Securing the provenance of wearable healthcare sensing data

Copyright: Siddiqi, Muhammad
Abstract
Wearable sensors for physiological measurements of heart rate, ECG, blood pressure, and blood glucose are gaining increasing prominence in healthcare applications such as continuous monitoring of chronically ill patients in homes and hospitals. Data from such devices has begun to feature in settlement claims and as evidence in courts, requiring it to be irrefutable and tamper-proof. Given that various stakeholders (users, doctors, insurers, prosecutors) may have motivations to tamper with the data, coupled with the fact that researchers have demonstrated the feasibility of tampering with such systems, acceptance of data from these devices deserves careful attention, as does the context, such as the time and location at which the data was collected (its provenance).

In this thesis we design, develop, and evaluate three schemes to address the aforementioned security concerns related to wearable sensor devices. Our first contribution addresses the time context associated with medical sensing data. We begin by demonstrating, with two medically approved devices on the market today, that the timestamps associated with the data are easily tampered with to backfill medical data. We then propose a novel overlay solution that works within the resource constraints of wearable devices to secure timestamps against malicious or ill-configured gateways. Our second contribution ensures tamper-protection of medical sensing data and binds it to its time and location context by leveraging the density of wireless devices in the vicinity of the transaction to create witness records. We develop a secure logging architecture that compacts witness records using Bloom filters and hash-chains them to bind them to the data, allowing fast and reliable forensic verification. Our third contribution develops an enhancement to the aforementioned crowd-sourced logging solution for use by forensics experts in criminal investigations where anonymity of the witnesses is indispensable. Using the reciprocity property of the wireless medium between them, the gateway and the witness devices generate pairs of closely matching link signatures, which not only provide proof of presence for the witnesses in the vicinity but also act as their time-varying pseudonyms, thereby providing witness privacy. We demonstrate the feasibility and efficacy of our schemes through implementation using real wireless devices, and via simulation and experimental results.
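As an added illustration (not code from the thesis), the following toy version of the witness-record logging architecture described in the abstract shows the two mechanisms working together: each gateway log entry compacts the identifiers of nearby witness devices into a Bloom filter, and every entry is hash-chained to its predecessor, so a forensic verifier can confirm that a claimed witness may have been present and detect any later edit to a reading, its timestamp, its location or its witness record. The filter parameters, field layout and sample readings are constructed for the example.

```python
import hashlib

BLOOM_BITS, BLOOM_HASHES = 256, 3   # constructed filter parameters, not from the thesis
GENESIS = "0" * 64                  # prev_hash of the first entry in the chain

def bloom_positions(item: str) -> list[int]:
    """k bit positions for an item, derived from k salted SHA-256 digests."""
    return [int.from_bytes(hashlib.sha256(f"{i}:{item}".encode()).digest()[:4], "big") % BLOOM_BITS
            for i in range(BLOOM_HASHES)]

def build_bloom(witness_ids: list[str]) -> int:
    """Compact the identifiers of witness devices seen nearby into a fixed-size bit array."""
    bits = 0
    for w in witness_ids:
        for p in bloom_positions(w):
            bits |= 1 << p
    return bits

def bloom_may_contain(bits: int, witness_id: str) -> bool:
    """True if the witness may be in the record (no false negatives, a small false-positive rate)."""
    return all((bits >> p) & 1 for p in bloom_positions(witness_id))

def entry_hash(ts: int, loc: str, reading: str, bloom: int, prev_hash: str) -> str:
    """Hash-chain link: binds reading, time, location and witness record to the previous entry."""
    payload = f"{ts}|{loc}|{reading}|{bloom:064x}|{prev_hash}"
    return hashlib.sha256(payload.encode()).hexdigest()

def append_entry(log: list[dict], ts: int, loc: str, reading: str, witness_ids: list[str]) -> dict:
    prev = log[-1]["digest"] if log else GENESIS
    bloom = build_bloom(witness_ids)
    entry = {"ts": ts, "loc": loc, "reading": reading, "bloom": bloom, "prev": prev,
             "digest": entry_hash(ts, loc, reading, bloom, prev)}
    log.append(entry)
    return entry

def verify_chain(log: list[dict]) -> bool:
    """Forensic check: recompute every digest and confirm each entry links to its predecessor."""
    prev = GENESIS
    for e in log:
        if e["prev"] != prev or entry_hash(e["ts"], e["loc"], e["reading"], e["bloom"], e["prev"]) != e["digest"]:
            return False
        prev = e["digest"]
    return True

def sample_log() -> list[dict]:
    """Constructed sample: two heart-rate readings logged by a gateway with nearby witness devices."""
    log: list[dict] = []
    append_entry(log, 1000, "ward-3", "HR=72", ["phone-A", "phone-B", "ap-17"])
    append_entry(log, 1060, "ward-3", "HR=75", ["phone-A", "ap-17"])
    return log
```

Editing any field of an earlier entry (for example backfilling a reading or clearing its witness record) changes that entry's recomputed digest, so verify_chain() fails from that point onward.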
Author(s)
Siddiqi, Muhammad
Supervisor(s)
Sivaraman, Vijay
Moors, Tim
Ali, Syed Taha
Publication Year
2019
Resource Type
Thesis
Degree Type
PhD Doctorate
UNSW Faculty