2016 IEEE Symposium on Computers and Communication (ISCC)

Internet-of-Everything Oriented Implementation of Secure Digital Health (D-Health) Systems

Grayson Honan, Alex Page, Ovunc Kocabas
University of Rochester, ECE, Rochester, NY 14627
{ghonan2,apage4,okocaba}@ece.rochester.edu

Tolga Soyata
SUNY Albany, ECE, Albany, NY 12222

Burak Kantarci
Clarkson University, ECE, Potsdam, NY 13699


Abstract—The past few decades have witnessed incredible advances in human health care, owing to the invention of devices such as MRI scanners, which allow physicians to monitor personal health in more detail than was ever previously possible. Such advances have drastically improved diagnostic quality and patient health care. Central to this incredible progress was the uncanny ability of technologists and academics to invent ever more useful tools to help physicians, be it the X-ray machine, CT, or MRI scanner. Whereas the aforementioned past-decades’ tools aimed at acquiring personal data, the advent of the Internet-of-Things, vast computational power available in the cloud, and new data analytics algorithms will completely change the way we acquire and process medical data to improve health care going forward. In this paper, we conduct a quantitative feasibility study of a Digital Health (D-Health) system that is aimed at acquiring and processing health data using the emerging Internet-of-Everything paradigm. We specifically investigate the technological feasibility of communication, software, and data privacy aspects.

Index Terms—decision support; Internet of Everything (IoE); visualization; analytics; remote health monitoring.

978-1-5090-0679-3/16/$31.00 ©2016 IEEE

I. INTRODUCTION

It is hard to believe that in 2016, cardiac diagnoses are mostly based on physical examinations and visual inspection of electrocardiograms [1], [2]; such methods could almost be considered “vintage” when compared to the non-medical world’s technology. Real-time means to assess and predict the risk of cardiac diseases that can lead to chronic heart failures, and methods to permit therapeutic intervention are no more than research topics [3]. The pathological progression of many diseases requires long term observations of a patient to gather sufficient data to make accurate statistical inferences related to the onset of the disease at hand [4]. A D-Health system that provides automated remote health monitoring of clinically-relevant bio-markers could provide invaluable diagnostic information [5]–[7] and translate to health care cost savings of up to $300 B [8].

Adoption of D-Health systems and their use in improving health care will advance simultaneously with trends that are in motion already; commercially available personal health and fitness monitoring devices such as Applewatch [9], Fitbit [10], and Jawbone [11] are becoming the “next iPhone,” and are even considered fashionable [12]. Off-the-shelf advanced personal health monitoring devices also exist for Glucose monitoring [13] or ECG monitoring [14], [15]. Significantly more sophisticated bio-patches are also becoming commercialized [16]–[18] that provide clinical grade remote health monitoring of advanced bio-markers such as gait, posture, body temperature, and surface EMG. Acquisition of the data that can be used to improve health care is not limited to personal data; the crowdsensing phenomenon promises to acquire data from the environment that can be used to determine environmental factors that are affecting our health [19], such as air or water quality.

The final destination of this acquired data is the cloud, where machine learning algorithms [20] make statistical inferences on the data to provide decision support to the health care professionals [21]–[24]. Using an expanding set of medical databases will open the door to discoveries of new treatments for diseases [25] and a better understanding of the way the human body works [26].

In this paper, we investigate how these individual trends can be incorporated into a holistic system designed to develop effective, commercially-accepted D-Health systems that can improve our health care. Our contributions in this paper are: In Section II-A, we draw a conceptual diagram of a D-Health system that can be applied to a generalized set of applications aimed at improving our health care. We highlight technical challenges in realizing a D-Health system in Section II-B and provide technical feasibility studies for each technical challenge: Issues related to providing a reliable communication infrastructure are elaborated on in Section III. In Section IV, issues related to data privacy, system-level security and the correctness of acquired data are studied quantitatively. In Section V, quantitative case studies are provided for visualization and analytics algorithms. Our concluding remarks in Section VI outline our position regarding the future of D-Health systems.

II. D-HEALTH SYSTEM STRUCTURE AND CHALLENGES

A conceptualized D-Health system is depicted in Fig. 1, which consists of two sections: Front End section is responsible for acquiring, aggregating, and pre-processing the data. Back End section is responsible for processing the data to extract useful information for use in health care. We will now detail the components and challenges of a D-Health system.

[Figure 1 block labels: FRONT END (data acquisition, data aggregation/pre-processing); BACK END (cloud storage/processing, services).]

Fig. 1. A conceptual structure of a D-Health system, consisting of two parts: Front End is where the data is acquired, aggregated and pre-processed. Back End is where the data is stored/processed to provide services to health care organizations.

A. Conceptualized Structure of a D-Health System

Data Acquisition: Personal health monitoring is achieved using Wireless Body Area Networks (WBANs). WBANs consist of lightweight wearable sensors [5], [27] or more advanced clinical grade sensors (bio-patches) that are capable of measuring bio-markers such as EMG, gait, and blood pressure [17], [28]. BAN sensors utilize low-power Bluetooth or ZigBee protocols, based on standards such as the IEEE 802.15.6 [29], which prescribes radio frequency (RF)-based ultrawideband (UWB) and narrowband communication standards and RF-based human body communication standards [30].

Data Aggregation/Pre-processing: A WBAN consists of severely battery-power-restricted sensor devices and passive RF devices. Aggregation and pre-processing of the acquired data is necessary to reduce the data volume being handled and transmitted. This is achieved by concentrators [31], [32], and cloudlets [33]–[35], or smartphones acting as cloudlets, because sensors aren’t computationally capable enough for D-health data processing and have more limited battery life.

Crowdsensed Data Acquisition is an emerging phenomenon [36], [37] that promises to enable the concurrent acquisition and aggregation of data — such as temperature, air quality, or humidity — from a wealth of capable, sensor-rich “crowd” resources [38], such as smartphones and tablets.

Cloud Infrastructure functions provided by a cloud service include multiple servers on one or more racks, storage space, virtualization, and other components to enable the back end functionality of a D-Health system. This infrastructure must be compliant with government health data regulations.

Database-Oriented Storage structures medical data in a standardized format to be rapidly queried for analytics purposes. Structuring the data in a standard database format also enables the fusion of similar data from multiple sources to enrich the data quality.

Services such as decision support for health-care professionals can be provided once the data is stored in a structured way and potentially fused with the crowdsensed data and applied as input to statistical inference algorithms.

B. Technical Challenges in Building D-Health Systems

Wireless Standards and Interoperability are discussed in Section III-A. Multiple wireless services can operate on the Industrial Scientific and Medical (ISM) 2.4 GHz band leading to co-channel interference for on-body networks.

Protocol Design Challenges and solutions are addressed in Section III-B. Physical layer challenges aim at addressing path loss and low power gain in on-body sensor networks whereas MAC layer challenges deal with urgency-based resource allocation for message frames. Network layer challenges include thermal-aware routing algorithms to avoid tissue damage.

Data Privacy Challenges involve protecting data from adversaries attempting to obtain it without authorization and are primarily crypto-level challenges. We detail the encryption schemes that are used to ensure data privacy in Section IV-B.

System Level Security is examined in IV-C in terms of side channel attacks because they attempt to obtain the secret keys by using system-level operational run-time information, such as server power consumption during crypto operations.

Data Trustworthiness Challenges include distinguishing between sensor malfunction and intentional sensor tampering. These challenges are exacerbated in crowdsensing settings. A detailed quantitative study is provided in Section IV-D.

Database Challenges: Health records in many different formats must be parsed and aggregated into a database system that is well-suited for tasks such as statistical analysis and machine learning.

Visualization of medical data reduces the data burden for the doctor and allows fast data handling for multiple patients. A quantitative case study is provided in Section V-A.

Decision Support by using machine learning algorithms reduces the statistical inference burden by taking advantage of the vast processing capability of computers. A quantitative case study is provided in Section V-B.

III. COMMUNICATION CHALLENGES

We break communication challenges in D-Health systems into two main categories, namely i) the wireless standards for D-Health systems and ii) the protocol design challenges. Wireless communications are widely used for sensor readings and actuation signals in D-Health systems [39], [40].

A. Wireless Standards and Interoperability

The scope of IEEE 802.15.6 includes radio frequency (RF)-based ultrawideband (UWB) and narrowband communication standards, as well as RF-based human body communication standards. RF-based human body communications utilize the 21 MHz centered frequency band with data rates of 164-1312.5 Kbps. UWB and narrowband-based human body communications utilize frequency bands between 402 MHz and 10 GHz. UWB operates at data rates between 395 Kbps and 12.636 Mbps, and narrowband-based communications operate at 100 Kbps and 1000 Kbps [29].

RF-based communications have been reported to communicate through the air with high attenuation due to body shadowing at data rates up to 13 Mbps, whereas on-body communications solutions communicate through the body with low signal attenuation at data rates below 2 Mbps [40]. The protocols should be built on the communication standards for on-body networks, and address energy efficiency, security, privacy and low electromagnetic interference.

Cognitive and opportunistic solutions have become popular to address the interoperability challenges. Several system architectures have been developed on IEEE 802.22, which specifies the standard for Wireless Cognitive Radio Network Medium Access Control [41].

B. Protocol Design Challenges

PHY layer Challenges: The study in [42] uses a biofeedback control loop through sensor and actuator nodes. The proposed on-body network operates in the low bit rate medical implant communication service (MICS) 402–405 MHz frequency band with maximum bandwidth of 300 KHz [43]. The sensor nodes perform continuous health monitoring while the actuator nodes are responsible for medical drug delivery for patients who are in critical condition.

As an alternative to the MICS-based wearable and implantable systems such as [42], UWB-based implantable body area networks are also popular [44], [45]. A grand challenge in an RF-based body area network is the path loss and signal attenuation due to the physical characteristics of the medium such as blood circulation, respiration, and temperature variation throughout the body. Floor et al. derived a path loss model for UWB-based in-vivo communication systems [46] and showed that low frequencies such as 1–3 GHz reduced the transmission power in implanted networks as the path loss was remarkably low at these frequency levels. Furthermore, the study shows that the higher the number of on-body receiver antennas, the better the power gains (i.e., ≥ 3 dB) as long as they are placed close enough to each other. Propagation paths are highly correlated; therefore, this phenomenon has to be taken into account in designing communication protocols and algorithms.

MAC layer Challenges: In [47], MAC layer protocols have been surveyed within the context of Machine-To-Machine (M2M) communications; hybrid protocols have also been studied as a solution to cope with the performance issues experienced under either contention-based or scheduling-based MAC protocols. As an example hybrid protocol, Hybrid MAC (HyMAC) consolidates the advantages of CDMA with TDMA and FDMA; each node is assigned a time slot and a frequency in response to its bandwidth request by using contention-based access [48]. Applicability of hybrid MAC protocols to D-Health systems has been extensively discussed in [47] in the context of M2M communications, and the authors have concluded that hybrid MAC protocols would have scalability issues due to the dense deployment of M2M networks. Random access-based reservation of slots, codes, and frequencies leads to bottlenecks under hybrid MAC protocols. Furthermore, overheads due to system reconfiguration lead to a large number of wasted time slots when compared to conventional wireless sensor networks. Hence, the authors advocate that TDMA-based MAC protocols are more suitable to M2M communication systems.

Network-layer Challenges: The thermal-aware routing algorithm (TARA) has been proposed to avoid hotspots in a body area network [49]. TARA defines a temperature threshold to identify a region in the network as a hotspot (i.e., above the threshold); the packets are routed around the hotspot regions. If a region is identified as a hotspot in the network by a node, the protocol withdraws all the packets destined to that region, and sends them back to the source node. In [50], the hotspot preventing routing algorithm (HPR) selects the shortest path to the destination node if the destination is not in a hotspot region. While selecting the next hop, if the temperature of the next hop is not above the threshold, the packet is sent to that node, otherwise, the packet is sent to the coolest neighbor unless the next hop which is a hot spot is not the destination. Scalability and longer network lifetime are guaranteed by HPR (compared to TARA) at the expense of an overhead due to carrying the temperature information forward as a packet propagates towards its destination [51]. As another alternative to TARA, Adaptive Least Temperature Routing (ALTR) sends the packets to the coolest neighbor [52]; as soon as the number of hops exceeds a pre-defined threshold, the algorithm switches to shortest hop routing.

IV. SECURITY CHALLENGES

In this section, we study the security mechanisms that allow a D-Health system to guarantee privacy, prevent side channel attacks, and ensure the correctness of crowdsensed data.

A. Cryptographic Challenges

We study medical data privacy from three different aspects:

Data Storage Privacy refers to the assurance that encrypted data cannot be accessed unless an adversary obtains access to the private key, which is necessary for decryption. Conventional encryption schemes such as Advanced Encryption Standard (AES) and Elliptic Curve Cryptography (ECC) can provide data privacy and their details are given below.

Data Sharing Privacy refers to the guarantee that when multiple users must share data — within a list of authorized users — no additional user can access the data. This is feasible by Attribute Based Encryption (ABE) schemes that allow access to data based on user credentials, i.e., attributes. Two existing ABE family encryption schemes, namely KP-ABE and CP-ABE, are detailed below.

Data Computation Privacy refers to the protection of data privacy during computation. Homomorphic encryption schemes (e.g., Paillier and Fully Homomorphic Encryption) can achieve data computation privacy and allow computations on medical data to be performed on encrypted data [53], [54]. These schemes are detailed below.

B. Encryption Schemes to Protect Data Privacy

Encryption schemes can be categorized as conventional and emerging. Conventional encryption schemes — AES and ECC — find widespread acceptance due to their resource-friendliness; however, they only provide data storage privacy. Emerging schemes — ABE and homomorphic — provide data sharing and data computation privacy but they are significantly more resource-intensive. We detail these schemes below.

Advanced Encryption Standard (AES): AES [55] is one of the most commonly-used symmetric key conventional encryption schemes for industry and government security needs. AES uses lightweight functions including XOR, data shuffling, and replacement-by-lookup, so the algorithm is both fast and power efficient.

Elliptic Curve Cryptography (ECC): ECC is a public key conventional encryption scheme that can achieve the level of security provided by 1024-bit RSA using only a 160-bit prime p. This vast improvement on RSA’s key sizes allows significant savings in bandwidth and storage when using public key cryptosystems. One of ECC’s most common implementations is the Elliptic Curve Integrated Encryption Scheme (ECIES) [56], which makes use of Diffie-Hellman key exchange to generate a shared secret. ECIES is much more computationally expensive than plain AES; in a generic C implementation [57], ECIES takes 3 orders-of-magnitude longer for encryption and decryption than plain AES. Additionally, ciphertext in ECIES requires approximately 6× more space than a generic C implementation of AES.

Attribute-based Encryption (ABE): ABE improves on the data sharing capabilities of conventional encryption schemes (e.g., AES and ECIES) through the use of access policies. ABE exists in two variants, based on the placement of the access policy: Ciphertext-Policy ABE (CP-ABE) and Key-Policy ABE (KP-ABE).

In CP-ABE, users’ private keys are associated with their credentials [58]. The ciphertext specifies an access policy, and only the users whose credentials satisfy the requirements of the access policy can decrypt it. Encryption and decryption in CP-ABE take 6 orders-of-magnitude longer than plain AES and ciphertexts require two orders-of-magnitude more storage.

In KP-ABE, access policies are placed on users’ private keys and attributes are associated with the ciphertexts. Encryption and decryption in KP-ABE take four orders-of-magnitude longer than plain AES, and ciphertexts occupy approximately 40× more space than plain AES.

Homomorphic Encryption: Absent from the encryption schemes we’ve examined thus far is the ability to operate on encrypted data; homomorphic encryption (HE) enables computation without observing decrypted data. At the least, an HE scheme implements either homomorphic addition or homomorphic multiplication, which translate to addition and multiplication on plaintext, respectively. A homomorphic scheme is defined as Fully Homomorphic Encryption (FHE) when it implements both homomorphic addition and homomorphic multiplication, and is thus able to evaluate arbitrary functions.

Paillier HE [59] is a lightweight, additively-homomorphic encryption scheme used for many practical applications. Its performance is similar to CP-ABE; encryption and decryption take 6 orders-of-magnitude longer than plain AES and ciphertexts require 2 orders-of-magnitude more storage.

FHE schemes are fairly resource-intensive for current generation D-Health systems [60]–[62], even when using the state-of-the-art Brakerski-Gentry-Vaikuntanathan (BGV) scheme [63]. Using the HElib implementation as a benchmark [64], BGV takes nearly 6 orders-of-magnitude longer for encryption and 6 orders-of-magnitude longer for decryption when compared to a generic C implementation of AES. Additionally, BGV ciphertexts require 6 orders-of-magnitude more storage than AES, and BGV homomorphic computation is 3100× slower than Paillier computation [65].

C. System-Level Security Challenges

Chief among the security concerns associated with D-Health system design are various side channel attacks that exploit systemic information leaks. Vulnerabilities in the system’s software and hardware implementations can enable these attacks as we detail below.

Cache Attacks: Cache attacks work by observing the cache access latency of the cryptographic instructions to recover the cache lines that store the secret key [66], [67]. Some hardware offers built-in defenses against this attack. The Intel AES-NI CPU instruction set [68], for example, makes cache access latency independent of data and calculates substitution results in hardware, rather than using a lookup table.

Timing Attacks: Timing attacks attempt to discover the secret key of a cryptosystem by observing the execution time of operations performed during encryption or decryption. If the execution time of operations varies based on the bits of the secret key [69], a timing attack will be effective. In ECC timing attacks, the execution time of scalar multiplication operations can leak information. This leak can be prevented by using a multiplication method that performs the operation independent of the bits in the secret key, such as the Montgomery multiplication method [70].

Power Analysis Attacks: If power consumption of a cryptosystem varies based on the bit values of a secret key, adversaries can discover the key by observing the power usage of the device (simple power analysis) or by using statistical methods of differential power analysis for more noise-tolerant measurements. When using AES, such attacks can be prevented by using randomized masks on AES operations [71] to remove the correlation between power consumption, the AES secret key, and the data being acted upon. In ECC power analysis attacks, randomizing the intermediate computations has been shown to remove the correlation between power consumption and sensitive key information.

Fault-Based Attacks: Through the application of a power glitch, magnetic field, or other stimulus to a cryptosystem, errors may be generated that reveal the secret key to an adversary. To prevent such attacks from being effective against AES-based cryptosystems, [72] proposes checking the correctness of results at various stages. An alternative presented in [73] is based on error detecting codes (EDC). Fault-based attacks for ECC-based schemes attempt to produce a point that is not on the elliptic curve during decryption [74]; these attacks can be thwarted by checking if the result is a point on the elliptic curve, and if not, discarding the result.

Data Rate Attacks: If the amount of data being transferred from a remote medical sensor depends on any physiological parameters, then an attacker may be able to learn some health information simply from the data transfer rate. For example, if a packet is sent after every heart beat, the heart rate can be easily inferred from the number of packets being sent per minute. Defense against this type of attack involves using techniques such as padding to maintain the same data rate independent of physiological events.

D. Data Correctness (Trustworthiness) Challenges

In crowdsensing-assisted data acquisition via social communities, trustworthiness of crowdsensed data should focus on reputation of sensing devices and their corresponding sensing accuracy [75], [76]. In trustworthy crowdsensing, instruments (nodes) are recommended to be recruited based on their reputation [77]. Percentage of “positive” readings — excluding outliers via an outlier detection algorithm [78] — denotes the reputation of a node [19]. Although tracking positive/negative readings may improve trustworthiness of crowdsensed data, the system is still prone to Sybil-like attacks [79]; a newly joining mobile device (i.e., sensing node) builds its reputation based on the votes of other devices.

Vote-based trustworthiness of node i is defined as $\Re_i(t)$ and is calculated as the total vote from the neighbors averaged by their total voting capacities. However, this may still lead to biased calculation of trustworthiness of crowdsensed data. Two solutions can be considered against this challenge. First, some trustworthy nodes, called anchor nodes, can be initially recruited with 100% trustworthiness and 100% vote capacity no matter what they report as sensing data [37]. Alternatively, collaborative trustworthiness can also be considered as a hybrid of the vote-based and statistical trustworthiness assessment [80]. Assessing trustworthiness of crowdsensed data requires assessing sensing node reputations according to

$$
\begin{aligned}
\Re_i(t) &= \sigma \cdot \Re_i(t^-) + (1-\sigma) \cdot \Re_i(t) \\
&= \sigma \cdot \Re_i(t^-) + (1-\sigma)\left[(1-\delta)\,\Re_i^{stat}(t) + \delta \cdot \Re_i^{voted}(t)\right]
\end{aligned}
\tag{1}
$$

$$
\Re_i(t) = \sigma \cdot \Re_i(t^-) + (1-\sigma) \cdot \left[ (1-\delta) \cdot \frac{p_i(t)}{p_i(t)+n_i(t)} + \delta \cdot \frac{\sum_{j \mid T_{\{i\}} \cap T_{\{j\}} \neq \emptyset} (\omega_j \cdot \chi_{ij} \cdot \Re_j)}{\sum_{j \mid T_{\{i\}} \cap T_{\{j\}} \neq \emptyset} (\omega_j \cdot \Re_j)} \right]
\tag{2}
$$

where $\Re_i(t)$ is the reputation of node i and is a compound function of the statistical reputation ($\Re_i^{stat}(t)$, i.e., ratio of positive readings ($p_i(t)$) to the total readings ($p_i(t) + n_i(t)$)) and social reputation ($\Re_i^{voted}(t)$). $\sigma$ and $\delta$ are weight factors that are used to quantify the transition speeds of node reputations [37]. (1) can be expanded as (2), where $T_{\{i\}}$ denotes the set of data sensed by node i such that $T_{\{i\}} \cap T_{\{j\}}$ represents the intersection of the sets of data sensed by node i and node j. In the vote-based component of the reputation assessment, $\omega_i$ denotes the current vote capacity of user i, and $\chi_{ij}$ denotes the vote of node j for node i.

When health data is acquired through crowdsensing, the sensing nodes that are recruited for data acquisition need to be rewarded based on their sensing costs and the usefulness of the data they have provided. Figure 2 illustrates a comparison between the statistical, vote-based and collaborative trustworthiness assessment approaches in terms of crowdsensing utility where reputation-unaware data acquisition is used as a benchmark. Utility is defined as the difference between the total usefulness of the acquired data and the rewards/compensation made to the sensing nodes. Figure 2 is based upon a simulation study in a 1000 m × 1000 m terrain with 1000 nodes and a sensing range of 30 m. Amongst the 1000 nodes, 5% report wrong sensing data intentionally whereas the rest of the nodes report accurate sensor readings 97-98% of the time. The upper bound for the usefulness of acquired data and the sensing costs are set at 5 and 10, respectively. The 30-minute monitoring period under various sensing task arrival rates shows the viability of collaborative trustworthiness assessment for the sensing nodes. Furthermore, solely vote-based assessment leads to biased votes under heavy data acquisition rates leading to lower crowdsensing utility.

Fig. 2. A case study of crowdsensing utility under various trustworthiness assessment approaches.

V. SOFTWARE IMPLEMENTATION CHALLENGES

In this section, we quantitatively study two key software-side technical challenges of designing a D-Health system. First, the large volume of sensor data produced from long-term, persistent patient monitoring would easily overwhelm a physician caring for 20-30 patients; therefore, new data visualization methods must be introduced to present medical data in an intuitive, summarized format. Second, decision support based on statistical trends in a patient cohort has the potential to increase diagnostic accuracy and clinical predictive capabilities, but significant challenges exist (including the assurance of data privacy).

A. Data Visualization

A novel visualization mechanism is introduced in [81] that is capable of presenting multi-modal medical data on a scale of ≥24 hours. The authors generate these visualizations through several stages of preprocessing, which transform the raw sensor data into filtered clinical markers for plotting [82]. This preprocessing step also addresses the issue of data volume by simplifying raw data into a summarized and practical format for clinical use. A quantitative example of data visualization for the QTc clinical marker is given in Fig. 3 using the open source code provided in [81]. In this example, the polar plot shows intervals measured beat-to-beat during a 24 hour ECG of a patient. While the patient’s daytime QTc values are only somewhat alarming, the nighttime values are distinctly life-threatening.

Fig. 3. Example 24-hour QTc plot in the “ECG Clock” format [81]. QTc for a healthy patient should normally fall into the green range for the entire day. While this patient shows a borderline high QTc range during daytime, QTc becomes clearly abnormal at night, indicating a potential cardiac hazard. Increased risk during sleep is consistent with this patient’s LQT2 diagnosis.

B. Decision Support

We tested several machine learning (ML) algorithms on 639 24-hour Holter ECG recordings. 145 of the recordings came from LQTS type 2 patients, 294 came from LQTS type 1 patients (both are genetic disorders affecting cardiac function), and 200 recordings came from healthy patients. We used the scikit-learn Python library [83] to provide decision support. 70% of the data set is used for training the ML algorithms, and the resulting model is tested on the remaining 30% of the dataset. Classifier performance was characterized based on 20 trials with Holter recordings randomly split between “training” and “testing” during each trial. On average, classification of “healthy” vs. “long QT” was relatively accurate (around 90%). Additionally, differentiation between type 1 and type 2 LQTS is found to be 70–75% accurate with Support Vector Machine (SVM) and Random Forest ML algorithms.

All classifiers were generally effective, especially when optimized attributes were used; for example, setting the coef0 attribute for Polynomial SVM to 1.0 and dual for Linear SVM to False improved the scores by ∼4%. Random Forest and SVM generally proved superior to other algorithms. The ability to change the SVM classification method by simply changing the kernel attribute offers great versatility; in our case, polynomial SVM performed slightly better than the linear or radial basis function (RBF) SVM.

VI. CONCLUSION AND ONGOING WORK

The digital health (D-Health) revolution is propelled forward by the Internet-of-Everything (IoE) paradigm, leading to the creation of advanced D-health systems capable of remote monitoring, analytics, visualization, and decision support. In this paper, we have studied the feasibility of a holistic framework for D-Health systems where data acquisition is based on IoE and assisted by mobile crowdsensing, and processing and storage are handled at a cloud platform to provide services such as visualization, analytics and decision support. The proposed D-Health framework consists of Front End and Back End sections. The front end is responsible for data acquisition via IoE sensors (i.e., on-body sensors and crowdsensing smartphones) and incorporates a cloudlet which performs aggregation and pre-processing. The back end consists of the cloud platform, which primarily provides storage and processing for services that include visualization, analytics, and so on. We have thoroughly investigated the challenges faced in the implementation of this framework, and we have discussed the possibility of integration of existing solutions to those challenges. To this end, we have studied the feasibility of crowdsensed data acquisition under various correctness assessment techniques, and we have concluded that the collaborative approaches perform better when data acquisition is assisted by crowdsensing nodes. As for the back end processing, we have used measurements from 24-hour Holter ECG recordings to test the performance of various data classifiers, and found that SVM and Random Forest based classifiers were superior to other approaches in this case study. Finally, as a service component in the back end, we have presented an intuitive way to visualize the continuously monitored data to the end user.

We are planning to integrate these pieces on a real testbed, where on-body sensors are interfaced by front end circuitry and communicate with the cloudlet through low-power Bluetooth. We will also attempt to address trustworthiness/tamper-resistance of sensor data, as conceptualized in [4]. Furthermore, social networks currently serve as the data publishing layer in the data acquisition block of the front end plane. Therefore, we are planning to extend the role of social networks to an unstructured knowledge-base which will be analyzed by the cloudlet in order to retrieve useful data.

ACKNOWLEDGMENTS

This work is supported in part by the National Science Foundation grants CNS-1239423 and CNS-1464273. Tolga Soyata was an Assistant Professor - Research during the preparation of this manuscript. He was the PhD adviser of Alex Page and Ovunc Kocabas, as well as the undergraduate adviser of Grayson Honan. Before the publication of this manuscript he joined SUNY Albany, ECE as an Associate Professor.

REFERENCES

[1] E. J. Petr, C. R. Ayers, A. Pandey, J. A. Lemos, T. Powell-Wiley, A. Khera, D. M. Lloyd-Jones, and J. D. Berry, “Perceived lifetime risk for cardiovascular disease (from the dallas heart study),” The American Journal of Cardiology, vol. 114, no. 1, pp. 53–58, 2014.
[2] J. Saul, P. J. Schwartz, M. J. Ackerman, and J. K. Triedman, “Rationale and objectives for ECG screening in infancy,” Heart Rhythm, vol. 11, no. 12, pp. 2316–2321, 2014.
[15] C. Leaf, “World’s Thinnest 3-Lead ECG Patch,” http://www.clearbridgevitalsigns.com/brochures/CardioLeaf ULTRA Brochure.pdf.
[16] S. Xu, Y. Zhang, L. Jia, K. E. Mathewson, K.-I. Jang, J. Kim, H. Fu, X. Huang, P. Chava, R. Wang, S. Bhole, L. Wang, Y. J. Na, Y. Guan, M. Flavin, Z. Han, Y. Huang, and J. A. Rogers, “Soft microfluidic assemblies of sensors, circuits, and radios for the skin,” Science, vol. 344, pp. 70–74, 2014.
[17] D. Son, J. Lee, S. Qiao, R. Ghaffari, J. Kim, J. E. Lee, C. Song, S. J. Kim, D. J. Lee, S. W. Jun, S. Yang, M. Park, J. Shin, K. Do, M. Lee, K. Kang, C. S. Hwang, N. Lu, T. Hyeon, and D.-H. Kim, “Multifunctional wearable devices for diagnosis and therapy of movement disorders,” Nature Nanotechnology, pp. 1–8, 2014.
[18] D.-H. Kim, R. Ghaffari, N. Lu, and J. A. Rogers, “Flexible and stretchable electronics for biointegrated devices,” Annual Review of Biomedical Engineering, pp. 113–128, 2012.
[19] B. Kantarci and H. Mouftah, “Trustworthy Sensing for Public Safety in Cloud-Centric Internet of Things,” IEEE Internet of Things Journal, vol. 1, no. 4, pp. 360–368, Aug 2014.
[20] Committee on the Analysis of Massive Data, Frontiers in Massive Data Analysis. National Academies Press, 2013.
[21] M. Hassanalieragh, A. Page, T. Soyata, G. Sharma, M. K. Aktas, G. Mateos, B. Kantarci, and S. Andreescu, “Health Monitoring and Management Using Internet-of-Things (IoT) Sensing with Cloud-based Processing: Opportunities and Challenges,” in IEEE International Conference on Services Computing (SCC), Jun 2015, pp. 285–292.
[22] S. Earley, “The Promise of Healthcare Analytics,” IEEE Computing Edge, pp. 27–29, June 2015.
[23] L. Wang and R. Ranjan, “Processing distributed internet of things data in clouds,” IEEE Computing Edge, pp. 12–16, Jun 2015.
[24] A. Page, S. Hijazi, D. Askan, B. Kantarci, and T. Soyata, “Research Directions in Cloud Based Decision Support Systems for Health Monitoring Using Internet-of-Things Driven Data Acquisition,” International Journal of Services Computing (IJSC), vol. 4, no. 4, pp. 18–34, 2016.
[25] E. Eskin, “Discovering Genes Involved in Disease and the Mystery of Missing Heritability,” Communications of the ACM, vol. 58, no. 10, pp. 80–87, 2015.
[26] Multiple, “Hacking the Human OS,” IEEE Spectrum, pp. 31–48, June [3] W.-H. Lin, H. Zhang, and Y.-T. Zhang, “Investigation on cardiovascular 2015. risk prediction using physiological parameters,” Computational and [27] A. Benharref and M. Serhani, “Novel cloud and SOA-based framework Mathematical Methods in Medicine, vol. 2013, no. 1, pp. 1–21, 2013. for E-Health monitoring using wireless biosensors,” IEEE Journal of [4] A. Page, M. Hassanalieragh, T. Soyata, M. K. Aktas, B. Kantarci, and Biomed. and Health Inf., vol. 18, no. 1, pp. 46–55, Jan 2014. S. Andreescu, “Conceptualizing a Real-Time Remote Cardiac Health [28] S. Babu, M. Chandini, P. Lavanya, K. Ganapathy, and V. Vaidehi, Monitoring System,” in Enabling Real-Time Mobile Cloud Computing “Cloud-enabled remote health monitoring system,” in Int. Conf. on through Emerging Technologies. IGI Global, 2015, ch. 1, pp. 1–34. Recent Trends in Inform. Tech. (ICRTIT), July 2013, pp. 702–707. [5] A. Pantelopoulos and N. Bourbakis, “A survey on wearable sensor-based [29] “IEEE Standard for Local and metropolitan area networks - Part 15.6: systems for health monitoring and prognosis,” IEEE Trans. Sys., Man, Wireless Body Area Networks,” IEEE Std 802.15.6-2012, pp. 1–271, and Cybernetics, Part C: Applic. and Reviews, vol. 40, no. 1, pp. 1–12, Feb 2012. Jan 2010. [30] T. Soyata, L. Copeland, and W. Heinzelman, “RF Energy Harvesting for [6] R. Paradiso, G. Loriga, and N. Taccini, “A wearable health care Embedded Systems: A Survey of Tradeoffs and Methodology,” IEEE system based on knitted integrated sensors,” IEEE Trans. Info. Tech. Circuits and Systems Magazine, vol. 16, no. 1, pp. 22–57, Feb 2016. in Biomedicine, vol. 9, no. 3, pp. 337–344, Sept 2005. [31] W. Zhao, C. Wang, and Y. Nakahira, “Medical application on internet of [7] A. Milenkovi, C. Otto, and E. Jovanov, “Wireless sensor things,” in IET Int. Conf. on Com. Tech. 
and Application (ICCTA 2011), networks for personal health monitoring: Issues and an Oct 2011, pp. 660–665. implementation,” Comput. Commun., vol. 29, no. 1314, [32] F. Hu, D. Xie, and S. Shen, “On the application of the internet of pp. 2521 – 2533, 2006, wirelsess Senson Networks and things in the field of medical and health care,” in IEEE Int. Conf. on Wired/Wireless Internet Communications. [Online]. Available: and IEEE Cyber, Physical and Social Computing Green Computing and http://www.sciencedirect.com/science/article/pii/S0140366406000508 Communications (GreenCom),(iThings/CPSCom), Aug 2013, pp. 2053– [8] Goldman Sachs, Inc. Digital Healthcare could save 2058. America $300 Billion. http://www.businessinsider.com/ [33] N. Powers, A. Alling, K. Osolinsky, T. Soyata, M. Zhu, H. Wang, goldman-digital-healthcare-is-coming-2015-6. H. Ba, W. Heinzelman, J. Shi, and M. Kwon, “The Cloudlet Accelerator: [9] Apple Inc., “Apple watch,” accessed April 2015. [Online]. Available: Bringing Mobile-Cloud Face Recognition into Real-Time,” in Globecom https://www.apple.com/watch/ Workshops (GC Wkshps), San Diego, CA, Dec 2015. [10] FitBit Inc., “flex: Wireless activity + sleep wristband,” accessed April [34] T. Soyata, R. Muraleedharan, C. Funai, M. Kwon, and W. Heinzelman, 2015. [Online]. Available: https://www.fitbit.com/flex “Cloud-Vision: Real-Time Face Recognition Using a Mobile-Cloudlet- [11] Jawbone Inc., “Jawbone fitness trackers,” accessed April 2015. [Online]. Cloud Acceleration Architecture,” in IEEE Symposium on Computers Available: https://jawbone.com/up/trackers and Communications (ISCC), Cappadocia, Turkey, Jul 2012, pp. 59–66. [12] A. Schneider, “Tech makeover: The days of tech being a mere practical [35] T. Soyata, H. Ba, W. Heinzelman, M. Kwon, and J. Shi, “Accelerating application of science are over. fashionistas, take note : Sartorial has mobile cloud computing: A survey,” in Communication Infrastructures turned cyber,” In New York, pp. 26–31, June 2015. 
for Cloud Computing, H. T. Mouftah and B. Kantarci, Eds. IGI Global, [13] Sensys Medical, Inc. Near-Infrared Spectroscopy. http: Sep 2013, ch. 8, pp. 175–197. //www.diabetesnet.com/diabetes-technology/meters-monitors/ [36] X. Sheng, J. Tang, X. Xiao, and G. Xue, “Sensing as a Service: future-meters-monitors/sensys-medical. Challenges, Solutions and Future Directions,” IEEE Sensors Journal, [14] Alivecor. (2013) ECG screening made easy. http://www.alivecor.com/. vol. 13, no. 10, pp. 3733–3741, Oct 2013. 2016 IEEE Symposium on Computers and Communication (ISCC) [37] M. Pouryazdan, B. Kantarci, T. Soyata, and H. Song, “Anchor-Assisted [58] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute- and Vote-based Trustworthiness Assurance in Smart City Crowdsens- based encryption,” in IEEE Symposium on Security and Privacy, 2007, ing,” IEEE Access, vol. 4, pp. 529–541, Mar 2016. pp. 321–334. [38] T. Soyata, Enabling Real-Time Mobile Cloud Computing through Emerg- [59] P. Paillier, “Public-key cryptosystems based on composite degree resid- ing Technologies. IGI Global, Aug 2015. uosity classes,” in EUROCRYPT, 1999, pp. 223–238. [39] Y. Liu, T. Ketterl, G. Arrobo, and R. Gitlin, “Modeling the wireless in [60] O. Kocabas and T. Soyata, “Utilizing Homomorphic Encryption to vivo path loss,” in IMWS-Bio), Dec 2014, pp. 1–3. Implement Secure and Private Medical Cloud Computing,” in IEEE 8th [40] A. Karargyris and A. Koulaouzidis, “OdoCapsule: Next-Generation International Conference on Cloud Computing (CLOUD), New York, Wireless Capsule Endoscopy With Accurate Lesion Localization and NY, Jun 2015, pp. 540–547. Video Stabilization Capabilities,” IEEE Transactions on Biomedical [61] O. Kocabas, T. Soyata, J. Couderc, M. K. Aktas, J. Xia, and M. Huang, Engineering, vol. 62, no. 1, pp. 352–360, Jan 2015. 
“Assessment of Cloud-based Health Monitoring using Homomorphic [41] “Standard for Wireless Regional Area Networks Part 22 : Cognitive Encryption,” in IEEE International Conference on Computer Design Wireless RAN Medium Access Control(MAC) and Physical Layer (ICCD), Ashville, VA, Oct 2013, pp. 443–446. (PHY) specifications: Policies and procedures for operation in the TV [62] A. Page, O. Kocabas, S. Ames, M. Venkitasubramaniam, and Bands,” IEEE Std 802.22-2011, Jul 2011. T. Soyata, “Cloud-based Secure Health Monitoring: Optimizing Fully- [42] Q. Fang, S.-Y. Lee, H. Permana, K. Ghorbani, and I. Cosic, “Developing Homomorphic Encryption for Streaming Algorithms,” in Globecom a Wireless Implantable Body Sensor Network in MICS Band,” IEEE Workshops (GC Wkshps), Austin, TX, Dec 2014, pp. 48–52. Transactions on Information Technology in Biomedicine, vol. 15, no. 4, [63] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, “(Leveled) fully homo- pp. 567–576, Jul 2011. morphic encryption without bootstrapping,” in ITCS, 2012, pp. 309–325. [43] US Federal Communications Commission (FCC), “Medical De- [64] S. Halevi and V. Shoup, “HElib,” https://github.com/shaih/HElib. vice Radiocommunications Service ,” https://www.fcc.gov/encyclopedia/ [65] O. Kocabas, T. Soyata, and M. Aktas, “Emerging Security Mechanisms medical-device-radiocommunications-service-medradio. for Medical Cyber Physical Systems,” IEEE/ACM Transactions on Computational Biology and Bioinformatics (TCBB), 2016. [44] Y. Gao, Y. Zheng, S. Diao, W.-D. Toh, C.-W. Ang, M. Je, and C.- [66] D. J. Bernstein, “Cache-timing attacks on AES,” 2005. H. Heng, “Low-Power Ultrawideband Wireless Telemetry Transceiver [67] D. A. Osvik, A. Shamir, and E. Tromer, “Cache attacks and counter- for Medical Sensor Applications,” IEEE Transactions on Biomedical measures: the case of AES,” in Topics in Cryptology–CT-RSA, 2006, pp. Engineering, vol. 58, no. 3, pp. 768–772, Mar 2011. 1–20. [45] M. 
Yuce, “Recent wireless body sensors: Design and implementation,” in [68] S. Gueron, “Intels new AES instructions for enhanced performance and IEEE MTT-S International Microwave Workshop Series on RF and Wire- security,” in Fast Software Encryption, 2009, pp. 51–66. less Technologies for Biomedical and Healthcare Applications (IMWS- [69] P. C. Kocher, “Timing attacks on implementations of diffie-hellman, rsa, BIO), Dec 2013, pp. 1–3. dss, and other systems,” in CRYPTO, 1996, pp. 104–113. [46] P. Floor, R. Chavez-Santiago, S. Brovoll, O. Aardal, J. Bergsland, O.- [70] P. L. Montgomery, “Speeding the pollard and elliptic curve methods of J. Grymyr, P. Halvorsen, R. Palomar, D. Plettemeier, S.-E. Hamran, factorization,” Mathematics of computation, vol. 48, no. 177, pp. 243– T. Ramstad, and I. Balasingham, “In-Body to On-Body Ultrawideband 264, 1987. Propagation Model Derived From Measurements in Living Animals,” [71] T. S. Messerges, “Securing the AES finalists against power analysis IEEE Journal of Biomedical and Health Informatics, vol. 19, no. 3, pp. attacks,” in Fast Software Encryption, 2001, pp. 150–164. 938–948, May 2015. [72] R. Karri, K. Wu, P. Mishra, and Y. Kim, “Fault-based side-channel [47] A. Rajandekar and B. Sikdar, “A Survey of MAC Layer Issues and cryptanalysis tolerant rijndael symmetric block cipher architecture,” in Protocols for Machine-to-Machine Communications,” IEEE Internet of Defect and Fault Tolerance in VLSI Systems, 2001. Proceedings. 2001 Things Journal, vol. 2, no. 2, pp. 175–186, Apr 2015. IEEE International Symposium on, 2001, pp. 427–435. [48] M. Salajegheh, H. Soroush, and A. Kalis, “HYMAC: Hybrid TD- [73] G. Bertoni, L. Breveglieri, I. Koren, P. Maistri, and V. Piuri, “Error MA/FDMA Medium Access Control Protocol for Wireless Sensor analysis and detection procedures for a hardware implementation of Networks,” in IEEE Intl. Sympp. 
on Personal, Indoor and Mobile Radio the advanced encryption standard,” Computers, IEEE Transactions on, Communications (PIMRC), Sep 2007. vol. 52, no. 4, pp. 492–505, 2003. [49] Q. Tang, N. Tummala, S. Gupta, and L. Schwiebert, “TARA: Thermal- [74] I. Biehl, B. Meyer, and V. M¨uller, “Differential fault attacks on elliptic Aware Routing Algorithm for Implanted Sensor Networks,” in Dis- curve cryptosystems,” in CRYPTO, 2000, pp. 131–146. tributed Computing in Sensor Systems, V. Prasanna, S. Iyengar, P. Spi- [75] L. Kazemi, C. Shahabi, and L. Chen, “GeoTruCrowd: Trustworthy rakis, and M. Welsh, Eds., 2005, vol. 3560, pp. 206–217. Query Answering with Spatial Crowdsourcing,” in Proceedings of [50] A. Bag and M. A. Bassiouni, “Hotspot Preventing Routing algorithm the 21st ACM SIGSPATIAL International Conference on Advances in for delay-sensitive applications of in vivo biomedical sensor networks,” Geographic Information Systems, 2013, pp. 314–323. Information Fusion, vol. 9, no. 3, pp. 389–398, 2008. [76] C. Shahabi, “Towards a Generic Framework for Trustworthy Spatial [51] R. Kamal, M. Rahman, and C. S. Hong, “A lightweight temperature Crowdsourcing,” in MobiDE, Jun 2013, pp. 1–4. scheduling routing algorithm for an implanted sensor network,” in [77] X. Sheng, J. Tang, X. Xiao, and G. Xue, “Sensing as a Service: International Conference on ICT Convergence, Sep 2011, pp. 396–400. Challenges, Solutions and Future Directions,” IEEE Sensors Journal, [52] A. Bag and M. Bassiouni, “Energy Efficient Thermal Aware Routing vol. 13, no. 10, pp. 3733–3741, Oct 2013. Algorithms for Embedded Biomedical Sensor Networks,” in IEEE [78] Y. Zhang, N. Meratnia, and P. Havinga, “Outlier Detection Techniques International Conference on Mobile Adhoc and Sensor Systems (MASS), for Wireless Sensor Networks: A Survey,” IEEE Communications Sur- Oct 2006, pp. 604–609. veys Tutorials, vol. 12, no. 2, pp. 159–170, 2010. [53] O. Kocabas and T. Soyata, “Medical Data Analytics in the cloud [79] B. 
Kantarci, K. G. Carr, and C. D. Pearsall, “SONATA: Social Network using Homomorphic Encryption,” in Handbook of Research on Cloud Assisted Trustworthiness Assurance in Smart City Crowdsensing,” Intl. Infrastructures for Big Data Analytics, P. R. Chelliah and G. Deka, Eds. Journal of Distributed Systems and Technologies, vol. 7, no. 1, pp. 64– IGI Global, Mar 2014, ch. 19, pp. 471–488. 84, Jan-Mar 2016. [54] A. Page, O. Kocabas, T. Soyata, M. K. Aktas, and J. Couderc, “Cloud- [80] B. Kantarci, P. M. Glasser, and L. Foschini, “Crowdsensing with social Based Privacy-Preserving Remote ECG Monitoring and Surveillance,” network-aided collaborative trust scores,” in IEEE Global Communica- Annals of Noninvasive Electrocardiology (ANEC), vol. 20, no. 4, pp. tions Conference (GLOBECOM), Dec 2015. 328–337, 2014. [81] A. Page, T. Soyata, J. Couderc, and M. K. Aktas, “An Open Source ECG [55] National Institute of Standards and Technology, “Advanced encryption Clock Generator for Visualization of Long-Term Cardiac Monitoring standard (AES),” Nov 2001, FIPS-197. Data,” IEEE Access, vol. 3, pp. 2704–2714, Dec 2015. [56] D. Hankerson, A. J. Menezes, and S. Vanstone, Guide to elliptic curve [82] A. Page, T. Soyata, J. Couderc, M. Aktas, B. Kantarci, and S. Andreescu, cryptography. Springer Science & Business Media, 2006. “Visualization of Health Monitoring Data acquired from Distributed [57] J. A. Akinyele, C. Garman, I. Miers, M. W. Pagano, M. Rushanan, Sensors for Multiple Patients,” in IEEE Global Telecommunications M. Green, and A. D. Rubin, “Charm: a framework for rapidly proto- Conference (GLOBECOM), San Diego, CA, Dec 2015. typing cryptosystems,” Journal of Cryptographic Engineering, vol. 3, [83] F. Pedregosa et al., “Scikit-learn: Machine learning in Python,” Journal no. 2, pp. 111–128, 2013. of Machine Learning Research, vol. 12, pp. 2825–2830, 2011.