Privacy Preserved Medical Service Provider Selection in Cloud-based WBAN

Continuous health status monitoring of persons equipped with a Wireless Body Area Network (WBAN) is one of the key emerging technologies in the area of e-healthcare. In this technology, WBANs and Medical Service Providers (MSPs) are connected via a cloud infrastructure, where the WBAN continuously uploads the present readings of physiological parameters via a base station such as a smart phone, smart watch, etc. The cloud analyzes the physiological parameters and, whenever a medical emergency of the user is detected, it checks the infrastructural parameters, including the location information, of all MSPs connected to it and finds the most appropriate MSP to handle the medical emergency. This MSP selection task has to be performed efficiently so that the medical treatment of the user can start as early as possible. In the existing works, a trusted third party, namely a trusted authority (TA), actively participates in the MSP selection process and may take undue advantage of it. The aim of the work in this paper is to remove the role of the TA during the MSP selection process. The TA still participates in the system setup phase, but in such a way that it cannot obtain any advantage in compromising the MSP selection task. The proposed scheme has been scrutinized through an adversary model and simulated using the ProVerif tool to verify its security and privacy.

Keywords Smart Healthcare · MSP Selection · Security and Privacy · MDRQ · Homomorphic Encryption

Introduction
In a smart society, one natural expectation is that, if a person experiences a sudden medical abnormality, the medical emergency event should be automatically detected and reported instantly so that medical treatment can be given at the earliest. Advances in wireless sensor technologies and bio-sensors that can be implanted in the human body have made this a reality through the use of WBAN and cloud: the WBAN reads the physiological parameters continuously, and the cloud monitors this private health information (PHI) of the person at periodic and regular intervals [1], [2], [3].
In WBAN, responding to a medical emergency is one of the fundamental aims [2]. However, appropriate MSP selection during an emergency is another very important task, as it can provide the most appropriate treatment as per the patient's need; lack of proper treatment may put the patient's life at risk. Abnormality of one or more physiological readings of a user is analyzed by the cloud, and an emergency is triggered if a combination of physiological readings is not in the normal range. In this situation, the CS helps the Medical User (MU) to select an appropriate MSP based on the nature of the emergency. However, there are many security and privacy implications that may restrict the adoption of this technology in real life. The MUs who wish to access this service have to put almost the entire details of their physiological data on a platform that is outside their privacy range, which can become a vital security and privacy risk for the users. Therefore, the task of automatic MSP selection that preserves the security and privacy of the user is very important in e-healthcare. To our knowledge, this automatic MSP selection problem has been addressed only in [4]. In that work, the authors have used a third party, i.e., a trusted authority (TA), which they consider fully trusted. However, in that work the internal agents of the TA can access the medical information of the users, which in turn can be misused and puts the users at a security and privacy risk. This paper proposes a framework for MSP selection in a medical emergency, where the TA is utilized only to set up the system. This framework ensures that an internal agent of the TA cannot access any medical information of the user even though the TA participates in setting up the system. The contributions of this paper are summarized as follows:
I. In the event of an emergency, the MSP whose attributes match most closely with the requirements of the MU needs to be selected. In view of this, we have proposed a secure and privacy preserved framework for MSP selection in response to a medical emergency of the MU, where the privacy of the MU's PHI and location information is preserved.
II. Our proposed framework handles the single point of failure problem, and prevents the third party from taking any advantage in compromising security and privacy.
III. An emergency signal is generated whenever a PHI reading is outside the normal range. We have identified a false positive emergency signal in [4]. We have designed the proposed framework to be free from this problem.
IV. The security and privacy of the proposed framework have been formally analyzed using a suitable adversarial model, which ensures the required security and privacy of the proposed framework.
The rest of the paper is organized as follows. Related works are briefed in Section 2. Next, our proposed framework is described in Section 3. The security and privacy of the proposed framework are analyzed in Section 4. In Section 5, the performance of the proposed framework is analyzed and compared with the scheme proposed in [4]. Finally, the work is concluded in Section 6.

Related Works
Several articles [1], [2], [5], [6], [7] have discussed different aspects of WBAN. In particular, S. Movassaghi et al. [1] have discussed in detail the IEEE 802.15.6 specifications for WBAN. X. Liang et al. [8] proposed a privacy-preserved emergency call scheme without considering the MSP selection problem. K. Zhang et al. [9] have proposed a privacy-preserved priority-based health data aggregation scheme for cloud-assisted WBAN; they have emphasized the process of aggregation and classification of health data. Q. Huang et al. [10] proposed a secure collaboration and health data sharing scheme. The authors of this work have considered only the privacy preserved collaboration between users suffering from similar kinds of symptoms, and how they can share health data among themselves. J. Sun et al. [11] have proposed a privacy-preserved emergency response system in which they assume that a pre-decided primary physician will always access all the health records directly from the WBAN implanted in the user. Chun-Ta Li et al. [12] have proposed a secure cloud-assisted architecture. In this work also, pre-defined medical care providers can directly access and process the medical data of the user. Shin-Yan Chiou et al. [13] proposed an approach to allow medical staff to quickly attend to the user during an emergency: in response to an accident notification, the server immediately alerts the pre-defined medical staff for necessary treatment. A cloud-assisted privacy preserved mobile health monitoring system (CAM) has been proposed by H. Lin et al. in [14]. In their work, the patient monitoring program has been modeled as a binary decision tree based on the ranges of the physiological parameters. More specifically, the attribute vector of a measurement is uniquely mapped to a binary bit block with a multi-dimensional range query (MDRQ) [15], [16]. Thus, the authors of this work have considered only emergency detection using the MDRQ scheme.
We have observed that none of the schemes proposed in [8], [9], [10], [11], [12], [13], [14] considers the MSP selection problem; they have emphasized other aspects of medical emergency. The work proposed by W. Yu [4] considers the secure and privacy preserved MSP selection problem. In this work, the authors have used a centralized third party, namely a Trusted Authority (TA), which is considered fully trusted. However, the curious internal agents of the TA have the scope to compromise the health privacy of the medical users. Moreover, this scheme has the problem of false positive emergency reports, which may panic a user. This is proved in Claim 1.
Claim 1: The scheme proposed by W. Yu [4] generates a false positive emergency alert.
Proof: In [4], [14] the authors have used the MDRQ tree as depicted in Fig. 1. The result illustrates that the current health status of the MU is not normal, i.e., an emergency, which is not correct. Hence, the proposal of W. Yu [4] generates a false positive emergency alert. Thus our claim is proved.
As we can see, except for the work by W. Yu [4], none of the existing works [8], [9], [10], [11], [12], [13], [14] has discussed the problem of secure and privacy preserved MSP selection in case of a medical emergency. Unfortunately, the scheme proposed by W. Yu in [4] has a privacy leakage problem. This motivates us to design a security and privacy preserved framework to handle the MSP selection problem.

Our Proposal
In this section, we present our proposed framework. There are mainly four components, namely, TA, CS, MUs and MSPs. TA is used only during the system initialization process, CS is the computing facilitator, MU is equipped with ) and sends C_1 values for all the ids indexed by I_i along with A ← g^a to CS securely
4. CS computes the private and public key pair PR_CS, P_CS, and sends P_CS to TA securely
5. TA generates the private and public key pair MS, MS' ← g^MS for the master secret
6. TA sends P_CS, r, δ_i, MS to MU, and P_CS, MS' to MSP securely

Emergency Detection Phase
In this phase, it is checked whether the current readings of the MU health parameters are in the normal or abnormal range, and the MU is alerted whenever a reading is found to be in the abnormal range. The proposed framework has been designed such that the computation for detecting the medical status is performed in CS without leaking any sensitive MU information to it. This process is performed through Algorithm 2. MU transforms the present reading of the i-th PHI by adding δ_i received from TA. It then generates the set S_h'_i = {id' | id' ∈ S_path_i}, collecting the IDs on the path from the root to the node of the transformed PHI value in the MDRQ tree, similar to [4]. MU then randomly generates a private key β and a nonce N, and computes its public key PK_MU. Now, for all the ids in S_h'_i, MU computes C'_1 and C'_2, which are integrity information for CS, while N is used for authentication. MU then encrypts the nonce value N and the index of the PHI, I_i, to form E_PCS(N ‖ I_i). MU sends all the computed C'_1, C'_2 along with PK_MU and E_PCS(N ‖ I_i) to CS. Then, CS verifies the integrity of the information received from MU using equation 1.
CS stops if the integrity verification is unsuccessful. Otherwise, CS checks for a medical emergency using equation 2. If CS obtains only '$', i.e., the abnormal value, as the output during the comparison between all C_1 and C'_1, it alerts the MU with E_PKMU(N). MU then decrypts N and performs the validity check to confirm the emergency.
Algorithm 2 for the emergency detection phase
1. MU transforms the PHI using δ_i, and generates the set S_h'_i
2. MU randomly generates β and nonce N, and computes the public key PK_MU
3. MU computes C'_1 and C'_2 for all the ids in S_h'_i
4. MU sends C'_1, C'_2, PK_MU and E_PCS(N ‖ I_i) to CS
5. CS verifies the integrity using equation 1, and stops on unsuccessful integrity verification
6. CS checks for medical emergency using equation 2
7. If CS does not find any 'Normal' value as output during the comparison between all C_1 and C'_1, then CS alerts MU with E_PKMU(N)
8. MU decrypts N and checks the validity of the decrypted N to detect the emergency event
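As an added illustration (not code from the paper), the following Python sketch shows the core of the emergency check just described in simplified form: the TA hands CS only hashed IDs of the MDRQ nodes covering the δ_i-shifted normal range (standing in for the C_1 values), MU sends hashed IDs of its shifted reading's root-to-leaf path (standing in for C'_1), and CS raises an alert only when no 'Normal' node matches, echoing the session nonce N that MU then validates. The binary tree construction, the HMAC key, the fixed 10-bit reading domain and the nonce being carried in clear (the paper encrypts it under P_CS) are assumptions of this sketch; equations 1 and 2 of the paper are not reproduced.

```python
import hashlib
import hmac
import secrets

# Readings are integers in [0, 2**K_BITS); a constructed toy domain for this sketch.
K_BITS = 10
DOMAIN = 1 << K_BITS


def path_ids(value):
    """IDs of the nodes on the root-to-leaf path of `value` in a complete binary
    range tree. A node is identified by the bit prefix it covers (root = '')."""
    bits = format(value, f"0{K_BITS}b")
    return [bits[:i] for i in range(K_BITS + 1)]


def range_cover(lo, hi):
    """Minimal set of node prefixes whose leaf ranges exactly tile [lo, hi]
    (the MDRQ idea): a value lies in [lo, hi] iff its path hits one of them."""
    cover = []
    while lo <= hi:
        size = (lo & -lo) if lo else DOMAIN      # largest aligned block at lo
        while lo + size - 1 > hi:                # shrink until it fits in range
            size //= 2
        depth = K_BITS - size.bit_length() + 1   # prefix length for this block
        cover.append(format(lo, f"0{K_BITS}b")[:depth])
        lo += size
    return cover


def hide_ids(key, ids):
    """Hash node IDs so that CS can compare them without learning the IDs."""
    return {hmac.new(key, i.encode(), hashlib.sha256).hexdigest() for i in ids}


def ta_setup(normal_lo, normal_hi):
    """TA, setup only (assumption: TA also picks the hashing key): choose the
    per-parameter offset delta and hand CS only hashed IDs tagged 'Normal'."""
    delta = secrets.randbelow(DOMAIN // 4)
    key = secrets.token_bytes(32)
    c1_normal = hide_ids(key, range_cover(normal_lo + delta, normal_hi + delta))
    return delta, key, c1_normal


def mu_report(delta, key, reading, nonce):
    """MU: shift the reading by delta and hash its path IDs (the C'_1 values);
    CS sees neither the reading nor delta."""
    assert 0 <= reading + delta < DOMAIN
    return {"c1_prime": hide_ids(key, path_ids(reading + delta)), "nonce": nonce}


def cs_check(c1_normal, report):
    """CS: emergency iff no hashed path node matches a 'Normal' cover node.
    An alert carries the session nonce; None means 'Normal' was found."""
    if c1_normal & report["c1_prime"]:
        return None
    return report["nonce"]


def mu_accept_alert(current_nonce, alert_nonce):
    """MU: accept an alert only if it echoes the nonce of the current session,
    rejecting replayed or fabricated alerts."""
    return alert_nonce is not None and hmac.compare_digest(current_nonce, alert_nonce)


if __name__ == "__main__":
    delta, key, c1_normal = ta_setup(60, 100)        # constructed normal range
    nonce = secrets.token_bytes(16)
    for reading in (80, 100, 101, 59):
        alert = cs_check(c1_normal, mu_report(delta, key, reading, nonce))
        print(reading, "alert accepted" if mu_accept_alert(nonce, alert) else "normal")
    stale = cs_check(c1_normal, mu_report(delta, key, 59, b"old-session-nonce"))
    print("replayed old alert accepted:", mu_accept_alert(nonce, stale))
```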

MSP Selection Phase
This is an important phase of the proposed framework. In this phase, the particular MSP which has the closest infrastructural match with the requirements of the concerned MU is selected in such a way that no third party other than the selected MSP and the MU can compromise the privacy of the user. Algorithm 3 illustrates the MSP selection process. In this algorithm, we use fully homomorphic operations to add or multiply two encrypted values, and a partially homomorphic operation to multiply a scalar quantity with an encrypted value to form another encrypted value [17], [18], [19]. MU first generates invertible matrices P, Q of size 3 × 3 and n × n, respectively, and their inverse matrices P^−1, Q^−1. It conceals its location using P^−1, and its attributes using Q^−1, to form C_Lu and C_Au as illustrated in equations 3 and 4, respectively.
MU then encrypts its location and attributes in E_Lu and E_Au, respectively. After this, MU computes its signature H and the ciphertexts E_PKMU(P), E_PKMU(Q), and then sends these along with C_Lu, E_Lu, C_Au, E_Au to CS. Now, every MSP receives the signature H_1 and P, Q, PK_MU, N, H broadcast by CS. Each MSP first checks the integrity and verifies whether the received information is from the correct MU and CS. After successful integrity verification, the MSP generates its private and public key pair PR_MSP, PK_MSP. MSP then conceals its location in C_Ls and its attributes in C_As using equations 5 and 6, respectively.

Algorithm 3 for the MSP selection phase
MU encrypts its location in E_Lu and its attributes in E_Au
MSP checks the integrity of E_PKMU(P), E_PKMU(Q), PK_MU, N using H, MS', and stops on unsuccessful integrity verification
7. MSP generates the private and public key pair PR_MSP, PK_MSP
11. MSP encrypts Cs ← E_PCS(C_Ls, E_Ls, C_As, E_As, N, T), and sends Cs to CS
12. CS decrypts Cs to obtain C_Ls, E_Ls, C_As, E_As, N, T
13. CS compares the N received from MU with the N received from MSP, and discards the MSP response if they differ
14. CS obtains E_PKMU(d_1²) using equations 7 and 8, and obtains E_PKMU(d_2²) using equations 9 and 10
15. CS computes E_PKMU(d_1² + d_2²) using equation 11, and E_PKMU(F_s) using equation 12
MU sends E_PKMSP(x_1, x_2, x_3, N) to the selected MSP
19. If MU did not send E_PKMSP(x_1, x_2, x_3, N) to any MSP and there is at least one unverified tuple, then repeat from Step 18
MSP then encrypts its location and attributes, and uploads these along with N to CS. CS decrypts these and compares the decrypted value of N with the value of N received from MU in the current session. If this verification is unsuccessful, CS discards this particular MSP response. For every valid MSP response, CS separately computes the encrypted squared distance between the MU and MSP locations, and the encrypted squared attribute distance between the MU and MSP, using equations 7, 8, 9 and 10.
Then, for every MSP response, E_PKMU(d_1²) and E_PKMU(d_2²) are separately combined by CS to form the encrypted sum of d_1² and d_2² using equation 11. CS also computes the encrypted MSP selection information E_PKMU(F_s) for the minimum d_1² + d_2² value using an appropriate homomorphic operation, through a process similar to [4], as illustrated in equation 12.
Next, CS sends the encrypted distance information for each MSP and the encrypted MSP selection information to MU. Upon receiving these, MU selects one unverified tuple {…, T} and decrypts d_1² + d_2². If the decrypted d_1² + d_2² value matches the decrypted value of F_s, MU further verifies that the response from CS is not forged; if this verification succeeds, MU encrypts and sends its location and nonce value through E_PKMSP(x_1, x_2, x_3, N) to the selected MSP. The selected MSP decrypts the MU location (x_1, x_2, x_3) and the nonce value N. MSP then attends to the MU after comparing the currently received N with the nonce N received previously. If the verification of the selected tuple is unsuccessful and there are still one or more unverified tuples available, MU repeats this for another unverified tuple. Finally, MU stops if either it has discovered a correct tuple and sent its encrypted location information to the corresponding MSP, or there is no unverified tuple available. Fig. 3 gives a sketch of emergency detection and MSP selection.
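As an added, simplified illustration rather than the paper's Algorithm 3 (equations 7 to 12 are not reproduced), the following Python code shows how CS can compute the encrypted squared location distance E_PKMU(d_1²) between the MU and each MSP using only additive-homomorphic operations, with a toy Paillier instance standing in for the paper's homomorphic scheme. It assumes CS sees the MSP coordinates in clear (the paper conceals them with matrix P) and that the MU, as key holder, decrypts the distances to pick the closest MSP; the primes and locations are constructed.

```python
import math
import secrets

# Toy Paillier parameters: constructed small primes for illustration only
# (a real deployment uses primes of at least 1024 bits).
P_PRIME = 1000003
Q_PRIME = 1000033


def keygen():
    """Paillier key pair with g = n + 1, so that mu = lambda^-1 mod n."""
    n = P_PRIME * Q_PRIME
    lam = math.lcm(P_PRIME - 1, Q_PRIME - 1)
    mu = pow(lam, -1, n)
    return (n, n * n), (lam, mu)


def encrypt(pub, m):
    """E(m) = (1 + n)^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, n2 = pub
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(1 + n, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Recover m and map it back to a signed integer (negatives wrap modulo n)."""
    n, n2 = pub
    lam, mu = priv
    m = (((pow(c, lam, n2) - 1) // n) * mu) % n
    return m - n if m > n // 2 else m


def add(pub, c1, c2):
    """E(a) * E(b) = E(a + b): homomorphic addition of two ciphertexts."""
    return (c1 * c2) % pub[1]


def scalar_mul(pub, c, k):
    """E(a)^k = E(k * a): scalar times ciphertext; negative k is reduced mod n."""
    return pow(c, k % pub[0], pub[1])


def mu_encrypt_location(pub, loc):
    """MU side: encrypt each coordinate and the squared norm under PK_MU."""
    enc_coords = [encrypt(pub, x) for x in loc]
    enc_norm = encrypt(pub, sum(x * x for x in loc))
    return enc_coords, enc_norm


def cs_encrypted_sq_distance(pub, enc_coords, enc_norm, msp_loc):
    """CS side: E(|u|^2 - 2 u.v + |v|^2) = E(d^2) without decrypting anything."""
    acc = enc_norm
    for c, v in zip(enc_coords, msp_loc):
        acc = add(pub, acc, scalar_mul(pub, c, -2 * v))
    return add(pub, acc, encrypt(pub, sum(v * v for v in msp_loc)))


def select_closest_msp(pub, priv, mu_loc, msp_locs):
    """Full round: CS builds one E(d^2) per MSP, MU decrypts and picks the minimum."""
    enc_coords, enc_norm = mu_encrypt_location(pub, mu_loc)
    enc_dists = [cs_encrypted_sq_distance(pub, enc_coords, enc_norm, l) for l in msp_locs]
    dists = [decrypt(pub, priv, c) for c in enc_dists]
    best = min(range(len(dists)), key=dists.__getitem__)
    return best, dists


if __name__ == "__main__":
    pub, priv = keygen()
    # Constructed sample locations (x1, x2, x3) for the MU and three MSPs.
    best, dists = select_closest_msp(pub, priv, (10, 20, 5),
                                     [(13, 24, 5), (0, 0, 0), (10, 20, 50)])
    print("squared distances:", dists, "-> closest MSP index", best)
```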

Security and Privacy Analysis
The proposed framework has been formally verified for its privacy through an appropriate random oracle model. Also, we have analyzed the robustness of the proposed framework in terms of security and privacy by simulating it using the well-accepted formal verification tool ProVerif [23], [24]. Moreover, we informally examine various other known attacks and check the stability of the proposed framework against them. Prior to the analysis, we introduce the threat model that we have considered for the formal security and privacy verification of the proposed framework.

Threat Model
In the threat model, TA and CS are assumed to be honest but curious. Therefore, their adversarial objective is to learn the medical status and/or location of the user; however, both TA and CS follow the protocol rules. The adversary is capable of performing the following:
- Eavesdropping on the communication link between different entities.
- Intercepting one or more messages over one or more communication links, and trying to obtain any sensitive information from them.

Privacy Analysis through Random Oracle Model
In this section, we use a random oracle model [20], [21] to scrutinize the privacy of the proposed framework. In this analysis, a random oracle O is defined that can execute the following functionalities: the random oracle O is assumed to efficiently accomplish any computational task given a protocol instance i, and an adversary A can use O to obtain the PHI readings and/or the location information of the MU used in the protocol instance i.
Theorem 1: The proposed framework preserves the privacy of the MU.
Proof: We design a game G for the adversary A. In this game, A is given a set of completed protocol instances I and the MDRQ tree used in I. There is an upper bound t on the duration of G, within which A has to finish the game and return the values of some parameters to the judges J. For a sufficiently large value of k, this quantity is negligible. For computing the correct PHI in m_8, O has to correctly compute the matrix Q from m_3, which is encrypted using the public key PK_MU. Hence, the success depends on the hardness assumption of the encryption scheme used for encrypting matrix Q. A similar argument applies in the case of m_7 and m_10. Assuming the hardness property of the encryption schemes, the probability that none of these values can be guessed is (1 − 2^−d1) × (1 − 2^−d2) × (1 − 2^−d3), where d_1 is the total length of all the values in matrix Q, d_2 is the total length of all the values in matrix P, and d_3 is the total length of the location parameters x_1, x_2, x_3. Therefore, the probability that O can successfully compute any one parameter among m_2, m_7, m_8, m_10 correctly is

Formal Security Verification using ProVerif
In order to prove that a protocol is correct, the symbolic model, also known as the Dolev-Yao model [22], is usually used. This symbolic model is an abstract model which helps to build automatic verification tools, and many such tools are used in practice; ProVerif [25], AVISPA [26], and Tamarin [27] are a few examples of tools based on the symbolic model. We have used ProVerif to prove that our proposed framework is secure. The verification summary of the Initialization phase and the Emergency Detection phase is shown in the following rectangular box: The results shown in the above boxes conclude that the proposed framework satisfies the security properties that we aim to achieve.

Informal Security Analysis of the Proposed Framework
Here, we informally analyze the security and privacy of the proposed framework with the assumption that TA and CS are curious. We prove that our proposed framework fulfills the security and privacy requirements through the following claims and their proofs.
Claim 1: The proposed framework preserves the privacy of the MU. Proof: In a medical emergency, the framework should not reveal any private information of the MU. However, the location of the MU can be revealed to the selected MSP only after completion of the MSP selection task. MU embeds its current PHI values in C'_1 through the id values generated using the MDRQ tree. C'_1 uses a hash function to hide these id values. Due to the pre-image resistance property of hash functions, any adversary A, including CS and TA, cannot retrieve the id values. Thus, the PHI information of the MU is safe. The PHI and location information of the MU are concealed in the matrices P, Q, and they are also encrypted using the public key of the MU, PK_MU = g^β (equations 3, 4, 5, 6), to obtain C_Lu, C_Au, C_Ls, C_As. We see that A cannot obtain the location of the MU from C_Lu due to the hardness of solving the integer factorization problem. Similarly, A cannot obtain the PHI values of the MU from C_Au. A may also try to obtain the location and/or PHI values from the ciphertexts C_Ls and/or C_As. However, based on the hardness assumption of cryptanalyzing the encryption algorithm, there is a negligible probability that A can obtain the location and PHI values by exploiting the ciphertexts C_Ls and/or C_As. Similarly, A cannot obtain the attribute and location information of the MSPs. TA may try to correctly generate d_1² to find the distance between the MU and the MSPs by guessing the location of the MU, (x_1, x_2, x_3). The probability of a correct guess is 2^−b1 · 2^−b2 · 2^−b3 = 2^−(b1+b2+b3), where b_1, b_2, b_3 are the sizes of x_1, x_2, x_3, respectively. Therefore, the probability of guessing the MU location is negligible. Thus, the proposed framework preserves the privacy of the MU.
Claim 2: The proposed framework preserves the integrity requirement. Proof: In the emergency detection phase, CS verifies the integrity of the information received from the MU using equation 1. Suppose the adversary A tries to change C'_1 into C''_1 to wrongly predict the emergency of the MU. Then it has to generate a correct C'_2 value for which the integrity verification would succeed. Since A does not have the correct secret key β, it can try to generate C''_2 ← g^(1/(C''_1 + β' + N + I_i)) using some guessed secret key β'. Moreover, A has to use the same public key PK_MU; otherwise, the emergency prediction will not be for the actual MU, which in turn will not fulfill the objective of A.
However, unless β' = β, the C''_2 computed with β' will not match the value that equation 1 expects for the same public key PK_MU. Therefore, the integrity verification fails. A may try to guess the correct β. However, the probability of a correct guess is negligible, considering that β is sufficiently large. Thus, A cannot succeed in breaking the integrity. Similarly, in the MSP selection phase, the MSP and the MU verify the integrity of the messages communicated between them through CS. In all these cases, A, without having the secret key β, cannot break the integrity. Therefore, the proposed framework preserves the integrity requirement.

Claim 3: The proposed framework is secure against replay attack. Proof: The adversary A can try to replay a message. For example, an MSP can attempt to replay the value of an old C_s for which the MSP was selected in an old session for the same user. However, CS will reject this message, as the value of N used in this message is not the same as the value used in the current session. In the emergency detection phase, an old alert can be replayed by an outside attacker, which will be rejected by the MU, as the value of N used in the replayed message will not be the same as the value of N used in the current session. Similarly, any replayed message will be rejected by the respective entities responsible for verifying the messages before their acceptance. Thus, the proposed framework is secure against replay attack.

Claim 4: The proposed framework is secure against message forgery attack by adversaries including CS. Proof: In a message forgery attack, the intended recipient receives a fabricated message instead of the original message. As an example, adversaries including CS may try to create a forged message E_PKMU(P), E_PKMU(Q), PK_MU, N, H, H_1 and broadcast this message to all MSPs. However, this message will not be accepted, because outside adversaries have neither the master secret key MS nor the secret key of CS. Therefore, their advantage in generating the signatures H, H_1 is negligible. Having its secret key, CS can generate the valid signature H_1. However, it cannot generate the valid signature H, as it does not have the secret key MS. Therefore, the proposed framework provides protection against forgery attack.

Claim 5: The proposed framework is secure against power leakage attack. Proof: In this type of attack, the attacker attempts to make the MU unnecessarily engage in computations that drain the limited power of the MU. As the battery power of MUs is limited, malicious agents may try to send fake emergency alerts in the Emergency Detection Phase to drain the power by involving the MU in unnecessary computations. In the proposed framework, the MU uses the nonce value N to detect any such attempt. MU sends this value to CS after encryption under the key of CS. Therefore, only CS can decrypt this value and use it to send the alert message. Since outside adversaries do not have the secret key, they cannot decrypt N. These adversaries can guess a value and send that value as the alert message. However, the probability of guessing a value such that the corresponding value of N is correct is negligible. Therefore, the MU will reject the fake alerts and will not perform any further computations. This prevents power leakage due to fake alerts.

Performance Analysis of Proposed Framework
In this section, we analyze the performance of the proposed framework in terms of security, computation and communication requirements. We then compare the performance of our proposed framework with the framework proposed in [4]. We use only [4] for the comparison because it is the only existing work which handles the MSP selection problem.

Security and Privacy
A summary of comparative security features present in the current work and in [4] is given in Table 2. From this comparison, we can conclude that the proposed framework in this paper has outperformed the work in [4].

Computation
We first compute the number of operations used by the entities present in the proposed framework. Table 3 illustrates this computation. Table 3 shows that the MU needs to perform many computations in case of an emergency. However, these computations ensure the security and privacy of the proposed framework.

Phase wise Time Comparison
Based on the number of operations performed by every component, we have computed the execution time of the proposed framework using an Intel Core 2, 1.83 GHz CPU. We plot the time taken by the different phases of our proposed framework and of the scheme proposed in Yu's framework [4]. The time comparisons for the emergency detection phase and the MSP selection phase are shown in Fig. 4 and Fig. 5, respectively. To ensure more security and privacy, the computation in the MSP selection phase of the proposed framework is higher compared to the scheme proposed in [4], as illustrated through the graph in Fig. 5. However, in the emergency detection phase, our framework performs much better than the scheme in [4], as illustrated in Fig. 4.

Communication
In this section, a comparison of the number of communications that take place for the MU is provided. The assumptions on the number of bits of the different elements used for communication are shown in Table 4. The number of communications for the MU in our proposed framework and in the scheme in [4] are shown in Fig. 6. We observe that our proposed framework always incurs a much lower communication overhead for the MU than its counterpart in Yu's framework [4].

Conclusion
In this work, we have identified that a trusted third party is being utilized to select an appropriate MSP for a medical user in a medical emergency. However, the internal agents of the third party may be curious, and hence the privacy of the MU can be leaked through this component. Moreover, if this component fails, the entire system suffers from a single point of failure problem. Therefore, we have proposed a privacy preserved MSP selection framework which avoids these problems. The analysis in this paper reveals that the proposed framework outperforms the existing work in terms of security and privacy. However, in our proposed framework, the devices implanted in the MU need to perform more computations. As future work, we will try to reduce this computation overhead.

Compliance with Ethical Standards
Funding: This study was funded by SERB, DST, Govt. of India (project grant number EEQ/2020/000039).