Privacy-preserving scheme using secure group communication for m-healthcare information systems

The expeditious growth of wearable and implantable body sensors and wireless communication technologies has provided both inspiration and motivation for the increasing development of m-healthcare information systems as a promising next generation e-health system. In m-healthcare systems, the authorized mobile patients with the same disease symptoms can constitute a social group to share their health condition and medical experience. The privacy of social communication transferred over open wireless channels is an essential system requirement. Furthermore, the m-healthcare system, in contrast to the traditional e-Health system, allows mobile patients to move across distinguished location domains during different time periods. The mobility of patients considerably increases the cost of key management in terms of communication overhead if it is addressed with a naïve solution such as treating it as a leave in the old location and a new join in the visited location. This paper proposes a privacy-preserving scheme, which maintains the secrecy of patients’ personal health information using secure group communication in m-healthcare information systems while supporting mobility of patients. The scheme is highly scalable, and treats patients’ mobility with the minimum rekeying cost, thereby efficiently preserving the secrecy of communication between patients associated with a social group. The security properties of the proposed scheme as well as its performance based on simulation experiments are evaluated. The experimental results demonstrate that the proposed scheme outperforms the existing solution in terms of communication overhead.


Introduction
The definition of e-health system is loose; the term refers to electronic health records (EHR) and tele-consultation [1], but has recently expanded to include the various mobile apps used to aid diagnosis and monitor patients' conditions [2] [3] [4]. The e-healthcare industry has changed the way patient healthcare is delivered and contributes to improving the quality of patient care by reducing the cost [5]. There are several categories of healthcare applications such as prevention, healthcare maintenance and check-ups; home healthcare monitoring; personalized healthcare monitoring; and incidence detection and management [6] [7] [8].
The healthcare system consists of several electronic tools including software systems and hardware devices [9]. These systems are increasingly becoming a distributed service involving stakeholders and resources who may be physically far from each other [10] [11] [12]. Multiple healthcare entities need to interact but do not necessarily have complete knowledge of each other. Collaboration mechanisms are required in order to permit (a) on demand formation of collaboration groups, (b) the ability for qualified strangers to join a collaboration group, (c) the ability to operate in a totally distributed setting without a central administration, and (d) guarantees of privacy and security control by the users of the collaboration system [13].
The ubiquity of mobile devices and the considerable development of wearable and implantable body sensors are undeniable because they have brought new possibilities to everyday life [14] [15] [16]. Research conducted by Cisco Systems forecasted that the global mobile data traffic rate will grow tremendously in future due to a rapid proliferation of wireless communications and the emergence of computationally fast portable devices [17]. These advances increasingly envision m-healthcare systems as a potential application of pervasive computing to improve healthcare quality and efficiency [18]. The m-healthcare systems extend the traditional centralized healthcare information system, where patients are generally assumed to stay in hospital and receive precise medical treatment from professional physicians, into a decentralized and self-sponsored one. The health sensors are planted in, on or around the patient's body to collect the patient's personal health information (PHI) such as blood pressure, blood glucose level, and temperature level and forward them to a PDA device. Then the PDA device, serving as a gateway, reports the patient's personal health information (PHI) to the remote m-healthcare center.
In m-healthcare information systems, the mobile patients who have the same symptoms and diseases are allowed to search, recognize and socially interact with each other in the range of their communication without the intervention of a trusted third body for mutual support and relief. However, it brings about a series of challenges, especially how to preserve the privacy of the patient's personal health information from various attacks such as eavesdropping and tampering [19] [20] [21]. The main issue is that only the eligible patients of the social group and the related medical professionals must have access to the patient's personal healthcare information during the data sharing in the distributed m-healthcare computing system [22] [23] [24]. This is because most patients are concerned about any kind of unauthorized disclosure of their personal health information, which could put them in trouble [25] [26] [27]. In order to securely deliver the content of the social group only to the eligible recipients, a privacy preserving key management scheme must be implemented in mobile body area networks (BAN). This key management scheme generates a common traffic key (TEK) and shares it between all participants in a social group for encrypting and decrypting PHI. The TEK must be updated whenever any change occurs in the social group membership in order to restrict access to the old group content by a newly joining patient (i.e. to satisfy backward secrecy) as well as to future group content by a leaving patient (i.e. to satisfy forward secrecy) [28].
Patients can exploit the possible benefit of wearing wireless body sensors and moving across distinguished location domains during different time periods. The m-healthcare information system needs to ensure the mobile patient receives the information regardless of its mobility. Patients' mobility poses a new challenge for securing the m-healthcare system, which is how to deliver the keying materials to a moving patient while he changes his location and still remains in the social group session [29]. Patient mobility may result in extra generation of keying materials since the member is not recognized as an eligible member of the social group in the new area. As the body area networks suffer from resource scarcity such as bandwidth limitation [30] [31], multiple rekeying messages in m-healthcare systems cause service latency. Therefore, the key management scheme must deal not only with the dynamic membership (join or leave) in a healthcare social group, but also with the dynamic patient location (mobility). While several attempts have been carried out to address the patient privacy issues lying in m-healthcare system such as [21]  To address patient privacy issues lying in m-healthcare systems, this paper proposes a privacy-preserving scheme using secure group communication for m-healthcare information systems, called SEGUE. In the proposed model, a more practical situation of wireless mobile networks is considered in social networks where patients traverse among areas outdoors, taking into consideration the scarcity of body area network resources, particularly in terms of bandwidth limitation. The system handles the mobility of the patients and the seamless transfer of medical information about the patients to the healthcare center (hospitals, clinics, general practitioners). In this way the patients can interact with their healthcare providers remotely and access medical services through this distributed and multi-server based application environment.

Related work
One of the theoretically distinctive elements of the healthcare information system context is the privacy of patients' information and their credentials during the authentication process and information transfer [39]. There exist a series of attempts at authorized access control of patients' personal health information [33] [37], [38]. They mainly studied data secrecy in different modules of eHealth systems using either secure peer to peer communication or, rarely, secure group communication. However, the challenging problem of privacy preservation with respect to patients' mobility in m-healthcare social networks has not received enough attention. Once a patient registers at its local healthcare provider, a set of sensors associated with the diseases he is suffering from is planted in, on or around the body to monitor and collect personal health information such as blood pressure, blood glucose level, and temperature level. The patient's sensors communicate with devices such as a smartphone or PDA, which runs an application that performs the m-healthcare system functionalities, and then send this information to base stations. It is conventionally assumed that BANs are established at home or in hospital and protected by some studied security mechanism for sensor networks such as [53] [54]. The sensors forward the collected data to the health provider gateway that acts as an information aggregator. Then, the aggregator forwards the data to the health provider server via communication networks.
The m-healthcare system receives the gathered information. It analyses the collected information and sends warnings and appropriate medical records to the medical staff. In emergency cases, the m-healthcare system can directly provide the medical status of a patient and the route to the hospital, allowing physicians to prepare for treatment in advance of the arrival of the patient. The real-time communication cannot tolerate any kind of delay or loss. The infrastructure should be reliable enough to provide guaranteed services whether the centralized management is available or not.
In an m-healthcare social group, the mobile patients suffering from the same diseases and living in the same neighborhood are allowed to constitute a social group and obtain mutual support physiologically and psychologically from each other. This is because they usually visit the same health provider and physician, located in the same vicinity, for treating their diseases.

Security and performance requirements
It is essential to understand the security requirements in an eHealth system before integrating appropriate security mechanisms. By knowing the nature of the applications, we can develop a comprehensive and strong security technique to protect the system from possible security threats. Several security services which are required to secure the eHealth systems are explained as follows:
Confidentiality: This service protects information so that only authorized patients can access the content. Confidentiality can be achieved using cryptographic algorithms to encrypt data. In eHealth systems, sensitive information about the status of a patient's health is transferred or stored in the system. An eavesdropping attack can be carried out by an adversary in order to abuse the information for malicious activity. A cryptographic key can be used to encrypt the patient information and physicians' advice. Thus, confidentiality is the essential security service in any secure eHealth system.
Authentication: This service verifies the authenticity of each entity communicating in the eHealth system in order to ensure the entity is what it claims to be. In secure systems, a registration process verifies patient identities before providing system access. After registration, users can use passwords or keys to prove their identities. Many users are usually involved in an m-healthcare system and may need to join and leave a social group. Thus, an authentication security service is necessary to prevent ineligible users from having access to the system.
Integrity: This security service ensures that group communication between patients, third parties, and physicians is not altered by an adversary when transmitted over insecure networks. Lack of data integrity allows an adversary to modify the patient's information before it reaches the destination, which can be harmful in case of life-critical events.
In contrast to peer to peer communication, group communication has to meet miscellaneous criteria to achieve security, efficiency, and scalability. The following criteria must be considered during the design of an m-healthcare social network in order to preserve the secrecy of patients' health information, and to provide system efficiency and scalability.
Backward secrecy: A patient who wishes to join a social group must be prevented from having access to the previous information and keying materials.
Forward secrecy: A patient who leaves a social group must not have access to any future information and keying materials.
Communication overhead: updating keying materials regarding any changes in group membership should not induce a high number of messages, especially for dynamic groups.
1-affects-n phenomenon: a single membership change in m-healthcare social network must not result in a rekeying process that affects the entire group members to update the traffic encryption key (TEK).
Scalability: the solution should be capable to scale the scope of key management to the large and widely distributed groups.

Secure m-healthcare social network implementation
A security domain is a logical or physical environment with common security and privacy protection regulations, principles and rules [55]. A security domain in m-healthcare social networks can be a group of mobile patients possessing the same diseases symptom associated with a primary physician and alternative physicians located in different health providers within the same area or vicinity and obey the same privacy mechanism.
This scheme divides the whole focused m-healthcare system domain (i.e. within a city) into various areas. Each area contains various groups of patients. Each group involves a primary doctor and alternative doctors who can remotely handle the patient's case and intervene in case of emergency, as well as nurses and medical students. A system administrator assigns doctors and medical students to patients. The assignment can be changed over time. The purpose of this division is to enable the patient to move between areas that are under regular medical monitoring. Figure 3 illustrates the whole domain, which is divided into six areas. Each area is managed by an area manager deployed in the center of the area (sub group manager), which is responsible for collecting the personal health information from local patients' devices and transmitting it to the healthcare providers. The responsibility of the area manager is to upload and distribute the traffic key between its local patients. In this distributed healthcare social network, private personal health information and key updating materials are transmitted by the area managers and the traffic key (TEK) is updated by the domain key manager. An example of patients' mobility is illustrated in Figure 3, where the moving patient Patient1 moves between areas 1, 2, and 3. The patients which have the same color belong to the same medical treatment and suffer from the same disease. The devices attached to them are in the same work mode, i.e. monitoring the same set of physiological characteristics. For simplicity, the notations used throughout this paper are described in Table 1.
Table 1 entry: message (or data) m encrypted with the symmetric key K.

Secure m-healthcare social network architecture
Our scheme ensures the privacy property in the m-healthcare information system, and considers the mobility of patients and physicians in and outside of the hospital or between some particular health unit centers (areas). The proposed scheme not only considers the hospital space but also the extension to remote patients. The proposed scheme is based on an efficient key management scheme, which can reduce the number of secured connections established among the nodes composing the network. This scheme adopts a two tier hierarchical approach with a common traffic key shared between all entities of an m-healthcare social network, similar to [48,57]. The first level is the domain level, which consists of the main key manager of the m-healthcare system, referred to as the domain key manager (DKM), for the initial authentication procedure and managing the traffic encryption key. The second level comprises a number of manageable health provider centers (or areas), each of which is managed independently by an area key manager (AKM). The areas are made by dividing the domain into a number of administratively scoped regions, which can be defined logically or physically. The responsibility of the AKM is to distribute the TEK between its local patients. In this distributed healthcare social network, patients' personal health information and keying materials are transmitted automatically by the area key managers.
In this architecture, a domain can be viewed as a city or vicinity which consists of a group of health providers. Areas can be viewed as eHealth subsystems which operate under the governance of bigger eHealth administrator systems and follow the goals and objectives of the bigger system. The aim of placing members in areas is to achieve scalable and efficient management, particularly when there are changes in the group membership due to a join, leave or move event. Since the rekeying process is localized within the area, the 1-affects-n phenomenon is alleviated. Figure 4 shows the main components involved in this scheme architecture.
The role of the DKM is to ensure the management of the TEK, triggered when a patient joins or leaves the m-healthcare social network. The DKM is responsible for managing the domain, and closely operates with the AKMs in regard to key management. The AKM is responsible for key management within its area and operates under the control of the DKM. When an AKM receives a message from the DKM, it plays the role of a proxy and sends the message to the patients residing in the area under its control. Furthermore, the management of patients' mobility is delegated to the AKMs to remove the burden of the authentication phase from the DKM. The AKMs are allowed to verify moving members, and to update and deliver the keying materials. Each AKM maintains a patient encryption key mobile owner list (PMOL) to keep track of moving members and reduce the need for rekeying when a moving patient returns to an area that it has previously visited.
The following assumptions are considered during the design of the proposed scheme.
• All cryptography keys specified in Section 4.2 are already established at initial group setup.
• All key managers (i.e. DKM and AKM) are trustworthy and reliable and all members trust them.
• The AKM has the capability of deriving PEKi without involving the DKM.
• Implicit use of a member authentication mechanism such as RSA or message authentication codes (MACs) to verify the authenticity of each patient who joins the social network.
• Availability of secure storage of cryptographic keys for all group communication entities.
• Availability of a secure mechanism for managing the PMOL.
• Sensor nodes are able to perform symmetric encryption.
• Each sensor node is able to keep a list of remote third parties, which is pre-established during the initialization phase.
Due to the symmetric structure, body sensors for medical care such as ECG are generally deployed on patients to monitor the vital signs. The patients suffering from the same disease are connected within the same social group, and they do not have permission to enter or see the communication of other social groups. In this way each social group is secured with its own TEK. In order to preserve backward and forward secrecy, the TEK must be updated whenever a patient joins the social group or leaves it. Three cases of rekeying are distinguished as follows:
• Join rekeying: when a new patient joins a healthcare function, a new AEKi and TEK must be generated and distributed to the group members. The scenario is shown in action (1) in Figure 4.
• Move rekeying: when a mobile patient changes its location from one area to another, the TEK is not changed but the AEKj in the new area may be changed. This scenario is depicted as action (2) in Figure 4.
• Leave rekeying: when a patient leaves the healthcare function, the TEK is generated and delivered to the remaining social group members. The AEK is also updated in the areas whose AEKs are still valid and carried by the leaving mobile patient. This scenario is illustrated by action (3) in Figure 4.

Mobility key management
The AKM uses a key derivation function like PRF-HMAC-SHA-256 [59] to generate the PEKi of a new patient joining the healthcare social group. While PRF-HMAC-SHA-256 provides secure pseudo random functions suitable for generating keying materials, its goal is to ensure the packets are authentic and not modified in transit. All AKMs are required to use the same PRF-HMAC-SHA-256 in order to achieve coordination throughout the domain for deriving the same PEK in all areas. Using the same PRF enables the AKMs to generate a unique PEKi specific for patient Pi. To generate the PEKi, each AKM uses the Formula 1 as follows: In Formula 1, DEK is generated by the DKM and shared between all AKMs, is the identity of patient, IDG is the identity of the social group that the patient is interested in joining, and Text contains other security parameters corresponding to the member. This authentication mechanism enables all the AKMs to verify the PEK presented by a moving patient independently of the DKM. Figure 2 depicts the verification of a moving patient in area j by derivation and comparison of its PEKi. The advantages of using this mechanism are as follows:
(1) the bottleneck on the DKM is mitigated for managing the mobility of dynamic members, as the DKM is not swamped with a multitude of signaling messages for authentication of moving members,
(2) the resource-constrained mobile devices do not undergo a heavy computing process during the authentication phase in the visited area, and
(3) the management of moving members is distributed between all AKMs, which results in saving enormous bandwidth utilization during the rekeying process.
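One way to realize the derive-and-compare check described above, as an added example (not code from the paper). Formula 1 is not reproduced on this page, so the length-prefixed input encoding, the nonce challenge (used so that the PEK itself is never sent over the air), and all function and class names are assumptions of the example.

```python
import hashlib
import hmac
import secrets


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide."""
    out = bytearray()
    for item in fields:
        if len(item) > 0xFFFF:
            raise ValueError("field too long for 2-byte length prefix")
        out += len(item).to_bytes(2, "big") + item
    return bytes(out)


def derive_pek(dek: bytes, patient_id: str, group_id: str, text: bytes = b"") -> bytes:
    """PEK = HMAC-SHA-256(DEK, patient id || group id || Text).

    The exact input layout is an assumption; the page only names the inputs.
    """
    msg = encode_fields(patient_id.encode(), group_id.encode(), text)
    return hmac.new(dek, msg, hashlib.sha256).digest()


def patient_response(pek: bytes, area: str, nonce: bytes) -> bytes:
    """Patient side: prove possession of the PEK for this area and nonce."""
    return hmac.new(pek, encode_fields(area.encode(), nonce), hashlib.sha256).digest()


class AreaKeyManager:
    """Visited-area AKM: holds the domain-wide DEK, never contacts the DKM."""

    def __init__(self, area: str, dek: bytes):
        self.area = area
        self._dek = dek
        self._pending = {}  # patient id -> outstanding one-time nonce

    def challenge(self, patient_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[patient_id] = nonce
        return nonce

    def verify(self, patient_id: str, group_id: str, text: bytes, response: bytes) -> bool:
        # A nonce is consumed on first use, so a captured response cannot be replayed.
        nonce = self._pending.pop(patient_id, None)
        if nonce is None:
            return False
        pek = derive_pek(self._dek, patient_id, group_id, text)
        expected = patient_response(pek, self.area, nonce)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def demo():
    dek = bytes(range(32))                       # constructed sample DEK
    akm_j = AreaKeyManager("area-2", dek)        # AKM of the visited area
    # PEK as issued to patient P1 by its home AKM at join time.
    pek = derive_pek(dek, "P1", "G-cardio", b"v1")

    nonce = akm_j.challenge("P1")
    answer = patient_response(pek, "area-2", nonce)
    accepted = akm_j.verify("P1", "G-cardio", b"v1", answer)
    replayed = akm_j.verify("P1", "G-cardio", b"v1", answer)

    nonce = akm_j.challenge("P1")
    wrong_group = akm_j.verify("P1", "G-diabetes", b"v1",
                               patient_response(pek, "area-2", nonce))
    return accepted, replayed, wrong_group


if __name__ == "__main__":
    print(demo())
```

Because every AKM derives the PEK from the same DEK, compromise of a single AKM exposes the PEK of every patient in the domain, which is why the scheme's assumption of trustworthy key managers and secure key storage matters.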

List management
An important concept used as part of the mobility protocol design is a managing list referred to as the PEK Mobile Owner List (PMOL). This list enables each AKM to keep track of mobile patients who may accumulate keying materials in the visited areas. The advantage of using this list is to avoid frequent rekeying in visited areas that may cause disruption in social group communication. Each AKM in a domain securely maintains its own PMOL and stores the information of patients who move out of its managing area. The AKM logs in the PMOL the identity of the moving member, the identity of the group communication IDG joined by the member, and the identity of the area that the member is moving to.
Another list called MemL, maintained by the AKMs, contains the information of the current patients residing in the area. The information in MemL is used by key managers in a domain in order to locally handle the update of keying materials within the area whenever any membership change occurs in the m-healthcare social group.

Patient joining protocol to existing social group
A patient Pi located in area i sends a join request message signed with its private key to AKMi through a secure channel such as SSL [60] [61] or TLS [62]. On receipt of the join request, AKMi verifies the member's request. If the member is authorized to join the healthcare session, AKMi informs the DKM and concurrently generates a new AEKi and PEKi and then sends them to the patient Pi protected under the public key of the patient.

Patient mobility protocol
This protocol describes the mobility of a patient Pi from area i to area j with provision of backward secrecy in the visited area. Figure 6 outlines the flow of the mobility protocol in algorithmic form. The following operations are executed upon a patient mobility.

Existing patient leaving protocol from the social group
When a patient Pi leaves the social group treatment, it informs its AKMi. Upon receiving the message, AKMi decrypts and checks the message, and subsequently encrypts and sends it to the DKM. In order to achieve forward secrecy at area i, AKMi updates the AEKi. The DKM removes the information of the departing Pi from the social group session. The new TEK is generated and distributed along with the departing Pi information throughout the domain.
Upon receiving the new TEK, AKMi sends the new_TEK and new_AEK to the remaining patients in area i, encrypted with each patient's PEKi and excluding the leaving patient Pi. AKMi removes Pi from MemLi. The leaving patient might have visited other areas inside the domain and accumulated information of each visited area. Therefore, Pi knows all the AEKs used in previously visited areas, and the AEKs of these areas must be refreshed. In the other areas t (t ≠ i) that the patient Pi has previously visited, or where Pi is in the PMOLt, AKMt must update the AEKt and send it along with the new TEK to the members in area t, encrypted with the PEKt of each patient Pt. Moreover, AKMt removes the information of the leaving patient Pi from its PMOLt. Every other AKMq sends a multicast message containing the new TEK protected under AEKq to all patients residing in area q. Figure 8 depicts an example of a patient leaving.

Result and analysis
The proposed scheme is compared with a secure eHealth system described in literature namely, Mat Kiah et al. [37] (for simplicity called herein TSGC). The TSGC proposed a secure telemedicine system using decentralized group key management with a common TEK for the whole collaborated members. However, it did not consider the mobility of patients which may occur between different clinical units while remaining in the social group session. Thus, the mobility of a patient is treated as a leave in the old area and a join in the new area.

General comparison
The generic comparison of the proposed scheme SEGUE and the TSGC scheme is summarized in Table 2 in terms of the number of rekeying messages when any membership change occurs in the m-healthcare social network. In Table 2, the number of patients residing in area i and the number of areas in the domain are respectively denoted by ni and |Ap|. From Table 2, both schemes require two messages to update the keying materials when a patient joins a social group. The TSGC shows considerable overhead when patients move between areas in an m-healthcare domain due to the lack of a mechanism for managing mobility. Thus, the rekeying load at the core network significantly increases, especially in dynamic mobile environments where the patients change their location frequently, which leads to a lack of scalability.
Moreover, the TSGC has to manage mobility events in synchronization with the DKM. Thus, the centralized DKM must be involved in the generation of the TEK and auxiliary keys, which makes the TSGC slower than the proposed scheme. This is due to the fact that the signaling messages have to traverse a long path to the DKM, which may be far from the AKMs.
In the proposed scheme, the AKMj can derive the PEKi of each mobile patient independently of the DKM and the old AKMi. Thus, patient mobility is managed with minimal service latency.
The SEGUE shows more overhead when a patient leaves the social group. This is because when a patient leaves the social group, not only must the AEKi of the area where he leaves the group be updated by using unicast messages, but the AEKt of the areas that the patient has previously visited and that is still valid must also be refreshed. The TSGC, in contrast, just needs to update the AEK of the area where the leave event occurs.

Simulation model
The implementation of the proposed scheme has been carried out in the network simulator NS3 [63]. The NS3 is a discrete event network simulator which provides an environment to develop and implement network scenarios. This section presents the simulation model and some results obtained through several simulation experiments. A two-tier distribution hierarchy with five distinct clinical units was designed for the proposed scheme. One DKM within the first tier is responsible for governing all AKMs as well as managing the common TEK for the whole group. Each area in the second tier is managed by an AKM.
The patients join the healthcare social group according to a Poisson process with inter arrival rate λ, and each patient's membership duration follows an exponential distribution with a mean duration of 1/µ time units [64], [65]. All inter arrivals are independent and identically distributed. The average number of concurrent members in the group is defined as ρ given by ⁄ .
The session time was assumed to be 30 minutes. All patients enter the healthcare social group through any of the areas with an inter-arrival average λ equal to 10 seconds. Once a patient joins the group, its membership duration follows an exponential distribution with a mean duration 1/µ equal to 15 minutes. In order to study the impact of group size variation, as one of the scalability requirements, on the scheme performance, the inter arrival rate and the membership duration are varied over [5 sec : 75 sec] and [10 min : 25 min] respectively in separate experiments. The patient remains in each area for a determined time, and then moves to one of the other areas, each selected with the same probability. The velocity of members is set constant for all experiments, equal to 5 m/s.

Communication overhead
This requirement concerns the bandwidth consumption of the wireless networks and devices. A high number of messages transmitted either by unicast or multicast during the rekeying process consumes enormous network bandwidth, which results in delays in distributing the keying materials and disruption in the m-healthcare social network services.
It can clearly be observed from Figure 9 and Figure 10 that the TSGC induces a higher number of rekeying messages than the SEGUE due to the lack of a protocol intended for managing mobile patients. The lack of a strategy for handling the mobility event significantly increases the rekeying message overhead, particularly in groups of big size. Both Figures 9 and 10 depict that the ratio of rekeying messages increases when the group population rises due to either the increase of the inter arrival rate or the increase of the membership duration. The proposed scheme SEGUE has introduced the use of a mobility list to keep track of moving members, such that the old area induces null communication overhead in a mobility event and the visited area retains the communication overhead at a minimum level. As a result, this mechanism improves the bandwidth efficiency of the system while satisfying backward secrecy.

1-affects-n phenomenon
The 1-affects-n phenomenon refers to the number of patients affected by a rekeying process due to a single change in healthcare social group membership. This requirement concerns the scalability of the healthcare system for large group sizes, which is more critical for wireless mobile environments. A high number of patients in the social group involved in the rekeying process on each event is a hurdle for the scheme to scale the scope of key management to very large m-healthcare social networks. Due to the intrinsic characteristics of body area networks in terms of wireless bandwidth limitation, a high number of affected members consumes enormous wireless resources, which results in some members failing to receive the keying material updates on each event while contributing to delays in distributing the social group content.
It can easily be seen from Figure 11 and Figure 12 that the TSGC shows a high number of affected patients who need to receive the new keying materials during an event. The reason is that the TSGC does not provide any protocol for the mobility event and treats such an event as a leave in the old area and a join in the visited area. Thus, the entire group membership is influenced twice. The average number of members affected by rekeying processes increases significantly in this scheme when the group size grows.
Figure 11. Impact of inter arrival variation on 1-affects-n behavior overhead.
The average number of affected members in the SEGUE is less than in the TSGC due to the use of the mobility list for keeping track of moving members, which eliminates the need to perform the rekeying process in the old area. Thus, the patients residing in the old area are not affected by the mobility event. Moreover, the rekeying process is performed in the visited area as long as either the mobile patient is not on the mobility list of the AKM of the visited area or its join time is after the last update time of the AEK of the visited area.
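The move rule above and the leave protocol described earlier, modeled as a small state machine (an added example, not the paper's NS3 code). The class names, the logical clock, keeping a PMOL entry after the patient returns, and the affected-patient accounting are assumptions; the naive baseline follows the page's description of a move handled as a leave plus a join.

```python
from dataclasses import dataclass, field


@dataclass
class Area:
    name: str
    meml: set = field(default_factory=set)    # MemL: patients currently residing here
    pmol: dict = field(default_factory=dict)  # PMOL: patient -> area it moved to
    aek_version: int = 0
    aek_updated_at: int = 0                   # logical time of the last AEK update


class Domain:
    """One social group as the DKM sees it: a shared TEK and per-area AEKs."""

    def __init__(self, area_names):
        self.areas = {n: Area(n) for n in area_names}
        self.tek_version = 0
        self.join_time = {}
        self.clock = 0  # logical clock (assumption of this model)

    def _rekey_area(self, area):
        area.aek_version += 1
        area.aek_updated_at = self.clock

    def join(self, patient, area_name):
        # Join rekeying: new AEK for the joined area and a new TEK.
        self.clock += 1
        self.join_time[patient] = self.clock
        area = self.areas[area_name]
        area.meml.add(patient)
        self._rekey_area(area)
        self.tek_version += 1

    def naive_move_affected(self, patient):
        # Baseline from the text: leave + join changes the TEK twice, so every
        # other group member has to receive new keying material twice.
        others = sum(len(a.meml) for a in self.areas.values()) - 1
        return 2 * others

    def move(self, patient, src, dst):
        # Move rekeying: the TEK is untouched and the old area only logs the
        # departure in its PMOL, so nobody in the old area is affected.
        self.clock += 1
        old, new = self.areas[src], self.areas[dst]
        old.meml.discard(patient)
        old.pmol[patient] = dst
        # Rule as stated in the text: rekey the visited area if the patient is
        # not on its PMOL, or joined after that area's AEK was last updated.
        rekey = (patient not in new.pmol
                 or self.join_time[patient] > new.aek_updated_at)
        affected = set(new.meml) if rekey else set()
        if rekey:
            self._rekey_area(new)
        new.meml.add(patient)
        return affected  # residents of the visited area that need the new AEK

    def leave(self, patient, area_name):
        # Leave rekeying: new TEK everywhere; new AEK in the leaving area and in
        # every area whose PMOL still lists the patient.
        self.clock += 1
        self.tek_version += 1
        self.areas[area_name].meml.discard(patient)
        self.join_time.pop(patient, None)
        plan = {}
        for area in self.areas.values():
            if area.name == area_name or patient in area.pmol:
                self._rekey_area(area)
                area.pmol.pop(patient, None)
                # New TEK and AEK sent to each resident under its own PEK.
                plan[area.name] = ("unicast", len(area.meml))
            else:
                # New TEK sent once, protected under the unchanged AEK.
                plan[area.name] = ("multicast", 1)
        return plan


def demo():
    # Constructed scenario: three areas with two patients each.
    d = Domain(["A1", "A2", "A3"])
    for patient, area in [("P1", "A1"), ("P2", "A1"), ("P3", "A2"),
                          ("P4", "A2"), ("P5", "A3"), ("P6", "A3")]:
        d.join(patient, area)
    tek_before = d.tek_version
    naive = d.naive_move_affected("P1")
    first = d.move("P1", "A1", "A2")   # first visit: A2 is rekeyed
    back = d.move("P1", "A2", "A1")    # return to a logged area: no rekey
    again = d.move("P1", "A1", "A2")   # revisit: no rekey
    tek_unchanged = d.tek_version == tek_before
    plan = d.leave("P1", "A2")
    return naive, first, back, again, tek_unchanged, plan


if __name__ == "__main__":
    print(demo())
```

In this scenario the first move touches only the two residents of the visited area, against ten key deliveries for the leave-plus-join baseline, while the final leave forces per-patient unicasts in both areas that P1 held AEKs for.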

Conclusion
The m-healthcare information system can greatly benefit patients and hospitals, not only by providing better quality of patient care, but also by providing a decentralized and organized way for the authorized patients to socially interact with each other in order to share their health conditions and medical experience for mutual support and comfort. However, it brings about a series of security challenges, especially how to preserve the secrecy of patients' personal health information from various attacks in the wireless mobile network, where the mobile patients can change their locations during different time periods while remaining in the session. In this paper, a new privacy-preserving scheme has been proposed using secure group communication to maintain the secrecy of patients' personal health information transferred over m-healthcare systems. Meanwhile, the mobility of patients between different areas of a healthcare domain has been taken into consideration and treated with the minimum number of rekeying messages. The proposed scheme used a managing list called PMOL for effectively performing the key management and authentication phase, as well as avoiding renewal of the TEK during move events. By delegating the authentication phase of mobile patients to the intermediate AKMs, the domain key manager of an m-healthcare system is made scalable and protected from becoming a bottleneck, because the signaling load at the core domain is reduced. Simulation results showed that the SEGUE far outperforms previous schemes in terms of rekeying overhead and the number of patients affected by the rekeying process.

Acknowledgement
The authors would like to acknowledge the financial support of eScience fund 01-01-03-SF0786.