Authentication and Authorization for the Internet of Things for Health
Summary
Background: The Internet of Things (IoT) may transform health and other sectors, but this requires (technological) solutions that ensure adequate security and privacy. Proper authentication and authorization are essential to achieve these goals, but may also harm them if the solutions for authentication and authorization are designed or configured improperly.
Goal: The goal of this thesis project is to find out how authentication and authorization can help ensure security and privacy for IoT devices in the health sector.
Method: Current solutions for authentication and authorization in the IoT are analyzed. Using semi-structured interviews, requirements for authentication and authorization solutions for the IoT in health are presented.
Results: The analysis of available solutions for authentication and authorization shows that there are many different models, architectures, and mechanisms for authentication and authorization, each with its own advantages and disadvantages. The results of the interviews show that the main objectives of authentication and authorization are related to privacy, confidentiality, and integrity of data. The most important challenges to achieving these objectives are heterogeneity and a lack of standardization, as well as problems related to managing (large amounts of) data. To achieve a desired level of security and privacy, authentication and authorization must offer transparency, anonymity/pseudonymity, unlinkability, unobservability, confidentiality, integrity, availability, usability, accountability, auditability, trustworthiness, and non-repudiation. A general set of guidelines for secure and privacy-preserving authentication and authorization is proposed and validated.
Conclusion: In health care, organizations are vulnerable to security and privacy threats. In some cases there is a trade-off between some security and privacy objectives. There is an orientation towards centralized IoT solutions. Potential negative effects for privacy are avoided through legal and organizational measures. Current trends such as virtualization of networks may affect the way authentication and authorization are carried out.