Today’s society is rapidly moving toward an aged society. The rapid changes in modern styles provide ongoing opportunities to build new markets and industries. Radio frequency identification (RFID) systems can be applied to many industries, and include many potential applications such as manufacturing, supply chain management, access control, inventory control, e-passports, pharmacies, and hospital management. RFID has the advantages of low cost and convenience in identifying an object with non-lineof- sight reading.
Ubiquitous technologies based on mobile devices and sensor nodes are able to manage healthcare information with small sensors and devices. As information technologies are rapidly developed, e-healthcare systems are currently being realized. Recently, the trend in healthcare systems has moved toward u-healthcare systems because of smart equipment and devices with low computing power. RFID is an automated data-capture technology that uses low-power radio waves to communicate between readers and tags . RFID technology is also applicable to u-healthcare systems to reduce manual handling errors, monitor patient’s medical information accurately, maintain efficient processes, and track patients’ location. To utilize this system, new problems should be solved such as security, authentication, and safety . Advanced technologies and existing medical technologies should be combined properly to meet the requirements for service efficiency, accuracy, and clinical significance. This kind of fusion technology is called a ubiquitous healthcare system. It should be noted that uhealthcare systems improve and enrich the quality of life. This comes about by the improvement of constraints and medical treatments by connecting a lot of devices with medical treatment. Any security vulnerability may cause a leakage of personal information. Therefore, security protocols should be prepared and taken into consideration prior to the implementation of a u-healthcare system. The owner of personal information can also be threatened by hackers and malicious attackers . For this reason, the Department of Health and Human Services (HHS) in the United States has recently issued “an interim final rule regulating when and how patients must be notified if their healthcare information has been exposed in a security breach by hospitals, physician offices, and other healthcare organizations”. Health Insurance Portability and Accountability (HIPAA) is an act introduced in 1996 to protect a patient’s rights to medical history. A research group on healthcare is working on developing expertise in several areas and is planning to integrate these in 3G and 4G networking. The hospital information system today integrates individually optimized sections including nurses, other staff, and patients. The remainder of this paper is organized as follows. Section I is the introduction. Section II summarizes related work on the application of RFID related to security issues. Section III presents the analyses of the u-healthcare system, reviews the analysis of the protocol, and discusses various security and privacy issues such as associated attacks. Finally, Section IV provides the conclusions.
Information related to healthcare services is very confidential and sensitive. Healthcare systems are divided into several part systems in hospitals. Therefore, a divided security mechanism is required to integrate different types of security. In general, we should consider the characteristics of wireless communication between a user’s tag and mobile agent, in addition to the wired connection between a mobile device and database. Generally speaking, firewall and traffic analysis can be used for the protection of sensible information from non-authorized attacks over the Internet protocol. Such attacked can be induced by authentication and security problems in this situation . Healthcare staff members increasingly require medical data to be delivered in real time to support their decision making process. The adoption of mobile devices allows this process to occur concurrently. Privacy is an important aspect of pervasive and ubiquitous computing systems, and, in particular, pervasive healthcare. Moncrieff et al.  have presented a design framework for implementing privacy measures in ubiquitous computing environments, and have demonstrated its application to pervasive healthcare. Sun et al.  have contributed a detailed discussion on the privacy and security issues in e-healthcare systems and viable techniques for these addressing issues. Furthermore, they demonstrated the design challenge in the fulfillment of conflicting goals through an example scenario, where a wireless body sensor network is leveraged, and an optimized solution is proposed to overcome the conflict. Boukerche and Ren  introduced the technique of trust evaluation without a centralized trust management authority and proposed a novel trust evaluation model that can efficiently calculate the trustworthiness of mobile healthcare devices and dynamically manage medical nodes. Markovic et al.  considered the issues of mobile healthcare security and employ cryptographic techniques to address possible vulnerabilities. They make use of symmetrical cryptographic methods to protect data confidentiality, and asymmetrical cryptographic algorithms such as public key infrastructure (PKI) and digital signature techniques to achieve data integrity.
III. ANALYSES OF U-HEALTHCARE SYSTEM
At the initial model of the u-health system, a mhealthcare system is designed as an enhancement of the ehealthcare system supported by wireless electronic medical record (EMR) access. Fig. 1 depicts the concept of the network topology for the u-healthcare system. It represents a brief network topology for a virtual hospital. This network will be modified and extended based on the security and protocol requirements . To overcome additional vulnerabilities, wireless architecture with embedded security modules should be designed with an essential requirement for wireless EMR access. In particular, a patient’s privacy is very important in a hospital information system (HIS) environment. The information should be secured permanently, either when it is transmitted or stored in databases. Security issues could occur with sharing information among interconnected hospitals. Secure access of electronic health record (EHR) with distributed topology units should be also considered. Healthcare networks based on electronic or mobile devices are established by connecting general clinics, hospitals, and national/private medical centers. However, health information which is stored in a healthcare center is usually accessible only to authorized staff of that center in traditional healthcare systems . To improve medical service quality in hospitals and enhance safety control for patients, integration of RFID technologies into medical industries has recently been progressively evolving. Effectively merging RFID techniques with the existing HISs is occurring gradually . Yao et al.  has reviewed the literature on RFID applications in healthcare based on a formal research framework and has identified current opportunities, potential benefits, and adoption barriers. Wang et al.  demonstrated the RFID infrastructure of Taipei Medical University Hospital. This architecture shows how data was collected, processed, stored, and transformed into useful information for medical services in the hospital. Yu et al.  provided the u-healthcare system with real-time technologies, which a great deal of security precautions. He also described differences between e-healthcare systems and u-healthcare systems, as shown in Table 1.
U-healthcare systems may bring unlimited convenience to the customers and staff of hospitals. However, security vulnerabilities can be found and would be attacked by skilled hackers. Security breaches may result in a loss of data or leakage of personal information unless hospital information systems are designed with security features. However, many organizations commit the mistake of neglecting the security aspect because security features do not generate any visible return on investment for them. As shown in Fig. 1, at the end of the network topology, a mobile device and wireless access point are utilized to implement interaction of transmitted information between the end device and the database servers through the network. An authentication server is located in the middle of the data transmission for access control in the authentication process. To identify security vulnerabilities and threats, security solutions and compact protocol design should be suggested to mitigate all kinds of risks . Table 2 shows the structure of the secure layer and its characteristics.
To mitigate the aforementioned problems, we analyzed a security mechanism that protects EMRs and is suitable for ubiquitous medical service. The mechanism consists of numerous security measures such as authentication and a cryptographic algorithm. According to the structure of the security level, the measures can be categorized into three security layers: authentication based on the network, authentication based on the application, and database protection.
[Table 1.] Difference between e-healthcare and u-healthcare networks.
Difference between e-healthcare and u-healthcare networks.
The wired equivalent privacy (WEP) protocol was designed to provide the same level of privacy as a wired network. Due to the low complexity of security concerns over the WEP standard, many researchers continue to debate whether WEP alone is sufficient for HIPAA transmission security or not. Consequently, a healthcare delivery organization should use a combination of WEP and other security protocols for wireless networks. In order to avoid potential security breaches such as authentication and privacy protection, the existing healthcare agent architecture should be considered for some special security requirements. The wireless public area network is the connection of servers. The relevant enabling technologies for wireless public area networks are Bluetooth and ZigBee. They are a set of high level communication protocols that use low power resources. The use of RFID is increasing for healthcare systems and patient monitoring systems as well. Deploying RFID technology in the healthcare industry for promoting patient’s data and records in the hospital is a complex issue since it involves technological, economic, social, and administrative factors. Table 3 summarizes the major barriers, benefits, and attacks from the collected literature .
[Table 2.] Structure of secure layer for services.
Structure of secure layer for services.
[Table 3.] Benefits of, barriers to, and attacks on RFID applications in healthcare systems.
Benefits of, barriers to, and attacks on RFID applications in healthcare systems.
A. Authentication Based on Network
As a first step toward security, well-organized authentication processes based on the network should be prepared against various threats, especially for wireless networks. In recent years, hospitals have also introduced wireless communication systems. However, not many hospitals are aware of the security issues because their working process is mainly focused on emergencies rather than security. This may result in a security problem such as information leakage. Fig. 1 describes a topology of ubiquitous healthcare systems. When a mobile agent attempts to connect to Wi-Fi protected access (WPA2)-Enterprise architecture, they must investigate the 802.1X/EAP process. This process has several steps: After the mobile agent establishes an association to the access point (AP), the remote authentication dial in user service (RADIUS) server initiates server-side authentication with the supplicant. In this authentication, the server sends its certificate to the mobile agent and requests that the user reply with the certificate of the mobile agent. Next, the mobile agent starts the client-side authentication by sending its authentication information to the server. After these steps, the mobile agent has proven its credentials in order to be allowed on the network. After authentication is completed, authentication is needed in order to make sure that matching encryption keys are installed on the mobile agent and access point. Negotiation to exchange the advanced encryption standard/counter mode CBC-MAC protocol (AES/CCMP) encryption key is carried out by robust security network (RSN) which is used for communications in a WPA2 network. Once the AES-CCMP encryption keys are successfully installed on both the AP and mobile agent, secure data will be transmitted across the WLAN. There are three methods that offer mutual security levels. To select the proper method, compatibility with the hospital environment should be analyzed. Extensible authentication protocol-message digest5 (EAP-MD5) should not be employed because it has weak security features.
[Table 4.] Comparison of u-healthcare network and IPv6.
Comparison of u-healthcare network and IPv6.
To apply the EAP-transport layer security (TLS) protocol to a wireless network, implementation of the WLAN standard is required. WPA2 is one of the standards in which EAP-TLS can be implemented. Also, WPA2 employs AES-CCMP to overcome the vulnerabilities of other wireless communication standards [17,18]. Huang et al.  presented a healthcare system hierarchical network architecture for wireless sensor networks. When IPv6 over IEEE 802.15.4 is implemented into sensor nodes, furthermore, biomedical sensor positioning is a foundational and crucial subject for detecting the location of elderly or chronic patients at any place, at any time. The global positioning system, multi-dimensional scaling, or radio frequency identification techniques can be also applied to biomedical sensor systems. Table 4 depicts a comparison of u-healthcare network and IPv6 network bases .
B. Authentication Based on Application
A user’s authorization should be authenticated by a webbased authentication process for accessing the EMR even though the user connects to the network through network authentication.
The security guidance is republished by HIPAA in the US. To understand the prevailing regulations surrounding the protection of healthcare information in the US, it is important to have a basic understanding of the HIPAA Act of 1996. Specifically, HIPAA defines privacy as an individual’s interest in limiting who has access to his or her personal healthcare information and specifies that security measures must encompass all the administrative, physical, and technical safeguards in an information system . According to recent studies, two-factor authentication has been reported. These are the usual authentication methods based on a challenge-response handshake and session key agreement during the authentication process. Secure communication with a session key can communicate with confidentiality .
[Table 5.] Key sizes giving equivalent security.
Key sizes giving equivalent security.
Xiao et al.  presented distributed architecture of a health agent system and its resource access flow control and agent interaction model with a security policy in health agents. Misik  reported on healthcare wireless sensor networks implemented using 802.15.4 beacon-enabled technology, in which security processors are implemented with low power microcontrollers.
In this setting, he proposed using elliptic curve cryptography (ECC) for key distribution in order to decrease energy consumption compared to the better known RSA algorithm. Recently, ECC has been demonstrated as computationally lightweight, yet its security is comparable to that of RSA. For the same security level, ECC has much smaller key sizes compared to RSA, as shown in Table 5 .
The use of the mobile device in the hospital environment provides an opportunity to offer better services for patients and staff. Mobile technology offers many advantages for improving patient information management and reducing the costs of processing time of medical information. We analyzed the issues of security related to privacy and comparison of e-healthcare and u-healthcare system and privacy. Neither a symmetric nor an asymmetric cryptographic deployment is necessary with the lightweight algorithm in a user’s device. In future work, we will develop a test bed with an RFID system embedded in a ubiquitous healthcare system to estimate the performance and related problems and improve the security of a pervasive and mobile healthcare system.