Researchers at the UPM are in charge of the design of an authentication protocol for communication among medical devices by using RFID technology that guarantees the security and privacy of patient data.


In collaboration with UC3M and the University of Tehran, researchers at the Computer Science School of the Technical University of Madrid (UPM) have developed a new authentication protocol based on ISO standards that guarantees privacy and security within the communication among medical devices implanted on patients through Radio-frequency identification (RFID). Achieving the integration of eHealth systems with RFID technology will contribute to reduce costs and to improve the monitoring and treatments of patients.

RFID systems are widely used nowadays, sometimes we might not be aware about its usage. These systems can be found in places such as in building entrances, freight and fleet management, transport systems, contactless payment systems, or even the UPM campus cards. However, this technology has not been explored enough in medical environments, where there is a promising future for automatic medical monitoring. For example, the control drug intake in order to avoid problems of dosage or being able to communicate with devices implanted on a human body such as pacemakers, insulin pumps, and cochlear implants.

A common system based on RFID has three elements: a database, a reader devices and cards. The communication between the reader and the database is considered safe. However, the communication between a card and a reader is through a communication channel susceptible of being spied by others, an attacker, who could modify the data given by this channel. For this reason, the implementation of this technology brings in question the lack of privacy and security for users. In addition, the application of this system in medical environments can increase the importance of the problems just mentioned.

We can classify the RFID according to the nature of the cards (also known as tags). There are three groups: active, semi-active or passive cards. The active cards have their own power supply and are able to send a signal for a long distance. These do not have software restrictions and are the most expensive ones. The semi-active cards can obtain power supply on their own or by using a reader device. They communicate at short distance and are cheaper than the active cards. Lastly, passive cards do not have their own power supply and they need a reader device capable of communicating information. They are affordable and can communicate at a few centimeters distance and have strict software restrictions.

The scientific community has focused on new protocols that make safe the communication of patients’ data by using passive tags. It is a challenge because they do not admit conventional cryptographic protocols (there are only 1,200 logic gates for securing communication between tags and readers). However, the security of the data belonging to users is being compromised in most protocols. In general, this is due to two factors: the lack of security protocol standards and insufficient strict security analysis.

In order to avoid errors, researchers at the UPM in collaboration with the UC3M and the University of Tehran, have found a new security protocol based on RFID standards (ISO/IEC 9798 and 11770) and also have contributed to proposals of public recommendations made by the National Institute of Standards and Technology (NIST), all of these necessary in order to avoid that the stored data in devices is affected by computer software attacks.


Picazo-Sanchez, P; Bagheri, N; Peris-Lopez, P; Tapiador, JE. Two RFID Standard-based Security Protocols for Healthcare Environments. JOURNAL OF MEDICAL SYSTEMS, 37 (5):10.1007/s10916-013-9962-3 OCT 2013