Professional Documents
Culture Documents
An Internet of Things-Based Health Prescription Assistant and Its Security System Design
An Internet of Things-Based Health Prescription Assistant and Its Security System Design
highlights
article info a b s t r a c t
Article history: Today, telemedicine has a great reputation because of its capacity to provide quality healthcare services to
Received 29 June 2017 remote locations. To achieve its purposes, telemedicine utilizes a number of wireless technologies as well
Received in revised form 30 October 2017 as the Internet of Things (IoT). The IoT is redefining the capacity of telemedicine in terms of improved and
Accepted 12 November 2017
seamless healthcare services. In this regard, this paper contributes to the set of features of telemedicine
Available online 2 December 2017
by proposing a model for an IoT-based health prescription assistant (HPA), which helps each patient to
Keywords: follow the doctors recommendations properly. This paper also designs a security system that ensures user
Internet of things authentication and protected access to resources and services. The security system authenticates a user
Healthcare based on the OpenID standard. An access control mechanism is implemented to prevent unauthorized
Health assistant access to medical devices. Once the authentication is successful, the user is issued an authorization ticket,
Telemedicine which this paper calls a security access token (SAT). The SAT contains a set of privileges that grants the user
Security system access to medical IoT devices and their services and/or resources. The SAT is cryptographically protected
to guard against forgery. A medical IoT device verifies the SAT prior to serving a request, and thus, ensures
protected access. A prototype of the proposed system has been implemented to experimentally analyze
and compare the resource efficiency of different SAT verification approaches in terms of a number of
performance metrics, including computation and communication overhead.
© 2017 Elsevier B.V. All rights reserved.
https://doi.org/10.1016/j.future.2017.11.020
0167-739X/© 2017 Elsevier B.V. All rights reserved.
M. Hossain et al. / Future Generation Computer Systems 82 (2018) 422–439 423
et al. [4] introduced various IoT-based application scenarios, where Contributions. The contributions of this paper are as follows:
mobile notifications are displayed on a TV screen, different colors
of room lighting are applied for emergency recognition, and a 1. We propose a theoretical framework for an IoT-based HPA
health prescription assistant (HPA) is provided. For more profound and present a detailed architectural model for the HPA.
understanding of the IoT and its application domains, interested 2. We highlight the operation and benefits of the HPA.
readers are referred elsewhere [5–7]. 3. We design a security system that ensures user authentica-
Eventually, the IoT can be thought of as a growing network of tion and protected access to electronic medical records and
physical objects or entities that feature an IP address for Internet medical sensors and actuators.
connectivity, and the correspondence that happens between pairs 4. We provide the details of security components, authoriza-
of such objects and other Internet-enabled gadgets and frame- tion model, operational model, and security access token
works. Introducing automation is feasible in nearly every field, (SAT) verification.
since the IoT comes with a set of benefits, including advanced con- 5. We implement a prototype of the proposed system using IoT
nectivity that goes beyond machine-to-machine scenarios [8]. One devices powered by Contiki operating system.
of the main criteria of the IoT is enabling services provided by any 6. We provide the performance evaluations in terms of var-
network on the World Wide Web to its intended end users and/or ious metrics, including communication and computation
things [4]. This feature of the IoT allows the offering of timely, high- latency, request completion time, and energy consumption.
quality telemedicine and healthcare services to patients via remote
assistance. For example, in the concept of telemedicine, a medical Organization. The rest of this paper is organized as follows. Related
practitioner provides his/her patient with medical services from a work and motivation are presented in Section 2. A background on
distance. The patient might be located in a remote place (the coun- access-control schemes in IoT is provided in Section 3. In Section 4,
tryside, a ship on the ocean, or even in an aircraft). There are many the proposed HPA is presented. Section 5 provides the proposed
places on this planet, particularly in developing countries, where security system. The experiment and evaluations are presented in
access to healthcare services is restricted by distance and a poor Section 6. A comparative discussion on proposed and existing au-
transportation infrastructure. However, in some places, healthcare thorization schemes is presented in Section 7. Finally, we conclude
services are inadequate. In such places, the opportunities and this article in Section 8.
possibilities of distributing medical services by telemedicine can
be accelerated by mobilizing the potential of the IoT [1]. 2. Related work and motivation
Consequently, the IoT could give rise to numerous medical
applications, including remote health monitoring. For example,
The advances in cloud and ubiquitous computing, smart sensors
based on the patients health data, a healthcare service provider
and actuators, and IoT Big data and analytics have made remote
can make a much better diagnosis of the patients condition and
monitoring of patients more feasible. Recently, several research
can recommend the best possible treatment and early interven-
works on wireless healthcare have been proposed, which aimed
tion [9]. Consistency in home treatment and medication by the
at continuous patient monitoring in closed environments, such as
healthcare service provider is another potentially critical applica-
home, office, ambulance, and hospital, as well as in open environ-
tion. Hence, different healthcare devices, sensors, and diagnostic
ments such as athlete health monitoring.
and imaging gadgets can be seen as smart objects constituting a
pivotal part of the IoT. Thus, the technology of wearable sensors
has accelerated the development of new applications and services 2.1. Insecure IoT-based healthcare
used in remote healthcare systems, such as controlling patients
health conditions, through content service applications and by An implementation of autonomous wireless body area network
providing treatment according to the updates [10]. Consequently, for enabling IoT connected healthcare applications was proposed
IoT-based medical services are expected to decrease costs, to build in [21]. The authors in [22] provided a Cloud-IoT based sensing
personal satisfaction, and to improve the client’s experience. From service for health monitoring. The research work [23] presented
the medical service providers point of view, the IoT could diminish an intelligent healthcare framework based on IoT technology to
device downtime through remote procurement. Integration of the provide ubiquitous healthcare to person during his/her workout
IoT into the aforementioned healthcare systems enables a further sessions. To provide an efficient diagnosis, Lomotey et al. [24]
increase in intelligence and interoperability [11], which will result proposed a data acquisition architecture for wearable devices. Ali
in expansion of the IoT at an exponential rate. et al. [25] proposed a healthcare system that analyzes physiological
In a nutshell, IoT-based healthcare [12] is a promising technol- information of patients and suggests diabetes-specific prescrip-
ogy that brings many advantageous applications to reduce costs, tion. We-care [26] proposed an IoT-based healthcare system for
increase quality of life, and improve the efficiency of healthcare elderly people. iDoctor [27] provided a personalized and profes-
services, providing easy and correct action, on time. sionalized medical recommendations based on hybrid matrix fac-
However, in the healthcare system, devices and applications torization. A facial recognition system that enables doctors and
are expected to deal with important private information, includ- caregivers to constantly monitor patients’ feelings remotely and
ing personal healthcare data. Furthermore, such smart devices take appropriate action as required was presented in [28]. The arti-
will be connected to worldwide information networks for access cle [29] provided an energy-aware cyber–physical therapy system,
anytime and anywhere. Subsequently, the IoT healthcare domain which incorporates smart things and devices in both the physical
may become a target. The personal data collected from resource- and cyber world for therapy sensing. The authors in [30] proposed
constrained wearable sensors are thus vulnerable to privacy con- a smart health care framework for monitoring Parkinson’s disease
cerns [13,14]. Additionally, unauthorized access to the medical in smart cities. Sood et al. [31] designed an IoT and fog based
devices can jeopardize patients lives [15–20]. Therefore, misuse of healthcare system to provide a remote diagnosis of Chikungunya
healthcare sensors and actuators or privacy concerns with patients virus based on a user’s health symptoms and surrounding environ-
medical records may restrict people to utilize IoT-based healthcare mental conditions. A healthcare monitoring system using radio-
applications. In this regard, this paper proposes a model for an IoT- frequency identification (RFID) was proposed in [32]. The authors
based HPA and designs of a security system to protect unautho- in [33] designed an IoT-aware architecture for smart healthcare
rized access to the proposed framework. coaching systems. An information acquisition model to enable
424 M. Hossain et al. / Future Generation Computer Systems 82 (2018) 422–439
real-time data processing and decision making in the telemedicine 3. Background: Access control in IoT
was provided in [34].
The above-mentioned research works enable automatic patient To better understand the DCCapBAC scheme proposed in this
monitoring and provide potential quality of the healthcare without article, we provide a brief overview of the authorization models
compromising with the patient’s comfort. The primary focus of all used in IoT-based systems.
these projects is to achieve a higher degree of efficiency, reliability,
and cost-effectiveness of their systems. Although some of these Access Control List (ACL): The ACL is one of the most common au-
articles mentioned the security issues with electronic medical thorization model [47,48]. Access rights (AR) are centrally specified
records and wearable sensors, none of them embedded security in the ACLs as right = <prov ider , action> and assigned to clients
solutions with their telehealth systems. as a tuple <client , right >. ACLs can be adopted achieving autho-
rization in a centralized system with a small number of clients
2.2. Security constraints in IoT-based healthcare and providers. However, it becomes a complex task to manage and
deploy ACLs with the increasing number of IoT devices.
Security schemes designed for conventional digital systems to
achieve authentication, authorization, and secure communication Role-based Access Control (RBAC): This model [49] proposes an
cannot be applied directly to IoT healthcare systems due to the additional layer to manage access rights in a flexible way . RBAC
resource constraints and distributed architecture of these sys- eliminates direct assignments of rights to clients. Instead, it defines
tems. The medical IoT devices have limited processing power and a set of roles, assigns rights to the roles as <role, right >, and then
memory. Thus, conventional cryptographic techniques that require assigns roles to the clients requesting access as <client , role>.
heavy computations are infeasible. Additionally, these devices op- RBAC minimizes the effort to managing rules. However, the scal-
erate in a low power and lossy network with limited communi- ability of the RBAC models becomes a challenge when it requires
cation bandwidth, and are located at the edge of a network, such to assign roles to a large number of IoT devices and their users.
as home, hospital, and office. Therefore, it is infeasible to utilize
Attribute-based Access Control (ABAC): This model [50] provides
conventional secure protocols primarily designed for centralized
a mechanism for managing huge number of rules – rights, roles,
architecture in distributed IoT healthcare systems. Furthermore,
and clients assignment. ABAC enables the use of a combination of
the IoT healthcare applications require real-time monitoring. How-
various attributes of a requested client such as location, temper-
ever, the resource-intensive security operations may limit medical
sensors and actuators from publishing real-time updates on health ature, time of day, and so on, to generate dynamic access polices.
conditions. Thus, ABAC reduces the number of static access control rules and
makes RBAC feasible for a large number clients and providers.
2.3. Limitations and problem formulation The ACL, RBAC, and ABAC share a common problem which
is centralization. In these models, a central entity is responsible
Although there are some researches on lightweight authenti- for making authorization decisions including combining attributes
cation and secure communications for IoT-based healthcare sys- and enforcing policies. This entity has to be always online to pro-
tems [35–40], little attention has been paid to authorization. There vide an authorization decision for every request made by clients.
are a few healthcare frameworks that adopted Role-based Access However, the centralized decision making property of these mod-
Control [41] and Attribute-based Access Control models [42] to els may not provide good scalability in the distributed IoT envi-
ensure the privacy of the electronic medical records stored in a ronments. Another major drawback of these models is that they
central entity. However, these proposed frameworks lack security only consider service clients as a human user. As a result, these
scheme to protect medical devices, which operate in a distributed approaches cannot be applied to the scenarios where medical
system, from unauthorized accesses. The lack of an authorization devices communicate with each other such as sensor-to-sensor or
scheme for medical devices can be life-threatening for a patient. sensor-to-actuator interactions.
For example, an authorized access to the IoT-enabled Pacemaker
implanted in a patient’s chest will enable an adversary to regulate Capability-based Access Control (CapBAC): The CapBAC models,
the beating of the heart maliciously. In another scenario, an ad- that were proposed for distributed systems a long time ago in the
versary can change the drug dosage for a diabetic patient gaining literature [51–53], can be suitable for the IoT. The CapBAC approach
access to the electronic insulin pump attached to his/her body. offers flexibility that can meet the requirements of various IoT
architectures. CapBAC maps access rights to a client’s capability
2.4. Proposed solution token. The token is signed by a central party and issued to the
client. Thus, it is cryptographically protected and cannot be forged.
In light of the aforementioned security gaps in the exist- Most recently, CapBAC models for IoT systems have been proposed
ing smart healthcare applications, we propose an IoT-enabled in several research works [54–60]. These models can be classified
and secure health prescription assistant framework. We integrate into three categories based on the approach they follow verify-
OpenID standard [43] to the HPA for user authentication. To ing a capability token, such as centralized, distributed, and semi-
mitigate unauthorized access related risks, we adopt Attributed-
distributed.
based Access Control (ABAC) model for protected access to elec-
In the centralized approaches [54–56], an IoT device com-
tronic medical records stored in the Cloud, and propose a Dele-
municates with an intermediate party different than the issuing
gated Context-ware Capability-based Access Control (DCCapBAC)
one to validate the correctness of a capability token every time
scheme for ensuring protected access to medical sensors and ac-
tuators operate in the edge of the networks. DCCapBAC enables a client makes a request. An IoT device validates the token by
medical devices to expose their services in a protected way. DC- itself in the distributed approach [57,58]. In the semi-distributed
CapBAC unburden resource-limited medical sensors and actuators approach [59,60], a gateway communicates with the intermediate
from computation intensive cryptographic operations by delegat- party on behalf of the IoT device for token validation.
ing them to a smart Gateway (e.g., border router) [44–46] co- However, in our proposed DCCapBAC approach, the validation
located with the medical devices. DCCapBAC also reduces commu- task is delegated to the gateway. The gateway intercepts an in-
nication and memory overhead involved in making an authoriza- coming request and makes an authorization decision (permit or
tion decision for a request. Thus, real-time updates on a patient’s deny) for a medical device without any communication with the
physical conditions get published to caregivers. This also enables intermediate party. The details of the DCCapBAC is presented in
medical sensors receiving caregivers’ instructions immediately. Section 5.4.3.
M. Hossain et al. / Future Generation Computer Systems 82 (2018) 422–439 425
and reported to the medicine box for subsequent processing and planes: communication plane, aggregation plane, decision plane,
references. The medicine box communicates with both the patients and security-enforcement plane. The communication plane en-
body-patch sensor network and the Internet, and thus, become a ables interactions between multi-protocol devices and networks.
vital part of the IoT-based HPA. Eventually, the HPA can address It allows communication between the HPA and the smart objects
each and every pill individually, per the patients requirements. located in a smart-home or medical sensors attached to a patient.
Moreover, the aggregated data from the patient BAN will be stored Smart objects and wearable sensors communicate among them-
and processed on the health cloud computing server for further selves through the smart gateway as well. The aggregation plane
need. complies data from medical sensors and publishes them to the
Cloud HPA services. The decision plane is intelligent enough to
Health Databases: The HPA can access several databases to assist
process sensor data, to learn health condition, and to make decision
the patient in a number of ways. The database may contain a
locally. The security-enforcement plane protects smart nodes from
stack of some representative DBs, including a food and nutrition
unauthorized accesses. The planes of the smart gateway can be
DB, measured physiological biomarker DBs, and disease-specific
implemented using the 6LoWPAN border-routers manufactured
tips DBs. The food and nutrition DB provides an extensive list
by Intel [67] and Weptech [68].
of foods with their nutrition facts in a structured form so the
HPA can automatically process the data and determine further 4.3. Operation and benefits
actions according to the aggregated data. This DB can supply the
system with information about how a particular food affects the 4.3.1. HPA operation
patients health, which makes it easier to select a healthy diet, Step 1: The HPA is installed with an appropriate interface for
whereas the disease-specific tips DB provides advice, archived doctors in the doctors smart device. Step 2: The HPA is installed
experiences from other patients, as well as information about with an appropriate interface for patients in the patients smart
medications. These databases might be offered by third parties device. Step 3: Both doctor and patient agree to use the HPA service
who provide business-to-business services. In that case, the DB for the intended purpose and enable the HPA service accordingly.
service providers and the HPA must agree on a standard protocol Step 4: The doctor provides a digitized prescription to the system
to communicate with each other in order to establish system through the HPA. Step 5: The doctor and patient touch their smart
compatibility. The types and numbers of various DBs integrated devices for a mutual permission through near field communication
with the HPA depend upon the respective authority of the hospital (NFC), and the HPA starts working. In case of a remote consultation,
providing healthcare services. both the doctor and the patient implement a message-passing
Computing and the Control Server: The health cloud computing protocol and input codes to complete the mutual permission.
and control server is basically responsible for the core computing
and decision making requested from time to time by the HPA. As 4.4. Benefits of an HPA
mentioned earlier, the aggregated data will be conveyed to the
health cloud computing and control server for storage, processing, Since the HPA can act as a reminder, the patient never forgets
analyzing, and visualization. The control server is the central hub to take medicines and follow a proper diet. The HPA detects any
of the HPA. It monitors and controls the clients installed at various adverse drug reaction through the use of an array of sensors, and
points, including any clients in the doctors devices and the patients can report those issues to the doctor and healthcare providers.
devices. It also aggregates the events reported by various edges Owing to mutual understanding and interactions between the HPA
of the HPA system (e.g., sensors, the patient, health professionals, and the medicine box, the HPA protects the patient from taking
and DBs) and prepares the structured commands to be sent to the the wrong medicine by mistake. Thus, with the help of relevant
computing server. The computing server analyses the commands databases and based on the doctors recommendations, as well as
received from the control server and sends the respective edges the detected diseases, the HPA can recommend appropriate recipes
the results. Unlike the control server, which must be owned by for the patients health from the food available in the refrigera-
each hospital, the computing server might be supplied by a third tor. Moreover, the HPA also interacts with the smart-home sys-
party. Furthermore, visualization is an important research area in tem where the patient resides by setting the ideal environmental
the science [64], and thus, it is a vital requirement for systems temperature and humidity for the patients needs. The system is
like the HPA, where the measured biosensor information must considered robust and reliable against unauthorized access due
be in a form in which the doctor can read it and understand the to the presence of the gateway. The gateway can be configured
impact of the specific event on the patients health condition. In with appropriate authorization so the HPA can safely coordinate
the literature, several approaches [65,66] enable visualization of databases, the health cloud computing and control server, and the
the data in various forms. health clinics.
The Smart Home: The HPA communicates with a smart-home 5. Security system
system to give the patient more suitable and comfortable living
conditions, including room temperature, adequate lightning, and 5.1. Security components
proper humidity. In some cases, the HPA requires special designs
of smart-home elements. For example, it needs a specially designed This section presents an overview of the security components
refrigerator to keep track of preserved food items. The refrigerator for the proposed prescription assistant system (see Fig. 3). Note
consists of several chambers, and each chamber contains several that the security system follows the OpenID standard [43] to au-
cells. The chambers and cells are equipped with sensors. These thenticate users.
sensors can communicate with the main RFID of the refrigerator,
Identity Provider: An identity provider (IdP) provides identifiers
which communicates with the smart-home server and connects to
for users (e.g., physicians, patients, employees, etc.) who interact
the Internet. Also, if the control server provides access, the smart
with the IoT health assistant. The IdP also confirms with the IHA
home and the patients systems can directly communicate with
that an identifier presented by a user is known. Additionally, the
each other for a specific session.
IdP provides other information, such as address, date of birth,
The Smart Gateway: A smart gateway is a resource-rich device gender, etc., about the user, which is known to the provider.
placed at the edge of a network. The gateway has four different For example, the IHA system allows users to register/login with
M. Hossain et al. / Future Generation Computer Systems 82 (2018) 422–439 427
in the system, and each role has its own access rights to a set of the conjunction, disjunction, and negation operations of the at-
services. The set of roles (RSet) is defined as follows: tribute elements. To further understand the expression of the at-
tribute constraint, consider the following example. Suppose there
RSet = {R1 , R2 , R3 , . . . , Rn−1 , Rm } is a security rule such that ‘‘All physicians from the cardiology
Ri = {Subi1 , Subi2 , Subi3 , . . . , Subij−1 , Subij } department can check the status of a pacemaker’’. This rule can be
represented as:
Here m, j ∈ N, 1 ≤ i ≤ m, and Sij ∈ SubS
AT = {Role, Department , Dev ice}
Operation (OP): Operations, such as GET, POST, DELETE, and PUT,
are sent to the services. For example, a user performs a read AC = ∀Role.Physician ∩ ∀Department .Cardiology
operation to a service by issuing a GET request. A set of operation ∩ ∀Dev ice.Pacemaker
is defined as follows.
Context constraint: Context is used to characterize the situation
OP = {GET , POST , DELETE , PUT , . . .} of an entity. An entity can be a person, place, or object that is
considered relevant to the interaction between a user and a med-
Service (S): Services are offered by medical IoT devices. Each
ical IoT service. Different types of context, such as time, space,
service consists of a set of resources (res), such as configuration
object status, etc., can be used during the policy evaluation phase to
files and sensor data sorted in a database or on-device memory. A
determine whether to allow/deny a request [69]. For example, it is
service receives a users request and complies with it. The request is
possible for a users request to be rejected if the request originates
verified by the Access Control Logic (ACLogic) engine as described from a certain location. A request can also be rejected if it was
in Section 5.4.2 before being fulfilled. A set of service (SS) and performed earlier, or if issued after a certain time of day. Moreover,
resource (RS) are defined as follows: a request can be rejected based on a medical devices current status,
RS = {res1 , res2 , res3 , . . . , resq−1 , resq } such as the operating mode (e.g., it is in energy-saving mode). In
all these cases, a user has the right to invoke services or access
SS = {S1 , S2 , S3 , . . . , St −1 , St } resources; however, the request might not be accepted because the
Si = {resi1 , resi2 , resi3 , . . . , resij−1 , resij } conditions in the context information were not satisfied. A context
set is defined as follows:
Here q, t , j ∈ N, 1 ≤ i ≤ t, and resij ∈ RS
CT = {ct1 , ct2 , ct3 , . . . , ctn−1 , ctn } (n ∈ N)
Permission (P): A permission is an approval of a particular mode Each element of the context set represents a context type
of operation for one or more services in the system. Permissions (ct). Each context element (CE) is expressed as a triple CE =
enable the holder of the permission to perform some action in {cti , name, v alue}, cti ∈ CT . For example, (dev ice, mode, energy-
the system. For example, a nurse has permission to retrieve the sav ing) expresses the operating mode of the device, and
thermometer reading, however she cannot issue a command to (physician, location, coordinate(33.5o , 86.8o )) expresses a location
the pill bottle. A set of permission (PS) is defined using operation context. For instance, one can consider a security rule like ’’Any
assignments (OA) as follows: request originating from a hospital should be served, regardless of
the time of the day and the operating mode of the device’’. Such a
PS = {P1 , P2 , P3 , . . . , Pt −1 , Pt }
context constraint can be expressed as follows:
Pi = {OAi1 , OAi2 , OAi3 , . . . , OAiq−1 , OAiq }
CT = {Time, Location, Dev ice)
OAij = Si × OPi
CC = ∀Location.Hospital ∩ ∀Time.Hour
Here, t , q ∈ N, 1 ≤ i ≤ t, OPi ⊂ OP, and Si ∈ SS ∩ ∀Dev ice.OperatingMode
Attribute constraint: There are different types of attributes, such
as user attributes, role attributes, and medical device attributes, 5.2.2. Components relationship
which can be used during policy assignment: user assignment, UA, PA, and OA stand for user assignment, permission assign-
permission assignment, and operation assignment. For example, ment, and operation assignment, respectively.
the age/work experience of a user may be considered during user
UA ⊆ U × R : User assignment is a many-to-many mapping
assignment: assigning a role to the user. Or perhaps a physician
between users and roles. Each user must be assigned with a role.
must have 15 years of experience to be assigned to a senior physi-
One user can belong to multiple groups, since a user may have
cian role. Similarly, the properties of a role, such as the size of multiple roles.
the group or the functions of a group, can be considered during
permission assignment. For example, at least one person should PA ⊆ P × R : Permission assignment is a many-to-many mapping
be assigned to the senior physician role, or no two nurses should between permissions and roles. To access resources, each role is
have access to the same medical devices of a patient: access to assigned with certain permissions.
such services is mutually exclusive. Furthermore, device properties OA ⊆ OP × S : Operation assignment is a many-to-many mapping
like memory, communications interface, or energy source (e.g., between operations and services. Each service is assigned with a
battery-driven) can determine operation assignment. For example, certain number of operations.
a medical IoT node with read-only memory must not be accessed
RAA ⊆ R × AT : Role attribute assignment (RAA) is a many-
for POST actions. An attribute set is defined as follows:
to-many relation between roles and attribute types. Each role is
AT = {at1 , at2 , at3 , . . . , atn−1 , ctn } (n ∈ N) specified with appropriate attributes by a security administrator.
Each element of the attribute set represents an attribute type PAA ⊆ P × AT : Permission attribute assignment (PAA) is a many-
(at). An attribute element (AE) is expressed as a triple AE = to-many relation between permissions and attribute types. A set
{ati , name, v alue}, ati ∈ AT . For example, (dev ice, memory, 16MB) of attributes is first defined, and then appropriate attributes are
expresses the capacity of the memory, (patient , age, 45) expresses assigned to the permissions by a security administrator.
the age of the patient, and the size of a group is expressed as OPAA ⊆ OP × AT : Operation attribute assignment (OPAA) is a
(role, size, 15). An attribute constraint (AC ) is expressed by a com- many-to-many relation between operations and attribute types. A
bination of attribute elements. The combination is achieved with security administrator assigns a set of attributes to the operations.
M. Hossain et al. / Future Generation Computer Systems 82 (2018) 422–439 429
Fig. 5. An example policy for nurse and physician. A physician inherits the privileges
of a Nurse.
5.2.3. Policy
Policy determines the capabilities of the users. Each policy con-
tains a subset of the permission assignment and operation assign-
ment, but does not contain a user assignment: users information
is not included in the policy. Policies are defined for roles, and
roles are mapped to users. Therefore, the capabilities of a user
correspond to polices defining his/her roles. Policies are defined
and stored in the policy database in the authorization service. Fig. 5
shows an example of access control policy encoded in Extensible
Access Control Markup Language (XACML) [70].
A capability token, which this paper designates as a security Fig. 8. SAT generation process.
access token, is created from these policies and issued to a user.
Unlike policy encoding, capability tokens are signed and encoded
in Java Script Object Notation (JSON) [71]. A user sends a request to 5.3.2. Service access ticket (SAT) generation phase
a medical IoT, and attaches the capability token with the request. Step 1: The user provides the SCert to the Authentication Au-
The medical device checks the requesters access rights by verifying thority and requests for a Service Access Ticket (SAT). Step 2:
the token, and then applies context constraints to allow or deny the Authentication Authority validates the SCert by checking the IdP’s
request (see Fig. 6).
signature which is attached to the SCert. Next, the Authentication
Authority retrieves the UID of the User. Step 3: The Authentication
5.3. Operational model Authority provides the UID to the Authorization Authority, and re-
quests to generate a new SAT for the user. Step 4: As shown in Fig. 8,
This section presents the operation model of the proposed The authorization service first checks that the user has not been
security architecture (see Fig. 7). blacklisted. Next, it retrieves the role of the user in the system. After
that, it obtains the policies, permissions, and context constraints
5.3.1. Authentication phase defined for the role. Finally, the SAT creation service generates
Step 1: A user sends a login request to the authentication a signed SAT using the retrieved information (see Algorithm 1).
authority. The authentication authority allows the user to select an Step 5: The authentication authority receives the issued SAT from
IdP. The authentication authority redirects the user to the selected the authorization authority, and forwards the SAT to the user. The
IdP service. Step 2: The IdP service asks for the user’s credentials user is required to present the SAT to an IoT device to access
such as email address and password. The user provides the creden- resources and services offered by that smart device. The IoT device
tials. The IdP verifies the credentials and issues a Secret Certificate verifies the SAT as described in the following section and grants
(SCert) to the user. access.
430 M. Hossain et al. / Future Generation Computer Systems 82 (2018) 422–439
which is complex and expensive, especially for a large number of step, based on the SAT validation outcome (e.g., accept or reject), it
medical IoT devices. either forwards the request to the requested medical device or re-
jects the request without sending it to the requested device. Thus,
5.4.2. SAT verification process the proposed scheme unburdens resource-limited devices from
A SAT is verified by a verification process named ACLogic engine compute-intensive operations and reduces storage and memory
which executes the condition script embedded in the SAT. The requirements for concerned cryptographic hardware or software.
ACLogic engine makes a permit or deny decision according to the This approach also enables medical devices to serve a real-time
execution result. The ACLogic engine ensures that a request meets request. The gateway is located closer to the medical devices as
the constraints defined for the requester. The ACLogic engine uses compared to a Cloud authorization server used in the centralized,
a data structure called a stack. A SAT is valid if nothing in the semi-distributed, and distributed approaches (see Fig. 12). As such,
condition script triggers failure and the top stack item is true the delegation of the SAT verification task to the gateway, instead
(non-zero). A stack is a very simple data structure, which can be of delegating the task to the Cloud, results in a faster processing
visualized as a stack of cards. A stack allows two operations: push of a request. In the following section, we provide the experimen-
and pop. Push adds an item on top of the stack. Pop removes the tal evaluation of the proposed delegation-based SAT verification
top item from the stack. When the script execution ends, the stack method.
should be left with the value TRUE. The ACLogic engine returns
a permit decision if it finds a TRUE value in the stack; otherwise, 6. Experiment and evaluation
it returns a deny decision. To further understand the concept, an
execution of the script is presented as follows: We analyzed and compared the resource efficiency of our pro-
posed delegation-based SAT verification approach (see Fig. 11)
Condition Script = SIG SPK DECRYPT HASH EQUALVERIFY NB TIME with the distributed SAT verification approach (see Fig. 12(c)). We
GRATER_THAN NA TIME LESS_THAN OPERATION_MODE FORALL provided the performance analysis in terms of energy consump-
BATTERY_STATUS FORALL LOCATION FORALL tion, computation cost, and communication overhead. Centralized
The execution of the above condition script is divided into (see Fig. 12(a)) and semi-distributed (see Fig. 12(b)) approaches
three parts. Part 1 (see Fig. 10(a)) shows signature verification were not considered for experimental evaluation since they are
steps. The signature verification script is: SIG SPK DECRYPT HASH not suitable for medical IoT systems. In these approaches, a device
EQUALVERIFY. The value of the SIG field is first decrypted with the located on the edge of the network has to communicate with a
issuer’s public keys (SPK); note that, the issuer’s private key is SSK. central entity to retrieve authorization decision. Such a communi-
Next, the HASH operation generates a hash of the JSON envelope cation has a considerable delay that limits medical sensor serving
(SAT packet). The hash value is then matched with the decrypted a real-time request.
SIG value. Here, it is assumed that the SIG values was computed as
SIG = EncryptSSK (Hash(SAT)). If both of the values are found equal 6.1. Experimental setup
then the SAT has not been forged or tamper with, otherwise the
SAT has been forged. The experimental setup and network architecture are shown in
Part 2 (Fig. 10(b)) shows the verification of the obligation fields. Figs. 13 and 14, respectively. Table 1 presents the details of the
The script to verify obligations is: NB TIME GRATER_THAN NA specifications of the experimental devices and network interfaces.
TIME LESS_THAN. The ACLogic engine checks that the current time An RE-Mote [74] IoT device performed as a service provider. A
(TIME) is greater than (GRATER_THAN) the value of the NB field. Raspberry Pi model-3 [75] computer was used as a gateway device
Similarly, The ACLogic also verifies that value of the NA field is less to bridge IPv4 and IPv6 networks. The Raspberry Pi device was also
than (LESS_THAN) the current time (TIME). used as a delegation server that performed the SAT verification
Part 3 (Fig. 10(c)) shows the verification of the context con- process for a constrained device in the delegation-based approach.
straints, and the verification script is: OPERATION_MODE FORALL A Nexus 4 smart phone and another RE-Mote were used as service
BATTERY_STATUS FORALL LOCATION FORALL. According to the script, clients. The RE-Motes were operating in a 6LoWPAN network [61].
the request should be served regardless (FORALL) of the opera- The 6LoWPAN network enables end-to-end communications over
tional mode and battery status of a medical IoT device, as well as an IEEE 802.15.4 link [76].
the location of the user. The FORALL operation ignores the value of
the OperatingMode, BatteryStatus, and Location by removing the 6.2. Prototype implementation
corresponding element from the stack top.
We implemented the ACLogic engine using C language for the
The execution of the condition script is successful, if the stack distributed approach. The C-based ACLogic engine was running on
top is left with a TRUE value, which means all the conditions and constrained medical IoT (mIoTs) devices powered by popular IoT
constraints of the script have been satisfied. Any value other than operating system Contiki [77]. We also implemented Constrained
TRUE on the stack top indicates, that at least one condition or Application Protocol (CoAP) [78] servers that were running on
constraint was not satisfied. service-provider medical IoT devices (mIoTs). Furthermore, CoAP
client applications were developed for the service-clients, such as
5.4.3. SAT verification approach mIoT and smartphone. The client devices consumed the medical
We propose a delegation-based SAT verification approach for services provided by the service devices. The clients and providers
resource-constrained medical devices and their networks (see communicated to each other over user datagram protocol (UDP)
Fig. 11). In this approach, a smart gateway, co-located with the protocol. We ported Relic [79] library to Contiki for performing
personal area network, performs the SAT verification process on cryptographic operations, such as signature verification, message
account of the medical devices. As described in the early part of this authentication code (MAC) computation, and AES encryption and
paper, the smart-gateway is a resource-rich entity as compared decryption. We also ported Powertrace library [80] to Contiki to
to the health devices. The gateway is embedded with the ACLogic measure energy consumptions of the cryptographic operations and
engine and is configured such that it can authorize an incoming end-to-end communications.
service access request in two steps. In the first step, the gateway In the delegation-based approach, the ACLogic engine was
validates the SAT attached to the access request. In the subsequent implemented using Java language. The Java-based engine was
432 M. Hossain et al. / Future Generation Computer Systems 82 (2018) 422–439
(a) Part (1/3): Signature verification. (b) Part (2/3): Obligation verification.
running on the Raspberry Pi computer powered by Ubuntu op- 6.3. Experimental scenarios
erating system. The computer was also running a CoAP server
(delegation server) that was implemented using Californium li- We simulated the use-cases of HPA in our experimental scenar-
brary [81]. The delegation server provided the SAT verification ios. The HPA can have four use-cases – (a) a physician accessing
service. Note that Java Security framework has been utilized to electronic medical records (EMR) stored in the HPA databases; (b)
implement cryptographic operations of the ACLogic engine. a physician accessing a wearable medical senor remotely through
M. Hossain et al. / Future Generation Computer Systems 82 (2018) 422–439 433
Table 1
Experimental Devices’ Specifications.
User (Smartphone) as a Service Client
Hardware → Nexus-4 smart phone. 1.5 GHz Dual CPU, 2 GB RAM, and
16 GB storage, and WiFi network interface
Software → Operating System: Android 4.4.
Runtime: JVM
Responsibility → Service client device
Gateway Device
Hardware → Raspberry Pi Model 3. 1.2 GHz Quad CPU, 1 GB RAM,
16 GB storage, and WiFi and IEEE 802.15.4 dual network interface
Software → Operating System: Ubuntu 16.10.
(b) Semi-distributed approach. Runtime: JVM
Responsibility → 6LowPAN border router and Delegation server
Medical IoT Device (Provider or Client)
Device → RE Mote
Hardware → 16 MHz CPU, 8 KB RAM, 40 KB ROM, and IEEE 802.15.4
radio interface
Software → Operating System: Contiki 3.1.
Runtime: C
Responsibility → Medical service provider device and service client
device
(c) Distributed approach. use-case b, c, and d into two categories. We denoted use-case b and
c as user-to-device (U2D) interaction and use-case d as device-to-
Fig. 12. Contemporary SAT verification approaches. device (D2D) interaction.
In the experimental scenarios, we considered U2D and D2D
interactions both for delegation-based and distributed SAT vali-
the HPA Gateway to retrieve real-time health conditions; (c) a dation approaches. The details of the interactions are shown in
caregiver accessing a medical sensor locally through the Smart Figs. 15 & 16. In the U2D interaction, the Smartphone sends a
Gateway; (d) a smart device (medical sensors, actuators, or home request to the mIoT service-provider. The request is routed through
appliances) accessing medical sensors or actuators through the the Raspberry Pi gateway (see Fig. 15). In the D2D interaction, the
Smart Gateway in the local network. In use-case a, the Security mIoT service-client either sends a request directly to the mIoT
Servers located in the Cloud (see Fig. 2) ensure protected access service-provider (see Fig. 16(a)) or the request is routed to the
to the EMR. However, in the local network, the Smart Gateway service-provider through the gateway (see Fig. 16b).
ensures authorized access to the medical sensors and actuators In the distributed approach, the service-provider RE-Mote re-
by employing DCCapBAC (use-case b, c, and d). We divided the ceived a SAT from a user and then performed the SAT verification
434 M. Hossain et al. / Future Generation Computer Systems 82 (2018) 422–439
Fig. 16. Device to Device interactions. MAC = Message Authentication Code. PSK =
Pre-Shared Key. N = Nonce.
Fig. 15. User to Device interactions. MAC = Message Authentication Code. PSK =
Pre-Shared Key. N = Nonce.
scheme (see Figs. 15(a) and 16(a)). However, in the delegation- Fig. 17. IEEE 802.15.4 Frame [82].
based approach, the verification task was offloaded to the Rasp-
berry Pi delegation server (see Figs. 15(b) and 16(b)).
For simplicity, we adopted pre-shared key based authentica-
tion. However, devices can use public key based schemes, such as
certificates, for authentication and to establish a shared key. As
shown in Figs. 15 & 16, communicating peers authenticate each
other using a pre-shared key. A client device selects a Nonce (N),
computes a Message Authentication Code (MAC) of the nonce using
a pre-shared key (PSK) as MACPSK (N), and sends them to a service
device. The service device verifies the MACPSK (N) and authenti-
cates the client device. The service device processes the request
only after a successful authentication. To achieve confidentiality,
the client device can encrypt the SAT using the PSK as EncPSK (SAT)
and send the encrypted SAT to the service device.
Fig. 19. Correlation between service count and packet fragmentation. MAC scheme [83], which is designed for MSP430 16 MHz IoT
devices, to compute a MAC. We used Contiki’s Clock library [84]
to record the execution time. We measured the execution time as
shown in Algorithm 2, and then presented the results in Fig. 22. The
runtime for delegation-based (RTdel ) and distributed approaches
(RTdis ) were computed as RTdel = ExecutionTime (MACPSK′ (N))
and RTdis = ExecutionTime (AES + SHA-1 + Capability Verifica-
tion). From Fig. 22, we can observe the runtime in delegation-
based approach is much less than in the distributed approach.
This is because the service device did not perform capability and
signature verification operations. The delegation-based approach
unburdened the service device from these computation inten-
Fig. 20. Comparison of RDD for distributed and delegation approaches used in user-
to-device interactions. sive operations by delegating them to the Delegation Server. The
service device only computed a lightweight MAC to verify the
MACPSK ′ (Nonce) as shown in Step 4 of Figs. 15(a) & 16(a).
Fig. 21. Comparison of RDD for distributed and delegation approaches used in Request Completion Time (RCT): An RCT is the total time required
device-to-device interactions. to serve a request. We calculated an RCT as the summation of
request delivery delay, runtime, and response delivery delay. The
RCTs for distributed and delegation-based approaches are pre-
sented in Figs. 23 and 24. From Fig. 23, we can see that the time to
Gateway fragments a packet before sending it to the IEEE 802.15.4
serve a user’s request is about three times faster in the delegation-
link in the U2D interaction (see Fig. 16).
based approach than that of the distributed approach. We can
We found the RDDs for U2D and D2D interactions as shown
in Figs. 20 and 21. From the graphs, we can see that the also observe, from Fig. 24, that the distributed approach could
RDD in delegation-based approach is significantly less than in reduce the request complication time by a factor of two. To this
the distributed approach. In the delegation-based approach (see end, we can conclude from Fig. 25 that if the delegation-based
Figs. 15(b) & 16(b)), the Delegation Server authenticated the client approach is followed then the combined latency of communication
device using a pre-shared key (PSK). After that, the Delegation and computation in D2D and U2D interactions can be reduced, on
Server and service provider authenticated each other using an- an average, by 100% and 250%, respectively.
other pre-shared key (PSK′ ). The size of the authentication payload Analysis of Energy Cost: We measured the amount of energy
was 32 Bytes (16 Bytes MAC and 16 Bytes Nonce). This 32 Bytes consumed by the radio frequency (RF) transceiver for sending and
payload fit the MTU and was sent in a single packet. However, receiving packets and by the CPU for performing cryptographic
in the distributed approach (see Figs. 15(a) & 16(a)), a SAT was operations and fragments reassembly. We recorded the energy
sent in multiple packet fragments. These fragments traveled to the consumption at the service device. We provided the operating
service device which the device had to receive and reassemble. As voltage (3.6 volts) and currents (CPU 2400 mA, radio transmit 21
a result, the RDD was much higher in distributed approach than in mA and radio listen 23 mA) of RE-Mote as inputs to the Powertrace
delegation-based approach. library [80] and recorded the energy consumption for crypto-
Runtime Performance: We measured the execution time for SAT graphic operations and receiving and transmitting packets. The
verification and MAC computation at the service device. The SAT Powertrace library uses Contiki’s energy APIs [85] to measure the
verification is essentially the execution of the condition script as power consumption of CPU and radio transceiver. The code snippet
shown in Fig. 10. The verification process comprises of crypto- for measuring energy consumption is shown in Algorithm 3. An
graphic operations for an issuer’s signature verification, such as analysis and comparison of the energy cost for the delegation-
AES encryption and SHA-1 hash computation, and a client’s capa- based and distributed approaches are presented in Fig. 26. From
bility validation. We used Relic library [79] to perform the cryp- the graph, we can see that the communication energy consump-
tographic operations. Additionally, we adopted modified Chaskey tion increases linearly in the distributed approach; however, it
436 M. Hossain et al. / Future Generation Computer Systems 82 (2018) 422–439
Hence, a medical device cannot serve a request immediately, if cen- understand the SAT-verification process, this paper presents exe-
tralized and semi-distributed approaches are applied to medical cution of a condition script. A prototype-based experiment is con-
IoT systems. ducted to validate the different SAT verification schemes. Based the
To minimize the communication overheads of centralized and experimental results, the paper shows how the delegation-based
semi-distributed approaches, the distributed approach [57,58] SAT verification approach outperforms the distributed approach
embeds the ACLogic engine with the medical IoT devices (see in terms of both communication and computation latency. Also,
Fig. 12(c)). Upon receiving a request, a mIoT device executes the the paper uncovered that the delegation-based SAT verification
ACLogic engine to verify the SAT attached to the request. However, approach is more appropriate for heavy resource constrained med-
the medical devices are so resource constrained that they cannot ical IoT devices, since this approach is found more energy efficient
afford the processing cost of the ACLogic execution, such as sig- than the distributed approach. In sum, the proposed model of the
nature verification and capability validation, and storage require- health prescription assistant and the suggested security system are
ments for cryptographic materials, such as keys and certificates expected to be useful to researchers and developers working in the
stored on-device memories (RAM and ROM) [86]. area of the IoT and wireless health.
The distributed approach provides better scalability over semi-
distributed and centralized approaches. However, they are not
suitable for resource-limited medical sensors due to computation Acknowledgments
intensive SAT verification operations. Moreover, it is a complex
procedure to update the authorization policies embedded with the This work was supported in part by ‘The Cross-Ministry Giga
medical devices. In contrast, managing authorization policies are KOREA Project’ grant from the Ministry of Science and ICT, Korea
simple in the semi-distributed and centralized procedures. How- GK17P0100, in part by Sejong University Faculty Research Fund
ever, they do not scale well for a large number of medical IoT de- 20170139, and in part by the National Science Foundation CAREER
vices. Furthermore, semi-distributed and centralized approaches Award CNS-1351038.
serve a request much slower than distributed approach. A request
has to reach to a Cloud Authorization service before it reaches a
References
medical device.
It is clear from the above discussion that, neither of the existing
[1] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari, M. Ayyash, Internet of
CapBAC approaches can achieve the low communication overhead, things: A survey on enabling technologies, protocols, and applications, IEEE
inexpensive computation, and load scalability requirements as a Commun. Surveys Tutor. 17 (4) (2015) 2347–2376.
whole demanded by medical IoT systems. However, our proposed [2] www.gartner.com, The Internet of Things will transform the Data Center, http:
//www.gartner.com/newsroom/id/2684616, 2014.
DCCapBAC model resolved these issues by integrating ABAC model
[3] www.idc.com, Finding success in the new IoT ecosystem: Market to reach
with the CapBAC model. Like the ABAC model, the DCCapBAC $3.04 trillion and 30 billion connected things in 2020, http://www.idc.com/
manages authorization policies for a large number of clients and getdoc.jsp?containerId=prUS25237214, 2014.
medical devices while it ensures authorized access to medical [4] S.R. Islam, M.N. Uddin, K.S. Kwak, The IoT: Exciting possibilities for bettering
devices that operate on the edge of the network to the same lives: Special application scenarios, IEEE Consumer Electron. Mag. 5 (2) (2016)
49–57.
degree as of the CapBAC model. Thus, although the roles, rules, [5] J. Holler, V. Tsiatsis, C. Mulligan, S. Avesand, S. Karnouskos, D. Boyle, From
and policies are specified using XACML and stored in a central Machine-to-Machine to the Internet of Things: Introduction to A New Age of
entity, we eliminate the interaction between the central entity Intelligence, Academic Press, 2014.
and a medical device (centralized approach) or a gateway (semi- [6] L. Tan, N. Wang, Future internet: The internet of things, in: 3rd International
Conference on Advanced Computer Theory and Engineering, ICACTE, Vol. 5,
distributed approach). Moreover, since SATs are generated dynam- IEEE, 2010 pp. V5–376.
ically from the XACML policies and issued to clients, the proposed [7] D. Guinard, V. Trifa, E. Wilde, A resource oriented architecture for the web of
model does not need to explicitly manage the capabilities of the things, in: Internet of Things (IOT), 2010, IEEE, 2010, pp. 1–8.
clients, unlike conventional CapBAC schemes. Furthermore, in the [8] A. Aijaz, A.H. Aghvami, Cognitive machine-to-machine communications for
Internet-of-Things: A protocol stack perspective, IEEE Internet Things J. 2 (2)
proposed model, we let the resource-limited medical sensors leave
(2015) 103–112.
from a set of SAT validation tasks, including the issuer’s signature [9] M. Hassanalieragh, A. Page, T. Soyata, G. Sharma, M. Aktas, G. Mateos, B.
verification, certificate validation, and SAT revocation list checking Kantarci, S. Andreescu, Health monitoring and management using Internet-
by delegating these computation intensive operations to the smart of-Things (IoT) sensing with cloud-based processing: Opportunities and chal-
lenges, in: IEEE International Conference on Services Computing, SCC, IEEE,
gateway co-located with the medical sensors and actuators in the
2015, pp. 285–292.
distributed medical IoT networks. [10] C.O. Rolim, F.L. Koch, C.B. Westphall, J. Werner, A. Fracalossi, G.S. Salvador,
A cloud computing solution for patient’s data collection in health care insti-
8. Conclusion tutions, in: Second International Conference on eHealth, Telemedicine, and
Social Medicine, IEEE, 2010, pp. 95–99.
[11] L. Catarinucci, D. De Donno, L. Mainetti, L. Palano, L. Patrono, M.L. Stefanizzi,
This paper proposes a theoretical framework for an IoT-based L. Tarricone, An iot-aware architecture for smart healthcare systems, IEEE
health prescription assistant that helps a patient to properly fol- Internet of Things J. 2 (6) (2015) 515–526.
low his/her doctors recommendations. Also, a security system is [12] S.R. Islam, D. Kwak, M.H. Kabir, M. Hossain, K.-S. Kwak, The internet of things
for health care: A comprehensive survey, IEEE Access 3 (2015) 678–708.
designed so that each user of this health assistant gets protected [13] K. Saleem, Z. Tan, W. Buchanan, Security for cyber-physical systems in health-
access to the resources and services of interest. For deeper in- care, in: Health 4.0: How Virtualization and Big Data are Revolutionizing
sight into the architectural framework of the proposed security Healthcare, Springer, 2017, pp. 233–251.
system, the paper provides an overview of the security compo- [14] C. Camara, P. Peris-Lopez, J.E. Tapiador, Security and privacy issues in im-
plantable medical devices: A comprehensive survey, J. Biomed. Inform. 55
nents, including the identity provider, the registration authority, (2015) 272–289.
and the IoT service provider. The paper demonstrates that pro- [15] T. Webb, S. Dayal, Building the wall: Addressing cybersecurity risks in medical
tected access to IoT services and resources can be achieved by devices in the USA and Australia, Comput. Law Security Rev. (2017).
adopting a context-aware capability-based access control model. [16] M. Khera, Think like a hacker: Insights on the latest attack vectors (and security
controls) for medical device applications, J. Diabetes Sci. Technol. 11 (2) (2017)
Furthermore, this paper shows how operation of said authorization
207–212.
model can be performed in a two-phase process consisting of [17] J. Sametinger, J. Rozenblit, R. Lysecky, P. Ott, Security challenges for medical
an authentication phase and a SAT-generation phase. In order to devices, Commun. ACM 58 (4) (2015) 74–82.
438 M. Hossain et al. / Future Generation Computer Systems 82 (2018) 422–439
[18] K. Fu, J. Blum, Controlling for cybersecurity risks of medical device software, [45] A.-M. Rahmani, N.K. Thanigaivelan, T.N. Gia, J. Granados, B. Negash, P. Liljeberg,
Biomed. Instrum. Technol. 48 (s1) (2014) 38–41. H. Tenhunen, Smart e-health gateway: bringing intelligence to internet-of-
[19] J. Radcliffe, Hacking medical devices for fun and insulin: Breaking the human things based ubiquitous healthcare systems, in: 12th Annual IEEE Consumer
SCADA system, in: Black Hat Conference presentation slides, 2011. Communications and Networking Conference, CCNC, IEEE, 2015, pp. 826–834.
[20] B. Farahani, F. Firouzi, V. Chang, M. Badaroglu, N. Constant, K. Mankodiya, [46] W. Shen, Y. Xu, D. Xie, T. Zhang, A. Johansson, Smart border routers for
Towards fog-driven IoT eHealth: Promises and challenges of IoT in medicine ehealthcare wireless sensor networks, in: 7th International Conference on
and healthcare, Future Gener. Comput. Syst. 78 (2017) 659–676. Wireless Communications, Networking and Mobile Computing, WiCOM, IEEE,
[21] T. Wu, F. Wu, J.-M. Redouté, M.R. Yuce, An autonomous wireless body area 2011, pp. 1–4.
network implementation towards IoT connected healthcare applications, IEEE [47] J. Qian, S. Hinrichs, K. Nahrstedt, ACLA: A framework for access control list
Access 5 (2017) 11413–11422. (ACL) analysis and optimization, in: Communications and Multimedia Security
[22] G. Neagu, Ş. Preda, A. Stanciu, V. Florian, A Cloud-IoT based sensing service Issues of the New Century, Springer, 2001, pp. 197–211.
for health monitoring, in: E-Health and Bioengineering Conference, EHB, IEEE, [48] V. Grout, J.N. Davies, A simplified method for optimising sequentially pro-
2017, pp. 53–56. cessed access control lists, in: Sixth Advanced International Conference on
[23] M. Bhatia, S.K. Sood, A comprehensive health assessment framework to fa- Telecommunications, AICT, IEEE, 2010, pp. 347–352.
cilitate IoT-assisted smart workouts: A predictive healthcare perspective, [49] X. Jin, R. Sandhu, R. Krishnan, RABAC: Role-centric attribute-based access
Comput. Ind. 92 (2017) 50–66. control, Comput. Netw. Security (2012) 84–96.
[24] R.K. Lomotey, J. Pry, S. Sriramoju, E. Kaku, R. Deters, Wearable IoT data [50] D. Servos, S.L. Osborn, Current research and open problems in attribute-based
architecture, in: IEEE World Congress on Services (SERVICES), IEEE, 2017, access control, ACM Computing Surveys (CSUR) 49 (4) (2017) 65.
pp. 44–50. [51] L. Snyder, Formal models of capability-based protection systems, IEEE Trans.
[25] F. Ali, P. Khan, D. Kwak, S.R. Islam, N. Ullah, S.-j. Yoo, K. Kwak, Type-2 Fuzzy Comput. C–30 (3) (1981) 172–181.
Ontology–aided Recommendation Systems for IoT–based Healthcare, Comput. [52] S.J. Mullender, A.S. Tanenbaum, The design of a capability-based distributed
Commun. (2017). operating system, Comput. J. 29 (4) (1986) 289–299.
[26] S. Pinto, J. Cabral, T. Gomes, We-care: An IoT-based health care system for [53] Landau, Charles, Security in a secure capability-based system, Oper. Syst. Rev.
elderly people, in: IEEE International Conference on Industrial Technology, (1989) 2–4.
ICIT, IEEE, 2017, pp. 1378–1383. [54] S. Gusmeroli, S. Piccione, D. Rotondi, A capability-based security approach to
[27] Y. Zhang, M. Chen, D. Huang, D. Wu, Y. Li, iDoctor: Personalized and profession- manage access control in the Internet of Things, Math. Comput. Modelling
alized medical recommendations based on hybrid matrix factorization, Future (2013).
Gener. Comput. Syst. 66 (2017) 30–35. [55] L. Seitz, G. Selander, C. Gehrmann, Authorization framework for the Internet-
[28] G. Muhammad, M. Alsulaiman, S.U. Amin, A. Ghoneim, M.F. Alhamid, A facial- of-Things, in: WowMoM, IEEE, 2013, pp. 1–6.
expression monitoring system for improved healthcare in smart cities, IEEE [56] P.P. Pereira, J. Eliasson, J. Delsing, An authentication and access control
Access 5 (2017) 10871–10881. framework for CoAP-based Internet of Things, in: IECON, IEEE, 2014, pp. 5293–
[29] M.S. Hossain, M.A. Rahman, G. Muhammad, Towards energy-aware cloud- 5299.
oriented cyber-physical therapy system, Future Gener. Comput. Syst. (2017). [57] J.L. Hernández-Ramos, A.J. Jara, L. Marın, A.F. Skarmeta, Distributed capability-
[30] M. Alhussein, Monitoring parkinsons disease in smart cities, IEEE Access based access control for the Internet of Things, JISIS (2013).
(2017). [58] P.N. Mahalle, B. Anggorojati, N.R. Prasad, R. Prasad, Identity authentication
[31] S.K. Sood, I. Mahajan, Wearable iot sensor based healthcare system for identi- and capability based access control (IACAC) for the Internet of Things, J. Cyber
fying and controlling chikungunya virus, Comput. Ind. 91 (2017) 33–44. Security Mob. (2013).
[32] S.F. Khan, Health care monitoring system in internet of things (iot) by using [59] S. Cirani, M. Picone, P. Gonizzi, L. Veltri, G. Ferrari, IoT-OAS: An OAuth-based
rfid, in: International Conference on Industrial Technology and Management, authorization service architecture for secure services in IoT scenarios, J. Sen-
ICITM, IEEE, 2017, pp. 198–204. sors (2015).
[33] A. Amato, A. Coronato, An iot-aware architecture for smart healthcare coaching [60] S. Gerdes, O. Bergmann, C. Bormann, Delegated CoAP authentication and
systems, in: Advanced Information Networking and Applications, AINA, 2017 authorization framework (DCAF), ETF Internet Draft, 2014.
IEEE 31st International Conference on, IEEE, 2017, pp. 1027–1034. [61] C.P.P. Schumacher, N. Kushalnagar, G. Montenegro, IPv6 over low-power wire-
[34] E. Guillén, J. Sánchez, L.R. López, IoT protocol model on healthcare monitoring, less personal area networks (6LoWPANs): Overview, assumptions, problem
in: VII Latin American Congress on Biomedical Engineering CLAIB, Springer, statement, and goals, RFC 4919 (2007).
2017, pp. 193–196. [62] H. Qin, Y. Wang, W. Zhang, ZigBee-Assisted WiFi transmission for multi-
[35] C. Doukas, I. Maglogiannis, V. Koufi, F. Malamateniou, G. Vassilacopoulos, interface mobile devices, in: MobiQuitous, Vol. 104, Springer, 2011, pp. 248–
Enabling data protection through PKI encryption in IoT m-Health devices, 259.
in: 12th International Conference on Bioinformatics & Bioengineering, BIBE, [63] K.-H. Chang, Bluetooth: A viable solution for IoT?[Industry Perspectives], IEEE
IEEE, 2012, pp. 25–29. Wireless Commun. 21 (6) (2014) 6–7.
[36] T. Kumar, A. Braeken, M. Liyanage, M. Ylianttila, Identity privacy preserving [64] E.R. Tufte, G.M. Schmieg, The visual display of quantitative information, Amer.
biometric based authentication scheme for naked healthcare environment, J. Phys. 53 (11) (1985) 1117–1118.
in: Communications, ICC, 2017 IEEE International Conference on, IEEE, 2017, [65] S.O. Torres, H. Eicher-Miller, C. Boushey, D. Ebert, R. Maciejewski, Applied
pp. 1–7. visual analytics for exploring the national health and nutrition examination
[37] C.T.G. Manogaran, M. Priyan, Centralized fog computing security platform for survey, in: 45th Hawaii International Conference on ystem Science, HICSS,
iot and cloud in healthcare system, Exploring the Convergence of Big Data and IEEE, 2012, pp. 1855–1863.
the Internet of Things (2017) 141. [66] C.G. Healey, Choosing effective colours for data visualization, in: Seventh Int.
[38] R. Tso, A. Alelaiwi, S.M.M. Rahman, M.-E. Wu, M.S. Hossain, Privacy-preserving Conference on Visualization, IEEE, 1996, pp. 263–270.
data communication through secure multi-party computation in healthcare [67] Intel, Intel IoT Gateway, https://www.intel.com/content/www/us/en/embedd
sensor cloud, J. Signal Process. Syst. 89 (1) (2017) 51–59. ed/solutions/iot-gateway/overview.html, accessed on May 4, 2017, 2017..
[39] M. Khan, M.T. Jilani, M.K. Khan, M.B. Ahmed, A security framework for wireless [68] Weptech, Weptech 6lowpan gateway, https://www.weptech.de/en/6lowpan/
body area network based smart healthcare system, in: International Confer- gateway-saker.html, accessed on June 6, 2017, 2017.
ence for Young Researchers in Informatics, Mathematics and Engineering, [69] G. Zhang, J. Tian, An extended role based access control model for the inter-
CEUR–WS Press, 2017, pp. 80–85. net of things, in: Proceeding of the International Conference on Information
[40] F. Rahman, M.Z.A. Bhuiyan, S.I. Ahamed, A privacy preserving framework for Networking and Automation, ICINA, Vol. 1, IEEE, 2010 pp. V1–319.
RFID based healthcare systems, Future Gener. Comput. Syst. 72 (2017) 339– [70] OASIS, XACML v3.0 Administration and Delegation Profile Version 1.0, http:
352. //www.oasis-open.org, 2009.
[41] A. Yavari, A.S. Panah, D. Georgakopoulos, P.P. Jayaraman, R. van Schyndel, [71] T. Bray, The javascript object notation (JSON) data interchange format, RFC
Scalable role-based data disclosure control for the internet of things, in: 37th 7159, http://tools.ietf.org/html/rfc7159.html, 2014.
International Conference on Distributed Computing Systems, ICDCS, IEEE, [72] P. Levis, S. Madden, J. Polastre, R. Szewczyk, K. Whitehouse, A. Woo, D. Gay,
2017, pp. 2226–2233. J. Hill, M. Welsh, E. Brewer, et al., Tinyos: An operating system for sensor
[42] S. Sicari, A. Rizzardi, L. Grieco, G. Piro, A. Coen-Porisini, A policy enforcement networks, in: Ambient Intelligence, Springer, 2005, pp. 115–148.
framework for internet of things applications in the smart health, Smart Health [73] A. Dunkels, B. Grönvall, T. Voigt, Contiki-a lightweight and flexible operating
(2017). system for tiny networked sensors, in: Proceeding of the International Confer-
[43] D. Recordon, D. Reed, OpenID 2.0: A platform for user-centric identity man- ence on Local Computer Networks, IEEE, 2004, pp. 455–462.
agement, in: Proceedings of the second ACM workshop on Digital identity [74] Re-Mote, Z1 6LoWPAN IoT Device, 2017, http://zolertia.io/z1.
management, ACM, 2006, pp. 11–16. [75] R. Pi, A Tiny and low cost smart device, https://www.raspberrypi.org/, https:
[44] A. Glória, F. Cercas, N. Souto, Design and implementation of an iot gateway to //www.raspberrypi.org/products/raspberry-pi-3-model-b/, accessed on May
create smart environments, Procedia Comput. Sci. 109 (2017) 568–575. 18, 2017, 2016.
M. Hossain et al. / Future Generation Computer Systems 82 (2018) 422–439 439
[76] A.F. Molisch, K. Balakrishnan, C.-C. Chong, S. Emami, A. Fort, J. Karedal, J. Farman Ali received the B.S. degree in Computer Engi-
Kunisch, H. Schantz, U. Schuster, K. Siwiak, IEEE 802.15.4a channel model-final neering from the University of Peshawar, Pakistan in 2011
report, IEEE P802 15 (04) (2004) 0662. and the M.S. degree in Computer Science from Gyeongsang
[77] Contiki, Contiki OS: An open source operating system for the Internet of Things, National University, South Korea in 2014. From 2015, he is
http://www.contiki-os.org/, 2016. studying at the Department of Information and Communi-
[78] Z. Shelby, K. Hartke, C. Bormann, The constrained application protocol (CoAP), cation Engineering at Inha University, South Korea doing
RFC, IETF (2014). the Ph.D. degree. His current research interests include
[79] Relic, An Efficient Library for Cryptography, https://github.com/relic-toolkit, Opinion Mining, Ontology, Fuzzy logic, Artificial Intelli-
2017. gence, and Machine Learning.
[80] Powertrace A power measuring library for contiki iot devices, https://github.
com/sonhan/contiki, https://github.com/KineticBattery/Powertrace, accessed
on June 20, 2017 2017.
[81] Californium, A Java-based CoAP Server, https://eclipse.org/californium/, 2017.
[82] G. Montenegro, N. Kushalnagar, J. Hui, D. Culler, Transmission of IPv6 packets
over IEEE 802.15. 4 networks, IETF, RFC 4944, 2007.
Kyung-Sup Kwak received the Ph.D. degree from the Uni-
[83] G. Lee, H. Seo, T. Park, H. Kim, Optimized implementation of chaskey MAC on
versity of California at San Diego in 1988. From 1988 to
16-bit MSP430, in: Ninth International Conference on Ubiquitous and Future
1989, he was with Hughes Network Systems, San Diego,
Networks, ICUFN, IEEE, 2017, pp. 904–909.
CA, USA. From 1989 to 1990, he was with the IBM Net-
[84] Contiki, Contiki clock library, http://www.eistec.se/docs/contiki/a02184.html,
work Analysis Center, Research Triangle Park, NC, USA.
accessed on May 8, 2017, 2017.
Since then, he has been with the School of Information
[85] Contiki, Contiki apis for measuring energy consumption, http://contiki.source
and Communication Engineering, Inha University, South
forge.net/docs/2.6/a00452_source.html, 2017..
Korea, as a Professor, where he had been the Dean of the
[86] M.M. Hossain, M. Fotouhi, R. Hasan, Towards an analysis of security issues,
Graduate School of Information Technology and Telecom-
challenges, and open problems in the internet of things, in: IEEE World
munications from 2001 to 2002. He has been the Director
Congress on Services, 2015, pp. 21–28.
of the UWB Wireless Communications Research Center
(formerly Key National IT Research Center), South Korea, since 2003. In 2006, he
served as the President of Korean Institute of Communication Sciences, and in 2009,
the President of Korea Institute of Intelligent Transport Systems. In 2008, he had
Mahmud Hossain received the B.S. degree in Computer
been selected for Inha Fellow Professor and now for Inha Hanlim Fellow Professor.
Science and Engineering from Bangladesh University of
Dr. Kwak published more than 200 peer-reviewed journal papers and served as
Science and Technology, Bangladesh in 2009. He is cur-
TPC/Track chairs/organizing chairs for several IEEE related conferences. His research
rently pursuing his Ph.D. degree at the Secure and Trust-
interests include wireless communications, UWB systems, sensor networks, WBAN,
worthy Computing Lab, University of Alabama at Birming-
and nano communications. He was a recipient of the number of awards, including
ham, USA. Before that, he served Samsung R&D Institute
the Engineering College Achievement Award from Inha University, the LG Paper
Bangladesh (SRBD) as a Lead Engineer at the Dept. of
Award, the Motorola Paper Award, the Haedong Prize of research, and various
Solution Lab for the period June 2010 to August 2014. His
government awards from the Ministry of ICT, the President, and the Prime Minister
research interests include security and privacy of Internet
of Korea, for his excellent research performances.
of Things, embedded systems, and mobile and cloud com-
puting.
S.M. Riazul Islam received the B.S. and M.S. degrees Ragib Hasan, is an Associate Professor at the Department
in Applied Physics and Electronics from University of of Computer and Information Sciences at the University of
Dhaka, Bangladesh in 2003, and 2005, respectively and Alabama at Birmingham. Prior to joining UAB, He received
the Ph.D. degree in Information and Communication En- his Ph.D. and M.S. in Computer Science from the Uni-
gineering from Inha University, South Korea in 2012. He versity of Illinois at Urbana Champaign in October, 2009,
has been working at Sejong University, south Korea as and December, 2005, respectively, and was an NSF/CRA
an Assistant Professor at the Department of Computer Computing Innovation Fellow post-doc at the Department
Science and Engineering since March 2017. From 2014 of Computer Science, Johns Hopkins University. Hasan has
to 2017, he worked at Inha University, South Korea as a received multiple awards in his career, including the 2014
Research Professor at the UWB Wireless Communications NSF CAREER Award, 2013 Google RISE Award, and 2009
Research Center. Dr. Islam was with the University of NSF Computing Innovation Fellowship.
Dhaka, Bangladesh as an Assistant Professor and Lecturer at the Dept. of Electrical
and Electronic Engineering (formerly Dept. of Applied Physics, Electronics & Com-
munication Engineering) for the period September 2005 to March 2014. In 2014,
he worked at the Samsung R&D Institute Bangladesh (SRBD) as a Chief Engineer
at the Dept. of Solution Lab for six months. His research interests include wireless
communications, signal processing for communications, and enabling technologies
for 5G and beyond.