
Journal of Medical Systems, Volume 36, Issue 6, pp 3491–3505

Security Risks Associated with Radio Frequency Identification in Medical Environments

  • Peter J. Hawrylak
  • Nakeisha Schimke
  • John Hale
  • Mauricio Papa
Original Paper

Abstract

Radio frequency identification (RFID) is a form of wireless communication that is used to identify assets and people. RFID has significant benefits to the medical environment. However, serious security threats are present in RFID systems that must be addressed in a medical environment. Of particular interest are threats to patient privacy and safety based on interception of messages, interruption of communication, modification of data, and fabrication of messages and devices. This paper presents an overview of these security threats present in RFID systems in a medical environment and provides guidance on potential solutions to these threats. This paper provides a roadmap for researchers and implementers to address the security issues facing RFID in the medical space.

Keywords

RFID; Security; Radio frequency identification; Privacy; Network security; Risk assessment; Vulnerability analysis; Medical informatics


Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  • Peter J. Hawrylak (1)
  • Nakeisha Schimke (2)
  • John Hale (2)
  • Mauricio Papa (2)

  1. Department of Electrical Engineering, The University of Tulsa, Tulsa, USA
  2. Department of Computer Science, The University of Tulsa, Tulsa, USA
