Secure and Efficient Biometric Data Streaming with IoT for Wearable Healthcare ^†

Abstract

The growing adoption of wearable devices creates a critical need for robust and secure Internet of Things solutions to manage biometric data streams. Current architectures often lack emphasis on seamless data capture, secure cloud storage and integrated dashboard visualization. This research addresses these gaps by investigating and evaluating an IoT framework leveraging lightweight communication and real-time visualization for improved healthcare monitoring. Drawing primarily on recent peer-reviewed journals and reputable conference proceedings, we evaluate an IoT architecture that securely integrates wearable biometric data into a cloud-based dashboard. The system utilizes encrypted advertising packets (e.g., AES-128-CCM) to broadcast biometric signals, eliminating the need for permanent device pairing and minimizing energy consumption. These packets are captured by our prototype ESP32-based (Espressif Systems, Shanghai, China) gateway node, decrypted and forwarded to a secure cloud environment that ensures persistent storage and accessibility. The cloud-based dashboard provides medical staff and end-users with real-time insights and long-term data tracking. Emphasis was placed on evaluating the system’s low latency performance, energy efficiency and data confidentiality. System evaluation demonstrates that encrypted advertising packets can securely transmit biometric signals, while drastically reducing energy consumption and latency. System evaluation demonstrates that encrypted BLE advertising serves as a superior alternative to traditional pairing-based methods for long-term medical monitoring. By implementing a dual-optimization strategy that balances data confidentiality with power efficiency, the proposed system achieved a 33-fold increase in operational autonomy compared with standard permanent BLE connections. These results represent a significant advancement in battery longevity for the IoMT ecosystem, providing a scalable solution for continuous, secure biometric signal transmission with minimal energy overhead.

1. Introduction

The rapid expansion of the Internet of Medical Things (IoMT) has revolutionized remote patient monitoring, enabling continuous health tracking outside of clinical settings [1]. However, the deployment of wearable healthcare devices necessitates advanced architectures that can successfully balance robust security with prolonged battery life [2]. As the demand for real-time biometric data streaming grows, efficient power management becomes a critical design constraint for battery-operated edge devices.

1.1. Problem Statement

Bluetooth Low Energy (BLE) has emerged as the de facto communication standard for short-range wearable devices due to its low power consumption and ubiquity. Despite its advantages, wearable healthcare BLE devices encounter substantial limitations in battery longevity, primarily due to persistent communication requirements [3]. Standard connection-oriented BLE protocols require the device to maintain a synchronized link with a central node, which drains energy even during idle periods. Furthermore, many existing implementations exhibit insufficient robustness in ensuring secure data transmission, leaving sensitive medical data vulnerable to eavesdropping and interception [4].

1.2. Proposed Solution

To address these challenges, our objective is to develop a secure, energy-efficient IoT framework that integrates specialized edge hardware with a modern, cloud-native visualization stack. Unlike traditional approaches that rely on power-hungry pairing mechanisms, this study focuses on utilizing encrypted BLE advertising packets for data transmission. By leveraging a connectionless broadcasting model, the system significantly reduces the radio duty cycle, while maintaining data confidentiality through encryption.

1.3. Contribution

This manuscript presents a comprehensive architecture that bridges the gap between low-power edge sensing and scalable cloud monitoring. We implement a system where a wearable node broadcasts encrypted biometric data to an edge gateway, which then securely forwards the payload to a containerized cloud environment for real-time visualization. This approach verifies that decoupling security from connection-oriented protocols provides a viable pathway for extending the operational lifespan of medical IoT devices without compromising data integrity.

The remainder of this paper is organized as follows: Section 2 details the hardware implementation and the cloud software stack. Section 3 presents the experimental results regarding power consumption and security performance. Section 4 discusses the implications of the findings and system limitations. Finally, Section 5 concludes the study and discusses future implications.

2. Methodology

Our approach integrates specialized low-power edge hardware with a scalable, containerized cloud infrastructure to ensure seamless and secure biometric data flow. The system architecture is divided into three distinct layers: the wearable device, the edge gateway, and the cloud backend, as illustrated in Figure 1.

2.1. Hardware Implementation

The hardware design focuses on minimizing power consumption while maintaining processing capability for encryption.

2.1.1. Wearable Device

The sensing node is developed using the Seeed Xiao ESP32-C6 (Seeed Studio, Shenzhen, China) System-on-Chip (SoC) [5]. This microcontroller unit (MCU) was selected for its compact form factor and RISC-V architecture, which supports efficient low-power modes.

• Sensor Integration: A MAX30100 sensor (Maxim Integrated, San Jose, CA, USA) [6] is interfaced with the MCU via the Inter-Integrated Circuit ($I^{2}C$) bus to acquire real-time heart rate (HR) and pulse oximetry (SpO2) data.
• Sensor Setup: The MAX30100 sensor utilizes red and infrared light-emitting diode (IR LED) drivers in order to drive LED pulses for SpO2 and HR measurements. The LED current can be programmed from 0 mA to 50 mA with the supply of 3.3 V. The LED pulse width can be programmed from 200 µs to 1.6 ms to balance accurate measurements and power consumption [6].
• Operation: To improve measurement accuracy, our IoMT node processes raw data locally before transmission. From an initial sample of 16 measurements taken at 26 ms, the device filters out the 8 most extreme values as outliers and transmits the calculated average of the remaining data points.

2.1.2. Edge Gateway

An ESP32-WROOM (Espressif Systems, Shanghai, China) node serves as the intermediary bridge between the local BLE network and the internet. The gateway allows the wearable device to remain offline (from the internet’s perspective), thereby conserving energy. Its primary functions include:

• Continuously scanning for specific advertising packets.
• Decrypting the received payloads.
• Forwarding the data via Wireless Fidelity (WiFi).

2.2. Secure Communication Protocols

The core innovation of this methodology lies in the transmission strategy.

2.2.1. Encrypted BLE Advertising

Instead of utilizing standard BLE pairing—which requires a persistent connection and handshake overhead—the Xiao ESP32-C6 broadcasts biometric data using encrypted BLE advertising packets. The system implements AES-128-CCM encryption to ensure data confidentiality during the broadcast phase, effectively mitigating eavesdropping risks [7].

Table 1. Our proposed advertising payload protocol.

Offset	Field	Size	Description
0–1	Company ID	2 bytes	16-bit vendor identifier
2–5	Counter (nonce part)	4 bytes	32-bit incremental counter
6–7	Ciphertext (HR, SpO2)	2 bytes	Encrypted values
8–15	Authentication Tag	8 bytes	CCM MAC Tag

outlines a 16-byte advertising payload structure used in BLE protocols. At offset 0–1 (2 bytes), the Company ID field holds a 16-bit vendor identifier for proprietary broadcasts. Offset 2–5 (4 bytes) contains the nonce part ensuring each message encrypted with the same key produces a different ciphertext. Offset 6–7 (2 bytes) contains the ciphertext, encrypted HR and SpO2 data. Finally, offset 8–15 (8 bytes) features a CCM authentication tag ensuring payload integrity via cryptographic verification.

2.2.2. Cloud Communication

Once the gateway decrypts the BLE packets, the data is re-encrypted for transport over the internet. The gateway transmits the payload to the cloud infrastructure using MQTT over TLS (MQTTS) protocol, ensuring end-to-end security from the edge to the backend.

2.3. Cloud and Software Stack

The backend infrastructure is hosted on an Azure Cloud VM running a Docker containerized environment. This architectural approach, utilizing a containerized IoT stack for biometric data, aligns with established methodologies in the IoT field, such as the one proposed by Katsoulis et al. [8], where a similar pipeline was deployed for real-time monitoring. This containerization ensures portability and scalability. The data pipeline consists of the following components:

1.

Mosquitto (MQTT Broker): Handles the incoming secure message streams from the edge gateway.

2.

Telegraf (MQTT Agent): Acts as the data collection agent, subscribing to the broker and formatting the metrics for storage.

3.

InfluxDB (Database): A high-performance time-series database used to store the streaming biometric data for real-time access and historical analysis.

4.

Grafana (Visualization): Connected to InfluxDB, this platform renders real-time dashboards accessible via HyperText Transfer Protocol Secure (HTTPS), displaying HR and SpO2 trends to the end-user.

3. Results

The experimental evaluation of the proposed architecture focuses on three key performance indicators: security integrity, system latency, and energy efficiency.

3.1. Security and Performance Analysis

The security integrity of the system was validated using a BLE packet sniffer [9] to capture the advertising payloads during transmission. The analysis confirmed that the payload appeared pseudo-random to any device lacking the decryption key, thereby validating the confidentiality provided by the AES-128-CCM algorithm against eavesdropping. Furthermore, the message integrity check (MIC), inherent to the CCM mode, successfully ensures that any packets injected with manipulated payloads are rejected by the gateway, effectively mitigating tampering and replay attacks.

Regarding performance and latency, the system was evaluated end-to-end within a one second transmission cycle. The total active processing time on the Seeed Xiao ESP32-C6 was measured at approximately 65 ms, ensuring a low duty cycle (≈6.5%) to conserve energy (935 ms idle or deep sleep time). Specifically, the active sampling phase (26 ms) implements a local pre-processing algorithm to improve measurement accuracy as mentioned in Section 2.1.1. Following data acquisition, the AES-128-CCM encryption and BLE advertising transmission are completed in just 10 ms, demonstrating that the security overhead is minimal compared with the sensor stabilization and sampling requirements. Additionally, the integration of the lightweight MQTTS protocol combined with efficient edge processing at the gateway level resulted in minimal delay, demonstrating the capability to transmit sensor data from the wearable node to the cloud infrastructure with latency levels suitable for live patient monitoring.

3.2. Energy Efficiency

A comparative analysis was conducted between the proposed encrypted advertising method and standard connection-oriented BLE pairing. The power consumption results are summarized as follows:

• Permanent BLE Connection: A connection-oriented BLE pairing with interval 1 Hz results in a power consumption of 31 µWh per second, as detailed in

  Table 2. Permanent BLE connection with a 1 Hz interval and duty cycle of 6.5%.

  Cycle	Duration	Average Current	Energy Consumption
  Boot and Initialization	19 ms	30 mA	0.5858 µWh
  Delay to let sensor wake up	10 ms	30 mA	0.3083 µWh
  Active Sampling	26 ms	50 mA	1.3361 µWh
  Encryption and Transmission	10 ms	32 mA	0.3289 µWh
  Idle	935 ms	30 mA	28.8292 µWh
  Total *	1 s		31.0677 µWh

  * Bold values indicate the total duration and energy consumption for one complete cycle.

  . The autonomy of our IoMT node is restricted to just 1.98 h, by utilizing a 3.7 V/150 mAh lithium-ion polymer (LiPo) battery [10], making a permanent BLE link unsustainable for long-term monitoring.
• Advertising BLE Packets: In contrast, the implementation of BLE advertising with the same 1 Hz interval achieves a 12-fold power reduction, from 31.0677 µWh to 2.5784 µWh, as viewed in Table 2 and

  Table 3. Advertising BLE packets with a 1 Hz interval and duty cycle of 6.5%.

  Cycle	Duration	Average Current	Energy Consumption
  Boot and Initialization	19 ms	30 mA	0.5858 µWh
  Delay to let sensor wake up	10 ms	30 mA	0.3083 µWh
  Active Sampling	26 ms	50 mA	1.3361 µWh
  Encryption and Transmission	10 ms	32 mA	0.3289 µWh
  Deep Sleep	935 ms	20 µA	0.0192 µWh
  Total *	1 s		2.5784 µWh

  * Bold values indicate the total duration and energy consumption for one complete cycle.

  , whereas the conventional BLE pairing connection remains viable for approximately only 2 h when powered by the specified LiPo battery [10]. The proposed architecture demonstrates a significant enhancement in longevity, reaching 23.76 h of continuous operation.
• Optimizing Autonomy: Through the combined implementation of optimized sensor sampling and a reduction in LED current, the system achieved a 33-fold increase in operational autonomy compared with standard configurations maintaining a permanent BLE connection. This dual-optimization strategy involved integrating a connectionless advertising approach alongside a strategic decrease in the MAX30100 LED current from 20 mA to 8 mA. These adjustments significantly lowered the sensor’s power draw while maintaining an acceptable measurement accuracy, as detailed in

  Table 4. Optimized autonomy by advertising BLE packets with a 2 Hz interval and duty cycle of 2.75%.

  Cycle	Duration	Average Current	Energy Consumption
  Boot and Initialization	19 ms	30 mA	0.5858 µWh
  Delay to let sensor wake up	10 ms	30 mA	0.3083 µWh
  Active Sampling	16 ms	38 mA	0.6249 µWh
  Encryption and Transmission	10 ms	32 mA	0.3289 µWh
  Deep Sleep	1945 ms	20 µA	0.04 µWh
  Total *	2 s		1.8879 µWh

  * Bold values indicate the total duration and energy consumption for one complete cycle.

  . Consequently, utilizing the same LiPo battery, the system reached a continuous operational duration of 65.52 h (2.73 days).

These results indicate that utilizing connectionless BLE advertising instead of persistent pairing drastically extends the operational lifespan of the wearable node.

3.3. Visualization Outcomes

The cloud-native stack successfully processed the incoming data streams. The Grafana dashboard rendered real-time charts for HR and SpO2, which were accessible remotely via HTTPS. This confirms the functional integrity of the end-to-end pipeline, from the sensor acquisition to the end-user interface.

4. Discussion

The results of this study highlight the critical role of protocol selection in the design of wearable IoMT devices.

4.1. Decoupling Security from Connectivity

Traditional Bluetooth Low Energy applications typically rely on the “connect–pair–bond” model to secure data. While robust, this model imposes a significant energy overhead due to the necessity of maintaining synchronization events between the peripheral and the central device. Our findings suggest that decoupling security from the connection state, by embedding encryption directly into the advertising payload, provides a more scalable solution for medical monitoring. The use of AES-128-CCM allows the wearable device to operate in a “fire-and-forget” manner while ensuring that sensitive health data remains unintelligible to unauthorized scanners.

4.2. Cloud Integration and Scalability

The successful integration of the edge hardware with a containerized cloud stack (Azure VM/Docker) demonstrates the system’s scalability. By utilizing MQTTS, we ensured that the lightweight nature of the edge communication did not compromise the security of the backhaul link to the cloud. Furthermore, the storage of data in InfluxDB enables not just real-time monitoring but also future retrospective analysis of patient health trends, which is essential for predictive medical diagnostics.

4.3. Limitations and Resource Requirements

While the proposed architecture offers significant advantages in energy efficiency, certain limitations must be acknowledged.

• Manpower and Deployment: Deploying this system requires specialized expertise in both embedded systems (for the BLE stack) and cloud engineering (Docker/MQTT). This technical barrier may require dedicated personnel for maintenance compared with off-the-shelf proprietary medical monitoring solutions.
• System Architecture Constraints: Although the ESP32-C6’s hardware accelerator optimizes AES-128-CCM execution, the framework is ultimately bound by the strict payload limitations of BLE advertising. The mandatory cryptographic overhead (Nonce and MIC) reduces the effective data throughput per packet. This dictates the use of lightweight symmetric cryptography and enforces a hard constraint on the balance between data granularity, security depth, and battery longevity.
• Compliance and Certification Costs: Transitioning from a research prototype to a certified medical device requires substantial investment in regulatory compliance (such as HIPAA in the United States of America or GDPR/MDR in Europe). The cost of official security audits to validate the AES-128-CCM implementation and the integrity of the data pipeline often exceeds the cost of the hardware itself.

Despite these challenges, the proposed framework remains a viable proof-of-concept (PoC), offering a scalable foundation for low-cost remote monitoring that successfully balances strict resource limits with essential security requirements.

5. Conclusions

This manuscript presented a secure and energy-efficient framework for biometric data streaming in the context of wearable healthcare. The proposed architecture successfully integrates specific low-power hardware, namely the Seeed Xiao ESP32-C6 and ESP32-WROOM, with a modern cloud-native stack.

The experimental evaluation confirms that utilizing encrypted BLE advertising is a superior alternative to traditional pairing for long-term monitoring scenarios. By balancing data confidentiality with power efficiency, our dual-optimization strategy increased operational autonomy by 33-fold compared with standard permanent BLE connections. This results in a significant leap forward for battery longevity within the IoMT ecosystem. Future work will focus on implementing adaptive advertising intervals based on real-time patient activity levels to further optimize energy efficiency.