Practical Privacy-Preserving ECG-Based Authentication for IoT-Based Healthcare

In current healthcare systems, patients use various types of medical Internet of Things devices for monitoring their health conditions. The collected information (personal health records) will be sent back to hospitals for diagnosis and quick responses. However, severe security and privacy leakages with regard to data privacy and identity authentication are incurred because the monitored health data contains sensitive information. Therefore, the data should be well protected from unauthorized entities. Unfortunately, traditional cryptographic approaches or password-based mechanisms cannot fulfill the privacy and security demands in health monitoring due to their low efficiency and knowledge-based property. Biometric authentication overcomes these deficiencies and successfully verifies the inherent characteristics of humans. Among all biometrics, the electrocardiogram (ECG) signal is the most suitable one due to its medical properties. However, the security and privacy objectives of ECG-based authentication usually fail in practice due to the noise interferences in the collected ECG data and the privacy breach of the ECG database. In this paper, we propose a practical scheme that can reliably authenticate patients with noisy ECG signals and provide differentially private protection simultaneously. The effectiveness and efficiency of our scheme are thoroughly analyzed and evaluated over online datasets. We also conduct a pilot study on human subjects experiencing different exercise levels to validate our scheme.