
Proc. 3rd Conf on Information and Communication Technologies: From Theory to Applications, 2008. ICTTA 2008.

Publication Date: 7-11 April 2008, pp 1-6, Damascus, Syria. ISBN: 978-1-4244-1751-3, INSPEC Accession Number: 10053429, Digital Object Identifier: 10.1109/ICTTA.2008.4530274 Current Version Published: 2008-05-23

Threat Assessment of Wireless Patient Monitoring Systems


Wolfgang Leister, Habtamu Abie, Arne-Kristian Groven, Truls Fretland
Norsk Regnesentral Oslo, Norway {wolfgang.leister, habtamu.abie, arne-kristian.groven, truls.fretland}@nr.no

Ilangko Balasingham
Interventional Center Rikshospitalet University Hospital Oslo, Norway ilangkob@ulrik.uio.no

Abstract: We address issues related to threat assessment of mobile patient monitoring systems using a wireless infrastructure including body area biomedical sensor networks. Several user scenarios are presented. Patient-sensitive data, a mobile and wireless infrastructure, and resource-constrained sensor nodes make it a challenging task to fulfil minimum requirements for security, privacy, reliability of the data, and availability of the system. We have therefore studied threats associated with both short-range and long-range mobile wireless communication infrastructures, and present security requirements and recommendations for such systems. Emphasis is given to applications that employ a wireless infrastructure, such as biomedical sensor networks. In this work we present an informal threat assessment of mobile patient monitoring systems used in several scenarios.

Keywords: biomedical sensor networks; threat assessment; wireless; patient monitoring; healthcare; security

I. INTRODUCTION

Wireless technologies in health care can be used to eliminate the use of cables, which gives advantages for patients and personnel. Mobile hand-held devices such as personal digital assistants and laptops can be used by medics and ambulance personnel, and these devices can also facilitate communication with servers of health care enterprises. Long-range and short-range wireless communication technologies are employed to facilitate information exchange. Biomedical sensors are increasingly used to monitor biological parameters in tissues and organs, and to detect abnormal biological changes. We use the term biomedical sensor in our work since the term biosensor refers to a device for the detection of an analyte that combines a biological component with a physiochemical detector component. Biosensors consist of a sensitive biological element, a transducer, and a physiochemical detector element. Biomedical sensor networks often comprise tiny, low-cost wireless electronic devices, capable of gathering environmental information and forwarding it to a base station. The limited computational and communication capabilities that their reduced cost and size enforce introduce many resource-related challenges in their function, efficiency, and security. Threats may compromise system security with fatal consequences to the patient, the health care enterprise, and third parties. Confidentiality is needed in the environment of the sensors to protect information travelling between the sensor nodes of the network, or between the sensors and the base station, from disclosure. It is also essential for each sensor node and base station to be able to verify that a received message was really sent by a trusted sender and not by an adversary that tricked legitimate nodes into accepting false data. Sensor applications for healthcare monitoring rely on the integrity of the information to function with accurate outcomes. Sensor applications are also threatened by message replay attacks, where an adversary captures messages exchanged between nodes and replays them later to cause confusion in the network. Work has been done on security in wireless sensor networks [1], [2]; however, many challenges still remain. There are still many unsolved security issues, e.g., concerning the integrity of the collected data and the privacy of the patient [3], [4]. Threat assessment of wireless patient monitoring systems is the main topic of this paper, based on experiences from previous and ongoing projects. The form of the threat assessment is informal, and for each threat we identify possible countermeasures, which lead to the security requirements.

This work is funded by the SAMPOS project in the VERDIKT programme of the Norwegian Research Council, and is in the context of the EU project IST-33826 CREDO: Modeling and analysis of evolutionary structures for distributed services.

II. PATIENT MONITORING SYSTEMS

Wireless patient monitoring systems and biomedical sensor networks can be applied in a variety of health care scenarios, in a range of paramedic, diagnostic, surgical, and post-operative phases. In order to articulate the security requirements we identify three important scenarios: (1) the hospital scenario (using an array of biomedical sensors in the diagnostic, surgical, and post-operative phases), (2) nursing and citizen homes (patients equipped with wireless biomedical sensors that trigger alarms; surveillance of patients after being discharged from hospital), and (3) the paramedic scenario. We derive our security model for patient monitoring systems from the work done in [5], which is based on several demonstrators including the FieldCare demonstrator (emergency site) [6], the WiSMoS demonstrator (post-operative monitoring) [7], and the blood-glucose demonstrator (home-situation monitoring) [8]. These demonstrators have in common that medical data from a patient are collected by biomedical sensors and forwarded to a data collector, which forwards the data to the hospital information system. Health care personnel can access data directly or via the hospital infrastructure.

A. A Model for Wireless Patient Monitoring Systems

The security architecture is based on a generic system model developed for all demonstrator systems mentioned above. This generic system model, shown in Fig. 1, contains components and channels. In a concrete instance of this model, each component can be realized by means of several physical components, and a physical component can realize several components. The mapping of the components to the physical components of a concrete instance can therefore imply the necessity of security requirements additional to those identified for the generic model.

[Figure 1 (image not reproduced): boxes for the patient with biomedical sensors (inside the BSN), the Patient data collector, the ID data mapper, the HC information system, the Patient data accessing unit, and the medical staff, connected by channels A, B, E, and G.]

Figure 1: The Generic System Model with components (boxes) and channels (arrows). The green markers denote channels that must be protected.

The components of the generic system model include:

Source, which denotes sources of patient data, e.g., sensors, storage units, or user input devices. Each source is connected, physically or logically, to only one patient at a time. The source is assumed to have very limited capabilities of protecting the communication, e.g., there might be no possibility of authenticating the receiver properly.

Patient Data Collector (PDC), which collects patient data from one or more sources and sends these data to a patient data forwarder and/or directly to a PDC. The PDC is a trusted entity that can handle unencrypted, personally identifiable patient data.

Health Care Information System (HCIS), which receives patient data for processing or storage. The HCIS may forward patient data to a PDAU.

Patient Data Accessing Unit (PDAU), which receives patient data and presents them to the medical staff.

ID-data mapper, which determines the identity of the patient to whom patient data pertain and sends the identity to the PDC or the HCIS.

The generic model includes the following channels: Channel A, between the source and the PDC, is based on short-range wired and/or wireless communication links; Channel A might be implemented by a wireless biomedical sensor network. Channel B is a long-range wired or wireless communication link, possibly over a public network, e.g., GSM, GPRS or PSTN networks. Channel D may be implemented as any type of communication link, possibly over a public network. Channel E may be an internal interface or a wired/wireless short-range communication link. Long-range communication between PDC and PDAU should be provided via the HCIS. Channel G is implemented as an internal interface in one of the components used to retrieve the patient identity.

B. Communication Based on Public Networks

For long-distance communication, public networks based on different technologies (GSM, GPRS, UMTS, WiMAX, etc.) are used, which includes the transfer of data through the networks of providers who are part of the secure infrastructure of health care enterprises. In this scenario Channels B or D can be implemented with these technologies.

C. Communication Based on Bluetooth

Bluetooth technology is emerging as a communication technology for parts of the wireless infrastructure for short-range communication. In our scenarios (parts of) Channels A, B, D, or E can be implemented using Bluetooth with a point-to-point connection. The identification of security-related properties of Bluetooth is elaborated in [9].

D. Wireless Biomedical Sensor Networks

Biomedical sensor networks can be a part of a patient monitoring system, located as the source, (parts of) Channel A, and possibly the PDC. We derive specific scenarios for biomedical sensor networks from Case Study 2 of the CREDO project [10]. A sensor network may consist of a large number of sensor nodes and sink nodes, which are connected by a wireless medium using single-hop or multi-hop communication. The data flow is from the sensor to a sink node, which communicates the data to a gateway. The capabilities of these nodes are limited due to size, cost, memory, and battery lifetime constraints, with the result that resource-intensive algorithms cannot be performed on an individual node. Note that some security-related functionality requires resources beyond the capabilities of biomedical sensors. A biomedical sensor is an electronic device which performs the tasks of sensing, processing, sending, and/or receiving biomedical data. From a data-flow perspective, a generic biomedical sensor node can be decomposed into four abstract parts: sensor, receiver, processing unit, and transmitter. Technically, a sensor node is built up of a microcontroller unit (MCU), memory (RAM, ROM), a wireless communication device, biomedical sensors, and a power supply (battery). The functionality of a biomedical sensor is controlled by software, usually consisting of firmware, an operating system, and specific application software for treating the biomedical signals and their transfer. Different biomedical sensors can produce measurements for different kinds of biomedical data, such as electrocardiogram (ECG), electroencephalography (EEG), blood oxygen saturation, blood pressure, and temperature. The biomedical sensor data consist of one or several tracks of sampled measured values, supplemented with administrative data, e.g., a time-stamp and the identity of the sensor. The biomedical sensor data must be protected against modification and deletion. While it is necessary to implement a detection mechanism for modification and deletion, the reconstruction of data destroyed by an attacker would be desirable in order to provide availability of the data.

In a biomedical sensor network using single-hop communication, the scenario is restricted to one biomedical sensor and one receiver (gateway) of data, using solely one hop for data communication. In this scenario we concentrate on identifying threats from the biomedical sensor node, the data, and the wireless communication. In a biomedical sensor network using multi-hop communication, several nodes are used for communication. Additional complexity is introduced through routing, aggregation of data, and data of several patients in one network. In a third scenario biomedical sensor networks are embedded into the enterprise infrastructure as shown in the generic model. Issues of identity of sensors, actors, patients and data, initialization procedures, and emergency procedures are the focus of this scenario.

III. SECURITY REQUIREMENTS

From the list of security requirements for patient monitoring systems identified in [11] we derive requirements for the overall patient monitoring system, and specifically for the biomedical sensor network.

A. Security Requirements for Patient Monitoring Systems

For all channels, personally identifiable patient data shall be protected from eavesdropping and integrity-protected when transmitted across open networks, in order to provide confidentiality and integrity. Additionally, Channels D and E shall authenticate the user; Channel D shall additionally authenticate the HCIS, and Channel E shall authenticate the PDC. All components where unencrypted data are handled shall deny unauthorized access of any kind (view, insert, transform, delete of patient data). The HCIS is a part of the hospital infrastructure and shall therefore in addition: (1) verify the integrity of patient data, (2) authenticate the PDC, (3) know the identity of the patient to whom the patient data pertain, and (4) know the type of source used to produce the patient data. The PDAU shall, in addition to the requirements for all components, verify the integrity of the patient data. For all components where emergency access functionality is available, the invocation of emergency access shall override the restriction on read access. For all components except the source, an emergency access shall trigger extended monitoring of relevant events to enable the detection of unnecessary access.

B. Security Requirements Specific to Biomedical Sensor Networks

Since the source has limited storage, the source shall not store data longer than necessary. Due to limited battery capacity, unnecessary communication shall be avoided. The communication on Channel A must be treated differently from the other channels, since the possibility for strong security is limited. We cannot assume that a source is capable of authenticating itself. Therefore communication on Channel A shall be short-range, while the transmitted data shall be protected from eavesdropping. Integrity protection of the transmitted data is necessary, since interference from other medical instruments is possible. The connection between source and PDC shall be manually initiated, i.e., a human actor determines by means of a defined procedure which sources and PDCs shall communicate. Automatic roaming to other PDCs shall not be allowed. The PDC shall, in addition to the requirements for all components: (1) verify the correct identity of the source, (2) not modify the patient data, except for aggregation or other defined transformations, and (3) not store data longer than necessary to ensure successful transmission of the patient data. To provide flexibility we must consider security challenges for software upgrades via the wireless network, reconfiguration, self-organization, and device mobility (e.g., handovers on different layers). Configuration control (e.g., checking whether versions of hardware and software fit together, verifying whether the patient is in the correct situation) shall be employed.
Aspects of availability are often neglected. These include scalability (growing sensor networks might not scale as the number of sensor nodes or their data rate increases), quality of service (mechanisms to provide an agreed QoS regarding parameters such as network bandwidth, data throughput, signal quality, response time, latency, packet delivery rate, and jitter), and power consumption (a power outage may compromise the availability of data, and thus threaten the patient). In complex communication environments, mechanisms should be employed to mitigate interference from coexisting wireless networks and various medical applications. Robust error detection and correction algorithms should be used in packet transmission procedures.

IV. THREAT ASSESSMENT

The main objective of the security and privacy solutions for wireless patient monitoring systems is to provide services for confidentiality, privacy, integrity, availability and non-repudiation.

Data confidentiality and privacy ensure that health care data remain private and will not be disclosed without the consent or permission of the owner of the data. Integrity of health data is maintained by ensuring that data are accurate, complete, and trustworthy. Availability provides reliable access to health care data by authorized persons with a legitimate need. Non-repudiation guarantees that an individual or entity cannot later deny having performed a particular action related to health care data. The general threats and attacks against these security objectives are eavesdropping (listening to communication channels), denial of service (making health care computer resources unavailable to their intended users), masquerading (an entity pretending to be a different entity, for unauthorized access or forgery of health care data), and disclosure (disclosing health care data). When identifying threats to wireless patient monitoring systems, it is customary to take into account the different abstraction levels and components of the system in order to have a holistic view of threats to the overall system. At the stakeholder and application level, the generic threat model includes that a company's stakeholders (employees, consultants, shareholders, etc.) who access sensitive health care data records are not trusted. This is because the stakeholders may be careless in their use and distribution of data, their software might be untrustworthy (e.g., compromised), or a stakeholder may be dishonest. Such lack of trust implies strong control on both the client side and the server side as a requirement, which propels health care security into the realm of trusted computing. At the communication level, the identification of threats builds on the trust assumption that wireless communication is based on broadcast principles, and hence cannot be trusted without extra infrastructural measures.

A. Patient monitoring systems

For the components, the threats and associated factors identified in [5] include (1) compromised or fake components (physical or logical attack), (2) destroyed, malfunctioning, lost, or stolen components, (3) software errors (e.g., failure in security mechanisms, routing, etc.), (4) misuse of emergency access, and (5) denial of service attacks (physical or logical attacks, bad quality, accidents, etc.). For the channels they identified: (6) compromised or fake (components of the) communication infrastructure (physical or logical attack), (7) unstable communication infrastructure (physical or logical attack, bad quality, accidents), and (8) eavesdropping on communication. These threats and vulnerabilities may lead to the unwanted consequences that information or equipment becomes unavailable, incorrect information is received (medical data, patient identity, sensor type, etc.), sensitive information is leaked, or damage is done to the patient, operators, or equipment. Recent studies, like those from the CSIRO Preventive Health Flagship, have also identified the accidental disclosure of individuals (medium risk), linking data records to the wrong people and/or for the wrong reasons (very high risk), the incorrect use of data or use of data for the wrong project or purpose (medium to high risk), missing knowledge of or control over one's own data (medium to high risk), and not following the privacy principles and local policies (low to medium risk). This study has further identified the main threats as perceived by the public, which include: abuse of genetic data (e.g., disclosure to insurance companies), release of sensitive information (e.g., sexual or mental health), governmental control of personal data, use of data without an individual giving explicit consent (primarily for research purposes), poor data integrity (information inaccurately recorded or records mismatched), and inadequate safeguards (any access by unauthorized people).

B. Biomedical Sensor Networks

The general threats to biomedical sensor networks can be characterized at the following levels: (1) the entity level, (2) the network level, (3) the routing and forwarding level, and (4) the specific protocol level. Any adversary can potentially eavesdrop on the traffic, inject new messages, and replay or change previous messages. The biomedical sensors do not trust each other, while each sensor node trusts itself. Base stations (gateways) are assumed not to be compromised; however, compromising them could render the entire sensor network useless. Thus the base stations are a necessary part of the trusted computing base, and all sensor nodes trust the base station. A sensor network should be both preventive of and resilient to severe types of attacks regarding both control traffic and data traffic. Typical examples of control traffic are routing, monitoring whether a node is awake, asleep, or dead, topology discovery, and distributed location determination. Control traffic attacks include blackhole attacks, wormhole attacks [12], rushing attacks [13], sybil attacks and compromised sensors [14], [15], sinkhole attacks [16], and HELLO flood attacks [16].
Control attacks are especially dangerous because they can be used to subvert the functionality of the routing protocol and create opportunities for a malicious node to launch data traffic attacks, such as dropping all or a selected subset of data packets. A sensor network should be both preventive of and resilient to severe attacks such as the wormhole attack, the Sybil attack, and compromised sensors [17]. While secure routing ensures that data are forwarded to the correct recipient, it does not include confidentiality or protection against replay attacks, which could be caused by underlying spoofed, altered, or replayed routing information, selective forwarding, acknowledgement spoofing, and the attacks mentioned above. Specific sensor protocols can have weaknesses that can be exploited. A relevant selection includes TinyOS beaconing (in an attack, any node can claim to be a base station, which can compromise the entire network) and laptop-class attacks (an attacker using laptops can mount wormhole and sinkhole attacks even if the routing updates are authenticated). Laptop-class attackers could also use a HELLO flood attack against the whole network, which will make all nodes mark the laptop as their parent, while the radio range of the nodes does not reach it, and mote-class attackers can create routing loops. At the sensor node level, attacks could potentially change settings in a sensor or transmitter unit, its software or data, resulting in a threat. Consequences might be exposure to increased heating (e.g., of tissue) or radiation from the device. The general attacks by a malicious entity can therefore be classified as: generating fake emergency warnings, preventing legitimate warnings from being reported, battery power depletion, excessive heating in the tissue of the patient, and radiation from the entity.

C. Short-range communication via Bluetooth

The threats analyzed above also apply to Bluetooth. Bluetooth employs rather weak encryption, based on the assumption that the communication is short-range. However, this argument is questionable, since well-equipped attackers using signal amplification and directional antennae can enlarge the communication range substantially. Also the fact that Bluetooth devices often are very mobile and can contact many other Bluetooth devices at short range while passing by is a substantial threat. Note that the equipment might also be exposed to social engineering. The sole secret credential in a Bluetooth network is the PIN code of the device. While weaknesses in the cryptographic protocol can be neglected, there are different implementation weaknesses in the equipment of some vendors. When these are exploited, devices and sessions can be taken over by an intruder. Attacks include bluejacking, attacks on the link layer, snarf attacks, backdoor attacks, and BlueBug [9].

D. Long-range Communication

Long-range communication using a third-party provider is subject to the threats analyzed above. Since communication over SMS is not reliable, the use of IP over GPRS, EDGE, 3G, or similar technologies is recommended. An encryption scheme and intrusion detection must be employed in order to provide privacy.
Note that the risk of attacks differs depending on whether an attack affects one patient or many patients. While there are several PKI solutions available, the use of keys stored in the SIM cards reflects the security needs of mobile patient monitoring systems. More details on a risk analysis of long-range communication for one of the demonstrators can be found in [8].

E. Countermeasures

The following possible countermeasures can be used against the general threats and attacks. Protocol modifications adding anti-clogging messages and then blacklisting originators of bogus messages can be used to prevent denial of service attacks. In the case of disclosure, an appropriate countermeasure is to set up secure channels using encryption. A signature or message authentication code can be used to protect message integrity and to authenticate the origin of a message, in order to counter message modification attacks. In order to counter a replay attack, a sequence number can be added to the message so that previously processed messages are dropped.
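The message authentication code, the sequence number, and the detection of deleted data required in Section II.D can be combined in one frame format. The following is an added example written for this page, not code from the paper or from any of the demonstrators: a sensor node builds a frame of sampled values plus sensor identity, counter and time-stamp, tags it with a truncated HMAC under a per-node key shared with the base station, and the base station rejects forged, modified and replayed frames and reports gaps in the counter as missing (deleted) frames. The key value, sensor identifier, tag length, header layout and sample values are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed values for the example: per-node key shared with the base station,
# the node's identity, and the length of the truncated tag carried in each frame.
NODE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SENSOR_ID = 0x0017
MAC_LEN = 8

# Assumed frame header: sensor id (16 bit), sequence counter (32 bit), time-stamp in
# seconds (32 bit), number of 16-bit samples that follow.
HEADER = struct.Struct("!HIIB")


def mac_tag(key, body):
    """Truncated HMAC-SHA256 over header and samples (assumed tag construction)."""
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(key, sensor_id, seq, timestamp, samples):
    """Sensor side: header, samples and tag; the counter must increase per frame."""
    body = HEADER.pack(sensor_id, seq, timestamp, len(samples))
    body += struct.pack("!%dh" % len(samples), *samples)
    return body + mac_tag(key, body)


class BaseStation:
    """Receiver side: verifies origin and integrity, rejects replays, reports gaps."""

    def __init__(self, keys):
        self.keys = keys          # sensor id -> shared key
        self.last_seq = {}        # sensor id -> highest accepted counter

    def receive(self, frame):
        if len(frame) < HEADER.size + MAC_LEN:
            return "rejected: truncated", None
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        sensor_id, seq, timestamp, count = HEADER.unpack_from(body)
        key = self.keys.get(sensor_id)
        if key is None:
            return "rejected: unknown sensor", None
        # Check the tag before trusting anything else in the frame.
        if not hmac.compare_digest(tag, mac_tag(key, body)):
            return "rejected: bad MAC", None       # forged or modified
        if len(body) != HEADER.size + 2 * count:
            return "rejected: length mismatch", None
        last = self.last_seq.get(sensor_id, -1)
        if seq <= last:
            return "rejected: replay", None         # an old counter value re-sent
        self.last_seq[sensor_id] = seq
        samples = struct.unpack("!%dh" % count, body[HEADER.size:])
        missing = seq - last - 1 if last >= 0 else 0   # frames deleted or lost in between
        status = "accepted" if missing == 0 else "accepted, %d frame(s) missing" % missing
        return status, {"sensor_id": sensor_id, "seq": seq, "timestamp": timestamp,
                        "samples": samples, "missing": missing}


def demo():
    """Constructed exchange: two good frames, a replay, a tampered frame, a gap, a forgery."""
    station = BaseStation({SENSOR_ID: NODE_KEY})
    ecg = [102, 98, -5, 240]                               # constructed ECG samples
    f1 = build_frame(NODE_KEY, SENSOR_ID, 1, 1000, ecg)
    f2 = build_frame(NODE_KEY, SENSOR_ID, 2, 1001, ecg)
    f3 = build_frame(NODE_KEY, SENSOR_ID, 3, 1002, ecg)
    f5 = build_frame(NODE_KEY, SENSOR_ID, 5, 1004, ecg)    # frames 3 and 4 never arrive
    tampered = bytearray(f3)
    tampered[HEADER.size] ^= 0xFF                          # flip bits in the first sample
    forged = build_frame(b"attacker guess", SENSOR_ID, 6, 1005, ecg)
    return [station.receive(f)[0] for f in (f1, f2, f1, bytes(tampered), f5, forged)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The gap report only detects deletion; it cannot reconstruct the missing frames, which is the availability limitation noted in Section II.D. A per-node key also gives the PDC the source identity it must verify on behalf of the HCIS (Section V).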

Countermeasures to avoid attackers exploiting weaknesses of the protocols or infrastructure include [16]: (a) link layer encryption and authentication with a common symmetric key, which prevents most outsider attacks, since an adversary cannot join the topology; (b) preventing replay attacks by using a packet counter; (c) encryption. Note that an insider cannot be prevented from participating in the operations of the network, and hence can masquerade as any node, which implies as a further countermeasure that (d) identities should be verified. However, since public keys cannot be used due to resource limitations, a solution might build on the use of unique symmetric keys which the nodes share with their base station. Further countermeasures include (e) limiting the number of neighbors per node, so that an attacker cannot form symmetric keys with every node, (f) restricting the structure of the network topology, (g) identifying HELLO floods by verifying the bi-directionality of the link, and (h) identifying wormhole attacks by geographic routing.

V. SECURITY RECOMMENDATIONS
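The HELLO flood of Section IV.B relies on the asymmetry between a laptop-class transmitter and a mote's own radio range, and countermeasure (g) rejects a neighbor that cannot prove it hears the node. The following simulation is an added example, not code from the paper or from [16]: radios are placed on a plane, a HELLO is heard by every radio within the sender's transmit range, and a node accepts a neighbor only if a challenge sent at the node's own power is echoed back. The neighbor cap of countermeasure (e) is applied as well. Positions, ranges and the cap are constructed values.

```python
import math

MAX_NEIGHBORS = 4   # constructed cap for countermeasure (e)


class Radio:
    """A radio at (x, y) whose transmissions reach every radio within tx_range metres.
    Receivers are modelled as unlimited: a mote hears any transmitter that reaches it."""

    def __init__(self, name, x, y, tx_range):
        self.name, self.x, self.y, self.tx_range = name, x, y, tx_range
        self.neighbors = []


def can_hear(receiver, sender):
    return math.hypot(receiver.x - sender.x, receiver.y - sender.y) <= sender.tx_range


def link_is_bidirectional(node, claimant):
    """Countermeasure (g): the node sends a challenge at its own power; only a claimant
    that actually hears the node can echo it, so a HELLO from a strong but distant
    transmitter is never acknowledged."""
    return can_hear(claimant, node)


def run_discovery(radios, verify_bidirectional):
    """Every radio broadcasts HELLO; each hearer decides whether to adopt the sender."""
    for r in radios:
        r.neighbors = []
    for sender in radios:
        for node in radios:
            if node is sender or not can_hear(node, sender):
                continue
            if verify_bidirectional and not link_is_bidirectional(node, sender):
                continue
            if len(node.neighbors) >= MAX_NEIGHBORS:   # countermeasure (e)
                continue
            node.neighbors.append(sender.name)


def hello_flood_victims(radios, attacker_name):
    """Motes that would route through the attacker after discovery."""
    return sorted(r.name for r in radios
                  if r.name != attacker_name and attacker_name in r.neighbors)


def build_topology():
    """Constructed layout: six motes in a cluster with 10 m range, one mote standing next
    to the attacker, and a laptop-class attacker 200 m away with a 500 m transmitter."""
    positions = [(0, 0), (8, 0), (16, 0), (24, 0), (0, 8), (8, 8), (195, 0)]
    motes = [Radio("m%d" % i, x, y, 10) for i, (x, y) in enumerate(positions, 1)]
    return motes + [Radio("laptop", 200, 0, 500)]


def compare():
    """Victims of the flood without and with the bi-directionality check."""
    radios = build_topology()
    run_discovery(radios, verify_bidirectional=False)
    naive = hello_flood_victims(radios, "laptop")
    run_discovery(radios, verify_bidirectional=True)
    verified = hello_flood_victims(radios, "laptop")
    return naive, verified


if __name__ == "__main__":
    naive, verified = compare()
    print("without check:", naive)
    print("with check:   ", verified)
```

The one mote standing 5 m from the laptop still accepts it, because that link really is bi-directional; the check defeats the range asymmetry, not a nearby insider, which is why the paper also lists identity verification (d) with keys shared with the base station.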

Based on the informal analysis of threats and security requirements we have proposed security recommendations for the overall system, which can be found in [11]. A security architecture must address patient identification and identity management of patients, devices and personnel. Other elements include device administration (which requires key distribution), user administration, authorization policy, mandatory encryption for data stored on mobile devices, communication encryption, communication and data source authentication, data manipulation detection, and logging of critical events. For the sake of scalability, authorization schemes must be role-based (as opposed to being individual-based). The authorization database stores information about roles and their assigned privileges, which might be constrained by contextual information. Session keys are preferably generated during the authentication protocol, while confidentiality is established through encryption, and integrity is established through a signature generation service. Since the HCIS cannot authenticate all sources, e.g., biomedical sensors, these sources must be authenticated by proxy, i.e., the PDC identifies the source, and guarantees its authenticity towards the HCIS. The security components are distributed over several components in the generic model. These components include (1) the key generation service for session keys; (2) security protocols that support authentication, confidentiality, integrity, key agreement, and the associated cryptographic algorithms; (3) signature generation and verification services, along with a local storage for credentials and keys; (4) access enforcement services for both users and system components; (5) the log collector to collect metadata about events; and (6) front-ends for various services, such as security administration and authentication. Bluetooth as a technology could be employed in all channels. 
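The emergency access requirement of Section III.A (override the read restriction, then extend monitoring) and the role-based, context-constrained authorization described above fit in one access enforcement service. The following is an added example, not code from the paper's architecture: the roles, privileges, ward attribute and monitoring window are hypothetical. Under the assumption made here, the break-glass path lifts only the contextual restriction on reading patient data, never a missing role privilege or a write, and every event by that user is flagged for the log collector for a fixed window afterwards.

```python
from dataclasses import dataclass, field

# Hypothetical authorization database (not from the paper): role -> privileges as
# (action, resource type) pairs. The contextual constraint used below is ward assignment.
ROLE_PRIVILEGES = {
    "physician": {("view", "patient_data"), ("insert", "patient_data")},
    "nurse": {("view", "patient_data")},
    "technician": {("view", "device_config"), ("transform", "device_config")},
}
EXTENDED_MONITORING_TICKS = 50   # assumed window during which a break-glass user's events stay flagged


@dataclass
class Request:
    user: str
    roles: tuple
    action: str        # view | insert | transform | delete
    resource: str      # patient_data | device_config
    patient_ward: str  # ward the record belongs to
    user_ward: str     # ward the user is currently assigned to (contextual attribute)
    emergency: bool = False


@dataclass
class AccessEnforcer:
    """Access enforcement service with role check, context constraint and break-glass."""
    clock: int = 0                                    # logical time, one tick per request
    log: list = field(default_factory=list)           # events handed to the log collector
    watch_until: dict = field(default_factory=dict)   # user -> last tick under extended monitoring

    def _record(self, kind, req):
        self.log.append({
            "tick": self.clock, "kind": kind, "user": req.user,
            "action": req.action, "resource": req.resource, "patient_ward": req.patient_ward,
            "extended": self.watch_until.get(req.user, -1) >= self.clock,
        })

    def decide(self, req):
        self.clock += 1
        role_ok = any((req.action, req.resource) in ROLE_PRIVILEGES.get(r, ())
                      for r in req.roles)
        context_ok = req.patient_ward == req.user_ward
        if role_ok and context_ok:
            self._record("granted", req)
            return True
        if req.emergency and req.action == "view" and role_ok:
            # Break-glass: lifts only the contextual restriction on reading, and starts
            # extended monitoring so unnecessary access can be detected afterwards.
            self.watch_until[req.user] = self.clock + EXTENDED_MONITORING_TICKS
            self._record("emergency_access", req)
            return True
        self._record("denied", req)
        return False


def demo():
    """Constructed sequence: a nurse assigned to ward-3 handles a ward-7 patient."""
    pdp = AccessEnforcer()
    nurse = dict(user="n.olsen", roles=("nurse",), resource="patient_data", user_ward="ward-3")
    decisions = [
        pdp.decide(Request(action="view", patient_ward="ward-3", **nurse)),
        pdp.decide(Request(action="view", patient_ward="ward-7", **nurse)),
        pdp.decide(Request(action="view", patient_ward="ward-7", emergency=True, **nurse)),
        pdp.decide(Request(action="insert", patient_ward="ward-7", emergency=True, **nurse)),
        pdp.decide(Request(action="view", patient_ward="ward-3", **nurse)),
    ]
    return decisions, [e["kind"] for e in pdp.log], [e["extended"] for e in pdp.log]


if __name__ == "__main__":
    print(demo())
```

The flagged events are what the HCIS reviews later to judge whether the emergency access was necessary; the source is exempt from this extended monitoring in the requirements because it has no storage or log collector of its own.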
Confidentiality protection of a Bluetooth channel may be provided by the Bluetooth link-layer encryption functionality. Though this encryption functionality has some weaknesses, it is considered sufficient because of the rather short communication range (but see the caveat in Section IV.C on attackers extending that range with amplification and directional antennae). Establishment of a shared secret key between the Source and the Patient Data Collector is considered sufficient to ensure authentication with respect to the traffic between them. When security mechanisms are not offered, e.g., when using a channel over a public network, application layer mechanisms should be employed, e.g., using the encryption possibilities offered by application layer protocols. For biomedical sensor networks, the fact that the medium is a broadcast channel, and that minimal energy consumption is an issue, makes it necessary that the security mechanisms are carefully designed. Security mechanisms like encryption use extra computing cycles (and therefore consume energy), as does the transfer of unnecessary data. Wherever a sufficient security mechanism is offered at lower layers in the communication stack, it should be employed, since such mechanisms are better fitted to the utilized technology than higher-level mechanisms. However, there should be a minimal set of mechanisms at the application level that protect the data. While the relationship between the patient and the patient data must be given at all times, it is not recommended that the patient identification be transmitted on unsecured media. In this case the relationship between patient and patient data is achieved by authenticating the device or sensor.

VI. CONCLUSIONS AND FUTURE WORK

We have identified threats and derived from them security requirements that are important for the deployment of patient monitoring systems using biomedical sensor networks. These requirements address infrastructural, administrative, and technical measures. Technical and infrastructural measures are applied to the different medical scenarios so that wireless monitoring systems can be securely used, for instance, in hospitals, at accident sites, and in home-care monitoring situations. Threats at different levels have been scrutinized for mobile patient monitoring systems using long-range wireless communication via third-party providers (GPRS) and short-range wireless sensor networks. Based on the threat assessment, a set of security requirements has been identified, and recommendations have been suggested for the overall patient monitoring system. The medical data can be considered as multimedia data, where the data are aggregated over a period of time and bundled with patient identity and communication system configuration information. This means that multimedia standards such as the MPEG-21 multimedia framework (ISO/IEC 21000) could be used for data security. Due to resource constraints in sensor networks, the usability and adaptability of MPEG-21 in sensor networks remain to be seen.

ACKNOWLEDGMENT

Parts of this work build on work in the WsHC project of the Norwegian Research Council by Jon Ølnes, Ragni Ryvold Arnesen, Shahrzade Mazaher, Per Røe, Hans Jakob Rivertz, and others.

REFERENCES

[1] H. Yang, H. Luo, S. Ye, S. Lu, L. Zhang: Security in mobile ad hoc networks: Challenges and solutions, IEEE Wireless Communications, 11(1), pp. 38-47, 2004.
[2] R. Savola, J. Holappa: Self-measurements of the information security level in a monitoring system based on mobile ad hoc networks, Proc. of the 3rd International Workshop in Wireless Security Technologies (IWWST'05), 2005.
[3] R.S.H. Istepanian, E. Jovanov, Y.T. Zhang: Introduction to the special section on M-Health: Beyond seamless mobility and global wireless health-care connectivity, IEEE Transactions on Information Technology in Biomedicine, 8(4), pp. 405-414, 2004.
[4] L. Schwiebert, S.K.S. Gupta, J. Weinmann: Research challenges in wireless networks of biomedical sensors, Mobile Computing and Networking, 2001.
[5] R. Arnesen, J. Danielson, I. Vestgården, J. Ølnes: Wireless Health & Care security architecture, NR Report No. 1006, Norsk Regnesentral, 2005.
[6] S. Mazaher: Security architecture of the FieldCare Demonstrator, Research Note DART/06/05, Norsk Regnesentral, 2005.
[7] P. Røe, J. Ølnes, A. Larsen, I. Balasingham, K. Øyri: Wireless Health & Care security architecture - the wireless instrumentation demonstrator WiSMoS, Research Note DART/07/05, Norsk Regnesentral, 2005.
[8] P. Røe, J. Ølnes, O. Walseth: Wireless Health & Care security architecture - the blood glucose demonstrator, Research Note DART/09/05, Norsk Regnesentral, 2005.
[9] H.J. Rivertz: Bluetooth security, Research Note DART/05/05, Norsk Regnesentral, 2005.
[10] I. Balasingham, M. Kyas, W. Leister, X. Liang, B.M. Østvold, A. van Rossum, A. Salden, M. Steffen, J.M. Valk: Deliverable D6.1 - User driven requirements, CREDO, Project number 33826, funded by the European Commission, 2007.
[11] R. Arnesen, J. Danielsson, J. Vestgården, J. Ølnes: Wireless Health & Care security requirements, Research Note DART/01/05, Norsk Regnesentral, 2005.
[12] Y. Hu, A. Perrig, D. Johnson: Packet Leashes: A defense against wormhole attacks in wireless ad hoc networks, Proc. INFOCOM, 2003.
[13] Y. Hu, A. Perrig, D. Johnson: Rushing attacks and defense in wireless ad hoc network routing protocols, Proc. WiSe, 2003.
[14] J. Newsome, E. Shi, D. Song, A. Perrig: The sybil attack in sensor networks: analysis and defenses, Proc. IPSN, 2004.
[15] J. Douceur: The sybil attack, Proc. IPTPS, 2002.
[16] C. Karlof, D. Wagner: Secure routing in sensor networks: attacks and countermeasures, Proc. SNPA, 2003.
[17] L. Lazos, R. Poovendran: SeRLoc: Secure range-independent localization for wireless sensor networks, ACM Workshop on Wireless Security, 2004.
