAAR watch, presses the emergency button in the PAAR watch, the PAAR watch notifies the mobile SoSpR (e.g., a smartphone) of the emergent state through bluetooth low energy (BLE) communication.
(2) The mobile SoSpR sends an SMS to a predefined person such as a doctor, medical team worker, or other family members.
(3, 4) When a doctor receives the emergency SMS, they request the biosignal of the patient or elderly user from a fixed SoSpR near in space 2, shown in Figure 1, if necessary.
(5) The fixed SoSpR in space 2 delivers a request to the fixed SoSpR, which can provide streaming service of the biosignal of the patient or elder user in space 1.
(6) The fixed SoSpR in space 1 sends a message to a WBAN-Hub allowing it to start measuring the ECG signal of the patient or elderly user.(7) As WBAN-Hub measures the ECG signal, it sends the signal data to the fixed SoSpR in space 1 using a push-pull streaming pattern [29]. ( The biosignal is saved in a private storage network and simultaneously sent to the client device that requested the signal.If the client device is a smartphone, the signal is transmitted through WiFi using a publish-subscribe pattern [30].If the devices cannot be accessed through WiFi, the signal is sent to the fixed SoSpR near the devices using a pushpull streaming pattern. (9, 10) Other authorized medical team workers or family members can monitor the biosignal of the patient or elderly user using a tablet PC, desktop PC, or TV located near the fixed SoSpR, which provides streaming service.

Requirements of Health Information Management on
SoSp.At the domain handling the health information including the biosignal, privacy protection, authentication, and authorization are very important.This section describes the domain requirements for health information management on the SoSp including the security requirements.
The overlay network constructed by the SoSp is vulnerable to the same threats as any wireless network.However, the SoSp has the following additional threats and vulnerabilities owing to its basic nature [22].
(i) There is a lack of central administration, and neither central control nor prior contact is assumed.(ii) The routing mechanisms are more vulnerable than in conventional networks because each node can act as a relay.(iii) In terms of cooperation, if a node does not respect the cooperation rules, that is, it is selfish, the performance of the network can be severely affected.(iv) There is a variation in memory and computation resources, in which many of the nodes are expected to be low-priced consumer electronics with cheap and slow computation capability and a limited storage size.(v) Finally, there is an energy constraint during operation, in which many of the nodes are expected to operate on battery power.Sleep or standby modes are used to conserve energy, during which they may not be reachable.A sleep deprivation torture (exhausting the battery power) attack may be implemented by attackers.
These threats place great demand for flexibility of the security system because one must be capable of tailoring the range of supplied security services toward a wide variety of network topologies and application requirements, rather than fixing them.Further, each application imposes cost, performance, complexity, flexibility, and ease-of-use constraints, which affect the feasibility of a particular security solution [31].
In addition, node security, secure information handling, authentication, and authorization are needed.In particular, easy human computer interaction (HCI) and an efficient and simple sequence of security mechanisms should be seriously considered for elderly users and patients.
A security framework for health information management on the SoSp was proposed that satisfies the requirements mentioned in this section.

Security Framework for Health Information
Management on SoSp 4.1.System Architecture.Figure 3 shows the proposed system architecture of security framework for health information management on the SoSp.The health information of the patients, authorization information of the doctors who can access the information, and the biometric recognition information of the patients and doctors are saved in secure storage.Biometric recognition devices can be equipped in a PAAR watch [4] worn by the patients or doctors.Multiple biometric recognition devices can be equipped in one PAAR watch.Through such devices, biometric recognition information, such as fingerprint, face, voice, and iris information, can be easily acquired.Several types of biometric recognition information can be combined to improve the exactness of verification.

Service Management.
The fixed SoSpR, which loads the streaming service of a biosignal, can provide streaming service for mobile nodes or devices that have registered for a service subscription.However, data leakage during transmission is one weak point in an overlay network because there is no central server that manages all of the nodes providing streaming service, or the paths that the data are delivered upon.Any security scheme should be lightweight so that it does not cause a delay in streaming.
Figure 4 shows the security scheme used to protect health information delivered on the SoSp.
When a doctor requests the streaming of a patient's biosignal, he/she issues one ID of the patient, id temporary , and send ID patient , which is composed of id temporary and the issuing timestamp, T, to the mobile SoSpR of the patient directly.Consider ID patient = id temporary || . ( If the issuing time is 2014-01-20 15:30, T will be a string of 201401201530.When the biosignal of the patient is  patient , and the ID of the equipment used to measure the biosignal is ID source , the streaming data includes the XOR results of  patient , ID source , and ID patient .Consider (2) An XOR operation is very fast and lightweight.
If the destination identity, ID node , is added, Only the node whose identity is ID node can know  patient ⊕ ID source ⊕ ID patient .This prevents eavesdropping during transmission in an overlay network and ensures exact delivery to the destination.In addition, only the doctor who knows ID source and ID patient can see  patient .Therefore, when cooperative medical treatment is needed, the doctor notifies the medical team members of ID source and ID patient through another communication channel, not the SoSp network.ID source is permanent and ID patient is temporary.Because ID patient is a temporary identity issued by a doctor, anonymity is guaranteed and the patient's privacy is protected.The issuing time, T, prohibits a relay attack.

Authentication and Authorization.
Figure 5 shows a sequence diagram of health information management on the SoSp.Verification information on the biometric recognition for the patient, family doctor, and medical team should be registered in advance.Verification of the family doctor or medical team is done every time they are requested to access the patient's health information.They should be verified periodically while accessing and monitoring the biosignal of the patient because of the limited effective verification time.The verification of the patient is done each time their biosignal is measured, and the information is kept in private storage.
During an emergency, the patient can call his/her family doctor by pushing the emergency button on his/her PAAR watch.The family doctor requests the biosignal of his/her patient in real-time, who is verified simultaneously.The biosignal is measured and transmitted to both the family doctor and the private storage.When the family doctor requests cooperation of the medical team, the medical team can obtain the patient's state from the streaming server through the verification procedure.
The strong points of the proposed security framework for health information management on the SoSp are its exact verification capability using biometric recognition, secure protection of data and its simple and convenient user interface.

Evaluation
5.1.Framework Analysis.This section analyzes whether the proposed framework satisfies the requirements of health information handling on the SoSp.

Lack of Central Administration.
All nodes on the SoSp should route and search for services for users without a central administration through a central server.However, it overcomes a single point of failure of the central server, the centralized burden of processing, and the nonscalability.The performance of the SoSp with mobile nodes is better than a centralized environment [32].The proposed framework manages important data such as the biometric authentication and the biosignal of the patients or elderly users for periodic check-ups on the private storage network.This framework provides a safe deposit of private information.

Routing Mechanisms.
In the framework, fixed SoSpRs are connected through a wired network.Mobile nodes have a one-hop connection to fixed SoSpRs.This simple scheme lessens the side effects of routing on the SoSp.

Cooperation. Cooperation among the nodes on the
SoSp is under implementation.There are many nodes providing the same services in the SoSp network.The SoSp network will be implemented in such a way that the service group is reorganized by isolating any selfish nodes [33][34][35][36].

Performance Variation in Memory and Computation
Resources.Based on an XOR operation, the security framework does not cause a delay in real-time streaming.We limit the operations to an XOR because it is a lightweight operation [37].Therefore, there is no problem stemming from performance variations in the node resources in the SoSp network.

Energy-Constrained
Operation.Most types of wireless networks have limited computational power such that they cannot perform operations over large finite fields [37].An XOR operation has been evaluated as having good operations and can be used for wireless network coding.

Security Analysis
5.2.1.Node Security.SoSpRs do not maintain the health information of users.All of the data are processed at the RAM of the SoSpRs.It is infeasible to acquire data that passes the SoSpRs.In the proposed security framework, the node security is less focused.Instead, the security scheme covers the overall security for the health information handling on the SoSp.

Secure Information Handling.
A health information handling service is only served to the clients who are authenticated.In addition, only the person who knows the ID of a patient can see his/her health data.
According to the streaming patterns in the SoSp network, health information is protected in the following manner.
(1) Push-pull transmission between the WBAN-Hub and a fixed SoSpR.
Because the fixed SoSpR receives  patient ⊕ ID source ⊕ ID patient and transmits it, the SoSpR cannot know  patient .
(2) Push-pull transmission between fixed SoSpRs.When there is no SoSpR that provides streaming service, the biosignal is relayed to the SoSpR, which can provide the service.In this case, the SoSpR that relays the signal cannot know  patient because it does not know ID source ⊕ ID patient .(3) Publish-subscribe transmission between a fixed SoSpR and various devices such as a tablet PC, desktop PC, or TV.
The proposed security framework only allows a one-hop connection between the fixed SoSpR and the end nodes.Of course, the end nodes should subscribe to the service.This lessens the security threat caused by a multihop connection.

Easy HCI.
Identification by a password is not suitable because the process memorizing the password and its input is somewhat burden for a patient or elderly user, particularly during an emergency [38].Because biometric authentication is easy, it is a good HCI instead of password identification.

Efficient and Simple Security
Mechanism.An efficient and simple sequence is another important security mechanism for a patient or elderly user.The security mechanism should be fast and cooperate simply with the HCI.A selforganizing platform is characterized by no presettings or central management.The proposed security framework does not require any complex sequences that the users should follow or participate in.

Exact Identification and Authentication.
Biometric authentication is secure because the biometric data are unique and are hard to copy or falsify.A password can be easily leaked or cracked [38].

Authentication and Authorization.
The proposed framework provides a strict authorization for the health data.Only the doctors or medical team members who are authenticated and authorized can access the data of the patient or elderly user.
Today, many security incidents from loose authentication procedures have occurred [39].In the proposed framework, all users are identified through their biometric authentication.Because biometric data are unique, they are difficult to copy or modify.The biometric method is also easy for patients and elderly users to use.

Estimation of Performance and Overhead.
The performance of the proposed framework and the overhead imposed on the SoSp by the framework are estimated as follows.
(i) The performance of the biometric authentication added to the real-time streaming service of biosignals One type of biometric authentication, fingerprint verification, is loaded onto smartphones.Highperformance SW products for fingerprint verification of smartphone users have been developed [40].Under the SoSpR prototype with Exynos5 Octa Cortex-A15 1.6 Ghz quad core and Cortex-A7 quad core CPU, 2 GB LPDDR3 RAM, the XOR overhead of 4 B and 8 B were negligible (∼0 sec); the unit of data streaming is 3 B at current state.It may therefore not be a problem to use such biometric verification on the SoSp in near future.In the proposed framework, a storage server is used to keep the biometric data for authentication safe and conduct a heavy authentication procedure.Therefore, biometric authentication does not cause a delay in real-time service.
(ii) The performance of the XOR operation when streaming data are created and streaming data are restored at the destination.Because an XOR operation is sufficiently lightweight to be used as a wireless network packet [37], realtime streaming is not affected seriously by an XOR operation at the source or destination of the streaming data.
Because biometric authentication and XOR operations are extra modules for the SoSp, some overhead exists when adopting them.However, they overcome the overhead in the following way.
(iii) Biometric authentication is exact, not copy-prone, and unmodifiable.It is easy for a patient or elderly user to adopt, especially during an emergency.
(iv) An XOR operation is simple and lightweight.When such an operation is applied to health information, the information is hidden without the need for complex cryptography.
In addition, even though the streaming data are revealed, it is difficult to know whose data belongs to which ID patient .Anonymity guarantee is another strong point of the proposed security framework.

Conclusion and Future Works
This paper proposed an essential security framework of the SoSp to maintain, access, and transmit health information such as a biosignal.As sensitive and private data, health information needs to be kept securely, and should be strictly accessible only by the authorized persons.
The proposed security framework requires mutual authentication between the patient or elderly user and the medical team through biometric authentication.In addition, it protects the privacy of the patient or elderly worker with a temporary anonymous ID issued by the family doctor or doctor in charge.Through a simple and lightweight operation, that is, an XOR, the biosignal is hidden.The signal can be recovered only by those persons who know the temporary ID, ID patient , and the ID of the device measuring the biosignal, ID source .
The proposed security framework is under implementation.After implementation, the framework will be tuned according to the upgraded SoSp to improve its performance and reduce the overhead.In addition, node security, particularly the SoSpR, will be intensively considered.
o o org ga a an n nizing middlew f f o o o org ga a an n nizing middlew f f----o o

Figure 1 :
Figure 1: Domain description of SoSp for health information management [4].

Figure 2 :
Figure 2: SW stack of SoSpR for health information management on SoSp [4].

Figure 4 :
Figure 4: Health information protection on SoSp.

of biometric recognition information 1 .Figure 5 :
Figure 5: Secure health information management on SoSp.
System architecture of security framework for health information management on SoSp.
*. Send ID patient