Attack-Tree Based Risk Assessment on Cloud-Oriented Wireless Body Area Network

Attack-Tree Based Risk Assessment on Cloud-Oriented Wireless Body Area Network

Theodoros Mavroeidakos (University of Piraeus, Greece), Nikolaos Peter Tsolis (University of Piraeus, Piraeus, Greece), Dimitrios D. Vergados (University Of Piraeus, Piraeus, Greece) and Stavros Kotsopoulos (Wireless Telecommunications Laboratory, Department of Electrical and Computer Engineering, University of Patras, Patras, Greece)
DOI: 10.4018/IJITN.2019100105

Abstract

Machine-to-machine (M2M) communication is an emerging technology with unrivaled benefits in the fields of e Health and m-Health. The wireless body area networks (WBANs) consist of a major subdomain of M2M communications. The WBANs coupled with the Cloud Computing (CC) paradigm introduce a supreme infrastructure in terms of performance and Quality of Services (QoS) for the development of eHealth applications. In this article, a risk assessment aiming to disclose potential threats and highlight exploitation of health care services, is introduced. The proposed assessment is based upon the implementation of a series of steps. Initially, the health care WBAN-CC infrastructure is scrutinized; then, its threats' taxonomy is identified. Then, a risk assessment is carried out based on an attack-tree consisting of the most hazardous threats against Personally Identifiable Information (PII) disclosure. Thus, the implementation of several countermeasures is realized as a means to mitigate gaps.
Article Preview
Top

1. Introduction

The health care domain consists of a cornerstone for the welfare of society. In the recent years there has been gaining much attention the convergence of emerging technologies such as the Big Data, the CC paradigm and the M2M communication architectural models. In the health care domain, sophisticated algorithms and novel processing techniques introduce benefits by mining Big Data and extracting knowledge while the CC paradigm establishes private back-end infrastructures, capable to handle massive quantities of clinical health data. The M2M architectural model, which is exploited in the health sector is comprised of mobile nodes, sensors and actuators interconnected to wireless networks through distributed base stations in the hospital’s physical environment. Thus, a type of wireless sensor networks (WSNs) (Rawat et al., 2014), the WBANs and their potential, unfold. The WBANs consist of a variety of on-body and implanted medical devices and sensors responsible for the continuous measurement of vital signs such as the temperature, the respiratory rate, the blood pressure and the arterial oxygen saturation.

The collection rate of clinical health data by sensors (Boubiche et al., 2018), necessitates the deployment of a highly scalable backend infrastructure to support the deployment of the medical applications’ logic as well as the data storage. Thus, the interconnection of WBANs with a private cloud infrastructure consists of a viable solution that enables scalability, availability better QoS through fast resource allocation, increased data storage and high computational power for the provision of a multithreaded eHealth or mHealth application. However, the distributed nature and mobile ad-hoc networks for the purpose of data propagation to backend endpoints of M2M architecture endanger the overall operation. By integrating CC backend endpoints, the already existing attack surface interacts with WBANs’ threats. These threats lay on the vulnerabilities of the M2M communications’ routing protocols and authentication schemes, as well as on specific characteristics such as the swiftly changing network topology and unattended clinical areas. Thus, the threat landscape is expanded.

Bearing in mind that the ulterior aim of the CC environment is to offer storing and processing capabilities on the basis of a high level of privacy and security without risking the disclosure of clinical health data, a risk assessment should be established prior its deployment. The proposed risk assessment correlates threats and security challenges of WBANs and CC environment in view of determining the total attack surface and estimating the probability of occurrence of an attack. Then, the mechanisms and processes providing the healthcare service (i.e. mHealth application) are safeguarded by countermeasures against the identified attack surface, in alignment with the principles of the Confidentiality, Integrity and Availability (CIA triad) (Juliadotter & Choo, 2015).

Accordingly, every technical component which is orchestrated in the context of the healthcare infrastructure’s operation, should be accompanied by a security component or countermeasure in order to minimize the total attack surface. Due to the diversity of these measures, the criterion which should be met by every countermeasure is to pose the minimum performance constraints over the other alternatives. Beyond the orchestration of countermeasures, the collection of clinical health data should be implemented in compliance with national norms and regulations due to the individuals’ rights and freedoms. Thus, the WBANs, as well as the CC environment should operate according constrains and legal instructions inaugurated by national regulations.

The remainder of the paper is organized as follows. Section 2 introduces the background on securing critical infrastructures and assessing their security level such as those in health care while Section 3 outlines the architectural elements of WBAN-CC infrastructure apparatus. Section 4 analyses the threats’ taxonomy while Section 5 reviews the attack-tree upon which the risk assessment is implemented. Section 6 contains the description of the risk assessment while examination of countermeasures is carried it out in section 7. The conclusions are drawn in Section 8.

Complete Article List

Search this Journal:
Reset
Open Access Articles
Volume 12: 4 Issues (2020): 1 Released, 3 Forthcoming
Volume 11: 4 Issues (2019)
Volume 10: 4 Issues (2018)
Volume 9: 4 Issues (2017)
Volume 8: 4 Issues (2016)
Volume 7: 4 Issues (2015)
Volume 6: 4 Issues (2014)
Volume 5: 4 Issues (2013)
Volume 4: 4 Issues (2012)
Volume 3: 4 Issues (2011)
Volume 2: 4 Issues (2010)
Volume 1: 4 Issues (2009)
View Complete Journal Contents Listing