WO2009004578A2 - Multidimensional identification, authentication, authorization and key distribution system for patient monitoring - Google Patents

Multidimensional identification, authentication, authorization and key distribution system for patient monitoring Download PDF

Info

Publication number
WO2009004578A2
WO2009004578A2 PCT/IB2008/052642 IB2008052642W WO2009004578A2 WO 2009004578 A2 WO2009004578 A2 WO 2009004578A2 IB 2008052642 W IB2008052642 W IB 2008052642W WO 2009004578 A2 WO2009004578 A2 WO 2009004578A2
Authority
WO
WIPO (PCT)
Prior art keywords
keying material
wireless
devices
medical
orthogonal
Prior art date
Application number
PCT/IB2008/052642
Other languages
French (fr)
Other versions
WO2009004578A3 (en
Inventor
Oscar Garcia Morchon
Heribert Baldus
Axel Gunther Huebner
Original Assignee
Koninklijke Philips Electronics N.V.
Philips Intellectual Property & Standards Gmbh
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics N.V., Philips Intellectual Property & Standards Gmbh filed Critical Koninklijke Philips Electronics N.V.
Priority to US12/666,848 priority Critical patent/US8356180B2/en
Priority to EP08763432.5A priority patent/EP2174459B1/en
Priority to RU2010103512/08A priority patent/RU2491746C2/en
Priority to JP2010514229A priority patent/JP2010534003A/en
Priority to CN200880022900.9A priority patent/CN101690102B/en
Publication of WO2009004578A2 publication Critical patent/WO2009004578A2/en
Publication of WO2009004578A3 publication Critical patent/WO2009004578A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16HHEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H40/00ICT specially adapted for the management or administration of healthcare resources or facilities; ICT specially adapted for the management or operation of medical equipment or devices
    • G16H40/60ICT specially adapted for the management or administration of healthcare resources or facilities; ICT specially adapted for the management or operation of medical equipment or devices for the operation of medical equipment or devices
    • G16H40/67ICT specially adapted for the management or administration of healthcare resources or facilities; ICT specially adapted for the management or operation of medical equipment or devices for the operation of medical equipment or devices for remote operation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/18Self-organising networks, e.g. ad-hoc networks or sensor networks

Definitions

  • Monitors and sensors for patients have become ubiquitous and are used to track vital signs and other needed data of patients in both inpatient and outpatient settings.
  • Many known sensors are 'wired' and thus include a wired connection between the sensor and a monitor or other display/data gathering device.
  • wired arrangements can limit free-movement of the patient and thus can be inconvenient.
  • limiting a patient's movement can also prevent monitoring of germane patient data outside of sedentary activity and thus may not provide an accurate account of the patient's condition.
  • BSN body sensor network
  • ZigBee Alliance is defining a Personal Home and Hospital Care (PHHC) profile that describes the use and application of the ZigBee standard to enable secure communications in medical environments and related scenarios to the described in the present patent application.
  • PHHC Personal Home and Hospital Care
  • Such wireless monitoring of patient data in ZigBee-based networks, and in general, by means of wireless sensor networks provides convenience as needed to enable 'real-life' patient monitoring. While the benefits of wireless monitoring are significant, there remains the need to ensure sensitive patient information remains secure. For example, security is a mandatory requirement for such systems in order to both ensure patient safety and privacy and comply with legal requirements in healthcare such as HIPAA in the USA.
  • Key management is fundamental to enable BSN security, since it provides and manages the cryptographic keys to enable further security services, such as authentication, confidentiality and integrity. Protection of the patient's privacy sphere is needed, in order to protect patients from tracking, and guarantee that only granted personal can access to patient's medical information.
  • a key distribution system used to distribute cryptographic keys to medical devices is know as the Hierarchical Deterministic Pairwise Key Pre-distribution Scheme (HDPKPS), which is described in the cross-referenced application.
  • the HDPKPS is a very efficient key distribution system that allows any pair of devices (chosen from a large pool of medical devices) to generate a pairwise key. Key generation is carried out by exploiting the HDPKPS keying material that each medical device stores.
  • a pairwise key can be used to provide further security services, and be linked to the unique HDPKPS' identifier so that a device can be unambiguously authenticated.
  • the HDPKPS keying material maps predefined relationships, such as ownership, via a hierarchical infrastructure of security domains enabling in this way precise device identification.
  • a device can be classified according to the ownership into a four level hierarchical security domains, namely solid, health institution, hospital, and department.
  • the mapping of predefined relationships is carried out by distributing to each and every of the nodes a set of keying material (KM).
  • the keying material a node carries is linked to the different security domains to which that node belongs. For instance, if a node belongs to a supplier, health institution A, hospital H, and department D, that node would get a set of KM composed of four independent sub-sets of KM, namely: KMsuppher, KM ⁇ , KM H , and KM D . Each of these sub-sets of KM are linked to previous security domains.
  • both nodes can identify the origin of the other party in this hierarchical distribution of SDs, identify to each other and agree on a common key by exploiting the common keying material. For instance, given two nodes belonging to Philips, same health institution, same hospital, but different departments, both nodes can recognize the origin of the other node, and agree on a common pairwise key based on the keying material linked to the deepest common security domain (DCSD), namely, the hospital keying material.
  • DCSD deepest common security domain
  • the common key is generated at this level, as it provides the maximum security level.
  • the keying material used to agree on a common key can be based on a pre- distributed secret, a ⁇ -secure approach based on polynomials, or public keys.
  • the HDPKPS uses a hierarchical distribution of ⁇ -secure DPKPS keying material. This keying material is linked to each security domain, and two nodes belonging to the same SD get correlated but different sets of keying material. Since future patient monitoring will enable patient's to move freely within of hospital's facilities, or even pervasive patient monitoring, high secure patient monitoring must be ensured wherever the patient is located.
  • a (medical) device or entity linked to a public key that authenticates that that device or entity is featured by set of identifiers can be substituted by discrete identifiers where identifiers are be arranged according to orthogonal features classified in a hierarchical manner, and each feature can be authenticated in an individual manner.
  • a method of security management in a wireless network comprises: identifying a plurality of orthogonal classifications of medical devices; generating identifiers for each security domain within each of the orthogonal classifications; generating keying material for each identifier; and exchanging identifiers to establish a key agreement, or an access control, or privacy protection or a combination thereof.
  • a security system for a wireless network includes: a wireless device; and a medium access controller (MAC) operative to: identify a plurality of orthogonal classifications of the wireless devices and to assign at least one of the orthogonal classifications to each wireless device and to generate identifiers for each security domain within each of the orthogonal classifications and to assign the identifiers to each wireless sensor and each wireless node, wherein the wireless devices exchange the identifiers to establish a key agreement, or an access control, or privacy protection or a combination thereof.
  • MAC medium access controller
  • a wireless device operative to communicate with other wireless devices in a network comprises: an orthogonal classification; an identifier for each security domain within each orthogonal classification; and a keying material for each identifier wherein each wireless device is adapted to exchange one or more of respective identifiers to establish a key agreement, or an access control, or privacy protection or a combination thereof.
  • Fig. 1 is a conceptual schematic diagram of a wireless system in accordance with a representative embodiment
  • Fig. 2 is a conceptual schematic diagram of a wireless device seeking to communicate with another wireless device in accordance with a representative embodiment.
  • Fig. 3 shows tabular representations of classifications, identifiers and keying material of wireless devices in accordance with a representative embodiment.
  • Fig. 4 is a conceptual schematic diagram of a sequence of establishing a secure connection at a deepest common security domain accordance with a representative embodiment.
  • Fig. 5 is a flow-chart illustrating the search for the deepest common SD in accordance with a representative embodiment.
  • the terms 'a' or 'an', as used herein are defined as one or more than one.
  • routines and symbolic representations of operations of data bits within a computer readable medium associated processors, microprocessors, digital storage oscilloscopes, general purpose personal computers, manufacturing equipment, configured with data acquisition cards and the like.
  • a method herein is conceived to be a sequence of steps or actions leading to a desired result, and as such, encompasses such terms of art as "routine,” “program,” “objects,” “functions,” “subroutines,” and “procedures.”
  • the illustrative embodiments may be implemented in one or more of a variety of wireless systems, networks, devices and protocols within the purview of one of ordinary skill in the art and in future wireless systems. Many aspects of the current invention of the representative embodiments can implemented in either the medium access control (MAC) or application layer.
  • the wireless system/network may be compliant to one or more of the following protocols: IEEE 802.1 1 and its progeny, including ad-hoc networks; IEEE 802.15 and its progeny; and IEEE 802.22, and IEEE 802.15.4(commonly referred to as ZigBee).
  • IEEE 802.1 1 and its progeny including ad-hoc networks
  • IEEE 802.15 and its progeny and IEEE 802.22, and IEEE 802.15.4(commonly referred to as ZigBee).
  • the representative embodiments are described in connection with medical networks and devices. This is merely an illustrative application. Notably, the present teachings may be applied to other systems system can be used to enable and improve further security services including distributed access control, device or entity identification, privacy protection and secure roaming in wireless networks, such as ZigBee networks. Notably, distributed access control can be achieved by limiting access (rights) to only those devices or entities that possess authorized identifiers and that can prove it according to pre-defined rules.
  • entity or device identification is improved as an entity or device is identified not only by a single identifier, but also according to its features.
  • an entity or device can show the possession of individual identifiers linked to individual features making possible more specific identification of a device or entity without requiring a public key or access to a dedicated server.
  • privacy protection can be achieved by limiting the identification information disclosed when starting a communication.
  • Fig. 1 is a conceptual schematic diagram of a wireless medical system 100 in accordance with a representative embodiment.
  • the system 100 includes a plurality of medical devices (S], S 2 , ⁇ . -S n ), which are wireless medical devices.
  • the devices comprise, illustratively, wireless medical devices, such as physiological condition sensors and monitors, bedside monitors, controllable medication dosing devices and personal digital assistants (PDAs).
  • PDAs personal digital assistants
  • the system 100 also includes a hierarchical classification of the devices based on the ownership of those devices. Accordingly, a wireless device (Sj, S 2 , ...S n ) of the system 100 may be categorized according to three levels: manufacturer of the device; medical facility (e.g., hospital); and medical department to which the device belong.
  • both devices belong to the same security domain (SD) at that level.
  • SD security domain
  • devices Si and S 2 belong to the same department and hospital at security domains levels 3 and 2, respectively.
  • the HDPKPS allows both devices to authenticate each other, and generate a pairwise key which can be used to provide further security services.
  • the HDPKPS distributes correlated (but different) keying material linked to that SD to those devices. Both devices can exploit their respective sets of keying material to agree on a common key on a real-time basis.
  • HDPKPS enables full-device hierarchical identification and full interoperability according to the ownership of the devices
  • authentication by this method may not provide enough security or flexibility.
  • H_A 101 and HJB 102 Each hospital has a cardiology department, Dj and D_II, respectively.
  • Dj cardiology department
  • HJB/D_II cardiology department
  • the patients sensors e.g., Sj
  • H_A/D_II When the patient arrives to HJB/D_II, the patients sensors (e.g., Sj) from H_A/D_I can establish a secure communication with the bedside monitor of HJB/D II as the sensors and bedside monitors belong to the same health institution, and they can use this category, and their corresponding sub-set of correlated keying material linked to that feature (or security domain) to generate a pairwise key.
  • the resiliency of HDPKPS at higher security domains is weaker, and it might not provide enough security level.
  • greater flexibility and security is realized with a key distribution system known as orthogonal HDKPS (OKPS).
  • the OKPS distributes keying material according to a multidimensional identification of a device or entity.
  • the system distributes keying material linked to an identifier to each device in such a way that that device can identify or authenticate each feature in an individual manner.
  • These hierarchical classifications of features are orthogonal in the sense that the SDs, which each classification defines, do not fully overlap, but just partially. For instance, in a city, several hospitals may be from several health institutions, but only in some of them might be the same medical specialty.
  • the present invention is based on the used of several orthogonal categories or classifications of features.
  • OKPS is based on two or more orthogonal classifications for wireless devices.
  • the hierarchical classifications of features illustratively include, but are not limited to: 1), Location of the device (for instance, wireless devices can be classified according to country - state and city (Germany /NR W/ ⁇ achen)); medical specialty (for instance, wireless devices can be classified according to a general specialty, sub-specialty (surgery, neurosurgery)); expected operational zone in the medical facility/hospital (For instance, operational zone 1 might cover the orthopedic and radiology's department, as well as the gym facilities.
  • Figs. 2-4 disclose a method of effecting authentication between two wireless devices (e.g., Si and S 2 ) in accordance with a representative embodiment.
  • one of the wireless devices may be a patient's physiological sensor, and the other may be a clinician's PDA adapted to garner data from the sensor.
  • Fig. 2 is a conceptual schematic diagram of a wireless device Si seeking to communicate with another wireless device S 2 .
  • Each device includes at least two orthogonal classifications, security domains within the classification, identification and keying material. For example, Table 1
  • the SD's identifiers are exchanged, allowing the devices to recognize ownership of the device, the location of that medical device, the medical specially in which it is used, etc.
  • This sequence is known as the identification sequence, and is illustrated in Figs. 3 and 4.
  • the identification sequence can be more complex in order to identify more complex roles of the devices and could be identify as a matrix.
  • an axis identifies the different roles and the second axis assigns different values to the different roles at different depths in a hierarchical distribution.
  • Table 1 can be seen as a specific example of such a matrix for previous example.
  • a configuration request 401 is sent from one wireless device to the other indicating the need for a secure connection.
  • an identification request 402 in which the requesting device sends a message including the minimum number of features to be disclosed for each feature (in order to enable privacy protection/distributed access control).
  • These features are shown in table 301 and in general for feature f, the first L f identifiers must be disclosed, where Lf is the number of hierarchical levels in which the feature is organized. Notably, this step might be modified if both nodes use access control/privacy aware policies.
  • both nodes could exchange a sub-set of identifiers, in order to protect patient's privacy, or restrict access if the other party does not prove its memberships to a specific (and predefined) group, security domain, or feature.
  • two devices look for the deepest common security domain for each and every of the features, i.e., the devices use the exchanged SD' s identifiers to discover the DCSD for each independent HDPKPS. Both devices then generate a pairwise key K by combining each of the independent partial pairwise keys generated from each independent HDPKPS.
  • the devices complete an authentication handshake.
  • the devices For each identification feature i shown in Table 302, the devices identify the deepest common security domain j (* 1).
  • the devices exploit their own pair ⁇ IDij-a, KMij-a ⁇ (S ⁇ ) and the IDij-b (S 2 ) to agree on a partial key Kij-ab.
  • Fig. 5 is a flow-chart illustrating the search for the deepest common SD in accordance with a representative embodiment. The method relies on features and details described in connection with the embodiments previously described. Such details and features are not repeated in order to avoid obscuring the description of the presently described embodiments.
  • the wireless device determine whether they are in the same security domain (SD1-SD2). If not, then the lowest common level is k- 1. If the devices are at the same SD, then they proceed to level k+1. At step 502, if the devices are not in the deepest SD, then the method reverts to step 501. If the devices are in the deepest SD, then the deepest level common level is L.
  • the previous operation is repeated for each feature, so that two devices can identify the keying material they can use to agree on a common partial secret and to identify to each other for each and every of the features.
  • the OKPS allows classifying a sensor node according to several features. This allows secure patient transfer from ICU to normal care unit. For example, consider a cardiac patient in a hospital who is operated due to a heart attack. During and the first few days after the operation he is attended at the ICU. However, after a couple of days he is transferred to a normal care unit specialized in cardiac patients, cardiac care unit (CCU). Wireless sensors used in this setting shall be configured according to an OKPS composed of two (hierarchical) security domains. On the one hand, these sensor nodes belong to the security domain of the ICU. Hence, these sensors shall carry keying material from the hospital and from the ICU's department. On the other hand, the operational zone of these sensors includes the CCU. Hence, those sensor nodes must also carry keying material of both orthogonal security domains,
  • a benefit of this implementation is that patients can keep the same sensor nodes during the whole treatment but with an optimal security level is higher as sensor nodes belong to two orthogonal security domains, namely ICU's keying material and CCU' keying material.
  • a cardiac patient in a hospital wears a wireless sensor node that continuously monitors his ECG. He has to go to the hospital's gym every day for exercising. During this period of time, patient ⁇ is monitored both at the cardiology department and gym.
  • the OKPS allows this at a high security level, as cardiology and gym are in parallel supported as secure domains. Hence, the secure connection is not only based on the hospital level, but also in the operational zone of the sensor. This fact augments the resiliency of the system.
  • the secure connection fosters transparent security roaming from one security domain to another.
  • a medical network such as a hospital medical network
  • Each ZigBee network controls its own security, but devices could keep keying material sets belonging to the different networks where a patient is to be treated.
  • the patient's sensor nodes already carry keying material linked to both zones, security domains, networks, or ZigBee networks, enabling transparent security roaming.
  • a wireless sensor does not disclose all the identifiers, but only some of them. For instance:
  • a sensor node can still be identified but not completely, protecting in this manner patient's privacy. This represents a huge advantage when compared with other identification systems that require the disclosure of a single identifier linked to for instance the public key of the corresponding entity. Therefore, this system allows implementing privacy aware techniques in low-resource constrained devices.
  • Sensor nodes are identified by means of several orthogonal classifications. This enables a more precise authenticated identification, when required, of the ownership, location, illness, etc, of the patients. This can be very useful to detect for example medical errors during a patient transfer, as sensor nodes can identify the operation zone of the nodes. For instance, if a patient carries several sensor nodes with multi-dimensional identifiers, granted physicians can check whether that patient is located in the operation area, department, etc he should, In this manner, possible errors during patient transfer can be detected.
  • OKPS enables distributed access control features by making use of the orthogonal identification features of devices.
  • the system could be configured in a way that only hospital devices fulfilling several features have access to patient's health information.
  • patient's ECG sensor are preconfigured to enable patient monitoring of only bedside monitors that belong to the hospital in which a patient is treated or are in the same city and are linked to the cardiology specialty.
  • patient's ECG sensor will only disclose patient's ECG vital signs to nodes that successfully authenticate as belonging to the same hospital, or to other hospital of the same city with the cardiology specialty.
  • medical device or entity e.g. a sensor node
  • medical device or entity could store a list with the features that arc required to carry out those actions.
  • the medical device requests the identification and authentication of a specific sub-set of features that is required to authorize the activity. If the other party can prove its identity, the action is granted, i.e., authorized. Otherwise, the action is rejected.
  • This feature is useful particularly for new wireless sensor network standards such as ZigBee as access control is a compulsory requirement in new applications, and current centralized access control solutions have a limited scope and are not flexible enough.

Abstract

A method, wireless system and a wireless device are described. The method, system and device provide multidimensional identification, authentication, authorization and key distribution providing secure communications at a deepest common security domain.

Description

Multidimensional Identification, Authentication, Authorization and Key Distribution
System for Patient Monitoring
DESCRIPTION
Monitors and sensors for patients have become ubiquitous and are used to track vital signs and other needed data of patients in both inpatient and outpatient settings. Many known sensors are 'wired' and thus include a wired connection between the sensor and a monitor or other display/data gathering device. As will be appreciated, such wired arrangements can limit free-movement of the patient and thus can be inconvenient. Moreover, limiting a patient's movement can also prevent monitoring of germane patient data outside of sedentary activity and thus may not provide an accurate account of the patient's condition.
The advent of wireless communications has fostered wireless sensors and monitors. In this setting, a set of wireless sensor nodes attached to a patient and measuring patient's vital signs form what is called a body sensor network (BSN). As will be appreciated, sensors can send data garnered from a patient in a wireless manner to a monitor, or to a clinician remotely located from the patient.
Wireless patient monitoring will continue to emerge in application as standards such as IEEE 802.15.4/ZigBee become more prevalent in application. The ZigBee Alliance is defining a Personal Home and Hospital Care (PHHC) profile that describes the use and application of the ZigBee standard to enable secure communications in medical environments and related scenarios to the described in the present patent application.
Such wireless monitoring of patient data in ZigBee-based networks, and in general, by means of wireless sensor networks provides convenience as needed to enable 'real-life' patient monitoring. While the benefits of wireless monitoring are significant, there remains the need to ensure sensitive patient information remains secure. For example, security is a mandatory requirement for such systems in order to both ensure patient safety and privacy and comply with legal requirements in healthcare such as HIPAA in the USA. Key management is fundamental to enable BSN security, since it provides and manages the cryptographic keys to enable further security services, such as authentication, confidentiality and integrity. Protection of the patient's privacy sphere is needed, in order to protect patients from tracking, and guarantee that only granted personal can access to patient's medical information. A key distribution system used to distribute cryptographic keys to medical devices is know as the Hierarchical Deterministic Pairwise Key Pre-distribution Scheme (HDPKPS), which is described in the cross-referenced application. The HDPKPS is a very efficient key distribution system that allows any pair of devices (chosen from a large pool of medical devices) to generate a pairwise key. Key generation is carried out by exploiting the HDPKPS keying material that each medical device stores. A pairwise key can be used to provide further security services, and be linked to the unique HDPKPS' identifier so that a device can be unambiguously authenticated.
Additionally, the HDPKPS keying material maps predefined relationships, such as ownership, via a hierarchical infrastructure of security domains enabling in this way precise device identification. For example, a device can be classified according to the ownership into a four level hierarchical security domains, namely fabricant, health institution, hospital, and department.
The mapping of predefined relationships is carried out by distributing to each and every of the nodes a set of keying material (KM). The keying material a node carries is linked to the different security domains to which that node belongs. For instance, if a node belongs to a supplier, health institution A, hospital H, and department D, that node would get a set of KM composed of four independent sub-sets of KM, namely: KMsuppher, KMΛ, KMH, and KMD. Each of these sub-sets of KM are linked to previous security domains.
In the HDPKPS, when two nodes want to agree on a common key, they exchange the HDPKPS identifiers that identify the SDs to which the nodes belong. With this information, both nodes can identify the origin of the other party in this hierarchical distribution of SDs, identify to each other and agree on a common key by exploiting the common keying material. For instance, given two nodes belonging to Philips, same health institution, same hospital, but different departments, both nodes can recognize the origin of the other node, and agree on a common pairwise key based on the keying material linked to the deepest common security domain (DCSD), namely, the hospital keying material. The common key is generated at this level, as it provides the maximum security level.
The keying material used to agree on a common key, can be based on a pre- distributed secret, a λ-secure approach based on polynomials, or public keys. The HDPKPS uses a hierarchical distribution of λ-secure DPKPS keying material. This keying material is linked to each security domain, and two nodes belonging to the same SD get correlated but different sets of keying material. Since future patient monitoring will enable patient's to move freely within of hospital's facilities, or even pervasive patient monitoring, high secure patient monitoring must be ensured wherever the patient is located.
There is a need of identifying different features of medical devices in an easy manner, without requiring heavy cryptography (e.g. public key) or access to a server. In a representative solution, a (medical) device or entity linked to a public key that authenticates that that device or entity is featured by set of identifiers can be substituted by discrete identifiers where identifiers are be arranged according to orthogonal features classified in a hierarchical manner, and each feature can be authenticated in an individual manner. Additionally, there is a need, for a method, apparatus and system that improves patient security in wireless patient monitoring systems.
In a representative embodiment, a method of security management in a wireless network comprises: identifying a plurality of orthogonal classifications of medical devices; generating identifiers for each security domain within each of the orthogonal classifications; generating keying material for each identifier; and exchanging identifiers to establish a key agreement, or an access control, or privacy protection or a combination thereof.
In another representative embodiment, a security system for a wireless network, includes: a wireless device; and a medium access controller (MAC) operative to: identify a plurality of orthogonal classifications of the wireless devices and to assign at least one of the orthogonal classifications to each wireless device and to generate identifiers for each security domain within each of the orthogonal classifications and to assign the identifiers to each wireless sensor and each wireless node, wherein the wireless devices exchange the identifiers to establish a key agreement, or an access control, or privacy protection or a combination thereof.
In accordance with yet another representative embodiment, a wireless device operative to communicate with other wireless devices in a network, comprises: an orthogonal classification; an identifier for each security domain within each orthogonal classification; and a keying material for each identifier wherein each wireless device is adapted to exchange one or more of respective identifiers to establish a key agreement, or an access control, or privacy protection or a combination thereof. The present teachings are best understood from the following detailed description when read with the accompanying drawing figures. The features are not necessarily drawn to scale. Wherever practical, like reference numerals refer to like features.
Fig. 1 is a conceptual schematic diagram of a wireless system in accordance with a representative embodiment,
Fig. 2 is a conceptual schematic diagram of a wireless device seeking to communicate with another wireless device in accordance with a representative embodiment.
Fig. 3 shows tabular representations of classifications, identifiers and keying material of wireless devices in accordance with a representative embodiment.
Fig. 4 is a conceptual schematic diagram of a sequence of establishing a secure connection at a deepest common security domain accordance with a representative embodiment.
Fig. 5 is a flow-chart illustrating the search for the deepest common SD in accordance with a representative embodiment.
As used herein, the terms 'a' or 'an', as used herein are defined as one or more than one.
In the following detailed description, for purposes of explanation and not limitation, illustrative embodiments disclosing specific details are set forth in order to provide a thorough understanding of the present teachings. Moreover, descriptions of well-known devices, hardware, software, firmware, methods and systems may be omitted so as to avoid obscuring the description of the illustrative embodiments. Nonetheless, such hardware, software, firmware, devices, methods and systems that are within the purview of one of ordinary skill in the art may be used in accordance with the illustrative embodiments. It is emphasized that while the representative embodiments are directed to medical sensors and monitors, medical wireless sensor networks, and ZigBee networks, the present teachings may be otherwise applied where authentication is desired before communications between devices occurs. For example, the present teachings may be applied to other types of monitoring/measuring systems, such as RFID systems, with suitable modifications.
The detailed description which follows presents methods that may be embodied by routines and symbolic representations of operations of data bits within a computer readable medium, associated processors, microprocessors, digital storage oscilloscopes, general purpose personal computers, manufacturing equipment, configured with data acquisition cards and the like. In general, a method herein is conceived to be a sequence of steps or actions leading to a desired result, and as such, encompasses such terms of art as "routine," "program," "objects," "functions," "subroutines," and "procedures."
The illustrative embodiments may be implemented in one or more of a variety of wireless systems, networks, devices and protocols within the purview of one of ordinary skill in the art and in future wireless systems. Many aspects of the current invention of the representative embodiments can implemented in either the medium access control (MAC) or application layer. For purposes of illustration and not limitation, the wireless system/network may be compliant to one or more of the following protocols: IEEE 802.1 1 and its progeny, including ad-hoc networks; IEEE 802.15 and its progeny; and IEEE 802.22, and IEEE 802.15.4(commonly referred to as ZigBee). As the details of such systems are within the purview of one of ordinary skill in the art, such details and their particular application to the present teachings are not described in order to avoid obscuring the description of the representative embodiments.
The representative embodiments are described in connection with medical networks and devices. This is merely an illustrative application. Notably, the present teachings may be applied to other systems system can be used to enable and improve further security services including distributed access control, device or entity identification, privacy protection and secure roaming in wireless networks, such as ZigBee networks. Notably, distributed access control can be achieved by limiting access (rights) to only those devices or entities that possess authorized identifiers and that can prove it according to pre-defined rules.
Beneficially, in medical applications and other contemplated applications, entity or device identification is improved as an entity or device is identified not only by a single identifier, but also according to its features. In this manner, an entity or device can show the possession of individual identifiers linked to individual features making possible more specific identification of a device or entity without requiring a public key or access to a dedicated server. Moreover, privacy protection can be achieved by limiting the identification information disclosed when starting a communication.
Fig. 1 is a conceptual schematic diagram of a wireless medical system 100 in accordance with a representative embodiment. The system 100 includes a plurality of medical devices (S], S2, ■ . -Sn), which are wireless medical devices. The devices comprise, illustratively, wireless medical devices, such as physiological condition sensors and monitors, bedside monitors, controllable medication dosing devices and personal digital assistants (PDAs). The system 100 also includes a hierarchical classification of the devices based on the ownership of those devices. Accordingly, a wireless device (Sj, S2, ...Sn) of the system 100 may be categorized according to three levels: manufacturer of the device; medical facility (e.g., hospital); and medical department to which the device belong. If two devices belong to the same category at the same level, we say that both devices belong to the same security domain (SD) at that level. For instance, in the present illustration, devices Si and S2 belong to the same department and hospital at security domains levels 3 and 2, respectively. If two devices belong to the same SD, the HDPKPS allows both devices to authenticate each other, and generate a pairwise key which can be used to provide further security services. In general, if two devices belong to the same SD (i.e., they share a common feature, such as location, ownerships, etc) the HDPKPS distributes correlated (but different) keying material linked to that SD to those devices. Both devices can exploit their respective sets of keying material to agree on a common key on a real-time basis. As used herein, the term 'exploit' means modify the keying material that was distributed previously in order to calculate a common deepest security level. For instance, suppose two devices, device a and device b, carry two sets of keying material (KMa and KMb), where the KMa = f(a,y) and KMb = f(b,y) and f(x,y) is a symmetric polynomial in two variables x,y, i.e. f(x,y)=f(y,x). Then, both nodes a and b can exchange their identifiers, namely a and b. Then, device a exploits its KMa by calculating f(a,y) in y=b. The result is f(a,b). Node b can also exploit its keying material getting the same result f(b,a). Further details of authentication by HDPKPS are provided in the parent application referenced above.
While HDPKPS enables full-device hierarchical identification and full interoperability according to the ownership of the devices, in some scenarios, authentication by this method may not provide enough security or flexibility. To illustrate this, consider a Health Institution having two hospitals, H_A 101 and HJB 102. Each hospital has a cardiology department, Dj and D_II, respectively. Suppose a patient, who is treated in H_A/D_I, must be moved to HJB/D_II in order to be treated by another specialist. When the patient arrives to HJB/D_II, the patients sensors (e.g., Sj) from H_A/D_I can establish a secure communication with the bedside monitor of HJB/D II as the sensors and bedside monitors belong to the same health institution, and they can use this category, and their corresponding sub-set of correlated keying material linked to that feature (or security domain) to generate a pairwise key. However, the resiliency of HDPKPS at higher security domains is weaker, and it might not provide enough security level. In accordance with representative embodiments, greater flexibility and security is realized with a key distribution system known as orthogonal HDKPS (OKPS). The OKPS distributes keying material according to a multidimensional identification of a device or entity. Stated differently, the system distributes keying material linked to an identifier to each device in such a way that that device can identify or authenticate each feature in an individual manner. These hierarchical classifications of features are orthogonal in the sense that the SDs, which each classification defines, do not fully overlap, but just partially. For instance, in a city, several hospitals may be from several health institutions, but only in some of them might be the same medical specialty.
Λs will become clearer as the present description continues, the present invention (or OKPS) is based on the used of several orthogonal categories or classifications of features. In a representative embodiment, OKPS is based on two or more orthogonal classifications for wireless devices, In addition to a feature such as the ownership of devices, the hierarchical classifications of features illustratively include, but are not limited to: 1), Location of the device (for instance, wireless devices can be classified according to country - state and city (Germany /NR W/Λachen)); medical specialty (for instance, wireless devices can be classified according to a general specialty, sub-specialty (surgery, neurosurgery)); expected operational zone in the medical facility/hospital (For instance, operational zone 1 might cover the orthopedic and radiology's department, as well as the gym facilities. In the same manner, other operational zones can be defined within of the hospital facilities.) Beneficially, once the classifications are determined according to the different features of an entity or device and keying material distributed to the different entities and devices, two devices can exchange their identifiers, and exploit the distributed keying material to achieve device authentication and key agreement.
Figs. 2-4 disclose a method of effecting authentication between two wireless devices (e.g., Si and S2) in accordance with a representative embodiment. For example, one of the wireless devices may be a patient's physiological sensor, and the other may be a clinician's PDA adapted to garner data from the sensor.
Fig. 2 is a conceptual schematic diagram of a wireless device Si seeking to communicate with another wireless device S2. Each device includes at least two orthogonal classifications, security domains within the classification, identification and keying material. For example, Table 1
Figure imgf000010_0001
Continuing with the illustrative identifiers, when two devices Si and S2 meet, the SD's identifiers are exchanged, allowing the devices to recognize ownership of the device, the location of that medical device, the medical specially in which it is used, etc. This sequence is known as the identification sequence, and is illustrated in Figs. 3 and 4.
In general, the identification sequence can be more complex in order to identify more complex roles of the devices and could be identify as a matrix. In that matrix, an axis identifies the different roles and the second axis assigns different values to the different roles at different depths in a hierarchical distribution. Table 1 can be seen as a specific example of such a matrix for previous example.
Initially, a configuration request 401 is sent from one wireless device to the other indicating the need for a secure connection. This is followed by an identification request 402 in which the requesting device sends a message including the minimum number of features to be disclosed for each feature (in order to enable privacy protection/distributed access control). These features are shown in table 301 and in general for feature f, the first Lf identifiers must be disclosed, where Lf is the number of hierarchical levels in which the feature is organized. Notably, this step might be modified if both nodes use access control/privacy aware policies. In this case both nodes could exchange a sub-set of identifiers, in order to protect patient's privacy, or restrict access if the other party does not prove its memberships to a specific (and predefined) group, security domain, or feature. In general, after exchanging the identifiers, two devices look for the deepest common security domain for each and every of the features, i.e., the devices use the exchanged SD' s identifiers to discover the DCSD for each independent HDPKPS. Both devices then generate a pairwise key K by combining each of the independent partial pairwise keys generated from each independent HDPKPS.
At step 403, the devices complete an authentication handshake. In this step, that takes place after exchanging the multidimensional identifiers shown in Table 302. For each identification feature i shown in Table 302, the devices identify the deepest common security domain j (* 1). Next, the devices exploit their own pair {IDij-a, KMij-a} (S ι) and the IDij-b (S2) to agree on a partial key Kij-ab. Next, the devices agree on a global secret K, for instance, by calculating the hash of all the partial pairwise keys K = h(Klj-ab||K2j- ab||.. ,||Knj-ab) and make use of K to authenticate both nodes/enable secure communications. Accordingly, both devices make use of identifier and keying material associated with each of the DCSDs and at the deepest common SD to generate a partial pairwise key, Kp, as described by HDPKPS.
Fig. 5 is a flow-chart illustrating the search for the deepest common SD in accordance with a representative embodiment. The method relies on features and details described in connection with the embodiments previously described. Such details and features are not repeated in order to avoid obscuring the description of the presently described embodiments.
At step 501, during the authentication step, the wireless device determine whether they are in the same security domain (SD1-SD2). If not, then the lowest common level is k- 1. If the devices are at the same SD, then they proceed to level k+1. At step 502, if the devices are not in the deepest SD, then the method reverts to step 501. If the devices are in the deepest SD, then the deepest level common level is L.
In general, the previous operation is repeated for each feature, so that two devices can identify the keying material they can use to agree on a common partial secret and to identify to each other for each and every of the features.
Certain examples illustrating the use and function of the methods, apparatuses and systems of the representative embodiments are provided. These examples are only illustrative and in no way limiting in nature. The OKPS allows classifying a sensor node according to several features. This allows secure patient transfer from ICU to normal care unit. For example, consider a cardiac patient in a hospital who is operated due to a heart attack. During and the first few days after the operation he is attended at the ICU. However, after a couple of days he is transferred to a normal care unit specialized in cardiac patients, cardiac care unit (CCU). Wireless sensors used in this setting shall be configured according to an OKPS composed of two (hierarchical) security domains. On the one hand, these sensor nodes belong to the security domain of the ICU. Hence, these sensors shall carry keying material from the hospital and from the ICU's department. On the other hand, the operational zone of these sensors includes the CCU. Hence, those sensor nodes must also carry keying material of both orthogonal security domains,
A benefit of this implementation is that patients can keep the same sensor nodes during the whole treatment but with an optimal security level is higher as sensor nodes belong to two orthogonal security domains, namely ICU's keying material and CCU' keying material.
A cardiac patient in a hospital wears a wireless sensor node that continuously monitors his ECG. He has to go to the hospital's gym every day for exercising. During this period of time, patient Λ is monitored both at the cardiology department and gym. The OKPS allows this at a high security level, as cardiology and gym are in parallel supported as secure domains. Hence, the secure connection is not only based on the hospital level, but also in the operational zone of the sensor. This fact augments the resiliency of the system.
Additionally, the secure connection fosters transparent security roaming from one security domain to another. We can imagine that a medical network, such as a hospital medical network, is divided into several sub-wireless sensor network domains, or several ZigBee networks. Each ZigBee network controls its own security, but devices could keep keying material sets belonging to the different networks where a patient is to be treated. In this manner, when a patient moves from a zone A, with ZigBee network A, to other zone B, with ZigBee network B, the patient's sensor nodes already carry keying material linked to both zones, security domains, networks, or ZigBee networks, enabling transparent security roaming.
Protection of patient's privacy is of paramount importance for pervasive patient monitoring. For instance, if medical devices are identified by means of a unique identifier patients could be tracked. The multi-dimensional OKPS' identifier helps preventing this problem by slightly modifying the operation mode of OKPS,
In the normal operation mode, a sensor would disclose all its identifiers. In the case of Table 1 a node would disclose: Table 2
Figure imgf000013_0001
In this additional privacy aware operation mode, a wireless sensor does not disclose all the identifiers, but only some of them. For instance:
Table 3
Figure imgf000013_0002
Based on this information, a sensor node can still be identified but not completely, protecting in this manner patient's privacy. This represents a huge advantage when compared with other identification systems that require the disclosure of a single identifier linked to for instance the public key of the corresponding entity. Therefore, this system allows implementing privacy aware techniques in low-resource constrained devices.
Sensor nodes are identified by means of several orthogonal classifications. This enables a more precise authenticated identification, when required, of the ownership, location, illness, etc, of the patients. This can be very useful to detect for example medical errors during a patient transfer, as sensor nodes can identify the operation zone of the nodes. For instance, if a patient carries several sensor nodes with multi-dimensional identifiers, granted physicians can check whether that patient is located in the operation area, department, etc he should, In this manner, possible errors during patient transfer can be detected.
OKPS enables distributed access control features by making use of the orthogonal identification features of devices. For instance, the system could be configured in a way that only hospital devices fulfilling several features have access to patient's health information.
For instance, let us assume that patient's ECG sensor are preconfigured to enable patient monitoring of only bedside monitors that belong to the hospital in which a patient is treated or are in the same city and are linked to the cardiology specialty. In this case, patient's ECG sensor will only disclose patient's ECG vital signs to nodes that successfully authenticate as belonging to the same hospital, or to other hospital of the same city with the cardiology specialty.
In general, a minimum number of features can be required to perform specific actions. Hence, medical device or entity (e.g. a sensor node) could store a list with the features that arc required to carry out those actions. Before an action is granted, the medical device requests the identification and authentication of a specific sub-set of features that is required to authorize the activity. If the other party can prove its identity, the action is granted, i.e., authorized. Otherwise, the action is rejected. This feature is useful particularly for new wireless sensor network standards such as ZigBee as access control is a compulsory requirement in new applications, and current centralized access control solutions have a limited scope and are not flexible enough. In view of this disclosure it is noted that the various methods, apparatuses and systems described herein can be implemented in a variety of applications with variant devices, modalities, software and hardware. Moreover, applications other than patient monitoring may benefit from the present teachings. Further, the various devices, modalities, software and hardware and parameters are included by way of example only and not in any limiting sense. In view of this disclosure, those skilled in the art can implement the present teachings in determining their own applications and needed devices, software, hardware and other equipment to implement these applications, while remaining within the scope of the appended claims.

Claims

1. A method of security management in a wireless network, the method comprising: identifying a plurality of orthogonal classifications of medical devices; generating identifiers for each security domain within each of the orthogonal classifications; generating keying material for each identifier; exchanging identifiers to establish a key agreement, or an access control, or privacy protection or a combination thereof, at the deepest common security domain within an orthogonal classification.
2. A method as claimed in claim I5 where the network is a medical network and the devices are medical devices.
3. A method as claimed in claim 1 , wherein the orthogonal classifications comprise: ownership, location, medical specialty and operational zone.
4. A method as claimed in claim 1 , wherein the keying material further comprises subsets of keying material, independent or dependent of each other, such as HDPKPS keying material, DPKPS keying material, or in general, any other kind of keying material that allows identifying a specific feature/identifier of a device or entity.
5. A method as claimed in claim 2, wherein at least one of the wireless medical devices is a wireless medical sensor.
6. A method as claimed in claim 6, wherein the wireless medical devices include: physiological condition monitors, controllable medication dosing devices and personal digital assistants (PDAs).
7. A security system for a wireless network, comprising: a wireless device; and a medium access controller (MAC) operative to: identify a plurality of orthogonal classifications of the wireless devices and to assign at least one of the orthogonal classifications to each wireless device and to generate identifiers for each security domain within each of the orthogonal classifications and to assign the identifiers to each wireless sensor and each wireless node, wherein the wireless devices exchange the identifiers to establish a key agreement, or an access control, or privacy protection or a combination thereof.
8. A security system as claimed in claim 7, wherein the MAC layer further comprises: a key generator operative to generate the keying material for each wireless device and to the keying material to the wireless device, wherein keying material is linked to the identifiers that identify a node.
9. A security system as claimed in claim 7, wherein the wireless device is a medical sensor.
10. A security system as claimed in claim 9, wherein the medical sensor and another wireless device are adapted to exchange respective identifiers to agree on a common keying material,
1 1. A system as claimed in claim 9, wherein further comprising a wireless node that comprises a medical monitoring device.
12. A system as claimed in claim 9, wherein the orthogonal classifications comprise: ownership, location, medical specialty and operational zone.
13. A system as claimed in claim 9, wherein the ownership comprises one or more of the following hierarchical security domains: an enterprise; a medical facility; a department within the medical facility.
14. A system as claimed in claim 7, wherein the keying material further comprises several sets of Hierarchical Deterministic Pairwise Key Prc-distribution Scheme (HDPKPS) keying material, DPKPS keying material, or in genera! other type of keying material that can allow identifying and authenticating the different orthogonal features of a device,
15. A system as claimed in claim 14, wherein the keying material of each security domain is independent of the keying material of another security domain, so that the different features can be identified and authenticated individually.
16. A wireless device operative to communicate with other wireless devices in a network, comprising: an orthogonal classification; an identifier for each security domain within each orthogonal classification; and a keying material for each identifier wherein each wireless device is adapted to exchange one or more of respective identifiers to establish a key agreement, or an access control, or privacy protection or a combination thereof
17. A wireless device as claimed in claim 16, wherein the wireless devices are medical devices including: physiological condition monitors, controllable medication dosing devices and personal digital assistants (PDAs).
18. A wireless device as claimed in claim 16, wherein the orthogonal classifications comprise: ownership, location, medical specialty and operational zone.
19. A wireless device as claimed in claim 16, wherein the keying material further comprises Hierarchical Deterministic Pairwisc Key Pre-distribution Scheme (HDPKPS) keying material, or a DPKPS keying material.
20. A wireless device as claimed in claim 16, where the wireless device is arid device.
21. A wireless device as claimed in claim 16, wherein the device is adapted to migrate or roam to among different orthogonal security domains.
PCT/IB2008/052642 2007-07-03 2008-07-01 Multidimensional identification, authentication, authorization and key distribution system for patient monitoring WO2009004578A2 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
US12/666,848 US8356180B2 (en) 2007-07-03 2008-07-01 Multidimensional identification, authentication, authorization and key distribution system for patient monitoring
EP08763432.5A EP2174459B1 (en) 2007-07-03 2008-07-01 Multidimensional identification, authentication, authorization and key distribution system for patient monitoring
RU2010103512/08A RU2491746C2 (en) 2007-07-03 2008-07-01 Multidimensional identification, authentication, authorisation and key distribution system for patient monitoring
JP2010514229A JP2010534003A (en) 2007-07-03 2008-07-01 Multidimensional identification, authentication, authorization and key distribution system for patient monitoring
CN200880022900.9A CN101690102B (en) 2007-07-03 2008-07-01 Multidimensional identification, authentication, authorization and key distribution system for patient monitoring

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US94778907P 2007-07-03 2007-07-03
US60/947,789 2007-07-03
US99190107P 2007-12-03 2007-12-03
US60/991,901 2007-12-03

Publications (2)

Publication Number Publication Date
WO2009004578A2 true WO2009004578A2 (en) 2009-01-08
WO2009004578A3 WO2009004578A3 (en) 2009-07-09

Family

ID=40226608

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2008/052642 WO2009004578A2 (en) 2007-07-03 2008-07-01 Multidimensional identification, authentication, authorization and key distribution system for patient monitoring

Country Status (6)

Country Link
US (1) US8356180B2 (en)
EP (1) EP2174459B1 (en)
JP (1) JP2010534003A (en)
CN (1) CN101690102B (en)
RU (1) RU2491746C2 (en)
WO (1) WO2009004578A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013090791A1 (en) 2011-12-15 2013-06-20 Becton, Dickinson And Company Near field telemetry link for passing a shared secret to establish a secure radio frequency communication link in a physiological condition monitoring system
JP2018061823A (en) * 2016-10-13 2018-04-19 ヴァレックス イメージング コーポレイション Authentication for X-ray imaging components

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011045714A2 (en) * 2009-10-14 2011-04-21 Koninklijke Philips Electronics N.V. A method for operating a node in a wireless sensor network
US9215075B1 (en) 2013-03-15 2015-12-15 Poltorak Technologies Llc System and method for secure relayed communications from an implantable medical device
EP2782041B1 (en) * 2013-03-22 2018-11-14 F. Hoffmann-La Roche AG Analysis system ensuring that sensitive data are not accessible
US9293029B2 (en) * 2014-05-22 2016-03-22 West Corporation System and method for monitoring, detecting and reporting emergency conditions using sensors belonging to multiple organizations
GB2549735B (en) * 2016-04-26 2020-07-29 Checkit Ltd Network access control
US10903997B2 (en) 2017-10-19 2021-01-26 Autnhive Corporation Generating keys using controlled corruption in computer networks
KR20200107931A (en) 2017-10-19 2020-09-16 오튼하이브 코퍼레이션 System and method for key generation and storage for multi-point authentication
US11626010B2 (en) * 2019-02-28 2023-04-11 Nortek Security & Control Llc Dynamic partition of a security system
US11863348B2 (en) * 2021-07-06 2024-01-02 Cisco Technology, Inc. Message handling between domains

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006131849A2 (en) 2005-06-08 2006-12-14 Koninklijke Philips Electronics N.V. Deterministic key for pre-distribution for mobile body sensor networks

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5202921A (en) * 1991-04-01 1993-04-13 International Business Machines Corporation Method and apparatus for authenticating users of a communication system to each other
US20040059205A1 (en) * 2002-09-20 2004-03-25 Sven-Erik Carlson Configuration for monitoring the state of health of a person
US7571321B2 (en) * 2003-03-14 2009-08-04 Voltage Security, Inc. Identity-based-encryption messaging system
US8058986B2 (en) 2004-11-12 2011-11-15 Koninklijke Philips Electronics N.V. Method for automatic association devices to a patient and concurrent creation of a patient record
ATE545361T1 (en) * 2004-12-13 2012-03-15 Koninkl Philips Electronics Nv MOBILE MONITORING
RU59389U1 (en) * 2006-06-15 2006-12-27 ООО "Лаборатория РАМЕДИС" COMPLEX FOR MONITORING THE STATE OF THE ORGANISM
WO2007149848A2 (en) * 2006-06-22 2007-12-27 Koninklijke Philips Electronics, N.V. Advanced access control for medical ad hoc body sensor networks
US8189791B2 (en) * 2006-06-22 2012-05-29 Koninklijke Philips Electronics N.V. Hierarchical deterministic pairwise key predistribution scheme

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006131849A2 (en) 2005-06-08 2006-12-14 Koninklijke Philips Electronics N.V. Deterministic key for pre-distribution for mobile body sensor networks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SANCHEZ D.S. ET AL.: "A Deterministic Pairwise Key Pre-distribution Scheme for Mobile Sensor Networks", PROCEEDINGS OF THE FIRST INTERNATIONAL CONFERENCE ON SECURITY AND PRIVACY FOR EMERGING AREAS IN COMMUNICATIONS NETWORKS, 5 September 2005 (2005-09-05), pages 277 - 288, XP010902898, DOI: doi:10.1109/SECURECOMM.2005.2

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013090791A1 (en) 2011-12-15 2013-06-20 Becton, Dickinson And Company Near field telemetry link for passing a shared secret to establish a secure radio frequency communication link in a physiological condition monitoring system
EP2791782A4 (en) * 2011-12-15 2015-10-21 Becton Dickinson Co Near field telemetry link for passing a shared secret to establish a secure radio frequency communication link in a physiological condition monitoring system
US10039496B2 (en) 2011-12-15 2018-08-07 Becton, Dickinson And Company Near field telemetry link for passing a shared secret to establish a secure radio frequency communication link in a physiological condition monitoring system
US10327706B2 (en) 2011-12-15 2019-06-25 Becton, Dickinson And Company Near field telemetry link for passing a shared secret to establish a secure radio frequency communication link in a physiological condition management system
JP2018061823A (en) * 2016-10-13 2018-04-19 ヴァレックス イメージング コーポレイション Authentication for X-ray imaging components

Also Published As

Publication number Publication date
US8356180B2 (en) 2013-01-15
RU2491746C2 (en) 2013-08-27
US20100241862A1 (en) 2010-09-23
EP2174459B1 (en) 2018-04-11
EP2174459A2 (en) 2010-04-14
WO2009004578A3 (en) 2009-07-09
CN101690102A (en) 2010-03-31
RU2010103512A (en) 2011-08-10
CN101690102B (en) 2014-08-20
JP2010534003A (en) 2010-10-28

Similar Documents

Publication Publication Date Title
US8356180B2 (en) Multidimensional identification, authentication, authorization and key distribution system for patient monitoring
EP2291977B1 (en) Personal security manager for ubiquitous patient monitoring
Li et al. Data security and privacy in wireless body area networks
Jabeen et al. A survey on healthcare data security in wireless body area networks
Ramli et al. Surveying the wireless body area network in the realm of wireless communication
Iqbal et al. Efficient and secure attribute-based heterogeneous online/offline signcryption for body sensor networks based on blockchain
Gonçalves et al. Security architecture for mobile e-health applications in medication control
EP2036299A2 (en) Advanced access control for medical ad hoc body sensor networks
Bahache et al. Authentication schemes for healthcare applications using wireless medical sensor networks: A survey
Ali et al. Verifiable online/offline multi-keyword search for cloud-assisted industrial internet of things
Annane et al. Blockchain based context-aware CP-ABE schema for Internet of Medical Things security
Pal Internet of Things and Access Control: Sensing, Monitoring and Controlling Access in IoT-Enabled Healthcare Systems
Sethia et al. CP-ABE for selective access with scalable revocation: A case study for mobile-based healthfolder.
Liu et al. Secure PHR access control scheme for healthcare application clouds
Chakraborty et al. FC-SEEDA: Fog computing-based secure and energy efficient data aggregation scheme for Internet of healthcare Things
Awotunde et al. A secured smart healthcare monitoring systems using blockchain technology
Huang et al. Sharing medical data using a blockchain‐based secure EHR system for New Zealand
Gaikwad et al. A Review: Security and Privacy for Health Care Application in Wireless Body Area Networks
Badri et al. BIoMT: A Blockchain-Enabled Healthcare Architecture for Information Security in the Internet of Medical Things
Ahamed et al. An enhanced context-aware capability-based access control model for the internet of things in healthcare
Al-Muhtadi et al. Access control using threshold cryptography for ubiquitous computing environments
Huang et al. A privacy-preserving data sharing solution for mobile healthcare
Alami et al. A study of security requirements in wireless sensor networks for smart home healthcare systems
Sumathi et al. Internet of thing based confidential healthcare data storage, access control and monitoring using blockchain technique
Bhardwaj et al. Review and analysis of security model in healthcare system

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200880022900.9

Country of ref document: CN

WWE Wipo information: entry into national phase

Ref document number: 2008763432

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2010514229

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 534/CHENP/2010

Country of ref document: IN

WWE Wipo information: entry into national phase

Ref document number: 2010103512

Country of ref document: RU

WWE Wipo information: entry into national phase

Ref document number: 12666848

Country of ref document: US