Security and Privacy for Mobile Health-Care (mHealth) Systems

Fast and secure access to patients' records helps to save lives through timely treatment in emergency situations. Online health-care and medical systems that are accessible anywhere and at any time therefore play a vital role in daily life. Advances in (wireless) communication and computing technologies have driven the migration of health-care systems from paper-based records to electronic health records (EHRs), bringing more efficient human operations, lower storage costs, fewer medical errors, and better data availability and sharing. Unfortunately, this convenience also raises concerns that must be carefully addressed. In particular, the privacy of medical or health records is a major concern for patients and has become the main barrier to the deployment of EHR-based health-care systems. Privacy and security breaches have already reached every area of our activities and living environment, including health care, finance, voting, e-commerce and the military. There is thus an urgent need for architectures that assure privacy and security and safeguard confidential information wherever it resides digitally. Despite its paramount importance, little progress has been made on the design of security and privacy architectures for EHR-based health-care systems. Two critical issues in particular have rarely been addressed in the research literature: health information privacy and health information sharing. Health information privacy (or medical record privacy) refers to the confidentiality of, and access restrictions on, a patient's protected health information (PHI), which contains sensitive personal information such as disease history and ongoing treatment.

There are good reasons for keeping the records private and limiting access to only the minimum necessary information: an employer may decide not to hire someone with psychological issues, an insurance company may refuse to provide life insurance once it is aware of a patient's disease history, a person with certain types of disease may be discriminated against by the health-care provider, and so on. However, fundamental developments in health-care systems have threatened the confidentiality of medical records and patient privacy [1], one of which is the exponential increase in the use of computers and automated information systems for health records. Networked computers are now commonly used by health-care providers to store and retrieve patients' electronic health records (EHRs).
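The minimum-necessary principle above is usually enforced with role-based access control of the kind surveyed in [7]. The following is an added illustration, not code from the paper or from any system it cites: a policy keyed on (role, purpose) maps each request to the smallest set of PHI field groups needed for that task, an emergency break-glass path widens access to what acute treatment needs while still withholding psychiatric and financial data, and every decision is written to an audit log. The role names, field groups, purposes and the sample record are constructed assumptions for the example.

```python
"""Minimum-necessary access to a patient's EHR, with a logged break-glass path.

Added example; role names, field groups and the record are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# PHI fields grouped by sensitivity/function so policy is written against
# groups, not individual column names.
FIELD_GROUPS: Dict[str, FrozenSet[str]] = {
    "identity":  frozenset({"patient_id", "name", "date_of_birth"}),
    "contact":   frozenset({"address", "phone"}),
    "clinical":  frozenset({"diagnoses", "medications", "allergies"}),
    "psych":     frozenset({"psychiatric_notes"}),
    "financial": frozenset({"insurance_id", "billing_balance"}),
}

# (role, purpose) -> field groups that are the minimum necessary for that task.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("physician", "treatment"):     frozenset({"identity", "clinical", "psych"}),
    ("nurse", "treatment"):         frozenset({"identity", "clinical"}),
    ("billing_clerk", "payment"):   frozenset({"identity", "financial"}),
    ("receptionist", "scheduling"): frozenset({"identity", "contact"}),
}

# Break-glass scope: what an unknown responder needs for acute care.
# Psychiatric notes and financial data stay closed even in an emergency.
EMERGENCY_GROUPS: FrozenSet[str] = frozenset({"identity", "clinical", "contact"})


@dataclass
class AccessLog:
    """Append-only audit trail; in production this would be tamper-evident."""
    entries: List[dict] = field(default_factory=list)


def fields_for(groups: FrozenSet[str]) -> set:
    """Expand a set of field groups into the concrete field names."""
    allowed = set()
    for g in groups:
        allowed |= FIELD_GROUPS[g]
    return allowed


def minimum_necessary_view(record: dict, role: str, purpose: str,
                           emergency: bool, log: AccessLog) -> dict:
    """Return only the fields the policy permits for (role, purpose).

    Falls back to the break-glass scope when emergency=True and no regular
    policy applies; raises PermissionError (after logging) otherwise.
    """
    groups = POLICY.get((role, purpose))
    decision = "allow"
    if groups is None and emergency:
        groups, decision = EMERGENCY_GROUPS, "break-glass"
    if groups is None:
        log.entries.append({"patient_id": record["patient_id"], "role": role,
                            "purpose": purpose, "decision": "deny"})
        raise PermissionError(f"{role!r} has no policy for purpose {purpose!r}")

    allowed = fields_for(groups)
    view = {k: v for k, v in record.items() if k in allowed}
    log.entries.append({"patient_id": record["patient_id"], "role": role,
                        "purpose": purpose, "decision": decision,
                        "fields": sorted(view)})
    return view


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001", "name": "A. Example", "date_of_birth": "1970-01-01",
    "address": "1 Example St", "phone": "555-0100",
    "diagnoses": ["hypertension"], "medications": ["lisinopril"],
    "allergies": ["penicillin"], "psychiatric_notes": "(redacted)",
    "insurance_id": "INS-42", "billing_balance": 120.0,
}

if __name__ == "__main__":
    log = AccessLog()
    print(minimum_necessary_view(SAMPLE_RECORD, "nurse", "treatment", False, log))
    print(minimum_necessary_view(SAMPLE_RECORD, "paramedic", "emergency", True, log))
    for e in log.entries:
        print(e)
```

The two design points worth noting are that the policy is keyed on purpose as well as role, so the same physician asking for "payment" data is denied, and that break-glass is a separate, narrower scope that is recorded distinctly in the log so emergency accesses can be reviewed afterwards.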

[1] Charles C. Palmer et al. Security in an autonomic computing environment. IBM Syst. J., 2003.

[2] Gail-Joon Ahn et al. A role-based delegation framework for healthcare information systems. SACMAT '02, 2002.

[3] Joonsang Baek et al. Public Key Encryption with Keyword Search Revisited. ICCSA, 2008.

[4] Chien-Ding Lee et al. A Cryptographic Key Management Solution for HIPAA Privacy/Security Regulations. IEEE Transactions on Information Technology in Biomedicine, 2008.

[5] Pradeep Kumar Ray et al. The Need for Technical Solutions for Maintaining the Privacy of EHR. 2006 International Conference of the IEEE Engineering in Medicine and Biology Society, 2006.

[6] G. Stevens. A Brief Summary of the Medical Privacy Rule. 2002.

[7] Ravi S. Sandhu et al. Role-Based Access Control Models. Computer, 1996.

[8] Roberto J. Bayardo et al. Data privacy through optimal k-anonymization. 21st International Conference on Data Engineering (ICDE'05), 2005.

[9] Bo-Yin Yang et al. GAnGS: gather, authenticate 'n group securely. MobiCom '08, 2008.

[10] Carmela Troncoso et al. On the Impact of Social Network Profiling on Anonymity. Privacy Enhancing Technologies, 2008.

[11] Yuguang Fang et al. Privacy and emergency response in e-healthcare leveraging wireless body sensor networks. IEEE Wireless Communications, 2010.

[12] Marco Casassa Mont et al. A flexible role-based secure messaging service: exploiting IBE technology for privacy in health care. 14th International Workshop on Database and Expert Systems Applications, 2003.

[13] Yuguang Fang et al. Cross-Domain Data Sharing in Distributed Electronic Health Record Systems. IEEE Transactions on Parallel and Distributed Systems, 2010.

[14] Ian T. Foster et al. A security architecture for computational grids. CCS '98, 1998.

[15] Craig Gentry et al. Hierarchical ID-Based Cryptography. ASIACRYPT, 2002.

[16] Michael K. Reiter et al. Seeing-is-believing: using camera phones for human-verifiable authentication. 2005 IEEE Symposium on Security and Privacy (S&P'05), 2005.

[17] Andrew C. Simpson et al. Towards secure Grid-enabled healthcare. Softw. Pract. Exp., 2005.

[18] Bogdan Warinschi et al. Secure Proxy Signature Schemes for Delegation of Signing Rights. Journal of Cryptology, 2010.

[19] Ulrich Sax et al. Position Paper: Wireless Technology Infrastructures for Authentication of Patients: PKI that Rings. J. Am. Medical Informatics Assoc., 2005.

[20] Franco Zambonelli et al. A survey of autonomic communications. TAAS, 2006.

[21] Reza Curtmola et al. Medical Information Privacy Assurance: Cryptographic and System Aspects. SCN, 2002.

[22] Kenneth G. Paterson et al. Identity-based cryptography for grid security. First International Conference on e-Science and Grid Computing (e-Science'05), 2005.

[23] Kevin Fu et al. Absence Makes the Heart Grow Fonder: New Directions for Implantable Medical Device Security. HotSec, 2008.

[24] Moti Yung et al. Fourth-factor authentication: somebody you know. CCS '06, 2006.

[25] Andrew C. Simpson et al. Delegation in a Distributed Healthcare Context: A Survey of Current Approaches. ISC, 2006.

[26] Florian Hess et al. Efficient Identity Based Signature Schemes Based on Pairings. Selected Areas in Cryptography, 2002.

[27] Thomas Sandholm et al. Policy administration control and delegation using XACML and Delegent. 6th IEEE/ACM International Workshop on Grid Computing, 2005.

[28] Tadayoshi Kohno et al. Privacy-Preserving Location Tracking of Lost or Stolen Devices: Cryptographic Techniques and Replacing Trusted Third Parties with DHTs. USENIX Security Symposium, 2008.

[29] Jan Camenisch et al. Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. CRYPTO, 2002.

[30] Sheng Zhong et al. Body sensor network security: an identity-based cryptography approach. WiSec '08, 2008.

[31] Yuguang Fang et al. HCPP: Cryptography Based Secure EHR System for Patient Privacy and Emergency Healthcare. 31st International Conference on Distributed Computing Systems, 2011.

[32] David Cooper et al. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC, 2008.

[33] Mihir Bellare et al. Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions. Journal of Cryptology, 2005.

[34] Morrie Gasser et al. An architecture for practical delegation in a distributed system. 1990 IEEE Computer Society Symposium on Research in Security and Privacy, 1990.

[35] Yuguang Fang et al. Preserving Privacy in Emergency Response Based on Wireless Body Sensor Networks. 2010 IEEE Global Telecommunications Conference (GLOBECOM 2010), 2010.

[36] Rafail Ostrovsky et al. Searchable symmetric encryption: improved definitions and efficient constructions. CCS '06, 2006.

[37] Jun Wang et al. Extending the security assertion markup language to support delegation for Web services and grid services. IEEE International Conference on Web Services (ICWS'05), 2005.

[38] Rafail Ostrovsky et al. Public Key Encryption with Keyword Search. EUROCRYPT, 2004.

[39] Lin Zhong et al. A phone-centered body sensor network platform: cost, energy efficiency and user interface. International Workshop on Wearable and Implantable Body Sensor Networks (BSN'06), 2006.

[40] Kevin Fu et al. Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. 2008 IEEE Symposium on Security and Privacy (SP 2008), 2008.

[41] Steven Tuecke et al. X.509 Proxy Certificates for Dynamic Delegation. 2004.

[42] Reihaneh Safavi-Naini et al. Dynamic k-Times Anonymous Authentication. ACNS, 2005.