Securing electronic healthcare records: A mobile-based biometric authentication approach

https://doi.org/10.1016/j.jisa.2020.102528

Abstract

In the Healthcare 4.0 era, recent breakthroughs in emerging and disruptive technologies, such as Artificial Intelligence (AI), machine learning and robotics, have significantly changed the way in which healthcare services are delivered to patients. Advancements in patient monitoring systems and wearable devices have created more powerful and flexible real-time remote patient observation. Healthcare provision has experienced remarkable improvements facilitated by cloud computing and wireless technologies, while wireless sensor networks now play an important role in mobile technologies for e-healthcare. In this paper, we propose a mobile-based healthcare system for the Healthcare 4.0 era. The proposed approach enables patients to self-authenticate, using their own mobile and wearable devices, establishing a session key between owned devices. After mutual authentication, the cloud server verifies each user. The security of the approach is described through the AVISPA tool. We analyze the embedded security and functionality which improves the healthcare system and calculate the relative communication and computation costs. Results show that the proposed approach provides greater security compared to other state-of-the-art schemes.

Introduction

Disruptive innovations in Industry 4.0 technologies have changed the traditional way in which healthcare services are developed and delivered. The healthcare industry has transitioned through various phases during the last 50 years, from Healthcare 1.0 to Healthcare 4.0. During the Healthcare 1.0 era, provision was physician-centered, where doctors manually maintained the healthcare records of patients. Over time, healthcare records were replaced by electronic records, during the Healthcare 2.0 era [1]. As the electronic storage of patient records became standardized, the Healthcare 3.0 era introduced a more patient-centered approach, with the advent of Wearable Devices (WDs) and other smart technologies [2]. Later, Electronic Healthcare Record (EHR) systems were introduced to store patient records electronically in a database so that they could be accessed from anywhere and by anyone, with granted access, using the Internet [3]. More recently, during the Healthcare 4.0 era, remote patient monitoring [4] has been introduced, bringing many advantages such as real-time monitoring and early detection of patient illnesses [5].

Real-time monitoring uses electronic devices, such as WDs and Mobile Devices (MDs), to access patient data from anywhere and at any time [6]. Improved internet connectivity and reductions in MD costs have made e-healthcare more readily accessible to patients [7]. In the e-healthcare domain, patients can easily access healthcare services without needing to visit the hospital. Patients can remotely check their vital statistics, with doctors being able to quickly update patient information using MDs. A communication channel is established between various entities such as the healthcare provider, patient and doctor. They create a bridge of trust, improving the accuracy in patient diagnosis, allowing better co-ordination between entities, such as the Cloud Server (CS), patient and doctor [8]. The communication of medical diagnosis reports from hospital staff to patients is easily coordinated and communicated, providing faster and more reliable patient care. Mobile devices, tablets and wearable devices are used to monitor and obtain the vital signals of patients, which are then used by doctors for prognosis. At the same time, patients are able to obtain information about different aspects of their healthcare which helps in improving the overall quality of care provided [9].

As digitally-enabled healthcare provision becomes the norm, healthcare providers must transition from delivering hospital-centered care to home-centered care, with applications now being available to monitor patients inside the hospital, as well as at home using WDs [10]. A large variety of WDs are now available, including health trackers, Google smart glass and smartwatches [11], which are being used by patients to monitor daily activities and measure personal data, such as blood pressure, heart rate, Electrocardiogram (ECG) and breath analysis. Currently-available WDs are delivered as wireless devices that are placed directly onto the patient’s body [12]. Afterwards, the patient synchronizes their MD with the WD for real-time monitoring [13]. The MD collects the patient’s data from the WD and sends it to the CS via the internet. However, this can be prone to many attacks, including Man-In-the-Middle (MIM), replay, impersonation, CS compromise attack, privileged insider attack and Denial of Service (DoS) attack [14]. Mutual authentication between the user and the CS is challenging to execute. To solve the above issues and to minimize security threats, we use a session key to secure communication between the user/MD and CS, storing all patient details, such as WD identity, biometric and security credentials.

As security concerns increase, maintaining the privacy of patient data is now, more than ever, of utmost importance for preserving the integrity of stored healthcare data [15]. In this regard, EHRs are now being used by healthcare providers to store patient data [13]. Patient data is accessed using a patient-centered approach [16], where the patient can grant access to doctor(s) or hospital staff. If the patient wishes to share specific data with a doctor or hospital staff then they can grant additional access rights to those required. In cases of emergency, a notification can be sent to an emergency contact stored on the patient’s mobile device to e.g., call an ambulance to get immediate attention from the caregiver [13].

Motivated by the aforementioned, this paper proposes a biometric-based authentication approach for mobile devices. Biometric inputs are taken from the biometric template of the mobile device and then stored on the CS. The CS then generates a session key for the user. The user can store the identity of the WD, biometric details, security credentials and the session key in their MD. To achieve this, we use Elliptic Curve Cryptography (ECC), symmetric encryption/decryption and modular exponentiation to calculate a cost. The patient’s identity and biometric data is stored on the CS during initial registration, which is then used to access data during the login process. The MD obtains real-time patient data which is used to improve the quality of care provided to the patient. We further propose an algorithm based on an access control mechanism. This provides a detailed description of the access rights for caregivers, such as Admin, Patients and Doctors. Security dialogues are used to satisfy security requirements. The security of the proposed approach is analyzed using a formal verification tool, AVISPA, which analyzes various known and unknown attacks such as replay and MIM attack. This authentication approach is verified using multiple performance evaluation parameters, including communication and computation costs. We also describe the HLPSL file for every entity, such as the CS and user. In the HLPSL file, the role of each entity is defined and executed with the help of back-ends, such as On-the-fly Model-Checker (OFMC) and Constraint-logic-based Attack Searcher (CL-ATSE).

Traditional healthcare systems are delivered as doctor-centered tools where doctors can access all patient data at any time. This approach lacks privacy for the patient, with data being viewed in real-time through one communication channel, which creates the possibility of attack. To solve this problem, we propose a mobile-based system that provides protection against various types of attack, delivering a more reliable and patient-centered service.

The main contributions of this paper include: (1) a mobile-based approach to secure EHRs against various known attacks using biometric-based authentication; (2) an algorithm to make healthcare systems more patient-centered and reliable; (3) proposed security dialogues that satisfy security requirements, like mutual authentication, confidentiality, anonymity and scalability; (4) a formal security verification method using the AVISPA tool; this tool is used to reinforce the security of the proposed approach, with outcomes guaranteeing that the proposed approach withstands impersonation, replay and MIM attacks; and (5) the proposed approach achieves a high level of security with lower computation and communication costs compared to other existing state-of-the-art schemes.

The rest of this paper is organized as follows. Section 2 discusses the state-of-the-art work carried out by various international researchers. Section 3 highlights the research questions addressed in this paper. In Sections 4 and 5, the proposed approach is presented to secure electronic healthcare records in the Healthcare 4.0 environment together with the proposed algorithms. Section 6 presents the execution of security dialogues. Section 7 provides details on the security analysis completed with requirements and resistance of attacks being identified and, in Section 8, protection of the proposed approach against various types of attacks is described. Section 9 presents the results obtained using various performance metrics, such as communication and computation cost. Section 10 describes the formal security verification of the proposed approach and finally, in Section 11, conclusions are drawn on the proposed approach.

Section snippets

Related work

This section presents a comparison of the state-of-the-art security schemes currently available. Ali et al. [25] proposed a novel three factor-based authentication protocol using the WMSN environment for monitoring healthcare provision. They analyzed Amin’s [31] scheme and found that few security features were available, such as impersonation attack. To overcome this, Ali’s [25] scheme proposed to provide resistance against impersonation attack. They also used BAN Logic and the AVISPA tool for

Research questions

The questions studied in our research are presented in Table 2. In a traditional healthcare system, patient data is managed using a doctor-centered approach. To solve this problem, we designed an algorithm to make the healthcare system more patient-centered. Similarly, in real-time monitoring, a patient’s vital signs are transferred through a single communication channel that increases the possibility of attack. To secure EHRs, we propose security dialogues that provide protection against

Proposed approach

In this section, the execution of the proposed approach is introduced. We divide this into three parts: System Architecture, Security dialogues and Algorithm. First, we describe the system’s architecture, consisting of two actions: (1) User Registration and (2) User Login. Second, we present the security dialogues which are communicated between the different entities of the system, such as patient and CS; this process is also divided into two phases: (1) User Registration and (2) Login and

Admin working

Algorithm 1 shows the process of the admin. First, the EHR sends a request for access rights to the CS. The CS can grant access to the patient and/or doctor. During the initialization phase, Admin staff have the right to read, write, add and remove the user, as per admin requirements. Second, admin can check the identity of the patient IDp, and their biometric data Bi. If both values match, then the user is successfully verified. Afterwards, the admin can add the patient to the CS and take

Security dialogues

Table 3 shows the notation and description of each symbol used during the user registration phase, and login and authentication phase.

Fig. 4 illustrates the user registration phase. First, the user registers their personal data, including identity, biometric data and MD identity on to the CS. The user inputs their identity using their biometric data. This generates a random nonce Ru and encrypts the data before sending it to the CS. The CS then generates a random number Rcs and computes the Xu,

Security analysis

Security is required to maintain the privacy of the user throughout their experience. In this study, we completed an analysis of security concerns and provided the requirements needed for the privacy and security of the user. Requirements, such as mutual authentication, confidentiality, anonymity, scalability and perfect forward security, are now introduced.

Resistance to attacks

In a wireless medium, the possibility of an attack occurring is high. Resistance against attacks is the first priority of any scheme. In this section, we introduce protection against various types of attack, including integrity, DoS, cloud server compromise, Replay, Man-in-the-middle, impersonation, privileged insider and the stolen mobile device attack.

Performance analysis

In this section, we evaluate and compare the performance parameters of the proposed approach with other state-of-the-art schemes using parameters, such as communication and computation cost.

Formal security verification using AVISPA tool

In this section, we demonstrate that the proposed approach is secure using analysis through the AVISPA tool [38]. This tool is widely used for analyzing whether a security approach is safe or unsafe to use. AVISPA provides a GUI and has four back-ends: (1) OFMC, (2) SAT-based Model-Checker (SATMC), (3) CL-ATSE, and (4) Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP).

High-Level Protocol Specification Language (HLPSL) has two

Conclusion

In this paper, we propose a mobile-based approach to securing electronic healthcare records. The approach is divided into seven parts. The first discussed the system’s architecture, while the second described the security dialogues of the proposed approach. In the third part, we described the algorithm for granting access rights to patients, doctors and admin staff. The fourth part described the ability of the proposed approach to resist attacks, fulfilling security requirements. Then, security

Authors Statement

In future, we will explore the application of the proposed approach in a tactile internet environment.

Please find the revised manuscript entitled “Securing Electronic Healthcare Records: A Mobile-based Biometric Authentication Approach” towards a submission for Journal of Information Security and Applications.

We have carefully incorporated all the comments of the reviewers.

We hope reviewers will be satisfied with our response.

As background information, we would like to mention that this is an

Declaration of Competing Interest

None.

References (38)

  • P. Bhattacharya et al. BinDaaS: blockchain-based deep-learning as-a-service in healthcare 4.0 applications. IEEE Trans Netw Sci Eng (2019)
  • A. Armando et al. The AVISPA tool for the automated validation of internet security protocols and applications. International conference on computer aided verification (2005)
  • J. Vora et al. Ensuring privacy and security in e-health records. 2018 International conference on computer, information and telecommunication systems (CITS) (2018)
  • W. Liu et al. The yoking-proof-based authentication protocol for cloud-assisted wearable devices. Pers Ubiquitous Comput (2016)
  • J. Vora et al. FAAL: Fog computing-based patient monitoring system for ambient assisted living. 2017 IEEE 19th International conference on e-health networking, applications and services (Healthcom) (2017)
  • R. Gupta et al. Tactile internet and its applications in 5g era: a comprehensive review. Int J Commun Syst (2019)
  • J. Hathaliya et al. Blockchain-based remote patient monitoring in healthcare 4.0. 2019 IEEE 9th International conference on advanced computing (IACC) (2019)
  • R. Gupta et al. Smart contract privacy protection using ai in cyber-physical systems: tools, techniques and challenges. IEEE Access (2020)
  • L.P. Malasinghe et al. Remote patient monitoring: a comprehensive study. J Ambient Intell Humaniz Comput (2019)