Enabling Pervasive Healthcare with Privacy Preservation in Smart Community Xiaohui Liang† , Xu Li∗ , Rongxing Lu† , Xiaodong Lin‡ , and Xuemin (Sherman) Shen† †

Department of Electrical and Computer Engineering, University of Waterloo, Canada ∗ INRIA Lille - Nord Europe, France ‡ Faculty of Business and Information Technology, University of Ontario Institute of Technology, Canada Email: {x27liang, rxlu, xshen}@bbcr.uwaterloo.ca; [email protected]; [email protected] Abstract—Smart community is an emerging Internet of Things application. It supports a variety of high-value automated services such as pervasive healthcare through a multi-hop community network of smart homes in a local residential region. In this paper, we study privacy preserving data communication between patients and an online healthcare provider (referred to as vendor) for efficient remote healthcare monitoring (RHM) in a smart community environment. We adopt patients’ attribute structures instead of their identities for authentication and preserve identity privacy during patient-to-vendor communication, and we build a receiver chain among smart homes to enable vendor-to-patient communication and achieve location privacy. The privacy preserving properties of the proposed data communication scheme are analyzed, and its effectiveness and efficiency are demonstrated through extensive simulations. Keywords—Remote healthcare monitoring, smart community, privacy preservation.

I. I NTRODUCTION Remote healthcare monitoring (RHM) is a promising application in the future sensor-rich ubiquitous computing environment. It enables healthcare providers to continuously monitor patients’ body parameters through medical sensing and wireless communication technologies and to provide timely and precise medical care when abnormal health signals are detected. RHM is especially useful for patients with chronic diseases, e.g., cardiovascular disease, arthritis, diabetes, diminished hearing and eyesight, Parkinsons, etc., who need be under close surveillance around the clock. To realize RHM and enable its wide adoption and deployment, an efficient, secure and privacy-preserving data communication channel must be maintained between patients and healthcare providers. While efficiency and security have long been two major concerns in literature, privacy [1], [2] is an emerging issue that received considerable attention recently. Among common privacy requirements [3]–[5], identity and location privacy, i.e., preventing unauthorized parties from learning one’s identity and current or past locations, are of paramount importance. In the context of RHM, simply stoping sharing identity and location information discourages cooperation during data communication and hinders efficient use of network resources. Location information is also necessary for enabling healthcare providers to properly respond to emergency situations. Existing privacy preserving solutions consider 3G cellular networks as the communication platform,

where patients stay connected to remote healthcare providers through handheld devices and cellular base stations. In such a scenario, a trusted third party is generally assumed to receive personal health data directly from patients, and the privacy issues can be readily resolved by using traditional encryption and signature schemes. Relying on 3G cellular networks for continuous data communication is however associated with high monetary cost and may not be affordable for all RHM users. In the sequel, we will refer to healthcare providers as vendors for simplicity. Smart community [6]–[8] is an emerging application of Internet of Things. It is composed of networked smart homes in a local residential region and formed upon the agreement of participating home owners, with respect to local geographic, terrain and zoning features. Inside each of these smart homes, communication devices such as personal computers, smart phones, and tablets are connected to a wireless router, called home gateway, which provides cheap and fast Internet access through wire lines. Home gateways represent their hosting smart homes and together constitute a wireless multi-hop network through WiFi technologies. This community network is a free ubiquitous computing platform covering the residential region and extends residents Internet access ability in space. It supports a variety of high-value automated services including pervasive healthcare, which is our focus in this paper. In this paper, we study how to enable patients to communicate privately with online vendors through the message relay of smart homes, rather than 3G cellular networks, for reducing RHM cost. Our contributions are threefold. First, we introduce a threshold attribute structure and develop a privacy preserving authentication method based on it. Using this method, patients are able to preserve their identity privacy and communicate to their online vendors by exploiting their social relations with smart homes. Second, we create a receiver chain among smart homes to forward data from the online vendors to mobile patients while preserving location privacy. Third, we build our simulation based on real geographic maps and evaluate our approach under different parameters. The remainder of this paper is organized as follows. Section II introduces the network model and the design goals. We present our data communication scheme in Section III and analyze its privacy preserving properties in Section IV. The simulation based performance evaluation is presented in Sec-

tion V, followed by the closing remarks given in Section VI. II. N ETWORK M ODEL AND D ESIGN G OAL We consider a homogeneous smart community consisting of m smart homes denoted by {s1 , s2 , · · · , sm }. Smart homes (precisely, home gateways) have equal wireless communication range, denoted by trs . They are connected to the Internet through wired backbone links, and know the global topology of the wireless multi-hop community network. There are n mobile patients {u1 , u2 , · · · , un } in the smart community including all the people living in, or visiting the smart community. Each patient ui is wearing multiple body sensors. These sensors sense ui ’s health statues and transmit the sensory data to its handheld device pi through Bluetooth technology. The handheld device has WiFi interface and can communicate with the smart homes within its communication range tru (tru ≤ trs ). A trusted authority (TA) initializes a universal attribute set Au = {a1 , a2 , · · · , al } and associates each patient ui with an attribute set Ai ⊆ Au that represents the patient’s social interests. Each smart home sj inherits the attribute sets of the patients living in it. The shared interests between two entities can be used to measure their social similarity. s5

Internet Connection

s2

s3

III. P RIVACY P RESERVING H EALTHCARE s4

Wireless Connection

s6

2 1 3

s1

Fig. 1.

patient has three potential uploading paths (highlighted and numbered). In this paper, we develop a privacy preserving data communication scheme for RHM in a smart community environment described above. Specifically, the following two privacy preserving objectives will be achieved. • Identity privacy preservation: If a patient directly reveals its identity to smart homes when using them to communicate to the vendor, the authenticity of its health data can be easily confirmed by smart homes, and the patient may obtain the best uploading services from social-related smart homes. However, disclosing identity information incurs serious privacy violation and enables malicious adversaries to track patient’s behavior easily, and therefore should be avoided. • Location privacy preservation: The vendor may need to communicate to patients for various purposes such as confirming data reception and sending healthcare instructions. If the vendor knows a patient’s current location, the communication can be performed efficiently through geographic routing for example. Nevertheless, location information is privacy sensitive and tightly related to personal living style. It must have unlinkability. That is, patients’ future locations can not be inferred from their current and past location information.

Patient-to-vendor communication

Smart homes service patients by bridging them with online vendors. The communication between the patients and their vendors are encrypted, and thus the contained health data cannot be read by smart homes. Different patients may have different vendors. Because of limited Internet bandwidth, each smart home is able to provide service only to a limited number of patients. When the number of patients requesting for uploading service is beyond its capability, it services only the most social-related patients and direct the remaining patients to other smart homes. Social relation is measured by similarity, which is in turn determined by common interests. A patient may be more than one hop away in the community network from the smart home agreeing to service it, and message relay has to be involved for data uploading. An uploading path with large hop count causes long delay. We set a maximum hop count hmax for all patients. It indicates that a patient selects a smart home if and only if the smart home is within hmax hops in the community network. When there are multiple paths for data uploading, the similarity and the hop distance will be considered for choosing the most reliable one. In Fig. 1, the

In this section, we propose a privacy preserving data communication scheme for RHM application. The scheme is designed for two-phase communication. In patient-to-vendor communication phase, a patient finds a smart home, called proxy, which is able and willing to provide help in connecting to its vendor. The patient only reveals partial attribute information to smart homes and thus identity privacy is preserved. In vendor-to-patient communication phase, a patient’s proxy acts as the proxy of the patient’s vendor and forwards data to the patient. To achieve location privacy, a receiver chain is constructed among smart homes as the patient moves so that the proxy can direct data to the patient. Note that vendor-topatient communication takes place only after patient-to-vendor communication has started. This is because the vendor need to know which smart home will be its communication proxy. Below, we elaborate the two communication phases separately. A. Patient-to-Vendor Communication We propose a privacy-preserving attribute authentication method which supports a single threshold attribute structure (maximum threshold gate value d). An example 3-of-8 structure is shown in Fig. 2. By using this structure, a patient is able to prove that he/she has at least three of the eight attributes (a1 , · · · , a8 ). To achieve this goal, a well-known bilinear pairing technique [9] is adopted. Bilinear pairing notations: Let G and GT be two finite cyclic groups of the same large order n, where n = pq is a product of two large primes p and q. Suppose G and GT are equipped with a pairing, i.e., a non-degenerated and efficiently

3

a1 Fig. 2.

a2

... ...

a3

a8

Threshold-based attribute structure

computable bilinear map e : G × G → GT such that i) ∀g, h ∈ G, ∀a, b ∈ Zn , e(g a , hb ) = e(g, h)ab ; and ii) ∃g ∈ G, e(g, g) has order n in GT . I NITIALIZATION : TA chooses a redundant attribute set Ar = {al+1 , · · · , al+d−1 }, two generators (g, u) of G, a generator h of Gq (Gq is a subgroup of G with order q), a secure cryptographic hash function H : {0, 1}∗ → Z∗n , and random number δ ∈ Z∗n . For all 1 ≤ y ≤ l + d − 1, TA chooses random numbers ty ∈ Z∗n and computes Ty = g ty . TA also computes Δ = e(g, u)δ . With these settings, TA keeps the master key (δ, (ty )1≤y≤l+d−1 ) secretly, and publishes the public parameter pub = (n, g, u, h, G, GT , e, H, Δ, Ty (1 ≤ y ≤ l + d − 1), Au ∪ Ar ). PATIENT R EGISTRATION : TA chooses a unique random number t ∈ Z∗n and a random polynomial q(x) = κd−1 xd−1 + κd−2 xd−2 + · · · + κ1 x + δ, and generates Ei = q(y)

kd , (dy )ay ∈Ai ∪Ar , where kd = t and dy = u t+ty . Then, the secret key Ei is deployed into ui ’s handheld device. Let ui and sj denote the signer and verifier, respectively. Let ui ’s attribute structure be Ti , the threshold value of Ti be k, and a spot set corresponding to Ti ’s leaf nodes be Θi . Let Φi ⊆ Ai ∩ Θi be a spot set with size k. S IGNING BY PATIENT ui : ui first chooses a subset Ar ⊆ Ar (|Ar | = d − k). Let Ar be {al+1 , · · · , al+d−k }. Then, for each attribute ay ∈ Ψ= Φi ∪ Ar , ui computes the 0−w Lagrange coefficient ωy = w|aw ∈Ψ,w=y y−w . ui randomly ∗  selects rt , rp , ry ∈ Zn for ay ∈ Θi ∪ Ar and computes Sy for ay ∈ Θi ∪ Ar as follows  ry y dω y · h , if ay ∈ Ψ Sy = (1) hry , if ay ∈ Θi \ Φi ui outputs the signature σi = Ti , St , Sp , (Sy )ay ∈Θi ∪Ar , π1 , π2 , 1

where St = g kd · hrt , Sp = g kd +H(pidi ) · hrp and   y rt π1 = Sprt (g H(pidi ) g kd )rp , π2 = (dω y ) ay ∈Ψ

(St Ty )ry

ay ∈Θi ∪Ar

V ERIFICATION BY SMART HOME sj : sj receives σi and checks ⎧ ? H(pidi ) ⎪ , Sp ) = e(g, g) · e(h, π1 ) ⎨ e(St g  ? e(Sy , St Ty ) = Δ · e(h, π2 ), ⎪ ⎩ ay ∈Θi ∪Ar

If the equations hold, sj confirms that ui claims pseudonym pidi is associated with an attribute set that satisfies Ti . Then, ui further provides the authenticity proof of having pidi . The

authenticity proof can be a short signature using the secret key corresponding to pidi [4]. ui broadcasts the signature and the proof to all hmax -hop smart homes as a connection request and expects an ACK message from its vendor. After receiving and verifying the connection request, a smart home sj calculates a similarity score ssi,j reflecting the strength of its social relation with ui . Since ui reveals its attribute information as Ti to sj , the similarity score ssi,j can be calculated using Ti and Aj . Let Θi be the attribute set of Ti . Denote ψi,j = Aj ∩ Θi , |Θi | = α, and |ψi,j | = β. We assume that ui uses a k-size subset A¯i of Ai to generate Ti . We define ssi,j as the expected value of the number of attributes that appear in both ψi,j and A¯i as follows:

β  α−β  k k · kβ x · Pr[x] = x · x αk−x = ssi,j = . α k x=1 x=1 From the above equation, it can be seen that ssi,j increases as k or β increases and α decreases. An attribute structure with a large k and a small α reveals more individual attributes of ui . The more attribute information ui uses in constructing the attribute structure, the more acknowledged it is by sj when computing similarity score. If the size of overlapping attribute set ψi,j (i.e., β) increases, ui and sj become more social-related. Based on the similarity scores, smart home sj assigns different priorities to patients. Given limited Internet bandwidth, it only responds to a limited number of patients who are at the top of the priority list. Meanwhile, it also sets a minimum similarity requirement to leave more bandwidth to those patients that are strongly social-related. If sj decides to service ui , it will sign ui ’s connection request and upload it to the vendor of ui , which will then verify the request and reply with a signed ACK message confirming the connection. The ACK message contains the information of sj . sj forwards the ACK to ui , proving that it is able and willing to help ui to connect to the vendor. It will keep silent to ui if no ACK is received. The process of forwarding the ACK from sj to ui is the same as vendor-topatient communication to be detailed in the next subsection. ui considers that the patient-to-vendor communication channel is successfully established when it receives such an ACK. Multiple channels may be established through different proxies by a single connection request; ui will choose to use the most appropriate one according to some local policy and notify the other proxies so that they can service other patients. B. Vendor-to-Patient Communication Vendor-to-patient communication is necessary for vendor to acknowledge the reception of data from patients and to send control messages or healthcare related instructions to patients. The smart home selected by a patient as patient-tovendor communication proxy also serves as vendor-to-patient communication proxy. It receives data from the vendor and forwards it to the patient through a multi-hop path in the community network. A simple solution of vendor-to-patient communication is to require the patient to continuously expose

Szt+1 (ui,szt+2) Szt

Wireless connection

(ui,szt+1)

(ui,szt+2) Szt+2

ui M ov e

ve Mo

ui

ui

Fig. 3.

Vendor-to-patient communication

physical locations so that the proxy can easily route messages to the patient through a geographic routing protocol. However, direct exposure of patients’ locations is unacceptable from location privacy viewpoint. We propose a solution to realize the privacy-preserving vendor-to-patient communication. Suppose that patient ui has chosen smart home sj as patient-to-vendor communication proxy. Patient ui appoints a smart home sz in direct contact as receiver and notifies sz that sj will receive data from vendor on its behalf. For vendor-to-patient communication, sj first sends messages to sz who then forwards them to ui via onehop wireless communication. ui may move to another location, breaking the one-hop connection between ui and sz . In this case, ui will designate a currently neighboring smart home sz as a new receiver, which then introduces itself to the old receiver sz so that any vendor message routed to sz can be redirected to sz and then to ui . (sz and sz are wirelessly interconnected due to large trs .) By this means, a receiver chain is constructed as ui moves, as shown in Fig. 3; it ensures vendor-to-patient message delivery. S41

S82

S53 S56

S2

4

Fig. 4.

S1

S77

5

S38

a) Identity privacy preservation: In vendor-to-patient communication, patient identity information is not used. In patient-to-vendor communication, since patients authenticate attribute structures to smart homes, their identities are not disclosed. Each attribute structure is in a form of threshold based structure; it anonymizes patient attributes. By authenticating an attribute structure of a patient, a smart home cannot identify the exact attributes that the patient has. When a patient uses different attribute structures during different communication sessions, a smart home cannot link these sessions. Therefore, the proposed scheme can achieve patient identity privacy. Note that, a patient is able to define an appropriate threshold gate value and the size of attribute set in the attribute structure to maintain its anonymity at a desired level. b) Location privacy preservation: In patient-to-vendor communication, patient location information is not used. In vendor-to-patient communication, a receiver chain is constructed by a patient as the patient moves. The chain is used to forward the data from vendors. It can be seen that each receiver si only knows the three consecutive circular areas that the patient has been recently located in, i.e., the communication area of the receiver prior to si , si and the receiver posterior to si . Since each receiver knows fuzzy and limited location information of the patient, the trajectory of the patient is kept secretly. Hence, patient location privacy is preserved in our proposed data communication scheme. V. P ERFORMANCE E VALUATION In this section, we evaluate the performance of our proposed data communication scheme using a custom Java-based simulator. The performance metric used is service rate, i.e., the ratio of the patients served to the patients walking in the community streets.

Deleted from receiver chain

Receiver chain

When ui tries to find a new receiver from its neighboring smart homes, there may be some smart homes that have been previously chosen as receivers. Denote these smart homes by s1x1 , s2x2 , · · · , sγxγ in selection order. It is desired that ui chooses among them the most previously selected one, i.e., s1x1 , as receiver. The logic is: if s1x1 is chosen, all the receivers after s1x1 can be deleted and the length of receiver chain is maximally shortened, as shown in Fig. 4. This selection approach eliminates unnecessary forwarding and increase data communication efficiency. IV. P RIVACY A NALYSIS In this section, we discuss the privacy preserving properties of our proposed data communication scheme. In particular, following the privacy requirements discussed earlier, our analysis will focus on how the scheme can achieve patient identity privacy and location privacy. Note that collusion attacks launched by multiple smart homes are out of the scope of this paper.

Fig. 5.

Geographical view of smart community

A. Simulation settings We adopt a real community map shown in Fig. 5, where total 84 smart homes are distributed in a 650m × 300m rectangular area. Each smart home has a communication range of 100m. There are un = 5 · · · 50 patients walking on the circular route at average speed 1.5m/s. Each patient has a handheld device with communication range 50m. The TA initializes 25 abstract attributes and associates each patient or smart home with 8 randomly selected attributes. The attribute structure that a patient uses is in the form of “t of 8” for t = {1, 2, · · · , 7}. For simplicity, we assume that each smart home can service

0.8 th = 4 th = 7

0.7

0.85

1

un = 20 un = 30 un = 40

0.6

0.9

0.8

0.6 0.5 0.4 0.3 0.2

0.5

Service rate

0.7

Service rate

Service rate

0.8

0.4

0.3

0.75

0.7

0.1 0 7

0.2 6

0.1

0.65

0.2

5 0.3 4

0.4 0.6 0.7

2

0

0.8 1

Threshold gate

0.1

0.5

3

0.9

Service threshold

(a) Service rate vs. Threshold th and Gate k

5

10

15

20

25

30

35

40

45

50

Patient number

(b) Service rate vs. Patient number Fig. 6.

0.6

1

2

3

Hop distance

(c) Service rate vs. Hop distance

Simulation results

one patient at a time. It calculates patients similarity and only serves the requested patient with the highest similarity score. Each smart home also sets a threshold th = 0.125 × x (x ∈ [1, 7]) so that it never responds to those patients with similarity under the threshold.

services. Fig. 6(c) further shows that the improvement of service rate by adopting different strategies is most significant when 40 patients are walking in the community, which indicates that the ≤ 3-hop strategy is suitable for the case of large number of patients.

B. Simulation results In Fig. 6(a), we initialize 25 patients, and plot the service rate based on the threshold gate value k of the attribute structure and the service threshold value th set by smart homes. From the figure, we can see that when threshold gate k increases or service threshold th decreases continuously, the service rate is able to reach a maximum bound 0.95. Recalling that the similarity score is defined as tk n . If a patient chooses “3 of 8” as the attribute structure, the score is 0.375 × t where t is the number of overlapped attributes between Aj and Θi . In this case, if a smart home sj sets x = 3 so that th = 0.375, it will service the patient where t = |Aj ∩ Θi | ≥ 1 because tk n ≥ 0.375. As a tradeoff, if a patient chooses “1 of 8” as the attribute structure which better preserves the anonymity of attributes, the number of the smart homes that are willing to serve the patient decreases because the number of overlapped attributes t must be no less than 3. Fig. 6(b) shows that the average service rate varies with the number of users for th = 0.5 and th = 0.875, respectively. It can be seen that the increase of user number leads to a decrease of service rate. This is because when more users exist in the networks, the competition for obtaining the services from smart homes becomes more intense and thus more patients cannot find an available smart home for uploading their health data. Additionally, as shown in Fig. 6(c), we show the performance of the scheme when adopting the cooperative communication among smart homes for enabling a patient to request the service from a multihop away smart home. In the simulations, we consider three strategies in which patients request the services from 1-hop smart homes, ≤ 2-hop smart homes, or ≤ 3-hop smart homes, respectively. The service rate increases as more smart homes become potential service providers for a single patient. This is because a patient could have more choices in selecting the most reliable smart home, i.e., the one with the largest similarity score, to obtain reliable

VI. C ONCLUSION In this paper, we have proposed a privacy preserving communication scheme for remote healthcare monitoring in smart community. Through cooperative and networked smart homes, the scheme enables bidirectional data communication between patients and an online healthcare efficiently without using costly 3G cellular networks. It preserves both identity privacy and location privacy for patients. Through extensive simulation, we have demonstrated the effectiveness and efficiency of the proposed scheme. In the future, we will strengthen the scheme so as to resist collusion attacks from smart homes. R EFERENCES [1] X. Lin, R. Lu, X. Shen, Y. Nemoto, and N. Kato, “Sage: A strong privacypreserving scheme against global eavesdropping for ehealth systems,” in IEEE JSAC, vol. 27, no. 4, 2009, pp. 365–378. [2] R. Lu, X. Lin, X. Liang, and X. Shen, “Secure handshake with symptomsmatching: The essential to the success of mhealthcare social network,” in BodyNets, 2010. [3] X. Liang, L. Chen, R. Lu, X. Lin, and X. Shen, “Pec: A privacypreserving emergency call scheme for mobile healthcare social networks,” IEEE/KICS Journal Communications and Networks (JCN), vol. 13, no. 2, pp. 102–112, 2011. [4] J. Freudiger, M. Manshaei, J.-P. Hubaux, and D. Parkes, “On noncooperative location privacy: a game-theoretic analysis,” in ACM CCS, 2009, pp. 324–337. [5] R. Lu, X. Lin, H. Luan, X. Liang, and X. Shen, “Pseudonym changing at social spots: An effective strategy for location privacy in vanets,” IEEE Transactions on Vehicular Technology, vol. 61, no. 1, pp. 86–96, 2012. [6] C.-L. Wu, C.-F. Liao, and L.-C. Fu, “Service-oriented smart-home architecture based on osgi and mobile-agent technology,” IEEE Transactions on Systems, Man, and Cybernetics, Part C, vol. 37, no. 2, pp. 193–205, 2007. [7] X. Li, R. Lu, X. Liang, J. Chen, X. Lin, and X. Shen, “Smart community: an internet of things application,” IEEE Communications Magazine, vol. 49, no. 11, pp. 68–75, 2011. [8] P. Rashidi, D. J. Cook, L. B. Holder, and M. Schmitter-Edgecombe, “Discovering activities to recognize and track in a smart environment,” IEEE Transactions on Knowledge Data Engineering, vol. 23, no. 4, pp. 527–539, 2011. [9] X. Boyen and B. Waters, “Full-domain subgroup hiding and constant-size group signatures,” in Public Key Cryptography, 2007, pp. 1–15.