Securing the Access to Electronic Health Records on Mobile Phones

  • Conference paper
Biomedical Engineering Systems and Technologies (BIOSTEC 2011)

Abstract

Mobile phones are increasingly used in the e-health domain. In this context, enabling secure access to health records from mobile devices is of particular importance because of the high security and privacy requirements for sensitive medical data. Standard operating systems and software, as they are deployed on current smartphones, cannot protect sensitive data appropriately, even though modern mobile hardware platforms often provide dedicated security features. Current mobile phones are prone to attacks by malicious software, which might gain unauthorized access to sensitive medical data.

In this paper, we present a security architecture for the protection of electronic health records and authentication credentials that are used to access e-health services. Our architecture is derived from a generic solution and tailored specifically to current mobile platforms with hardware security extensions. Authentication data are protected by a trusted wallet (TruWallet), which leverages trusted hardware features of the phone and isolated application environments provided by a secure operating system. A separate application environment is used to provide runtime protection of medical data. Furthermore, we present a prototype implementation of TruWallet on the Nokia N900 mobile phone. In contrast to commodity systems, our architecture enables healthcare professionals to securely access medical data on their mobile devices without the risk of disclosing sensitive information.

An earlier version of this paper has been published in [11].

References

  1. Aggarwal, M., Vennon, T.: Study of BlackBerry proof-of-concept malicious applications. Technical Report White paper, SMobile Global Threat Center (January 2010)

  2. Agreiter, B., Alam, M., Hafner, M., Seifert, J.P., Zhang, X.: Model driven configuration of secure operating systems for mobile applications in healthcare. In: Proceedings of the 1st International Workshop on Model-Based Trustworthy Health Information Systems (2007)

  3. Akinyele, J.A., Lehmann, C.U., Green, M.D., Pagano, M.W., Peterson, Z.N.J., Rubin, A.D.: Self-protecting electronic medical records using attribute-based encryption. Cryptology ePrint Archive, Report 2010/565 (2010), http://eprint.iacr.org/2010/565

  4. Alves, T., Felton, D.: TrustZone: Integrated hardware and software security. Technical report, ARM (July 2004)

  5. Anderson, J.P.: Computer security technology planning study. Technical Report ESD-TR-73-51, AFSC, Hanscom AFB, Bedford, MA, AD-758 206, ESD/AFSC (October 1972)

  6. Android Open Source Project. Project website (2010), http://www.android.com

  7. Apple Inc. iOS website (2010), http://www.apple.com/iphone/ios4

  8. Azema, J., Fayad, G.: M-Shield™ mobile security technology: making wireless secure. Texas Instruments White Paper (February 2008), http://focus.ti.com/pdfs/wtbu/ti_mshield_whitepaper.pdf

  9. Benelli, G., Pozzebon, A.: Near Field Communication and Health: Turning a Mobile Phone into an Interactive Multipurpose Assistant in Healthcare Scenarios. In: Fred, A., Filipe, J., Gamboa, H. (eds.) BIOSTEC 2009. CCIS, vol. 52, pp. 356–368. Springer, Heidelberg (2010)

  10. Brygier, J., Fuchsen, R., Blasum, H.: PikeOS: Safe and secure virtualization in a separation microkernel. Technical report, Sysgo (September 2009)

  11. Dmitrienko, A., Hadzic, Z., Löhr, H., Sadeghi, A.-R., Winandy, M.: A security architecture for accessing health records on mobile phones. In: Proceedings of the 4th International Conference on Health Informatics (HEALTHINF 2011), pp. 87–96. SciTePress (2011)

  12. EMSCB Project Consortium. The European Multilaterally Secure Computing Base (EMSCB) project (2005-2008), http://www.emscb.org

  13. Fraim, L.: SCOMP: A solution to the multilevel security problem. IEEE Computer, 26–34 (July 1983)

  14. Gajek, S., Löhr, H., Sadeghi, A.-R., Winandy, M.: TruWallet: Trustworthy and migratable wallet-based web authentication. In: The 2009 ACM Workshop on Scalable Trusted Computing (STC 2009), pp. 19–28. ACM (2009)

  15. Gardner, R.W., Garera, S., Pagano, M.W., Green, M., Rubin, A.D.: Securing medical records on smart phones. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Medical and Home-Care Systems, SPIMACS 2009, pp. 31–40. ACM (2009)

  16. Google Android. Security and permissions (2010), http://developer.android.com/intl/de/guide/topics/security/security.html

  17. Han, D., Park, S., Lee, M.: THE-MUSS: Mobile U-Health Service System. In: Fred, A., Filipe, J., Gamboa, H. (eds.) BIOSTEC 2008. CCIS, vol. 25, pp. 377–389. Springer, Heidelberg (2008)

  18. Hildon Application Framework. Project website (2010), http://live.gnome.org/Hildon

  19. Iozzo, V., Weinmann, R.-P.: Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN (March 2010), http://blog.zynamics.com/2010/03/24/ralf-philipp-weinmann-vincenzo-iozzo-own-the-iphone-at-pwn2own/

  20. Karger, P.A., Zurko, M.E., Bonin, D.W., Mason, A.H., Kahn, C.E.: A VMM security kernel for the VAX architecture. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, pp. 2–19. IEEE Computer Society, Technical Committee on Security and Privacy (May 1990)

  21. Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: Formal verification of an OS kernel. In: Proceedings of the 22nd ACM Symposium on Operating Systems Principles, Big Sky, MT, USA. ACM Press (October 2009)

  22. Kostiainen, K., Dmitrienko, A., Ekberg, J.-E., Sadeghi, A.-R., Asokan, N.: Key Attestation from Trusted Execution Environments. In: Acquisti, A., Smith, S.W., Sadeghi, A.-R. (eds.) TRUST 2010. LNCS, vol. 6101, pp. 30–46. Springer, Heidelberg (2010)

  23. Kostiainen, K., Ekberg, J.-E., Asokan, N., Rantala, A.: On-board credentials with open provisioning. In: ASIACCS 2009: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pp. 104–115. ACM (2009)

  24. Liedtke, J.: On microkernel construction. In: Proceedings of the 15th ACM Symposium on Operating Systems Principles (SOSP 1995), Copper Mountain Resort, Colorado (December 1995); Appeared as ACM Operating Systems Review 29.5

  25. Loscocco, P., Smalley, S.: Integrating flexible support for security policies into the Linux operating system. In: Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, pp. 29–42. USENIX Association (2001)

  26. Lua. Project website (2010), http://www.lua.org

  27. Maemo. Project website (2010), http://maemo.org

  28. Microsoft. Windows mobile website (2010), http://www.microsoft.com/windowsmobile

  29. Open Kernel Labs. OKL4 project website (2010), http://okl4.org

  30. Paros. Project website (2010), http://www.parosproxy.org

  31. Picciotto, J., Epstein, J.: Trusting X: Issues in building Trusted X window systems –or– what’s not trusted about X? In: 14th National Computer Security Conference (1991)

  32. Selhorst, M., Stüble, C., Feldmann, F., Gnaida, U.: Towards a Trusted Mobile Desktop. In: Acquisti, A., Smith, S.W., Sadeghi, A.-R. (eds.) TRUST 2010. LNCS, vol. 6101, pp. 78–94. Springer, Heidelberg (2010)

  33. Shapiro, J.S., Smith, J.M., Farber, D.J.: EROS: a fast capability system. In: Proceedings of the 17th ACM Symposium on Operating Systems Principles (SOSP 1999), Kiawah Island Resort, near Charleston, South Carolina, pp. 170–185 (December 1999); Appeared as ACM Operating Systems Review 33.5

  34. Sunyaev, A., Leimeister, J.M., Krcmar, H.: Open security issues in German healthcare telematics. In: Proceedings of the 3rd International Conference on Health Informatics, HEALTHINF 2010, pp. 187–194. INSTICC (2010)

  35. Symbian Foundation Community. Project website (2010), http://www.symbian.org

  36. The OpenTC Project Consortium. The Open Trusted Computing (OpenTC) project (2005-2009), http://www.opentc.net

  37. Felton, D., Alves, T.: TrustZone: Integrated Hardware and Software Security (July 2004), http://www.arm.com/pdfs/TZ%20Whitepaper.pdf

  38. Trusted Computing Group. TPM Main Specification, Version 1.2 rev. 103 (July 2007), http://www.trustedcomputinggroup.org

  39. Vennon, T.: Android malware. A study of known and potential malware threats. Technical Report White paper, SMobile Global Threat Center (February 2010)

  40. Vouyioukas, D., Kambourakis, G., Maglogiannis, I., Rouskas, A., Kolias, C., Gritzalis, S.: Enabling the provision of secure web based m-health services utilizing xml based security models. Security and Communication Networks 1(5), 375–388 (2008)

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Dmitrienko, A., Hadzic, Z., Löhr, H., Sadeghi, AR., Winandy, M. (2013). Securing the Access to Electronic Health Records on Mobile Phones. In: Fred, A., Filipe, J., Gamboa, H. (eds) Biomedical Engineering Systems and Technologies. BIOSTEC 2011. Communications in Computer and Information Science, vol 273. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29752-6_27

  • DOI: https://doi.org/10.1007/978-3-642-29752-6_27

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29751-9

  • Online ISBN: 978-3-642-29752-6

  • eBook Packages: Computer Science, Computer Science (R0)
