We have chosen to use wireless motes (such as the Crossbow MICA [22] and the Moteiv Tmote Sky [23]) as the sensor nodes in our design for several reasons. First, the motes are much smaller and lighter than other types of portable embedded devices (e.g., PDAs), making them easier to carry. Second, our specific application typically does not require complex data processing and has a low data transfer rate (e.g., 4 packets/second or less). As such, we need a device with a reasonable amount of computing power and data transmission capability, while maintaining extremely low energy consumption during sleep in order to support long-term monitoring. The Tmote Sky motes seem to have these characteristics, making them well suited for our goals. Using motes also allows for ease of prototype development, as the motes include an onboard CPU and enjoy the support of an active research community with a wealth of open-source software and tools. We note that it is certainly possible that motes with higher power CPUs could work (or even outperform the Tmote Sky) in our application, a point we plan to investigate in the future.

Unfortunately, the resource constraints in wireless motes make it challenging to meet the abovementioned security requirements. Motes have much lower processor speed, memory, link bandwidth, and energy supply than mobile PCs or PDAs, so our security mechanisms must be very resource-efficient. The MICA motes, for example, use an 8-bit, 8 MHz processor, and the comparable Tmote Sky platform employs a 16-bit, 8 MHz processor. Conventional security mechanisms incur high costs; some RSA operations can take over 80 seconds to run on a low-power 8-bit CPU [17]. In addition, the radio bandwidths of recent IEEE 802.15.4-compliant motes are limited to 250 kbps.

Security mechanisms developed for other sensor networks or in general may not be applicable to medical sensor networks due to their unique characteristics, as we explain below.

Communication Pattern sensor nodes on different patients do not communicate with one another. Instead, they communicate with one or more base stations close to the healthcare provider. Therefore, we need to protect the communication between the sensor nodes and base stations. However, most existing research focuses more on enabling secure communication among sensor nodes. Often, a simple symmetric-key mechanism is used between the sensor nodes and base stations, e.g., pre-configuring a shared secret in each sensor node and the base station. These mechanisms do not offer enough protection against physical compromise of sensor nodes.

Threat Model physical compromise of sensor nodes is a greater threat in medical sensor networks due to two factors: (1) mobility: while most other sensor networks have stationary sensors, medical sensors move with the patients and may get lost without even being noticed; (2) accessibility: it is relatively easy for attackers to find targets, i.e., patients in local healthcare facilities, as opposed to in remote locations such as forests or battlefields. Note that physically compromising the base stations is harder because they can be protected in secure locations. Once a sensor node is compromised, the attacker can capture any sensitive information remaining in the mote, including personal medical data and secret key material. The attacker can then use the key material to decrypt any previously recorded communication. Furthermore, the attacker can inject false data using the node. Therefore, we need to limit the amount of private information disclosed after the physical compromise as well as the damage that the attacker can cause through impersonating the patient. This has several implications for our design: (1) secret keys should be periodically updated; (2) when a node is turned off, no security material (such as a shared secret or a static public/private key) should have to be stored permanently in the node’s non-volatile memory (a pre-configured shared secret obviously does not satisfy this requirement); and (3) authentication must rely on something that the attacker cannot easily capture or forge.

We have made two explicit architectural decisions that differentiate our design from previously proposed architectures such as CodeBlue [4]. These choices make it easier to secure the overall system, without unduly sacrificing the system’s functionality or performance.

First, the motes communicate only with the base stations, not with individual medical professionals’ computers. This is because in a large healthcare facility, it would be difficult for the motes to directly authenticate hundreds of individual users (physicians, nurses, etc.). The motes simply do not have the memory resources to maintain all this access control information. Instead, our design authenticates the users at the base stations and has the base stations issue queries to the motes on behalf of the users. Motes are configured with the base stations’ addresses and public keys for authentication.

Second, motes do not have their own permanent public/private key pairs, because such a key pair would have to be kept in non-volatile memory to prevent it from being lost when a mote is turned off. Since individual motes are relatively easy to physically compromise, an attacker who captures a mote would be able to decrypt all previously recorded data sent by the mote. Moreover, if the mote’s public/private key pair is used for authentication, the attacker would be able to impersonate the patient after capturing the mote.

Our security mechanisms are summarized in Figure 2. First, we propose a two-tier authentication scheme based on patient biometric and physiological data, in order to handle spoofing or physical compromise of motes. We assume that each mote is connected to a small fingerprint scanner or a comparable biometric identification device. The base station first verifies the patient’s identity via a biometric signature, then checks incoming data against the patient’s profile for consistency. Our authentication scheme is resilient against spoofing and physical compromise of motes, because it is difficult for an attacker to both forge a valid patient’s biometric signature and generate physiological data that is consistent with the patient’s own data.

Second, queries and data are encrypted and integrity protected using dynamically generated symmetric keys, in order to defend against attacks that compromise the privacy and integrity of patient data. As mentioned earlier, motes are very resource-constrained, so it is more efficient to use pairwise symmetric keys shared between the base station and motes for data protection.

Third, we propose an elliptic curve cryptography (ECC) based key agreement protocol to allow base stations and motes to securely derive symmetric keys without any prior shared secrets. In order to handle spoofing of base stations, motes are pre-configured with base stations’ public keys so that they can establish symmetric keys only with valid base stations. If there are many base stations in the facility, we can use the group public-key scheme proposed in [24]. This scheme allows each base station to have its own private key, while allowing the motes to use a single public key for the entire base station group. In the next three sections, we present the specific design, implementation, and evaluation of each mechanism.

At the first tier, each mote is integrated with a small biometric scanner to capture a unique signature for the patient. The biometric signature must be validated by a base station before communication between the base station and mote can occur. We assume that the base stations have access to a list of valid patient biometric signatures (this could be obtained from each patient upon admission to the facility), and also that the space of possible signatures is sufficiently large that a brute-force attack is infeasible. There are several off-the-shelf miniature fingerprint readers and finger vein readers that could serve as the biometric scanner. One example is the MBF200 solid-state fingerprint sensor from Fujitsu [25] (also shown in Figure 2). It is small (24 mm × 24 mm × 1.4 mm), low in power consumption (20 mA active, < 200 μA sleep, 20 μA standby), and inexpensive (about $30 per unit in bulk quantities). Moreover, it can capture a fingerprint in less than one second. The fingerprint sensor simply captures an image (which would be inefficient to transmit directly), but off-the-shelf hardware (e.g., [26]) exists that integrates the Fujitsu sensor with a small processing board to allow feature extraction from the raw image.

The first tier alone is insufficient for ensuring data authenticity because an attacker can capture a patient’s mote after the patient has been accepted into the system. Therefore, we add a second-tier authentication system to assert the identity of a patient based solely on the sensor data being collected from that patient. More specifically, each patient will wear the sensors for a short period of time for the base station to “learn” the patient’s profile. From then on, whenever the patient’s data deviates substantially from that profile, the base station will raise an alarm. The alarm could be caused by forged data or by a medical emergency. In either case, it is important that the patient be checked on, so issuing the alarm is warranted. This approach does not require any extra bandwidth (the data being used is sent anyway) and is completely passive from the viewpoint of the patient.

Our second-tier authentication mechanism requires statistical or machine learning techniques to recognize medical data as being from a particular patient. We have investigated a neural network approach for implementing this mechanism. Each patient is associated with a neural network, which is first trained on data from that patient and some reference patients. The neural network then monitors incoming data for consistency with the training data. Both the initial training and the detection mechanism are run on the base station, in order to minimize computation on the mote. Once trained, the neural network can quickly process incoming data.

We use a feed-forward neural network (Figure 3) that consists of a number of inputs, hidden cells, and outputs, along with a set of connection weights that determine how the output is computed from the input. Our current implementation uses patient electrocardiogram (ECG) signals to train the neural network, due to the high amount of identifying features that this data offers. The input to the neural network is one heartbeat of ECG data; the output is 0 or 1 (NO or YES) depending on whether the neural network believes this data is consistent with the training data.

One issue with this approach is that raw ECG data for a single heartbeat can contain hundreds of individual samples. Using this data in its entirety is impractically complex. To address this problem we opted to extract a set of representative features from the raw ECG data to use as neural network inputs. A typical ECG signal for a single heartbeat is shown in Figure 4; it consists of a small P wave, followed by a large QRS complex, followed by a small T wave. We extract eight features per heartbeat: the lengths of the (1) PR interval, (2) PR segment, (3) QRS complex, (4) ST segment, and (5) QT interval; and the peak amplitudes of the (6) P wave, (7) QRS complex, and (8) T wave.

As we do not yet have access to real ECG sensors, we used publicly available data from the long-term ST ECG database at MIT’s PhysioWeb [27] for developing our neural networks. Each patient’s ECG data covers a period of 21–24 hours. We set aside some of these patients as a “reference set.” For each of the remaining patients, a training data set was constructed consisting of the first 2000 heartbeats from that particular patient’s record (associated with a neural network output of 1) and the first 2000 heartbeats from each of the patients in the reference set (associated with a neural network output of 0).

We performed some experimentation with different neural network setups by varying the number of reference patients used in training as well as the features extracted from each beat of ECG data. The results in Table 1 suggest that increasing the number of reference patients potentially has the greatest returns on performance. For subsequent experiments, we chose the setup with the best overall performance for the training of each patient’s neural network, i.e., 9 reference patients and a four-layer feed-forward neural network model with 8 input cells, 2 layers of 15 hidden cells, 1 output cell, and a log sigmoid activation function on the hidden layers.

Table 2 shows how well the trained neural networks could classify the training data from 10 patients (patients are labeled P₁, ...P₁₀, and reference patients are labeled R₁, ...R₉). The number corresponding to (P_i, self) indicates the percentage of training samples (heartbeats) from patient P_i that were correctly classified as from that patient. The number (P_i, R_j) indicates the percentage of training samples from reference patient R_j that were correctly classified as not being from patient P_i. For example, the fourth row of Table 2 indicates that (1) the trained network for patient P₄ was able to correctly classify 99.85% of the training inputs from P₄ as being from P₄ (the first value); and (2) it was able to classify 100% of the training inputs from reference patients R₁, R₂, R₄...R₉, and 99.93% of the training inputs from R₃, as not being from P₄. Overall, the neural networks learned the training data very well, with an average accuracy of 99.8%.

Next, we use each trained neural network to classify the validation data (i.e., 10,000 heartbeats not used in training) from each of the non-reference patients. As shown in Table 3, the neural networks give accurate results in most cases. For example, the fourth row shows that patient P₄’s neural network was able to correctly classify the validation data from patients P₁ through P₆ and P₈ through P₁₀ almost 100% of the time, but was less accurate with P₇. The average validation accuracy for the neural networks over all patients was 87.7%.

To see how well these results might generalize, we also expanded the neural network training to a larger set of data from the long-term ST database (26 patients P₁ ... P₂₆, with the same set of reference patients R₁ ... R₉). We found that the overall effectiveness of the neural networks on the larger set was comparable to the figures presented here, with an average accuracy of 99.7% on the training data and 91.5% on the validation data. Due to space constraints we do not include the detailed results.

It is important to note that perfect classification is not required at all in our scheme since our goal is to detect suspicious data. We just need to raise an alarm when a certain percentage of incoming data deviates from a patient’s profile. The above results suggest that the alarm threshold can be set to a relatively small number (e.g., 10–30%) with a low false positive and low false negative rate. In fact, with a threshold of 25%, we would have 0 false positives and only 1 false negative (P₁ could be considered P₉) in Table 3. One may further lower the threshold to reduce the false negative rate, with the possibility of increasing the false positive rate. As long as the false positive rate is relatively low, this may be a desirable trade-off: a false negative could have serious consequences, e.g., neglecting false data or missing an emergency situation, while a false positive simply leads to a re-examination of the patient.

We first present some background on ECC and then describe the design of our key agreement protocol and key update protocol.

Our development environment is TinyOS 2 [29] running on the Moteiv Tmote Sky platform, which features a 16-bit, 8 MHz Texas Instruments MSP430 processor with 48 KB of program ROM and 10 KB of RAM. Program code in this environment is written in nesC (networked embedded systems C), a dialect of C designed for use with TinyOS. (As of late 2007, Moteiv has changed its name to Sentilla and has discontinued production and support of its Tmote product line in favor of a new hardware platform designed for Java applications. However, the new platform is backwards-compatible with the Tmote Sky. Furthermore, Crossbow Technology still offers its TelosB mote for sale, which is functionally identical to the Tmote Sky. Both the TelosB and Tmote Sky remain popular in the research community.)

Our basic ECC operations are based on North Carolina State University’s TinyECC 1.0 distribution [16]. We implemented ECIES for secure key agreement, using the elliptic curve secp160r1 defined over a 160-bit prime field as recommended by [30]. We use 160-bit private keys, 320-bit public keys, and a 160-bit random number r in ECIES. We then implemented our key agreement protocol, using a 32-bit session number (SN), 48-bit patient fingerprint (F P), 128-bit master key (K_m), 128-bit transient and session keys (K^′_s, K^′_mac, K_s, K_mac), and 64-bit nonces (n₁, n₂). The resulting KeyGenStart, KeyGenAck, and KeyGenVerify messages are 56, 52 and 32 bytes long.

Due to its customizability and ease of implementation, we chose the RC5 block cipher in ciphertext stealing (CTS) mode for the symmetric encryption in ECIES, using the recommended parameters of 64-bit blocks, 128-bit keys, and 12 rounds. For the hash function we chose SHA-1 [31], which allowed us to save code space by using SHA-1 based algorithms for both the message authentication code function (for integrity checking) and key derivation function. We implemented HMAC-SHA-1 [32] and PBKDF1 [33], respectively.

Our compiled code on the Tmote uses 30 KB of ROM and 4.4 KB of RAM, which leaves reasonable space for other applications. We note that most of this memory requirement comes from TinyECC, which includes numerous optimizations to speed up the ECC operations. As indicated by Liu and Ning [16], these optimizations can be selectively disabled to reduce the code size at the cost of increased computation time.

We timed our protocol which ran on two motes and had a laptop PC (2.66 GHz Intel Pentium 4) as a base station. As illustrated in Figure 7, mote A acts as a sender, while mote B serves as the interface between the sender and the PC by receiving A’s wireless packets and forwarding them over a serial connection (emulated via a physical USB connection). Mote B essentially serves as a bridge between the sending mote and the PC, as the PC lacks a native way of wirelessly receiving data from a mote. Mote A took 7075 ms to generate and send KeyGenStart, and 123 ms to check KeyGenAck and send KeyGenVerify. The base station took 77 ms to check KeyGenStart and send KeyGenAck, and 13.3 ms to check KeyGenVerify. Virtually all of the time required to generate and send KeyGenStart is due to two ECC scalar point multiplications (computing the points rQ and rG, as described previously).

Although a CPU time investment of over 7 s may seem intensive, we note that the key agreement protocol only has to be run once to establish the initial symmetric keys, and once each time the keys expire. We explain in Section 8.5 that this periodic investment has minimal effect on the mote’s battery life.

To get an idea of the performance impact of performing symmetric encryption/MAC on every data packet, we conducted a simple experiment in which mote A (see Figure 7) sent 2000 packets over the air as rapidly as possible. We varied the packet size from 40 bytes to 100 bytes (near the upper limit of packet size for our platform) and measured the throughput of the system. As illustrated in Figure 8, using encryption and integrity checking does lower the throughput from 31–53 kbps to 8–14 kbps (depending on packet size). We also directly measured the time required to perform the MAC and encryption operations on a single 100-byte packet and we found that this consumes about 44 ms of CPU time. However, we feel that this is a reasonable price to pay for the added security. Moreover, the lower throughput is still sufficient for a practical deployment, as we explain later.

We then set up a more realistic network with multiple senders and one receiving mote, with a fixed sending rate of four 100-byte packets per second (both encryption and MAC are enabled). We chose this sending rate (400 bytes/s per patient) based on the following considerations. The ECG data in the long-term ST database was sampled at 250 Hz. Allotting 2 bytes for each sample, this results in 500 bytes per second of raw data. However, we found that 500 bytes of raw ECG data can be reduced to about 260 bytes using S-LZW [34], a compression scheme specifically designed for the resource constraints of wireless motes. Compression would thus allow ample space for ECG data as well as other types of patient data to be sent. Note that other patient data (e.g., body temperature) could be sampled at a much lower rate than the ECG data.

Figures 9 and 10 show the throughput and packet loss as measured at the receiving mote (mote B in Figure 7) and at the PC. Any difference between the two curves in each figure indicates that packets were dropped by the serial connection between the receiving mote and the PC. We found that a single receiving mote is able to reliably handle 10 senders, with a packet loss of under 1%. At 11 senders and above, the receiving radio is unable to keep up with the incoming packets.

For the stress test, we modified the senders to send 100-byte packets with MAC/encryption as quickly as possible, at about 17 packets per second. Note that in practice the senders are unlikely to send their sampled data at such a high rate, due to energy consumption concerns. We wanted to evaluate this scenario solely to see how the system would perform at its hardware limits. Figures 11 and 12 show the throughput and packet loss. These two figures demonstrate that a single receiving mote is able to reliably handle data from up to 4 senders sending at their maximum rate. Beyond this point, the receiving radio is unable to keep up with the incoming packets, resulting in significant packet loss. Additionally, when there are more than 4 senders, the serial connection between mote B and the PC also becomes a bottleneck, resulting in a higher loss rate observed at the PC than at the receiving mote. To address the radio packet loss issues, we attempted using the PacketLink reliable transmission layer in TinyOS. However, we found that this further lowered throughput as the high loss rate resulted in many retransmissions. Overall, we feel that the MAC layer being used in TinyOS can be improved to more gracefully handle high loads; we plan to further investigate this in the future.

The above results may seem to suggest that a single base station can support only a very small number of sending motes. However, the number of motes reliably handled by a base station can be improved significantly simply by attaching more than one receiving mote (mote B in Figure 7) to the PC. Each receiving mote is set to a different wireless channel and handles incoming packets only from motes sending on that channel. To demonstrate the feasibility of this approach, we repeated the above stress test with two and three receiving motes. As shown in Figure 13, we found that the base station’s ability to handle multiple sending motes scales very well with the number of receiving motes attached. The overall throughput increases linearly with additional receiving motes. With four senders per receiver, for instance, a single receiving mote allows a throughput of about 46.9 kbps; this increases to 93.0 kbps and 142.9 kbps for two and three receiving motes, respectively. We also observed that the packet loss remains low (on the order of 1%) with the additional receiving motes.

A complete energy profile for the sending mote must consider the processor, the radio, and the attached medical sensors. Of these components, the processor is used heavily during the initial ECC operations and in the encryption/MAC of outgoing packets. As discussed previously, the ECC key agreement consumes 7198 ms of CPU time on the mote, while performing encryption/MAC on a single 100-byte packet consumes 44 ms of time.

The radio and the sensors are used periodically to sample patient data and forward it to the base station. Based on the previous experiments, the time required for the radio to send a single a 100-byte packet is about 15 ms. In addition to the radio, the mote’s batteries would have to be used to power the attached biometric scanner and medical sensors. Because we have not yet integrated these sensors onto our motes, it is difficult for us to quantify their energy requirements. However, we note that the scanner is needed only once each time the key agreement protocol is run. Meanwhile, the medical sensors do not have to be continuously working; they might operate in a low-power sleep mode, being activated only when required to sample the patient’s data.

To get a rough estimate of energy consumption in a real-world deployment, we made the following assumptions: (1) the ECC key agreement protocol will be run once per 24 hours; and (2) the mote will send patient data at the rate of four 100-byte packets per second. The Tmote Sky draws 5.1 μA with the processor on standby and radio off, 1.8 mA with the processor alone on, and 19.5 mA with the processor on and the radio transmitting [23]. For the envisioned processor/radio usage, the mote’s AA batteries (using a conservatively low estimate of 500 mAh) would be sufficient for about 14 days of operation. The majority (78.5%) of the power requirement comes from the radio, with 21.2% from CPU use during encryption/MAC and less than 1% from CPU use during the ECC key setup and idling.