As healthcare systems become increasingly interconnected, ensuring secure and continuous device authentication in health information exchange (HIE) networks is critical to safeguarding patient data and clinical operations. In this context, this paper proposes a novel cross-layer authentication scheme for HIE networks that integrates cryptographic mechanisms with physical (PHY) layer-based authentication to ensure reliable communication while minimizing computational and communication overheads. The initial authentication phase leverages a traditional public key infrastructure (PKI)-based approach, employing elliptic curve cryptography (ECC) and digital certificates to verify the legitimacy of communicating devices. Simultaneously, it extracts unique hardware-level features such as carrier frequency offset (CFO) and quadrature skewness from the devices. These features are then used to train a machine learning (ML) model during an offline phase managed by a regional centralized authority (RCA). For re-authentication, the system re-extracts these PHY-layer features from incoming orthogonal frequency division multiplexing (OFDM) symbols and verifies the device identity in real-time using the trained ML classifier. This cross-layer strategy enables continuous, lightweight identity verification without the need to exchange and validate cryptographic signatures for each message, thereby reducing system overhead. The proposed scheme further enhances privacy through the use of encrypted, frequently refreshed pseudo-identities, ensuring unlinkability and resistance to identity tracking. A formal security analysis using Burrows-Abadi-Needham (BAN) logic demonstrates the scheme's robustness against various threats, including impersonation, man-in-the-middle (MitM), replay, and Sybil attacks.

翻译：随着医疗系统互联程度的日益加深，在健康信息交换（HIE）网络中确保安全且持续的设备认证，对于保护患者数据和临床操作至关重要。在此背景下，本文提出了一种面向HIE网络的新型跨层认证方案，该方案将密码机制与基于物理层（PHY）的认证相结合，旨在实现可靠通信的同时，最小化计算与通信开销。初始认证阶段采用基于传统公钥基础设施（PKI）的方法，利用椭圆曲线密码（ECC）和数字证书验证通信设备的合法性；同时，该方法从设备中提取独特的硬件级特征，如载波频率偏移（CFO）和正交偏斜度。这些特征随后用于在区域集中管理机构（RCA）管理的离线阶段训练机器学习（ML）模型。在重新认证时，系统从接收到的正交频分复用（OFDM）符号中重新提取这些物理层特征，并利用训练好的机器学习分类器实时验证设备身份。这种跨层策略能够实现持续、轻量级的身份验证，无需为每条消息交换和验证密码签名，从而降低了系统开销。所提方案还通过使用加密且频繁刷新的伪身份标识增强隐私保护，确保不可关联性以及对身份追踪的抵抗能力。基于Burrows-Abadi-Needham（BAN）逻辑的形式化安全分析表明，该方案能够有效抵御包括伪造攻击、中间人攻击（MitM）、重放攻击和女巫攻击在内的多种威胁。