Understanding Usage Control in Smart Cities: Smart Health Use Case | Hacker Noon

Smart health is an application of IoT and is enabled via sensors, actuators(implanted medical devices), smartphones and cloud services. Sensors collect clinical data such as blood pressure, blood glucose level, pO2 level and send it to a remote healthcare provider. Remote health care provider can even send commands to the actuators implanted in the human body like insulin infusion pumps, pacemakers and other cardiac devices. SmartUCON model, suggested in my previous article, is a step towards the protection of data collected from smart city infrastructure.

image

Sidra Zafar Hacker Noon profile picture

Sidra Zafar

Cyber Maniac|Technical Writer

According to WHO “The enjoyment of the highest attainable standard of health is one of the fundamental rights of every human being without distinction of race, religion, political belief, economic or social condition” 

Smart Health in Smart cities

Density in the urban population has posed new challenges to healthcare such as high demand for more hospitals, medical personnel, and medical resources in sustainable cities. 

Smart cities provide an infrastructure for many other local and regional government and private functions such as smart health, smart mobility, smart commerce, and smart communication to name a few. 

Smart health in smart cities has been defined by Solanas et al as 

Smart health is the provision of health services by using the context-aware network and sensing infrastructure of smart cities.

Integration of IoT in medical science has made healthcare ubiquitous and pervasive. By providing outpatient care at homes, not only does the cost of healthcare decrease but also the independence of patients and their relatives increase.

Soon, the healthcare sector will evolve from centralized hospitals to ubiquitous and pervasive.  The IoT integration to smart health benefits doctors, patients, and healthcare workers in smart hospitals, smart home care, and robot surgeons.

Internet of Things (IoT) in Healthcare Market is Expected to Grow at a CAGR of 29.9% reaching $322.2 billion by 2025.

Smart health is an application of IoT and is enabled via sensors, actuators(implanted medical devices), smartphones and cloud services. The sensors collect clinical data such as blood pressure, blood glucose level, pO2 level and send it to a remote healthcare provider.

The remote health care provider can even send commands to the actuators implanted in the human body like insulin infusion pumps, pacemakers and other cardiac devices. These devices use wireless remote controls, connect to the internet, relay patient data, and deliver critical therapies on command from remote healthcare providers.    

Privacy in Smart Health

With the comfort and efficiency provided by smart health, there come the issues of privacy and security as well. The health records of patients is confidential information which must not be leaked at any time. But, in a smart health environment where third party cloud services are employed, there are chances of security vulnerabilities. 

The protection of huge amounts of data that contains highly personal information of citizens is an inescapable challenge for researchers.The data protection in smart health is especially critical, as it can lead to life threatening outcomes. In appropriate values of patients vitals can result in wrong medical prescriptions which can lead to serious health problems.   

Along with data protection, unauthorized access to medical devices may result in fatal consequences. An example of a misused insulin infusion pump can result in hyperglycemia/hypoglycemia. Similarly, unauthorized access to cardiac devices can alter the normal functioning of devices and even has potential to kill.  

Usage Control in Smart Health

IoT and cloud-enable smart health accredits healthcare personnel to view and update patients data. Similarly patients can view and update their care records in cloud services. The access to the healthcare records must be controlled through usage control policies. E-g a general physician has the right to view the records of a patient, but he is restricted to update them by usage control policies.      

The Usage Control model, suggested in my previous article, is a step towards the protection of data collected from smart city infrastructure. The components of SmartUCON are mapped onto the smart health scenario and their explanation is given below:

Subjects: Subjects in the case of smart health scenarios are doctors, healthcare providers, and medical staff, who need access to patient’s data for monitoring, diagnostics, and treatment. Patients also become subjects when they need to view their medical records as they are only allowed to access specific information with conditions of not modifying even their records.   

Objects: In the case of smart health data owners are patients. The physiological information of patients to be accessed by subjects may include glucose level sensing, ECG, Blood pressure monitoring, body temperature monitoring, and oxygen saturation monitoring, etc.

Roles: There are several tasks related to patient care e-g keeping and managing records of physiological data, adding or updating records, accessing patient’s current body parameters, administering drugs, etc. SmartUCON utilizes the RBAC model of access control, therefore, roles must be assigned to Subjects (S) with Permission (P) to access only permitted attributes by following Conditions (C) and Obligations (O). Examples of roles in this scenario are roles of healthcare providers which can be a nurse, a senior doctor, a junior doctor, pharmacist, intern, healer, etc. All of these roles are authorized to access only the permitted data according to assigned roles.

Attributes: Since SmartUCON uses the RBAC model which states that the user’s roles are subject attributes. However the attributes whether it be subject attribute or object attribute, an update must be forced and controlled by the system administrator.

Obligations: In smart health, obligations are forced upon the access of sensitive data of patients where subjects are restricted to access information designated to their roles.

Conditions: The example of conditions in smart health are confidentiality, locality, abstraction, and timestamp of patient data.

Rights: Rights are the privilege that roles of smart health hold and practice. The rights contain a set of functions for data usage.

The encryption module of SmartUCON utilizes lightweight encryption techniques to secure data retrieved from the sensing layer of smart cities’ infrastructure. This ensures that even the system administrator and cloud server remains unaware of the assignment of roles to subjects

An example of a very simple use case incorporating different roles in healthcare systems and their rights on objects is given below:

image

The smart health example contains three different roles; Patient, Doctor, and Pharmacist, that have rights to access objects based on their roles.

Here is the formal description of transaction flow in use case;

ROLES= {Patient, Doctor, Pharmacist}

OBJECTS (O) = {Patients Records, Prescription Drugs, Diagnosis}.

RIGHTS (R) = {View, Add, Prescribe, Enter, Dispense}

Example of Doctors accessible operations:

if ROLES(Doctor)==true;

allowed_operation= {View, Add, Prescribe, Enter}.

Similarly for other roles Conditions and Obligations must be fulfilled to grant access.

Conclusion

In addition to preventing unauthorized access, be aware that even authorized users can also be potential threats.

Usage control provides fine grained access to data and resources. Access control in smart cities provides capabilities to configure for different level authorities and easy to track the records of events.

If threat actors can’t access your network, the amount of damage they’ll be able to do will be limited. Yet, keeping in mind the sensitivity of smart health to vulnerabilities, usage control should be accompanied by strong defense mechanisms like encryption, anti malwares, intrusion detection and network segmentation. 

Tags

Join Hacker Noon