Privacy-Preserving Authentication and Key-Management Protocol for Health Information Systems
Mukesh Soni and Dileep Kumar Singh
The term ‘smart city’ refers to the advancement in people’s lifestyles, where traditional systems and facilities are enhanced for further effectuality, sustainability and flexibility with the help of technologies and diverse categories of Internet of things (IoT) sensors to gather tremendous data from different devices. These collected data are analysed to manage assets, resources and services efficiently to improve the city’s operations, such as the administration of movement and carriage systems, infrastructure, healthcare systems and crime detection. This increases the protection, efficiency, throughput and superiority of life for the advantage of its populations. So, smart cities are better than normal cities as they are safer .
Smart city components include streetlights, traffic management, infrastructure, grid sector, healthcare and so on. These apparatuses make the municipalities smart and effectual by improving the quality of services, such as remote data storage/ access/transmission, while reducing overall costs. Healthcare refers to the maintenance or improvement of the health of people by the prevention or avoidance, detection, treatment, recovery or cure of any kind of physical and mental problems in any way possible. There are health professionals who provide different healthcare treatments for various problems. The smart healthcare component of smart cities has been introduced because traditional healthcare systems are facing diverse challenges .
Challenges in Traditional Healthcare Systems
Traditional healthcare systems face major challenges in providing low-cost and quality healthcare facilities. These difficulties are also intensified by the growing aged population, which leads to a mass of long-lasting diseases, increasing the need for healthcare facilities . It is tough to get appropriate healthcare amenities in remote areas due to limited resources, such as an insufficient number of physicians to meet the needs of the citizens . Moreover, hospitals may sometimes make errors while supervising infectious diseases, and even sometimes patients are given the incorrect medication. Due to these challenges, the existing healthcare structure must change into a modern healthcare system which is intelligent, sustainable and efficient. The smart healthcare concept involves various entities and technologies like sensors and wearable components while using information and communications technology (ICT).
Smart healthcare is defined as the technology that provides better diagnostic tools, devices, efficient resources and services. Hence, it leads to improved treatment for patients and advances the quality of life for anyone and everyone. With quick and productive innovation in transmission technology and semiconductor tools, IoT- based smart healthcare is not an idea, but real-life experience. Sensing devices collect clients’ important data and transmit them via diverse channels to the cloud level for managing, storage space and judgement-making or information mining .
Elements of smart healthcare are on-body sensors, hospitals and emergency response groups. A smart healthcare system revolves around, but is not limited to, sensors that are installed close to the patient’s body area or in the adjacent ecosystem to know the location, motion and variations in critical signals of patients. Distinct body sensors obtain various biological symptoms like blood pressure, heart rate, blood sugar, pulse rate, brain activity and temperature, while sensors deployed in the environment, such as the home and clothes, are utilized to examine the patient’s movements or behaviours. These sensors are conceived to be very portable and even run in situations that may have limited processing infrastructure support. Analysing the output data obtained from such sensors gives an estimate of certain kinds of
FIGURE 3.1 Overview of a smart healthcare system.
motions that the machine has undergone, such as changes, tilt, shake, cycle and rotate .
The mix of cloud computing and IoT for smart healthcare is shown in Figure 3.1, and significantly improves healthcare services, providing a system for continuous monitoring. The patients’ health data composed by the sensors are transferred to a medical database. The cloud is used as the data storage, offering flexible storage and processing infrastructure. Thus, medical physicians can do realistic analyses through both kinds (online and offline) of investigations of data. The cloud data centre is common and accessed by healthcare providers, scientists, government organizations, insurance businesses and patients. By facilitating effective cooperation amongst the diverse involved entities, the medical procedures, such as diagnosis and emergency medical response, are advanced, thus significantly refining the efficacy of healthcare. It greatly changes the healthcare facilities of hospitals and health organizations [7, 8].
Challenges in Smart Healthcare
A range of challenges are faced while trying to implement a sustainable healthcare system. If these challenges are solved, this could benefit the society and economy. IoT helps in the administration of key and non-critical procedures with the ambition of making our lives easier and safer. It leads to an enormously positive impression on our lives. Nevertheless, with these benefits, IoT structures have additionally received undesirable observations from spiteful users and attackers who intend to use flaws inside IoT arrangements for their individual benefit, discussed as security attacks, such as distributed denial of service (DDoS) and man-in-the-middle attacks. Delicate health data can be exposed to various safety attacks and threats at separate stages while detecting, saving or transferring data. Many smart healthcare methods have been suggested to examine medical situations of victims in real time with the speedy growth of wearable biosensors and radio transmission technologies. Nevertheless, several protection difficulties have arisen in these structures due to various security requirements [7-9]. Key management is an important problem in authentication mechanisms, as users and the server should verify each other in a public environment. Specifically, users send some parameters to the server to prove their authenticity, and the server also sends some values to users as a response confirmation and to prove the server’s genuineness for mutual authentication. Therefore, it is crucial for the server and users to trust each other in a shared network. In this situation, users and the server confirm their authenticity based on a session key with a short period of validity through key management. Possible protection risks associated with smart healthcare structures are as follows [10, 11], and Figure 3.2 provides an outline of these threats from adversaries.
- • Passive: This can be portrayed as an intruder spying via a public channel. The challenger scrutinizes the sent packets to obtain intelligence concerning the target (e.g., customers, structure, transmitting objects) instead of trying to damage the system or revise the communicated data (i.e., active attack). Examples of such attacks are side channel attacks, eavesdropping and traffic analysis.
- • Active: An adversary attempts to alter the transmitted data by intruding in the structure. The challenger would insert phony statistics and potentially distort data in the system. Examples of such attacks are denial of service (DoS), brute force and masquerading.
Chapter structure: In Section 3.2, we give a literature survey of existing authentication mechanisms for medical applications. In Section 3.3, we suggest a lightweight user verification and key-management protocol for medical users to achieve privacy. Section 3.4 presents execution analysis to understand the efficiency of the suggested scheme. We conclude this chapter in Section 3.5.
Literature Survey of Authentication and Key-Management Protocol in a Health Information System
Telecare medicine information systems (TMIS) provide healthcare delivery services via a public network, i.e., the Internet. Patients send their health data using medical devices from their home via this network. Doctors make diagnoses and send results via a public channel. Thus, it becomes crucial to look at the security risks associated with a public network. Hence, sensitive information could be attacked by adversaries. Thus, the need for authenticated and secure communication to deal with various security challenges in this area.
In 2012, Wu et al.  offered a secure validation method for TMIS using Advanced Encryption Standard (AES), hash functions and discrete logarithmic problems to improve the security of the mechanism. The usage of these functions adds the precomputing mechanism within the communication process and stores the computed values in advance in a smart card to reduce the computational time during the authentication process. When these values are required, they are extracted from the smart card efficiently, ensuring a high level of security, and it is more practical for TMIS environments to avoid the time-consuming and high-cost computations. He et al.  pointed out that the system  cannot resist impersonation and insider attacks, and they proposed an advanced authentication scheme using similar cryptographic primitives to overcome the vulnerabilities found in Ref. .
In 2012, Wei et al.  suggested that both schemes [12, 13] failed to achieve two- factor authentication, which should be achieved by smart card-based authentication schemes. Researchers in Ref.  presented an improved authentication technique to enhance efficiency and satisfy the protection constraints of two-factor verification, but it is vulnerable to an offline password-guessing attack when the client’s smart card is missing, as described in Zhu . Further, Zhu  suggested a method to overcome the discussed weakness by improving the method’s strengths against various security threats.
In 2012, Chen et al.  presented an economical client verification system for unidentified interaction in TMIS to overcome security flaws of dynamic ID-based schemes. However, Lin  illustrated that the design in Ref.  fails to comply with client secrecy due to dictionary and password-guessing attacks. Therefore, Lin  proposed an unidentified dynamic ID-based scheme based on the RSA algorithm to remove these flaws. Cao and Zhai  also found that, in Ref. , an intruder can identify a user by a common connection attack or an offline identity-guessing attack. Besides, the scheme in Ref.  needs a large amount of computational capacity to verify a permitted client or reject an illicit client on the server-side.
In 2013, Guo et al.  presented a new Chebyshev chaotic maps-based password- validated key agreement through smart cards using Chebyshev chaotic maps to create the session key between a client and the server. The study showed that their procedure could give secrecy, resist numerous attacks and fulfil protection needs. The survey in Ref.  proved that chaotic map function is more effective than a modular exponential function. Thus, Guo et al.’s system is more appropriate for
TMIS than the schemes based on conventional cryptography, but Hao et al.  found that the scheme in Ref.  suffers from an inability to offer privacy and the ineffectiveness of the dual-secret keys, leading to a failure of protection of user secrecy. Therefore, they  proposed a new chaotic map-based verification system, but it is still vulnerable to a stolen smart card attack, as clarified in Ref. .
In 2016, Li et al.  presented a safe identity and chaotic maps-based client verification and key arrangement system; nevertheless it is susceptible to impersonation and password-guessing attacks, and it does not offer client secrecy, convenient smart card cancellation or safety to the session key as discussed in Ref. . To deal with these threats, Madhusudhan et al.  proposed a robust verification system using chaotic maps, and its computational resources are reasonable while confirming a client. In 2018, Radhakrishnan et al.  proposed an RSA-based confirmation method for TMIS to deal with different security threats, but its computation and storage costs are high in the system. Further, Dharminder et al.  showed that  is vulnerable to linkability problems, as well as insecure to password-guessing and stolen smart card issues. Thus, Dharminder et al.  proposed a different protected RSA- based authentication mechanism to advance the user verification system. However, we notice that RSA is not a lightweight cryptographic primitive, and it increases the execution time in Ref.  while sending medical data. Besides, the scheme  is designed using public key cryptography (i.e., RSA), leading to insecurity against public key attacks. Ultimately, the authentication protocol should be secure and efficient while considering the personal data protection of medical users. Hence, we propose a privacy-preserving lightweight verification and key-management system for medicinal clients.