Download: a Security Architecture for Accessing Health Records On

A SECURITY ARCHITECTURE FOR ACCESSING HEALTH RECORDS ON MOBILE PHONES

Alexandra Dmitrienko, Zecir Hadzic, Hans Löhr and Marcel Winandy
Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany
{alexandra.dmitrienko, zecir.hadzic, hans.loehr, [email protected]

Ahmad-Reza Sadeghi
Fraunhofer-Institut SIT Darmstadt, Technische Universität Darmstadt, Germany
[email protected]

Keywords: Health records, mobile computing, smartphone, security architecture, trusted computing.

Abstract: Using mobile phones to access healthcare data is an upcoming application scenario of increasing importance in the near future. However, important aspects to consider in this context are the high security and privacy requirements for sensitive medical data. Current mobile phones using standard operating systems and software cannot offer appropriate protection for sensitive data, although the hardware platform often offers dedicated security features. Malicious software (malware) like Trojan horses on the mobile phone could gain unauthorized access to sensitive medical data. In this paper, we propose a complete security framework to protect medical data (such as electronic health records) and authentication credentials that are used to access e-health servers. Derived from a generic architecture that can be used for PCs, we introduce a security architecture specifically for mobile phones, based on existing hardware security extensions. We describe security building blocks, including trusted hardware features, a security kernel providing isolated application environments as well as a secure graphical user interface, and a trusted wallet (TruWallet) for secure authentication to e-health servers. Moreover, we present a prototype implementation of the trusted wallet on a current smartphone: the Nokia N900.
Based on our architecture, health care professionals can safely and securely process medical data on their mobile phones without the risk of disclosing sensitive information as compared to commodity mobile operating systems.

1 INTRODUCTION

The usage of mobile phones as a multi-purpose assistant device in healthcare has been proposed in several application scenarios. Its usefulness is derived from its mobility and flexibility, i.e., today's smartphones offer appropriate computing and storage capacity allowing the realization of various applications that can be used basically from everywhere. For instance, healthcare professionals can use mobile phones to download and share electronic health records of their patients (Benelli and Pozzebon, 2010). In other scenarios, patients use their mobile phones to provide personal health data, e.g., taken from additional bio-sensors, to a medical information and diagnosis system (Han et al., 2008). While smartphones are very flexible and cost-efficient computing devices, they generally do not offer sufficient security mechanisms to protect the data they operate on. This is mainly due to the architectural shortcomings of their operating systems, which are derived from the same (security) architecture as desktop operating systems. Typical examples are Google Android (Android Open Source Project, 2010), Apple iOS (Apple Inc., 2010), Symbian (Symbian Foundation Community, 2010), and Windows Mobile (Microsoft, 2010). Although some of them provide more sophisticated security mechanisms than their desktop counterparts, e.g., application-oriented access control in Android (Google Android, 2010), they still suffer from fundamental security problems due to their large code base and complexity, lack of strong isolation of applications (secure execution) and insufficient protection of stored data (secure storage). Recent attacks on smartphones demonstrate their vulnerability (Iozzo and Weinmann, 2010; Vennon, 2010; Aggarwal and Vennon, 2010). But the secure operation of a mobile phone is an important aspect when a user is working with security- and privacy-sensitive data such as personal health records on the device.

Especially in healthcare telematics infrastructures, the end-user systems of health professionals have been identified as an insecure and less specified component (Sunyaev et al., 2010). Malware on the user's computing platform could steal passwords that are used to access healthcare information systems, manipulate data such as medical prescriptions, or eavesdrop on and copy private data such as personal health records. While the connection of stationary desktop systems to the healthcare telematics may be protected by additional secure hardware network components like, e.g., special firewalls and gateway routers, the situation gets worse when mobile phones are used. Due to their mobility and changing connectivity (wireless LAN or GSM network), mobile phones may usually only use Virtual Private Network (VPN) technology to secure the connection. But the necessary credentials, like user passwords and VPN keys, are not sufficiently protected against malware on the device and, hence, could be accessed by unauthorized parties.

However, modern smartphone hardware offers advanced security functionality, which is embedded in their processors but generally not used by the mainstream mobile operating systems. For instance, ARM TrustZone (Tiago Alves, 2004) and Texas Instruments M-Shield (Azema and Fayad, 2008) offer secure boot(1) functionality, secure storage and secure execution environments for security-critical functions, which are isolated by hardware mechanisms from other processes running on the phone.

On the other hand, previous works on secure operating systems, e.g., (Fraim, 1983; Karger et al., 1990), have shown how to achieve strong isolation for secure execution and to have less complexity for the trusted computing base, i.e., the code that all security relies upon. The concept of a security kernel (Anderson, 1972) incorporates all relevant functionality needed to enforce the security into a kernel that is isolated and protected from tampering by other software and small enough to be verifiable for its correctness and security. While earlier systems suffered mostly from poor performance in those days, recent CPU hardware technology, especially its virtualization support, and the development of efficient microkernel software architectures (Liedtke, 1995) allow for the realization of security kernels with low performance overhead while maintaining compatibility with existing applications. For example, Turaya (EMSCB Project Consortium, 2008) and the OpenTC security architecture (The OpenTC Project Consortium, 2009) are research efforts that take advantage of these technologies to develop a security kernel on modern CPU hardware.

Contribution. In this paper, we propose a security architecture for accessing e-health services on mobile phones. We present the combination of efficient solutions that current technology can offer on mobile phones for securely accessing and processing security-sensitive data such as electronic health records. In particular, we propose (i) a security framework to create a secure runtime environment for medical applications, and (ii) specific tools that protect the authentication of users and their mobile devices to e-health servers.

In our security framework, we combine the concept of a security kernel with hardware security features of modern mobile phone processors. On top of this layer, we use isolated execution compartments to separate applications that process medical data (e.g., an EHR viewer) from applications that process non-medical data (e.g., the telephony application or an ordinary web browser).

As a secure authentication tool, we propose a trusted wallet service that protects the user's login credentials and performs the authentication to e-health (or other) servers on behalf of the user. This tool protects users from being tricked into entering their credentials in malicious applications or faked web sites, and takes advantage of the underlying security framework to protect the credentials from malicious software potentially running on the phone. We present a new implementation of this wallet for mobile phones based on the Nokia N900 platform.

Compared to commodity mobile phone operating systems, our approach provides a secure environment against software attacks like malware. The usage of security-critical data like patients' health records is effectively isolated from other software running on the phone, and secret data like login credentials to healthcare information systems is protected by the advanced hardware security features.

In the following, we describe the usage and adversary scenario we consider (Section 2). Then, we present our security architecture (Section 3): first from a generic perspective, which can be used on all platforms, followed by its instantiation on mobile phone platforms. In Section 4, we describe how our architecture can be implemented and we present

(1) Secure boot means that a system terminates the boot process in case the integrity check of a component to be loaded fails.

[The extracted text resumes in a later section, mid-sentence:]
(for integrity and authenticity), and user authentication (for legitimacy of access). However, the protection of the critical cryptographic keys that are needed for those mechanisms is not addressed appropriately. Hence, an attacker who gains access to these keys can circumvent any other protection mechanism. Therefore, in this paper we concentrate on an adversary model in which the attacker targets the mobile computing device of health care profes-
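The trusted-wallet idea sketched in the Contribution paragraphs, as an added illustration that is not the paper's TruWallet code: credentials live only inside an isolated wallet compartment, the wallet pins the genuine server's certificate fingerprint when the user enrols, and an application compartment that asks for a login only ever receives the session token the server issued. A look-alike site with the right hostname but a different certificate therefore gets no credentials, which is the phishing case the paper describes. Service name, hostnames, certificate bytes and the password are constructed for the example; the `Server` class stands in for a TLS-reachable e-health server.

```python
"""Added example (not from the paper): a minimal model of a trusted wallet that
authenticates to e-health servers on the user's behalf.  All names, certificate
bytes and the password below are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Server:
    """Constructed stand-in for a server reached over TLS; `certificate` plays the
    role of the DER certificate the server would present during the handshake."""
    hostname: str
    certificate: bytes
    passwords: Dict[str, str] = field(default_factory=dict)

    def cert_fingerprint(self) -> str:
        return hashlib.sha256(self.certificate).hexdigest()

    def login(self, user: str, password: str) -> Optional[str]:
        stored = self.passwords.get(user)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            return "session-" + secrets.token_hex(8)
        return None


class TrustedWallet:
    """Runs in the isolated wallet compartment.  Other compartments can only
    call enroll() and login(); they never read the vault."""

    def __init__(self) -> None:
        # service name -> (pinned certificate fingerprint, user, password)
        self._vault: Dict[str, Tuple[str, str, str]] = {}
        self.audit: List[str] = []

    def enroll(self, service: str, server: Server, user: str, password: str) -> None:
        # Enrolment pins the genuine server's certificate; later logins must match it.
        self._vault[service] = (server.cert_fingerprint(), user, password)

    def login(self, service: str, server: Server) -> Optional[str]:
        entry = self._vault.get(service)
        if entry is None:
            self.audit.append(f"{service}: no credentials enrolled, request refused")
            return None
        pinned, user, password = entry
        presented = server.cert_fingerprint()
        if not hmac.compare_digest(pinned, presented):
            # Hostname alone is not trusted: a faked site presents a different certificate.
            self.audit.append(f"{service}: certificate mismatch for {server.hostname}, credentials withheld")
            return None
        token = server.login(user, password)
        self.audit.append(f"{service}: authenticated {user} to {server.hostname}")
        return token


class EhrViewer:
    """Application compartment: holds a handle to the wallet, never a password."""

    def __init__(self, wallet: TrustedWallet) -> None:
        self.wallet = wallet

    def fetch_records(self, server: Server) -> str:
        token = self.wallet.login("ehr-portal", server)
        return "login refused by wallet" if token is None else f"records fetched with {token}"


def run_scenario() -> Tuple[Optional[str], Optional[str], List[str]]:
    """Return (token from the genuine server, result against the look-alike, audit log)."""
    password = "constructed-example-password"
    genuine = Server("ehr.example.org", b"constructed-genuine-cert", {"dr.smith": password})
    # Look-alike: same hostname shown to the user, attacker-controlled certificate.
    lookalike = Server("ehr.example.org", b"constructed-attacker-cert")
    wallet = TrustedWallet()
    wallet.enroll("ehr-portal", genuine, "dr.smith", password)
    viewer = EhrViewer(wallet)
    viewer.fetch_records(genuine)      # succeeds, viewer sees only a token
    viewer.fetch_records(lookalike)    # refused, password never leaves the wallet
    return wallet.login("ehr-portal", genuine), wallet.login("ehr-portal", lookalike), wallet.audit


if __name__ == "__main__":
    ok, refused, audit = run_scenario()
    print("genuine:", ok, "| look-alike:", refused)
    print("\n".join(audit))
```

The design point is that the wallet, not the user or the EHR viewer, decides whether the peer is the enrolled server, so a faked web site that fools the user's eyes does not fool the fingerprint comparison, and the viewer compartment has nothing worth stealing if it is compromised.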
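Footnote 1 defines secure boot as terminating the boot process when a component's integrity check fails. The following added example (not code from the paper, nor from TrustZone or M-Shield) models that rule in Python: a manifest of expected component hashes is authenticated with a key standing in for the hardware-held root key, each component is hashed before it is loaded, and the sequence halts at the first failed check, so nothing after a tampered component runs. The root key, component names and image bytes are all constructed.

```python
"""Added example (not from the paper): a model of secure boot as defined in
footnote 1.  ROOT_KEY stands in for a key the hardware holds; the component
images are constructed byte strings."""
import hashlib
import hmac
from typing import Dict, List, Tuple

ROOT_KEY = b"constructed-stand-in-for-a-hardware-held-root-key"
Component = Tuple[str, bytes]          # (name, image bytes)


def _serialize(digests: Dict[str, str]) -> bytes:
    # Canonical encoding so the manifest tag covers every name/digest pair.
    return "\n".join(f"{name}:{digest}" for name, digest in sorted(digests.items())).encode()


def make_manifest(chain: List[Component]) -> Tuple[Dict[str, str], str]:
    """Hash every component and authenticate the table with the root key."""
    digests = {name: hashlib.sha256(blob).hexdigest() for name, blob in chain}
    tag = hmac.new(ROOT_KEY, _serialize(digests), hashlib.sha256).hexdigest()
    return digests, tag


def secure_boot(chain: List[Component], manifest: Dict[str, str], tag: str) -> Tuple[List[str], str]:
    """Load components in order; return (components loaded, outcome)."""
    expected = hmac.new(ROOT_KEY, _serialize(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return [], "halted: manifest authentication failed"
    loaded: List[str] = []
    for name, blob in chain:
        digest = hashlib.sha256(blob).hexdigest()
        if name not in manifest or not hmac.compare_digest(manifest[name], digest):
            # Footnote 1: the boot process terminates, later components never run.
            return loaded, f"halted: integrity check of {name} failed"
        loaded.append(name)
    return loaded, "booted"


GENUINE_CHAIN: List[Component] = [
    ("bootloader", b"constructed bootloader image v1"),
    ("security-kernel", b"constructed security kernel image v1"),
    ("wallet-compartment", b"constructed trusted wallet image v1"),
]


def tampered_chain() -> List[Component]:
    # Same chain with the security kernel image modified after the manifest was made.
    return [(name, blob + b" + modification" if name == "security-kernel" else blob)
            for name, blob in GENUINE_CHAIN]


def boot_genuine() -> Tuple[List[str], str]:
    manifest, tag = make_manifest(GENUINE_CHAIN)
    return secure_boot(GENUINE_CHAIN, manifest, tag)


def boot_with_tampered_kernel() -> Tuple[List[str], str]:
    manifest, tag = make_manifest(GENUINE_CHAIN)
    return secure_boot(tampered_chain(), manifest, tag)


def boot_with_forged_manifest() -> Tuple[List[str], str]:
    # Hashes can be recomputed for the modified image, but the tag cannot be
    # reproduced without ROOT_KEY, so the genuine tag no longer matches.
    forged, _ = make_manifest(tampered_chain())
    _, genuine_tag = make_manifest(GENUINE_CHAIN)
    return secure_boot(tampered_chain(), forged, genuine_tag)


if __name__ == "__main__":
    for label, result in [("genuine", boot_genuine()),
                          ("tampered kernel", boot_with_tampered_kernel()),
                          ("forged manifest", boot_with_forged_manifest())]:
        print(f"{label}: loaded={result[0]} -> {result[1]}")
```

Note the two distinct checks: the per-component hash stops a modified image, and the authenticated manifest stops an attacker who simply rewrites the expected hashes to match it. Without the second check the first would be pointless, which is why the paper anchors secure boot in hardware rather than in software-held tables.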
