Securing electronic healthcare records: A mobile-based biometric authentication approach
Introduction
Disruptive innovations in Industry 4.0 technologies have changed the traditional way in which healthcare services are developed and delivered. The healthcare industry has transitioned through various phases during the last 50 years, from Healthcare 1.0 to Healthcare 4.0. During the Healthcare 1.0 era, provision was physician-centered, where doctors manually maintained the healthcare records of patients. During the Healthcare 2.0 era, these manual healthcare records were replaced by electronic records [1]. As the electronic storage of patient records became standardized, the Healthcare 3.0 era introduced a more patient-centered approach, with the advent of Wearable Devices (WDs) and other smart technologies [2]. Later, Electronic Healthcare Record (EHR) systems were introduced to store patient records electronically in a database so that they could be accessed over the Internet from anywhere and by anyone who had been granted access [3]. More recently, during the Healthcare 4.0 era, remote patient monitoring [4] has been introduced, bringing many advantages such as real-time monitoring and early detection of patient illnesses [5].
Real-time monitoring uses electronic devices, such as WDs and Mobile Devices (MDs), to access patient data from anywhere and at any time [6]. Improved internet connectivity and reductions in MD costs have made e-healthcare more readily accessible to patients [7]. In the e-healthcare domain, patients can easily access healthcare services without needing to visit the hospital. Patients can remotely check their vital statistics, and doctors can quickly update patient information using MDs. A communication channel is established between various entities such as the healthcare provider, patient and doctor. This creates a bridge of trust, improving the accuracy of patient diagnosis and allowing better co-ordination between entities, such as the Cloud Server (CS), patient and doctor [8]. Medical diagnosis reports are easily communicated from hospital staff to patients, providing faster and more reliable patient care. Mobile devices, tablets and wearable devices are used to monitor and obtain the vital signals of patients, which are then used by doctors for prognosis. At the same time, patients are able to obtain information about different aspects of their healthcare, which helps in improving the overall quality of care provided [9].
As digitally-enabled healthcare provision becomes the norm, healthcare providers must transition from delivering hospital-centered care to home-centered care, with applications now being available to monitor patients inside the hospital, as well as at home using WDs [10]. A large variety of WDs are now available, including health trackers, Google smart glass and smartwatches [11], which are being used by patients to monitor daily activities and measure personal data, such as blood pressure, heart rate, Electrocardiogram (ECG) and breath analysis. Currently-available WDs are delivered as wireless devices that are placed directly on to the patient’s body [12]. Afterwards, the patient synchronizes their MD with the WD for real-time monitoring [13]. The MD collects the patient’s data from the WD and sends it to the CS via the internet. However, this communication can be prone to many attacks, including Man-In-the-Middle (MIM), replay, impersonation, CS compromise, privileged insider and Denial of Service (DoS) attacks [14]. Mutual authentication between the user and CS is also challenging to execute. To solve the above issues and to minimize security threats, we use a session key to secure communication between the user/MD and CS, storing all patient details, such as WD identity, biometric and security credentials.
As security concerns increase, maintaining the privacy of patient data is now, more than ever, of utmost importance for preserving the integrity of stored healthcare data [15]. In this regard, EHRs are now being used by healthcare providers to store patient data [13]. Patient data is accessed using a patient-centered approach [16], where the patient can grant access to doctor(s) or hospital staff. If the patient wishes to share specific data with a doctor or hospital staff, then they can grant additional access rights to those who require them. In cases of emergency, a notification can be sent to an emergency contact stored on the patient’s mobile device, for example to call an ambulance and get immediate attention from the caregiver [13].
Motivated by the aforementioned, this paper proposes a biometric-based authentication approach for mobile devices. Biometric inputs are taken from the biometric template of the mobile device and then stored on the CS. The CS then generates a session key for the user. The user can store the identity of the WD, biometric details, security credentials and the session key in their MD. To achieve this, we use Elliptic Curve Cryptography (ECC), symmetric encryption/decryption and modular exponentiation to calculate a cost. The patient’s identity and biometric data are stored on the CS during initial registration, and are then used to access data during the login process. The MD obtains real-time patient data which is used to improve the quality of care provided to the patient. We further propose an algorithm based on an access control mechanism. This provides a detailed description of the access rights for caregivers, such as Admin, Patients and Doctors. Security dialogues are used to satisfy security requirements. The security of the proposed approach is analyzed using a formal verification tool, AVISPA, which analyzes various known and unknown attacks such as replay and MIM attack. This authentication approach is verified using multiple performance evaluation parameters, including communication and computation costs. We also describe the HLPSL file for every entity, such as the CS and user. In the HLPSL file, the role of each entity is defined and executed with the help of back-ends, such as On-the-fly Model-Checker (OFMC) and Constraint-logic-based Attack Searcher (CL-ATSE).
Traditional healthcare systems are delivered as doctor-centered tools where doctors can access all patient data at any time. This approach lacks privacy for the patient, with data being viewed in real-time through one communication channel, which creates the possibility of attack. To solve this problem, we propose a mobile-based system that provides protection against various types of attack, delivering a more reliable and patient-centered service.
The main contributions of this paper include: (1) a mobile-based approach to secure EHRs against various known attacks using biometric-based authentication; (2) an algorithm to make healthcare systems more patient-centered and reliable; (3) proposed security dialogues that satisfy security requirements, like mutual authentication, confidentiality, anonymity and scalability; (4) a formal security verification method using the AVISPA tool; this tool is used to reinforce the security of the proposed approach, with outcomes guaranteeing that the proposed approach withstands impersonation, replay and MIM attacks; and (5) the proposed approach achieves a high level of security with lower computation and communication costs, as compared to other existing state-of-the-art schemes.
The rest of this paper is organized as follows. Section 2 discusses the state-of-the-art work carried out by various international researchers. Section 3 highlights the research questions addressed in this paper. In Sections 4 and 5, the proposed approach to securing electronic healthcare records in a Healthcare 4.0 environment is presented, together with the proposed algorithms. Section 6 presents the execution of security dialogues. Section 7 provides details on the security analysis, identifying the security requirements and the resistance to attacks, and Section 8 describes the protection of the proposed approach against various types of attacks. Section 9 presents the results obtained using various performance metrics, such as communication and computation cost. Section 10 describes the formal security verification of the proposed approach and finally, in Section 11, conclusions are drawn on the proposed approach.
Section snippets
Related work
This section presents a comparison of the state-of-the-art security schemes currently available. Ali et al. [25] proposed a novel three-factor authentication protocol using the WMSN environment for monitoring healthcare provision. They analyzed Amin’s [31] scheme and found that it offered few security features, for example with respect to impersonation attack. To overcome this, Ali’s [25] scheme proposed to provide resistance against impersonation attack. They also used BAN Logic and the AVISPA tool for
Research questions
The questions studied in our research are presented in Table 2. In a traditional healthcare system, patient data is managed using a doctor-centered approach. To solve this problem, we designed an algorithm to make the healthcare system more patient-centered. Similarly, in real-time monitoring, a patient’s vital signs are transferred through a single communication channel that increases the possibility of attack. To secure EHRs, we propose security dialogues that provide protection against
Proposed approach
In this section, the execution of the proposed approach is introduced. We divide this into three parts: System Architecture, Security dialogues and Algorithm. First, we describe the system’s architecture, consisting of two actions: (1) User Registration and (2) User Login. Second, we present the security dialogues which are communicated between the different entities of the system, such as patient and CS; this process is also divided into two phases: (1) User Registration and (2) Login and
Admin working
Algorithm 1 shows the process of the admin. First, the EHR sends a request for access rights to the CS. The CS can grant access to the patient and/or doctor. During the initialization phase, Admin staff have the right to read, write, add and remove the user, as per admin requirements. Second, admin can check the identity of the patient IDp, and their biometric data Bi. If both values match, then the user is successfully verified. Afterwards, the admin can add the patient to the CS and take
Security dialogues
Table 3 shows the notation and description of each symbol used during the user registration phase, and login and authentication phase.
Fig. 4 illustrates the user registration phase. First, the user registers their personal data, including identity, biometric data and MD identity on to the CS. The user inputs their identity using their biometric data. This generates a random nonce Ru and encrypts the data before sending it to the CS. The CS then generates a random number Rcs and computes the Xu,
Security analysis
Security is required to maintain the privacy of the user throughout their experience. In this study, we completed an analysis of security concerns and identified the requirements for the privacy and security of the user. Requirements, such as mutual authentication, confidentiality, anonymity, scalability and perfect forward security, are now introduced.
Resistance to attacks
In a wireless medium, the possibility of an attack occurring is high. Resistance against attacks is the first priority of any scheme. In this section, we introduce protection against various types of attack, including integrity, DoS, cloud server compromise, Replay, Man-in-the-middle, impersonation, privileged insider and the stolen mobile device attack.
Performance analysis
In this section, we evaluate and compare the performance parameters of the proposed approach with other state-of-the-art schemes using parameters, such as communication and computation cost.
Formal security verification using AVISPA tool
In this section, we demonstrate that the proposed approach is secure through analysis with the AVISPA tool [38]. This tool is widely used for analyzing whether a security approach is safe or unsafe to use. AVISPA provides a GUI and has four back-ends: (1) OFMC, (2) SAT-based Model-Checker (SATMC), (3) CL-ATSE, and (4) Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP).
High-Level Protocol Specification Language (HLPSL) has two
Conclusion
In this paper, we propose a mobile-based approach to securing electronic healthcare records. The approach is divided into seven parts. The first discussed the system’s architecture, while the second described the security dialogues of the proposed approach. In the third part, we described the algorithm for granting access rights to patients, doctors and admin staff. The fourth part described the ability of the proposed approach to resist attacks, fulfilling security requirements. Then, security
Authors Statement
In future, we will explore the application of the proposed approach in a tactile internet environment.
Please find the revised manuscript entitled “Securing Electronic Healthcare Records: A Mobile-based Biometric Authentication Approach” towards a submission for Journal of Information Security and Applications.
We have carefully incorporated all the comments of the reviewers.
We hope reviewers will be satisfied with our response.
As background information, we would like to mention that this is an
Declaration of Competing Interest
None.
References (38)
- et al. Fog computing for healthcare 4.0 environment: opportunities and challenges. Comput Electr Eng (2018)
- et al. Blockchain-based electronic healthcare record system for healthcare 4.0 applications. J Inf Secur Appl (2020)
- et al. An exhaustive survey on security and privacy issues in healthcare 4.0. Comput Commun (2020)
- et al. A provably secure password-based anonymous authentication scheme for wireless body area networks. Comput Electr Eng (2018)
- et al. Securing electronics healthcare records in healthcare 4.0: a biometric-based approach. Comput Electr Eng (2019)
- et al. A new smartSMS protocol for secure SMS communication in m-health environment. Comput Electr Eng (2018)
- et al. An efficient ECC-based provably secure three-factor user authentication and key agreement protocol for wireless healthcare sensor networks. Comput Electr Eng (2018)
- et al. A robust and anonymous patient monitoring system using wireless medical sensor networks. Future Gener Comput Syst (2018)
- et al. Hierarchical key management scheme for securing mobile agents with optimal computation time. Procedia Engineering (2012)
- Design of cloud security in the EHR for indian healthcare services. J King Saud Univ (2017)
- BinDaaS: blockchain-based deep-learning as-a-service in healthcare 4.0 applications. IEEE Trans Netw Sci Eng
- The AVISPA tool for the automated validation of internet security protocols and applications. International conference on computer aided verification
- Ensuring privacy and security in e-health records. 2018 International conference on computer, information and telecommunication systems (CITS)
- The yoking-proof-based authentication protocol for cloud-assisted wearable devices. Pers Ubiquitous Comput
- FAAL: Fog computing-based patient monitoring system for ambient assisted living. 2017 IEEE 19th International conference on e-health networking, applications and services (Healthcom)
- Tactile internet and its applications in 5g era: a comprehensive review. Int J Commun Syst
- Blockchain-based remote patient monitoring in healthcare 4.0. 2019 IEEE 9th International conference on advanced computing (IACC)
- Smart contract privacy protection using ai in cyber-physical systems: tools, techniques and challenges. IEEE Access
- Remote patient monitoring: a comprehensive study. J Ambient Intell Humaniz Comput