Privacy Issues in IoHT
IoHT fulfils the health needs of the people. However, public Internet-connected smart healthcare devices are vulnerable to various security and privacy-related attacks. Some of the privacy issues of IoHT are discussed below [19-24].
- • Failure of data protection mechanisms: Data protection mechanisms use different “encryption algorithms” to protect the stored data as well as transmitted data. However, some of them are vulnerable to various types of attacks, such as “replay,” “man-in-the-middle,” “impersonation” and other forms of data disclosure attacks. Therefore, the confidentiality (privacy) of data in transit as well as the data at rest is at risk. The sensitive healthcare information of patients may be disclosed to unauthorized third parties, which may further raise privacy concerns.
- • Lack of data transparency: In an IoHT communication environment, the health data are stored at the servers (i.e., cloud servers). Sometimes, it may cause data transparency issues (for instance, who is the owner of data and where the data are stored). Moreover, there is also a possibility that the data may be exposed during the “data transferring procedure.”
- • Chances of unauthorized usage: In an IoHT communication environment, since the health-related data are stored at the servers (i.e., cloud servers), it is possible that the service providers re-sell the patients’ data to some advertising agencies. Because service providers may get some incentives through the secondary usage of data, it is important to make clear agreements among the customers (patients or relatives of patients) and the service providers that contain important specifications, such as “who can access their data,” “when it can be used” and “where and how it can be used.”
- • Failure of legal protection: Sometimes, “ambiguous data” flow in an instantaneous manner through different regions which creates problems in the enforcement of privacy laws. This may lead to a loss of “legal protection of privacy” if some provider stores the health data in the cloud. Therefore, all legislation for the stored data should be followed.
- • Lack of skilled staff: In an IoHT environment, the healthcare data stored over the servers (i.e., cloud servers) are managed and administered by the concerned technical staff. Sometimes, the technical staff is not skilled enough or lacks knowledge. Therefore, there is a requirement to conduct rigorous training for such employees to make them aware of various security attacks and privacy breaches of healthcare data.
Threat Model, Security and Privacy Requirements and Various Attacks in IoHT
In this section, we present a “threat model” related with data security and privacy in the IoHT environment. Furthermore, we discuss different security and privacy requirements along with possible attacks in IoHT environments [18, 25].
The widely used “Dolev-Yao (DY) threat model”  is also applicable for the security and privacy considerations in an IoHT environment [27, 28]. As per the guidelines of the DY model, any two communicating entities (parties) communicate over an insecure/public channel in which end-point communicating entities (for example, different health data users, smart healthcare monitoring devices and fog/cloud servers) are not trustworthy. An existing adversary may seize, update or delete the messages sent during the communication. Moreover, an adversary can inject fake messages during the communication. Apart from that, they can physically capture some smart healthcare devices and extract the required sensitive information from their memory in an IoHT environment [29, 30] using some sophisticated techniques, such as power analysis attacks . They can manufacture other duplicate malicious nodes for some unauthorized tasks (i.e., routing attacks and blackhole attacks) using the extracted information of captured devices. These manufactured malicious devices can be directly deployed in the network to launch routing attacks [31-33]. During the successful execution of routing attacks, data packets may be lost, dropped, modified or delayed by the attacker nodes. Therefore, the intended recipient may not get the required information on time, which is a very serious issue in an IoHT communication environment. The current de facto standard model to design an “authenticated key- exchange scheme” is “Canetti and Krawczyk’s adversary model (popularly, known as the CK-adversary model)” [34, 35]. Under the CK-adversary model, it is assumed that an adversary can compromise the “private keys” and “session keys.” The security techniques used require an assurance that if somehow the “secret information” is disclosed (for example, long-term private keys or session keys), it should have a minimum effect on the security of other non-compromised nodes of the communicating network . In addition, in a smartphone/smart card-based security protocol, the smartphone/ smart card of a legitimate registered user in an IoHT environment may be stolen or lost, which can be further utilized to extract the secret information from its memory by the execution of the steps of “power analysis attacks” as discussed in [29, 30] to mount other potential attacks, such as impersonation and offline guessing attacks.
Security and Privacy Requirements in IoHT
In this section, we provide various security and privacy requirements in an IoHT environment that are listed below [3, 19-24, 37]. 
consists of different types of entities, such as devices (for example, smart healthcare devices), fog/cloud servers, gateways and various service providers, which can follow the steps of a “mutual authentication and key establishment process.”
- • Non-repudiation: This property assures that the communicating entity does not refuse the validity of something (i.e., transmitted message). It provides the “proof of the data origin along with its integrity”. Therefore, it becomes difficult to deny “who has sent the message” or “from where a message came.” Further, it can be classified into two categories:
- • Non-repudiation of origin: It confirms the genuineness of the sender (i.e., a message was transmitted by a legitimate party).
- • Non-repudiation of destination: It assures the genuineness of the receiver (i.e., a message was received by a legitimate party).
- • Authorization: This property assures that only the authentic parties (i.e., smart healthcare devices) in an IoHT environment can provide information to other parties (i.e., doctors).
- • Freshness: This property also assures the freshness of the exchanged information in order to avoid the re-transmutation of old messages by the existing attacker/hacker.
- • Availability: It assures only the affiliated network services should be made reachable to “legitimate parties” even in case of a “denial-of-ser- vice (DoS)” attack in an IoHT environment.
- • Third-party protection: It assures the protection of various resources (i.e., healthcare data) against the damage done by third parties (i.e., service providers of IoHT) .
- • Forward secrecy: This property provides assurance of the “forward secrecy” of exchanged messages. It means that if an IoHT device leaves the communication, it must no longer have access to the future messages in the communication environment.
- • Backward secrecy: This property provides assurance of the “backward secrecy” of exchanged messages. It means that if an IoHT device joins (recently deployed) a network, it must not have access to the previously exchanged messages.
Different Types of Attacks in IoHT Environment
Various potential attacks are possible in an IoHT environment that can be conducted by passive or active attackers : 
analysis, an adversary can know which party is communicating with which one and for how long.
- • Replay attack: This attack occurs when an attacker captures (records) the exchanged messages at one place and later on re-sends them to misdirect the recipient.
- • Man-in-the-middle (М1ТМ) attack: In a MITM attack, an attacker can capture the exchanged messages, and later on he/she may try to delete or modify the intercepted messages before forwarding them to the recipient.
- • Impersonation attack: In an impersonation attack, an attacker can successfully compute (identify) the identity of one of the “authorized communicating entities,” and later on the adversary may send a modified message or a completely fake message on behalf of the impersonating party to other communicating parties so that the destinations believe that the messages originated from genuine sources.
- • Denial-of-service (DoS) attack: A DoS attack occurs when an attacker performs some malicious tasks to prevent the legitimate users from accessing the resources of the communication environment (i.e., data resources). There is another variant of DoS attack which is called a “distributed DoS (DDoS)” attack, which can be conducted through multiple attacker machines (i.e., botnets). The examples include various types of flooding attacks (i.e., “Hypertext Transfer Protocol [HTTP] DDoS attack”  and “Transmission Control Protocol [TCP] SYN flood attack” [41, 42]) which consume the resources (i.e., bandwidth and memory) of the target (i.e., web servers) very quickly. A SYN flood is considered as a form of DoS attack in which an attacker first transmits “a succession of SYN requests to a target’s system in an attempt to consume enough server resources in order to make the system unresponsive to legitimate traffic.” The HTTP DDoS attacks happen “when legitimate HTTP requests are initiated in large numbers” .
- • Malware attack: Malware attacks are conducted through the execution of malicious script in a remote system. This helps the attacker to perform unauthorized tasks (for instance, stealing information, encryption of sensitive information and hijacking of the shell of a smart healthcare device). Examples of malware include “trap door,” “logic bomb,” “viruses,” “worms,” “adware,” “ransomware,” “Trojan virus” and “spywares” .
- • A “trap door” acts as “a secret entry point into a program that permits someone that is aware of the trapdoor to gain access without going through the typical security access mechanisms.” A logic bomb is treated as a code that is embedded in some authentic programme which can be set to explode once specific conditions are satisfied. A “Trojan horse” becomes a convenient, or apparently useful, program or command mechanism consisting of hidden code that, when invoked, executes some convenient unwanted or dangerous activity. A virus is considered a code that can contaminate other codes (programmes) by altering them, whereas a worm spreads itself from a system to another system. Ransomware is considered as a form of malware with the ability to encrypt a victim’s files containing sensitive and confidential information. The attacker then requests a ransom from the victim in order to reinstate access to the data based on satisfactory payment . Adware is treated as unwanted software that is developed in order to throw- various advertisements up on the victim’s screen (most often w-ithin a web brow'ser). Adware helps the attacker in generating revenue for the developers maintained by an attacker by “involuntarily displaying online advertisements in the user interface of the software or on a screen that pops up in the user’s face during the installation process” . Finally, spyware is treated as “unwanted software that penetrates a victim’s computing device, steals the victim’s Internet usage data and sensitive information” .
- • Database attack: In an IoHT environment, database-related attacks are quite possible on the database maintained by the healthcare server(s). For example, “Structured Query Language (SQL) injection attacks” and “Cross- Site Scripting (XSS) attacks” may be possible. A SQL injection attack is treated as “an approach that is used by an attacker to inject malicious code into existing SQL statements” . On the other side, an XSS attack is a kind of injection, which helps an attacker to “inject malicious scripts into otherwise benign and trusted websites” .
- • Privileged-insider attack: Although the system is considered as trusted, a privileged insider user may act as an attacker, who has access to the secret credentials of the various entities of the network. The privileged insider user, being the attacker, may misuse the extracted secret information to conduct other unauthorized activities (i.e., offline password guessing attacks, impersonation attacks and session key compromise attacks). This kind of attack sometimes becomes fatal in the system and it requires a strong mechanism to protect against “privileged attacks” [2, 9,48].
- • Physical stolen of smart healthcare devices: As mentioned in the “threat model” discussed in Section 5.4.1, the physical stealing of smart healthcare devices is possible by an attacker since the devices cannot be monitored 24/7. Later on, the attacker can easily extract the credentials from these stolen devices by using the “power analysis attacks” as explained in [29, 30]. The extracted credentials can be further utilized to launch other malicious attacks in an IoHT environment (i.e., “illegal session key computation,” “impersonation attacks,” etc. [2, 48,49]).
-  Confidentiality: Sometimes, it is also called “privacy.” This property provides assurance that the transmitted data should be protected against anyform of unauthorized disclosure. In case of confidentiality, the privacy ofdata in transit and data at rest matters a lot. • Integrity: The integrity property assures “the integrity of the exchangedmessages.” It means that the content of the received messages should notcontain any unauthorized insertion of information or deletion of information. Furthermore, it should not be modified by any unauthorized party during the communication. • Authentication: The authentication property assures the validation of identities of the communicating entities. For instance, the sending and receivingparties first verify their identities mutually, and then they start their communication securely via the established session keys. An IoHT environment
-  Eavesdropping: It is also called a “sniffing or snooping attack.” Such anattack occurs when an attacker eavesdrops on the exchanged messages. Italso forms the base for other types of attacks (i.e., data disclosure attack). • Traffic analysis: It is another method of message interception in whichexamination of the intercepted messages is done to find out which kind ofcommunication is going on in the communication environment. By traffic