A Risk Management Framework for Data Security and Privacy of Wireless Body Area Network based Healthcare Applications

Abstract

Wireless Body Area Network (WBAN) based applications are gaining popularity due to recent advances in sensor technology, integrated circuits, mobile apps and wireless communication. The literature review conducted as part of this research indicates that the most challenging issues related to developing a WBAN based healthcare application are energy efficiency, antenna design, assuring quality of service, and security and privacy. WBAN applications operate in environments where people may have open internet access, making the application vulnerable and open to larger attack surfaces. Attacks can affect the performance and availability of the service, sometimes leading to life-threatening situations or even death. Through the literature review and an interview with one WBAN development organisation, this research has identified that assuring security and privacy while collecting, transmitting, processing, and storing personal health record (PHR) data is a key challenge for developers. The reasons for this challenge include (i) developers have limited knowledge of marketspecific regulatory requirements and standards, and (ii) there are a vast number of controls with insufficient implementation detail. The literature review also found no complete solution exists for assuring data security and privacy while also meeting the regulatory requirements for WBAN based healthcare applications. To address these challenges for assuring security and privacy, this research has developed a data security and privacy risk management (WBANSecRM) framework that will assist the developer in assuring security and privacy of the data and put them on the path to regulatory compliance. The framework outlines the process to identify the list of assets, threats, and vulnerabilities specific to WBAN applications. The framework also consists of a comprehensive list of controls, along with implementation details to mitigate the threats and vulnerabilities. The framework has been validated by implementation in an organisation that develops WBAN applications and was further validated by expert review