Secure e-Health System on Passive RFID: Outpatient Clinic and Emergency Care

In recent years, many researches have demonstrated several RFID-based solutions to enhance patient medication safety and avoid human errors. Although RFID-based procedure is more efficient than traditional process, patient's information may be attacked (or stolen) during the data transmission period. This will cause inappropriate medication use and medical errors. In this paper, we introduce a robust RFID-based e-Health system which strengthens the system security and protects the patient's privacy as well. In addition, our e-Health system can provide better efficiency of outpatient clinic procedure and emergency care procedure in hospital environment.


Introduction
Recently, RFID technology has promptly been adopted to enhance the communication efficiency in hospital environment.As a result, the development of a broad range of new electronic-Health (e-Hhealth) applications has emerged; these are, for example, patient safety and medication management [1][2][3][4][5][6][7][8], ubiquitous healthcare systems [9], inpatientcare systems [10,11], autotracking clinical interventions [12], and electronic-health records [13].All of these applications promise patient, nurse, doctor, and administrator to efficiently access relevant health information, enhance the quality of patient care, reduce healthcare errors, increase collaboration, and encourage the adoption of healthy behaviors.
Since new and efficient health information technologies realize the implementations of diverse e-Health services, the system security and patient (or hospital administrator) privacy have been focused by human right organizations, governments, and research community.The essential security elements for e-Health systems are data confidentiality, data integrity, service availability, accountability, and nonrepudiation of information.Meanwhile, personal privacy is the fundamental human right, and basic privacy protection principles are universal.Information privacy concerns exist wherever personally identifiable information is collected, processed, stored, and disclosed.In the following, we present basic information securities and privacy principles [14,15].
(i) Patient data must be processed fairly and used for specified and lawful purposes.
(ii) Unauthorized or unlawful processing of patient data must be efficiently measured and dealt with.
(iii) Accountability should be guaranteed.
(iv) The consent for data processing should be freely given.
(v) Patient data must not be exploited without adequate level of protection.
(vi) Patient data must be adequate, relevant, and not excessive in relation to the purpose for which it is processed.
(vii) Patient data processed for any purpose must not be kept for longer than is necessary for that purpose.
Based on the previous properties, we argue that data processing should be legal and meet regulatory and contractual obligations.In addition, the patient's health data (or personal examination report) is sensitive and, however, usually identifiable.Therefore, personal health data must be well protected to fulfill the above mentioned security and privacy principles; for example, the international standard ISO 27799 [16] can be a solution for security management of health information.
In this paper, we focus on RFID technology integrated with the process for medicine error reduction, patient (and inpatient) safety enhancement, and health care management.In particular, the issues of performance efficiency, system security, and patient privacy will be thoroughly investigated.We intend to deliver a patient privacy-aware e-Health system based on passive RFID to simultaneously enhance system efficiency and patient privacy.

Related Work
In 2007, Agrawal and Johnson [13] proposed a so-called Hippocratic Database which enables enterprises to comply with privacy and security laws without impeding the management of personal health information.To secure electronic health records, their proposal involves five techniques: (1) active enforcement of fine-grained data disclosure policies, (2) efficient auditing of past database access, (3) privacyaware data mining, (4) deidentification of personal health data, and (5) robust information sharing.Later, to deal with the difficulty of securely manage the aggregation of health related data from various IT environments, Boyd et al. [10] developed a honest broker mechanism to maintain privacy for patient care and academic medical research.The honest broker can offload the burden of housing identifiable data elements of protected health information as well as manage date transfer between clinical and research systems.
In 2010, two tag coexistence schemes had been proposed by Chien et al. [2] to eliminate medication errors and enhance patient's safety.An online-based administration protocol and an offline version were proposed, respectively.However, the two proposed mechanisms did not consider important security and privacy issues [5].Moreover, the feasibilities of these two schemes are doubted as only protocol designs are provided.That is, without any demosystem implementations, the practicability of these two protocols still has space for improvement.Later, Peris-Lopez et al. [4] implemented an Inpatient Safety RFID System (IS-RFID) which takes into account the information technology infrastructure of real hospital environment and completely covers the whole drug administration process.The system efficiency can be guaranteed as only lightweight cryptography modules such as random number generator and exclusive-or operations are exploited in IS-RFID.However, the insecurity of IS-RFID has been pointed by Yen et al. [7] in 2012.
Next, Yu et al. [8] developed a mechanism utilizing only simple logic gates, for example, AND, XOR, and ADD bitwise operations, to construct a secure e-Health system.Their scheme is efficient as it does not need any complicated cryptography modules.However, Wu et al. [6] have pointed the security vulnerability, that is, impersonation attacks, of their protocol.A lightweight binding proof protocol is then proposed to overcome the weakness identified in Yu et al. 's scheme.Next, Lin and Zhang [3] introduced an Elliptic Curve Cryptography-(ECC-) based solution to prove the coexistence of multiple RF tags and improve patient's drug security.Yet, as the heavy computation cost of ECC module cannot be afforded on resource-constrained RF tags, there exists a doubt on the feasibility of Lin and Zhang's scheme.
A wireless autotracking system for clinical intervention, such as drug administrations and blood tests at the patient bedside, is proposed by Ohashi et al. [12].The system can authenticate patients and nurses, confirm medications, and provide relevant information based on the clinical situation and personal location.According to the evaluation, the proposed system can reduce significant medical errors and nurse workload with high efficiency.Najera et al. [11], in their study, first analyzed the case of a medical equipment tracking system for healthcare facilities enabling both realtime location and theft prevention.The authors then provided a solution for care and control of patients in a hospital environment based on passive RFID.Lo et al. [9] proposed a decision support systems, called the Ubiquitous Context-aware Healthcare Service System (UCHS), which uses microsensors integrated with RFID technology to sense user's life vital signal, such as electrocardiogram, heart rate, respiratory rate, blood pressure, blood sugar, and temperature and light.The UCHS is built upon an integrated service platform in which medical experts' knowledge and all position and negative influence of therapy are inferred via semantic network.
In 2013, Köstinger et al. [17] developed a ward round system with mobile smartphones in which Near Field Communication (NFC) technology is utilized to explore new ways of interaction.The system achieves patient identification via NFC tags.In their proposed scenario, when the patient arrives in the hospital, he/she will get a NFC wristband.This wristband carries information about their real identity, and in the following the hospital staff will utilize NFC-enabled mobile device to retrieve the information from the wristband.In 2013, Ajami and Carter [18] analyzed the advantages and disadvantages of adopting RFID in emergency room.In their study, the advantages are as follows: improving patient's safety, eliminating or reducing clinical errors, and decreasing medical errors to improve patient safety and save lives.However, the authors argued that the cost of healthcare system is still high for service providers.In addition, the privacy, legality, and security are the key problems needed to be solved in e-Health environment.Safdari et al. [19] have pointed that the organization needs to concentrate on the following privacy and security issues: (1) only authorized users can access sensitive information, (2) the integrity and accuracy of data should be guaranteed, and (3) the hospital needs to protect the patient information.In order to achieve these three goals, the authors provided a security solution, that is, anonymous transmission at tag side.That is, user can retrieve the unique tag ID without revealing the relationship between the object and the tag ID.

The Proposed e-Health System:
Novel Outpatient Clinic Process and Emergency Care Procedure In this section, we introduce an efficient and patient privacyaware e-Health system based on passive RFID.We assume that the tags are able to perform PRNG function and XOR operation.Note that the output of PRNG function must be at least 96 bits for system security.In addition, 128 bits, 256 bits, and 512 bits are acceptable bit lengths also.Before we present the details of our proposed system, it is important to define the adversary model of our system environment.In 2001, Canetti and Krawczyk [20] demonstrate two adversary models: the unauthenticated-links model and the authenticatedlinks model.In the unauthenticated-links model, there exists a probabilistic polynomial-time attacker Eve who controls the communication links and the schedule of protocol events.Eve has the abilities, such as message modification, transmission injection, and the protocol event rescheduling.In general, Eve is able to send the following queries.
(i) Session-state reveal: Eve submits a party's identity and an incomplete session identifier to learn the state of the session.Note that Eve cannot learn any long-term secrets or master keys held by the party.
(ii) Session-key query: Eve submits a party's identity and a complete session identifier to learn the session key in the intended session.
(iii) Session expiration: Eve submits a party's identity and a complete session identifier for letting the simulator erase the session key and related session states.
(iv) Party-corruption query: Eve decides to corrupt a party and learns all secrets or master keys of the party and then completely controls the party.
On the other hand, the authenticated-links model is applicable to the case that the attacker does not have the capability to inject or modify the transmitted messages.Under the previous assumptions, we then define our adversary model into two types: type I model and type II model.In type I model, a probabilistic polynomial-time attacker Eve controls the communication links and the schedule of protocol events.In addition, Eve is able to perform message modification, transmission injection, and the protocol event rescheduling with oracle queries such as session-state reveal, sessionkey query, session expiration, and party-corruption query.
Mapping to the hospital environment, Eve can be the roles of nurse, doctor, examiner, and system administrator who are legitimate and verified in our system and possess the authorization of some system functionalities.In type II model, there exists a probabilistic polynomial-time attacker Eve, who is restricted to delivering messages generated from one of the communicating parties to the other one.Mapping to the hospital environment, this kind of attacker can be an outsider who does not have the capability to inject or modify the transmitted messages.Note that an insider without any entity verification or function authorization can be an example also.In addition, all the adversaries can simply obtain an RF reader and smart card reader to help his/her cryptanalysis.
In the following, we will demonstrate the details of our system.The proposed system consists of two newly designed processes on passive RFID that are (1) outpatient clinic process and (2) emergency care procedure, which accelerate and improve hospital administration and patient services.

New Outpatient Clinic Process on
Passive RFID.This subsection presents a novel outpatient clinic process adopting passive RFID technology.The major procedures are illustrated in Figure 1 in which eight processes, that is, parts A to H, are presented.First, the part A's purpose is to bind patient's identity with a temporarily issued RFID tag in which patient's smart card will be utilized to encrypt (or protect) tag's information.Afterward, an anonymous authentication mechanism will be adopted in part B when doctors require confirming patient's legitimacy.Suppose that the patient is diagnosed with needing further examination tracking or condition tracking.Part C will be informed to maintain the record of the doctor's diagnosis.Next, in part D the inspector will reconfirm patient's legitimacy via patient's tag, and generates evidences in part E. Lab processes bind the drug jar and patient's identity, and store the binding information in backend server via part F. Finally, parts G and H are utilized for medication administration.In the following, we illustrate the details of these eight procedures.

Part A: RFID Tag Issuing & Bind It with ID Card.
In part A (Figure 2), the main target is to bind RF tag Tag  and patient's identity, where the patient's smart card is used for data encryption.In this part, the tag and the patient's identity will be bound in backend server.In action (A1), the RF reader inquiries the Tag  and retrieves the unique identity PID  of Tag  .Note that PID  can be the patient's temporary and unique identity.At the same time, the smart card reader (SCReader) scans the user's smart card to retrieve the patient's secret key   .Note that the user's smart card can be any type of smart card which possesses the user's secret key such as Citizen Digital Certificate [21] or Mifare Card [22].
The RF reader transfers PID  to SCReader for encryption in action (A2).When SCReader receives the PID  , it exploits the patient's secret key   to encrypt PID  in action (A3), that is,   = AES   (PID  ), where AES represents Advanced Encryption Standard [23].
Afterward, SCReader generates a pseudonym Pseu  connected to value   and sends {Pseu  ,   } to RF reader which then writes the received value {Pseu  ,   } to Tag  to replace the original value PID  in action (A4).Meanwhile, SCReader transmits {Pseu  ,   } to the backend server.So far, both the tag Tag  and the backend server maintain the values Pseu  and   .

Part B: Examined and Diagnosed by a Doctor (Anonymous Authentication).
In part B (Figure 3), the patient gets efficiently retrieve the value   and computes   ⊕ PRNG(   ⊕   ).Then, the backend server verifies the correctness of   in action (B4), that is, whether the received value   equals to the calculated value   ⊕ PRNG(   ⊕   ) or not.If this verification is passed, the legitimacy of patient can be confirmed without revealing his/her identity.Note that in this stage, Pseu  is used to gain system efficiency.Since Pseu  is a random nonce temporarily representing the patient's primary key during the search in the backend database, Pseu  will not reveal any information regarding the patient's privacy.For this reason, this design will not influence the system security.

Part C: Further Tracking.
Once the patient needs further physical examinations, part C (Figure 4) will be launched.The doctor firstly encrypts and stores the patient's diagnosis (or inspection report) with a unique number  in the backend server.The patient then utilizes the following processes to record the reference number of his/her diagnosis (or inspection report) in his/her own tag Tag  .Thirdly, the backend server retrieves the value   via Pseu  and computes   = PRNG(   ⊕   ) ⊕ .Then, the backend server transmits   = PRNG(   ⊕   ) ⊕  to the RF reader in part (C3).Finally, the reader sends   to Tag  which then derives the number  with the received value   , that is,  =   ⊕ PRNG(   ⊕   ).After that, Tag  possesses the values .

Part D: Examination Room & X-Ray Process (Anonymous Authentication).
Once the patient obtains the reference number, that is, , of the diagnosis (or inspection report), the next stage is performed, that is, examination procedure or Xray process.In part D (Figure 5), the inspector at each substage will reconfirm patient's legitimacy via patient's tag Tag  .
(D1) Reader → Tag  :    .First, the RF reader generates a random number

Part E: Examination Room & X-Ray Process (Evidence Generation).
Once the legitimacy of the patient is confirmed, the patient will get the service from examination or Xray rooms.In this stage, we will generate a corresponding evidence (or proof) for further verification if any.That is, part E (Figure 6) will create an evidence for the patient's inspection procedure.   }.Next, the tag Tag   sends   to the RF reader in action (E4), where   is the inspector's identity maintained in the inspector's tag Tag   .Then, the reader transfers the message {Pseu  ,   ,   ,    } to the backend server in action (E5).Finally, the backend server will generate a digital signature of {Pseu  ,   ,   ,    } as an evidence for further verification.This proof will be useful once possible medical disputes happen.Note that the technique of digital signature can be RSA [24] or DSA [25].
3.1.6.Part F: Lab Process.The purpose of lab process (Figure 7) is to bind the target blood jar and patient's identity in the backend server.That is, we intend to correctly identify the source, that is, the target patient, of the target blood jar.Next, Tag   sends a computed value    =    ⊕   to the reader in actions (F4) and (F5), respectively, where   is the identity of Tag   .
The RF reader then retrieves   from    and transfers the message {Pseu  ,   ,    ,   } to the backend server in the subpart (F6).Finally, in action 7 the backend server retrieves   via Pseu  , and verifies the legitimacy of the patient.That is, the backend server examines whether the computed   ⊕ PRNG(   ⊕   ) equals to the received   or not.If it holds, the server appends the information   to the patient's record.8) discusses the medication administration which is able to confirm the correctness of each target drug suggested by the doctor.In brief, this process will verify if current medicine jar is in the drug list suggested by the doctor; if yes, the medicine (or drug) in the jar will be taken into the patient's unit dose medication.Note that since the doctor's diagnosis has been completed in parts B and C, the suggested medicine list is maintained in the backend server.This list corresponds with the patient's information   .
First, the backend server generates a random number    and transmits    to the RF reader (e.g., the action (G1)).
Reader → Tag   :    .Tag   : Next, the reader forwards    with all (   ,   )s to the backend server which then verifies all the received values   s to check if ID   is in the suggested list.If the verification holds, the server will inform the pharmacist to put the drug into unit-dose medication.Finally, the backend server calculates  UD = ID   ⊕   , and stores  UD in both the backend server and tag   embedded on the patient's medicine bag.

Part H: Pick Up the Medicine (Matching Verification).
In part H (Figure 9), we present the matching verification in Outpatient Department (OPD) dispensary when collecting medicine.When the reader receives these two incoming values, the reader forwards {Pseu  ,   ,  ℎ ,  ℎ  } to the backend server for the matching verification, that is, whether the received value   is equal to the computed value (  ) ⊕ PRNG( ℎ  ⊕   ) or not, and whether the received value  ℎ is equal to the computed value ( UD ) ⊕ PRNG( ℎ  ⊕  UD ) or not.If it is verified successfully, this medicine bag correctly and actually belongs to the patient with   .Note that Pseu  will be used to efficiently retrieve corresponding information of the patient.

Novel Emergency Care
Process on Passive RFID.In Section 3.2, we present a novel emergency care process based on passive RFID (Figure 10).The major difference between outpatient clinic procedure and emergency care process is whether the patient is a roadside patient or not.In general, the roadside patients may not possess their ID card.This causes the inconvenience on identifying these patients.In such case, our process will issue a RFID tag as the roadside patient's temporary ID card.Please refer to part A of Figure 10.In the following, we present part A in a more detailed way.Note that the other parts in emergency care process are the same with that ones in outpatient clinic process.For clarity, we hence ignore the details of these procedures.
In part A of Figure 10, there are two conditions in this action.If the patient is roadside patient without ID card, the hospital will issue an RFID card with a temporary identity number to this patient.Next, in action (A1) of Figure 11 the RF reader inquiries the Tag  and retrieves the unique identity PID  in action (A1).After that, RF reader transmits PID  to the backend server.Since in this stage the roadside patient does not have any history of medical information, the consideration of this patient's privacy can be ignored.Therefore, PID  can be substituted for   in emergency care process until the patient's has been identified.In other conditions, if this roadside patient has the ID card, the process will perform the same steps of part A of the new outpatient clinic process.

Security and Efficiency Analyses
In this section, we present the security and efficiency analyses of our proposed e-Health system, such as data confidentiality and patient anonymity, data integrity and nonrepudiation, resistance to the replay attack, and system efficiency.

Security Analysis.
In our proposed e-Health system, we consider the adversary who does not have the capability to inject or modify the transmitted messages.Thus, such type of attacker can be an outsider (and an insider) without any entity verification or system authorization.

Claim 1. The proposed e-Health system can provide patient anonymity and data confidentiality
In the outpatient clinic process, we use the key   in the user's smart card to encrypt the patient's PID  number.This prevents the attacker from cracking PID  number as the attacker cannot know the key.In addition, since   = AES   (PID  ) is connected with the patient's secret key   , this value   can correctly be connected to this patient via   even though this patient had left the hospital and this card had been assigned to another new patient.Moreover, at each session we utilize the secret value   to protect all the transmitted messages.Without knowing the value   , the adversary cannot obtain the sensitive information regarding the patient.Hence, our proposed system can ensure the data confidentiality.
Furthermore, as we implement an anonymous authentication technique in the proposed e-Health system, the doctor only needs to know if the patient is legal (or illegal) without revealing the real identity of this patient.In a more detailed way, in our proposed system all the messages are transmitted in cipher format instead of plain text.The secret   is utilized to protect transmitted messages during each action.In that case, all sensitive information such as reference number  and the patient's identity are well protected.In addition, at each action we exploit random numbers, that is,    ,    ,    ,    ,    ,    , and  ℎ  , to randomize transmitted messages.On the other hand, in the emergency care process we cannot learn the patient's identity (or privacy) because the roadside patient will not provide any information of his/her medical history.As a result, our proposed system can guarantee the property of patient anonymity.

Claim 2. The proposed e-Health system can provide data integrity and nonrepudiation
In part E of our proposed system, we generate a random number    and retrieve the identity   of the inspector's tag Tag   .Next, to make an evidence for further verification, the signature of message {Pseu  ,   ,   ,    } is produced [24,25].If adversary intends to modify {Pseu  ,   ,   ,    }, the verification of this signature will fall.Therefore, the generated evidence can achieve the data integrity and non-repudiation at the same time.

Claim 3. The proposed e-Health system can resist to the replay attack
In each session of our proposed system, we exploit random numbers, that is,    ,    ,    ,    ,    ,    , and  ℎ  , in randomizing transmitted messages.In addition, in part E a timestamp   is involved with the signature creation.These random numbers and timestamp cannot only randomize the transmitted messages but also ensure the resistance the replay attack.

Discussion on Efficiency and Security.
In this paper, we adopt the concept of passive RFID to construct our proposed system, where RF tag only needs to support lightweight cryptography modules, that is, random number generator PRNG and exclusive-or operations XOR.This design is one of the future trends of RFID technology development in hospital environments [4,8,18].The cost of RFID tag reflects the capability of tag; that is, heavy cryptography modules always need higher computation cost while lightweight ones require fewer.In the hospital environment, the computation efficiency is highly critical as the processing time for each medical procedure is one of the major considerations during the design of an e-Health system.Thus, without any heavy cryptography modules, we believe that our proposed system achieves a good system efficiency.
In addition, from Figures 1 and 10, we can easily conduct the traditional outpatient clinic process and emergency care procedure without any RFID related procedures.Compared to the original non-RFID hospital administration system, we believe that the efficiency can be gained during parts D and F. In general, the process of examination room and LAB is time consuming.With our design, the process time of these two processes can be reduced, and the patient security is guaranteed as well.Note that although the other parts mainly focus on security enhancement and privacy protection, we still think that our proposed e-Health procedures are efficient.In brief, our system introduces a new way to implement a solution for not only achieving hospital administration efficiency but also delivering the security enhancement and privacy protection at the same time.

Prototype Implementation
In this section, we demonstrate the prototype implementation of our proposed e-Health system.

System Environment.
In the prototype implementation, the environment is shown as that in the Table 1.First of all, we adopt android with version 4.1.1 as the base operating system to construct our e-Health system.In addition, we use the Eclipse Java EE IDE to develop our system.NEXUS 7 tablets are used to support the computations at the tag side and at the reader side.For instance, once the authentication process begins, the NEXUS 7 tablet at the doctor (or nurse) side will act as a RF reader to send a random number to the Mifare card at the patient side.Note that we also utilize Mifare cards as  the target RF tags embedded on the drug bag.In our system, NEXUS 7 tablets are used to transfer and receive information via Near Field Communication (NFC) technology.Moreover, NFC has three communication modes that are peer-to-peer mode, read/write mode, and card emulation mode.In our prototype implementation, we use read and write mode as the basic communication mode.

System Architecture and Implementation.
As mentioned in Section 3, the outpatient clinic process and emergency care process are almost the same.We thus implement only the outpatient clinic process as the system prototype.Figure 12 is the architecture of implementation of our proposed outpatient clinic process.In the following, we will illustrate the implementation of each process (i.e., part A to part H).Before that, we present the system snapshot at the doctor side (i.e., the reader side or the server side) in Figure 13, while Figure 14 shows the patient information on the NEXUS 7 tablet at the doctor side.Similarly, Figures 15 and 16 demonstrate the system snapshot at the patient side (i.e., the tag side) and the patient information on the NEXUS 7 tablet at the patient side, respectively.Note that in our implementation, the patient  also possesses a NEXUS 7 tablet to clearly demonstrate all processes including the message transmission, entity authentication, match verification, and others.Two NEXUS 7 tablets at the doctor side and the patient side will not exploit the peerto-peer mode to ensure that the prototype implementation actually reflects the practicality of our proposed RFID-based e-Health system.
(i) RFID Tag Issuing & Bind with ID Card.In our simulation of part A, we use Mifare card to substitute personal smart card with a unique secret key.First, the NEXUS 7 tablet at the server side scans the card and explores the secret key   to encrypt the unique identity PID  , that is   = AES   (PID  ).
Second, the NEXUS 7 tablet at the server side stores the information   and a temporary pseudonym Pseu  in backend  server for future verification process.Figure 17 presents the message for the success of transmitting the secret information   and Pseu  to the backend server.).This random number can randomize all transmitted messages.Then, the application (shown in Figure 15) at the patient side will perform the corresponding procedures as that mentioned in Section 3.   (iv) Lab Process in Part F. In part F, an anonymous authentication for the patient is firstly performed.Next, the server will request the information   .Then, server generates a random number    and sends it to tag   which computes value    =    ⊕   .Tag   send    back to the server.Finally, the server retrieves the number   .Figure 18 shows the write mode in part F.  at the server side can confirm the correctness of drugs suggested by the doctor.The system verifies whether the medicine jar is in the suggested list.If the verification holds, the verified medicines will be put into patient's medicine bag.First, the application at the doctor side generates a random number    to the tag.Tag computes   = PRNG(   ⊕   )⊕  and then sends (   ,   ) to the server.Next, the server verifies the received value   to check if   is in the doctor suggested list.After that, the server computes  UD =   ⊕   and stores the  UD in the patient's medicine tag   for part H. Figure 19 presents the matching success result of part G.
(vi) Pick Up the Medicine in Part H.In part H, the server will first check the validity of the patient.Next, the server needs to make sure the correctness of the patient's medicine tag   .As the previous authentication process, the server first generates a random number and sends it to tag   .Then, tag   computes  ℎ = ( UD ) ⊕ PRNG( ℎ  ⊕  UD ) and sends  ℎ to the server side for matching verification.

Conclusion
In this paper, we have introduced an e-Health system consisting of two processes, that is, outpatient clinic process and emergency care process.Eight RFID-based procedures are proposed for enhancing the system efficiency of these two processes.Several techniques such as data encryption, digital signature, anonymous authentication, and tag coexistence proof are adopted as core designs in the proposed system to simultaneously achieve system security and protect patient privacy.Based on our prototype implementation, we believe that our e-Health system can easily be implemented in hospital environment.In brief, our e-Health system demonstrates the system robustness, user/patient privacy protection, and the process efficiency on the medical administration.In the future, more complex hospital scenarios will be discussed.For example, once patient transferring happens, doctor may need

Figure 1 :Figure 2 :Figure 3 :
Figure 1: The proposed outpatient clinic process based on passive RFID.

Figure 4 :Figure 5 :
Figure 4: The part C of the new outpatient clinic process.

𝑟Figure 6 :
Figure 6: The part E of the new outpatient clinic process.

(Figure 7 :
Figure 7: The part F of the new outpatient clinic process.

Figure 8 :
Figure 8: The part G of the new outpatient clinic process.

(Figure 9 :
Figure 9: The part H of the new outpatient clinic process.

Figure 10 :Figure 11 :
Figure 10: The proposed emergency care process based on passive RFID.
Part A RFID tag issuing and bind it with ID card Part B Examined and diagnosed by a doctor Part C Advanced tracking Part D (anonymous authentication) Examination room and X-ray process Part E (evidence generation) Examination room and X-ray process

Figure 12 :
Figure 12: The architecture of the outpatient clinic process.

Figure 13 :
Figure 13: The system snapshot of the NEXUS 7 tablet at the doctor side.

Figure 14 :
Figure 14: The patient information on the NEXUS 7 tablet at the doctor side.

Figure 15 :
Figure 15: The system snapshot of the NEXUS 7 tablet at the patient side.

Figure 16 :
Figure 16: The patient information on the NEXUS 7 tablet at the patient side.

(
ii) Authenticating the Patient Identity in Part B, Part D, Part E, Part F, and Part H.In parts B, D-F, and H, we implement an anonymous authentication.First, the NEXUS 7 tablet at the server side sends a random number to the NEXUS 7 tablet at the patient side (please refer to Figures 13 and 15

(
iii) Information Storing at the Patient Side in Part C. Part C presents the patient needs for further physical examinations.

Figure 17 :
Figure 17: Success image of part A.

Figure 18 :
Figure 18: The write mode in part F.
(v) Medication Administration in Part G.In part G, we use RFID card binding with the medicine jar, and our application

Figure 19 :
Figure 19: Matching success image of part G.