1. Introduction

2. Background & Literature Study

3. Materials and Research Methods

3.2. Security Constraints and Requirements

Incorporating security measures into resource-constrained devices poses significant challenges since the security mechnisms are influenced by computational limitations, memory constraints, and network restrictions. The authors of [38] also suggests that the IoT grapples with processing, storage, and network contraints. While solutions like the cloud could potentially address these constraints, however, they introduces additional security and privacy concerns since majority of the storage or computation are done with third party service providers. While balancing the above constraints it is critical to maintain a balance between the minimum necessary security requirements, performance and device contriants. It is crutial to maintain the following key aspects in the process of developing secure IoMT infrastructure.

Data Confidentiality: Ensure all patient data is protected to prevent privacy violations or exposure to unauthorised third parties.

Integrity: Ensure that patient medical data is tampered proof during the communication from the IoMT device to the server.

Authentication, Authorisation and Access Control: Ensure only authorised devices and users can join the network or begin communication to and from the server while participation is authorised and access of information is controlled.

Freshness: Ensure that real-time communication is achieved.

Non-Repudiation: Ensure data signing to validate where the data is originating from to ensure non-repudiation in the process of an identity attack.

Isolated Network: The system should be allowed to withstand network failure and be able to conduct self-healing in the process of data recovery when the network fails.

Figure 1. System Requirement.

Figure 1. System Requirement.

4. Proposed System & Architecture

4.2. RTPM Controller at the Client

The IoMT device is activated with unique ID that is supplied during the registration process of the user and along with the NHS number, the device is uniquely identified by the server. The monitoring events are grouped into four strands namely: device protection, alerting or alarming, space quality and health condition aspects. Due to the lack of compatible sensors to integrate with the designed system some health sensing systems like heart rate, ECG and Oxygen level could not be integrated. The system continually monitor the user and its environment as shwn in Figure 3 and the system records every events and evidences inlcuding errors to monitor the issues and identify the reasons of the failures of the system. The controller monitors the events and activities of all the four activity strands and alert the concern and relevant stackholders including the people around the room if they come too close or move the device or even try to steal. In such event, an evidence is collected in the form of movement detection and snapshots of the environment is captured with the camera and the evidece are securely transmissted to the server for investigation and service quality monitoring (knows who touch the device, when and how often etc.).

Figure 3. RTPM Controller Architecture at the client.

Figure 3. RTPM Controller Architecture at the client.

5. Results and Discussion

a)

Data confidentiality: It is crucial to maintain data confidentiality since it deals with health and or wellbeing-related data. The proposed system interacts and engages between the client node and the IoMT server using an AES session key which is generated and provided by the server to the IoMT client. The session key is securely delivered using RSA public key cryptography and the key is signed to guarantee the source of the generation and maintain the integrity of the information. The client and the server are both capable of generating keys. To maintain freshness and preserve security, the session keys are generated for every new connection and each session. Table 2 provides the security method’s overhead in terms of time of execution, and these results are tested using IoMT client (Raspberry Pi 4) with a configuration, Broadcom BCM2711 SoC with a 1.8 GHz, 64-bit quad-core ARM Cortex-A72 processor with 4GB RAM and the IoMT server executing with 64-bit, Intel Core i7, CPU @2.6GHz with 32GB RAM. The system is tested with various key sizes (standard and above) to select the best key sizes for performing real-time communication. The results of Table 2 are average values of executing over 10 rounds for each key size. The key generation and the key file generation take exponential time as the key size increases. The AES key generation time encryption time or decryption time takes only a few milliseconds irrespective of the key sizes ( 128-bit, 192-bit, or 256-bit) while the RSA takes a little less than a second only for those key sizes below 2048-bit key size for key generation, but takes some seconds to minutes for key sizes RSA 4096 and above respectively. However, the RSA method of encryption takes from around 0.01s to 0.07s when the key size increases from RSA 1024 bit to RSA 8192 bit. On average the decryption time takes more than the encryption time. To meet the real-time requirement of interaction between the client and the server, the best option is the use of the AES encryption method while the secure session key transfer is done by RSA. To meet real-time requirements, this paper uses RSA 2048, AES 256, and SHA 256.

b)

Data Integrity: Every data generated by the IoMT client is signed and the integrity of the data is preserved using SHA-256 along with the private of the sender to avoid any form of non-repudiation attack. Creating a digital signature of the IoMT data takes 0.0011s to 1.03s when the RSA 1024-bit key and RSA 8192-bit key respectively are used. As expected as the key size increases the digital verification takes longer, but it is more of a linear and not exponential. Since the paper uses an RSA 2048-bit key, it takes 0.04s for signing and 0.0008s for the verification which is ideal for real-time communication.

c)

Data Availability (Authorisation, Authentication, and Access Control): To ensure data availability and protect the system from conducting any form of DoS or DDoS attack. The proposed system authorised every user through a registration process and a unique code is generated using SHA 256 with the help of the user’s registration data (ɤ), MAC address (∂), and a 32-bit random number (µ) at the IoMT server and is provided to add in the IoMT client as a unique ID = SHA256(ɤ+∂+µ) along with the NHS number to help the server uniquely identify and authenticate the connecting IoMT devices. This ensures that every connection request is unique, and the system also removes any idle connection request (including any half-open connections using a timeout technique) to guarantee service availability.

d)

System Recovery and Self-Healing Network: One of the biggest issues when data collection is done over a network is the fear of network failure. In a real-time monitoring system, network failure will lead to data loss, but health and well-being data are critical, so every data should be delivered. So, in this system is self-healing network system is adopted to recover and avoid data lost in the process of network failure. If the client is disconnected, the last data block sent is remembered and continues sending the data from the last point of failure automatically when the application is restarted. So, the interaction of the client with the server is seamlessly synced without any data duplication or data loss when the network fails. To achieve this goal, the client reading the sensory data shares the same database with the application that connects with the server, and every data that is acknowledged by the server is set to 1 to realise what is delivered and what is yet to be delivered otherwise.

e)

Privacy-based Alerting, Monitoring, and Evidence Collection: The system can securely alert the user’s selected individual e.g. friends or family (via email) when the condition of the monitoring outcome is not normal (e.g. when the body temperature is too high or when the air quality of the room is bad). It is to support and update the wellbeing of the user to the carers and near ones. The IoMT device detects when someone approaches and when someone touches or moves the IoMT device with the help of proximity, accelerometer, and gyroscope sensors and alerts about the events with a message and a red LED and Buzzer. This is to ensure that the system is not disturbed, stolen, damaged, or moved unnecessarily when the system is in operation. If the alert messages are ignored and the IoMT device is touched or moved, then visual evidence is captured by a camera, and the evidence is securely transferred to the server. However, these settings can be disabled when the monitoring is done remotely from home, but these functions can be enabled when it is deployed in public care areas like hospitals to track and trace events in and around the patient for their safety and security. Figure 8 shows a warning message while Figure 9 alert message is triggered when someone comes too close to the device and Figure 10 shows an activation of the camera when someone attempts to take or move the IoMT device. These systems are necessary to alert the surroundings and also connect with the concern stackholders of the user. s

f)

Visualisation of the Collected Data: The health and well-being environmental data that are collected from IoMT sensors can be viewed by the stakeholders through the IoMT server and web server. The screenshots of the temperature reading and moisture level of the skin when holding the sensors were collected using temperature sensor and humidity sensors and the results are shown in Figure 11. The spikes in the results are the results of blowing warm air through the mouth which guarantees a proper working of the system. The readings are taken from a snapshot record from 11:51:33(AM) to 12:58:17(PM) and the readings are taken every 5 seconds and updated on the server only when there is a change in the reading value, however, the IoMT client pushes the last recorded data even if there is no change if the time lapse over 5 minutes with no change in the data reading to ensure that the connection is live.

Figure 11. The Body Temperature and Moisture Level.

Figure 11. The Body Temperature and Moisture Level.

Figure 12. Air Quality of the Room and Movement Monitoring.

Figure 12. Air Quality of the Room and Movement Monitoring.

Figure 13. Lighting and noise monitoring.

Figure 13. Lighting and noise monitoring.

6. Conclusions

References

1. Mohanta, B., Das, P., & Patnaik, S. (2019). Healthcare 5.0: A Paradigm Shift in Digital Healthcare System Using Artificial Intelligence, IOT and 5G Communication. 2019 International Conference on Applied Machine Learning (ICAML). [CrossRef]
2. Ashton, K. (2009). That “Internet of Things” Thing. In That “Internet of Things” Thing -RFID Journal. https://www.itrco.jp/libraries/RFIDjournal-That%20Internet%20of%20Things%20Thing.pdf.
3. Scarpato, N., Pieroni, A., Nunzio, L. D., & Fallucchi, F. (2017). E-health-IoT Universe: A Review. International Journal on Advanced Science, Engineering, and Information Technology, 7(6), 2328. [CrossRef]
4. Internet of Medical Things [IOMT] Market Size and Growth, 2028. (2024, April 8). Retrieved April 24, 2024, from https://www.fortunebusinessinsights.com/industry-reports/internet-of-medical-things-iomt-market-101844.
5. Sahi, M. A., Abbas, H., Saleem, K., Yang, X., Derhab, A., Orgun, M. A., Iqbal, W., Rashid, I., & Yaseen, A. (2018). Privacy Preservation in e-Healthcare Environments: State of the Art and Future Directions. IEEE Access, 6, 464–478. [CrossRef]
6. Vishnu, S., Ramson, S. R. J., & Jegan, R. (2020). Internet of Medical Things (IoMT) - An overview. 2020 5th International Conference on Devices, Circuits and Systems (ICDCS). [CrossRef]
7. Malasinghe, L. P., Ramzan, N., & Dahal, K. (2017). Remote patient monitoring: a comprehensive study. Journal of Ambient Intelligence and Humanized Computing, 10(1), 57–76. [CrossRef]
8. Tabatabaei, S. M., Kasrineh, M. R., Sharifzadeh, N., & Soodejani, M. T. (2021). COVID-19: an Alarm to Move Faster towards “Smart Hospital.” Online Journal of Public Health Informatics, 13(1). [CrossRef]
9. Michard, F., Saugel, B., & Vallet, B. (2020). Rethinking the post-COVID-19 pandemic hospital: more ICU beds or smart monitoring on the wards? Intensive Care Medicine, 46(9), 1792–1793. [CrossRef]
10. [10]IBM Security X-Force Threat Intelligence Index 2024. https://www.ibm.com/reports/threat-intelligence.
11. BBC News. (2014, August 18). Community Health Systems data hack hits 4.5 million. BBC News. https://www.bbc.co.uk/news/technology-28838661.
12. Zetter, K. (2016, January 13). Hacking team’s leak helped researchers hunt down a Zero-Day. WIRED. https://www.wired.com/2016/01/hacking-team-leak-helps-kaspersky-researchers-find-zero-day-exploit/.
13. Staff, D. R. (2023, December 11). Former NY hospital employee admits to stealing colleagues’ data. https://www.darkreading.com/cyberattacks-data-breaches/former-ny-hospital-employee-admits-to-stealing-colleagues-data.
14. Anthem pays OCR $16 million in record HIPAA settlement following largest U.S. health data breach in history | Guidance Portal. (n.d.). https://www.hhs.gov/guidance/document/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-us-health-data-breach.
15. Davis, J. (2021, October 19). Magellan Health Data breach victim tally reaches 365K patients. HealthITSecurity. https://healthitsecurity.com/news/magellan-health-data-breach-victim-tally-reaches-365k-patients.
16. Mohurle, S., & Patil, M. (2017). A brief study of wannacry threat: Ransomware attack 2017. International journal of advanced research in computer science, 8(5), 1938-1940.
17. Lazarovitz, L. (2021). Deconstructing the solarwinds breach. Computer Fraud & Security, 2021(6), 17-19. [CrossRef]
18. Muncaster, P. (2024, April 28). Save the Children hit by $1m BEC scam. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/save-the-children-hit-by-1m-bec/#:~:text=Phil%20Muncaster&text=The%20attacker%20managed%20to%20access,center%20solar%20panels%20in%20Pakistan.
19. Townsened, C. (2019, January 30). Why data security has become a priority for healthcare professionals. United States Cybersecurity Magazine. https://www.uscybersecurity.net/healthcare/.
20. Mohurle, S., & Patil, M. (2017). A brief study of wannacry threat: Ransomware attack 2017. International journal of advanced research in computer science, 8(5), 1938-1940.
21. Martani, A., Geneviève, L. D., Elger, B., & Wangmo, T. (2021). ‘It’s not something you can take in your hands’. Swiss experts’ perspectives on health data ownership: an interview-based study. BMJ Open, 11(4), e045717.
22. Zhang, C., Xia, J., Yang, B., Puyang, H., Wang, W., Chen, R., ... & Yan, F. (2021, November). Citadel: Protecting data privacy and model confidentiality for collaborative learning. In Proceedings of the ACM Symposium on Cloud Computing (pp. 546-561).
23. Simmons, G. J. (1979). Symmetric and asymmetric encryption. ACM Computing Surveys (CSUR), 11(4), 305-330. [CrossRef]
24. Qiu, T., Chi, J., Zhou, X., Ning, Z., Atiquzzaman, M., & Wu, D. O. (2020). Edge computing in industrial internet of things: Architecture, advances and challenges. IEEE Communications Surveys & Tutorials, 22(4), 2462-2488. [CrossRef]
25. Indu, I., Anand, P. R., & Bhaskar, V. (2018). Identity and access management in cloud environment: Mechanisms and challenges. Engineering science and technology, an international journal, 21(4), 574-588. [CrossRef]
26. AlHogail, A. (2018). Improving IoT technology adoption through improving consumer trust. Technologies, 6(3), 64. [CrossRef]
27. Dzissah, D. A., Lee, J. S., Suzuki, H., Nakamura, M., & Obi, T. (2019). Privacy enhanced healthcare information sharing system for home-based care environments. Healthcare informatics research, 25(2), 106. [CrossRef]
28. Hathaliya, J. J., & Tanwar, S. (2020). An exhaustive survey on security and privacy issues in Healthcare 4.0. Computer Communications, 153, 311-335. [CrossRef]
29. Elhoseny, M., Ramírez-González, G., Abu-Elnasr, O. M., Shawkat, S. A., Arunkumar, N., & Farouk, A. (2018). Secure medical data transmission model for IoT-based healthcare systems. Ieee Access, 6, 20596-20608.
30. Yeh, K.-H. (2016). BSNCare+: A Robust IoT-Oriented Healthcare System with Non-Repudiation Transactions. Applied Sciences, 6(12), 418. [CrossRef]
31. Tsai, K.-L., Huang, Y.-L., Leu, F.-Y., You, I., Huang, Y.-L., & Tsai, C.-H. (2018). AES-128 Based Secure Low Power Communication for LoRaWAN IoT Environments. IEEE Access, 6, 45325–45334. [CrossRef]
32. Moosavi, S. R., Nigussie, E., Levorato, M., Virtanen, S., & Isoaho, J. (2018). Performance Analysis of End-to-End Security Schemes in Healthcare IoT. Procedia Computer Science, 130, 432–439. [CrossRef]