Patient Family Binding and Authentication Scheme with Privacy Protection for E-Health System

communication


Introduction
Before the emergence of the E-health system, disease monitoring and condition analysis of patients had to be carried out in hospital, which means that patients often had to take time off work to go to hospital for medical examination. However, limited medical resources do not allow a large number of patients to receive treatment in time, which undoubtedly brings a lot of inconvenience and risk. Especially in recent years, cardiovascular diseases have become the biggest killer threatening human health because they cannot be detected in time, and patients miss the best time for treatment. Nowadays, as people's living standards rise, people gradually realize the importance of health and need a better E-health system. In this context, the E-health system is growing rapidly, with the goal of reducing the risk of death and implementing real-time disease monitoring. The E-health system adopts advanced Internet of Things (IoT) technology and a digital visualization mode, which makes it possible for limited medical resources to be shared by more people. Generally, after mutual authentication between the patient and the medical server, the monitoring devices close to or carried by the patient can transmit real-time data (such as blood pressure, blood sugar, and heart rate) to the medical server. After data have been received from the patient, the medical server establishes an electronic medical record (EMR) for each patient in order to provide data support for doctors to track the patient's condition [1]. The EMR includes doctor's orders, operation records, and nursing records, which help doctors control diseases. The E-health system thus realizes real-time health monitoring and provides an effective reference for doctors' diagnoses.
In the era of big data, privacy protection attracts attention. Patients do not want their information to be abused, and the medical server does not want its data to be stolen. In actual medical activities, medical institutions often use the E-health system to collect a large amount of medical-related data for diagnosis. These data cover all the basic information of patients with high confidentiality requirements, such as physical and disease information, family address, medical insurance, and personal account. However, the monitoring devices are connected wirelessly, which means that these confidential data are transmitted over an open network, which greatly threatens the security of the information. Lots of sensitive data are transmitted on a public channel where the adversary may intercept useful data by passive attack. Furthermore, the adversary may forge the EMR and forward the false EMR to the medical server; the medical server may then draw an incorrect conclusion and send a wrong diagnosis to the patient. When this happens, the patient may suffer more pain or even lose his/her life. Messages transmitted on public (insecure) networks are extremely vulnerable, and many schemes have been proposed to ensure the security of transmission in the E-health system [1,2]. Zhang et al. proposed a dynamic authentication scheme for the E-health system [1] in 2018. In their paper, both patients and family members can register in the E-health system, but the authors did not clarify how family members log in to the system, so it would be difficult to solve the problem of binding between family members and patients. If the family members log in by using the same authentication scheme as the patient, it will be difficult for the server to distinguish the family member from the patient.
In 2019, Karthigaiveni and Indrani [2] proposed an efficient authentication mechanism based on two-factor authentication, and they claimed that their scheme needs less computational cost. However, they also do not mention the involvement of family members.
Among the previously proposed E-health schemes, the majority consider the secure communication between patients and medical servers but neglect the important role of family members in the E-health system. When family members want to follow the patient's condition, it is necessary for them to participate in the E-health system. Therefore, how to let family members join the E-health system while ensuring secure communication is a problem worthy of in-depth study. In addition, family members and patients should have different rights in the E-health system. In the system, patients can upload, modify, and delete their own medical data and view doctors' diagnosis results. Family members, on the other hand, can view the patient's medical data and the doctor's diagnosis results on the basis of the patient's authorization but cannot upload, modify, or delete the data.
In this study, we propose a patient family binding and authentication scheme with privacy protection for the E-health system, and the environment of the system is shown in Figure 1. The E-health system consists of patients, family members, and the medical server. Our scheme contains a registration phase for the patient, a binding phase for the family member, and an authentication phase for the family member. Considering that there are already many authentication schemes between patient and medical server, our scheme is mainly introduced for family member authentication and focuses on solving the problem of patient-family member binding. The contributions of our scheme are as follows:
(i) We propose a binding scheme for the family member, which can bind the patient and the family member so that the family member can participate in the treatment process of the patient.
(ii) In our scheme, authentication between family member and medical server does not require the participation of patients.
(iii) One patient may have several family members that need to participate in the E-health system. In our scheme, the increase in the number of family members does not incur additional costs to the medical server.
(iv) The binding phase in our scheme between the patient and their family members does not require the participation of the medical server, which avoids the cost of remote information transmission. Moreover, because it uses only a lightweight secure hash function, byte concatenation, and exclusive-or, our scheme has high performance.
(v) Our scheme provides strong privacy protection for the E-health system, where it ensures the security of critical messages.
The rest of our work is organized as follows: the related works are briefly analyzed in Section 2. We describe our proposed scheme in Section 3. In Section 4, we analyze the security of the proposed scheme. Section 5 discusses the performance comparison between ours and other schemes. In the end, Section 6 gives the conclusion.

Related Work
In this section, we discuss related work on the E-health system. A number of authentication schemes [3][4][5] have been proposed for the E-health system. In 1976, Diffie and Hellman [6] proposed a method for setting up a session key, named Diffie-Hellman key exchange. Many research articles [7][8][9] have been proposed on the basis of their scheme. Following that, several authentication schemes for the E-health system have been developed.
A remote authentication scheme for health care was introduced by Das and Goswami [10]. However, in 2015, Amin et al. [11] indicated several vulnerabilities of Das et al.'s scheme [10]; for example, Das et al.'s scheme [10] is vulnerable to user impersonation attack and has a user anonymity problem. To address such problems, they offered a user mutual authentication scheme for E-health. However, Aghili et al. [12] discovered that the scheme of Amin et al. [11] was vulnerable to DoS attacks. Later, Aghili et al. further presented a lightweight three-factor authentication scheme for the E-health system in 2019.
In order to overcome security flaws in the Session Initiation Protocol (SIP) authentication procedure, Yeh et al. [13] offered a secure authentication scheme based on Elliptic Curve Cryptography (ECC). The authors mentioned that their authentication procedure is shown to be more suitable for SIP applications. Unfortunately, Farash et al. [14] pointed out that the authentication procedure presented by Yeh et al. [13] in 2016 cannot resist user impersonation and offline password guessing attacks if the information in the smart card is stolen. As a remedy, they [14] further offered an authentication scheme for SIP based on ECC, which can provide user anonymity and untraceability.
Mohit et al. [15] suggested a cloud computing scheme for the health care system in 2017, and they proved that their scheme is more secure. In 2018, Zhang et al. [16] presented a dynamic authentication scheme for the E-health system. Nevertheless, Aghili et al. [12] argued that Zhang et al.'s scheme is vulnerable to several attacks. To fix this, they further proposed a lightweight authentication scheme using a three-factor scheme for E-health systems. Then, in 2017, Al-Saggaf et al. [17] introduced an authentication scheme for remote users using smart cards, but according to Chen and Zhang [18], it fails to resist some security attacks. To overcome these drawbacks, they put forward a biometric authentication scheme for the E-health system and proved that the scheme can satisfy the security requirements.
Wu et al. [19] designed a new authentication system which added the pre-computing method. The authors claimed that their scheme would be more secure and efficient for Telecare Medicine Information Systems (TMIS). Although Wu et al.'s scheme is more secure than previous schemes, He et al. [20] declared that the method proposed by Wu et al. [19] had some security problems and proposed their improved solution. However, Wei et al. [21] pointed out that neither Wu et al.'s [19] nor He et al.'s [20] scheme guarantees security and efficiency in an authentication scheme based on two factors. Then they offered an improved scheme and demonstrated that it is more secure and efficient.
After that, Yan et al. [22] suggested a secure authentication scheme which can be used on TMIS. They found that Tan's [23] scheme cannot resist the DoS attack and proposed their scheme to enhance security. However, Mir and Nikooghadam [24] showed that the method introduced by Yan et al. [22] still has some security faults. Then, an improved key agreement scheme based on biometrics for E-health services was presented by Mir and Nikooghadam [24], and the authors showed that the solution is suitable for E-health services. But in 2019, Mehmood et al. [25] declared that there are some security flaws in Omid et al.'s scheme [24] and that Omid et al.'s methods were susceptible to user impersonation attack. To fix all this, they offered a robust and efficient authentication scheme for the E-health system. Unfortunately, Hosseini Seno and Budiarto [26] declared that Mehmood et al.'s [25] scheme is insecure during the login and authentication process, and they proposed a new scheme.
In 2019, Karthigaiveni and Indrani [2] introduced an efficient scheme with smart card and password using Elliptic Curve Cryptography and showed that their method not only has better security but also has a good computational cost. However, Chatterjee [27] scrutinized Kar et al.'s scheme [2] and declared some security defects in their scheme, which lacks mutual authentication between the client and server. In 2020, Chatterjee [27] proposed an improved authentication scheme for health care applications. The author claimed that the scheme has higher security and efficiency.
In the past decade, many authentication protocols have been proposed to ensure system security. Regretfully, the previously proposed schemes for the E-health system mainly focus on improving security and efficiency but neglect the important effect of family members in the E-health system. The binding of family members can better serve patients and can improve the efficiency of diagnosis, and providing binding and authentication services for family members can make the E-health system more practical. Furthermore, the E-health system should have good access control and excellent database performance.
[Figure 1: Environment of the E-health system. Entities shown: family member (can obtain partial permissions after authorization); patient (sick at home, connects with family and doctor through the E-health system); doctor (analyzes the data transmitted by patients and family members); medical server; adversary (eavesdrops on channel information and may cause some damage to the system).]

Our Proposed Scheme
In order to ensure the security and efficiency of the E-health system operation, we propose a patient family binding and authentication privacy protection scheme. Our proposed scheme consists of three phases: a registration phase for the patient, a binding phase for the family member, and an authentication phase for the family member. With our scheme, family members can follow the patient's medical data in time. The notations used in the proposed scheme are given in Table 1. Detailed descriptions of our scheme are as follows.

Registration Phase for Patients.
In this phase of our scheme, a new patient PT registers with the medical server MS. The patient PT's authentication information is stored in the database of the medical server MS and in a smart card, and the medical server MS issues the smart card to the patient PT. The detailed steps of the registration phase for the patient are presented in Figure 2.
Step R1: firstly, the patient PT chooses an identity $ID_{PT}$ and a password $PW_{PT}$ that he/she can remember easily. Then, he/she generates a random number $r_{PT}$ and uses it to calculate $M_1 = h(ID_{PT} \| PW_{PT} \| r_{PT})$. Next, the patient PT masks the identity $ID_{PT}$ and the password $PW_{PT}$ with the random number $r_{PT}$ by computing $R_{PT} = h(ID_{PT} \oplus PW_{PT}) \oplus r_{PT}$. Then, taking $\{M_1, r_{PT}\}$ as the registration request message, the patient PT sends it to MS via a secure channel.
Step R2: upon receipt of the request from the patient PT, the medical server MS firstly selects two identity labels $id_{PT}$, $id_{FM}$ for the patient and the family member, respectively. Then the medical server MS uses PT's request information $M_1$ and MS's master key $s$ to calculate $SC_{PT} = h(M_1 \| s)$. Afterwards, the medical where $ID_{MS}$ is the identity information of the medical server MS. Then the medical server uses $SC_{FM}$ and $SC_{PT}$ to calculate $L_{FM} = SC_{FM} \oplus SC_{PT}$, and uses $SC_{PT}$ and PT's random number $r_{PT}$ to calculate $C_{PT} = r_{PT} \oplus SC_{PT}$. Next, the medical server chooses $g$, where $g$ is a generator of $Z_P^*$ and $P$ is a large prime. Finally, the medical server MS writes $\{MID_{PT}, MID_{FM}, SC_{PT}, id_{FM}, g\}$ into its database and stores $\{ID_{MS}, C_{PT}, NID_{PT}, NID_{FM}, L_{FM}, g\}$ in a smart card. Then the medical server MS sends the smart card, which includes $\{ID_{MS}, C_{PT}, NID_{PT}, NID_{FM}, L_{FM}, g\}$, to the patient PT.
Step R3: the patient PT writes $R_{PT}$ into the smart card. After that, the registration phase for the patient is completed.

Binding Phase for Family Members.
The binding of patient and family member can help the family member securely participate in the E-health system by performing the following steps. Figure 3 presents the detailed description of the binding phase.
Step A1: the patient PT chooses a secret information $k$ and sends it to the family member over a secure channel (for example, face to face).
Step A2: upon reception of the information $k$, the family member FM chooses his/her identity $ID_{FM}$ and password $PW_{FM}$, then generates a random number $r_{FM}$ and uses the information $k$ received from the patient PT to compute $I_{FM} = k \oplus r_{FM}$. After that, FM sends $I_{FM}$ to the patient PT.
Step A3: when receiving the message $I_{FM}$, the patient PT inserts his/her smart card into the terminal card reader and inputs his/her identity $ID_{PT}$ and password $PW_{PT}$ into the smart card. Next, the smart card calculates After that, the smart card generates the authorization information $Auth_{PT} = h(k \| M_2 \| M_3)$ and sends $\{M_2, M_3, Auth_{PT}\}$ to the family member.
Step A4: after receiving the information $\{M_2, M_3, Auth_{PT}\}$ from the patient PT, the family member FM verifies whether the equation FM } into his/her smart card. Else, end the scheme.

Authentication Phase for Family Members.
If a family member has completed the binding with a patient, he/she can log in to the medical server through the authentication phase, in which a session key SK is negotiated by the medical server MS and the family member FM. Figure 4 presents the detailed description of the authentication phase.
Table 1 (notations):
Cryptographic one-way hash function
$s$: Master key of medical server
$P$: Large prime number
$g$
Step C1: firstly, the family member FM inputs his/her identity $ID_{FM}$ and password $PW_{FM}$ into the smart card and calculates $N'' = h(ID_{FM} \| PW_{FM}) \oplus M_{FM}$. Next, the smart card generates a random number $x$ and uses the information stored in it to calculate $X = g^x$ and $Auth_{FM} = h(id'_{FM} \| N'' \| X)$, and then sends $\{id'_{FM}, Auth_{FM}, X\}$ to the medical server MS.

[Figure 3: Details of the binding phase.]

Security and Communication Networks 5
Step C4: on receiving $Auth_{sk}$ from the family member FM, the medical server MS computes $sk' = h(N''' \oplus Q)$ and checks the correctness of $Auth_{sk}$ by comparing it with $h(id'_{FM} \| N''' \| sk')$. If the values are the same, the medical server MS accepts the session key $sk'$. If the check of $Auth_{sk}$ fails, the session is terminated.
Finally, after the session key is negotiated, the family member FM and the medical server MS get $sk$ and $sk'$, respectively. The security proof process is as follows:

Security Analysis
In this section, we give a security analysis of our patient-family member binding scheme by using the real-or-random (RoR) model. In addition, we discuss the security of possible attacks.

Security Model.
In this section, we use the random-or-real model [28] to prove that our authentication scheme is secure. The definitions of the model are presented as follows:
Participants: $U$ and $S$ respectively represent the set of users and the set of servers. The set of all participants $P$ is the union $U \cup S$. We use $U_i$ and $S_j$ to represent the $i$-th member of $U$ and the $j$-th member of $S$.
Partnering: let the symbol $\Pi_{S_j}$ authenticate in the scheme and obtain the same non-null session identification ($sid$), then these two instances are called partner instances.
Freshness: in order to ensure freshness, two conditions need to be met. First, the two partner instances can successfully negotiate a session key without being queried by a Reveal query. Second, the two partner instances can be simulated by only one of the CorruptSC or CorruptDB queries.
Adversary: an adversary $A$ in this model runs in polynomial time and is given its attack ability through access to the following queries:
$S_j$): this query models a passive attack in which the adversary $A$ can obtain the messages transmitted between instance $\Pi$ and its partner instance.
(ii) Send($P$, $M$): this query models active attacks, such as replay attacks and impersonation attacks, in which the adversary $A$ may intercept or modify the message sent to $P$. The adversary $A$ can also send a message $M$ to $P$ and receive the output message.
$S_j$): this query allows $A$ to gain the session key obtained by $\Pi_{S_j}$) and its partner after the current authentication. If this session key has not been defined or $A$ has initiated a Test query for the session key that needs to be guessed, then an empty result ($\perp$) is returned. Otherwise, $A$ will receive the session key.
Semantic security: if the adversary successfully guesses the value of $b$ with non-negligible advantage, the scheme fails to provide semantic security. To distinguish between the random number and the session key, the adversary can use the above-mentioned queries to increase the advantage of guessing. Let $Adv^{AKE}$ be the advantage of $A$ in breaking the semantic security of the scheme. We use the notation $Suc$ to denote the event that the adversary successfully guesses the value of $b$. If $Adv^{AKE}$ is small enough to be ignored, then we say that our scheme is secure under the RoR model.

Formal Security Analysis
Theorem 1. Let $q_s$, $q_h$, and $q_t$ be the numbers of Send queries, Hash queries, and guesses of the master key $s$ of the medical server MS, and let $l$ be the length of $s$. Thus, we have Here, $I_1$ and $I_2$ denote uniformly distributed dictionaries of user identities and user passwords. Then $|H|$, $|I_1|$, and $|I_2|$ denote the range size of the hash function, $I_1$, and $I_2$.
Proof. A series of games $Gm_i$ $(0 \le i \le 4)$ are completed in the proof to prove the security of our proposed scheme. In each game, $\Pr[Suc_i]$ $(0 \le i \le 4)$ represents the probability that the adversary successfully guesses a correct value of $b$ in $Gm_i$.
$Gm_0$: this starting game models a real attack scenario in the RoR model by the adversary $A$. We have (3) In addition, all the random oracles are simulated. The adversary can make a Test query one time to guess the bit $b$. Thus, In summary, for Case 1, combining (2)-(6) and (8), we have And for Case 2, combining (2)-(8), we have The adversary $A$ can choose one of the cases as $Gm_3$. Thus, we have $Adv^{AKE}(A) \le \max\{q_s/(|I_1| \cdot |I_2|),\ q_t/2^l\} + q_h^2/(2 \cdot |H|) + q_s^2/2^l$. In summary, the adversary cannot obtain additional advantage in guessing the correct coin $b$ through the above games. Thus, it can be proved that our patient-family member binding scheme provides semantic security in the RoR model.

Discussion on Possible Attacks.
In this section, we discuss the strong privacy protection mechanism of our scheme against the most common attacks in E-health system.

Resist Smart Card Loss Attack.
In this attack, the adversary captures the information stored in a smart card and wants to calculate important private data from that information. In our scheme, the adversary can capture the information $\{M_{FM}, id'_{FM}\}$ from the family member FM's smart card and the information $\{R_{PT}, ID_{MS}, C_{PT}, NID_{PT}, NID_{FM}, L_{FM}\}$ from the patient PT's smart card. After obtaining the smart card information $\{M_{FM}, id'_{FM}\}$, the adversary wants to calculate the value of $Auth_{FM}$. But due to the absence of the necessary value $N''$, the adversary cannot derive $Auth_{FM}$ to pass authentication. Furthermore, even if the adversary has also obtained the patient PT's smart card information $\{R_{PT}, ID_{MS}, C_{PT}, NID_{PT}, NID_{FM}, L_{FM}\}$, the adversary cannot derive $N'' = L_{FM} \oplus MID_{FM}$ without $MID_{FM}$. So, the adversary cannot guess the value of $sk = h(N'' \oplus Q')$ without $N''$. The adversary cannot obtain useful information to guess the session key through the smart card attack. Thus, our scheme provides security against the stolen smart card attack.

Resisting Off-Line Guessing Attack.
Assume that the adversary has intercepted the data $\{I_{FM}, M_2, M_3, Auth_{PT}\}$ from the binding phase and $\{Auth_{FM}, id_{FM}, X, M_{MS}, Y\}$ from the authentication phase, which are transmitted over the insecure channel, and attempts to launch an off-line guessing attack. However, none of the above data can be used to calculate $ID_{PT}$, $PW_{PT}$ or $ID_{FM}$, $PW_{FM}$. Moreover, the identity and password always appear in pairs in the equations, and our scheme ensures anonymity for the patient and the family member. So, the adversary cannot obtain the identity and password of the patient and the family member. Since the private key $s$ of the medical server is a high-entropy random number and is protected by a one-way hash function, the adversary cannot guess it. Thus, the off-line guessing attack cannot threaten our proposed scheme.

Resisting Replay Attack.
In our scheme, if the adversary captures the message $\{id'_{FM}, Auth_{FM}, X\}$ and replays it to the medical server MS, the medical server MS will use the received $X$ to calculate $Q^* = X^y$, then send $Y$ and $M^*_{MS}$, which is calculated from $Q^*$, to the adversary. But in the next step, the adversary needs to use the message $M^*_{MS}$ to calculate $Auth_{sk}$. Because the calculation of $Auth_{sk} = h(id'_{FM} \| N'' \| sk)$ requires $sk$ and the calculation of , and the random number $x$ is refreshed in every session. The adversary cannot get the value of $x$. Similarly, if the adversary captures the message $Auth_{sk}$ and replays it to the medical server MS, it will not be authenticated by the medical server MS, because the value of $sk = h(N'' \oplus Q')$ is calculated from $N''$ and $Q'$, and the random number in $Q'$ changes every time. The adversary also cannot pass the medical server's authentication. Obviously, the medical server MS and the family member FM can resist the replay attack. Thus, the replay attack cannot threaten our proposed scheme.
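The authentication exchange (Steps C1 and C4) and the replay argument above, as an added Python sketch that is not the authors' code. It models only the values the page states ($X = g^x$, $Q = X^y = Y^x$, $sk = h(N'' \oplus Q')$, $Auth_{FM}$, $Auth_{sk}$); the shared value N, the server-side check of $Auth_{FM}$, SHA-256 as $h$, the byte encodings, and the demo group are assumptions, and $M_{MS}$ is left out because its formula is not given.

```python
import hashlib
import hmac
import secrets

# Demo-only group (constructed): the paper only says P is a large prime and
# g a generator of Z*_P. These values are placeholders, not vetted parameters.
P = 2**255 - 19
G = 2
PLEN = 32  # byte length used to encode group elements and XOR results


def h(*parts: bytes) -> bytes:
    """h(a || b || ...): SHA-256 over length-prefixed fields (assumed encoding)."""
    md = hashlib.sha256()
    for part in parts:
        md.update(len(part).to_bytes(4, "big") + part)
    return md.digest()


def enc(n: int) -> bytes:
    return n.to_bytes(PLEN, "big")


def session_key(n: bytes, q: int) -> bytes:
    """sk = h(N xor Q); the XOR is taken over integers (assumed encoding)."""
    return h(enc(int.from_bytes(n, "big") ^ q))


class FamilyMemberCard:
    """Holds id'_FM and the value N'' the card derives (derivation not modelled)."""

    def __init__(self, id_fm: bytes, n: bytes):
        self.id_fm, self.n = id_fm, n

    def login_request(self):
        # Step C1: fresh x, X = g^x, Auth_FM = h(id'_FM || N'' || X)
        self.x = secrets.randbelow(P - 2) + 1
        big_x = pow(G, self.x, P)
        return self.id_fm, h(self.id_fm, self.n, enc(big_x)), big_x

    def confirm(self, big_y: int) -> bytes:
        # Q' = Y^x, sk = h(N'' xor Q'), Auth_sk = h(id'_FM || N'' || sk)
        self.sk = session_key(self.n, pow(big_y, self.x, P))
        return h(self.id_fm, self.n, self.sk)


class MedicalServer:
    def __init__(self):
        self.n_by_id = {}   # id'_FM -> N''' (stand-in for the database lookup)
        self.pending = {}   # id'_FM -> Q for the session in progress

    def handle_request(self, id_fm, auth_fm, big_x):
        n = self.n_by_id.get(id_fm)
        if n is None or not 1 < big_x < P - 1:
            return None
        # Assumed check: recompute Auth_FM from N''' before answering.
        if not hmac.compare_digest(auth_fm, h(id_fm, n, enc(big_x))):
            return None
        y = secrets.randbelow(P - 2) + 1          # fresh y for every request
        self.pending[id_fm] = pow(big_x, y, P)    # Q = X^y
        return pow(G, y, P)                       # Y = g^y

    def handle_confirm(self, id_fm, auth_sk):
        # Step C4: sk' = h(N''' xor Q), compare Auth_sk with h(id'_FM || N''' || sk')
        q = self.pending.pop(id_fm, None)
        if q is None:
            return None
        n = self.n_by_id[id_fm]
        sk = session_key(n, q)
        return sk if hmac.compare_digest(auth_sk, h(id_fm, n, sk)) else None


def demo():
    n = secrets.token_bytes(32)    # constructed stand-in for N'' = N'''
    id_fm = b"id-fm-0001"          # constructed identity label
    ms = MedicalServer()
    ms.n_by_id[id_fm] = n
    card = FamilyMemberCard(id_fm, n)

    request = card.login_request()
    big_y = ms.handle_request(*request)
    auth_sk = card.confirm(big_y)
    honest = ms.handle_confirm(id_fm, auth_sk) == card.sk

    # Replay of the captured C1 message: the server answers with a new Y, so
    # the captured Auth_sk no longer matches the key the server derives.
    big_y2 = ms.handle_request(*request)
    replayed = ms.handle_confirm(id_fm, auth_sk)

    # Substituting X* while reusing the captured Auth_FM fails the first check.
    forged = ms.handle_request(id_fm, request[1], pow(G, 5, P))
    return {
        "honest_keys_match": honest,
        "replayed_request_answered": big_y2 is not None and big_y2 != big_y,
        "replayed_confirmation_accepted": replayed is not None,
        "substituted_X_accepted": forged is not None,
    }
```
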

Resisting Man-in-the-Middle Attack.
In our proposed scheme, the session key $sk$ is established in the authentication phase between the family member and the medical server. If the adversary intercepts the authentication request $\{id'_{FM}, Auth_{FM}, X\}$ and computes a new request $\{id'^{*}_{FM}, Auth^{*}_{FM}, X^{*}\}$ to cheat the medical server, it will not pass the medical server MS's authentication, because the adversary cannot calculate the message $Auth_{FM} = h(id'_{FM} \| N'' \| X)$, which is computed from $N''$. Likewise, if the adversary intercepts the authentication message $\{M_{MS}, Y\}$ or $Auth_{sk}$, he/she also cannot calculate the message needed to pass the authentication without $N''$. Therefore, our scheme can resist the man-in-the-middle attack.

Resisting Privileged Insider Attack.
The insider attack means that an insider of the system can gain access to user-sensitive information. In our scheme, the adversary obtains the data $\{MID_{PT}, MID_{FM}, SC_{PT}, id_{FM}\}$ in the medical server database through a privileged insider attack. In the authentication phase, the calculation of $N''' = L'_{FM} \oplus MID_{FM}$ requires $L'_{FM} = SC'_{FM} \oplus SC_{PT}$, but the adversary only has the data $SC_{PT}$. So, the adversary cannot derive $L'_{FM}$. Because the adversary only has the data $MID_{FM}$, the adversary cannot derive $N''' = L'_{FM} \oplus MID_{FM}$. Therefore, our scheme can resist the privileged insider attack.

Perfect Forward Secrecy.
This security feature ensures security even if an adversary obtains all past session keys. As can be seen from our scheme, the session key is $sk = h(N'' \oplus Q')$. The $sk$ is protected by $N''$ and $Q'$. The data $Q' = X^y = Y^x$ is updated after each communication. Even if the adversary $A$ knows the past session keys, he/she still cannot compute the new session key of our scheme. Therefore, our scheme can provide perfect forward secrecy.

Performance Comparison
In this section, we compare the computation cost and functionality of our patient-family member binding scheme with other related authentication schemes [29][30][31][32][33]. Our proposed scheme has two main phases: (1) binding phase and (2) authentication phase. We use the computational cost (total time to perform all operations) to compare the performance. In order to evaluate the computational cost, we use the following notation to represent time complexity:
(i) $T_{ha}$: time for performing a one-way hash operation
(ii) $T_{sy}$: time for performing a symmetric encryption/decryption operation
(iii) $T_{ec}$: time for performing an elliptic curve scalar point multiplication operation
(iv) $T_o$: time for performing an elliptic curve scalar addition operation
(v) $T_{em}$: time for a modular exponentiation operation
We evaluate the computation cost by using the MIRACL C/C++ Library. The system used a 64-bit Windows 10 operating system (CPU: 2.3 GHz, RAM: 8 GB). Based on the above system, we get the average computation time of each cryptographic operation: $T_{ha} \approx 0.057$ ms, $T_{sy} \approx 0.187$ ms, $T_{ec} \approx 1.37$ ms, $T_o \approx 0.91$ ms, and $T_{em} \approx 1.89$ ms.
In Table 2, we show the computational cost of the related schemes [29][30][31][32][33] and ours in the registration phase and authentication phase. During the evaluation, because they require only a small amount of calculation, we ignore XOR and string concatenation. In the registration phase, the computational cost of our scheme is $8T_{ha}$, whereas the costs of the related schemes proposed by Zhang et al. [29], Qu et al. [30], Qi and Chen [31], Karuppiah et al. [32], and Irshad et al. [33] are, respectively, $3T_{ha}$, $3T_{ha} + 2T_{ec} + 1T_o$, $3T_{ha}$, $4T_{ha}$, and $4T_{ha} + 1T_{sy} + 1T_{ec}$. We observe that Qu et al.'s scheme and Irshad et al.'s scheme require more computational cost during the registration phase because of $T_{ec}$/$T_{sy}$ in their calculation. The methods used in Zhang et al.'s scheme, Qi-Chen's scheme, and Kar et al.'s scheme have lower costs during the registration phase. In a key agreement scheme, registration only needs to be performed once, but the authentication phase is run multiple times. Therefore, the computational cost of the registration phase has little effect on the overall scheme. During the authentication phase, the computational cost of our scheme is $9T_{ha} + 4T_{em}$, which is less than that of the related schemes proposed by Zhang et al. [29], Qu et al. [30], Qi and Chen [31], Karuppiah et al. [32], and Irshad et al. [33]. Finally, the total computational cost of the above schemes is as follows:
(i) Zhang et al. [29]: $14T_{ha} + 2T_{sy} + 6T_{ec} = 9.39$ (ms)
(ii) Qu
In summary, our scheme has a great advantage in total cost, needing only $17T_{ha} + 4T_{em} = 8.52$ (ms). Our scheme has the best performance with low computational cost as compared with the other related schemes [29][30][31][32][33]. Further performance comparison of each scheme is shown in Figures 5-7.
In Figure 5, the two graphs respectively represent the time cost in the registration phase and the authentication phase of all schemes. In the left graph, we can see that in the registration phase, the computational cost of the Qu et al.  Figure 6 shows the total time cost of those schemes and Figure 7 shows the comparison of the computation cost of our proposed scheme with related schemes. From Figure 7, we can see that as the number of users increases, our scheme still has good performance.
In summary, our scheme shows better performance which needs lower computational cost than other related schemes.
We compare the proposed scheme with other related schemes in terms of different security attacks and parameters in Table 3. Zhang et al.'s [29] scheme cannot provide several security features; for example, it fails to resist the stolen verifier attack [34]. Qu et al.'s [30] scheme focuses on preventing the impersonation attack but suffers from the off-line guessing attack and replay attack. Qi and Chen's [31] scheme ignores user anonymity and suffers from insider attack [32]. Karuppiah et al.'s scheme [32] cannot provide perfect forward security and cannot resist impersonation attack. Irshad et al.'s scheme [33] can resist most attacks but suffers from impersonation attack [35].
Furthermore, compared with the schemes [29][30][31][32][33], our proposed scheme not only realizes secure communication between the family member and the medical server but also realizes advanced security attributes and strong protection against security attacks.

Future Works.
We propose a binding scheme for the family member, which can bind the patient and the family member so that the family member can participate in the treatment process of the patient. In our paper, patients can only authorize one family member per binding phase. When multiple family members need to bind at the same time, a batch binding scheme is needed. Moreover, more and more scenarios use biometric authentication. In order to make it more convenient for patients and their families to complete the binding and the authentication, it is necessary to design a scheme that uses biometric characteristics to complete the authentication. In the future, we will conduct further studies on batch binding and biometric authentication.

Table 2: Computational cost of the related schemes.

| Scheme | Registration phase | Authentication phase | Total cost | Time (ms) |
| --- | --- | --- | --- | --- |
| [29] | $3T_{ha}$ | $11T_{ha} + 2T_{sy} + 6T_{ec}$ | $14T_{ha} + 2T_{sy} + 6T_{ec}$ | 9.39 |
| Qu and Tan [30] | $3T_{ha} + 2T_{ec} + 1T_o$ | $13T_{ha} + 9T_{ec} + 5T_o$ | $16T_{ha} + 11T_{ec} + 6T_o$ | 21.442 |
| Qi and Chen [31] | $3T_{ha}$ | $12T_{ha} + 6T_{ec}$ | $15T_{ha} + 6T_{ec}$ | 9.075 |
| Karuppiah et al. [32] | $4T_{ha}$ | $15T_{ha} + 4T_{em}$ | $19T_{ha} + 4T_{em}$ | 8.63 |
| Irshad et al. [33] | $4T_{ha} + 1T_{sy} + 1T_{ec}$ | $17T_{ha} + 11T_{ec} + 4T_{sy}$ | $21T_{ha} + 5T_{sy} + 12T_{ec}$ | 18 |

Conclusion
In this paper, by reviewing previous papers, we find that most systems only consider the secure communication between the patient and the medical server but ignore the important role of the family member in the E-health system. In order to overcome this problem, we propose a patient family binding and authentication scheme with privacy protection for the E-health system. In our scheme, not only can patients bind family members freely, but the family member can also process the diagnosis result in a timely manner when it is inconvenient for the patient. In addition, increasing the number of family members will not cause additional burden on the medical server. Consequently, our scheme is proved to be efficient and secure.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
Note to Table 3. Y: can resist the attack successfully or provides the security property; N: cannot resist the attack successfully or cannot provide the security property; R: not refereed.