Context-aware pseudonymization and authorization model for IoT-based smart hospitals

A smart hospital is a healthcare infrastructure built on IoT technology. This intelligent space allows several health actors to collaborate via their IoT devices, and this coordination improves the quality and continuity of health services for better patient care. However, uncontrolled access to patient information can disrupt the smooth running of hospital services. In this paper, we aim to secure the patient information that is exchanged and shared, using context-based privacy and access control. We develop two protocols. The first is a context-aware pseudonym service that protects the patient's personal and health information in two smart spaces, the hospital and the home; it also prevents the disclosure of the patient's location during his hospital stay. The second is an authorization and delegation protocol based on trust, context and role. It oversees the actions and interactions of the health body with the patient's smart bracelet object. The protocol uses the context to generate a set of roles with their trust values; only one role is activated, and only if its trust value is greater than or equal to a trust threshold. A dynamic delegation mechanism is created to better manage the interactions between health bodies. We demonstrate the efficiency and robustness of the proposed protocols through a practical analysis as well as measurements of generation time overhead, storage overhead and response time.


Introduction
A traditional hospital is an infrastructure connected locally via the hospital's intranet. Patient data are stored as a set of records in a database that is accessible from the hospital's local network. The authorized doctor is the only healthcare provider who can access the patient's confidential documents. Access to the various data of the patient depends on the type of information stored locally in the hospital, the level of privacy assigned to each type of information, the role, the status of health care and the nature of the therapeutic relationship. However, doctors, nurses and other hospital staff (administrators, agents, directors, etc.) can access the medical record without the patient's authorization for various purposes, including altering the patient's personal and health information, stealing the patient's private information, or discarding the patient's medical record.
The increasing number of wireless medical devices creates the vision of the connected hospital. Connecting these devices may improve the quality of patient care, the management of information (treatment, manipulation and updates), the availability of the electronic health record (EHR) and the information it contains. In the connected hospital, patient data flow locally via an intranet, or between healthcare establishments via the Internet. Doctors, nurses, visitors, other patients and hospital staff can access the various databases of the establishment to change, check, delete or hide the patient's EHR without his permission. Therefore, the patient's private data must be carefully protected.
In today's hospitals, the integration of intelligent IoT systems aims to improve the quality of the patient's medical life and to decrease his suffering. The smart hospital (SH) adds intelligence to the traditional hospital system. It covers all resources and locations with the patient information (Magdy 2013). This intelligence is expressed through the effective use of technology such as RFID (radio frequency identification): medical equipment must incorporate RFID tags placed by the manufacturer, containing a standard unique identifier. Doctors, nurses, caregivers and hospital staff wear an authentication means that stores their employee ID number (Fuhrer and Guinard 2006). On the arrival of a new patient, a new EHR with integrated automatic storage and an RFID tag is created, and a room for a medical stay is reserved if necessary. The patient receives a bracelet that stores his personal information (e.g., digital photo, unique patient code, etc.) and links it with his medical record.
With the advance of new communication technologies and the use of wearable embedded technologies in mobile networks, remote monitoring of health status has become possible, in order to provide medical support outside the hospital and specifically at home. In particular, smart homes are designed for dependent and aged people who prefer to live with more safety, more autonomy and in a high-quality health condition (Aloulou et al. 2013). Remote monitoring of the patient's health state makes his EHR available at any time and in any location. It also makes it possible to collect more details about the patient's private life.
Mobile networks and ubiquitous devices have favored the emergence of detection technologies. They monitor health conditions automatically and preventively. Moreover, they detect any undesirable situation affecting the private health data of patients. The EHR is a central element of the smart hospital. Inside or outside threats can reach the various mobile health devices that electronically process the patient's private data, and may target his privacy. Furthermore, current developments in sensor networks, actuators, RFID technology and mobile computing show the limitations of devices in terms of resources such as energy, storage capacity, computation and bandwidth.
The SH environment is composed of heterogeneous devices that constantly exchange different information. In the context of this work, the security application within a smart hospital is in the personal and home category: at the scale of personal, home and healthcare (Ouaddah et al. 2017). EHRs enable patients to access, manage and share some of their own health information. The health bodies are able to diagnose the status of patients. They read their EHRs in the SH system, which must ensure reliable communication when sensitive information is exchanged between the trusted devices, including the CHDO and the wearable device SBO. The main problems with smart care environments are related to information flow, patient data storage and the other entities of the healthcare system. These problems are classified as unauthorized access and privacy of health information. A privacy breach is the divulgation of the personal information of the patient (PIP), such as last name, first name, birth date, phone number, address, social security number (SSN), etc.; a violation of the health information of the patient (HIP), such as reports of additional examinations (biology, radiology, imaging, medical notes, results of consultation, etc.); or the disclosure of patient medical secrets, such as details of his illness. The smart hospital requires the highest level of data confidentiality, and this applies especially to wireless medical devices. Access control plays an important role in the SH environment because of the various kinds of users (Wang and Jiang 2015), which creates the need to specify (1) which users may access the different EHRs, (2) which parts of a record, and (3) which kinds of operations may be performed. These requirements are important in order to filter out illegitimate access to health data, which could have a negative impact on the patient's life. They also allow a more user-centric access control model to be designed, giving patients full control over their wearable devices at a specific granularity.
In this study, in order to protect the privacy and integrity of the patient's EHR, we propose two protocols. The first is a context-aware pseudonym service. It protects the patient's personal and health information in an intelligent space equipped with miniaturized and non-miniaturized embedded technology. In addition, it prevents the disclosure of the patient's location during his hospital stay. The second is an authorization protocol. It controls the use and sharing of health information. Moreover, this protocol monitors the actions and interactions of the doctor with the patient and his connected objects, including the access rights to examine and obtain a copy of the EHR under resource constraints. The authorization protocol uses the context to generate a set of roles and to assign their trust values. One role is activated at a time, and only if its trust value is greater than or equal to the threshold value. A dynamic delegation mechanism is created to better manage the interactions between health bodies.
The rest of this paper is organized as follows. In Sect. 2, we review some relevant privacy and access control solutions in the healthcare environment. In Sect. 3, we present our system model. In Sect. 4, we describe the proposed security scheme. The analysis of our approach is detailed in Sect. 5. Sect. 6 concludes the paper.

Privacy in the healthcare
Connecting devices in a wireless body area network (WBAN) has great advantages in healthcare. However, it raises confidentiality problems, which is why there has been a research effort on privacy issues in IoT healthcare applications in recent years. In Li et al. (2012), the authors proposed encrypting each EHR with a one-to-many encryption method, such as attribute-based encryption (ABE), before outsourcing it. Symmetric encryption such as AES, together with hash functions such as MD5 and efficient key management, has been used to protect each EHR file (note that MD5 is a hash function, not an encryption algorithm, and is no longer considered collision-resistant). A health system can be divided into two security domains, namely public domains (PUDs) and personal domains (PSDs), according to the different data access requirements of users. PUDs consist of users who need access based on their professional roles, such as doctors, nurses and medical researchers. For each PSD, its users are personally associated with a data owner, and they access EHRs based on access rights assigned by the owner (AL-mawee 2012). In Ukil et al. (2014), the authors presented a privacy measurement scheme that detects and analyzes the sensitive content of time-series sensor data. It measures the amount of privacy in order to decide whether to release private data or not. Tajer et al. (2011) proposed a framework that guarantees the detection of cyber attacks and recovery from them. Different controlling agents, distributed across the network, constitute the attack detection subsystem; system recovery involves iterative local processing and message passing. In Li et al. (2011), the authors proposed rolling-code cryptographic protocols and body-coupled communication; these protocols aim to mitigate eavesdropping on the health data of disabled people.

The study of Haas et al. (2011) is a privacy-management system. It offers informational self-determination to patients, including usage control with the implicit possibility of tracing data flows after sensitive data has been legitimately disclosed. The proposal mainly consists of two parts: (a) a trustworthy central EHR system and (b) a modified digital watermarking scheme, which together control data flows after disclosure. This approach offers user-controlled disclosure of health data to third parties and does not force patients to trust the EHR system provider. Additionally, it offers the ability to override policies in case of an emergency; in this case the patient (or, e.g., the patient's general practitioner) is notified and legal action might be taken. It introduces an attested third party (ATP). In contrast to a trusted third party (TTP), users of an ATP do not have to trust its provider, because the system can prove its behavior to a verifier. An ATP offers the advantages of secure processing, and it also stores the sensitive data without altering the trust model. The EHR system is divided into two subsystems: the patient service and the data service. The data service controls the disclosure and storage of EHRs. The patient service offers administrative communication; it is the interface between patients and the system, where they can express privacy policies on the usage of their data and check their enforcement. In Atzori et al. (2010), the authors presented a conceptual design and a prototype implementation of a system based on IoT gateways, which aggregate health sensor data and resolve privacy issues through digital certificates and PKI-based encryption.

Yang et al. (2017) proposed a reliable, searchable and privacy-preserving e-healthcare system that takes advantage of emerging cloud storage and its infrastructure. It enables healthcare service providers (HSPs) to realize remote patient monitoring in a secure and regulatory-compliant manner. The system is built on a novel dynamic searchable symmetric encryption scheme and supports verifiable delegation over periodically generated health data. Forward privacy is achieved by maintaining an increasing counter for each keyword at an IoT gateway, while data-owner-delegated verifiability comes from the combination of a Bloom filter and an aggregate message authentication code. Wang et al. (2015, 2017, 2018) constructed a secure proxy re-encryption (PRE) scheme based on Cramer-Shoup encryption, designed a secure e-health cloud system framework based on IBE, and proposed a scalable and controllable cloud data sharing framework for cloud users based on a dual proxy re-encryption scheme. In Hall et al. (2013), the authors protect records using differential privacy techniques, which rely on adding noise to patient records. Martínez et al. (2013) proposed a general framework that enables the anonymization of structured non-numerical medical data from a semantic perspective. The framework formalizes three operators (comparison, aggregation and sorting) and exploits medical knowledge structures to enable a semantically coherent management of medical terms. The framework is then used to adapt three well-known statistical disclosure control (SDC) methods, which mask sensitive attributes while preserving their semantics up to a certain degree, so that structured non-numerical data can be k-anonymized.

Background and literature related to access control
A complete access control infrastructure covers three functions (Suhendra 2011): authentication, authorization and accountability. We focus on the authorization function and leave authentication and accountability out of the scope of this work. Authorization comprises the following phases (Ouaddah et al. 2017): define a security policy (a set of rules), select an access control model that encapsulates the defined policy, and implement the model. In Benferhat et al. (2016), the authors proposed a security policy analysis that involves actions with different levels of granularity, and then showed how to integrate complex actions into access control models. They consider a complex action as a partial pre-order of pairs (a_i, o_j), where a_i is an elementary action and o_j is a concrete object. Wang and Jiang (2015) developed a task-based access control model (T-RBAC) for a healthcare environment. T-RBAC introduces the concept of task by dividing tasks into four categories: inherited tasks, non-inherited tasks, passive tasks and active tasks. In RBAC, roles are assigned statically by the system administrator, and access is controlled based on the roles that users hold in the system (Jayant et al. 2014). In Aftab et al. (2015), the authors introduced a new model merging ABAC and RBAC in order to combine the benefits of both models and cover their deficiencies. Hong-Yue et al. (2012) investigated the impact and functions of context factors in access control policy decisions, and proposed a context-aware fine-grained access control model. In Sujansky et al. (2010), the authors described the design and implementation of an access control mechanism for PHR repositories, modeled on the eXtensible Access Control Markup Language (XACML) standard. Zerkouk et al. (2013) presented a novel adaptable access control model and its related architecture; the security policy is based on the handicap situation inferred from monitoring the user's behavior, in order to grant a service using any assistive device within an intelligent environment. In Bernabe et al. (2016), the authors proposed a flexible trust-aware access control system for IoT (TACIoT), which provides an end-to-end and reliable security mechanism for IoT devices, based on a lightweight authorization mechanism and a novel trust model devised specifically for IoT environments. Rivera et al. (2015) applied a schema that unifies access control between intelligent agents, IoT devices and hybrid elements; this schema applies access control policies seamlessly, independently of the nature of the entities that interact in an IoT environment.
In an intelligent healthcare system, a dynamic access control model must meet the following criteria:
- Integrity and confidentiality: an unauthorized user can neither read nor write the controlled information (Smari et al. 2009, 2014). Any attempt to falsify or disclose patient data can cause fatal damage, such as an incorrect diagnosis or even death. Restricted access to home devices is also necessary in the case of remote consultation.
- Granularity: the level of detail and expressiveness of the grammar used to specify, formulate and apply the security policy, so that the decision to grant or refuse the access of a health body to the SBO is properly evaluated.
- Revocation: the ability to revoke access permission to the patient's resources, including his sensors and SBO, so that a health organization no longer has access to the allocated resources once its generated role is revoked.
- Delegation: widely recognized as an important mechanism, it provides elasticity and flexibility in the assignment of tasks to authorized users or roles, especially under resource constraints or urgent deadlines (Priya et al. 2014), so that a user can grant all or some of his access rights to another subject (Ouaddah et al. 2017). Delegation typically involves two users, a delegator and a delegate, and may concern an elementary authorization, a role, or even a role hierarchy. It may be permanent or temporary, and either grant-based (the delegator retains the delegated authority) or transfer-based (the delegator loses the delegated authority for the duration of the delegation, depending on the context) (Priya et al. 2014).
- Reliable availability: EHRs are not available to unauthorized health bodies, but in the event of the absence or delay of a health actor, a level of availability is essential for the delegate to ensure urgent interventions and guarantee the continuity of healthcare services.
- Flexibility: access control must be adaptable to different contexts. It should support long-lived and planned models as well as spontaneous and short-lived causal interactions (Ouaddah et al. 2017). Indeed, collaboration between the health bodies in a smart hospital is established implicitly and is not scripted; the role of service provider (health actor) or service consumer (patient) is generated dynamically according to the context, since it can be played alternately by the same entity.
- Usability: SH and home health services are managed by non-expert users (health body, hospital staff, patient), so access control should be easy to manage, express and modify. It is important that the access control system involves users, with their different competencies, in the authorization policy, and facilitates their spontaneous and autonomous interaction with the security system.
- User orientation: users are the masters of their own data, with full and granular access. In the SH, patients are the pivotal element, because their EHRs are the fuel of any healthcare application; the authorization model for this type of application is strongly required to be user-driven and to preserve privacy (Ouaddah et al. 2017).
- Decentralization: the smart hospital contains a set of entities, and sharing and access to information between them must be done directly, without the intervention of a trusted third party.
- Scalability: the capacity of the access control model to adapt to the evolution of users, given the potentially unlimited number of resources (sensors, miniaturized and non-miniaturized devices) and subjects (health bodies). The authorization mechanism should scale in size, structure, and number of users and resources (Ouaddah et al. 2017).
- Heterogeneity: the SH is a collaborative environment that combines multiple technologies and devices. A standard layer should be designed to achieve overall agreement and ensure effective dialogue between all the entities that make up the system.
- Lightweight processing: the resource constraints of wearable devices always pose access control problems. Our authorization model supports lightweight solutions such as those based on elliptic curves.
- Context: the smart hospital environment is rich in contextual information (vital-sign sensors, wearable devices, environmental sensors, CHDO, SBO, etc.), which provides dynamic, context-aware health services based on the patient (personal and health information, tasks, access schedule, organization, device context, etc.) and his environment.
- Trust: the degree to which a subject will act as expected in a given context (Smari et al. 2009, 2014). The concept of trust has already been used in access control (Liu 2008). A subject is associated with a quantified trust level, which is one of its attributes during its interventions on the object.
Table 1 presents a comparison of the related work. We classify the properties into two main classes: the security services and the access control properties. Most of the works in the literature propose context-based access control policies, such as Wang and Jiang (2015), Benferhat et al. (2016), Aftab et al. (2015), Smari et al. (2014), Priya et al. (2014), Hong-Yue et al. (2012), Sujansky et al. (2010), Zerkouk et al. (2013), Bernabe et al. (2016) and Rivera et al. (2015). However, no work in the literature provides the revocation property, and few works guarantee decentralization, lightweight processing, delegation, usability and scalability. Smari et al. (2014) is the only work that ensures almost all of the security and access control properties. Overall, the access control protocols in the literature do not provide all the security and access control services that are highly required in smart hospital environments.

Scenario
An intelligent healthcare system (IHCS) is based on the use of a ubiquitous and intelligent infrastructure. A patient constitutes a wireless body area network (WBAN), in which sensor nodes placed on the skin or implanted inside the patient's body measure a set of physiological phenomena in order to monitor his health continuously. They collect all kinds of medical information, as represented in Eq. 1, where BNP_i denotes the body network of patient i, S_k is sensor k, ph_k represents the phenomenon measured by sensor k, and α_k represents the value or the interval of normal values measured by sensor k. The system administrator is responsible for defining the phenomena measured by each sensor as well as their normal values. For example, Salah is a patient monitored by three sensors, a blood oxygen sensor, a blood glucose sensor and a body temperature sensor; his body network BNP_Salah is represented accordingly. The admission procedure for a new patient begins with the creation of his EHR, which is stored in the hospital's central server database (SDB). The EHR monitors and records the health status of the patient. Each patient receives a smart bracelet object (SBO), which plays the role of a local collection point and of guidance in urgent situations. The patient's personal information and his EHR are stored in the SDB, while the updates from the different sensors are stored locally in a smart bracelet object database (SBODB) before being transferred to the central database and to the authorized health body. Each member of the health body receives an authentication means that stores his static and dynamic contexts, used at the entrance and exit of the smart hospital. The doctor must also have an overall collection point in the form of a control health device object (CHDO), which can interact with the SBO via the Internet connection and the IoT network. The doctor also uses a local database to collect, manage and store the status of his patients. The authorized health body can access the patient's medical and personal information, and authenticates according to the patient's context (health state, place and time of consultation). Furthermore, the sensors placed on the patient's body and the set of monitoring and control equipment placed inside the intelligent home to preserve the patient's privacy are connected via the Internet to the hospital system on one side and to the patient, via his SBO, on the other. The patient can communicate with his doctor so that the doctor can give him the necessary prescriptions. If a hospital stay is necessary, he resides in a room equipped with health facilities, and the consultation is according to his health state. Our system model is illustrated in Fig. 1.

Assumptions
Our smart hospital system assumes that the SBO is responsible for managing communication security in the WBAN. The SBO sends information to the doctor in an urgent case via the IoT network. The health bodies may periodically follow the patient's health status; their access rights to the patient are recorded at the SBO and possibly in the SDB. The patient can monitor his health state at the hospital (consultation visit, hospital stay) or in the smart home (remote consultation); his EHR is registered in a hospital database with access rights.
Proposed security scheme

Preliminaries
Context is any information that can be used to characterize the situation of an entity (person, place, object) (Dey 2001), or any information used to characterize the current status of any object or entity (Priya et al. 2014). Context may be spatial (any information characterizing the situation in the spatial dimension, e.g. location, place, position); temporal (the time dimension, e.g. timestamp, period of day, month, year, day, season); spatio-temporal (information that depends on both dimensions, i.e. each piece of information is associated with a particular location at a particular time, e.g. weather conditions, temperature, noise, luminosity); social (social relationships, e.g. nearby persons and nearby friends); or computational (the computational characteristics of the situation, e.g. the capacities of the user's device) (Filho and Martin 2009). In this paper, we define the context according to the patient and his health environment, including:
- the set of formalized information collected during the consultation visit or the remote consultation, such as prescriptions, medical procedures, symptoms and results of analyses;
- the patient's antecedents;
- the set of formalized information established at the end of the hospital stay;
- the set of information collected from third parties not involved in the therapeutic care.
(c) Temporal context: refers to the period of consultation (consultation visit, remote consultation, and hospital stay) at which the task is performed. It also represents the receipt date of new information related to the physiological context.

Notations
Table 2 summarizes the notations used in the proposed privacy protocol.

Protocol steps
In our proposed privacy protocol, a patient must be registered by the administrative staff in order to obtain his identifier, which is necessary for the creation of his pseudonym. The pseudonym has an expiry lifetime T_i, defined by the SBO at the time of its generation. Our protocol, illustrated in Fig. 2, consists of the following steps.
Step 1: Admission and registration. The patient presents physically at the hospital. He gives his personal information, as well as his EHR in the case of a transfer or if he has antecedents. A smart bracelet is allocated to each patient i. It has a PID_i and a location tag L_i, which directs him to a service. After consultation, the doctor saves the patient's EHR.
Step 2: Pseudonym generation. Each sensor k (S_k) periodically sends to the SBO, via a secure channel, its identifier (IDS_(k,i)), the phenomenon (ISS_(k,i)) and the sending date (CKISS_(k,i)); together these form the message M_(k,i). The smart bracelet then records it. This allows the SBO to play the role of a detector of abnormal situations related to the patient, and to display an advice guide according to the patient's health status. (Table 2 also lists CkISS_i, the sending date of the latest data, and the number of sensors placed on the body of patient i.) In emergency cases, a context-aware pseudonym C_i is generated and sent to the appropriate doctor j. The latter sends his certified public key KPD_j to the SBO, using elliptic curve cryptography (Koblitz 1987; Miller 1986). The message flow of Fig. 2 is: the SBO calls Algorithm 1 (pseudonym generation), asks the doctor for his certified public key KPD_j, receives KPD_j, and sends ((RN, TS)_KSSBO_i)_KPD_j.

In our privacy protocol, we use ECC over the curve defined by the cubic equation

$$y^2 = x^3 + ax + b \pmod p \qquad (4)$$

where a, b ∈ F_p, p > 3, and 4a³ + 27b² ≠ 0. In our protocol, we take a = −4 and b = 2 to get the elliptic curve $y^2 = x^3 - 4x + 2$.

To generate the encryption and decryption keys, we apply the addition principle of the elliptic curve. Given two points P_1 and P_2 with coordinates (x_1, y_1) and (x_2, y_2) respectively, the point P_3 with coordinates (x_3, y_3) represents the result of the addition P_1 + P_2, with x_3 and y_3 given by the chord-and-tangent formulas (Eq. 5). The generation of a public/private key pair using elliptic curve cryptography proceeds as follows:
1. The patient and the doctor agree on the curve defined above, with a base point Q.
2. Doctor j chooses an integer, which is his private key KSD_j.
3. Doctor j computes his public key KPD_j = KSD_j · Q.
4. Likewise, patient i chooses an integer, which is his private key KSSBO_i.
5. Patient i computes his public key KPSBO_i = KSSBO_i · Q.
Algorithm 1 shows the pseudonym generation method and the intelligent behavior of the SBO. The lifetime T_i of the pseudonym is defined at its generation; it varies according to the type of consultation or the duration between two consecutive medical tasks, or it is a basic time defined by the system administrator. Algorithm 2 illustrates the dynamic choice of the pseudonym generation time.
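The curve arithmetic and the five key-generation steps above, as an added worked example (this is not the paper's code): toy elliptic-curve arithmetic over F_p on the paper's curve y² = x³ − 4x + 2, using the standard affine chord-and-tangent addition and doubling formulas, double-and-add scalar multiplication, the doctor's and patient's key pairs KPD_j = KSD_j · Q and KPSBO_i = KSSBO_i · Q, and the shared point both sides can derive from them. The prime p = 97 and the base point Q = (0, 14) are assumptions chosen so the arithmetic can be checked by hand; the paper does not state p or Q. A real deployment must use a standardized curve with a large prime-order subgroup, draw private scalars uniformly below the order of Q, and reject any peer public key that is not on the curve, as `ecdh_shared` does, to avoid invalid-curve attacks.

```python
# Added example: toy ECC over F_p on the paper's curve y^2 = x^3 - 4x + 2.
# p and Q are assumptions for illustration only; this is NOT a secure parameter set.

P_MOD = 97                 # assumed small prime field, p > 3
A = (-4) % P_MOD           # paper's a = -4
B = 2                      # paper's b = 2
Q = (0, 14)                # assumed base point: 14^2 = 196 = 2 (mod 97) = 0^3 - 4*0 + 2

assert (4 * A**3 + 27 * B**2) % P_MOD != 0   # non-singularity condition stated in the paper


def is_on_curve(pt):
    """True for the point at infinity (None) or an affine point satisfying the curve equation."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P_MOD == 0


def inv_mod(n):
    """Modular inverse by Fermat's little theorem (p is prime)."""
    return pow(n % P_MOD, P_MOD - 2, P_MOD)


def ec_neg(pt):
    if pt is None:
        return None
    x, y = pt
    return (x, (-y) % P_MOD)


def ec_add(p1, p2):
    """Chord-and-tangent addition P1 + P2; None stands for the point at infinity O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                          # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1) % P_MOD    # tangent slope (doubling)
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1) % P_MOD           # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by double-and-add (k >= 0)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def curve_order():
    """#E(F_p) by brute force (only feasible because p is tiny): O plus all affine solutions."""
    count = 1
    for x in range(P_MOD):
        rhs = (x**3 + A * x + B) % P_MOD
        count += sum(1 for y in range(P_MOD) if (y * y) % P_MOD == rhs)
    return count


def keygen(secret):
    """Steps 2-5 of the paper: private scalar -> public point = secret * Q."""
    if secret <= 0:
        raise ValueError("private key must be a positive integer")
    return secret, scalar_mult(secret, Q)


def ecdh_shared(own_private, peer_public):
    """own_private * peer_public; doctor and SBO obtain the same point from each other's keys."""
    if not is_on_curve(peer_public):
        raise ValueError("peer public key is not on the curve")   # invalid-curve check
    return scalar_mult(own_private, peer_public)


if __name__ == "__main__":
    ksd_j, kpd_j = keygen(23)        # doctor j:  KSD_j, KPD_j = KSD_j * Q
    kssbo_i, kpsbo_i = keygen(41)    # patient i: KSSBO_i, KPSBO_i = KSSBO_i * Q
    print("#E(F_97) =", curve_order())
    print("KPD_j    =", kpd_j)
    print("KPSBO_i  =", kpsbo_i)
    print("shared   =", ecdh_shared(ksd_j, kpsbo_i), ecdh_shared(kssbo_i, kpd_j))
```

Because x³ − 4x + 2 equals 2 at x ∈ {0, 2, 95} and 14² ≡ 2 (mod 97), the first multiples of Q are 2Q = (2, 14), 3Q = (95, 83) and 4Q = (4, 27); `curve_order()` returns a group size inside the Hasse interval [79, 117], which is exactly why such a field is only good for illustration.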
Step 3: Send pseudonym. While describing the context C_i, the SBO generates a random number RN and a public/private ECC key pair (KPSBO_i / KSSBO_i). The SBO then signs RN and the sending timestamp TS with its private key, giving (RN, TS)_KSSBO_i, and encrypts the resulting signature with the doctor's public key, giving ((RN, TS)_KSSBO_i)_KPD_j. The SBO sends the encrypted result to the CHDO.
Step 4: Update pseudonym. Each pseudonym has a lifetime. The smart bracelet must obtain a new pseudonym at each change of the patient's context, or after a basic time defined by the system administrator. When the context changes, the superseded pseudonym is placed in a revocation list; otherwise, it is saved in an expiration list after the exhaustion of the allocated time T_i.
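The SBO side of the protocol, from the body network of Eq. 1 through Steps 2 and 4, as an added worked example (not the paper's Algorithm 1 or 2): sensor messages M_(k,i) are recorded in the local SBODB and compared against the normal intervals α_k, an abnormal reading triggers a context-aware pseudonym with a lifetime T_i, and the refresh rule moves a superseded pseudonym to the revocation list on a context change or to the expiration list once T_i is exhausted. The normal intervals for Salah's three sensors, the lifetimes per consultation type and the keyed-HMAC construction of C_i are assumptions for illustration; the keyed construction is chosen because a plain hash of a small identifier space (PID_i) could be inverted by guessing.

```python
# Added example (not the paper's code): SBO behaviour for Steps 2 and 4.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Eq. 1 body network BNP_i as {S_k: (ph_k, alpha_k)}, alpha_k an inclusive normal interval.
# The three sensors follow the "Salah" scenario; the intervals are assumed, not from the paper.
BNP_SALAH = {
    "S1": ("blood_oxygen_pct", (94.0, 100.0)),
    "S2": ("blood_glucose_mg_dl", (70.0, 140.0)),
    "S3": ("body_temperature_c", (36.1, 37.5)),
}

# Assumed lifetimes T_i (seconds) by consultation type, standing in for Algorithm 2's schedule.
LIFETIME_BY_CONSULTATION = {"visit": 30 * 60, "remote": 60 * 60, "stay": 8 * 60 * 60}
BASIC_LIFETIME = 15 * 60          # administrator-defined basic time (assumed value)


@dataclass(frozen=True)
class SensorMessage:              # M_(k,i) = (IDS_(k,i), ISS_(k,i), CKISS_(k,i))
    ids: str                      # sensor identifier
    iss: float                    # measured value of the phenomenon
    ckiss: int                    # sending date (epoch seconds)


def classify_reading(bnp, msg):
    """Compare ISS_(k,i) with alpha_k; a sensor not in BNP_i is not silently accepted."""
    if msg.ids not in bnp:
        return "unknown_sensor"
    _phenomenon, (low, high) = bnp[msg.ids]
    return "normal" if low <= msg.iss <= high else "abnormal"


@dataclass(frozen=True)
class Pseudonym:
    value: str                    # C_i
    issued_at: int                # TS
    lifetime: int                 # T_i
    context: str

    @property
    def expires_at(self):
        return self.issued_at + self.lifetime


@dataclass
class SmartBracelet:
    pid: str                                                  # PID_i, never leaves the SBO
    bnp: dict
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))  # SBO secret (assumed)
    sbodb: list = field(default_factory=list)                 # local SBODB of sensor messages
    active: Optional[Pseudonym] = None
    revocation_list: list = field(default_factory=list)
    expiration_list: list = field(default_factory=list)

    def generate_pseudonym(self, context, now, consultation="basic", rn=None):
        """Stand-in for Algorithm 1: C_i = HMAC-SHA256(key, PID_i | context | RN | TS)."""
        rn = secrets.token_bytes(16) if rn is None else rn
        lifetime = LIFETIME_BY_CONSULTATION.get(consultation, BASIC_LIFETIME)
        material = b"|".join([self.pid.encode(), context.encode(), rn, str(now).encode()])
        value = hmac.new(self.key, material, hashlib.sha256).hexdigest()
        return Pseudonym(value, now, lifetime, context)

    def on_sensor_message(self, msg, now, consultation="basic"):
        """Step 2: record M_(k,i); on an abnormal reading issue a context-aware pseudonym."""
        self.sbodb.append(msg)
        status = classify_reading(self.bnp, msg)
        if status == "normal":
            return status, None
        self.active = self.generate_pseudonym(f"emergency:{msg.ids}:{status}", now, consultation)
        return status, self.active

    def refresh(self, context, now, consultation="basic"):
        """Step 4: rotate on context change (-> revocation list) or on expiry (-> expiration list)."""
        if self.active is None:
            self.active = self.generate_pseudonym(context, now, consultation)
            return "issued"
        if context != self.active.context:
            self.revocation_list.append(self.active)
            self.active = self.generate_pseudonym(context, now, consultation)
            return "revoked"
        if now >= self.active.expires_at:
            self.expiration_list.append(self.active)
            self.active = self.generate_pseudonym(context, now, consultation)
            return "expired"
        return "unchanged"
```

Time is passed in explicitly (`now`) rather than read from the clock so that the lifetime and revocation logic can be exercised deterministically; a pseudonym is a 64-character hex digest that carries no part of PID_i.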

Constructing our authorization model
Our proposed authorization model defines the following components:

1. Attribute (A): a variable that captures a property of an entity i. An attribute record (AR) is the set of n attributes attached to the same entity. In our authorization model, the system administrator is responsible for assigning attribute values.

2. Context (C): the context manages and organizes the different users and the hierarchical levels between them according to time, environment, organization and health action:
- Subject (S): the user of the access control. In our work it represents the members of the health bodies (HB = doctors and nurses). The attribute record of a health body is AR_HB = {A_(HB,1), A_(HB,2), …, A_(HB,n)} (Eq. 10).
- Control health device object (CHDO): the device a health body uses for monitoring and remote consultation of patients. Its attribute record AR_CHDO is the set of n attributes attached to the CHDO.
- Smart bracelet object (SBO): the health device assigned to each patient, manipulated by the health body together with its resources (files, database, etc.). Its attribute record AR_SBO is the set of n attributes attached to the SBO.
- Organization (O): the set of health bodies and their devices that monitor the health state of the same patients. In our paper, an organization of n health bodies and their objects is represented by its attribute record.
- Time (T): every health body may have a schedule for following his patients; its attribute record is AR_T.
- Health environment (HE): the location of the health body at a given time; its attribute record is AR_HE.
- Health actions (HA): the operations assigned to a health body on a set of the patient's objects, in order to monitor his health state at a given time and in a given environment. In our model, the authorized health body can read, write, update or delete the patient's resources; its attribute record is AR_HA.

3. Role (R): groups the set of privileges that is then assigned to users. In our work, the definition of a role depends on the health body's static context, his devices, his health actions, his location and his trust.

4. Trust degree (TD): the authorization value of the health body on the SBO, TD ∈ [0, 1], assigned according to the context: TD = 1 means fully authorized and TD = 0 means unauthorized.

Protocol phases
Our authorization protocol consists of three phases:
- Phase I, role generation: from the contextual attributes, we generate a set of dynamic roles for each health body. We take the doctor as representative of the health bodies.
- Phase II, trust affectation: each role is attached to a trust value in order to validate the doctor's context attributes.
- Phase III, role delegation and access authorization: trust values are assigned to the delegates if there is a delegation, then the associated role is activated, and finally the access privileges are verified.
Phase I: Role generation. The dynamic generation of contextual roles R_C constitutes the set of roles R and depends on the attribute record AR_i of each health body. The details of this phase are given in Algorithm 3.
When a message arrives from the SBO, the authorized doctor tries to access the patient to perform the necessary medical actions according to the context he received (see the privacy protocol in Sect. 4.1). He must provide his own context via his CHDO. The architecture of our security policy is shown in Fig. 3.

Phase II: Trust affectation
Once the set of dynamic roles R_i has been generated for each health body, a trust value α_j is assigned to each role on the basis of AR_i, as illustrated in Algorithm 4.

Phase III: Delegation role and access authorization. After the trust values have been assigned, a health body who delegates his roles sends a delegation message to the delegate doctor, containing his DID (doctor identifier) together with the set of delegated roles and their respective trust values. Then exactly one role is selected, by the delegate or, in the absence of delegation, by the role's owner. If the trust value of the selected role is greater than or equal to the threshold defined by the system administrator, the role is activated; otherwise a revocation procedure is launched. Furthermore, the actions a health body may perform on the SBO depend on the trust value of the activated role: writing, updating or deleting a file requires a higher trust degree (β) than reading it (δ), and accessing a confidential file requires a higher trust degree than accessing an ordinary file. The details of this phase are given in Algorithm 5.
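The three phases of the authorization protocol, as an added worked example in Python; it is not the paper's code, and the paper leaves the role catalogue, the trust computation and the threshold to Algorithms 3 to 5 and the system administrator. The attribute names (position, location, on_duty, device_registered, in_schedule), the per-role trust caps, the threshold of 0.6, δ = 0.6, β = 0.8, the extra 0.1 for confidential files, and the rule that a delegate receives 0.1 less trust than the owner per hop are all illustrative assumptions.

```python
# Added example, not from the paper. All numeric policy values and attribute
# names are assumptions; the control flow follows phases I-III of the text.
from dataclasses import dataclass

THRESHOLD = 0.6            # administrator-defined activation threshold (assumed)
DELTA = 0.6                # δ: trust needed to read an ordinary file (assumed)
BETA = 0.8                 # β: trust needed to write, update or delete (assumed)
CONFIDENTIAL_EXTRA = 0.1   # a confidential file needs this much more trust (assumed)
WRITE_LIKE = {"write", "update", "delete"}


@dataclass(frozen=True)
class Role:
    name: str
    actions: frozenset
    cap: float             # maximal trust this role may carry (assumed)


ROLES = {
    "attending": Role("attending", frozenset({"read"} | WRITE_LIKE), 1.0),
    "consultant": Role("consultant", frozenset({"read", "write"}), 0.8),
    "monitor": Role("monitor", frozenset({"read"}), 0.7),
}


def generate_roles(ctx):
    """Phase I: contextual roles R_C derived from a health body's attribute record AR_i."""
    names = []
    if ctx["position"] == "doctor":
        if ctx["location"] == "ward" and ctx["on_duty"]:
            names.append("attending")
        names.append("consultant")
    if ctx["position"] in ("doctor", "nurse"):
        names.append("monitor")
    return [ROLES[n] for n in names]


def affect_trust(role, ctx):
    """Phase II: trust value α_j of a role from the same attributes, capped per role."""
    score = 0.4
    score += 0.2 if ctx["on_duty"] else 0.0
    score += 0.2 if ctx["location"] == "ward" else 0.0
    score += 0.1 if ctx["device_registered"] else 0.0     # CHDO attribute
    score += 0.1 if ctx["in_schedule"] else 0.0           # time attribute
    return round(min(score, role.cap), 2)


def roles_with_trust(ctx):
    return [(r, affect_trust(r, ctx)) for r in generate_roles(ctx)]


def delegation_message(owner_did, owner_roles, decay=0.1):
    """Phase III(a): the owner's DID with the delegated roles and their trust values.
    Assumption: a delegate never gets more trust than the owner and loses `decay` per hop."""
    return {"did": owner_did,
            "roles": [(r, round(max(t - decay, 0.0), 2)) for r, t in owner_roles]}


def activate(candidate_roles, threshold=THRESHOLD):
    """Phase III(b): exactly one role is selected and activated iff its trust >= threshold;
    otherwise the revocation procedure applies and nothing is active (None)."""
    if not candidate_roles:
        return None
    role, trust = max(candidate_roles, key=lambda rt: rt[1])
    return (role, trust) if trust >= threshold else None


def authorize(active, action, confidential=False):
    """Phase III(c): the action must belong to the active role and meet δ (read) or β (write-like),
    plus the confidential surcharge."""
    if active is None:
        return False
    role, trust = active
    if action not in role.actions:
        return False
    needed = (BETA if action in WRITE_LIKE else DELTA) + (CONFIDENTIAL_EXTRA if confidential else 0.0)
    return trust >= round(needed, 2)
```

The point worth checking in any implementation of this model is that the threshold test and the δ/β test are distinct gates: an off-duty doctor is revoked outright at activation, while a second-hop delegate may hold an active role and still be refused a confidential write because his trust fell below β plus the confidential surcharge.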

Analysis of our approach
This section analyses our approach along two axes. First, the security analysis explains the resistance of the proposed approach to various attacks, in order to show its effectiveness with respect to the design goals. Second, the practical analysis covers pseudonym generation time, storage overhead and response time.

Privacy preserving integrity
In steps 2 and 3 of the privacy protocol, the generated context-aware pseudonym is signed with the private key KSSBO_i of the SBO; the doctor decrypts the message with his private key KSD_j (it was encrypted under KPD_j in step 3) and verifies the signature with the SBO's public key KPSBO_i, so any modification in transit is detected. In the authorization protocol, an unauthorized user, whether a non-delegated doctor, a doctor without an authorized role, or one whose trust degree is below the threshold (TD < Threshold), has no right to access the patient's EHR. Therefore the message integrity is preserved and only authorized health bodies can alter the record.

Privacy preserving authentication
The privacy protocol signs and encrypts the context before transferring it to the appropriate doctor. The CHDO receives a new pseudonym after each period T_i. In step 4 of the privacy protocol, the replaced pseudonym is kept in the revocation list when the renewal follows a context change, and in the expiration list after the exhaustion of the allocated time T_i. Since each pseudonym is generated with a fresh random number RN, it is hard for an attacker to correlate successive pseudonyms. In the authorization protocol, the doctor or his delegate can access the patient's encrypted data only if his trust degree is greater than or equal to the threshold (TD ≥ Threshold). Furthermore, his role R depends on the health body's static context, devices, health actions, location and trust. Therefore it is difficult for an unauthorized doctor to access the medical and personal information of the patient.

Non-repudiation
In step 3 of the privacy protocol, the sent context-aware pseudonym is signed with the private key KSSBO_i of the SBO and verified with the corresponding public key KPSBO_i. Therefore no other patient can have issued this pseudonym, and the SBO cannot deny having sent it, provided that KPSBO_i is reliably bound to patient i. Moreover, the signed message carries the current sending timestamp TS; provided the CHDO checks TS against its own clock and rejects stale or already seen values, the protocol also prevents replay attacks.

Practical analysis
In this subsection, we analyse the hardware performance required to put our approach into practice. Each wearable sensor k maintains a set of security parameters and periodically sends its measurement ISS_(k,i) to the SBO, which in turn generates a pseudonym corresponding to the global context C_i and sends it to the health bodies. Thereafter, each health body accesses the SBO to guide and monitor the patient in an emergency situation. Three criteria are involved: the pseudonym generation time and the context storage space in the privacy protocol, and the response time in the authorization protocol.

Pseudonym generation time requirement
Here we discuss, in terms of time, the computational overhead incurred by the SBO when it analyses the global context C_i and generates the pseudonym, as well as the overhead incurred by sensor k when it collects the patient's partial context C_(k,i) and sends it to the SBO. The message M_(k,i) is diffused periodically by each sensor k to the SBO of patient i. In emergency cases, the SBO generates a pseudonym corresponding to the global context C_i and sends it to the CHDO of the health bodies; the pseudonym generation time therefore grows with the number N_i of sensors communicating with the SBO. It depends on the sending date CKISS_(k,i) of M_(k,i) by sensor k, the generation time of the global context C_i, and the time to check the partial-context signature and random number.
In practice, the SBO takes 5 ms to verify the abnormal situations of the patient, and the transmission from each sensor to the SBO requires 5 ms. Under the assumed processing times of the remaining transactions needed to generate the pseudonym and send it to the CHDO, Fig. 4 plots the pseudonym generation time against the number of IoT sensors. For example, with 100 urgent wearable sensors the pseudonym generation time does not exceed 14 s. We therefore consider this criterion compatible with IoT sensors.

Storage overhead
The message M_(k,i) sent by each sensor k to the SBO of patient i includes IDS_(k,i), ISS_(k,i) and CKISS_(k,i). The partial context C_(k,i) includes the PID_i of patient i, the message M_(k,i) and the location L_i. The global context C_i is the concatenation of the signed partial contexts of all sensors that send abnormal urgent information to the SBO. The required context size and the total pseudonym size, including the encryption overhead of our privacy protocol, follow from these fields; among the assumed field sizes, RN = 10 bytes and T_i = 5 bytes.
Figure 5 illustrates the required storage capacity against the number of IoT sensors. For example, the storage capacity for 100 wearable sensors does not exceed 8500 bytes. Consequently, our protocol presents no constraint in terms of storage capacity.

Response time requirement
We are interested in the response time, which is critical in emergency healthcare applications. The generated pseudonym is stored in the SBO and sent to the health bodies, who decrypt the received pseudonym to reach the context describing the patient's situation. After the verification of the delegation, the selection of the role and the assignment of its trust degree, the SBO allows only legitimate health bodies to access its resources and to monitor the health status of their patients. In our protocol, we assume a delay Δt = 20 ms, the time lost by each health body to access the SBO. Eq. 17 gives the response time R_t of each access request, where R is the number of access requests from the health bodies to the SBO, V_t is the verification time of the delegation, the role selection and the trust degree assignment, which can reach 30 ms, R_leg is the number of access requests from legitimate health bodies, and T_p is the processing time required to decrypt the pseudonym, access the global context and find the partial context of each IoT sensor; we assume T_p = 100 ms. Figure 6 plots the response time against the number of legitimate access requests R_leg. For example, with 100 requests the response time does not exceed 14 s. We therefore consider that our authorization protocol presents no constraint in terms of response time.

Conclusion
The use of miniaturized and non-miniaturized devices in a smart hospital improves the quality of the patient's medical life. However, this environment raises many security problems because of the resource constraints of these devices and the different living spaces of the patient. Protecting patient data is of primary importance in establishing his EHR. The specificity of the data in this record, and the transmission of the sensitive information it contains, require a set of security mechanisms that protect both the privacy of and the access control to this file. In this paper, we proposed an approach based on two new protocols. First, we presented a context-aware pseudonym that protects the EHR of a patient in hospital and at home in the case of remote consultation; in addition, we prevented the disclosure of the patient's location during his hospital stay. Second, we developed an authorization model that oversees the actions and interactions between the patient's organization and his SBO. The model uses the context to generate a set of roles and assigns them trust values; only one role is activated, if its trust value is greater than or equal to the trust threshold assigned to the patient's context. A dynamic delegation mechanism is created to better manage the interactions between health bodies. The practical analysis of our approach shows acceptable storage and computation overhead. As a continuation of this work, we aim to extend our privacy protocol with an efficient distributed public-key certificate mechanism, considering a case study on a telemedicine platform, and to propose an information flow control protocol for wearable objects in smart environments.

Fig. 2 Sequence diagram of our protocol

Fig. 3 Authorization and delegation architecture based on TCR (trust, context and role)