*Article* **Fuzzy Cognitive Scenario Mapping for Causes of Cybersecurity in Telehealth Services**

**Thiago Poleto 1, Victor Diogho Heuer de Carvalho 2, Ayara Letícia Bentes da Silva 1, Thárcylla Rebecca Negreiros Clemente 3, Maísa Mendonça Silva 4, Ana Paula Henriques de Gusmão 5, Ana Paula Cabral Seixas Costa 4 and Thyago Celso Cavalcante Nepomuceno 3,\***


**Abstract:** Hospital organizations have adopted telehealth systems to expand their services to a portion of the Brazilian population with limited access to healthcare, mainly due to the geographical distance between their communities and hospitals. The importance and usage of those services have recently increased due to the COVID-19 state-level mobility interventions. These services work with sensitive and confidential data that contain medical records, medication prescriptions, and results of diagnostic processes. Understanding how cybersecurity impacts the development of telehealth strategies is crucial for creating secure systems for daily operations. In the application reported in this article, the Fuzzy Cognitive Maps (FCMs) translated the complexity of cybersecurity in telehealth services into intelligible and objective results in an expert-based cognitive map. The tool also allowed the construction of scenarios simulating the possible implications caused by common factors that affect telehealth systems. FCMs provide a better understanding of cybersecurity strategies using expert knowledge and scenario analysis, enabling the maturation of cybersecurity in telehealth services.

**Keywords:** cybersecurity; fuzzy cognitive maps; telehealth; scenario analysis; planning

#### **1. Introduction**

The Brazilian Ministry of Health created the national telehealth system in 2007 with the initial objective of promoting family health remotely by using Information and Communication Technologies (ICT). One factor that justifies implementing this system is delivering healthcare to people living in remote communities where the nearest hospital care is distant. Bernardes et al. [1] stated that based on data from the Brazilian Institute of Geography and Statistics, only 24% of the country's population live in large cities, which adds to telehealth's importance as a public policy.

During the first semester of 2020, telehealth, also called telemedicine strategies, became essential in Brazil and many other countries due to the COVID-19 pandemic pressure on the limited hospital resources and the related response from public authorities imposing quarantine campaigns and mobility interventions worldwide. According to Nepomuceno et al. [2], when many potentially infected patients require regular or intensive care at the same time, hospitals with limited resources end up overloaded, the probability of propagation increases, and, as a result, the health systems collapse due to the lack of technical resources, fatigue, and overloading of health teams. COVID-19 lockdown and social distancing strategies have presented an opportunity for both doctors and patients to use telemedicine as a new manner of engagement and treatment in many regions [3,4].

**Citation:** Poleto, T.; Carvalho, V.D.H.d.; Silva, A.L.B.d.; Clemente, T.R.N.; Silva, M.M.; Gusmão, A.P.H.d.; Costa, A.P.C.S.; Nepomuceno, T.C.C. Fuzzy Cognitive Scenario Mapping for Causes of Cybersecurity in Telehealth Services. *Healthcare* **2021**, *9*, 1504. https://doi.org/10.3390/healthcare9111504

Academic Editors: Tin-Chih Toly Chen and Daniele Giansanti

Received: 16 September 2021; Accepted: 2 November 2021; Published: 5 November 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

The Telehealth Guidelines established by the Ministry of Health through Decree-Law No. 9795, of 17 May 2019, are mainly intended to improve user satisfaction and the quality of services provided to citizens through the Unified Health System [5]. The related systems hold confidential data such as patient health histories, drug prescriptions, and medical diagnoses. Such data can be the target of cyberattacks, highlighting the importance of well-defined strategies for their protection. According to Kruse et al. [6], there was a 22% increase in cyberattacks in 2015, compromising about 112 million medical information records.

It is emphasized that cybersecurity should not be analyzed only as a compliance practice given the occurrence of specific events causing additional costs [7,8], but should be designed in a structured and contingent way to consider all systems from the conception of telemedicine systems and services to be offered [9,10]. Deficiencies in the ICT infrastructure of these services contribute significantly to the increase of harmful attacks on health organizations that also adopt the strategy of promoting their services remotely [11]. Thus, the ICT infrastructure is a crucial factor in developing cybersecurity analysis to implement telehealth systems [12–15]. The importance of considering vulnerabilities is often associated with the risk of losses, corruptions, inappropriate changes, and theft of data, with information and documents that affect the integrity of medical diagnoses delivered to the patient, which can cause serious damage to the health of the individual [16]. In general, these situations allow threats to be exploited and are often caused by cyberattacks from malicious systems or people [17]. Zain et al. [18] identified four main situations verified in cyberattacks which can occur in telehealth services, such as (i) when the data is destroyed or becomes unavailable, (ii) when an unauthorized system or person accesses the database, (iii) when an unauthorized system or person obtains access to the service and makes improper changes, and (iv) when an unauthorized system or person inserts counterfeit objects into the database. These situations are possible failures or threats in the data transmission process, which can be accidental or purposeful.

In telehealth services, the main challenge for physicians is protecting the privacy of data. However, most of these professionals do not receive adequate training, and they are subject to situations that may compromise the performance of healthcare. This context requires preventive actions and security tools due to the sensitive data in healthcare systems, such as digital signatures, professional credentials, financial data, and patient diagnostic images, among others [19]. It is worth mentioning that this concern becomes even more complex when considering cyberattacks, especially due to the different interactions that occur on the Internet [20]. Furthermore, failure to comply with legal regulations may result in financial or criminal penalties [21,22]. For this, IT professionals must make strategic decisions to define security policies and ensure the authenticity, integrity, and confidentiality of the database, besides ensuring business sustainability.

Little research has been carried out in the context of cybersecurity in telehealth and on attacks on related systems, analyzing the damaging effects on the information stored about patients' clinical health. Poleto et al. proposed a framework for cybersecurity risk management in telemedicine [23]. New studies can be oriented towards cybersecurity aspects, determining causal relationships either to prevent attacks or to solve problems that have already occurred, ensuring the security of services and, consequently, of the associated activities and practices. The use of tools to support the identification of these security factors in telehealth services is beneficial for this purpose; however, the analytical process can be complex, and it requires high cognitive effort from the professionals involved, whether analysts or decision-makers, towards the planning of different assessment scenarios, helping to choose the best security measures.

Most of these strategic decisions are involved in the business sustainability process [24], which can define action plans to ensure the operation of telehealth services. The ICT management process assists in directing how medical centers can use IT to manage technological solutions. For this, it is opportune to present methodologies to support organizational diagnoses that identify the possible causes of threats in telehealth systems. One of these methodologies is Fuzzy Cognitive Maps (FCMs) [25], which represent scientific knowledge and strategic decision making in systems using the elements of a mental map, based on fuzzy logic computation.

Taking this context into account, this article proposes an analytical approach based on Fuzzy Cognitive Maps (FCMs) aimed at the mental representation of experts on causal relationships within a set of concepts related to cybersecurity that impact telehealth systems, providing support for strategic planning and decision-making. An FCM can represent all relationships intelligibly, enabling the creation of scenarios and reducing cognitive effort by allowing their analysis through objective graphic elements, and representing interesting support for improving the protection of information assets concerning patient information management. This article aims to demonstrate the results of applying FCMs in favor of cybersecurity in a telehealth system, seeking to identify variables that can be used for cybersecurity planning, in addition to simulating the scenarios involved. The remainder of this paper is organized as follows: Section 2 presents the Materials and Methods, explaining the mechanism of the proposed approach. Section 3 undertakes an application that validates the proposed approach. Section 4 is the discussion of the main findings; conceptual and practical implications are in Section 5. Finally, Section 6 draws some conclusions, indicates some study limitations, and suggests future research lines.

#### **2. Materials and Methods**

According to Tsadiras [26], FCM analysis allows identifying which cybersecurity strategies in a system have a more significant impact on other factors and provides possible scenarios by varying the degree of intensity of these variables in a complex problem. Moreover, incorporating the subjectivity and knowledge of an expert leads to a constructivist methodology and provides a complement to information security planning in hospitals.

The protection of patients' private data in telehealth services can be severely damaged by malicious interventions, such as altering or stealing data and information. Other factors, such as data privacy and credibility, can affect the image of the medical center. In Brazil, telehealth services have been valued in recent years, and this has encouraged governmental decisions regarding (i) the prioritization of telemedicine infrastructure; (ii) the systematization of the teleassistance process, with the development of clinical data cybersecurity protocols; and (iii) the structuring of security planning to provide the quality and confidentiality of the data and services offered by telehealth in hospitals.

The present research's motivation is based on the following question: what are the main cybersecurity factors affecting telehealth? In response to this question, the following issues will be discussed: (i) the role of stakeholders in the cybersecurity decision process at a hospital; (ii) the use of FCM as an integrated methodology to analyze cybersecurity, to develop planning policies, and to assess the impacts of such decisions in the hospital.

First, we identified the main security concepts that occur in telehealth services. For this, an informative and analytical list of concepts that may influence cybersecurity planning in telehealth at a hospital was created. Considering that the planning decisions are strategic, a manager in the ICT area of a hospital assumed the expert's role in eliciting the concepts in the cybersecurity context. Two technical meetings were held with the hospital's ICT manager, each having an average duration of two hours, coordinated by a facilitator who is an expert in information security and responsible for analyzing the results. During the interview, the study's objectives and the research procedure were presented, allowing for a better understanding of the study by the ICT manager. As a result, the list of the main concepts and the description of the leading information about security strategies adopted to treat and prevent problems caused by cyberattacks in telehealth services were obtained, considering the ICT manager's perception [27].

This list consisted of grouping the concepts that affect cybersecurity and analyzing the cause and effect relationship between them. For this, the Mental Modeler software was used to obtain the expert's cognitive map [28]. The ICT manager identified causal connections between the nodes, which required defining the type of relationship (positive or negative) between $w_i$ and $w_j$, and the intensity of each one over the other. The dynamic analysis of the FCM focuses on evaluating the system's behavior when the cause and effect relationships between the selected concepts are changed, enabling the evaluation of different scenarios [29].

The information was collected to support the development of a strategic plan dedicated to cybersecurity in telehealth at the hospital. Moreover, to analyze the changes that may impact cybersecurity, the construction of scenarios involves using the identified relationships among the concepts. Consequently, the scenarios can be considered roadmaps for developing and improving the model that describes the problem in a learning process. This study's cognitive structure allowed for greater transparency in the cybersecurity planning of telehealth services and theoretical contributions, directed to strategic decisions, and promoting organizational learning [30].

#### *FCM Procedure*

An FCM can be described as a fuzzy graph containing the concepts to be causally assigned in the nodes and the relationships in the edge arrows [25]. The procedure for creating the FCM can be defined in three main steps [27]:

*First Step*: clarify the FCM's purpose; if it is not well defined, the search for causal relationships will make the formation of the FCM unfeasible.

*Second Step*: identify the relevant concepts that influence the decision to be taken.

*Third Step*: find the causal relationships between the concepts defined in the previous step; these relationships need to be abstracted from the decision maker's definitions through instruments such as questionnaires and interviews.

Thus, from a mathematical point of view, an FCM can be described as a set of nodes (concepts) $C_i$ with $i = 1, \ldots, n$, where $n$ is the number of concepts in the problem; all these concepts together represent a state vector $A = [A_1, \ldots, A_n]$. The value of each concept is influenced by the values of the concepts related to it, together with the corresponding causal weights, and for the concept system to evolve, the vector $A$ needs to be passed repeatedly over the connection matrix $W$ [31].

The associated mathematical formula is given in Equation (1) [32]:

$$A_i^{(k+1)} = f\left(A_i^{(k)} + \sum_{\substack{j=1 \\ j \neq i}}^{n} A_j^{(k)} W_{ji}\right) \tag{1}$$

where:

$A_i^{(k+1)}$ is the value of concept $C_i$ at step $k+1$;

$A_j^{(k)}$ is the value of concept $C_j$ at step $k$;

$W_{ji}$ is the weight of the relationship between $C_j$ and $C_i$; and

$f(x)$ is a sigmoid threshold function defined by Equation (2):

$$f(x) = \frac{1}{1 + e^{-\lambda x}} \tag{2}$$

where $\lambda$ is a positive constant in a determined interval and $f(x)$ lies in the interval [0, 1].

#### **3. Results**

The proposed FCM model considers a holistic view to analyze cybersecurity concepts within telehealth in a hospital in the Amazon region. In the model, minimal changes were necessary to expand the notion and technical specifications for adequate cybersecurity planning. First, the concept of cybersecurity was explained to the ICT manager: it refers to the art of ensuring the existence and continuity of a nation's information society, guaranteeing and protecting in cyberspace all of its information assets and critical infrastructure.

The interaction with the ICT manager was essential for analyzing concepts that influence cyberattacks in telehealth systems, especially in the testimony of their possible consequences associated with the system's vulnerabilities. The data relevance reinforces the importance of guaranteeing the network's health since, in the case of loss of confidentiality, it can cause moral damage to all involved, especially to patients [31,32]. Despite many studies identifying threats regarding cybersecurity in distributed systems, there is still a gap in the literature related to the causes that trigger ecosystem cybersecurity occurrences in telehealth systems.

In addition to the discussion with the information security expert, a total of fifteen variables (concepts) influencing the occurrence of cyberattacks in telehealth services were identified, with support in the literature [33]. These concepts can be considered the weaknesses that affect the operational performance of telehealth systems. Table 1 presents a description of these concepts, which the ICT manager validated; three meetings were held, with a duration of 1 h.

**Table 1.** Description of variables involved in the study in telehealth services.

| Main Concepts | Description | Fuzzy Interpretation | References |
|---|---|---|---|
| C1: Insecure network protocols | Due to insecure network protocols (HTTP), attackers can enter the organization's network | −1: Low incompatibility of network protocol; 0: Average incompatibility of network protocol; 1: High incompatibility of network protocol | [34] |
| C2: Sensitive data encryption | Involves custom code development that brings encryption into the individual application data fields | −1: Low information security maintenance; 0: Average information security maintenance; 1: High information security maintenance | [35] |
| C3: Mobile health apps failure | Operational failures occur in telehealth due to users not being prepared to adopt information security protocols | −1: Low operational failures in telehealth; 0: Average operational failures in telehealth; 1: High operational failures in telehealth | [36] |
| C4: Cybersecurity certification | Provides a rationale for why the auditable events are deemed adequate to support after-the-fact investigations of security incidents on the operational telehealth server | −1: Absolute abandonment of auditable events; 0: Average attention to auditable events; 1: Priority attention to auditable events | [37] |
| C5: Outsourcing of IT cloud services | Provides help desks, tech support, and a provider to protect the confidentiality of the outsourced information | −1: No support for communication security; 0: Some support for communication security; 1: Priority attention to communication security | [38] |
| C6: IT governance | Provides security strategies aligned with and supporting the business objectives | −1: Absolute abandonment of IT governance; 0: Average attention to IT governance; 1: Priority attention to IT governance | [39] |
| C7: Controls for wireless communication | Establishment of policies and procedures for the effective implementation of selected security and control enhancements in telehealth | −1: Absolute abandonment of access policy; 0: Average attention to access policy; 1: Priority attention to access policy | [40] |
| C8: Mobile connected medical devices | Lack of updates or lack of patching, a common threat that can have a significant impact on the healthcare organization | −1: Low information security maintenance; 0: Average information security maintenance; 1: High information security maintenance | [5] |
| C9: Supplier eligibility criteria | Establish security baseline requirements and translate them into eligibility criteria when selecting suppliers | −1: No support for supplier eligibility; 0: Some support for supplier eligibility; 1: Plenty of support for supplier eligibility | [41] |
| C10: Medical system configuration error | Medical platforms are software that needs to be installed on a practice's or health system's local server | −1: No support for medical systems; 0: Some support for medical systems; 1: Priority attention to medical systems | [42] |
| C11: Big data privacy in healthcare | Big data has considerable potential to improve patient outcomes and predict outbreaks of epidemics | −1: Low information security maintenance; 0: Average information security maintenance; 1: High information security maintenance | [43] |
| C12: Augmented reality | Allows remote clinicians, such as surgeons, to guide physicians, paramedics, and other staff performing emergency procedures in telehealth | −1: No support for augmented reality; 0: Some support for augmented reality; 1: Plenty of support for augmented reality | [44] |
| C13: IT investment | Provides IT investments during the pandemic, accelerating the use of telemedicine services | −1: No support for IT investment; 0: Some support for IT investment; 1: Plenty of support for IT investment | [35] |
| C14: Patient's errors | Providers should educate patients about cybersecurity and the steps they should take to improve the overall safety of their interactions online | −1: No support for education; 0: Some support for education; 1: Plenty of support for education | [45] |
| C15: Incident response plan | Systems and devices eventually fail due to inaccurate coding, improper handling, or just wear and tear | −1: No support for an incident plan; 0: Some support for an incident plan; 1: Plenty of support for incident plans | [6] |

These concepts allow complex and critical ecosystem threats to be exploited in a telehealth system. However, the lack or inefficiency of information security planning makes it challenging to identify these cybersecurity weaknesses. This inefficiency also requires tools and methodologies to minimize cybersecurity consequences, which can cause large-scale damage to business sustainability [20].

An FCM diagram was built using the ICT manager's knowledge with the cybersecurity expert's support through an interview. A cognitive structure with subjective information was generated using the central concepts previously discussed, enabling performance analysis of the telehealth system. This information is associated with the concepts of critical infrastructures—which refers to facilities, services, goods, and systems that will have a severe social and economic impact if their performance is degraded or if they are suspended or destroyed. The visual representation of the expert-based FCM created based on the concepts is shown in Figure 1.

**Figure 1.** FCM model of cybersecurity in the telehealth university hospital.

The FCM diagram's construction aims at verifying the computed values of intensity in the concepts related to cybersecurity in telehealth. The causal relationship between concepts is indicated by an arrow and the positive symbol (+).

The framework of Figure 1 is meant to map the cybersecurity relationships (networks) within the scope of telehealth management by using a Fuzzy Cognitive Map. This process consisted of three phases: 1. Nodes: the key concepts from an expert panel; 2. Map: the cause-and-effect relationship in each of the arcs and a graphical representation of the network; and 3. Model: numerical values and computational simulation. Once the cybersecurity in telehealth management model is formulated, the subsequent simulation tasks (what-if scenarios) are carried out, with assumptions that modify the input variables (value repositories and constraints), to finally check what impact these changes have on the performance of cybersecurity in telehealth.
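As an added illustration, not code from the original article or from the Mental Modeler software, the following Python script implements the inference of Equations (1) and (2) from Section 2 and the what-if step described above: a constructed weight matrix over six of the Table 1 concepts (assumed values, not the weights elicited from the ICT manager) is iterated to equilibrium, a scenario is built by holding one concept at a fixed value, and degree centrality is computed as reported in Table 2. The neutral starting activation of 0.5 is also an assumption, since the article does not state its initial vector.

```python
import math
from typing import Dict, List, Optional, Tuple

# Concept labels taken from Table 1 of the article; only a subset is used so the
# constructed weight matrix stays readable.
CONCEPTS: List[str] = ["C1", "C2", "C3", "C6", "C7", "C10"]
INDEX: Dict[str, int] = {name: i for i, name in enumerate(CONCEPTS)}

# Constructed connection matrix: W[j][i] is the causal weight of C_j on C_i in [-1, 1].
# These values are illustrative assumptions, not the experts' elicited weights.
W: List[List[float]] = [
    #  C1    C2    C3    C6    C7    C10
    [0.0,  0.0,  0.6,  0.0,  0.0,  0.4],  # C1 insecure network protocols
    [0.0,  0.0, -0.5,  0.0,  0.0,  0.0],  # C2 sensitive data encryption
    [0.0,  0.0,  0.0,  0.0,  0.0,  0.3],  # C3 mobile health apps failure
    [-0.4, 0.7,  0.0,  0.0,  0.6,  0.0],  # C6 IT governance
    [-0.5, 0.0,  0.0,  0.0,  0.0,  0.0],  # C7 controls for wireless communication
    [0.0,  0.0,  0.4,  0.0,  0.0,  0.0],  # C10 medical system configuration error
]


def sigmoid(x: float, lam: float = 1.0) -> float:
    """Threshold function of Equation (2): f(x) = 1 / (1 + e^(-lambda * x))."""
    return 1.0 / (1.0 + math.exp(-lam * x))


def fcm_step(state: List[float], weights: List[List[float]], lam: float,
             clamped: Dict[int, float]) -> List[float]:
    """One application of Equation (1) to the whole state vector.

    A_i^(k+1) = f(A_i^(k) + sum over j != i of A_j^(k) * W_ji).
    Concepts in `clamped` are what-if assumptions: they are held at a fixed
    value instead of being updated, which is how a scenario modifies inputs.
    """
    n = len(state)
    nxt: List[float] = []
    for i in range(n):
        if i in clamped:
            nxt.append(clamped[i])
            continue
        total = state[i] + sum(state[j] * weights[j][i] for j in range(n) if j != i)
        nxt.append(sigmoid(total, lam))
    return nxt


def steady_state(clamped_by_name: Optional[Dict[str, float]] = None,
                 lam: float = 1.0, initial: float = 0.5,
                 tol: float = 1e-6, max_iter: int = 500
                 ) -> Tuple[Dict[str, float], bool, int]:
    """Iterate Equation (1) from a neutral start until the vector stops changing.

    Returns (equilibrium value per concept, converged flag, iterations used).
    """
    clamped = {INDEX[name]: value for name, value in (clamped_by_name or {}).items()}
    state = [initial] * len(CONCEPTS)
    for i, value in clamped.items():
        state[i] = value
    for k in range(1, max_iter + 1):
        nxt = fcm_step(state, W, lam, clamped)
        delta = max(abs(a - b) for a, b in zip(nxt, state))
        state = nxt
        if delta < tol:
            return dict(zip(CONCEPTS, state)), True, k
    return dict(zip(CONCEPTS, state)), False, max_iter


def centrality(weights: List[List[float]], name: str) -> float:
    """Degree centrality as in Table 2: sum of |outgoing| plus |incoming| weights."""
    i = INDEX[name]
    out_degree = sum(abs(w) for w in weights[i])
    in_degree = sum(abs(row[i]) for row in weights)
    return out_degree + in_degree


if __name__ == "__main__":
    baseline, ok, iters = steady_state()
    print(f"baseline equilibrium after {iters} steps (converged={ok})")
    for name, value in baseline.items():
        print(f"  {name}: {value:.3f}  centrality={centrality(W, name):.2f}")
    # What-if scenario: IT governance (C6) receives priority attention (held at 1.0).
    scenario, ok, iters = steady_state({"C6": 1.0})
    print(f"scenario C6=1.0 after {iters} steps (converged={ok})")
    for name in CONCEPTS:
        print(f"  {name}: {baseline[name]:.3f} -> {scenario[name]:.3f}")
```

With this matrix, raising C6 lowers the equilibrium of C1 (insecure network protocols) both directly and through C7, which is the kind of causal chain the scenario analysis in this section is meant to expose.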

#### *Outputs of Scenario Analysis*

The interpretations of the FCM diagram's relationships are important for the strategic planning process of the hospital's ICT department. With these implications, ICT managers can define preference concept actions and develop information security plans capable of minimizing the consequences caused by the vulnerabilities. Each analysis compares the steady-state promoted by the FCM with the scenarios defined by the ICT manager based on the main concepts. Therefore, it is possible to highlight the best and worst scenarios of cyberattacks in the hospital's telehealth system, considering the concepts of the present study. Table 2 shows the levels of centrality and preferred state for the concepts of cybersecurity in telehealth.


**Table 2.** Degree of the centrality of IT manager preference concepts.

The analysis based on the FCM modeling results allows the ICT manager to build different scenarios of strategic consequences. The construction of the scenarios contributes to the simulation of possible implications caused by common factors that affect telehealth systems in a specific way. In addition, these scenarios can support the decision process in the strategic planning of actions to prevent or mitigate vulnerabilities that could compromise the performance of telehealth systems. Planning of mitigation actions, when done without due care, can negatively influence the possibility of occurrences of attacks, as analyzed in Figure 2. The matrix representation of the fuzzy cognitive map (the $W_{ij}$ weight matrix) obtained after the expert interviews and the modeling process changes its configuration depending on the experts' corrections. Based on the current literature, it was found that if a negative value is specified in the initial concept state of the estimation vector, then the modeling results influenced by the factors would be inverted, meaning that hostile factors contribute to cybersecurity.


**Figure 2.** Final equilibrium states by the value of nodal element C1 (insecure network protocols), C2 (Sensitive data encryption), C6 (IT Governance), C10 (Medical system configuration error), and C14 (Patient's error).


The main components in telehealth systems, according to the ICT expert, judged in the range [−1] to [1], are "Mobile health apps failure" (C3) and "Controls for wireless communication" (C7) [6]. On the other hand, regarding "Supplier eligibility criteria" (C9) and "Big Data privacy in healthcare" (C11) [46]. Figure 3 illustrates the telehealth scenario analysis.

**Figure 3.** Scenario I: cybersecurity analysis in telehealth.

Scenario I analyzes the impact of the set of main concepts "Mobile health apps failure" (C3), scoring −0.18, "Controls for wireless communication" (C7), scoring 0.12, "Supplier eligibility criteria" (C9), scoring −0.07, and "Big Data privacy in healthcare" (C11), scoring −0.51, on the vulnerabilities pointed out in the telehealth system. This scenario highlights the association with the consequence of exploiting vulnerabilities when these factors are identified. These results confirm how changes and wrong configurations can overload the infrastructure of telehealth servers [47–49].

Further, configurations and composition of the servers responsible for the processing and storage of data and information can increase the probability of attacks that deflect the destination of the data and manipulate the system's functionalities. Thus, it is necessary to monitor the data origin and destination points, checking what actions are being carried out, as well as to understand the collaboration policies between providers of these ICT services and systems' users (patients or physicians) so that the university hospital can minimize the damage on the services provided.

In Scenario II, the main components are "Medical system configuration error" (C10) and "IT investments" (C13). Although each business has its own budget for investments, postponing investment in adequate technology, or using poor quality devices, can increase the probability of inefficiency in service delivery and reinforce problems in the devices used in telehealth systems. In this context, the effect of cybersecurity is more significant because the malicious action activates defense planning. These situations are generally recorded when the telehealth system comes with records of malware and logical attacks [50]. The analysis related to Scenario II is represented in Figures 4 and 5.


**Figure 5.** Scenario II: cybersecurity analysis in telehealth.

In Scenario II, as shown in Figure 5, the main concepts are "Sensitive data encryption" (C2, with −0.22), "Cybersecurity certification" (C4, with −0.15), "Outsourcing of IT cloud services" (C5, with −0.14), and "IT governance" (C6, with −0.06). This scenario highlights the concern about controlling the ICT services that are essential for the organization. In medical centers, personal data relating to the patients' health status should receive greater attention and should be considered requirements for developing specific security policies. The results show that it is possible to view different vulnerability types regarding patient care in the two scenarios. Based on the analysis, it is important to consider that, in addition to the value of the information, other criteria must be incorporated in the process of defining the protection requirements of telehealth systems, such as the ability to identify and record the system's threats and vulnerabilities. However, these criteria were not analyzed in the present study. Despite this limitation, it is essential to know in advance the value of the asset to be protected in order to identify threats and vulnerabilities and return consistent results, which is why cybersecurity planning is needed.

#### **4. Discussion**

Recent studies argue that the increase in cybersecurity investments has not resulted in more adequate security levels in many areas. This discrepancy can be justified by the lack of consistent information security management [41]. According to Sivaprakash et al. [51], in a comparison made between healthcare and financial organizations, in terms of data management and protection, both types of organizations are concerned and incorporate strategic actions to control and protect data generated in their environments. However, managers do not have adequate training to deal with cyber threats in healthcare organizations [6]. In contrast, financial organizations have been investing in cybersecurity for about twenty years, aligning cybersecurity with the organization's objectives.

The need for data sharing in heterogeneous public and private healthcare organizations and the lack of continuous and standardized communication in cybersecurity highlight the importance of the responses to the threats and vulnerabilities of the systems, involving medical actors, patients, and ICT analysts [52]. In this context, ICT professionals have access to data about patients and their clinical status (clinical history, vital parameters, physical examination data, among other data) that are useful for planning and the decision-making process in telehealth services. However, the provision of healthcare assistance cannot be analyzed as an isolated process but in line with organizational planning as a whole. From this perspective, this study can help the senior manager and the IT manager to understand the vulnerabilities that can affect the operational performance of telehealth systems, serving as a resource to support cybersecurity planning and to ensure the achievement and enhancement of the efficiency of information protection in medical centers.

The value of the information is not the only criterion used to define the protection requirements. The measure of the ability to identify threats can be a more consistent indicator for this definition. When the asset's value is known, the likelihood of efficiency in the process is greater, hence the need for cybersecurity planning. Annual audits, for example, are a way of ensuring minimum compliance with cybersecurity requirements. The determination of an approved regulatory and supervisory body requires organizations to adopt information security procedures and standards to be used as maturity indicators, ensuring an effective cybersecurity policy for telehealth services. The lack of an information security policy is directly reflected in the operational performance of telehealth services.

Our findings show that, without imposing any restrictions on cybersecurity, significant incidents and negative impacts may reduce telehealth services' efficiency [53]. The visualization tools allow a better understanding of the causal relationships between the factors and the vulnerabilities considered. FCM is a modeling method for complex systems that uses simulations based on a mental map of human reasoning to operate on a representation of the system. Thus, the application of FCM shows the ability to model ambiguous and vague terms, simulating the sense of words and supporting decision-making and strategic planning of actions related to information security in the health area, a fact reinforced in a previous work of ours (see [54]), which the present article expands.
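To make the mechanics behind these simulations concrete, the following Python example (added here; not code from the paper or its authors) defuzzifies expert linguistic judgements into crisp weights, runs the FCM inference, and clamps one concept to compare two scenarios, which is also what the defuzzified relationship values and scenario analysis discussed in Sections 5 and 6 rely on. The concepts, linguistic terms and starting activations are assumptions constructed for illustration, not the map elicited in this study.

```python
"""FCM inference with expert-term defuzzification and scenario comparison.
Added example, not the paper's model: concepts, linguistic judgements and
starting activations are constructed, loosely following factors named in
the discussion (security policy, audits, training, image privacy)."""
import math

# Constructed concept list (hypothetical; not the paper's expert-elicited map).
CONCEPTS = [
    "C1 lack of information security policy",
    "C2 inadequate manager training",
    "C3 annual cybersecurity audits",
    "C4 exposure of exam images",
    "C5 successful cyberattacks",
    "C6 telehealth operational performance",
]

# Linguistic causal terms as triangular fuzzy numbers (a, b, c) on [-1, 1].
TERMS = {
    "NVS": (-1.0, -1.0, -0.75), "NS": (-1.0, -0.75, -0.5),
    "NM": (-0.75, -0.5, -0.25), "NW": (-0.5, -0.25, 0.0),
    "Z": (0.0, 0.0, 0.0),
    "PW": (0.0, 0.25, 0.5), "PM": (0.25, 0.5, 0.75),
    "PS": (0.5, 0.75, 1.0), "PVS": (0.75, 1.0, 1.0),
}

# One constructed expert judgement: EXPERT[i][j] is the influence of Ci on Cj.
EXPERT = [
    # C1    C2    C3    C4    C5    C6
    ["Z",  "Z",  "NM", "PM", "PS", "NM"],  # C1 lack of policy
    ["PM", "Z",  "NW", "PW", "PM", "Z"],   # C2 training gap
    ["NM", "NM", "Z",  "NW", "NM", "PW"],  # C3 audits
    ["Z",  "Z",  "Z",  "Z",  "Z",  "NM"],  # C4 image exposure
    ["Z",  "Z",  "Z",  "PW", "Z",  "NS"],  # C5 attacks
    ["Z",  "Z",  "Z",  "Z",  "Z",  "Z"],   # C6 performance (effect only)
]


def centroid(tri):
    """Crisp value of a triangular fuzzy number (centroid defuzzification)."""
    a, b, c = tri
    return (a + b + c) / 3.0


def build_weights(*experts):
    """Defuzzify every expert's terms and average them into one weight matrix."""
    n = len(experts[0])
    return [[sum(centroid(TERMS[e[i][j]]) for e in experts) / len(experts)
             for j in range(n)] for i in range(n)]


def sigmoid(x, lam=1.0):
    return 1.0 / (1.0 + math.exp(-lam * x))


def fcm_step(state, weights, clamped):
    """Modified Kosko rule with memory term (Stylios and Groumpos):
    A_j(t+1) = f(A_j(t) + sum_i A_i(t) * W[i][j]).
    Concepts in `clamped` keep their scenario value ('what-if' inputs)."""
    n = len(state)
    return [clamped[j] if j in clamped
            else sigmoid(state[j] + sum(state[i] * weights[i][j] for i in range(n)))
            for j in range(n)]


def run_fcm(initial, weights, clamped=None, tol=1e-4, max_iter=200):
    """Iterate until no concept moves more than tol.
    Returns (final_state, iterations, converged)."""
    clamped = clamped or {}
    state = [clamped.get(i, v) for i, v in enumerate(initial)]
    for k in range(1, max_iter + 1):
        nxt = fcm_step(state, weights, clamped)
        done = max(abs(a - b) for a, b in zip(nxt, state)) < tol
        state = nxt
        if done:
            return state, k, True
    return state, max_iter, False  # limit cycle or chaotic behaviour


def compare_scenarios(weights, initial, scenarios):
    """Run each named scenario (dict: concept index -> clamped value) and
    return {name: final_state} for side-by-side reading by the planning team."""
    return {name: run_fcm(initial, weights, clamped)[0]
            for name, clamped in scenarios.items()}


if __name__ == "__main__":
    W = build_weights(EXPERT)
    start = [0.5] * len(CONCEPTS)  # constructed neutral starting activation
    results = compare_scenarios(W, start, {"audits in place": {2: 1.0},
                                           "no audits": {2: 0.0}})
    for name, state in results.items():
        print(name)
        for label, value in zip(CONCEPTS, state):
            print(f"  {label:40s} {value:.3f}")
```

With the sigmoid at lambda 1 the update is a contraction for this weight matrix, so both scenarios converge; because every causal sign in the constructed map is consistent, the "audits in place" scenario ends with lower attack activation and higher performance than "no audits".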

#### *4.1. University Hospitals and Telehealth Cyber Security Strategies*

Regarding the unit of analysis of the case study, university hospitals, strategic decision-making about cybersecurity risks and the measures needed for prevention and mitigation is observed to be at an ad hoc stage. This is because, from the perspective of the university hospital where the analysis was applied, information security planning is considered an essential requirement to be fulfilled within overall information technology planning. On the other hand, although managers understand the importance of this type of security, it is noteworthy that they still do not have the most appropriate tools capable of supporting their decision-making process for the related planning, that is, tools to identify empirically the causal relationships between the various existing elements or concepts and to prioritize them according to their impact on the continuity of telehealth services. In some instances, this has been sufficient for mitigating some risks and technological threats.

Resorting to the most appropriate tools, however, may offer additional opportunities for continuous managerial improvement. Tools such as FCM, despite being popular in many sectors of economic activity and other areas of decision-making, seem to be unknown or underused instruments for cybersecurity managers in Brazil, at least within the context of university hospitals. The case study reported here also suggests that they can be used relatively easily and efficiently, so that these managers can develop plans more in line with the reality they know well, since they carry out their daily activities within it. Above all, FCMs constitute a knowledge management tool capable of externalizing the experience contained in these managers' minds, encoding it in an intelligible and accessible way for use in cybersecurity and information security planning.

#### *4.2. Comparison with Other Methods/Approaches Found in Literature*

Table 3 presents a synthesis of the works in the literature with similar methods that supported the development of this article. It contains their objectives and main similarities and differences, as well as a synthesis of this work, for comparative purposes.


**Table 3.** Literature comparison.

#### **5. Conceptual and Practical Implications**

Our results highlight cybersecurity issues in telehealth services that deserve special attention, whether from a conceptual or practical point of view since sensitive data circulates through any type of information system. In this sense, exploring the system's possible vulnerabilities is fundamental to adopting preventive or corrective measures [55].

This issue is even more delicate in telehealth services and systems since certain information may be under medical confidentiality and can compromise patients' physical and psychological integrity should they be improperly exposed [56]. The conceptual point of view about using FCM in telehealth systems is linked to how this tool can influence the planning and adoption of security measures in these systems. Here we can establish the following question: how should these systems be thought of, from their planning through their implementation, finally reaching their full functioning, to ensure that this sensitive information is protected efficiently and effectively?

Our model represents several concepts related to threats in systems and types of cyberattacks, always considering the participation of experts, whose understanding of the relationships between these concepts is represented through the graph resulting from the application of the FCM. These relationships are further supported by a measure of strength extracted from a fuzzy context, which represents the vagueness in the definitions made by these experts when their knowledge was elicited.

This can be connected with knowledge engineering, which holds that eliciting or extracting expert (tacit) knowledge is a bottleneck and a critical issue in systems development [57]. In this analogy, the FCM acts as a formal means for this knowledge to be acquired and recorded, allowing the engineers and systems analysts involved in telehealth systems projects to correct existing security gaps and to design contingency action plans for possible cyberattacks.

From the perspective of telehealth systems actors, whether health professionals or patients, concepts such as confidentiality, consistency, and availability of information, together with the use of these systems only by authorized personnel and the presence of functions to reduce errors [58], deserve mention in this discussion as a way to add or enforce security requirements. In addition to the professionals responsible for designing, implementing, and managing information systems and ensuring information security, users also deserve to be heard, since they are the final subjects for whom the system was designed [10].

Therefore, the applied methodology can be extended to obtain new security perceptions about the telehealth system, reinforcing those already elicited from experts. These two perspectives, in fact, require feedback: (i) on the knowledge of experts providing technical elements for the design and implementation of systems and information security measures; and (ii) on the opinion of the end-users, being evaluated based on these technical elements, to reinforce them or identify new requirements.

Our empirical results, referring to vulnerabilities, forms of cyber-attacks, and user concerns, can be analyzed through the FCM. The results obtained should be discussed by the security project team in a post-conceptualization stage. While other works focus their approach on more technical elements related to guaranteeing security in telehealth systems, the value of the methodology used in this work lies at a more managerial and strategic level, providing a visualization of the related concepts for making decisions about them.

This part of the discussion aims to determine what should be implemented as a priority, since the conceptual elements detected through the methodology are likely to be numerous. Trade-offs will emerge in this type of valuation, such as less time spent on valuing systems instead of information, and more time spent assigning values to the assets involved [59].

The following question arises: what is the most appropriate way to evaluate these concepts and to choose what will be implemented as a priority? Each team must carry out the evaluations according to what is defined by the organization, and the users' opinions deserve attention, complementing the information security requirements. Nevertheless, it is essential to note that the information collected mainly from the users can provide valuable feedback to the project development team. FCMs have the advantage of showing defuzzified numerical values for the relationships between the evaluated elements [60,61]. These indicators can be combined with other elements more commonly used in evaluating alternatives to be implemented, such as the cost and time involved. Moreover, FCMs make it possible for decisions to be made by analyzing varied scenarios built on the subjective opinions of the people involved [31], ensuring the inclusion of elements described in both technical and non-technical ways, the latter related to the perspectives of users.

Furthermore, regarding practical implications at a higher level, leaving aside the view on more technical elements, the use of FCM favors the creation of information security and cybersecurity policies. Analyzing the existing relationships between guidelines, requirements, and rules—elements that constitute these policies and lead to information security compliance [55]—is a process potentially facilitated by the explored methodology. On the other hand, the definition of these policies implies determining a pattern of user behavior towards security in telehealth systems, since the behavioral factor alone has a more considerable influence than technical security elements in related systems and services [62], so the focus of the analysis becomes the users' conduct as a "breach breaker" of security in the system.

In summary, the practical implications of the use of FCMs fall on implementing the telehealth system, providing security requirements to be implemented, whether defined by the experts' perspective or considering users' opinions. Also, the conduct of users of the system must be in line with security policies, which are also definitions that can be carried out with the support of the methodology.

#### **6. Conclusions**

In general, telehealth, in particular its technological, economic, and environmental characteristics, contributes substantially to society and is expected to provide health services to thousands of people limited by geographical constraints. Given this context, telehealth can benefit from the scenario-planning approach because it plays an essential role in future development related to planning policies against cyberattacks.

This paper presented an application of FCM that analyzes information security factors related to telehealth. The FCM model allowed causal inference through direct chaining, with updates based on numerical data and on cybersecurity experts' opinions. Preliminary results are encouraging concerning the possibilities the FCM approach offers to decision-makers and ICT managers, enabling good insight into the impact of cyberattacks on telehealth and ensuring a more focused view of the necessary protective actions. These results show the possibility of scenario planning in cybersecurity, highlighting the most critical telehealth factors. The analytical process should be carried out annually or semiannually to analyze the impact of improvements in information security, with further improvements addressing the identified critical points.

Although our focus is on the main concepts of aligning cybersecurity in telehealth, it should be noted that the construction of the FCM allowed the identification of new concepts. In particular, the problem of image privacy of medical exam results can affect patients' integrity. Moreover, new concepts were included in the FCM because they are rarely considered in security practice, which allowed them to be formalized in a way that contributed to reducing the variables omitted in cybersecurity decisions.

The tools proposed in the previous FCM literature were suitable for the cybersecurity scenario due to their ability to capture the ICT experts' knowledge by modeling dynamic simulation systems and improving support against cyberattacks. COVID-19 has dramatically impacted telehealth functionality and required adaptation in coping with circumstances that continued to change relative to safety measures, limiting customer interactions and reducing employee availability. The COVID-19 pandemic has generated remarkable and unique societal and economic events leveraged by cyber-criminals. Our analysis of telehealth has shown the causes of cybersecurity in telehealth services.

With the many new perspectives brought by the current pandemic, we believe this new paradigm for cybersecurity in telehealth is here to stay in the (hopefully) post-pandemic future. FCMs can be adjusted according to iterative scenarios to support accurate decision-making that represents subjectivity in the business model of healthcare units. In addition, they can increase the transparency of analyses, including information hidden from IT managers. The post-pandemic period is an important consideration, as it must accommodate many legal aspects generated during the pandemic, especially those related to the computerization of various services or the intensification of already computerized services, as is the case with telehealth. Therefore, this kind of application is essential for helping hospital managers concerned with maintaining telemedicine services during the planning phases, which are not limited to the pandemic context.

It is worth noting that telemedicine has become an efficient and effective way to deliver the necessary care in a critical period such as the COVID-19 pandemic, avoiding hospital overload from the high demand of patients seeking care and avoiding contamination by the disease amidst clusters of people. Our perception leads us to believe that cybersecurity measures in telehealth systems have become mandatory components of ICT planning for hospital institutions, ensuring the security of patient information and ensuring that services continue to run without interruptions and external interference, such as hacker attacks. FCMs are a helpful instrument for university hospital managers concerned with maintaining their telemedicine services, and, regardless of the pandemic context, they deserve to be applied in the associated planning phase.

Therefore, the added value of using FCMs for cybersecurity in telemedicine is none other than supporting the planning of strategies to combat security breaches, always preventing sensitive and confidential patient information from being accessed or intercepted by inappropriate persons. In planning practice, it is a new tool for managers, helping in their decisions about actions to avoid or correct security problems.

Future work should aggregate other methods to assist ICT managers in deciding upon actions, such as using fuzzy set theory to translate the judgments of health units' managers into crisp values for accurate support that can minimize cybersecurity problems in telehealth [63], and combining multicriteria methods with other operational methodologies for conflict resolution, resource management, and risk assessment in telemedicine [53,55,64]. More specifically, the research leading to this article has, for the time being, implications for the construction and improvement of a framework aimed at identifying risks associated with cybersecurity in telemedicine, with tests for its validation carried out in Brazilian university hospitals.

Concerning the continuation of this research, there is a need to assess, in a multiple-case study, how well university hospitals are prepared to deal with cybersecurity threats, clarifying the main strategies adopted and how the planning process for these strategies is developed, gathering data from a set of these hospitals. Another direction is a meta-analysis comparing the quantitative results of other works that apply methods with the same purpose as the one applied in this study, helping mainly to determine which methods are most suitable to support the cybersecurity planning process in telehealth.

These last two indications for further research are beyond the scope of our current application, as we did not aim to evaluate a general context for cybersecurity or to evaluate the performance of many different healthcare institutions to learn how well they are prepared to face telehealth cybersecurity threats. Therefore, these limitations can be addressed in future extensions of the current analysis.

**Author Contributions:** Conceptualization, T.P., V.D.H.d.C., and A.L.B.d.S.; methodology, A.P.H.d.G. and T.R.N.C.; software, A.L.B.d.S.; validation, T.P., V.D.H.d.C., and T.C.C.N.; formal analysis, M.M.S. and T.R.N.C.; writing—review and editing, T.C.C.N. and V.D.H.d.C.; visualization, A.P.C.S.C. and T.R.N.C.; project administration, T.P., V.D.H.d.C., and A.L.B.d.S.; funding acquisition, T.P. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research received no external funding.

**Institutional Review Board Statement:** Not applicable.

**Informed Consent Statement:** Not applicable.

**Data Availability Statement:** The data presented in this study are available on request from the corresponding author.

**Acknowledgments:** This research was partially supported by the Universidade Federal do Pará (PROPESP/UFPA), the Universidade Federal de Alagoas (UFAL), the Universidade Federal de Pernambuco (UFPE), and the Grupo de Pesquisa em Sistemas de Informação e Decisão (GPSID). The authors would like to acknowledge the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior—Brazil (CAPES) and the Conselho Nacional de Desenvolvimento Científico e Tecnológico—Brazil (CNPq) for their financial support.

**Conflicts of Interest:** The authors declare no conflict of interest.



## *Article* **Hospitals' Cybersecurity Culture during the COVID-19 Crisis**

**Anna Georgiadou 1, \* , Ariadni Michalitsi-Psarrou 1 , Fotios Gioulekas 2 , Evangelos Stamatiadis 2 , Athanasios Tzikas 2 , Konstantinos Gounaris 2 , Georgios Doukas 1 , Christos Ntanos 1 , Luís Landeiro Ribeiro 3 and Dimitris Askounis 1**


**Abstract:** The coronavirus pandemic led to an unprecedented crisis affecting all aspects of the concurrent reality. Its consequences vary from political and societal to technical and economic. These side effects provided fertile ground for a noticeable cyber-crime increase targeting critical infrastructures and, more specifically, the health sector; the domain suffering the most during the pandemic. This paper aims to assess the cybersecurity culture readiness of hospitals' workforce during the COVID-19 crisis. Towards that end, a cybersecurity awareness webinar was held in December 2020 targeting Greek Healthcare Institutions. Concepts of cybersecurity policies, standards, best practices, and solutions were addressed. Its effectiveness was evaluated via a two-step procedure. Firstly, an anonymous questionnaire was distributed at the end of the webinar and voluntarily answered by attendees to assess the comprehension level of the presented cybersecurity aspects. Secondly, a post-evaluation phishing campaign was conducted approximately four months after the webinar, addressing non-medical employees. The main goal was to identify security awareness weaknesses and assist in drafting targeted assessment campaigns specifically tailored to the health domain needs. This paper analyses in detail the results of the aforementioned approaches while also outlining the lessons learned along with the future scientific routes deriving from this research.

**Keywords:** cybersecurity culture; COVID-19; security assessment; phishing; health domain

#### **1. Introduction**

Coronavirus disease 2019 (COVID-19) is an infectious disease caused by severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) [1]. It was originally identified in December 2019 in Wuhan [2], from where it spread worldwide, leading to a pandemic, as denoted by the World Health Organization (WHO), in March 2020 [3]. Since then, there have been 198,778,175 confirmed cases of COVID-19, including 4,235,559 casualties [4]. As of 14 June 2021, a total of 2,310,082,345 vaccine doses have been administered, attempting to armor humans against this virus.

Even though epidemiologists argue that the health crisis is close to being over, the same does not apply to its political, societal, economic, and technical side-effects. Special circumstances created by this extraordinary crisis led to what is known as the "Great Shutdown" or "Great Lockdown" [5–8], radically altering our daily reality. Digital transformation and adaptation were forced in almost all aspects of the business world. Remote working, commonly known as "tele-working" or "working from home", became a necessity even for sectors where it was considered prohibited up until now [9,10].

The accruing anxiety and generic crisis conditions provided a fertile ground for opportunistic criminals to act. A significant cyber-crime increase was denoted during the pandemic [11–13], with a noticeable preference towards the health sector [14–16]. Phishing, ransomware, and distributed denial-of-service attacks are only a sample of the reported cyber-crime incidents during the COVID-19 crisis [17–21].

**Citation:** Georgiadou, A.; Michalitsi-Psarrou, A.; Gioulekas, F.; Stamatiadis, E.; Tzikas, A.; Gounaris, K.; Doukas, G.; Ntanos, C.; Landeiro Ribeiro, L.; Askounis, D. Hospitals' Cybersecurity Culture during the COVID-19 Crisis. *Healthcare* **2021**, *9*, 1335. https://doi.org/10.3390/healthcare9101335

Academic Editor: Daniele Giansanti

Received: 25 August 2021; Accepted: 1 October 2021; Published: 7 October 2021

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Cybersecurity has been one of the emerging technological challenges of this century for the health domain [22], being among each country's critical infrastructures. Over the last years, extensive research has been conducted aiming to identify vulnerabilities and gaps in the cyber-resilience of hospitals and healthcare facilities [23–26]. Various assessment methodologies have been applied towards pinpointing mitigation techniques and cyber-defense strategies [27–32]. Yet, scientific contribution and professional evolution failed to protect the health sector during a crisis which dictated its devotion to its main purpose of curing patients and saving lives.

Most security agencies, organizations, and experts worldwide have issued recommendations and proposed safeguard measures to assist individuals and corporations in defending against cyber-crime [11,33–35]. Security officers have become aware of the great cybersecurity perils they are facing. Therefore, the vast majority of them have designed and conducted a series of security awareness training programs carefully tailored to the needs and the busy schedule of their workforce.

This paper presents the effort made by the IT and security experts of European health representative organizations during the pandemic to strengthen the cybersecurity awareness of healthcare employees. Towards that end, a virtual workshop was designed and held on 16 December 2020 in Greece [36]. The effectiveness of the security awareness training program was assessed in a two-phase evaluation: a questionnaire filled in voluntarily by the participants directly after the workshop, and a phishing campaign held four months later.

This paper presents our research approach to evaluating the security readiness of healthcare personnel during the COVID-19 pandemic, based on a holistic cybersecurity culture framework. Section 2 offers background information related to both the framework and the participating health domain representatives. Section 3 unfolds our methodological approach, which alternates sequentially between training and assessment steps. In Section 4, we analyze our two-phase security evaluation while underlining important results. Section 5 collectively summarizes our key findings, whereas Section 6 outlines a number of considerations and limitations regarding the proposed methodology. Finally, Section 7 concludes our research presentation by outlining areas of further research and potential future applications.

#### **2. Background**

#### *2.1. Cybersecurity Culture Framework*

Cybersecurity Culture Framework was developed in the context of the EnergyShield [37], a European Union (EU) project targeting cybersecurity in the Electrical Power and Energy System (EPES). It was officially introduced in 2020 [38], presenting an evaluation and assessment methodology of both individuals' and organizations' security culture readiness. It is based on a combination of **organizational** and **individual** security factors structured into **dimensions** and **domains**. Its main goal is to examine organizational security policies and procedures in conjunction with employees' individual characteristics, behavior, attitude, and skills. Each security metric introduced by the framework is assessed using a variety of evaluation techniques, such as surveys, tests, simulations, and serious games.

The framework was later correlated both with the hybrid MITRE ATT&CK Model for an OT Environment, consisting of a combination of the Enterprise and the ICS threat models [39], and with an enriched version of the Management and Education of the Risk of Insider Threat (MERIT) model [40], developed by the Secret Service and the Software Engineering Institute CERT Program at Carnegie Mellon University. Research in both scientific directions focused on mapping the end-users' socio-cultural behavior to specific cyber-threats.

During the COVID-19 crisis, the aforementioned framework was used to design a cybersecurity culture assessment campaign targeting critical infrastructures [41]. Its revealing findings [42] provided significant feedback to the participating EU organizations. Insights and recommendations towards enforcing their cybersecurity resilience were offered, further contributing to this research domain.

This scientific effort inspired SPHINX, an EU project aiming to enhance the cyber protection of the Health and Care IT Ecosystem [43], and triggered a collaboration activity with EnergyShield. The following paragraph presents how the cybersecurity culture framework assisted SPHINX security specialists in the design of a two-phase security awareness campaign targeting health sector personnel.

#### *2.2. Cybersecurity Assessment*

Approximately two months prior to the global outbreak of the COVID-19 crisis, a cybersecurity awareness assessment was conducted among Greek, Portuguese, and Romanian healthcare employees [44] in the context of the SPHINX EU Project. The findings on the IT workforce, doctors, nurses, auxiliary staff, laboratory personnel and administrative clerks indicated the necessity of performing targeted training and campaigns to mitigate the increasing number of phishing and fraud attacks and fortify hospital assets.

More specifically, the result analysis revealed that limited investment had been made in cybersecurity appliances procurement, software upgrades and hardware. Although an individual cybersecurity unit was not fully deployed in the surveyed organizations, all IT departments had firewalls, antivirus solutions, as well as backup mechanisms. Furthermore, it was noticed that the IT departments did not regularly keep log files of cybersecurity-related events or login actions. Cybersecurity-related key performance indicators (KPIs) were not being monitored. Notwithstanding, the IT workforce reported that penetration tests or associated training on cybersecurity concepts had not been conducted to assist them in reaching a higher level of readiness.

Additionally, a significant percentage of the non-IT staff stated that they were unaware of information security policies, albeit they could comprehend when a computer was hacked or infected and knew whom to contact. Moreover, many of them reported that they did not know what an email fraud is or how to identify it. Most importantly, the vast majority considered that organizational security policies would help improve their own work while indicating the necessity to attend sufficient cybersecurity training programs and/or general data protection regulation (GDPR) [45] seminars targeted exclusively to the operations of their healthcare institution.

Within this context, the SPHINX consortium defined and organized specific training activities and awareness webinars to increase the level of cybersecurity. To this end, apart from the dissemination of information material to the healthcare organizations with important indications and cybersecurity alerts, a webinar was explicitly designed and held to improve the cybersecurity skills of the IT employees during the COVID-19 period. The webinar took place in Greece, presenting state-of-the-art security practices, methods, tools, and standards to the healthcare environments. The cybersecurity culture framework, developed in the context of the EnergyShield project, was used to evaluate the effectiveness of the aforementioned training program, as presented in detail in the following paragraphs.

#### **3. Methodology**

In September 2019, a three-month cybersecurity awareness survey was held by the SPHINX consortium. After assessing 28 and 449 responses from IT and non-IT healthcare employees in Greek Healthcare Institutions [44], respectively, it was deduced that certain actions toward introducing advanced cybersecurity methods, tools, and standards were required. Therefore, an internal awareness campaign initiated by the IT departments towards the rest of the healthcare staff was executed verbally or via dissemination actions. On 16 December 2020, an IT-dedicated webinar took place [36]. The webinar's effectiveness was assessed via a two-step methodology: a questionnaire filled in voluntarily by the attendees directly after its conclusion, and a phishing campaign held from 26 April 2021 until 28 May 2021. This methodological approach is represented graphically in Figure 1.

**Figure 1.** Cybersecurity Awareness Methodology.

#### *3.1. Cybersecurity Awareness Campaign*

As described in the previous paragraphs, an intensive awareness campaign through the IT departments of Greek Healthcare institutions was initiated, in December 2019, focusing on actions and precautions that each healthcare employee should undertake to protect the data they handle. A variety of communication means were employed, including:


#### *3.2. Cybersecurity Awareness Webinar*

In December 2020, a cybersecurity awareness webinar was specifically designed and tailored to the needs of the Greek IT health domain departments. The webinar was made publicly available (upon registration) to every EU healthcare IT employee interested in participating. Instructors from the European Union Agency for Cybersecurity (ENISA), academic institutions, and cybersecurity industry representatives from the SPHINX consortium were involved. The webinar presented aspects of ISO 27001 [46] as a path to compliance with the directive on security of network and information systems (NIS directive) [47]. Moreover, it highlighted the key points of cybersecurity risk assessment in hospitals along with procurement guidelines for healthcare cybersecurity. Furthermore, various practical methods and techniques were presented to assist IT employees in their daily activities to control cybersecurity, while topics on state-of-the-art firewalls, antivirus configurations, and backup mechanisms as part of the network topologies were covered.

After the webinar's conclusion, the participants were requested to respond to a questionnaire, voluntarily and anonymously, in order to measure the comprehension level of the concepts presented. The questionnaire included questions on demographics, information security and policies, network security and data management (Appendix A). From a total of 113 attendees from various EU countries and institutions, 62 were employed in Greek Hospitals' IT departments (approximately 30% of the total permanent IT workforce of Greek healthcare organizations in the public sector [48]), and 30 of them answered the optional questionnaire.

#### *3.3. Phishing Awareness Campaign*

Based on the 2020 HIMSS Healthcare Cybersecurity Survey, security incidents continue to plague healthcare organizations of all types and sizes, with phishing being the most common of all [49]. Phishing is a social engineering tactic that is used to persuade individuals to provide sensitive information. Malicious actors employ phishing techniques for a variety of reasons, including identity theft, access to proprietary information, transmission of malicious software including ransomware, unauthorized remote access, and initiation of unauthorized financial transactions [50]. The most common form of phishing is the **phishing email**, which usually attempts to appeal to a recipient's fear, duty, obligation, curiosity, or greed [51].

In late January 2020, Coronavirus-themed Emotet spam campaigns were reported, primarily targeting Japanese entities [52,53]. From January to April 2020, Interpol detected about 907,000 spam messages tied to COVID-19 [54]. During April 2020, Google reportedly blocked more than 18 million malware and phishing emails related to COVID-19, in addition to more than 240 million COVID-related daily spam messages [55].

Consequently, and as a final methodological step, a cybersecurity culture assessment campaign was designed to post-evaluate the health domain workforce's familiarity specifically with phishing email techniques. Recent research shows a statistically significant positive correlation between workload and the probability of healthcare staff opening a phishing email [28]. Therefore, we decided to create a phishing quiz, instead of a simple questionnaire, including several different phishing emails. Its duration needed to be short to ensure the commitment and concentration of the participants, given their extremely heavy workload and resulting fatigue.

A phishing simulation exercise, in which the participants would receive, without prior knowledge, a phishing email containing a link they should not click on, could have been a more realistic approach to evaluating the actual workforce behavior under the prevailing circumstances. Yet, such an approach was rejected by the collaborating IT experts after extensive discussions. One of the main reasons was that such an evaluation exercise would require a significant effort to alter the configuration of the existing security solutions in place so that those "phishing" emails could reach their targeted participants. Moreover, participants would need to be informed of and consent to becoming part of this security evaluation campaign. Due to the psychologically and emotionally demanding period of the COVID-19 pandemic, it was agreed that most people would willingly take a short quiz initiated on demand and at a time of their choosing rather than agree to be evaluated via a simulation test performed over a specific period of time. The latter would significantly increase the evaluation stress and, therefore, decrease the participation rate.

Phishing emails that had either been blocked by the deployed antispam solutions or reported to the IT departments by the healthcare recipients and processed according to the applicable security protocols were gathered by SPHINX security experts and collaboratively examined for similarities and differences. After a number of evaluation sessions, they settled on the five emails presented in Table 1.

The specific survey targeted the hospitals' workforce during the COVID-19 crisis. A significant percentage of the IT staff, technicians and administrative clerks were teleworking due to the COVID-19 restrictions, unlike the medical, nursing and laboratory personnel, who had no such alternative. Therefore, our main goal was to evaluate the familiarity of non-medical personnel with phishing email techniques and assess their readiness while in teleworking conditions and following previous cybersecurity training and familiarity campaigns (Table 2).

**Table 1.** Emails Used in The Evaluation Campaign.


**Table 2.** Groups of Users Participating in The Evaluation Campaign.


IT: employees working in the information technology department; technicians: employees working in the electro-mechanical and biomedical departments; clerks: employees working in the accounting, finance, and procurement departments.

A special invitation email was sent to the selected participants, providing a connection link and appropriate authentication credentials. Each participant could complete the phishing quiz only once, with no time limitation, and had to provide an answer for each one of the emails included in the campaign. Both the invitation email and the phishing quiz were localized, ensuring proximity and removing the language barriers usually introduced in such evaluations.

The campaign was open for participation for almost a month, from 26 April 2021 to 28 May 2021. During that period, all 50 invited participants completed the phishing quiz anonymously, thus achieving a 100% participation rate. Participation varied with the hospitals' patient capacity: 54% of the participants came from Institution A, 40% from Institution B and 6% from Institution C. More specifically, 56% of the participants were clerks, 22% were IT professionals, and 22% were technicians (as presented in Figure 2).

**Figure 2.** Campaign General Participation Information: (**a**) Expertise, (**b**) Healthcare Institution.

#### **4. Detailed Assessment Results**

#### *4.1. Cybersecurity Awareness Webinar Results Analysis*

Immediately after the conclusion of the cybersecurity awareness webinar, participants were asked to complete a questionnaire (presented in Appendix A) voluntarily and anonymously. Based on its results (Table 3), 56.7% of the participants were aged between 40 and 49 years old, while 43.3% were female. Moreover, 56.7% held an MSc, while 80.0% had more than ten years of working experience in the field of healthcare IT. Around 70.0% were employed in hospitals, and 33.3% held managerial positions, while 36.7% worked for healthcare institutions that employ more than 1201 healthcare professionals.

**Table 3.** Demographics of Workshop Participants That Answered the Questionnaire.

| Category | | Participants |
|---|---|---|
| Total | | *n* = 30 (100%) |
| **Gender** | Male | 17 (56.7%) |
| | Female | 13 (43.3%) |
| **Age** | 20–29 | 2 (6.7%) |
| | 30–39 | 6 (20.0%) |
| | 40–49 | 17 (56.7%) |
| | 50–59 | 5 (16.7%) |
| **Education** | Secondary Education | 2 (6.7%) |
| | Bachelor's degree | 7 (23.3%) |
| | MSc | 17 (56.7%) |
| | PhD | 4 (13.3%) |
| **Years of Experience** | 0–5 | 5 (16.7%) |
| | 6–10 | 1 (3.3%) |
| | >10 | 24 (80.0%) |
| **Position** | ICT staff | 12 (40.0%) |
| | ICT manager | 10 (33.3%) |
| | ICT director | 3 (10.0%) |
| | Other | 5 (16.7%) |
| **Organization** | Hospital | 21 (70.0%) |
| | Health Authority | 3 (10.0%) |
| | Other | 6 (20.0%) |
| **Number of Employees in your Organization** | <100 | 4 (13.3%) |
| | 100–300 | 2 (6.7%) |
| | 301–600 | 7 (23.3%) |
| | 601–1000 | 3 (10.0%) |
| | 1001–1200 | 3 (10.0%) |
| | >1201 | 11 (36.7%) |

ICT: Internet and Communication Technologies.

Figure 3 presents the questionnaire results associated with information security and policies. More specifically, 90% responded correctly that the Health Insurance Portability and Accountability Act (HIPAA) [56] and ISO/IEC 27799 (Health informatics—Information security management in health using ISO/IEC 27002) [57] are the standards they should be aware of, while the rest of the participants (10%) answered incorrectly that COBIT and ITIL or PCI/DSS and SOX should be taken into consideration. Furthermore, in the question related to the allocation of resources towards the discovery of cybersecurity events, 77% replied correctly that resources should be exclusively allocated to this task, while 23% considered that it would be better to allocate these resources elsewhere or that resources should be allocated based on the availability of an IT team. A total of 67% of the respondents correctly stated that a vulnerability management plan that includes, among others, scanning for patch levels, functions, ports, protocols, and services could support risk assessment, compared to 33% who replied negatively or were unaware. Only 37% replied correctly that the assessment scale for the impact and the likelihood is not restricted to values between one and ten, while 63% either agreed with that restriction or were unaware.

Around 67% answered correctly that it was necessary for their organization to receive and share threat and vulnerability information from/with internal and external sources. Regarding the multiple-answer question about the necessity to address risks and opportunities within their organization, only 17% responded that it was required both to prevent and reduce undesired effects and to achieve continual improvement. The rest (83%) answered either partially or in combination with other alternatives. Only 30% replied correctly that every organization asset should be included in the inventory of systems and resources, while 70% replied partially correctly to the question. Finally, 20% replied correctly that people, software, and paper-based information represent assets from an information security perspective. The rest (80%) responded only partially correctly or considered that unauthorized modification or low awareness of information security could be assets too.

Figure 4 collectively presents answers to questions associated with network security and data management. More specifically, this part of the questionnaire revealed that 53% of the participants prefer a standard password expiration policy at regular intervals, while 47% stated they prefer to change the default passwords and, thereafter, not ask end users to change their passwords. A total of 83% of the respondents considered that a centralized administration of virus control, such as distribution of signature updates, reporting, policy enforcement and vendor management, was important to their daily IT operations because it helped them do their work faster and monitor their assets in real time. On the other hand, 17% replied that they had manually installed antivirus software on their assets and consequently did not consider this an important security policy. The vast majority (87%) recognized a flat network topology as a vulnerable architecture. Furthermore, from a CIA perspective (confidentiality, integrity, availability), 90% replied that regular backups and restoration tests ensure availability and reduce the time required to restore a system to operational mode. On the other hand, 10% stated they were unaware or that only backups were important for availability, reducing the risk of losing data. Further, 73% responded correctly that the concept of reducing the attack surface involves segmenting network zones, blocking activities associated with vulnerabilities and combating malicious code. In addition, 27% replied partially correctly by selecting only one of the aforementioned actions.

**Figure 4.** Evaluation of the Comprehension of Network Security and Data Management.

Furthermore, 70% answered that it was important to have an automatic, near zero-configuration security architecture because it reduces manual labor and human error, while 30% added incorrectly that it would also be cheaper and easier to implement. In addition, 60% replied correctly that the most commonly exploited application is the Office suite, while the remaining 40% reported either browsers, operating systems, Java or PDF files. Moreover, 43% stated correctly that Trojans were the most common malware infection threat, while the remaining 57% answered adware, viruses, or potentially unwanted programs. When asked whether intrusion detection and intrusion prevention software was considered one of the important components of edge security, 63% replied positively and held an active subscription, while the remaining 37% also replied positively but did not hold an active subscription, though they were considering procuring one in the future.

#### *4.2. Phishing Awareness Campaign Results Analysis*

Based on the phishing quiz results, as presented in Figure 5, 1 out of 4 participants was able to distinguish a legitimate from a phishing email with a 100% success score. Only 10% of them did not manage to obtain a passing score, since they identified only two out of five emails. Although such a score would be considered quite satisfactory in many contexts, the same does not apply to cybersecurity, where an organization is only as strong as its weakest link.

**Figure 5.** Campaign generic assessment results: (**a**) overall, (**b**) per group, (**c**) per expertise and (**d**) per email.

When examining the overall campaign results from a group perspective, as depicted in Figure 5b, we notice that five out of seven groups managed to achieve a score higher than 70%. A disturbing observation, though, is that the IT personnel appear to have the lowest average in comparison with the rest of the groups, namely the clerks and the technicians (Figure 5c). Given the close relationship between the Information Technology and Information Security domains, better cybersecurity awareness and greater familiarity with phishing techniques were expected of the IT experts.

Narrowing down to achievement scores per email, Emails I and II appear to have the best phishing identification scores (higher than 80% for all participating groups), as presented in Figures 5d and 6. Interestingly, these two emails bear no similarities. The first one, as presented in Table 1, relates to a banking institution, contains an easily recognizable logo and seeks account verification by clicking on a hyperlinked text behind which a suspicious redirection is hidden. The second one is quite long, contains only text and attempts, using slang language, to convince its recipients to pay a ransom in Bitcoin so that personal videos recorded via their hacked workstation cameras are not revealed. The phishing techniques used in these two cases are quite different and usually aim at different target audiences: Email I appeals to a recipient's sense of duty and punctuality, whereas Email II appeals to fear and uncertainty. Yet, the majority of the hospital employees participating in this evaluation campaign managed to recognize both of them as not legitimate.

**Figure 6.** Campaign assessment results per expertise for: (**a**) email I, (**b**) email II, (**c**) email III, (**d**) email IV and (**e**) email V, of the phishing quiz.

One would expect Email III to present results similar to Email I since, as presented in Table 1, they look alike. Email III also relates to a banking institution, contains its logo and seeks account verification through a hyperlink that is not hidden but fully visible to its readers. Therefore, better results were anticipated, since less effort was needed to locate the misleading redirection. Since it was the third entry in the phishing quiz, boredom and carelessness may have overtaken caution and reserve, which would explain the declining scores. However, such a conclusion does not agree with the results observed for Email IV, as depicted in Figures 5d and 6, where the scores improve.

Last but not least, we notice that the majority of the participants (64%) failed to identify the only legitimate email included in the phishing quiz. The specific email was short (no more than 38 words), containing no images or logos, no special font formatting and no email structures (e.g., tables). The word "here" carried a hidden hyperlink (which could be previewed when the user hovered over the word with the mouse) that could easily be verified to redirect to the legitimate Ministry of Internal Affairs website. Even though this result could be attributed to the increased cautiousness of the users due to the special circumstances of the crisis and the nature of the assessment, it remains quite disturbing. Legitimate emails might be forwarded for security analysis, rejected, or even deleted without their content being communicated to their recipients, because they were erroneously identified as phishing attempts.
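The hover-preview check described above, comparing the address a link displays with the one it actually points to (the difference between Email I on the one hand and Emails III and V on the other), can be mechanized as a triage aid for a help desk. The following is an added example, not code from the paper or from the SPHINX project; the sample messages, the domain names and the KNOWN_GOOD_HOSTS allowlist are constructed placeholders.

```python
"""Visible link text versus real link target in an HTML email (added example).

Models the three link patterns discussed in the paper:
  - Email I:   link text shows one address, href points somewhere else (hidden redirect)
  - Email III: the real target is fully visible in the link text
  - Email V:   the word "here" hides a link, but to a known legitimate site
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the organization's IT department knows to be legitimate.
KNOWN_GOOD_HOSTS = {"ministry.example.gov", "intranet.example.org"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def _host(url):
    """Lower-cased host of a URL; a bare 'www.site.example' is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _looks_like_url(text):
    """True when the visible text itself reads as a web address."""
    t = text.lower()
    return t.startswith(("http://", "https://", "www.")) or ("." in t and " " not in t)


def classify_link(href, text):
    """Classify one hyperlink by what the reader sees versus where it really goes."""
    target = _host(href)
    if _looks_like_url(text):
        shown = _host(text)
        if shown and shown != target:
            return "hidden-redirect"      # Email I pattern: displayed address is a decoy
        return "visible-link"             # Email III pattern: target in plain sight
    if target in KNOWN_GOOD_HOSTS:
        return "hidden-known-good"        # Email V pattern: "here" -> known legitimate host
    return "hidden-unknown"               # wording hides a target nobody has vetted


def inspect_email(html):
    """Return a per-link report: visible text, real target host and verdict."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [{"text": text, "target": _host(href), "verdict": classify_link(href, text)}
            for href, text in collector.links]


def triage(html):
    """Overall advice for the message: 'suspicious', 'verify target' or 'links ok'."""
    report = inspect_email(html)
    if any(r["verdict"] == "hidden-redirect" for r in report):
        return "suspicious"
    if any(r["target"] not in KNOWN_GOOD_HOSTS for r in report):
        return "verify target"
    return "links ok"


# Constructed sample messages mirroring the three patterns (not the paper's emails).
EMAIL_I = ('<p>Dear customer, please verify your account at '
           '<a href="http://bank-verify.example.net/login">https://www.bank.example.com/verify</a>.</p>')
EMAIL_III = ('<p>Verify your account at '
             '<a href="http://bank-verify.example.net/login">http://bank-verify.example.net/login</a></p>')
EMAIL_V = ('<p>The updated circular is available '
           '<a href="https://ministry.example.gov/circulars/2021">here</a>.</p>')

if __name__ == "__main__":
    for name, html in (("Email I", EMAIL_I), ("Email III", EMAIL_III), ("Email V", EMAIL_V)):
        print(name, "->", triage(html))
        for link in inspect_email(html):
            print("   ", link)
```

A "hidden-known-good" verdict is exactly the Email V case: the hidden link is not evidence of phishing once its target is checked against the allowlist, which is the judgement most participants did not make.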

#### **5. Key Findings**

The analysis of the webinar's questionnaire showed that the IT departments sufficiently comprehended concepts such as the application of standards to their policies and the incorporation of iterative risk assessment of their assets into their operations. Additionally, they exhibited high familiarity with the various network topologies and advanced cybersecurity tools. However, more emphasis should be given to focused training programs targeting risk assessment and data asset identification. It is deduced that healthcare IT employees are highly aware of cybersecurity concepts and of how to protect their network and information systems.

Summing up the results of the targeted post-assessment campaign on phishing, the most apparent and at the same time unexpected observation is that the lowest average score belongs to the IT professionals. They were expected to be the most qualified of the respondents and the ones apt to guide and advise the hospitals' personnel on their handling of suspicious emails. However, these results came after a series of Emotet spam campaigns that affected their hospitals. These events may reasonably have sensitized their awareness and hardened their judgment. Indeed, the lowest score emerges for Email V, where only 18% of the IT personnel successfully identified that it was a legitimate email (Figure 6). Although the above reasoning could adequately justify this result, it cannot be taken as an explanation that requires no action. Behavioral awareness in cybersecurity calls for the right decisions, where legitimate emails reach their recipients and enjoy appropriate handling, while phishing emails are immediately detected and rejected. Therefore, the results suggest that there is still room for dedicated training programs that should first, but not exclusively, target the hospitals' IT departments, so that they can offer a robust first security layer and provide the right advice when requested. Besides, the great success of phishing emails in deceiving people can be attributed to the fact that phishers are becoming smarter [58]. Therefore, even tech-savvy people can be deceived, while regular training can certainly shield an organization, as previous works suggest [59,60].

Another observation is that there is no notable difference among the three groups of IT personnel, technicians, and clerks, as indicated by both their average scores and the individual analysis, that would mark one group as better prepared than the others. We see two possible explanations for this. Firstly, in general, people tend to have difficulty relating to such a theoretical problem, which they believe will not happen to them [61]. Therefore, when receiving a new email, they do not invest the time and effort to question its intentions. Secondly, more tech-savvy people tend to be overconfident in their ability, relative to others, to identify fraud and mal-intent, which usually turns out to be a naive perception [61].

Finally, the analysis results yielded no noteworthy differences among the three Greek healthcare institutions participating in the analysis. As depicted in Figure 7, the encouraging finding is that the lowest scores appear for all three hospitals for Email V, the only legitimate email of the phishing quiz. However, this finding should not remain unaddressed, for the reasons explained previously. In general, advancing phishing email filters [62] so that only a bare minimum of phishing emails, and only rarely, remain undetected and pass the filter would safeguard the hospitals well and take the weight of increased awareness off the employees' shoulders. Experience has shown, though, that a perfect phishing email filtering mechanism cannot exist, and the recipients' cybersecurity awareness is the key to phishers' failure.

**Figure 7.** Campaign assessment results per hospital for: (**a**) email I, (**b**) email II, (**c**) email III, (**d**) email IV and (**e**) email V, of the phishing quiz.

#### **6. Considerations and Limitations**

The security awareness webinar and the post-evaluation phishing campaign were conducted during the COVID-19 crisis. Cyber-attacks against critical infrastructures were on the rise, while, in parallel, the health sector required advanced cybersecurity protection mechanisms and an enhanced security culture, as introduced by an organization's human capital. In this context, we aimed at informing the hospitals' personnel about current cybersecurity risks and mitigation strategies against them. We then evaluated their cybersecurity resilience using both a simplified questionnaire and a phishing campaign. The prioritization of the phishing quiz campaign over the other alternatives provided by the Cybersecurity Culture Framework presented in Section 2.1 was set by the IT and security experts of the participating hospitals, given the alarming frequency of phishing attacks. A phishing simulation exercise, which could also have served the same purpose, was rejected, after careful consideration, due to the extra effort required from the IT and security personnel to properly configure and bypass the anti-spam solutions in place. Concerns about ensuring a high participation rate without further disrupting or stressing participants also favored the phishing quiz approach.

Due to COVID-19 and the profoundly heavy schedule of the medical staff, we decided not to engage them at this stage, which, of course, restricted the extent of our analysis and the application scope and generalizability of its findings. Our next steps involve engaging a fair sample of the medical staff of these three hospitals in the campaign when conditions permit it. This will allow a complete understanding of the hospitals' readiness concerning phishing attacks since staff from all key roles of the hospitals' operation will have been engaged.

Another limitation is the fact that the campaign was restricted to Greece, thus making it impossible to compare the cybersecurity culture of the health sector among EU countries or even globally. Furthermore, the selection of five emails (four of them not legitimate) for the phishing quiz that the participants had to take might be considered small and not adequate for assessing one person's security behavior. However, the engagement of a satisfactory number of the hospitals' staff in the campaign and their focus during the quiz's completion were the top priorities, and both would have been jeopardized had a longer, more complex quiz been given. In parallel, these five emails proved sufficient to highlight potential gaps and weaknesses in Greek hospitals' security culture and to pinpoint new training routes.

#### **7. Conclusions and Future Work**

The current manuscript aimed to explore the cybersecurity culture of the hospitals' personnel during the COVID-19 pandemic. A questionnaire examined the participants' knowledge and familiarity with information security concepts, policies, procedures, and practices, while a phishing campaign focused on their attitude and behavior towards phishing techniques, probably the most disturbing security issue faced during the COVID-19 crisis. The assessment's design was based on a robust methodology, which is part of a broader context, the Cybersecurity Culture Framework presented in Section 2.1. Three Greek hospitals participated in the evaluation campaign with staff members belonging to one of the following three groups: IT professionals, technicians, and clerks.

In that view, and given the previously identified considerations concerning the current work, our next steps involve extending the analysis at three levels: (a) the participants' involvement and role in the hospital, (b) the examined security dimensions of the cybersecurity culture framework, and (c) the geographical coverage. Two new cybersecurity culture assessment campaigns are now planned, addressing the first and second levels, respectively. In particular, the first campaign aims to continue the current phishing campaign by involving more staff members, focusing on the medical staff, to allow a full overview of the participating hospitals' readiness concerning phishing attacks. The second campaign aims to involve and examine more security dimensions of the cybersecurity culture framework through an effective combination of questionnaires, tests, simulations, and serious games targeted to the background and needs of the health sector. This campaign will focus on selected personnel with key roles with respect to security in the participating hospitals. The extension of these campaigns to more countries will follow the completion of the objectives mentioned above.

**Author Contributions:** Conceptualization, A.G., A.M.-P. and F.G.; methodology, A.G., A.M.-P., F.G., E.S., A.T., K.G. and G.D.; software, A.G. and A.M.-P.; validation, F.G., E.S., A.T., K.G. and G.D.; formal analysis, A.G., A.M.-P. and F.G.; resources, A.M.-P., C.N., L.L.R. and D.A.; writing—original draft preparation, A.G., A.M.-P. and F.G.; writing—review and editing, A.G., A.M.-P. and F.G.; visualization, A.G., A.M.-P. and F.G.; supervision, A.M.-P., C.N., L.L.R. and D.A.; project administration, A.M.-P., C.N., L.L.R. and D.A.; funding acquisition, L.L.R. and D.A. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research was funded by the European Union's Horizon 2020 Research and Innovation Programme, Grant Number 832907. Moreover, this work was funded by the SPHINX project that has received funding from the European Union's Horizon 2020 Research and Innovation Programme under Grant Agreement No. 826183 on Digital Society, Trust and Cyber Security E-Health, Well-being and Ageing.

**Institutional Review Board Statement:** Not applicable.

**Informed Consent Statement:** Not applicable.

**Data Availability Statement:** The data presented in this study are available on request from the corresponding author.

**Acknowledgments:** This project has received funding from the European Union's Horizon 2020 Research and Innovation Programme under Grant Agreements Nos. 832907 and 826183.

**Conflicts of Interest:** The authors declare no conflict of interest.

#### **Appendix A**

*General Characteristics - Demographics*

1. Country

*(Free Text)*

2. Age

20–29 / 30–39 / 40–49 / 50–59 / 60+

3. Gender

Male Female

4. Education



8. Number of Employees in your Organization


9. Which of the following represent assets from an information security perspective?


10. Organizations should retain an inventory of systems and resources. Which of the following should be included?


11. Risks and opportunities need to be addressed within the organization in order to:

Ensure all employees are aware of the risks and opportunities

12. Should your organization receive and share threat and vulnerability information from/with internal and external sources?


13. Risk analysis includes assessment of the impact the risk can have on the company and assessment of the likelihood that the identified risk can really happen. The assessment scale for the impact and the likelihood can only vary between the values 1 and 10.


14. Vulnerability management plan includes, among other, scanning for patch levels, scanning for functions, ports, protocols, and services. Do you think this plan can support risk assessment?



22. Is centralized administration of virus control, such as distribution of signature updates, reporting, and policy enforcement and vendor management important to your daily ICT operations?


23. Do you ensure that passwords are regularly changed on networking devices?


24. What is the concept of reducing the attack surface?


25. Why is it important to have an automatic, near zero-configuration security architecture?


#### **References**


**Hyunho Ryu and Hyunsung Kim \***

School of Computer Science, Kyungil University, Gyeongsan-si 38428, Korea; ryoofamily0430@gmail.com **\*** Correspondence: kim@kiu.ac.kr

**Abstract:** Mobile healthcare services have become increasingly popular thanks to the significant advances in wireless body area networks (WBANs). They help medical professionals collect patients' healthcare data remotely and provide remote medical diagnosis. Since health data are privacy-related, such services should be privacy-preserving, considering security and privacy at the same time. Recently, some lightweight patient healthcare authentication protocols were proposed for WBANs. However, we observed that they are vulnerable to tracing attacks because the patient uses the same identifier in each session, which could leak privacy-related information about the patient. To overcome this weakness, this paper proposes a privacy-preserving authentication protocol for WBANs in healthcare services. The proposed protocol is based only on a one-way hash function and the exclusive-or operation, which are more lightweight than asymmetric cryptosystem operations. We performed two rigorous formal security proofs based on BAN logic and the ProVerif tool. Furthermore, comparison results with the relevant protocols show that the proposed protocol achieves more privacy and security features than the other protocols and has suitable efficiency in terms of computation and communication.

**Keywords:** healthcare service; body area network; privacy; authentication; security protocol

#### **1. Introduction**

Advances in mobile networking for the Internet of Things (IoT) are powering the fourth industrial revolution. IoT connects physical things with digital worlds and allows for better collaboration and access across network participants, application services and people [1–5]. Wireless sensor network (WSN) technology is an essential component of IoT because it consists of a collection of sensors connected wirelessly. Among the diverse kinds of WSNs, the wireless body area network (WBAN) is a highly suitable communication network for medical IoT devices [6–9]. Healthcare services based on WBANs can provide remote mechanisms to monitor and collect patients' health data. The distance between patients and professional doctors can affect health status [10–13], and locational inequality in the medical system, such as a shortage of hospitals and professional doctors, is a problem that exists in almost all countries [14,15]. Remote healthcare systems can help with this problem. In particular, a remote healthcare system is beneficial for chronic diseases such as diabetes, heart failure, and chronic obstructive pulmonary disease [16], and chronic diseases are an increasingly important concern for remote healthcare systems [17], because such a system can check a patient's health status anytime and anywhere. In addition, since the patient's health status is checked in real time, the system has the advantage that it can respond quickly and the doctor can make an early diagnosis if the patient's health status becomes an emergency [18,19]. Additionally, remote healthcare monitoring allows people to continue to stay at home rather than in expensive healthcare facilities such as hospitals or nursing homes [20,21].

However, privacy and security play key roles in protecting these data during data collection and transmission since remote healthcare service is vulnerable to various attacks [22–29]. If any attacker successfully launches the attacks, unintended functions may be performed via WBAN and these can cause a life threat to the patient. Therefore, it is imperative to devise authentication and key establishment protocols for securing remote healthcare applications.

**Citation:** Ryu, H.; Kim, H. Privacy-Preserving Authentication Protocol for Wireless Body Area Networks in Healthcare Applications. *Healthcare* **2021**, *9*, 1114. http://doi.org/10.3390/healthcare9091114

Academic Editors: Daniele Giansanti and Tin-Chih Toly Chen

Received: 13 July 2021 Accepted: 24 August 2021 Published: 28 August 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

There have been many authentication protocols for WBANs in healthcare applications [30–41]. The first anonymous authentication protocol based on smartcards was proposed by Zhu et al.; it provides authentication with a single round of message communication while keeping user anonymity [30]. However, Lee et al. showed that Zhu et al.'s protocol cannot provide perfect user anonymity and backward secrecy, and proposed an enhanced protocol [31]. Both Zhu et al.'s and Lee et al.'s protocols are based on hash operations, symmetric key cryptography and exclusive-or operations. Memon et al. proposed an anonymous authentication protocol for location-based services based on elliptic curve cryptography (ECC) [32]. Soon after, Reddy et al. showed vulnerabilities in Memon et al.'s protocol, namely a key compromise impersonation attack, an insider attack, an insecure password changing phase and imperfect mutual authentication, and proposed a two-factor authentication protocol based on ECC and smartcards [33]. Memon et al.'s and Reddy et al.'s protocols depend on asymmetric key cryptography, specifically ECC. For the telecare medicine information system, Khatoon et al. and Ostad-Sharif et al. separately proposed authentication and key agreement protocols based on ECC [34,35]. By adopting a fuzzy extractor to identify patients using biometrics, Khatoon et al.'s protocol aims to provide secure, privacy-preserving, bilinear pairing-based, unlinkable mutual authentication and key agreement for the patient [34]. Ostad-Sharif et al. designed an anonymous and unlinkable authentication and key agreement protocol that provides perfect forward secrecy, with a formal security analysis using the AVISPA simulation tool [35]. Apart from these research efforts, Ali et al. proposed an authentication and access control protocol for securing wireless healthcare WSNs [36]. Ali et al.'s protocol is based on ECC and bilinear pairing and is proven secure using the AVISPA tool and Burrows–Abadi–Needham (BAN) logic [37].

Primitives based on ECC or bilinear pairing carry a higher computational overhead than other cryptographic primitives and are therefore a heavy burden for WBANs. To cope with the overhead, Khan et al. proposed an anonymous biometric-based authentication protocol using chaotic maps [38]. To use biometrics in the protocol, Khan et al. adopted the Chebyshev chaotic map together with a hash function, which are lightweight cryptographic primitives for authentication. Aman et al. proposed a lightweight authentication protocol over WBANs based on physical unclonable functions (PUFs) [39]; it relies on hash functions and exclusive-or operations. Even though the protocols of Khan et al. and Aman et al. are operationally efficient, the PUF assumption is a heavy burden in the WBAN environment. Xu et al. proposed a lightweight anonymous authentication and key agreement protocol for WBANs that uses neither a chaotic map nor PUFs [40]. Their protocol is based only on a hash function and exclusive-or operations and has an advantage in operational cost. However, Alzahrani et al. showed that Xu et al.'s protocol is vulnerable to replay attacks and key compromise impersonation attacks and suffers from an offline identity-guessing attack [41], and they proposed an improved protocol for WBANs in healthcare applications. Even though Alzahrani et al.'s protocol has a lightweight computational overhead and various advantages regarding security and privacy, we found that it does not provide unlinkability of patients because it uses the same identifier for the access point in every session.

The contributions of this paper are as follows:

(1) A new privacy-preserving authentication protocol for WBANs in remote healthcare applications is devised. In the protocol, an entity could protect privacy and security with a session key establishment for secure communication.

(2) The proposed protocol utilizes lightweight operations, which are based on the hash function and exclusive-or operation. This makes the protocol suitable for WBANs in remote healthcare applications.

(3) The formal security proof in BAN logic [37] demonstrates that the proposed protocol supports privacy and security. The formal security verification with ProVerif tool [42] shows that the proposed protocol can withstand both passive and active attacks. The informal analysis of its privacy and security is presented to verify the robustness of the proposed protocol against the well-known attacks.

(4) Efficiency analysis is carried out based on the complexity analysis of computation and communication overheads. The results show that the proposed protocol has a lower overhead than the existing protocols.

The remainder of this paper is structured as follows. Section 2 summarizes the preliminaries of the research, focusing on the healthcare system configuration, the CK threat model and the design goals. Section 3 gives a detailed description of the proposed privacy-preserving authentication protocol for remote healthcare applications. Section 4 demonstrates the formal, semi-formal and informal privacy and security results of the proposed protocol. Section 5 shows performance results focused on computation and communication. Section 6 discusses the importance of this research and future work. Section 7 concludes the work.

#### **2. Preliminaries**

In the digital age, hospitals and health service providers have pursued innovations for richer healthcare services. WBAN technology allows patients to be treated at any time, even in remote areas, and enables doctors in medical institutions to diagnose diseases and treat patients. The technology can also help anyone to easily access medical information [43]. It further serves to reduce patient anxiety by providing easy access to current medical information, for example on coronavirus disease 2019 (COVID-19). This section briefly reviews the system configuration for the target remote healthcare service and the design goals of the proposed protocol.

#### *2.1. System Configuration*

The target remote healthcare service is based on a WBAN for patients. As shown in Figure 1, there are three main entities: a patient (PT) with some sensor nodes (SNs) on the WBAN, an access point (AP) and a hub node (HN) acting as the server of the remote healthcare system. In addition, a system administrator (SA) is required for the system set-up, but HN could take over this role if necessary. The roles of each entity are defined as follows:


**Figure 1.** System configuration for remote healthcare service.

#### *2.2. CK Threat Model*

This subsection describes the widely accepted and well-known Canetti and Krawczyk (CK) threat model, which defines the ability of an adversary and is one of the foundations for formal privacy and security analysis on cryptographic protocol [44,45]. In the CK model, the adversary can fully control the communication links by listening to, altering, deciding on and injecting into the transferring information. Apart from these basic adversarial capabilities, in this model, it is assumed that the adversary can obtain secret information stored in the parties' memories via explicit attacks. As a result, the security of an authentication protocol should guarantee that the leakage of private values, such as session ephemeral secrets, would have the least possible influence on the security of other sessions and other private credentials of the communicating entities.

#### *2.3. Design Goals*

The healthcare system should provide privacy and security at the same time [46,47]. Normally, other protocols such as those in [40,41] consider only anonymity to provide the privacy of PT. However, unlinkability also needs to be considered as another important privacy feature. To design a new authentication protocol for the remote healthcare service under the CK threat model, the following five security properties and two privacy requirements are considered in this paper.

[SP1] Mutual authentication: To allow only authorized PT to get the medical services provided by HN, mutual authentication between SN and HN is required.

[SP2] Session key agreement: After a successful process of mutual authentication, further EHR data communications between SN and HN should be encrypted based on the session key to achieve confidentiality and integrity.

[SP3] Message freshness: Each entity in the system needs to check message freshness to cope with various attacks. It could be supported either by using timestamp or random nonce.

[SP4] Perfect forward secrecy: It could assure that the security of the system will not be compromised even if long-term secrets used in the protocol are compromised.

[SP5] Attack resistance: Due to the open environment of the remote healthcare service, the messages transmitted among network entities may be intercepted, modified and replayed by the adversary. Therefore, the proposed authentication protocol should be able to withstand various attacks, such as replay attacks, impersonation attacks, man-in-the-middle attacks and known session-specific temporary information attacks.

[PP1] Anonymity: Anonymity is an important privacy feature in the remote healthcare service. To protect the identity privacy of PT, the proposed protocol should guarantee that no one can get the PT's identity from the intercepted messages on the public channels.

[PP2] Unlinkability: Unlinkability is another important privacy feature in the remote healthcare service; it guarantees that the adversary cannot distinguish whether messages from different sessions are related or not. The cryptographic protocol should not only guarantee the PT's anonymity but also provide unlinkability between sessions.

#### **3. Proposed Authentication Protocol**

In this section, a privacy-preserving authentication protocol for WBANs in the healthcare service is proposed. The proposed protocol uses only a hash function with exclusive-or operations to meet the design goals. We assume that all participants are time-synchronized using a suitable scheme and that a maximum transmission delay $\Delta t$ is mutually agreed. The proposed protocol consists of four phases: the initialization phase, the registration phase, the authentication phase and the identity modification phase. First, the initialization phase sets up the security building block for the overall network. A PT equipped with an SN and an AP is the subject of the registration phase, performed with either SA or HN. The authentication phase provides the basic security service of checking whether an entity is legitimate and also sets up a session key for further secure communication. The identity modification phase is used when a PT wants to change the SN's identity for privacy reasons. Table 1 defines the symbols and their meanings used in this paper.



#### *3.1. Initialization Phase*

For the system initialization, SA performs the following steps.

Step 1. SA selects a long-term master key $KS_{HN}$ for HN.

Step 2. SA stores $KS_{HN}$ in the memory of HN.

#### *3.2. Registration Phase*

When a PT wants to subscribe to the remote healthcare service, HN performs the following steps after issuing an SN and an AP for the PT, as shown in Figure 2. All parameters are established by HN for the WBAN over a secure channel.

**Figure 2.** Registration phase.


Step 3. HN stores $PID_{AP}$ in the memory of AP.

#### *3.3. Authentication Phase*

When a PT wants to use the subscribed remote healthcare service, the PT's SN and AP use this phase to log in to HN, as shown in Figure 3. SN acts on behalf of the PT, periodically sending the predefined sensed EHR data to HN via AP. This phase has two purposes: mutual authentication and session key agreement. The timestamp in each message provides message freshness, which is used to cope with replay attacks. The detailed steps are as follows:


$NX_{SN} = X'_{SN} \oplus g$, $NY_{SN} = Y'_{SN} \oplus g$, $C_{SN} = h(q \| ID'_{SN} \| j \| X'_{SN} \| Y'_{SN} \| T2_{HN})$ and $K_S = h(q \| S1_{SN} \| S2_{SN} \| HC_i)$. After that, HN overwrites $S1_{SN}$ with $S2_{SN}$ and replaces $S2_{SN}$ with $K_S$ in its memory; these values are used in the next authentication for privacy provision. HN then calculates $HC'_i = h(HC_i)$ and replaces $HC_i$ with it ($HC_i = HC'_i$), which updates the session key parameter. Finally, HN composes the message $\{r, NX_{SN}, NY_{SN}, C_{SN}, T2_{HN}, NPID_{AP}, Z_{AP}\}$ and sends it to AP.
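The following is an added worked example, not code from the paper's authors: it runs the hash-and-XOR authentication phase end to end (SN, AP and HN sides), reconstructed from the formulas above and from the ProVerif model in Section 4.2, and it also performs the credential evolution ($S1_{SN} \leftarrow S2_{SN}$, $S2_{SN} \leftarrow K_S$, $HC_i \leftarrow h(HC_i)$) that the forward-secrecy argument in Section 4.3 relies on. Assumptions made here, since this page omits Table 1 and the registration and step lists: $h$ is SHA-256, every field is a 32-byte string so XOR is well defined, timestamps are integers in seconds, the registration values $X_{SN} = a_{SN} \oplus KS_{HN}$, $Y_{SN} = ID_{SN} \oplus h(KS_{HN} \| a_{SN})$ and $PID_{AP} = ID_{AP} \oplus h(a_{SN} \| KS_{HN})$ are inferred from how processHN unmasks them, and AP adopts $NPID_{AP}$ as its pseudonym for the next session.

```python
import hashlib
import os

L = 32  # assumption: every field is a 32-byte string so that XOR is well defined


def h(*parts: bytes) -> bytes:
    """h(a||b||...) instantiated with SHA-256 (assumed; the paper fixes no hash)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def field(s: str) -> bytes:
    """Zero-pad an identifier to the fixed field width (constructed sample ids)."""
    return s.encode().ljust(L, b"\0")


def ts(t: int) -> bytes:
    """Encode a timestamp (seconds) as a fixed-width field."""
    return t.to_bytes(L, "big")


class HubNode:
    """HN: holds the master key KS_HN and the evolving credentials of each SN."""

    def __init__(self, ks_hn: bytes, delta_t: int = 5):
        self.ks_hn, self.delta_t = ks_hn, delta_t
        self.records = {}  # ID_SN -> {"S1", "S2", "HC", "IDAP"}

    def register(self, id_sn: bytes, id_ap: bytes):
        """Registration over a secure channel (derivations assumed, see lead-in)."""
        a_sn = os.urandom(L)
        x_sn = xor(a_sn, self.ks_hn)
        y_sn = xor(id_sn, h(self.ks_hn, a_sn))
        pid_ap = xor(id_ap, h(a_sn, self.ks_hn))
        s1, s2, hc = os.urandom(L), os.urandom(L), os.urandom(L)
        self.records[id_sn] = {"S1": s1, "S2": s2, "HC": hc, "IDAP": id_ap}
        sn = {"ID": id_sn, "X": x_sn, "Y": y_sn, "S1": s1, "S2": s2, "HC": hc}
        ap = {"ID": id_ap, "PID": pid_ap}
        return sn, ap

    def respond(self, msg2, t2_hn: bytes, now: int):
        """Message 2 in, Message 3 out; returns (msg3, K_S) or None on rejection."""
        x_sn, y_sn, rids, t1_sn, pid_ap = msg2
        if now - int.from_bytes(t1_sn, "big") > self.delta_t:
            return None                                   # stale message (SP3)
        a = xor(x_sn, self.ks_hn)                         # recover a_SN
        id_sn = xor(y_sn, h(self.ks_hn, a))
        id_ap = xor(pid_ap, h(a, self.ks_hn))
        rec = self.records.get(id_sn)
        if rec is None or rec["IDAP"] != id_ap:
            return None
        if rids != h(id_sn, x_sn, y_sn, rec["S2"], rec["HC"], t1_sn):
            return None                                   # SN not authenticated (SP1)
        q, na_sn = os.urandom(L), os.urandom(L)
        x_new = xor(na_sn, self.ks_hn)                    # X'_SN
        y_new = xor(id_sn, h(self.ks_hn, na_sn))          # Y'_SN
        npid_ap = xor(id_ap, h(na_sn, self.ks_hn))        # fresh AP pseudonym (PP2)
        j = xor(id_sn, xor(y_sn, x_sn))
        r = xor(q, j)
        g = h(q, j, rec["S2"])
        z_ap = h(pid_ap, npid_ap, id_ap)
        c_sn = h(q, id_sn, j, x_new, y_new, t2_hn)
        ks = h(q, rec["S1"], rec["S2"], rec["HC"])
        # credential evolution S1 <- S2, S2 <- K_S, HC <- h(HC): the basis of SP4
        rec["S1"], rec["S2"], rec["HC"] = rec["S2"], ks, h(rec["HC"])
        return (r, xor(x_new, g), xor(y_new, g), c_sn, t2_hn, npid_ap, z_ap), ks


def sn_request(sn, t1_sn: bytes):
    """Message 1: RID_S binds ID_SN, the current credentials and the timestamp."""
    rids = h(sn["ID"], sn["X"], sn["Y"], sn["S2"], sn["HC"], t1_sn)
    return (sn["X"], sn["Y"], rids, t1_sn)


def ap_relay(ap, msg3):
    """AP checks Z_AP, adopts NPID_AP (assumed) and strips the AP-only fields."""
    r, nx, ny, c_sn, t2_hn, npid_ap, z_ap = msg3
    if z_ap != h(ap["PID"], npid_ap, ap["ID"]):
        return None
    ap["PID"] = npid_ap
    return (r, nx, ny, c_sn, t2_hn)


def sn_finish(sn, msg4, now: int, delta_t: int = 5):
    """Message 4: SN recovers q and g, checks C_SN, derives K_S and evolves state."""
    r, nx, ny, c_sn, t2_hn = msg4
    if now - int.from_bytes(t2_hn, "big") > delta_t:
        return None
    j = xor(sn["ID"], xor(sn["Y"], sn["X"]))
    q = xor(r, j)
    g = h(q, j, sn["S2"])
    x_new, y_new = xor(nx, g), xor(ny, g)
    if c_sn != h(q, sn["ID"], j, x_new, y_new, t2_hn):
        return None                                       # HN not authenticated
    ks = h(q, sn["S1"], sn["S2"], sn["HC"])
    sn["X"], sn["Y"] = x_new, y_new
    sn["S1"], sn["S2"], sn["HC"] = sn["S2"], ks, h(sn["HC"])
    return ks


def run_session(hn, sn, ap, now: int):
    """One full authentication; returns (K_S at HN, K_S at SN) or None."""
    msg2 = sn_request(sn, ts(now)) + (ap["PID"],)         # AP appends PID_AP
    out = hn.respond(msg2, ts(now), now)
    if out is None:
        return None
    msg3, ks_hn = out
    msg4 = ap_relay(ap, msg3)
    return None if msg4 is None else (ks_hn, sn_finish(sn, msg4, now))


if __name__ == "__main__":
    hub = HubNode(os.urandom(L))
    node, point = hub.register(field("SN-0001"), field("AP-0001"))
    for t in (1000, 1010):
        k_hn, k_sn = run_session(hub, node, point, now=t)
        print("session key agreed:", k_hn == k_sn, k_sn.hex()[:16])
```

Two consecutive runs show why every public parameter changes between sessions: $X_{SN}$, $Y_{SN}$ and $PID_{AP}$ are replaced after each success, so an observer cannot link the two exchanges, and a stale timestamp or a modified $C_{SN}$ is rejected before any state changes. One operational caveat the code makes visible: HN evolves its record when it sends Message 3, while SN evolves only after verifying Message 4, so a lost Message 4 leaves the two sides holding different $S1_{SN}$, $S2_{SN}$ and $HC_i$, which a deployment has to detect and resynchronize.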


#### *3.4. Identity Modification Phase*

Whenever a PT wants to change his (or her) identity, this phase should be performed. To change identity of PT, SN sends the identity modification request to HN. Then HN provides identity modification parameter only after the successful authentication. The phase is performed as follows:



$T2_{HN}$), which withdraw the new identity-related authentication parameters. After that, SN validates $C'_{SN}$ by comparing it with the $C_{SN}$ in the message and aborts the session if the validation fails. Otherwise, SN replaces $Y_{SN}$ with $Y''_{SN}$ in its memory.

**Figure 3.** Authentication phase.

#### **4. Security and Privacy Results**

This section provides security analysis of the proposed protocol by using BAN logic and ProVerif tool based on the CK threat model [37,42]. Then, we demonstrate that the proposed protocol can achieve higher privacy and security features than the other related protocols.

#### *4.1. BAN Logic Result*

In this subsection, we analyze the security of the proposed protocol using BAN logic. BAN logic is a widely adopted formal method for evaluating authentication protocols. It uses axioms to verify message origin, message freshness and the trustworthiness of the origin of a message [37]. The notations used in the BAN logic analysis are listed as follows:


In addition, we use the following BAN logic rules to prove that the proposed protocol provides a secure mutual authentication between SN, AP and HN:


To show that the proposed protocol provides secure mutual authentication between SN and HN, we need to achieve the following goals:

**Goal 1:** $HN \mid\equiv (HN \overset{K_S}{\leftrightarrow} SN)$

**Goal 2:** $SN \mid\equiv (SN \overset{K_S}{\leftrightarrow} HN)$

**Goal 3:** $HN \mid\equiv SN \mid\equiv (SN \overset{K_S}{\leftrightarrow} HN)$

**Goal 4:** $SN \mid\equiv HN \mid\equiv (HN \overset{K_S}{\leftrightarrow} SN)$

**Idealized form:** The transmitted messages between SN, AP and HN in the proposed protocol are arranged into idealized form as follows:

Message 1. $SN \rightarrow AP$: $\langle X_{SN}\rangle_{KS_{HN}}, \langle Y_{SN}\rangle_{KS_{HN}}, \langle RID_S\rangle_{KS_{HN}}, T1_{SN}$

Message 2. $AP \rightarrow HN$: $\langle X_{SN}\rangle_{KS_{HN}}, \langle Y_{SN}\rangle_{KS_{HN}}, \langle RID_S\rangle_{KS_{HN}}, T1_{SN}, \langle PID_{AP}\rangle_{KS_{HN}}$

Message 3. $HN \rightarrow AP$: $\langle r\rangle_{KS_{HN}}, \langle NX_{SN}\rangle_{KS_{HN}}, \langle NY_{SN}\rangle_{KS_{HN}}, \langle C_{SN}\rangle_{KS_{HN}}, \langle NPID_{AP}\rangle_{KS_{HN}}, \langle Z_{AP}\rangle_{KS_{HN}}, T2_{HN}$

Message 4. $AP \rightarrow SN$: $\langle r\rangle_{KS_{HN}}, \langle NX_{SN}\rangle_{KS_{HN}}, \langle NY_{SN}\rangle_{KS_{HN}}, \langle C_{SN}\rangle_{KS_{HN}}, T2_{HN}$

**Assumptions:** The following are the initial assumptions of the proposed protocol:

A1: $HN \mid\equiv \#(T1_{SN})$

A2: $HN \mid\equiv \#(T2_{SN})$

A3: $SN \mid\equiv \#(T1_{HN})$

A4: $SN \mid\equiv \#(T2_{HN})$

A5: $SN \mid\equiv HN \overset{X_{SN}}{\leftrightarrow} SN$

A6: $HN \mid\equiv HN \overset{X_{SN}}{\leftrightarrow} SN$

A7: $SN \mid\equiv HN \Rightarrow HN \overset{X_{SN}}{\leftrightarrow} SN$

A8: $HN \mid\equiv SN \Rightarrow HN \overset{X_{SN}}{\leftrightarrow} SN$

**Proof.** In the following, we prove the test goals in order to show the secure authentication using BAN logic rules and the assumptions.

Based on Message 1, we could derive:

Step 1. $AP \triangleleft (\langle X_{SN}\rangle_{KS_{HN}}, \langle Y_{SN}\rangle_{KS_{HN}}, \langle RID_S\rangle_{KS_{HN}}, T1_{SN})$

Based on Step 1, AP adds $\langle PID_{AP}\rangle_{KS_{HN}}$ to the message and sends it to HN. Based on Message 2, we could derive:

Step 2. $HN \triangleleft (\langle X_{SN}\rangle_{KS_{HN}}, \langle Y_{SN}\rangle_{KS_{HN}}, \langle RID_S\rangle_{KS_{HN}}, T1_{SN}, \langle PID_{AP}\rangle_{KS_{HN}})$

According to assumption A6 and the message-meaning rule, we get:

Step 3. $HN \mid\equiv AP \mid\sim (\langle X_{SN}\rangle_{KS_{HN}}, \langle Y_{SN}\rangle_{KS_{HN}}, \langle RID_S\rangle_{KS_{HN}}, T1_{SN}, \langle PID_{AP}\rangle_{KS_{HN}})$

According to assumptions A1 and A2 and the freshness concatenation rule, we get:

Step 4. $HN \mid\equiv \#(\langle X_{SN}\rangle_{KS_{HN}}, \langle Y_{SN}\rangle_{KS_{HN}}, \langle RID_S\rangle_{KS_{HN}}, T1_{SN}, \langle PID_{AP}\rangle_{KS_{HN}})$

According to Steps 3 and 4 and the nonce verification rule, we get:

Step 5. $HN \mid\equiv SN \mid\equiv (\langle X_{SN}\rangle_{KS_{HN}}, \langle Y_{SN}\rangle_{KS_{HN}}, \langle RID_S\rangle_{KS_{HN}}, T1_{SN}, \langle PID_{AP}\rangle_{KS_{HN}})$

According to Step 5, assumption A6 and the belief rule, we get:

Step 6. $HN \mid\equiv SN \mid\equiv (HN \overset{K_S}{\leftrightarrow} SN)$

According to assumption A8 and the jurisdiction rule, we get:

Step 7. $HN \mid\equiv (HN \overset{K_S}{\leftrightarrow} SN)$

According to Steps 5, 6 and 7 and the nonce verification rule, we conclude:

Step 8. $HN \mid\equiv SN \mid\equiv (SN \overset{K_S}{\leftrightarrow} HN)$ **(Goal 3)**

According to assumption A8 and the jurisdiction rule, we get:

Step 9. $HN \mid\equiv (HN \overset{K_S}{\leftrightarrow} SN)$ **(Goal 1)**

Based on Message 3, we could derive:

Step 10. $AP \triangleleft (\langle r\rangle_{KS_{HN}}, \langle NX_{SN}\rangle_{KS_{HN}}, \langle NY_{SN}\rangle_{KS_{HN}}, \langle C_{SN}\rangle_{KS_{HN}}, \langle NPID_{AP}\rangle_{KS_{HN}}, \langle Z_{AP}\rangle_{KS_{HN}}, T2_{HN})$

According to the message-meaning rule, we get:

Step 11. $AP \mid\equiv HN \mid\sim (\langle r\rangle_{KS_{HN}}, \langle NX_{SN}\rangle_{KS_{HN}}, \langle NY_{SN}\rangle_{KS_{HN}}, \langle C_{SN}\rangle_{KS_{HN}}, \langle NPID_{AP}\rangle_{KS_{HN}}, \langle Z_{AP}\rangle_{KS_{HN}}, T2_{HN})$

Based on Step 10, AP drops $\langle NPID_{AP}\rangle_{KS_{HN}}$ and $\langle Z_{AP}\rangle_{KS_{HN}}$ from the message and sends it to SN.

Based on Message 4, we derive:

Step 12. $SN \triangleleft (\langle r\rangle_{KS_{HN}}, \langle NX_{SN}\rangle_{KS_{HN}}, \langle NY_{SN}\rangle_{KS_{HN}}, \langle C_{SN}\rangle_{KS_{HN}}, T2_{HN})$

According to assumption A5 and the message-meaning rule, we get:

Step 13. $SN \mid\equiv AP \mid\sim (\langle r\rangle_{KS_{HN}}, \langle NX_{SN}\rangle_{KS_{HN}}, \langle NY_{SN}\rangle_{KS_{HN}}, \langle C_{SN}\rangle_{KS_{HN}}, T2_{HN})$

According to assumptions A3 and A4 and the freshness concatenation rule, we get:

Step 14. $SN \mid\equiv \#(\langle r\rangle_{KS_{HN}}, \langle NX_{SN}\rangle_{KS_{HN}}, \langle NY_{SN}\rangle_{KS_{HN}}, \langle C_{SN}\rangle_{KS_{HN}}, T2_{HN})$

According to Steps 12 and 13 and the nonce verification rule, we get:

Step 15. $SN \mid\equiv HN \mid\equiv (\langle r\rangle_{KS_{HN}}, \langle NX_{SN}\rangle_{KS_{HN}}, \langle NY_{SN}\rangle_{KS_{HN}}, \langle C_{SN}\rangle_{KS_{HN}}, T2_{HN})$

According to Step 14, assumption A5 and the belief rule, we get:

Step 16. $SN \mid\equiv HN \mid\equiv (HN \overset{K_S}{\leftrightarrow} SN)$

According to assumption A7 and the jurisdiction rule, we get:

Step 17. $SN \mid\equiv (HN \overset{K_S}{\leftrightarrow} SN)$

According to Steps 14, 15 and 16 and the nonce verification rule, we get:

Step 18. $SN \mid\equiv HN \mid\equiv (HN \overset{K_S}{\leftrightarrow} SN)$ **(Goal 4)**

According to assumption A7 and the jurisdiction rule, we get:

Step 19. $SN \mid\equiv (SN \overset{K_S}{\leftrightarrow} HN)$ **(Goal 2)**

According to Steps 9 and 19, the proposed authentication protocol achieves all four goals. Both SN and HN can believe that they share the common session key $K_S = K'_S = h(q' \| S1_{SN} \| S2_{SN})$.

#### *4.2. ProVerif Result*

ProVerif is an automated tool for verifying security properties of cryptographic protocols [42]. Here it is used under the CK threat model for security verification. ProVerif can check all possible attacks against mutual authentication and can prove the safety of the security properties required for it. For the ProVerif analysis, we first define two public channels, ch1 and ch2, among SN, AP and HN. We use svalueA and svalueB to validate the session dependency. Four events check mutual authentication between SN and HN: SHbegin(entity), HSbegin(entity), SHend(entity) and HSend(entity). Session key security is proved with two queries, query attacker(svalueA) and query attacker(svalueB), based on the shared session key. For the basic operations, we define Hash(bitstring) and XOR(bitstring, bitstring) for a one-way hash function and an exclusive-or operation, respectively. After defining the process of each entity, we ran a ProVerif demo for the entities SN, AP and HN. The ProVerif code is configured as follows (the input patterns are written with the same arity as the tuples sent on each channel, so that every message is actually matched by the receiving process):

```
(* -- The two public channels -- *)
free ch1: channel.
free ch2: channel.
(* -- The basic types -- *)
type entity.
type nonce.
type key.
(* -- Hash operation -- *)
fun Hash(bitstring): bitstring.
(* -- XOR operation -- *)
fun XOR(bitstring, bitstring): bitstring.
equation forall x: bitstring, y: bitstring; XOR(XOR(x, y), y) = x.
(* -- Concat operation -- *)
fun Con(bitstring, bitstring): bitstring.
(* -- Symmetric encryption, used only to test session key secrecy -- *)
fun Enc(bitstring, key): bitstring.
reduc forall x: bitstring, y: key; Dec(Enc(x, y), y) = x.
(* -- Type conversion -- *)
fun nontobit(nonce): bitstring [data, typeConverter].
fun bittokey(bitstring): key [data, typeConverter].
(* -- The basic variables -- *)
free SN, AP, HN: entity.         (* -- three entities in the proposed protocol -- *)
free T1SN: bitstring.
free T2HN: bitstring.
free S1SN: bitstring.
free S2SN: bitstring.
free HCi: bitstring.
free KSHN: bitstring [private].  (* -- long-term master key of HN -- *)
(* -- Authentication queries -- *)
event SHbegin(entity).
event SHend(entity).
event HSbegin(entity).
event HSend(entity).
query t: entity; inj-event(SHend(t)) ==> inj-event(SHbegin(t)).
query t: entity; inj-event(HSend(t)) ==> inj-event(HSbegin(t)).
(* -- Secrecy queries -- *)
free svalueA, svalueB: bitstring [private].
query attacker(svalueA);
      attacker(svalueB).
(* -- SN -- *)
let processSN(IDSN: bitstring, XSN: bitstring, YSN: bitstring) =
  let (RIDs: bitstring) = Hash(Con(IDSN, Con(XSN, Con(YSN, Con(S2SN, Con(HCi, T1SN)))))) in
  event HSbegin(HN);
  (* -- SN > AP -- *)
  out(ch1, (XSN, YSN, RIDs, T1SN, true));
  (* -- AP > SN -- *)
  in(ch1, (r: bitstring, NXSN: bitstring, NYSN: bitstring, CSN: bitstring, =T2HN, =true));
  let (xj: bitstring) = XOR(IDSN, XOR(YSN, XSN)) in
  let (xq: bitstring) = XOR(r, xj) in
  let (xg: bitstring) = Hash(Con(xq, Con(xj, S2SN))) in
  let (xXSN: bitstring) = XOR(NXSN, xg) in
  let (xYSN: bitstring) = XOR(NYSN, xg) in
  let (xCSN: bitstring) = Hash(Con(xq, Con(IDSN, Con(xj, Con(xXSN, Con(xYSN, T2HN)))))) in
  if xCSN = CSN then
  let (xKs: bitstring) = Hash(Con(xq, Con(S1SN, Con(S2SN, HCi)))) in
  event SHend(SN);
  out(ch1, Enc(svalueA, bittokey(xKs))).
(* -- AP -- *)
let processAP(IDAP: bitstring, PIDAP: bitstring) =
  in(ch1, (XSN: bitstring, YSN: bitstring, RIDs: bitstring, =T1SN, =true));
  (* -- AP > HN -- *)
  out(ch2, (XSN, YSN, RIDs, T1SN, PIDAP, true));
  (* -- HN > AP -- *)
  in(ch2, (r: bitstring, NXSN: bitstring, NYSN: bitstring, CSN: bitstring, =T2HN,
           NPIDAP: bitstring, ZAP: bitstring, =true));
  let (xZAP: bitstring) = Hash(Con(PIDAP, Con(NPIDAP, IDAP))) in
  if xZAP = ZAP then
  (* -- AP > SN -- *)
  out(ch1, (r, NXSN, NYSN, CSN, T2HN, true)).
(* -- HN -- *)
let processHN(IDAP: bitstring, IDSN: bitstring) =
  in(ch2, (XSN: bitstring, YSN: bitstring, RIDs: bitstring, =T1SN, PIDAP: bitstring, =true));
  let (a: bitstring) = XOR(XSN, KSHN) in
  let (xIDAP: bitstring) = XOR(PIDAP, Hash(Con(a, KSHN))) in
  let (xIDSN: bitstring) = XOR(YSN, Hash(Con(KSHN, a))) in
  if xIDSN = IDSN then
  let (xRIDs: bitstring) = Hash(Con(IDSN, Con(XSN, Con(YSN, Con(S2SN, Con(HCi, T1SN)))))) in
  if xRIDs = RIDs then
  event SHbegin(SN);
  new q: nonce;
  new nasn: nonce;
  let (xXSN: bitstring) = XOR(nontobit(nasn), KSHN) in
  let (xYSN: bitstring) = XOR(IDSN, Hash(Con(KSHN, nontobit(nasn)))) in
  let (NPIDAP: bitstring) = XOR(IDAP, Hash(Con(nontobit(nasn), KSHN))) in
  let (j: bitstring) = XOR(IDSN, XOR(YSN, XSN)) in
  let (r: bitstring) = XOR(nontobit(q), j) in
  let (g: bitstring) = Hash(Con(nontobit(q), Con(j, S2SN))) in
  let (ZAP: bitstring) = Hash(Con(PIDAP, Con(NPIDAP, IDAP))) in
  let (NXSN: bitstring) = XOR(xXSN, g) in
  let (NYSN: bitstring) = XOR(xYSN, g) in
  let (CSN: bitstring) = Hash(Con(nontobit(q), Con(IDSN, Con(j, Con(xXSN, Con(xYSN, T2HN)))))) in
  let (Ks: bitstring) = Hash(Con(nontobit(q), Con(S1SN, Con(S2SN, HCi)))) in
  (* -- HN > AP -- *)
  out(ch2, (r, NXSN, NYSN, CSN, T2HN, NPIDAP, ZAP, true));
  event HSend(HN);
  out(ch2, Enc(svalueB, bittokey(Ks))).
(* -- Start process -- *)
process (
  new XSN: bitstring; new YSN: bitstring; new PIDAP: bitstring;
  new IDSN: bitstring; new IDAP: bitstring;
  ( (!processSN(IDSN, XSN, YSN)) | (!processAP(IDAP, PIDAP)) | (!processHN(IDAP, IDSN)) )
)
```

Figure 4 shows the ProVerif result, which confirms the security validation of the proposed protocol. The result reports "Query inj-event(SHend(t)) ==> inj-event(SHbegin(t)) is true." and "Query inj-event(HSend(t)) ==> inj-event(HSbegin(t)) is true.", which show the mutual authentication property and the replay attack resistance of the proposed protocol. The lines "Query not attacker (svalueA[]) is true." and "Query not attacker (svalueB[]) is true." show the anonymity of the network participants and the secrecy of the shared session key. The tool processes the proposed protocol without reporting any problem. As a result, we conclude that the proposed protocol establishes a secure session key between SN and HN and that a CK adversary cannot discover the session key.

**Figure 4.** ProVerif result.

#### *4.3. Informal Privacy and Security Analysis*

As mentioned in [48], past research over the last thirty decades has taught us that a security proof is highly prone to be fallacious, either because an insufficient security model is adopted that fails to capture all the realistic capabilities of the adversary, or because of a flawed or non-tight security reduction, and that the field of provable security is as much an art as a science. Since formal methods are often misused and reductionist security proofs are usually very intricate, turgid and prone to errors, particular care must be taken when conducting a proof for an authentication protocol. To cope with these problems of formal methods, this subsection presents an informal privacy and security analysis of the proposed protocol, focused on the privacy and security goals of Section 2.3. For the CK threat model, we use the definition given in Section 2.2. Table 2 compares the features of the related protocols devised by Khatoon et al. [34], Ostad-Sharif et al. [35], Khan et al. [38], Xu et al. [40] and Alzahrani et al. [41] with those of the proposed protocol.


**Table 2.** Privacy and security feature comparison result.

SP1: mutual authentication, SP2: session key agreement, SP3: message freshness, SP4: perfect forward secrecy, SP5: attack resistance, PP1: anonymity, PP2: unlinkability.

[SP1] Mutual authentication: Authentication is performed mutually between SN and HN in the proposed protocol, based on the messages from SN to HN and vice versa. SN is authenticated by HN based on $\{X_{SN}, Y_{SN}, RID_S, T1_{SN}, PID_{AP}\}$, the message from SN to HN via AP. Only a legitimate SN can be authenticated by HN, because a CK adversary would need to compute $RID_S = h(ID_{SN} \| X_{SN} \| Y_{SN} \| S2_{SN} \| T1_{SN})$, which requires knowledge of both $ID_{SN}$ and $S2_{SN}$, even if the adversary could obtain and reuse the previous session's $X_{SN}$ and $Y_{SN}$. There is no way for the adversary to obtain these values in the proposed protocol. HN is authenticated by SN based on $\{r, NX_{SN}, NY_{SN}, C_{SN}, T2_{HN}\}$, the message from HN to SN via AP. An adversary would need to form a message that SN validates, in particular one that passes the $C_{SN}$ check, which requires knowledge of $q$, $ID_{SN}$, $j$, $X'_{SN}$, $Y'_{SN}$ and $T2_{HN}$. This knowledge depends on $KS_{HN}$, the master key of HN. Hence the proposed protocol provides mutual authentication between SN and HN, and there is no way for the adversary to succeed in the authentication process.

[SP2] Session key agreement: A session key is required to establish a secure channel between SN and HN that provides confidentiality of data. SN and HN agree on the session key $K_S = h(q \| S1_{SN} \| S2_{SN})$ after successful authentication. A CK adversary cannot obtain any information on $K_S$ from the session messages $\{X_{SN}, Y_{SN}, RID_S, T1_{SN}\}$, $\{X_{SN}, Y_{SN}, RID_S, T1_{SN}, PID_{AP}\}$, $\{r, NX_{SN}, NY_{SN}, C_{SN}, T2_{HN}, NPID_{AP}, Z_{AP}\}$ and $\{r, NX_{SN}, NY_{SN}, C_{SN}, T2_{HN}\}$, because no parameter of $K_S$ is exposed in any message parameter. In particular, $q$ is related to $r = q \oplus j$, but the adversary needs $j$ to extract $q$ from $r$, and cannot do so because $j = ID_{SN} \oplus Y_{SN} \oplus X_{SN}$ depends on knowledge of $KS_{HN}$. Thereby, the proposed protocol provides secure session key agreement between SN and HN only.

[SP3] Message freshness: There are two ways to provide message freshness in a cryptographic protocol: a challenge-response mechanism and a timestamp mechanism. The proposed protocol uses a timestamp mechanism to cope with replay attacks, because the network entities can be time-synchronized when SA issues the SN and AP for a PT during the registration phase. To succeed in any attack against message freshness, a CK adversary would need to know and change the timestamp-related values. Among the session messages $\{X_{SN}, Y_{SN}, RID_S, T1_{SN}\}$, $\{X_{SN}, Y_{SN}, RID_S, T1_{SN}, PID_{AP}\}$, $\{r, NX_{SN}, NY_{SN}, C_{SN}, T2_{HN}, NPID_{AP}, Z_{AP}\}$ and $\{r, NX_{SN}, NY_{SN}, C_{SN}, T2_{HN}\}$, there are two integrity values, $RID_S = h(ID_{SN} \| X_{SN} \| Y_{SN} \| S2_{SN} \| T1_{SN})$ and $C_{SN} = h(q \| ID_{SN} \| j \| X'_{SN} \| Y'_{SN} \| T2_{HN})$, that the adversary would need to compute. Even with a proper current timestamp $T1'_{SN}$, the adversary would have to compute the two new values $RID_S = h(ID_{SN} \| X_{SN} \| Y_{SN} \| S2_{SN} \| T1'_{SN})$ and $C_{SN} = h(q \| ID_{SN} \| j \| X'_{SN} \| Y'_{SN} \| T1'_{SN})$. These two computations are impossible, because the adversary needs to know all the other parameters besides $T1'_{SN}$ to compute $RID_S$ and $C_{SN}$. Furthermore, each entity checks the freshness of every received message using $\Delta t$. So, the proposed protocol provides message freshness.

[SP4] Perfect forward secrecy: This is a very strong form of long-term security which guarantees that future disclosure of long-term secret keys does not compromise past session keys [49]. It is widely accepted that perfect forward secrecy can only be provided by asymmetric schemes; nonetheless, a small number of existing symmetric-key protocols provide it [50–52]. The proposed protocol uses dynamic authentication credentials, which keep evolving across sessions, to achieve perfect forward secrecy. Even if an adversary has obtained the long-term key $KS_{HN}$, the adversary still cannot obtain the session key $K_S$, because after each successful session the values $HC_i$, $S1_{SN}$ and $S2_{SN}$ are updated by the one-way hash function. Because of the one-wayness of the hash function, the adversary has no way to recover these values and compute the session key. Therefore, the proposed protocol provides perfect forward secrecy.

[SP5] Attack resistance: An attack is considered successful if a CK adversary finds any mechanism to carry out attacks such as replay, impersonation or man-in-the-middle attacks. First, replay attacks are tightly related to message freshness: any protocol with a challenge-response or timestamp mechanism can cope with them. Messages in the proposed protocol carry timestamps in the form of $T1_{SN}$ and $T2_{HN}$, so the proposed protocol is strong against replay attacks. Impersonation attacks are the second consideration and are related to mutual authentication. As discussed under mutual authentication, the adversary would need to form the first message $\{X_{SN}, Y_{SN}, RID_S, T1_{SN}\}$ to disguise itself as SN, or the third message $\{r, NX_{SN}, NY_{SN}, C_{SN}, T2_{HN}, NPID_{AP}, Z_{AP}\}$ to masquerade as HN. Both depend on knowledge of $KS_{HN}$, so the proposed protocol can cope with impersonation attacks. A man-in-the-middle attack is a form of active eavesdropping in which the adversary makes independent connections with the network entities and relays messages between them, making them believe they are communicating directly with each other while the entire communication is in fact controlled by the adversary. It is closely related to mutual authentication and to the confidentiality of the parameters in the messages. Since mutual authentication has already been covered, we consider only the confidentiality of the messages: the secret key-related information is known only to legitimately registered SNs and HN, and to no one else. In the CK model, the session key generated by the protocol must not be compromised even if ephemeral secrets leak. In the proposed protocol, the ephemeral secrets are $a_{SN}$ and $q$. Even with access to these two, the adversary also needs both $S1_{SN}$ and $S2_{SN}$ to compute the session key $K_S$; since only SN and HN know these values, the proposed protocol withstands this attack. This is why the adversary cannot obtain any useful information even by tapping the communication link among SN, AP and HN, so the proposed protocol provides attack resilience. Finally, the known session-specific temporary information attack, which assumes that the adversary obtains the ephemeral random number $q$ in order to derive the session key $K_S$, must be considered. The attacker has no way to compute the long-term key $KS_{HN$ or the one-time hash chain value $HC_i$, and the messages transmitted on the public channel do not help in computing the session key $K_S$. Therefore, the proposed protocol prevents the known session-specific temporary information attack.

[PP1] Anonymity: Anonymity is defined as "the state of being not identifiable within a system." From a CK adversary's perspective, anonymity means that the adversary cannot identify any entity within the system. To assess anonymity in a security protocol, the identity-related information in the messages exchanged among system entities must be examined. In the proposed protocol, the identity-bearing parameters are *Y<sub>SN</sub>*, *RID<sub>S</sub>*, *NY<sub>SN</sub>* and *C<sub>SN</sub>*, which depend on *ID<sub>SN</sub>*, and *PID<sub>AP</sub>*, *NPID<sub>AP</sub>* and *Z<sub>AP</sub>*, which carry the identity of AP. An adversary has no method to identify any entity from these parameters, because doing so requires knowledge of *K<sub>SHN</sub>*, which is infeasible. As a result, the proposed protocol provides anonymity.

[PP2] Unlinkability: Unlinkability is meaningful once a system with anonymity has been defined and the items a CK adversary is interested in linking have been characterised. Unlinkability of two or more sessions of interest means that, within the system, the adversary cannot distinguish whether they are related. As discussed for anonymity, session linkability depends on the identifiers and on the freshness of the session message parameters. In the proposed protocol every parameter in the session messages depends on the session-dependent values *a<sub>SN</sub>*, *S1<sub>SN</sub>*, *S2<sub>SN</sub>*, *q* and *na<sub>SN</sub>* and on the timestamps *T1<sub>SN</sub>* and *T2<sub>HN</sub>*, so messages from different sessions share no fixed value that could be linked. Hence the proposed protocol provides unlinkability.
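The three mechanisms argued in SP4, SP5 and PP2 above can be exercised in a toy model. The following Python code is an added illustration written for this page, not the authors' code or their exact protocol: it is a two-party hash-and-XOR exchange between SN and HN with a shared credential (*K<sub>SHN</sub>*, *HC<sub>i</sub>*, *S1<sub>SN</sub>*, *S2<sub>SN</sub>*) that is re-hashed after every session. The message formulas, the key derivation and the update rule are assumptions chosen for the illustration, the AP and the third message are omitted, and all keys are constructed at random. It shows that running HN's own recovery steps with a transcript plus the *current* long-term state does not yield a past session key, that a stale first message is rejected, and that no identity-bearing field repeats across sessions.

```python
"""Toy evolving-credential protocol (constructed illustration, not the paper's protocol)."""
import hashlib
import hmac
import os

FRESHNESS_WINDOW = 5  # seconds; assumed acceptance window for T1_SN


def H(*parts: bytes) -> bytes:
    """One-way hash with length framing so that (a, b) and (ab, '') differ."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def initial_state(id_sn: bytes) -> dict:
    """Registration: SN and HN share K_SHN, HC_0, S1_SN and S2_SN (random toy values)."""
    return {"ID_SN": id_sn, "K_SHN": os.urandom(32), "HC": os.urandom(32),
            "S1": os.urandom(32), "S2": os.urandom(32)}


def session_key(a_sn: bytes, q: bytes, st: dict) -> bytes:
    """K_S depends on both ephemerals and on the evolving credential (assumed derivation)."""
    return H(a_sn, q, st["S1"], st["S2"], st["HC"])


def sn_msg1(st: dict, a_sn: bytes, t1: int) -> dict:
    """Message 1: a_SN and ID_SN masked with session-dependent hashes, plus an authenticator."""
    t1b = t1.to_bytes(8, "big")
    x_sn = xor(a_sn, H(st["K_SHN"], st["S2"], t1b))
    y_sn = xor(st["ID_SN"].ljust(32, b"\0"), H(st["S1"], st["HC"], t1b))
    rid_s = H(st["K_SHN"], a_sn, y_sn, t1b)
    return {"X_SN": x_sn, "Y_SN": y_sn, "RID_S": rid_s, "T1": t1}


def hn_msg2(st: dict, m1: dict, q: bytes, now: int):
    """HN: freshness check, unmask a_SN and ID_SN, verify RID_S, reply with masked q
    and a key confirmation. Returns (msg2, K_S) or None when the message is rejected."""
    if abs(now - m1["T1"]) > FRESHNESS_WINDOW:
        return None  # stale or replayed message
    t1b = m1["T1"].to_bytes(8, "big")
    a_sn = xor(m1["X_SN"], H(st["K_SHN"], st["S2"], t1b))
    id_sn = xor(m1["Y_SN"], H(st["S1"], st["HC"], t1b)).rstrip(b"\0")
    expected = H(st["K_SHN"], a_sn, m1["Y_SN"], t1b)
    if id_sn != st["ID_SN"] or not hmac.compare_digest(m1["RID_S"], expected):
        return None
    t2b = now.to_bytes(8, "big")
    ks = session_key(a_sn, q, st)
    return {"NX_SN": xor(q, H(st["K_SHN"], a_sn, t2b)), "C_SN": H(ks, t2b), "T2": now}, ks


def sn_finish(st: dict, a_sn: bytes, m2: dict):
    """SN unmasks q, derives K_S and checks HN's key confirmation."""
    t2b = m2["T2"].to_bytes(8, "big")
    q = xor(m2["NX_SN"], H(st["K_SHN"], a_sn, t2b))
    ks = session_key(a_sn, q, st)
    return ks if hmac.compare_digest(m2["C_SN"], H(ks, t2b)) else None


def evolve(st: dict, ks: bytes) -> None:
    """Both sides overwrite S1, S2 and HC with hash images; the old values are not kept."""
    st["S1"], st["S2"], st["HC"] = H(st["S1"], ks), H(st["S2"], ks), H(st["HC"])


def run_session(sn: dict, hn: dict, now: int):
    """One full exchange; returns the public transcript and the agreed K_S."""
    a_sn, q = os.urandom(32), os.urandom(32)
    m1 = sn_msg1(sn, a_sn, now)
    res = hn_msg2(hn, m1, q, now)
    if res is None:
        return None
    m2, ks_hn = res
    ks_sn = sn_finish(sn, a_sn, m2)
    assert ks_sn == ks_hn
    evolve(sn, ks_sn)
    evolve(hn, ks_hn)
    return {"m1": m1, "m2": m2, "K_S": ks_sn}


def pfs_attempt(leaked: dict, tr: dict) -> bytes:
    """SP4 adversary: holds the current long-term state and an old transcript and
    repeats HN's unmasking. S1/S2/HC have moved on, so a_SN, q and K_S come out wrong."""
    t1b, t2b = tr["m1"]["T1"].to_bytes(8, "big"), tr["m2"]["T2"].to_bytes(8, "big")
    a = xor(tr["m1"]["X_SN"], H(leaked["K_SHN"], leaked["S2"], t1b))
    q = xor(tr["m2"]["NX_SN"], H(leaked["K_SHN"], a, t2b))
    return session_key(a, q, leaked)


def linkable(tr_a: dict, tr_b: dict) -> bool:
    """PP2 check: does any identity-bearing field of message 1 repeat across sessions?"""
    return any(tr_a["m1"][f] == tr_b["m1"][f] for f in ("X_SN", "Y_SN", "RID_S"))


def demo() -> dict:
    sn = initial_state(b"sensor-0042")
    hn = dict(sn)  # HN holds the same registration record
    t1 = run_session(sn, hn, now=1_000)
    t2 = run_session(sn, hn, now=1_100)
    leaked = dict(hn)  # long-term state compromised after session 2 (SP4 setting)
    replay = hn_msg2(hn, t1["m1"], os.urandom(32), now=1_200)  # SP5 replay of message 1
    return {"pfs_broken": pfs_attempt(leaked, t1) == t1["K_S"],
            "replay_accepted": replay is not None,
            "linkable": linkable(t1, t2),
            "keys_differ": t1["K_S"] != t2["K_S"]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `pfs_broken`, `replay_accepted` and `linkable` all `False` and `keys_differ` `True`. Note that the toy model rejects a replayed first message even inside the freshness window, because the unmasking keys have already evolved; the paper's argument relies on the timestamps alone, and a deployment should keep both checks.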

As shown in Table 2, the proposed protocol satisfies all the security and privacy properties set as design goals in Section 2.3. Khatoon et al.'s protocol does not provide SP5: it is vulnerable to the known session-specific temporary information attack, as shown in [53]. The adversary can compute its session key *SK* from the session-specific temporary information *T<sub>i</sub>*, *R<sub>i</sub>*, *T<sub>s</sub>* and *R<sub>s</sub>*, which are inputs to *SK* and are exposed on the public communication channel; as stated above, the attacker can also compute *L<sub>s</sub>*. Ostad-Sharif et al.'s protocol is weak against the denial-of-service attack, the password guessing attack and the stolen verifier attack [54], so it does not provide SP5 either. Khan et al.'s protocol is vulnerable to the user impersonation attack, again a failure of SP5 [55]. Xu et al.'s protocol is not secure against the replay attack, since an attacker can assemble a valid request by merging parameters intercepted from a previous session with those of the current session, nor against the impersonation attack; it also fails PP1, because an offline identity guessing attack is feasible, and PP2 [41]. Alzahrani et al.'s protocol is vulnerable to the known session-specific temporary information attack, does not provide SP4, and also fails PP2.

#### **5. Performance Results**

In this section, we provide a performance analysis focused on computation and communication overheads, comparing the proposed protocol with the related protocols in [34,35,38,40,41]. Instead of spending considerable time, money and effort on data collection, we developed a dataset for testing and further enhancement. The proposed protocol was run for 10 users, 10 times each. The protocols were executed on an Arm Cortex-M4 mainstream microcontroller (MCU) running at 170 MHz with 128 KB of flash memory.

#### *5.1. Computation Result*

The proposed protocol has four phases: the initialization phase, the registration phase, the authentication phase and the identity modification phase. We concentrate on the computational requirements of the authentication phase only, because it is the most frequently executed one. To facilitate the analysis, we denote the cost of a one-way hash function by *T<sub>h</sub>*, of a symmetric key encryption or decryption by *T<sub>sym</sub>*, of an elliptic curve cryptosystem operation by *T<sub>ecc</sub>* and of a bilinear pairing operation by *T<sub>bp</sub>*, respectively. The exclusive-or operation is not counted, as its overhead is far lower than that of any other operation. Table 3 shows the computational overhead comparison among the related protocols.


**Table 3.** Computation cost comparison result.

From the experiment, the measured times for *T<sub>h</sub>*, *T<sub>sym</sub>*, *T<sub>ecc</sub>* and *T<sub>bp</sub>* are approximately 0.08 ms, 0.14 ms, 4.31 ms and 14.48 ms, respectively. The proposed protocol requires 14 hash operations, which is slightly more expensive than the protocols in [38,40,41] but considerably cheaper than the works in [34,35]. However, the protocols in [40,41] do not address the privacy requirements discussed in Table 2, so the additional computational overhead of the proposed protocol is the price of privacy preservation. It is also preferable to place less computational overhead on the patient side than on the server side, as the proposed protocol does; Khan et al.'s protocol is the opposite, putting more of the burden on the patient side. Figure 5 shows the performance comparison among the related protocols.

**Figure 5.** Computation cost comparison.

Figure 5 shows that the proposed protocol requires about 40% more computational overhead than the protocols in [38,40,41], which is the cost of providing unlinkability. However, the proposed protocol remains relatively lightweight compared to the protocols in [34,35].

#### *5.2. Communication Result*

For the communication analysis, we assumed that identities and random numbers are 128 bits each, and that a timestamp, a hash output, a symmetric key ciphertext, an elliptic curve cryptosystem element and a bilinear pairing output are 32 bits, 160 bits, 128 bits, 256 bits and 256 bits, respectively. Table 4 compares the communication cost of the related protocols.


**Table 4.** Communication cost comparison result.

The protocols of Khatoon et al., Ostad-Sharif et al. and Khan et al. require 2 messages totalling 1472 bits, 2528 bits and 1760 bits, respectively, whereas the protocols of Xu et al., Alzahrani et al. and the proposed one need 4 messages of 3136 bits, 3136 bits and 3872 bits, respectively. The first three protocols in Table 4 involve no intermediate entity between the two end parties, which is why their communication requirements are lower than those of the other three. The proposed protocol requires about 700 bits more than the protocols of Xu et al. and Alzahrani et al. because of the session-dependent dynamic identifiers it distributes to the entities in the system. As shown in Figure 6, in contrast with the computational overhead, the proposed protocol has the heaviest communication overhead, owing to the use of AP between SN and HN, which the other protocols do not have.

**Figure 6.** Communication cost comparison.

#### **6. Discussion**

This section discusses challenges and solutions for authentication protocols in WBAN-based healthcare applications, and then outlines future work.

#### *6.1. Challenges and Solutions*

Healthcare systems give individuals and households facing health difficulties a way to meet their needs, but they also have an obligation to protect the privacy of patients [56]. All participants in healthcare, including medical professionals and the medical industry, must always preserve the privacy of health data, and healthcare professionals and medical industries around the globe are urged to defend the healthcare system against security and privacy attacks. A WBAN-based healthcare application shares some common functionality with a typical computer network, since it is a special type of network, but it also exhibits several characteristics unique to it. It must guarantee the security, privacy, integrity and confidentiality of the patient's EHR at all times. Designing efficient cryptographic solutions for WBANs is harder than for wired networks because of the wireless nature of the communication, the resource constraints of SNs, and very large and dense networks. Authentication is the basic security building block of any system: it is the process by which the identity of a node in a network is verified, guaranteeing that data or control messages originate from an authenticated source. We therefore address some challenges and solutions for authentication protocols.

The first challenge is to provide security for healthcare services that use the public network. Authentication protocols run over the public network are vulnerable to attacks such as the replay attack, the impersonation attack and the man-in-the-middle attack. These security issues can be overcome with cryptographic primitives including asymmetric key cryptography, symmetric key cryptography and hash functions. Recently, researchers have been developing lightweight protocols, such as hash-based and symmetric key-based protocols, to make authentication feasible on WBANs. Designing authentication protocols with PUFs could also help to resolve these security issues.

The second challenge is to preserve the privacy of network entities. Patient personal information is among the most sensitive data transmitted over the public network. Privacy issues can be addressed with session-dependent information, such as a one-time pseudonym that is valid for a single session. Recently, researchers have been deploying unidirectional hash chains: each value of the chain is used only once, and an authentication protocol built on such values can provide unlinkability between sessions. In addition, cryptographic researchers should collaborate with healthcare professionals and medical industry workers to identify the requirements of the target field from their different backgrounds and perspectives.
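The unidirectional hash chain mentioned above, as an added Python illustration written for this page (not the authors' code): the client commits to the chain tip H<sup>n</sup>(seed) at registration, each session reveals the next pre-image, and the verifier accepts a value only if one hash of it equals the stored anchor, then moves the anchor. The chain length and the use of SHA-256 are assumptions. The example also makes explicit a caveat a practitioner should check: a chain value sent in the clear lets any eavesdropper link consecutive sessions with a single hash, so the value must feed masked parameters (as in the protocol above) rather than be transmitted bare.

```python
"""One-time hash-chain values for session pseudonyms (constructed illustration)."""
import hashlib
import os


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def build_chain(seed: bytes, n: int) -> list:
    """chain[0] = seed, chain[k] = H(chain[k-1]); the tip chain[n] is registered with the verifier."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


class Client:
    """Reveals chain values in reverse order, one per session."""

    def __init__(self, seed: bytes, n: int):
        self.chain = build_chain(seed, n)
        self.next = n - 1  # index of the next value to reveal

    def tip(self) -> bytes:
        return self.chain[-1]

    def pseudonym(self) -> bytes:
        if self.next < 0:
            raise RuntimeError("hash chain exhausted; re-registration required")
        v = self.chain[self.next]
        self.next -= 1
        return v


class Verifier:
    """Stores only the latest accepted value; a single hash validates the next one."""

    def __init__(self, anchor: bytes):
        self.anchor = anchor

    def accept(self, v: bytes) -> bool:
        # A replayed or out-of-order value fails because H(v) no longer matches the anchor.
        if H(v) == self.anchor:
            self.anchor = v
            return True
        return False


def linkable_in_clear(a: bytes, b: bytes) -> bool:
    """Caveat: two bare chain values from consecutive sessions are publicly linkable."""
    return H(a) == b or H(b) == a


def demo(n: int = 4) -> dict:
    client = Client(os.urandom(32), n)
    server = Verifier(client.tip())
    revealed, accepted = [], []
    for _ in range(n):
        v = client.pseudonym()
        revealed.append(v)
        accepted.append(server.accept(v))
    return {"accepted": accepted,
            "replay_ok": server.accept(revealed[0]),  # old value, must be rejected
            "distinct": len(set(revealed)) == len(revealed),
            "eavesdropper_links": linkable_in_clear(revealed[0], revealed[1])}


if __name__ == "__main__":
    print(demo())
```

`demo()` accepts all four fresh values, rejects the replay and reports the values as pairwise distinct, yet `eavesdropper_links` is `True`: distinctness alone is not unlinkability, which is why the protocol analysed in Section 4 uses the chain value as a hidden input rather than as a transmitted field.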

#### *6.2. Future Work*

In short, the proposed authentication protocol generalises mutual authentication and session key agreement for WBANs in healthcare applications. It takes full advantage of the lightweight one-way hash function and exclusive-or operation to provide better security and privacy for authentication and session key establishment. In our future work, we aim to implement the proposed protocol in a real hospital environment with a large EHR database. We will focus on experiments that optimise the computational and communication overhead on the patient side, to make the protocol more feasible for WBANs while improving security and privacy. In addition, we will deploy a real-time adaptive artificial intelligence model for categorising and analysing EHR data to provide richer patient healthcare services. Artificial intelligence can bring numerous benefits to the evolving healthcare industry: AI software can detect certain indicators before the obvious symptoms of diseases such as lung cancer appear [57], and a trained model can reduce the likelihood of a doctor's misdiagnosis, thereby reducing patient anxiety [58]. Moreover, we hope this work will motivate researchers to pay more attention to security and privacy and to explore combinations with other technologies, such as multimedia, robots and smart cities, to provide more convenient healthcare services to patients.

#### **7. Conclusions**

In this paper, we proposed a privacy-preserving authentication protocol for WBANs in healthcare applications. First, we set our design goals as 5 security properties and 2 privacy requirements: mutual authentication, session key agreement, message freshness, perfect forward secrecy, attack resistance, anonymity and unlinkability. To satisfy them, we designed a new authentication protocol based on only two simple and lightweight operations, hash and exclusive-or. In particular, to meet the 2 privacy requirements, the proposed protocol uses session-dependent pseudo identifiers for SN and AP. The formal and informal analyses demonstrate the resistance of the proposed protocol against the privacy and security attacks considered; its privacy and security features are formally verified and validated with BAN logic and the ProVerif simulation tool. The performance analysis showed that the proposed protocol has a reasonable overhead compared to the related protocols while remaining lightweight. We note that privacy preservation is an important feature of healthcare services because healthcare information is sensitive: nobody wants to expose their EHR-related information to others.

**Author Contributions:** Conceptualization, H.K.; methodology, H.K.; software, H.R.; validation, H.K. and H.R.; formal analysis, H.K.; writing—review and editing, H.R.; supervision, H.K.; project administration, H.K.; funding acquisition, H.K. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research was funded by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (NRF-2017R1D1A1B04032598).

**Institutional Review Board Statement:** Not applicable.

**Informed Consent Statement:** Not applicable.

**Data Availability Statement:** Data can be downloaded from https://github.com/hs-kim-andre/healthcare.git, accessed on 26 August 2021.

**Conflicts of Interest:** The authors declare that there are no conflicts of interest regarding the publication of this paper.
