Title: Security for Pervasive Health Monitoring Sensor Applications
1. Security for Pervasive Health Monitoring Sensor Applications
- Krishna Venkatasubramanian and Sandeep K. S. Gupta
- Ira A. Fulton School of Engineering
- Department of Computer Science and Engineering
- Arizona State University
- Tempe, Arizona
- sandeep.gupta_at_asu.edu
2. IMPACT Research
- Use-inspired research in pervasive computing and wireless sensor networking
- Goal
  - Pervasive health monitoring
  - Evaluation of medical applications
- Features
  - Secure, dependable and reliable data collection, storage and communication
- Sponsor
- Goal
  - Evaluation of crisis response management
- Features
  - Theoretical model
  - Performance evaluation
  - Access control for crisis management
- Sponsor
- Medical devices; mobile, pervasive and embedded sensor networks
- BOOK: Fundamentals of Mobile and Pervasive Computing, Publisher McGraw-Hill, Dec. 2004
3. Pervasive Healthcare
4. Motivation and Challenges
- Motivation
  - By 2050 over 20% of the population will be above 65 (US Department of Health).
  - Possible consequences
    - Acute shortage of medical professionals.
    - Decline in quality of medical care.
    - Increase in medical costs.
  - Automated continuous monitoring of patients can reveal problems at an early stage, leading to better control.
- Challenges
  - Integration of diverse technologies (micro and macro computing entities) for health monitoring.
  - Health management systems should be safe, dependable, secure and scalable.
5. Pervasive Computing and Healthcare
- Pervasive Computing: personalized computing power available everywhere, by embedding computing in the user's environment.
  - Features
    - Merger of physical and virtual space
    - Uses computing entities which are tiny/cheap, specialized, unsupervised and interconnected
- Pervasive Healthcare: use pervasive computing for day-to-day healthcare management (monitoring and treatment), made possible by the development of biomedical sensors.
  - Features
    - Extends the BSN with embedded medical sensors
    - No time or space restrictions for healthcare
    - Better coverage and quality of care to all.
- Some applications
  - Sports health management
  - Assisted living
  - Disaster relief management
  - Medical facility management
- GOAL: Enable independent living, general wellness and disease management.
6. Context Awareness
- Medical Context
  - Aggregate of 4 base contexts: Physiological (EKG, perspiration, heart rate), Spatial (home, gym, office, hospital, park), Temporal (morning, evening, night) and Environmental (humidity, temperature).
  - Each physiological event has to be characterized by all 4 base contexts for an accurate understanding of the patient's health.
  - A contextual template can be created for specific physiological events for future reference.
- Figure: Sensor Network -> Base Contexts -> Context Processor -> Aggregate Context (Medical Context)
- Challenges
  - How to determine the aggregate medical context from the four base contexts?
  - How to create a contextual template for a patient?
7. Ayushman
8. Ayushman: A Pervasive Healthcare System
- Ayushman is Sanskrit for "long life".
- Project at the IMPACT Lab, Arizona State University.
- Goal: To provide dependable, non-intrusive, secure, real-time automated health monitoring.
- Scalable and flexible enough to be used in diverse scenarios, from home-based monitoring to disaster relief, with minimal customization.
- Architecture figure labels: Body Based Intelligence (medical sensors such as EKG and BP controlled by Mica2 motes; environmental sensors such as temperature), Home/Ward Based Intelligence (Stargate gateway), Internet, Medical Facility Based Intelligence (external gateway, central server, medical professional).
- Vision: To provide a realistic environment (test-bed) for testing communication protocols and systems for medical applications.
- K. Venkatasubramanian, G. Deng, T. Mukherjee, J. Quintero, V. Annamalai and S. K. S. Gupta, "Ayushman: A Wireless Sensor Network Based Health Monitoring Infrastructure and Testbed", in Proc. of IEEE DCOSS, June 2005.
9. Ayushman Middleware Architecture
10. Ayushman: Remote Medical Monitoring
- Testbed consists of medical devices interfaced to a PDA using Crossbow motes.
- Medical devices integrated include a BP monitor (Suntech), EKG monitor (Vernier), gait monitor (MicaZ based sensors) and a TelosB based environment sensor.
- Supports query-based and continuous data collection.
- System constraints
  - Low reliability
  - Lack of bandwidth
  - Low memory for processing.
- Figures: BP and EKG monitoring; gait monitoring
11. Ayushman Client Screen Shot
- Screenshot labels: patient details, current sensor value, sensor values trend, query result / archived data, location of server
12. Other Similar Projects
- Proactive Health Project at Intel
  - Developing sensor network based pervasive computing systems
  - Managing daily health and wellness of people at home
  - Proactively anticipate patients' needs and improve quality of life.
- Code Blue Project at Harvard: sensor network based health monitoring
  - Developing sensor network based medical applications for emergency care, disaster management and stroke patient rehabilitation
- AMON Project at ETH Zurich
  - Developing a multi-functional wearable health monitor, e.g. BP, pulse, SpO2, ECG, temperature
- Aware Project at the Center for Pervasive Healthcare, University of Aarhus, Denmark
  - Applying context aware computing to hospital scenarios
13. Biosensor Networks
14. Biomedical Sensors (Biosensors)
- Figure: Inter-Pulse-Interval (V1) derived from an EKG and Inter-Pulse-Interval (V2) derived from a PPG signal
- Physiological Values (PV) measure stimuli from the body, e.g. EKG, PPG (photoplethysmograph)
- PVs are universally collectable, vary with time and can have similar values within one human being
- Biomedical sensor platforms
  - In-vivo sensors
    - Primarily at the experimental stage
    - Measure one stimulus
  - Wearable sensors
    - Groups of sensors packaged together
    - Products available
    - Have wireless capability
  - Generic sensors
    - Measure environmental stimuli
    - Can perform wireless communication
    - Used in medical monitoring projects, e.g. Code Blue at Harvard (Mica2, MicaZ, TelosB)
- Figures: nano-scale blood glucose level detector developed at UIUC; Mica2 based EKG sensor; AMON wearable health monitor; Life Shirt ambulatory monitoring
- Properties
  - Small form factor
  - Limited processor, memory and communication capabilities
  - Form large networks within the body for energy-efficiency
15. Biosensor Network Security and Energy-Efficiency
- Security
  - Healthcare systems collect sensitive medical data from a patient.
  - Patient privacy is a legal requirement (HIPAA).
  - Health information of a person can be taken advantage of.
- Attacks
  - Fake emergency warnings.
  - Prevent legitimate emergency warnings
  - Battery power depletion
  - Tissue heating
- Energy-Efficient Topologies
  - Biosensors have limited capabilities
  - Topological formations help in reducing energy consumption
  - Many topologies possible: cluster, tree
  - Cluster is one of the most energy-efficient topologies [HCB00].
- Security and Topology
  - Topology formation is not traditionally secured
  - This opens systems to attacks during topology formation. Example: sinkholes
  - Securing topology formation is a must
16. Physiological Value Based Security
17. PVS: Physiological Value based Security
- Principal idea: use PVs as security primitives in biomedical sensor networks
  - Hide cryptographic keys
  - Authenticate and secure biosensor communication
- Examples
  - Blood pressure, heart rate, glucose level
  - Temporal variations in different PVs.
  - Combination of multiple PVs
- PV values at two locations are slightly different
  - Use error correction codes like majority encoding for correction
- Easier and safe key generation; cheaper key distribution
- Figure: sensors on the body measuring ECG / heart (pulse) rate, blood pressure and blood glucose
18. Aspects of Physiological Values
- Required properties of physiological values
  - Universal: should be measurable in everyone
  - Distinctive: should be able to differentiate 2 individuals
  - Random: to prevent brute-force attacks
  - Time variant: if broken, the next set of values should not be guessable.
- FOUND: Inter-Pulse-Interval (IPI), Heart Rate Variation (HRV). FUTURE QUEST: find others
- Physiological Certificate
  - Cert = ⟨MAC(Key, Data), δ⟩, where δ = Key ⊕ PV
  - δ hides the actual Key used for computing the Message Authentication Code (MAC) over the data for integrity protection.
19. PV Based Communication
- Measure the pre-defined PV at the sender (PVs) and at the receiver (PVr)
- Generate a random key RandKey at the sender
- Compute the physiological certificate with RandKey on Data: Cert = MAC(RandKey, Data), δ, where δ = PVs ⊕ RandKey
- Send the message ⟨Data, Cert, δ⟩
- Receive the message and unhide RandKey using PVr and δ from the Cert:
  - RandKey' = PVr ⊕ δ
  - RandKey = ECC(RandKey')
  - Verify the certificate by computing the MAC: Cert = MAC(RandKey, Data)?
- Error correction code used: majority encoding [Juels99, CVG03]
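The exchange above, as an added worked example that is not part of the original slides: the sender's RandKey is expanded with a repetition (majority) code before being XORed with its PV, so the receiver can majority-decode it from a slightly different PV and then check the MAC. Key length, repetition factor, HMAC-SHA256 as the MAC, and the bit-flip patterns standing in for same-body and other-body PVs are all constructed assumptions.

```python
import hashlib
import hmac
import random
import secrets

KEY_BITS = 32   # constructed demo size; a deployment would use a longer key
REP = 5         # majority (repetition) code length: corrects up to 2 flipped bits per block
PV_BITS = KEY_BITS * REP

def majority_encode(key_bits):
    """ECC encode: repeat every key bit REP times."""
    return [b for b in key_bits for _ in range(REP)]

def majority_decode(code_bits):
    """ECC decode: majority vote inside each block of REP bits."""
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def hamming(a, b):
    return sum(xor(a, b))

def key_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")

def sender(pv_s, data):
    """Sender: RandKey, Cert = MAC(RandKey, Data), delta = PVs XOR ECC(RandKey)."""
    rand_key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    cert = hmac.new(key_bytes(rand_key), data, hashlib.sha256).digest()
    delta = xor(pv_s, majority_encode(rand_key))
    return data, cert, delta

def receiver(pv_r, message):
    """Receiver: RandKey = ECC(PVr XOR delta); accept only if the MAC verifies."""
    data, cert, delta = message
    rand_key = majority_decode(xor(pv_r, delta))
    expected = hmac.new(key_bytes(rand_key), data, hashlib.sha256).digest()
    return hmac.compare_digest(cert, expected)

def demo(seed=7):
    """Constructed PVs: the receiver on the same body sees PVs with every 8th bit
    flipped (at most one flip per block); another body yields an unrelated PV."""
    rng = random.Random(seed)
    pv_s = [rng.getrandbits(1) for _ in range(PV_BITS)]
    pv_same = [b ^ (i % 8 == 0) for i, b in enumerate(pv_s)]
    pv_other = [rng.getrandbits(1) for _ in range(PV_BITS)]
    message = sender(pv_s, b"EKG sample: 72 bpm")   # constructed payload
    return {"same_body_accepts": receiver(pv_same, message),
            "other_body_accepts": receiver(pv_other, message),
            "same_body_distance": hamming(pv_s, pv_same),
            "other_body_distance": hamming(pv_s, pv_other)}
```

A block with 3 or more flipped bits decodes to the wrong key bit, so the MAC check fails rather than silently accepting a partially recovered key.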
20. Choosing Physiological Values
- Identified PVs
  - Inter-Pulse-Interval (IPI) [PZ06].
  - Heart Rate Variation (HRV) [BZZ05]
- PV distinctiveness testing
  - Performance evaluation criteria: False Rejection Rate (FRR), False Acceptance Rate (FAR)
  - FAR and FRR increase if two PVs lack synchronicity.
  - Randomness of PVs verified using the Chi-Square test.
- Interference possible
  - A drastic difference between the PVs of two people will prevent unwanted communication
- Figure: HRV values PV0 and PV1 are each passed through an encoder to give 128-bit strings I0 and I1; Hamming distance < 22 bits (same person), ≥ 90 bits (different person). Radio range covers both the intended communication and interfering nodes.
21. Advantage of Using PV Based Security
- Traditional secure biosensor network communication (figure: sensors S, R and base station BS): Topology Formation -> Key Distribution -> Secure Communication
  - Key distribution: Diffie-Hellman (ECC), pre-deployed keys, random key assignment
- PV based secure biosensor network communication (figure: S, R, BS): Secure Topology Formation -> Secure Communication
  - PV based security
  - Centralized cluster formation
  - Distributed cluster formation
  - Use PV for sensor-to-sensor secure communication
- Key distribution completely eliminated: VERY EFFICIENT
22. Secure Cluster Formation
23. Cluster Formation: Security Flaws
- Figure: traditional cluster formation technique with leader nodes LN1-LN3 and sensor nodes SN1-SN6; a malicious node solicits sensors alongside the legitimate leader (labels: weaker signal, malicious node).
- Flaws in traditional cluster formation
  - Hello-flood attack
  - Leads to the formation of sinkholes
  - The sinkhole can now mount selective forwarding attacks on the sensors in its cluster.
- Reason
  - All solicitations are supposed to come from LNs only.
  - Each LN is assumed to be trustworthy.
- Problem
  - The traditional cluster formation protocol is not secure.
24. Secure Cluster Formation
- PV based inter-sensor communication: NO explicit key distribution
- Keying structure
  - Pair-wise unique master key Km shared by the BS and each sensor; Km is pre-deployed.
  - Derive 2 keys from Km for each node X in the network:
    - K_X-BS = H(Km, 1)
    - K_BS-X = H(Km, 2)
  - H is a secure one-way hash function.
  - Symmetric cryptography is used, as asymmetric cryptography is expensive (memory footprint: TinySec 16.5KB; elliptic curve cryptography with a 163-bit key 35KB)
- Assumptions
  - Wireless medium NOT trusted
  - Base station trustworthy
  - Physical compromise of sensors not possible (ambulatory patient)
  - Jamming not considered
  - Leader nodes identified a priori, before cluster formation
- Clusters are temporary topologies.
  - Leader nodes are rotated at regular intervals.
  - The secure cluster formation protocol needs to run every time clusters are formed
25. Centralized Cluster Formation
- Figure: base station BS, leader nodes NA, NB, NC and sensor nodes N1-N4
- Message complexity: Solicitations N, Relays Np (p M), Replies N, Total O(N)
- Solicitation (N3 -> all): N3, MAC(K_N3-BS, N3), Cert_N3
- Relay (NC -> BS): N3, MAC(K_N3-BS, N3), Cert_N3, NC, SS, MAC(K_NC-BS, NC, SS)
- Relay (NB -> BS): N3, MAC(K_N3-BS, N3), Cert_N3, NB, SS, MAC(K_NB-BS, NB, SS)
- Reply (BS -> N3): NC, MAC(K_BS-N3, NC)
- Use a nonce with each message for freshness
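The keying structure of slide 24 and the centralized solicitation / relay / reply exchange of this slide, as an added simulation that is not the authors' protocol code: each sensor derives K_X-BS and K_BS-X from its pre-deployed Km, the base station authenticates every relay before choosing the leader with the strongest signal, and a nonce ties the reply to one solicitation so a repeated relay is dropped. H instantiated as SHA-256 over Km with a direction byte, HMAC-SHA256 as the MAC, and the omission of the PV certificate are assumptions of this example.

```python
import hashlib
import hmac
import os

def derive_keys(km):
    """Slide 24 keying: K_X-BS = H(Km, 1), K_BS-X = H(Km, 2); H = SHA-256 is an assumption."""
    return (hashlib.sha256(km + b"\x01").digest(),   # node -> BS direction
            hashlib.sha256(km + b"\x02").digest())   # BS -> node direction

def mac(key, *fields):
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()

class Sensor:
    def __init__(self, nid, km):
        self.nid, (self.to_bs, self.from_bs) = nid, derive_keys(km)
    def solicit(self):                 # Solicitation (X -> all): X, nonce, MAC(K_X-BS, X, nonce)
        self.nonce = os.urandom(8)
        return self.nid, self.nonce, mac(self.to_bs, self.nid, self.nonce)
    def relay(self, sol, ss):          # Relay (L -> BS) by a leader that heard X at signal strength ss
        node, nonce, sol_mac = sol
        return node, nonce, sol_mac, self.nid, ss, mac(self.to_bs, self.nid, bytes([ss]), nonce)
    def accept(self, reply):           # Reply (BS -> X): leader, MAC(K_BS-X, leader, nonce)
        leader, reply_mac = reply
        return hmac.compare_digest(reply_mac, mac(self.from_bs, leader, self.nonce))

class BaseStation:
    def __init__(self, master_keys):
        self.keys = {nid: derive_keys(km) for nid, km in master_keys.items()}
        self.answered = set()          # (node, nonce) already assigned: a replayed relay is dropped
    def assign(self, relays):
        """Choose the strongest authenticated relay for one solicitation; None if nothing valid."""
        best = None
        for node, nonce, sol_mac, leader, ss, relay_mac in relays:
            if node not in self.keys or leader not in self.keys:
                continue               # a spoofed LN shares no Km with the BS, so it is ignored
            if not hmac.compare_digest(sol_mac, mac(self.keys[node][0], node, nonce)):
                continue
            if not hmac.compare_digest(relay_mac, mac(self.keys[leader][0], leader, bytes([ss]), nonce)):
                continue
            if best is None or ss > best[1]:
                best = (leader, ss, node, nonce)
        if best is None or (best[2], best[3]) in self.answered:
            return None
        self.answered.add((best[2], best[3]))
        return best[0], mac(self.keys[best[2]][1], best[0], best[3])

def demo():
    """Constructed run: N3 solicits; leaders NB (ss 40) and NC (ss 70) relay; a spoofed
    leader NX without a master key relays with the strongest signal and is ignored."""
    km = {n: os.urandom(16) for n in (b"N3", b"NB", b"NC")}
    bs = BaseStation(km)
    n3, nb, nc = (Sensor(n, km[n]) for n in (b"N3", b"NB", b"NC"))
    spoof = Sensor(b"NX", os.urandom(16))
    sol = n3.solicit()
    reply = bs.assign([nb.relay(sol, 40), spoof.relay(sol, 99), nc.relay(sol, 70)])
    replay = bs.assign([nc.relay(sol, 70)])   # same nonce presented again
    return reply[0], n3.accept(reply), replay
```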
26. Distributed Cluster Formation
- Figure: leader nodes NA, NB, NC and sensor nodes N1-N4
- Message complexity: Solicitations M, Replies N, Total messages O(N)
- Solicitation (NB -> all): NB, Cert_NB
- Reply (N3 -> NB): N3, NB, Cert_N3,NB
- Reply (N2 -> NB): N3, NB, Cert_N3,NB
- Use a nonce with each message for freshness
27. Security Analysis
28. Prototype Implementation
- Implementation on Mica2 motes.
- A promiscuous listener is used to see the workings of the protocol.
- Attacked the setup: spoofed LN, spoofed SN. Attacks thwarted.
- Smaller memory footprint than TinySec (16.5KB), as crypto routines are called directly instead of through TinySec, minimizing overhead (only MAC routines used).
- Figures: logical setup (BS, LNs, SNs, promiscuous listener, spoofed LN, spoofed SN; distributed and centralized variants); actual setup; file sizes; clusters
29. Conclusions and Future Work
- Biosensor network management using secure, energy-efficient topology construction.
- Use of Physiological Values for establishing session keys between biosensors, for example Inter-Pulse Interval and Heart-Rate Variation.
- Prototyped the protocol using Mica2 motes and tested its resiliency by actively attacking it.
- Future Work
  - Expand the set of Physiological Values used for securing biosensor communication.
  - Incorporate PVs into the implementation and evaluate efficiency
30. Communication Scheduling for PVS
- PVs are unpredictable and vary with time
- At a given time, PVs measured at co-located sensors are similar
- For communication it is necessary to follow a schedule for efficient functioning
  - At measurement time (MT), both sender and receiver measure a pre-decided PV
  - At solicitation time (ST), sender and receiver communicate using the PV measured in the MT before
- Figure: sender and receiver sequences alternating measurement times (MT) and solicitation times (ST); broadcast is used for solicitations
- The schedule is computed a priori by the BS, based on network topology and communication requirements, and distributed to the sensors
- Every communication requires a new measurement of the PV; old values are NEVER reused
31. Feasibility
- Single PV for all sensors?
  - All sensors cannot be expected to measure the same PV.
  - Need enough PVs to allow senders and receivers to choose the one they have in common.
- Multiple stimuli measurement
  - Multi-modal wearable monitoring devices available
    - Vivago WristCare (wrist wearable): patient activity, skin temperature, skin conductivity (http://www.istsec.fi/eng/Etuotteet.htm)
    - AMON (wrist wearable): EKG, blood pressure, SpO2 [LA02]
    - Life Shirt (smart clothes): EKG, perspiration, posture, SpO2 (http://www.vivometric.com)
  - For in-vivo sensors, such capabilities are not yet available to the best of our knowledge.
- Powering sources
  - Power-paper cells which can be printed (http://www.powerpaper.com)
  - Battery made of fiber that can be woven [ASG05]
  - Body movement and heat [ASG05]
  - Flexible solar cells, textile coils, even a bike dynamo [ASG05]
32. References
- [Juels99] Ari Juels and Martin Wattenberg, A Fuzzy Commitment Scheme, 1999.
- [SGW01] Loren Schwiebert, Sandeep K. S. Gupta, Jennifer Weinmann et al., Research Challenges in Wireless Networks of Biomedical Sensors, The Seventh Annual International Conference on Mobile Computing and Networking, pp. 151-165, Rome, Italy, July 2001.
- [HCB00] Wendi Rabiner Heinzelman, Anantha Chandrakasan, and Hari Balakrishnan, Energy-Efficient Communication Protocol for Wireless Microsensor Networks, Proceedings of the 33rd International Conference on System Sciences (HICSS '00), January 2000.
- [CVG03] Sriram Cherukuri, Krishna K. Venkatasubramanian, Sandeep K. S. Gupta, BioSec: A Biometric Based Approach for Securing Communication in Wireless Networks of Biosensors Implanted in the Human Body, in International Conference on Parallel Processing Workshops, October 6-9, 2003, Kaohsiung, Taiwan.
- [KW03] Chris Karlof and David Wagner, Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures, in Proceedings of the IEEE International Conference on Communication, July 2003, Anchorage.
- [LA02] Paul Lukowicz et al., AMON: A Wearable Computer for High Risk Patients, in Proc. of the 6th IEEE International Symposium on Wearable Computers, 2002.
33. References (contd.)
- [BZZ05] Shu-Di Bao, Y.-T. Zhang and Yuan-Ting Zhang, Physiological Signal Based Entity Authentication for Body Area Sensor Networks and Mobile Healthcare Systems, in Proc. of the IEEE 27th Conference on Engineering in Medicine and Biology, Sept. 2005, China.
- [PZ06] Carmen C. Y. Poon, Yuan-Ting Zhang, A Novel Biometric Method for Secure Wireless Body Area Sensor Network for Telemedicine and M-Health, IEEE Communications, April 2006.
- [ASG05] Fabrice Axisa et al., Flexible Technologies and Smart Clothing for Citizen Medicine, Home Healthcare and Disease Prevention, IEEE Trans. on Info. Tech. in Biomedicine, 9(3), 2005.
- [LG04] K. Van Laerhoven and H.-W. Gellersen, Spine versus Porcupine: a Study in Distributed Wearable Activity Recognition, in Proc. of the 8th International Symposium on Wearable Computers, 2004, Arlington, VA.
- [MWS04] David J. Malan, Matt Welsh, and Michael D. Smith, A Public-Key Infrastructure for Key Distribution in TinyOS Based on Elliptic Curve Cryptography, 1st IEEE International Conference on Sensor and Ad Hoc Communications and Networks, 2004.