PRD performance results of normal and abnormal ECG signal for the proposed algorithm.
Wavelet packet transform has been used in many applications of biomedical signal processing, for example, feature extraction, noise reduction, data compression, electrocardiogram (ECG) anonymisation and QRS detection. The wavelet analysis methods, in these applications, represent the temporal characteristics of a biological signal by its spectral components in the frequency domain. Furthermore, it has been shown in many works that the ECG signal can be used as a biometric method for robust human identification and authentication. In this case, it is necessary to anonymise the ECG data during the distribution and storage of the signal in a public repository. A careless system allows an eavesdropper to record the ECG data and use it as recognition data to gain access via an ECG biometric system. This chapter discusses and reviews recent research on wavelet-based ECG anonymisation techniques. These techniques use discrete wavelet transform and wavelet packet transform. A comparative study between the wavelet-based methods will be presented.
In June 2006, Cisco released a virtual network index (VNI) forecast that projects global IP traffic over the next 5 years. According to Cisco’s paper, there has been quantitative evidence that proliferation of global IP traffic will exchange data to reach the order of zettabyte (ZB) by 2021. This massive amount of data will be driven mainly by the number of connected devices to IP networks, such as smart phones, tablets, sensors and machine-to-machine (M2M) applications that are estimated to be more than three times the global population. Hence, in this era, just about every physical object we see (e.g. health-care monitoring apparatus, machinery, appliances, autonomous cars and intelligent transportation, etc.) will be connected, forming the Internet of Things (IoT). In order to handle the countless number and various types of devices as well as linking the existing radio-access technologies, a new architecture that will increase data rate, lower end-to-end latency and improve the coverage is urgently required. Therefore, to meet with this demand, a new standard on the fifth-generation (5G) networks is currently under consideration.
Health and medical care are considered one of the most fascinating applications that can fully benefit from IoT deployment. An IoT that employs various sensors and smart medical devices may serve in, for example, tele-auscultation, remote health monitoring, remote diagnostics and possibly treatment as well as elderly care [4, 5, 6]. Such an Internet of Medical Things (IMedT) is expected to reduce consultation and transportation cost and to shrink the gap for those who live in isolated/remote areas where no doctors are present. Nevertheless, transmitting medical data to health-care providers through public networks requires high data security, as public networks are vulnerable to spoofing attacks. In this chapter, two anonymisation techniques based on wavelet decomposition and wavelet packet (WP) transform for securing ECG signals will be discussed.
An electrocardiogram (ECG) signal contains important health information of a patient. It is used to detect abnormal heart rhythms by measuring the electrical activity generated by the heart as it contracts. Recent studies show that an ECG signal can be used as a biometric method for robust human identification and authentication [7, 8, 9]. The ECG signal was found to be unique for each individual over a long period of time [10, 11]. An ECG biometric system consists of feature extraction and classifiers to identify and recognise a person. The selection of appropriate features is crucial for successful individual identification. In , ECG-based biometric features were grouped as fiducial based, non-fiducial based or hybrid.
An unsecured ECG signal can be subjected to a man-in-the-middle attack, where fraudsters can use the spoofed recorded ECG data to gain access to a secured service [13, 14, 15]. A scenario where a man-in-the-middle attack can be a real threat to health information transmission is presented in Figure 1. The figure illustrates possible attack points that include (1) wireless links between sensor nodes that collect health information data from wireless body area networks (WBAN) and gateways, (2) wired/wireless links between the gateway and the edge router, (3) wired/wireless links between the other side of the edge router and the health-care provider router and (4) the repository in the data centre/public server or health-care provider. In order to minimise such security threats to a system, a health-care provider needs to comply with certain widely accepted standards to protect medical records safely. For example, the US government passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 for protecting the medical privacy of users, the European Union adopted the Directive on Data Protection in 1995, the Health Information Privacy Code was passed by the New Zealand government in 1994, which sets specific rules for agencies in the health sector to ensure protection of individual privacy, and the personally controlled electronic health record (PCEHR) eHealth system was launched by the Australian government in 2012.
There have been several proposed security techniques, including image and ECG steganography [21, 22, 23, 24], to secure confidential patient information. In the steganography techniques, sensitive patient information is concealed inside public host data without incurring huge computational overhead or any increase in the size of the host data. ECG data is used as the host signal to embed secret patient information and physiological readings. This creates a watermarked ECG signal that is then transferred to a remote hospital server for further diagnosis. The effectiveness of ECG watermarking is dependent on the difference between the original host data and the watermarked data, that is, greater differences point to an ineffective steganography process. Unfortunately, all steganography methods bear some degree of information loss. Severe loss of information contributes to smeared/incorrect signal features and in some cases can lead to the failure of reconstructing the original ECG signal from the watermarked ECG signal. However, even effective ECG watermarking can leave the ECG fiducial and non-fiducial features detectable, which may allow for patient identification according to research in [7, 8, 9]. Therefore, a method combining the advantages of steganography with a technique that hides ECG fiducial and non-fiducial features is required. In this chapter, a review of two ECG anonymisation methods based on wavelet decomposition and wavelet packet transform (WPT) is presented.
3. Wavelet decomposition-based ECG anonymisation approach
Recent ECG anonymisation approaches based on wavelet decomposition were proposed in [13, 14]. During the wavelet decomposition process, filters of different cut-off frequencies were used to analyse the ECG signal at different scales (frequencies). This is done by passing the ECG signal through a series of high-pass filters (i.e. the detail coefficients) for examining the high-frequency bands. The ECG signal was also passed through a series of low-pass filters (i.e. the approximation coefficients) to evaluate the low-frequency bands. Wavelet decomposition at level 3 was used during signal evaluation. Moreover, in order to construct a complete evaluation, two individual methods were studied during the experimentation. The block diagram for the wavelet decomposition can be seen in Figure 2.
3.1. Method 1: discrete wavelet base anonymisation
In the first method, approximation (cA3) and detail (cD3) coefficients were removed after level 3 decomposition. Subsequently these nodes were encrypted using the well-known RSA symmetric cryptography. On the other hand, the remaining nodes, that is, cD1 and cD2, were compressed and transmitted to the ECG repository. Figure 3 shows that without knowledge of nodes cA3 and cD3, the newly constructed signal in the repository completely hides the P wave and T wave of the original ECG. It can be concluded that the first method hides most of the features required to reconcile the identity of a patient. On the other hand, this method is not able to provide complete obfuscation of the cardiovascular conditions. This is mainly because the RR interval and certain types of arrhythmias are visible, as is obvious in Figure 3. However, this method only requires a minimal selection of coefficients (approximately 25%) for encryption and key distribution. This is the main advantage of the first method. This method will perform well when faster distribution of the key is the priority and strong security is not deemed necessary. The removed coefficients are shown in Figure 4.
3.2. Method 2: discrete wavelet base anonymisation
In the second method, nodes cA3, cD3 and cD2 were selected for encryption, while the remaining coefficients cD1 were transmitted to the ECG repository. In contrast to the previous method, Figure 5 shows that the reconstructed ECG from the coefficients that are extracted from the repository is completely able to obfuscate features related to cardiovascular condition and person identification.
Therefore, this method provides higher ECG security at the cost of a larger key size (approximately 50%), as can be seen in Figure 6. Figure 5 shows that the reconstructed ECG signal does not contain any ECG features.
Both methods described above suffer from long key size and lack of complete obfuscation to the ECG data. The long key size requires wider bandwidth during transmission process of the key to the ECG repository. On the other hand, lack of complete obfuscation results in trivial interpretation of the anonymised ECG signal. Therefore, due to these two main reasons, other methods based on the wavelet packet were proposed and developed.
4. Wavelet packet-based ECG anonymisation approach
4.1. Overview of wavelet packet transform
Wavelet packet transform has been used in many applications of biomedical signal processing, for example, feature extraction, noise reduction, data compression and QRS detection. Furthermore, wavelet packet transform has long been used for ECG signal analysis. A wavelet packet function  is defined as
where and are the scale (frequency) and the translation (time) parameters, respectively, and is the oscillation parameter. The structure of wavelet packet (WP) decomposition is described as a binary tree structure; each node is described as , where is a node’s scale level and is a node’s number on the corresponding level. The root node of the WP tree corresponds to the entire frequency range, , where is the sampling frequency of the ECG signal. Each internal node of the WP tree is called a parent node that is divided into two child nodes: the first and the second nodes are associated with low-pass and high-pass filters. These nodes form a quadrature mirror filter (QMF) pair.
The scaling function and the mother wavelet for the wavelet packet when and are given by
The other wavelet packet functions for and are shown as follows:
where the low-pass filter gives , and the high-pass filter gives . The operator stands for the inner product. The wavelet packet coefficients of the ECG signal, , are expressed as follows:
Each coefficient measures a specific sub-band frequency content, controlled by the scaling parameter, , and the oscillation parameter, . The ECG signal, , can be decomposed into a different time-frequency space with Eq. (6) and Eq. (7). By computing the full wavelet packet decomposition on the ECG signal, for the level of decomposition, we have sets of sub-band coefficients of length , where is the ECG signal length . Each sub-band coefficient, node, has a frequency range in the interval . This is how wavelet packet decomposes the original ECG signal into two or more coefficients.
4.2. The generalised framework for the ECG anonymisation method
In this section, a generalised framework for the ECG anonymisation using wavelet packet transform (WPT) will be introduced. The proposed framework for ECG anonymisation can be seen in Figure 7, while its pseudo-code is listed in Algorithm 1. This framework comprises the following steps:
Step 1: Perform wavelet packet decomposition of the ECG signal, , at level . The signal coefficients at this level are given by
where represents the coefficients of the nth node at level .
Step 2: Exclude the first node, , from in Eq. (8) to get
The excluded node is set to
where is an unencrypted and uncompressed key that includes the low-frequency components of the ECG signal, .
Step 3: Modify each node in , Eq. (9), using a reversible function/operation such as logarithm or division. In this chapter each node in is divided by . is a reversible function derived from the key coefficients. Hence, the modified coefficients in are given by
where , , is a constant and is the absolute operator. The offset term in is used to prevent division by zero.
Step 4: Securely distribute the key, , and the offset value to medical personnel. The key security will be achieved by compressing and encrypting the first node, , and the offset as follows:
where is the compression operator and is the encryption operator . Compression and encryption are beyond the scope of this chapter.
Step 5: Perform wavelet packet reconstruction to the modified terminal nodes’ coefficient, , to get the anonymised ECG, .
Step 6: Upload the anonymised ECG, , to the repository.
4.3. The ECG reconstruction method
The proposed reconstruction process for the anonymised ECG signal is shown in Figure 8, while the pseudocode is shown in Algorithm 2. The authorised personnel receives the secure key, , and the anonymised ECG, , and performs the reconstruction process by the following steps:
Step 1: Perform decryption and decompression to the key, K, to get
where and are the decryption and decompression operators, respectively. Decryption and decompression are beyond the scope of this chapter.
Step 2: Perform wavelet packet decomposition of the ECG signal, , at level to get as in Eq. (11).
Step 3: Multiply each node at by the factor to get
Algorithm 1: Wavelet packet-based ECG anonymisation process
4: // exclude the first node as a key
9: // compression and encryption
10: Send to healthcare providers or doctors as a key
12: Upload to public server
13: Save with unique ID for a particular individual
Algorithm 2: Wavelet packet-based reconstruction process
2: // decryption and decompression
Step 4: Add the first node, , to the WPT vector at Eq. (14) to get the WPT vector coefficients, , of the original ECG signal, .
Step 5: Perform wavelet packet reconstruction of the coefficients vector, , at level to recover the original unanonymised ECG signal, .
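The anonymisation steps of Section 4.2 and the reconstruction steps above can be exercised end to end with the following added example, which is not the chapter's own code. It assumes a Haar filter pair in place of bior5.5, a zero-filled first node in Step 5, the divisor |key| + offset as the reversible function (the chapter's formula did not survive on this page), the standard PRD definition, and a constructed synthetic signal; all function names are hypothetical.

```python
import math

S = math.sqrt(2.0)

def haar_split(x):
    """One QMF stage: low-pass and high-pass halves of x (assumed Haar pair)."""
    low = [(x[i] + x[i + 1]) / S for i in range(0, len(x), 2)]
    high = [(x[i] - x[i + 1]) / S for i in range(0, len(x), 2)]
    return low, high

def haar_merge(low, high):
    """Inverse of haar_split."""
    out = []
    for a, d in zip(low, high):
        out += [(a + d) / S, (a - d) / S]
    return out

def wp_decompose(x, level):
    """Full wavelet packet tree; returns the 2**level terminal nodes."""
    nodes = [list(x)]
    for _ in range(level):
        nodes = [half for n in nodes for half in haar_split(n)]
    return nodes

def wp_reconstruct(nodes):
    """Merge sibling nodes pairwise until only the root (the signal) is left."""
    nodes = [list(n) for n in nodes]
    while len(nodes) > 1:
        nodes = [haar_merge(nodes[i], nodes[i + 1])
                 for i in range(0, len(nodes), 2)]
    return nodes[0]

def divisor(key, offset):
    # Assumed reversible function: |key coefficient| + offset, element-wise.
    return [abs(k) + offset for k in key]

def anonymise(ecg, level=2, offset=1.0):
    """Anonymisation Steps 1-5; returns (anonymised signal, key node)."""
    nodes = wp_decompose(ecg, level)              # Step 1
    key = nodes[0]                                # Step 2: first node is the key
    f = divisor(key, offset)
    modified = [[c / d for c, d in zip(n, f)] for n in nodes[1:]]  # Step 3
    # Step 5: the excluded first node is zero-filled (assumption).
    return wp_reconstruct([[0.0] * len(key)] + modified), key

def reconstruct(anonymised, key, level=2, offset=1.0):
    """Reconstruction Steps 2-5, given the already decrypted key node."""
    nodes = wp_decompose(anonymised, level)
    f = divisor(key, offset)
    restored = [[c * d for c, d in zip(n, f)] for n in nodes[1:]]
    return wp_reconstruct([key] + restored)

def prd(original, other):
    """Percentage residual difference (standard definition, assumed here)."""
    num = sum((a - b) ** 2 for a, b in zip(original, other))
    den = sum(a * a for a in original)
    return 100.0 * math.sqrt(num / den)

def synthetic_ecg(beats=4, n=256):
    """Constructed test signal: Gaussian bumps standing in for P, R and T."""
    def bump(t, centre, width, amp):
        return amp * math.exp(-((t - centre) / width) ** 2)
    beat = [bump(t, 60, 12, 0.15) + bump(t, 110, 4, 1.0) + bump(t, 180, 20, 0.3)
            for t in range(n)]
    return beat * beats

if __name__ == "__main__":
    ecg = synthetic_ecg()
    anon, key = anonymise(ecg)
    rec = reconstruct(anon, key)
    print("key length:", len(key))
    print("PRD original vs anonymised: %.1f%%" % prd(ecg, anon))
    print("max reconstruction error: %.2e"
          % max(abs(a - b) for a, b in zip(ecg, rec)))
```

Reconstructing with a wrong key node (for example all zeros) returns a signal that still lacks the low-frequency band, which is why the key node has to travel over the protected channel.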
5. Algorithm validation
Two types of electrocardiogram (ECG) signals were used to validate and investigate the performance and the effectiveness of the generalised ECG anonymisation framework. These signals are
normal ECG signal for a healthy subject, and
abnormal ECG signals for a patient with supraventricular arrhythmia and a patient with ventricular tachyarrhythmia.
The normal and abnormal ECG signals with different sampling frequencies were used in this chapter to study the robustness of the proposed anonymisation approach in concealing and smearing the ECG’s fiducial and non-fiducial features. The normal and abnormal ECG data were obtained from the PTB ECG database and the MIT-BIH arrhythmia database, respectively. These databases are publicly available [26, 27].
In the evaluation process in the following sub-sections, the bior5.5 wavelet was used. Besides resembling the shape of an ECG signal, this type of mother wavelet is widely used for speech, video and biomedical signals, given that bior5.5 has linear phase. Nevertheless, it should be noted that for ECG anonymisation in this chapter, the choice of mother wavelet will not impact the anonymisation result, since the ECG signal will be reconstructed back to its original at the receiver side.
The security of the proposed scheme depends on the following parameters that are required at the receiver side:
the encrypted security key which should be shared secretly,
the reversible function that should be used to reconstruct the original ECG information from the anonymised ECG, and
the type of transformation and the level of decomposition (wavelet packet transform at level 2 is used in this study).
An attacker with a stolen key (i.e. able to decrypt the secure key), obtained using brute force or any other method, will still require knowledge of the reversible function and the level of decomposition. This information will be stored inside a patient/medical personnel PC and will not be transmitted under any circumstance. In this case, a brute force attack is infeasible for the attacker.
In the following sections, performance analysis using cross-correlation of normal and anonymised ECG signals, power spectral density of anonymised ECG signal and percentage residual difference (PRD) methods will be examined.
5.1. Performance evaluation over normal electrocardiogram
An electrocardiogram (ECG) signal has a well-defined P, QRS and T signature that is represented with each heartbeat. The P-wave arises from the depolarisation of the atrium. The QRS complex arises from depolarisation of the ventricles and T-wave arises from repolarisation of the ventricle muscles. The duration, shape and amplitude of these waves are considered as major features in time-domain analysis. Sometimes the time morphologies of these waves are similar.
The normal ECG was obtained from the PTB database (patient247, signal s0479). The sampling frequency, , for this signal was 1 kHz. A total of 10 s of this signal was transformed by wavelet packet decomposition at level 2, . Decomposition level, , depends on the ECG sampling frequency. Higher sampling frequency requires a low value of to conceal all features in the anonymised signal. Node of size (= 10,000 samples) was removed from the wavelet packet coefficients of the normal ECG signal. This node was used to generate the key, , which was distributed securely to medical personnel. The anonymised ECG is reconstructed from the remaining three nodes using the anonymisation algorithm in Section II (B) and transmitted confidently over the public internet, since the anonymised ECG does not impose any threat to privacy.
Figure 9 (a) and (b) shows the time-domain representation of the 10-s normal ECG signal (patient247, signal s0479) and its anonymised version, respectively. The frequency range for the anonymised ECG after node removal is between 125 and 500 Hz. From the time-domain representation of the ECG signal and its anonymised version in Figure 9 (a) and (b), the proposed anonymisation algorithm conceals all fiducial features from the reconstructed ECG signal (Figure 9(b)). Figure 10 (a) and (b) shows the frequency representation of the 10-s normal ECG signal (Figure 9 (a)) and its anonymised version, respectively. The non-fiducial features were also concealed, as shown in the frequency-domain representation of the anonymised version of the normal ECG signal.
Figure 11 shows the time-domain representation of the coefficients which was used to create the secure key, . The frequency range for in this data is between 0 and 125 Hz. This node preserves all fiducial features in the original ECG signal. Figure 12 (a) and (b) shows the reconstructed ECG signal at the medical personnel side and its cross-correlation with the original ECG signal at the patient side, respectively. From Figure 12 (b), both signals are highly correlated, which guarantees a lossless reconstruction.
5.2. Performance evaluation over abnormal electrocardiogram
An arrhythmia is an abnormality in the heart’s rhythm or heartbeat pattern. The heartbeat can be too slow, too fast, have extra beats or otherwise beat irregularly. The types of abnormal ECG signals investigated in this study were supraventricular arrhythmia and ventricular tachyarrhythmia. Supraventricular arrhythmia occurs in the upper areas of the heart and is less serious than ventricular arrhythmia. It has irregular shapes of QRS complexes. These arrhythmia data—supraventricular arrhythmia and ventricular tachyarrhythmia—were obtained from the MIT-BIH arrhythmia database.
5.2.1. Supraventricular arrhythmia
The sampling frequency, , for this signal was 128 Hz. A total of 10 s of this signal was transformed by wavelet packet decomposition at level 2, .
Node of size (= 1280 samples) was removed from the wavelet packet coefficients of the supraventricular arrhythmia signal. This node was used to generate the key, , which was distributed securely to medical personnel. The frequency range for in this data is between 0 and 16 Hz. The other nodes at level 2 with the frequency range between 16 and 64 were used to construct the anonymised signal.
Figure 13 (a) and (b) shows the time-domain representation of the 10-s ECG signal of a patient with supraventricular arrhythmia and its anonymisation version, respectively. The frequency-domain representation for both signals is shown in Figure 14 (a) and (b). The fiducial and non-fiducial features were concealed in the time-domain and frequency-domain representation of the anonymised supraventricular arrhythmia signal.
Figure 15 shows the time-domain representation of the coefficients , which was used to create the secure key, . This node preserves all fiducial features in the original supraventricular arrhythmia signal.
5.2.2. Ventricular tachyarrhythmia
The sampling frequency, , for this signal was 250 Hz. A total of 10 s of this signal was transformed by wavelet packet decomposition at level 2. Node of size (= 2500 samples) was removed from the wavelet packet coefficients of the ventricular tachyarrhythmia signal. This node was used to generate the key , which was distributed securely to medical personnel. The other nodes were used to reconstruct the anonymised ventricular tachyarrhythmia signal.
Figure 16 (a) and (b) shows the time-domain representation of the 10-s ECG signal of a patient with ventricular tachyarrhythmia and its anonymisation version, respectively. The frequency-domain representation for both signals is shown in Figure 17 (a) and (b). The fiducial and non-fiducial features were concealed in the time-domain and frequency-domain representation of the anonymised supraventricular arrhythmia signal.
Figure 18 shows the time-domain representation of the coefficients which was used to create the secure key, . This node preserves all fiducial features in the original supraventricular arrhythmia signal.
5.3. Performance evaluation with the PRD metric
The percentage residual difference (PRD) is used to measure the difference between the original ECG signal and the anonymised ECG signal using the following equation.
where is the original ECG signal, is the anonymised ECG signal and , where is the total number of samples.
Performance of the proposed anonymisation algorithm using PRD metric is shown in Table 1. It can be seen from the table that the minimum and the maximum PRD measured were 14.8 and 70.6%, respectively. The PRD value depends on the ECG frequency bandwidth and its sampling frequency.
|ECG type||Sampling frequency , Hz||PRD %|
In comparison, ECG steganography methods have a low PRD value between the original and watermarked ECG signals. For example, in , the maximum PRD measured was 0.6%. Low PRD is essential in ECG steganography to guarantee correct diagnosis of the ECG watermarked signal. However, the lower value of PRD makes the ECG vulnerable to attack [1, 2, 3, 9].
A generalised wavelet packet-based ECG anonymisation framework has been presented in this chapter. This proposed anonymisation technique was used to conceal fiducial and non-fiducial features from normal and abnormal ECG signal for secure transmission over the public internet. Normal and abnormal ECG signals with different sampling frequencies have been investigated by the proposed method. Signal transformations other than wavelet packet transform can be used in this framework. Such transformations should have inverse property.
The performance analysis revealed that the proposed method is able to conceal both fiducial and non-fiducial features in normal and abnormal ECG signals under examination. Moreover, the analysis showed that the reconstructed ECG is highly correlated with the original ECG signal. It achieved a lossless reconstruction of the ECG data and proved the robustness of the proposed method. The security measures taken to secure the key and other information, such as the level of decomposition and the knowledge of the reversible function, make attacks using methods such as brute force infeasible.