Security for Pervasive Health Monitoring Sensor Applications - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Security for Pervasive Health Monitoring Sensor
Applications
  • Krishna Venkatasubramanian and Sandeep K. S.
    Gupta
  • Ira A. Fulton School of Engineering
  • Department of Computer Science and Engineering
  • Arizona State University
  • Tempe, Arizona
  • sandeep.gupta_at_asu.edu

2
IMPACT Research
  • Use-inspired research in pervasive computing &
    wireless sensor networking
  • Goal
  • Pervasive Health monitoring
  • Evaluation of medical applications
  • Features
  • Secure, Dependable and Reliable data collection,
    storage and communication
  • Sponsor
  • Goal
  • Evaluation of crisis response management
  • Features
  • Theoretical model
  • Performance evaluation
  • Access control for crisis management
  • Sponsor

Medical Devices, Mobile Pervasive Embedded Sensor
Networks
Book: Fundamentals of Mobile and Pervasive
Computing, Publisher: McGraw-Hill, Dec. 2004
3
Pervasive Healthcare
4
Motivation & Challenges
  • Motivation
  • By 2050 over 20% of the population will be above 65.
    (US Department of Health)
  • Possible Consequences
  • Acute shortage of medical professionals.
  • Decline in quality of medical care.
  • Increase in medical costs.
  • Automated continuous monitoring of patients can
    reveal problems at an early stage leading to
    better control.
  • Challenges
  • Integration of diverse technologies (micro &
    macro computing entities) for health
    monitoring.
  • Health management systems should be safe,
    dependable, secure and scalable.

5
Pervasive Computing & Healthcare
Pervasive Healthcare: Use Pervasive Computing for day-to-day healthcare
management (monitoring & treatment), made
possible by development of biomedical sensors
Pervasive Computing: Personalized computing power available
everywhere, by embedding computing in the user's
environment.
BSN
  • Features
  • Merger of Physical and Virtual Space
  • Uses computing entities which are
  • - tiny/ cheap
  • - specialized
  • - unsupervised
  • - interconnected
  • Features
  • Extends BSN with embedded medical sensors
  • No time & space restrictions for healthcare
  • Better coverage and quality of care to all.

Overview
Some Applications
Sports Health Management
Assisted Living
Disaster Relief Management
Medical Facility Management
Goal: Enable independent living, general
wellness and disease management.
6
Context Awareness
  • Medical Context
  • Aggregate of 4 base contexts.
  • Each physiological event has to be characterized
    by all 4 base contexts for accurate
    understanding of the patient's health.
  • A contextual template can be created for
    specific physiological events for future
    reference.

Physiological (EKG, Perspiration, Heart Rate)
Context Processor
Spatial (Home, Gym, Office, Hospital, Park)
Medical Context
Aggregate Context
Temporal (Morning, Evening, Night)
Sensor Network
  • Challenges
  • How to determine the aggregate medical context
    from the four base contexts?
  • How to create a contextual template for a
    patient?

Environmental (Humidity, Temp)
Base Context
7
Ayushman
8
Ayushman: A Pervasive Healthcare System
Sanskrit for "long life"
Environmental Sensors (Temperature etc)
  • Project @ IMPACT Lab, Arizona State University
  • Goal: To provide a dependable, non-intrusive,
    secure, real-time automated health monitoring.
  • Scalable and flexible to be used in diverse
    scenarios from home based monitoring to disaster
    relief, with minimal customization.

Internet
Stargate Gateway
External Gateway
Central Server
Medical Sensors (EKG, BP) controlled By Mica2
motes
Medical Professional
Home/Ward Based Intelligence
Body Based Intelligence
Medical Facility Based Intelligence
Vision
  • To provide a realistic environment (test-bed) for
    testing communication protocols and systems for
    medical applications.

K. Venkatasubramanian, G. Deng, T. Mukherjee, J.
Quintero, V. Annamalai and S. K. S.
Gupta, "Ayushman: A Wireless Sensor Network Based
Health Monitoring Infrastructure and Testbed",
In Proc. of IEEE DCOSS, June 2005
9
Ayushman Middleware Architecture
10
Ayushman Remote Medical Monitoring
  • Testbed consists of medical devices interfaced
    using Crossbow motes to a PDA.
  • Medical devices integrated include BP monitor
    (Suntech), EKG monitor (Vernier), Gait Monitor
    (MicaZ based sensors) and TelosB based
    environment sensor

BP and EKG Monitoring
  • Supports query based and continuous data
    collection.
  • System Constraints
  • Low reliability
  • Lack of bandwidth
  • Low memory for processing.

Gait Monitoring
11
Ayushman Client Screen Shot
Patient Details
Current Sensor Value
Sensor Values Trend
Query Result Archived Data
Location of Server
12
Other Similar Projects
  • Proactive Health Project @ Intel
  • Developing sensor network based pervasive
    computing systems
  • Managing daily health and wellness of people at
    homes
  • Proactively anticipate patients' needs and improve
    quality of life.
  • Code Blue Project @ Harvard: sensor network based
    health monitoring
  • Developing sensor network based medical
    applications for
  • Emergency Care
  • Disaster Management
  • Stroke patient rehabilitation
  • AMON Project @ ETH, Zurich
  • Developing multi-functional wearable health
    monitor
  • E.g. BP, pulse, SpO2, ECG, Temperature
  • Aware Project @ the Center for Pervasive Healthcare,
    University of Aarhus, Denmark.
  • Applying context aware computing to hospital
    scenarios

13
Biosensor Networks
14
Biomedical Sensors (Biosensors)
[Figure: EKG and PPG signals with Inter-Pulse-Interval (V1) and Inter-Pulse-Interval (V2)]
  • Physiological Values (PV): Measure stimuli from
    body, e.g. EKG, PPG (Photoplethysmograph)
  • PVs are universally collectable, vary with time
    and can have similar values in one human being
  • Biomedical Sensor Platforms
  • In-vivo sensors
  • Are primarily at experimental stage
  • Measure one stimulus
  • Wearable sensors
  • Groups of sensors packaged together
  • Products available
  • Have wireless capability
  • Generic Sensors
  • Measure environmental stimuli
  • Can perform wireless communication
  • Used in medical monitoring projects, Code Blue @
    Harvard
  • Mica2, MicaZ, TelosB

Nano-scale Blood Glucose level detector, developed
@ UIUC
Mica2 based EKG sensor
AMON Wearable Health Monitor
  • Properties
  • Small form factor
  • Limited processor, memory, communication
    capabilities
  • Form large networks within body for energy-
    efficiency

Life Shirt Ambulatory Monitoring
15
Biosensor Net Security & Energy-Efficiency
  • Security
  • Healthcare systems collect sensitive medical data
    from a patient.
  • Patient privacy is a legal requirement (HIPAA).
  • Health information of a person can be taken
    advantage of.
  • Attacks
  • Fake emergency warnings.
  • Prevent legitimate emergency warnings
  • Battery power depletion
  • Tissue heating
  • Energy-Efficient Topologies
  • Biosensors have limited capabilities
  • Topological formations help in reducing energy
    consumption
  • Many topologies possible: Cluster, Tree
  • Cluster is one of the most energy-efficient
    topologies [HCB00].
  • Security and Topology
  • Topology formation
  • Not traditionally secured
  • Opens systems to attacks during topology
    formation. Example: Sinkholes
  • Securing topology formation is a must

16
Physiological Value Based Security
17
PVS: Physiological Value based Security
ECG, Heart/Pulse Rate
  • Principal Idea: Use PVs as security primitives in
    biomedical sensor networks
  • Hide cryptographic keys
  • Authenticate and secure biosensor communication
  • Examples
  • Blood Pressure, Heart Rate, Glucose level
  • Temporal variations in different PVs.
  • Combination of multiple PVs
  • PV values at two locations are slightly different
  • Use Error Correction Codes like Majority Encoding
    for correction

Blood Pressure

Blood Glucose
Easier and safe key generation
Cheaper key distribution
Sensors
18
Aspects of Physiological Values
Required Properties of Physiological Values
Found: Inter-Pulse-Interval (IPI), Heart Rate
Variation (HRV). Future quest: find others
  • Universal
  • Should be measurable in everyone
  • Distinctive
  • Should be able to differentiate 2 individuals
  • Random
  • To prevent brute-force attacks
  • Time variant
  • If broken, the next set of values should not be
    guessable.

Physiological Certificate
  • Cert = MAC(Key, Data), γ where γ = Key ⊕ PV
  • γ hides the actual Key used for computing the
    Message Authentication Code (MAC) over the data
    for integrity protection.

19
PV Based Communication
Measure pre-defined PV @ sender (PVs) and receiver (PVr)
Generate random key @ sender: RandKey
Compute Physiological Certificate with key RandKey
on Data: Cert = MAC(RandKey, Data), γ where γ = PVs ⊕ RandKey
Send message: <Data, Cert, γ>
Receiver message
Unhide RandKey using PVr and γ from the Cert:
RandKey' = PVr ⊕ Cert.γ
Correct RandKey', verify certificate by computing
MAC: RandKey = ECC(RandKey'), Cert = MAC(RandKey, Data), γ
Error Correction Code used: Majority Encoding
[Juels99, CVG03]
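
An added example, not part of the original slides: the hide/unhide exchange above in Python, assuming the hiding operation is XOR, HMAC-SHA256 as the MAC and a 5-fold repetition code as the Majority Encoding. As in the fuzzy commitment scheme the slide cites, RandKey is encoded before masking so the receiver's majority vote can absorb the small difference between PVs and PVr; `REP`, `KEY_BITS`, `flip` and the sample PV are constructed for illustration.

```python
import hashlib
import hmac
import random
import secrets

REP = 5         # repetitions per key bit (majority encoding); assumed value
KEY_BITS = 32   # short demo key; a deployment would use a longer one

def encode(bits):
    """Majority encoding: repeat every key bit REP times."""
    return [b for b in bits for _ in range(REP)]

def decode(bits):
    """Majority vote over each group of REP bits."""
    return [int(sum(bits[i:i + REP]) > REP // 2)
            for i in range(0, len(bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def mac(key_bits, data):
    # One byte per key bit is wasteful but keeps the demo short.
    return hmac.new(bytes(key_bits), data, hashlib.sha256).digest()

def send(pv_s, data):
    """Sender: generate RandKey, hide it under PVs, MAC the data."""
    rand_key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    gamma = xor(pv_s, encode(rand_key))
    return data, mac(rand_key, data), gamma

def receive(pv_r, message):
    """Receiver: unhide with PVr, error-correct, then verify the MAC."""
    data, cert_mac, gamma = message
    rand_key = decode(xor(pv_r, gamma))
    return hmac.compare_digest(mac(rand_key, data), cert_mac)

def flip(pv, positions):
    """Return a copy of pv with the given bit positions inverted."""
    return [b ^ (i in positions) for i, b in enumerate(pv)]

# Constructed sample: 160 pseudo-random bits standing in for an encoded PV.
_rng = random.Random(7)
PV_S = [_rng.getrandbits(1) for _ in range(KEY_BITS * REP)]

if __name__ == "__main__":
    msg = send(PV_S, b"HR=72")
    print(receive(flip(PV_S, {0, 1, 7, 13}), msg))  # same body, small noise
    print(receive(flip(PV_S, {0, 1, 2}), msg))      # 3 errors in one group
```

Up to two differing bits in each group of five are corrected; a third in any group changes the recovered key, so the MAC check fails.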
20
Choosing Physiological Values
  • Identified PVs
  • Inter-Pulse-Interval (IPI) [PZ06].
  • Heart Rate Variation (HRV) [BZZ05]
  • PV Distinctiveness Testing
  • Performance evaluation criteria
  • False Rejection Rate (FRR)
  • False Acceptance Rate (FAR)
  • FAR and FRR increased if two PVs lack
    synchronicity.
  • Randomness of PVs verified using Chi-Square Test.
  • Interference possible
  • Drastic difference between PVs of two people will
    prevent un-wanted communication

[Figure: HRV from PV0 and PV1 is passed through an encoder to give 128-bit values I0 and I1; Hamming distance < 22 bits (same person), ? 90 bits (different person). Also shown: radio range for intended communication, and interference.]
21
Advantage of Using PV Based Security
Traditional Secure Biosensor Network Communication
S
R
BS
Topology Formation
Key Distribution
Secure Communication
  • Unsecured
  • Cluster
  • Linear
  • Use distributed keys
  • Diffie Hellman (ECC)
  • Pre-deployed Keys
  • Random Key Assignment

PV based Secure Biosensor Network Communication
S
R
BS
Secure Topology Formation
Secure Communication
  • PV based security
  • Centralized Cluster Formation
  • Distributed Cluster Formation
  • Use PV for sensor-sensor secure communication

Key Distribution Completely Eliminated VERY
EFFICIENT
22
Secure Cluster Formation
23
Cluster formation Security Flaws
[Figure: Traditional Cluster Formation Technique, showing leader nodes LN1 to LN3, sensor nodes SN1 to SN6, a weaker signal and a malicious node]
Flaws in Traditional Cluster Formation
  • Hello-Flood Attack
  • Leads to the formation of Sinkholes
  • The sinkhole can now mount selective forwarding
    attacks on the sensor in its cluster.
  • Reason
  • All solicitations supposed to be from LN only.
  • Each LN is assumed to be trustworthy.

LN1
LN2
SN1
SN3
SN2
  • Problem
  • Traditional cluster formation protocol is not
    secure.

24
Secure Cluster Formation
  • PV based inter-sensor communication
  • NO explicit key distribution
  • Keying Structure
  • Pair-wise unique master key Km shared by BS and
    each sensor.
  • Km pre-deployed.
  • Derive 2 keys from Km for each node X in the
    network
  • KX-BS = H(Km, 1)
  • KBS-X = H(Km, 2)
  • H is a secure one-way hash function.
  • Symmetric cryptography used, as asymmetric is
    expensive
  • Assumptions
  • Wireless Medium NOT Trusted
  • Base Station Trustworthy
  • Physical compromise of sensors not possible
    (ambulatory patient)
  • Jamming not considered
  • Leader Nodes identified a priori to cluster formation

Memory Footprint: TinySec 16.5KB; Elliptic Key
Cryptography (163-bit key) 35KB
  • Clusters are temporary topologies.
  • Leader Nodes rotated at regular intervals.
  • Secure cluster formation protocol needs to run
    every time clusters are formed

25
Centralized Cluster Formation
Base Station
[Figure: Base Station with nodes NA, NB, NC and N1 to N4]
Message Complexity: Solicitations N; Relays Np, p M; Reply N; Total O(N)
Solicitation (N3 → broadcast): N3, MAC(KN3-BS, N3), Cert[N3]
Relay (NC → BS): N3, MAC(KN3-BS, N3), Cert[N3], NC, SS, MAC(KNC-BS, NC SS)
Relay (NB → BS): N3, MAC(KN3-BS, N3), Cert[N3], NB, SS, MAC(KNB-BS, NB SS)
Reply (BS → N3): NC, MAC(KBS-N3, NC)
Use Nonce with each message for freshness
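
An added example, not from the original slides: the base station's side of the centralized exchange above, with KX-BS and KBS-X derived from Km as on the Keying Structure slide. Assumptions: H and MAC are HMAC-SHA256, SS is an integer and the BS picks the verified relay with the strongest SS, the nonce is carried in every MAC, and the PV-based Cert field is omitted; all keys and readings are constructed.

```python
import hashlib
import hmac

def H(km, i):
    """H(Km, i) from the slide; HMAC-SHA256 is this example's choice of H."""
    return hmac.new(km, bytes([i]), hashlib.sha256).digest()

def mac(key, *fields):
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()

def solicit(km_sn, sn, nonce):
    """SN broadcast: SN, nonce, MAC(KSN-BS, SN)."""
    return sn, nonce, mac(H(km_sn, 1), sn, nonce)

def relay(km_ln, ln, ss, solicitation):
    """LN forwards the solicitation plus LN, SS, MAC(KLN-BS, LN SS)."""
    nonce = solicitation[1]
    return solicitation + (ln, ss, mac(H(km_ln, 1), ln, b"%d" % ss, nonce))

class BaseStation:
    def __init__(self, master_keys):
        self.km = master_keys   # node id -> pre-deployed master key Km
        self.used = set()       # (SN, nonce) pairs already answered

    def reply(self, relays):
        """Verify every relay for one SN; return (LN, MAC(KBS-SN, LN)) or None."""
        best = None
        for sn, nonce, sn_mac, ln, ss, ln_mac in relays:
            if sn not in self.km or ln not in self.km or (sn, nonce) in self.used:
                continue
            sn_ok = hmac.compare_digest(sn_mac, mac(H(self.km[sn], 1), sn, nonce))
            ln_ok = hmac.compare_digest(
                ln_mac, mac(H(self.km[ln], 1), ln, b"%d" % ss, nonce))
            if sn_ok and ln_ok and (best is None or ss > best[0]):
                best = (ss, ln, sn, nonce)
        if best is None:
            return None
        _, ln, sn, nonce = best
        self.used.add((sn, nonce))
        return ln, mac(H(self.km[sn], 2), ln, nonce)

# Constructed keys, for illustration only.
KEYS = {b"N3": b"k-n3" * 4, b"NB": b"k-nb" * 4, b"NC": b"k-nc" * 4}

if __name__ == "__main__":
    s = solicit(KEYS[b"N3"], b"N3", b"nonce-1")
    spoofed = relay(b"not-a-real-key!!", b"NC", 99, s)   # LN without Km
    relays = [relay(KEYS[b"NB"], b"NB", 40, s), relay(KEYS[b"NC"], b"NC", 60, s)]
    print(BaseStation(KEYS).reply(relays + [spoofed]))
```

A relay that claims a leader's identity without that leader's Km fails the second MAC check and is ignored, however strong its advertised signal.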
26
Distributed Cluster Formation
[Figure: nodes NA, NB, NC and N1 to N4]
Message Complexity: Solicitations M; Reply N; Total Msgs O(N)
Solicitation (NB → broadcast): NB, Cert[NB]
Reply (N3 → NB): N3, NB, Cert[N3, NB]
Reply (N2 → NB): N3, NB, Cert[N3, NB]
Use Nonce with each message for freshness
27
Security Analysis
28
Prototype Implementation
Promiscuous Listener
Logical Setup
  • Implementation on Mica2 motes.
  • Promiscuous listener used to see workings of the
    protocol.
  • Attacked the setup,
  • Spoofed LN
  • Spoof SN
  • Attacks Thwarted

BS
LN
LN
Smaller memory footprint than TinySec (16.5KB) as
crypto routines are used directly instead of through
TinySec, minimizing overhead. (Only MAC routines
used)
Spoofed LN
SN
SN
Distributed
Spoofed SN
Centralized
Actual Setup
File Sizes
Clusters
SN
LN
LN
LN
LN
Base Station
29
Conclusions and Future Work
  • Biosensor Network Management using secure
    energy-efficient topology construction.
  • Use of Physiological Values for establishing
    session keys between biosensors, for example
    Inter-Pulse Interval and Heart-Rate Variation.
  • Prototyped protocol using Mica2 motes and tested
    resiliency by actively attacking it.
  • Future Work
  • Expand the set of Physiological Values used for
    securing biosensor communication.
  • Incorporate PVs into the implementation and
    evaluate efficiency

30
Communication Scheduling for PVS
  • PVs are unpredictable and vary with time
  • At a given time PVs measured at co-located
    sensors are similar
  • For communication, it is necessary to follow a
    schedule for efficient functioning
  • At MT, both sender & receiver measure a
    pre-decided PV
  • At ST, sender and receiver communicate using the
    PV measured in the MT before

Sender Sequence
1
3
7
Receiver Sequence
6,9
7

Solicitation Time (ST)
Measurement Time (MT)
Broadcast (used for solicitations)
  • Schedule is computed a priori by BS, based on
    network topology and communication requirements,
    and distributed to sensors
  • Every communication requires a new measurement of
    PV, old values are NEVER reused

31
Feasibility
  • Single PV for all sensors ?
  • All sensors cannot be expected to measure same
    PV.
  • Need enough PVs to allow senders and receivers to
    choose the one they have in common.
  • Multiple stimuli Measurement
  • Multi-modal wearable monitoring devices available
  • Vivago WristCare (Wrist Wearable): patient
    activity, skin temperature, skin conductivity
    (http://www.istsec.fi/eng/Etuotteet.htm)
  • AMON (Wrist Wearable): EKG, Blood Pressure, SpO2
    [LA02]
  • Life Shirt (Smart Clothes): EKG, perspiration,
    posture, SpO2 (http://www.vivometric.com)
  • For in-vivo sensors, such capabilities are not
    yet available to the best of our knowledge.
  • Powering sources
  • Power-paper cells which can be printed
    (http://www.powerpaper.com)
  • Battery made of fiber that can be woven [ASG05]
  • Body movement and heat [ASG05]
  • Flexible solar cells, textile coils, even bike
    dynamo [ASG05]

32
References
  • [Juels99] Ari Juels and Martin Wattenberg, A
    Fuzzy Commitment Scheme, 1999.
  • [SGW01] Loren Schwiebert, Sandeep K. S. Gupta,
    Jennifer Weinmann et al., Research Challenges in
    Wireless Networks of Biomedical Sensors, The
    Seventh Annual International Conference on Mobile
    Computing and Networking, pp 151-165, Rome, Italy,
    July 2001.
  • [HCB00] Wendi Rabiner Heinzelman, Anantha
    Chandrakasan, and Hari Balakrishnan,
    Energy-Efficient Communication Protocol for
    Wireless Microsensor Networks, Proceedings of the
    33rd International Conference on System Sciences
    (HICSS '00), January 2000.
  • [CVG03] Sriram Cherukuri, Krishna K.
    Venkatasubramanian, Sandeep K. S. Gupta, BioSec:
    A Biometric Based Approach for Securing
    Communication in Wireless Networks of Biosensors
    Implanted in the Human Body, in International
    Conference on Parallel Processing Workshops,
    October 6-9, 2003, Kaohsiung, Taiwan.
  • [KW03] Chris Karlof and David Wagner, Secure
    Routing in Wireless Sensor Networks: Attacks and
    Countermeasures, In Proceedings of IEEE
    International Conference on Communication,
    July 2003, Anchorage.
  • [LA02] Paul Lukowicz et al., AMON: A Wearable
    Computer for High Risk Patients, In Proc. of 6th
    IEEE International Symposium on Wearable
    Computers, 2002.

33
References (contd..)
  • [BZZ05] Shu-Di Bao and Y.-T. Zhang and
    Yuang-Ting Zhang, Physiological Signal Based
    Entity Authentication for Body Area Sensor
    Networks and Mobile Healthcare Systems, In Proc.
    of the IEEE 27th Conference on Engineering in
    Medicine and Biology, Sept. 2005, China.
  • [PZ06] Carmen C. Y. Poon, Yuan-Ting Zhang, A
    Novel Biometric Method for Secure Wireless Body
    Area Sensor Network for Telemedicine and
    M-Health, IEEE Communications, April 2006.
  • [ASG05] Fabrice Axisa et al., Flexible
    Technologies and Smart Clothing for Citizen
    Medicine, Home Healthcare and Disease Prevention,
    In IEEE Trans. on Info. Tech. in Biomedicine,
    9(3), 2005.
  • [LG04] K. Van Laerhoven and H.-W. Gellersen,
    Spine versus Porcupine: a Study in Distributed
    Wearable Activity Recognition, In Proc. of 8th
    International Symposium on Wearable Computers,
    2004, Arlington, VA.
  • [MWS04] David J. Malan, Matt Welsh, and Michael
    D. Smith, A Public-Key Infrastructure for Key
    Distribution in TinyOS Based on Elliptic Curve
    Cryptography, 1st IEEE International Conference
    on Sensor and Ad Hoc Communications and Networks,
    2004.