Abstract
Mobile phones are increasingly used in the e-health domain. In this context, enabling secure access to health records from mobile devices is of particular importance because of the high security and privacy requirements for sensitive medical data. Standard operating systems and software, as they are deployed on current smartphones, cannot protect sensitive data appropriately, even though modern mobile hardware platforms often provide dedicated security features. Current mobile phones are prone to attacks by malicious software, which might gain unauthorized access to sensitive medical data.
In this paper, we present a security architecture for the protection of electronic health records and authentication credentials that are used to access e-health services. Our architecture is derived from a generic solution and tailored specifically to current mobile platforms with hardware security extensions. Authentication data are protected by a trusted wallet (TruWallet), which leverages trusted hardware features of the phone and isolated application environments provided by a secure operating system. A separate application environment is used to provide runtime protection of medical data. Furthermore, we present a prototype implementation of TruWallet on the Nokia N900 mobile phone. In contrast to commodity systems, our architecture enables healthcare professionals to securely access medical data on their mobile devices without the risk of disclosing sensitive information.
An earlier version of this paper has been published in [11].
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Aggarwal, M., Vennon, T.: Study of BlackBerry proof-of-concept malicious applications. Technical Report White paper, SMobile Global Threat Center (January 2010)
Agreiter, B., Alam, M., Hafner, M., Seifert, J.P., Zhang, X.: Model driven configuration of secure operating systems for mobile applications in healthcare. In: Proceedings of the 1st International Workshop on Mode-Based Trustworthy Health Information Systems (2007)
Akinyele, J.A., Lehmann, C.U., Green, M.D., Pagano, M.W., Peterson, Z.N.J., Rubin, A.D.: Self-protecting electronic medical records using attribute-based encryption. Cryptology ePrint Archive, Report 2010/565 (2010), http://eprint.iacr.org/2010/565
Alves, T., Felton, D.: TrustZone: Integrated hardware and software security. Technical report, ARM (July 2004)
Anderson, J.P.: Computer security technology planning study. Technical Report ESD-TR-73-51, AFSC, Hanscom AFB, Bedford, MA, AD-758 206, ESD/AFSC (October 1972)
Android Open Source Project. Project website (2010), http://www.android.com
Apple Inc. iOS website (2010), http://www.apple.com/iphone/ios4
Azema, J., Fayad, G.: M-ShieldTMmobile security technology: making wireless secure. Texas Instruments White Paper (February 2008), http://focus.ti.com/pdfs/wtbu/ti_mshield_whitepaper.pdf
Benelli, G., Pozzebon, A.: Near Field Communication and Health: Turning a Mobile Phone into an Interactive Multipurpose Assistant in Healthcare Scenarios. In: Fred, A., Filipe, J., Gamboa, H. (eds.) BIOSTEC 2009. CCIS, vol. 52, pp. 356–368. Springer, Heidelberg (2010)
Brygier, J., Fuchsen, R., Blasum, H.: PikeOS: Safe and secure virtualization in a separation microkernel. Technical report, Sysgo (September 2009)
Dmitrienko, A., Hadzic, Z., Löhr, H., Sadeghi, A.-R., Winandy, M.: A security architecture for accessing health records on mobile phones. In: Proceedings of the 4th International Conference on Health Informatics (HEALTHINF 2011), pp. 87–96. SciTePress (2011)
EMSCB Project Consortium. The European Multilaterally Secure Computing Base (EMSCB) project (2005-2008), http://www.emscb.org
Fraim, L.: SCOMP: A solution to the multilevel security problem. IEEE Computer, 26–34 (July 1983)
Gajek, S., Löhr, H., Sadeghi, A.-R., Winandy, M.: TruWallet: Trustworthy and migratable wallet-based web authentication. In: The 2009 ACM Workshop on Scalable Trusted Computing (STC 2009), pp. 19–28. ACM (2009)
Gardner, R.W., Garera, S., Pagano, M.W., Green, M., Rubin, A.D.: Securing medical records on smart phones. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Medical and Home-Care Systems, SPIMACS 2009, pp. 31–40. ACM (2009)
Google Android. Security and permissions (2010), http://developer.android.com/intl/de/guide/topics/security/security.html
Han, D., Park, S., Lee, M.: THE-MUSS: Mobile U-Health Service System. In: Fred, A., Filipe, J., Gamboa, H. (eds.) BIOSTEC 2008. CCIS, vol. 25, pp. 377–389. Springer, Heidelberg (2008)
Hildon Application Framework. Project website (2010), http://live.gnome.org/Hildon
Iozzo, V., Weinmann, R.-P.: Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN (March 2010), http://blog.zynamics.com/2010/03/24/ralf-philipp-weinmann-vincenzo-iozzo-own-the-iphone-at-pwn2own/
Karger, P.A., Zurko, M.E., Bonin, D.W., Mason, A.H., Kahn, C.E.: A VMM security kernel for the VAX architecture. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, pp. 2–19. IEEE Computer Society, Technical Committee on Security and Privacy (May 1990)
Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: Formal verification of an OS kernel. In: Proceedings of the 22nd ACM Symposium on Operating Systems Principles, Big Sky, MT, USA. ACM Press (October 2009)
Kostiainen, K., Dmitrienko, A., Ekberg, J.-E., Sadeghi, A.-R., Asokan, N.: Key Attestation from Trusted Execution Environments. In: Acquisti, A., Smith, S.W., Sadeghi, A.-R. (eds.) TRUST 2010. LNCS, vol. 6101, pp. 30–46. Springer, Heidelberg (2010)
Kostiainen, K., Ekberg, J.-E., Asokan, N., Rantala, A.: On-board credentials with open provisioning. In: ASIACCS 2009: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pp. 104–115. ACM (2009)
Liedtke, J.: On microkernel construction. In: Proceedings of the 15th ACM Symposium on Operating Systems Principles (SOSP 1995), Copper Mountain Resort, Colorado (December 1995); Appeared as ACM Operating Systems Review 29.5
Loscocco, P., Smalley, S.: Integrating flexible support for security policies into the Linux operating system. In: Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, pp. 29–42. USENIX Association (2001)
Lua. Project website (2010), http://www.lua.org
Maemo. Project website (2010), http://maemo.org
Microsoft. Windows mobile website (2010), http://www.microsoft.com/windowsmobile
Open Kernel Labs. OKL4 project website (2010), http://okl4.org
Paros. Project website (2010), http://www.parosproxy.org
Picciotto, J., Epstein, J.: Trusting X: Issues in building Trusted X window systems –or– what’s not trusted about X? In: 14th National Computer Security Conference (1991)
Selhorst, M., Stüble, C., Feldmann, F., Gnaida, U.: Towards a Trusted Mobile Desktop. In: Acquisti, A., Smith, S.W., Sadeghi, A.-R. (eds.) TRUST 2010. LNCS, vol. 6101, pp. 78–94. Springer, Heidelberg (2010)
Shapiro, J.S., Smith, J.M., Farber, D.J.: EROS: a fast capability system. In: Proceedings of the 17th ACM Symposium on Operating Systems Principles (SOSP 1999), Kiawah Island Resort, near Charleston, Sout Carolina, pp. 170–185 (December 1999); Appeared as ACM Operating Systems Review 33.5
Sunyaev, A., Leimeister, J.M., Krcmar, H.: Open security issues in german healthcare telematics. In: Proceedings of the 3rd International Conference on Health Informatics, HEALTHINF 2010, pp. 187–194. INSTICC (2010)
Symbian Foundation Community. Project website (2010), http://www.symbian.org
The OpenTC Project Consortium. The Open Trusted Computing (OpenTC) project (2005-2009), http://www.opentc.net
Felton, D., Alves, T.: TrustZone: Integrated Hardware and Software Security (July 2004), http://www.arm.com/pdfs/TZ%20Whitepaper.pdf
Trusted Computing Group. TPM Main Specification, Version 1.2 rev. 103 (July 2007), http://www.trustedcomputinggroup.org
Vennon, T.: Android malware. A study of known and potential malware threats. Technical Report White paper, SMobile Global Threat Center (February 2010)
Vouyioukas, D., Kambourakis, G., Maglogiannis, I., Rouskas, A., Kolias, C., Gritzalis, S.: Enabling the provision of secure web based m-health services utilizing xml based security models. Security and Communication Networks 1(5), 375–388 (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Dmitrienko, A., Hadzic, Z., Löhr, H., Sadeghi, AR., Winandy, M. (2013). Securing the Access to Electronic Health Records on Mobile Phones. In: Fred, A., Filipe, J., Gamboa, H. (eds) Biomedical Engineering Systems and Technologies. BIOSTEC 2011. Communications in Computer and Information Science, vol 273. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29752-6_27
Download citation
DOI: https://doi.org/10.1007/978-3-642-29752-6_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29751-9
Online ISBN: 978-3-642-29752-6
eBook Packages: Computer ScienceComputer Science (R0)