The use of the Internet of Things (IoT) in the electronic health (e-health) management systems brings with it many challenges, including secure communications through insecure radio channels, authentication and key agreement schemes between the entities involved, access control protocols and also schemes for transferring ownership of vital patient information. Besides, the resource-limited sensors in the IoT have real difficulties in achieving this goal. Motivated by these considerations, in this work we propose a new lightweight authentication and ownership transfer protocol for e-health systems in the context of IoT (LACO in short). The goal is to propose a secure and energy-efficient protocol that not only provides authentication and key agreement but also satisfies access control and preserves the privacy of doctors and patients. Moreover, this is the first time that the ownership transfer of users is considered. In the ownership transfer phase of the proposed scheme, the medical server can change the ownership of patient information. In addition, the LACO protocol overcomes the security flaws of recent authentication protocols that were proposed for e-health systems, but are unfortunately vulnerable to traceability, de-synchronization, denial of service (DoS), and insider attacks. To avoid past mistakes, we present formal (i.e., conducted on ProVerif language) and informal security analysis for the LACO protocol. All this ensures that our proposed scheme is secure against the most common attacks in IoT systems. Compared to the predecessor schemes, the LACO protocol is both more efficient and more secure to use in e-health systems.

Introduction

Health-care is an indispensable part of human life. In addition, in recent decades there has been an increase in life expectancy. Because of this, there has been an increase in the population over the age of 65 who regularly demand medical services of some kind. Due to the large number of patients, the provision of high-quality care to at-risk patients may be interrupted or the quality of service may deteriorate. While technology cannot reduce the demand for health services, it can at least offer potential solutions by integrating traditional health-care systems with electronic devices [1]. Recent health-care systems, called e-health systems, are supported by electronic devices with wireless connectivity, which are currently communicated through a central device (gateway) which usually transmits the collected data to a cloud [2, 3] –in the future, the devices will be able to communicate directly with each other. The use of these systems provides virtual consultations to patients such that the vast majority of them can rest at home and be treated with telemedicine, which is provided by doctors and hospitals [4, 1]. With advances in the Internet of Things (IoT) systems, many medical and wearable devices, equipped with sensors and placed in or on the patient’s body, can collect the vital real-time data and transmit it to a base station [5, 6]. This base station could be a kind of smartphone or tablet carried by the patient and would send the collected information to the hospital server [7, 8]. Finally, authorized users such as doctors and nurses can access these data to do or decide the best. As for the user’s connection to the medical server, the user must be authenticated at an early stage, usually using a smart card [9]. Likewise, for some devices communication is bi-directional and authorized entities such as physicians can change the reprogramming of patient devices [10, 11].