P2P technology for the provision of PHSs can be flexible and inexpensive for users because it uses available devices at the user’s end for deployment. The characteristics of P2P systems, such as fault tolerance, security and trust, scalability, availability, self-reconfiguration, and extensibility [35,36], facilitate and suit the provision of PHSs. With millions of users worldwide, P2P systems have shown strength in providing services for sharing resources without the need for a central server, for streaming multimedia content with distributed load balancing, for volunteering of computing resources, and for telephony applications. P2P PHSs, such as OnePatient [15] and P2P PHR [6], leverage the power of P2P networks and mobile technology to store health records locally under the control of device owners, thereby increasing patient empowerment and control and simplifying the implementation of data protection principles [8,37,38]. P2P systems have better scalability because operations can be executed locally and customized for different purposes. Patients can easily manage access to their health records by using a single-hop connection (eg, Wi-Fi Direct) with other trusted parties (eg, a physician) without requiring a wireless access point or another intermediary communication network.

Factors that impact the security of centralized PHSs are the database size, the large number of potentially affected users, and the confidentiality of the stored data. The health care sector experiences more data breaches than any other sector [39]. A breach barometer in the United States reported 503 breaches for health data in 2018, affecting over 15 million patients [40]. Similarly, the almost immutable nature of data storage in blockchains makes it nearly impossible for users to erase their stored (metadata) information, which conflicts with the European General Data Protection Regulation (GDPR) [41]. Table 1 outlines the main advantages and disadvantages of P2P PHSs.

For patients to benefit from the advantages of P2P PHSs, the network needs to be robust and fault-tolerant. Information security is paramount because of the high sensitivity of medical data [30,42]. Therefore, a pertinent question is how to make P2P PHSs resilient to attacks. P2P systems communicate over the internet; therefore, they inherit the same security issues as any other networked application on the internet. The P2P architecture poses significant security issues such as index poisoning attacks [43], Sybil attacks [44], chatty peer attacks [45], or distributed denial-of-service (DDoS) attacks [46].

Moreover, P2P systems increase the attack surface owing to 3 disadvantages [26,47]: (1) increased chances of exposing network traffic patterns to attackers; even with encryption, the metadata can still reveal information to external attackers; (2) an inconsistent view of the network (due to a lack of global information), which affects integrity by allowing attackers to cheat and remain undetected; and (3) increased vulnerability to internal attackers due to the absence of a central entity to detect malicious insiders and govern software and security updates.

The concept of P2P was introduced in 1969 in the first Request for Comments of the Internet Engineering Task Force; Request for Comments-1 denotes a host-to-host connection [48]. UseNet [49], a distributed messaging system, is often described as the first true implementation of a P2P network and was established in 1979. UseNet looks like a client server model from users' point of view. However, servers communicate with each other based on the concept of P2P and share content over the entire group of UseNet servers without a central entity. With the surge in popularity of P2P networks, the music and file-sharing P2P application Napster [50] was introduced in 1999, which exhibited some approaches to P2P networks known today. Later, well-known and popular P2P systems emerged, such as Gnutella, eDonkey, and BitTorrent. Within the last 2 decades, the first health information systems were deployed on P2P networks—for example, the e-toile P2P PHS framework aimed at connecting all health care stakeholders in Geneva, Switzerland [21,51]; P2HR [20]; or the PEPP-PT COVID-19 contact tracing system in Europe [22]. The features distinguishing P2P systems from centralized systems are peer and resource discovery [35]. Since there are no servers, peers (eg, patients, practitioners, or PHS providers) must rely on techniques, such as indexing and routing tables [52], to locate other peers in the network (Figure 1).

A P2P network, or system, is a type of computer network that exhibits decentralized control, autonomy, virtualization, and sharing of computing resources [47,50]. Peers participating in the network form a P2P network of nodes and are equally privileged. The network is self-organizing. Peers in the network make their resources directly available to other peers without the need for a central entity to facilitate or co-ordinate transactions [35]—for example, patients can directly exchange information with practitioners over their P2P PHSs. Peers in a P2P network can share and download resources. This is in direct contrast to traditional client-server networks in which resource-sharing and downloading are performed by distinct actors (eg, in PHRs such as Google Health or Microsoft Health Vault).

Centralized P2P PHS (eg, P2P PHR [6] and e-toile framework [21]), and other centralized P2P systems (Napster, SETI@Home, and BOINC [35,50]) combine the features from client-server and decentralized architectures. One or more central servers are used to manage administration, transaction, registration, or resource discovery. To abide by data protection regulations, such as the US Federal Health Insurance Portability and Accountability Act (HIPAA) [6] or the GDPR [34,41], and related regulations, health or personal information should be stored separately from centrally managed operational data (eg, status and metadata of transactions as in P2P PHR [6] or the list of interoperable PHS providers and health care professionals and their access rights in the e-toile framework [21]). In the case of contact tracing systems such as PEPP-PT COVID-19 [22], the central server may be operated by a government or trusted entity to generate identities and contact graphs. In centralized P2P PHSs, the resources are indexed by the central server (Figure 2). Although a client-server approach is used for resource discovery, the actual communication that facilitates resource transmission is decentralized [53].

In centralized P2P PHSs, data protection and security measures based on regulations such as HIPAA [6] or GDPR [41] can be enforced and implemented but PHSs may inherit issues from centralized systems [35], such as vulnerability to insider attacks and function creep by the entity running the server; reduced tolerance to avoid single points of failure; and issues with scalability and robustness. Central servers also become more likely to cause a bottleneck when the number of peers increases.

In decentralized P2P systems, peers have equal rights and responsibilities [35,54]. This can be seen in agent-based co-ordination frameworks proposed for the exchange of electronic health records between different providers (eg, P2P IHE [6,51]) or other P2P systems (eg, BitTorrent, Gnutella, Freenet, Chord, and PAST [35,50]). Each peer shares data that may only be relevant to queries of other peers. A decentralized P2P design is a user-based infrastructure because it requires no specific additional infrastructure and depends solely on the participating users to share resources (bandwidth and storage) [26]. In a decentralized P2P system architecture, 2 further dimensions are important [35]: the network structure and logical network topology (overlay network).

The network structure of a P2P network can be single-tier or multitier. In a single-tier network (eg, Gnutella, Freenet, and PAST [35,50]), loads and functionalities are equally distributed among the nodes participating in the network. In contrast, the multitier network has a routing structure with hierarchical layers. An example of a P2P protocol in this category includes the Super-peer Architecture and Crescendo System [35].

The logical network topology can be structured or unstructured. In unstructured P2P networks (eg, FreeNet, Gnutella, and KaZaA [50]), which exhibit a mesh topology [26], each peer maintains the list of its neighbors to which it may forward queries. Hence, in most cases, a peer must search a large fraction of the network when looking for a desired resource in the network, as there is no precise mapping between the identifiers of resources and peers [55]. Messages are continuously propagated by neighbors in the network [26], which affects the reliability of message delivery when the network is congested. This type of P2P system can be unsuitable for PHS deployment, especially in emergency situations where a patient’s medical history (located with another remote peer) is urgently needed for medical care.

To address these problems, structured P2P PHSs such as P2P IHE [51] and other structured P2P systems (eg, Chord, Kademlia, Pastry, and CAN [35]) have emerged. In structured P2P systems, a mapping between peers and data exists, data placement is under the control of Distributed Hash Tables (DHTs), and each peer has to maintain routing tables. A DHT is a hash table containing a key-value lookup function, and the entire index is equally distributed among participating peers [55]. The key-value store represents only the metadata of the participating peers, for example, the mapping (id, ptr) indicates that a resource with identifier id is located at a peer pointed to by ptr. The general idea of structured P2P networks is to minimize the number of peer lookups (eg, by adopting a key-based routing strategy) to identify and locate a desired resource in the network [35]. The cost of maintaining the structured topology is high when participants arbitrarily join and leave the network.

The overall issue of decentralized P2P systems is the slow search for peers offering the desired resources in the network [35], and freedom to join or leave the network affects availability [20,56]. However, these systems do not have single points of failure and benefit from other features, such as scalability and robustness to operational errors. The lack of centralized control is a major factor contributing to routing difficulties: routing becomes more complicated with more diverse participating nodes [57], when massive peer churn is present [58] and when there is a dependence on nodes that could be malicious [59]. To remedy this, a shared memory in a distributed tuple space architecture [60], as used in the P2P PHS agent-based co-ordination framework P2P IHE [51], can be leveraged. In such an architecture, a distributed network of tuple centers is used as a co-ordination framework to facilitate interactions between various PHS providers and other health care stakeholders [51].

P2HR [20] is an example of a hybrid P2P PHS. Other P2P systems (eg, BestPeer [35], BestPeer++ [61], or BitTorrent [62]) eventually relied on this topology. Hybrid P2P architectures were introduced to address the challenges of centralized servers in P2P networks and the time required for resource discovery in decentralized P2P networks [35,54]. They combine the advantages of both architectures [50], such as reliable resource discovery and scalability. Although there are no servers in hybrid P2P systems, peer nodes that have more resources in terms of storage, computation power, network connectivity, stability, and uptime can fulfill the role of servers and assist common peers with resource discovery. These nodes are referred to as super peers. In hybrid P2P systems, resource discovery can be performed by querying the super peer (in a centralized manner) or using decentralized search techniques [63]. Common peers form the lower layer, while super peers form the upper layer.

Although super peers share some similar properties with servers in a centralized P2P network, they are different [35]: (1) a super peer only acts as a manager for its subset of peers in the network—it is not as powerful as a server in centralized P2P networks that oversees the entire network. For PHSs, dividing patients into groups (eg, per hospital) ensures that patients’ data are only shared with users that require them [64]; (2) a super peer also participates and acts as a common peer and facilitates the same operations, such as resource-sharing and downloading. As an analogy, the relationship of super peers with common peers is similar to interactions between entities in human society: for instance, in a hospital, physicians keep more knowledge and connections with their patients than other personnel. As such, patients with health issues are expected to ask for help from physicians, as there is a higher probability that they are able to handle the problem.

Super peers can act as federated authorities whereby participating users can affiliate themselves with provider nodes based on extant trust relationships (eg, friendship or treatment relationships). Provider nodes are largely independent of each other; hence, there is a federation of provider nodes. Each provider is responsible for its common peers; however, individual provider nodes can collaborate to provide services. The placement of super peers in a privileged position enhances the availability of resources, operations, computations, and performance; however, this also raises issues regarding trust, privacy, and integrity as super peers regulate services. The absence of a super peer in the network may affect operations in the network, thereby reducing the fault tolerance of the P2P network. In terms of security, nodes operated by providers are central points of attack (at least for the common peers served by a particular super peer). As super peers manage subsets of peers in the network, they are more attractive targets for attacks. “The main vulnerability of federated systems are such assumptions that federated service providers (e.g., super-peers) will largely act honestly” [26].

On the basis of the discussion of the different forms of P2P PHS architectures in the previous section, the combination of multitier structure and hybrid P2P architecture appears to be most appropriate for P2P PHSs; therefore, we propose an architecture with the following abilities (Figure 3): (1) enforcement of data protection requirements similar to that of HIPAA and semantic compliance through super peers as central index servers; (2) registration and identity verification; (3) higher scalability and availability of resources and lack of single points of failure; (4) association of patients (tier 5, Figure 3) with their respective PHS providers (tier 3, Figure 3) and practitioners (tier 4, Figure 3); and (5) faster PHS updates with security patches through the super peer networks. The P2P PHS network is an overlay of the modeled hierarchical relationships between the tuple center and PHS providers, PHS providers and practitioners, and practitioners and patients.

Large health care IT organizations (eg, the German Healthcare Technology Infrastructure; HTI [2,65]) are represented at the top of the hierarchy in the architecture to facilitate certification of various PHS providers (tier 1, Figure 3). They define and enforce the implementation of various data regulations, representation standards, and ontologies (eg, Health Level Seven and Fast Health care Interoperability Resources [6]) to share heterogeneous medical records across PHS networks. In the second tier, a distributed public network of tuple centers (eg, certified through a national health agency) is provided by trusted third parties (tier 2, Figure 3). Agent-based systems (as in centralized P2P PHSs [51]) can be used across P2P networks with the tuple centers' action-reaction rules for communication events [51]. Agent co-ordination models can handle services for data semantics and peer lookup services while serving as mediums for data sharing between P2P PHS providers, but the actual inter-PHS communications are performed in a P2P manner. P2P PHS providers can subscribe to any certified tuple center. Communication of a PHS provider is limited to communication with other subscribers to the PHS provider’s tuple center subscriptions.

PHSs can be provided by any party. In our scenario, we exemplify hospitals (hyper peers—managers of super peers and other peers in the network) as PHS providers. The hyper peers relay requests and responses among all subpeers across multihop networks. Each hyper peer has its own separate private cloud server, which stores a digital and secure copy of patient health records (Figure 3). These records are a replica of the data available on the patient’s local storage but are only made available in the hyper peer’s private cloud if a patient subscribed to the corresponding additional PHS features (eg, for data backup, ease of remote data sharing, or emergency access). Accessibility and availability traits of the stored common peers’ data on the private cloud are in the control of patients through their local PHS client software. This topology can have 2 issues: (1) similar records of patients are stored locally on their mobile devices and the cloud, which appears redundant, but this redundancy curtails connectivity pitfalls while preserving P2P PHS features in terms of offline capability, and (2) the cloud storage can become inaccessible when the local patient PHS device is lost when the device is used as the source of patient identity verification and access authorization for cloud storage.

Each hyper peer has multiple health practitioners in the network, which maintain patients’ public identities (under the control of DHT [55,66]) for lookup functionality and ease of data access; therefore, a patient (common peer) can be associated with multiple practitioners from various hyper peers (practitioner A, B, C, etc). In such cases, these hyper peers can communicate via tuple centers. This way patient data stored on a cloud of hospital B can be accessed by practitioners in hospitals A or C for diagnosis or treatment, given that the patient grants access rights. Each common peer on the network (corresponding to a patient) is modeled on the local PHS and on the hyper peer’s private cloud server. Common peers can grant access to their health records to any party through single-hop radio communication (without involving a third party in the communication, eg, Wi-Fi direct) or multihop network communications via the cloud storage of the hyper peers [65]. Other parties, such as researchers looking for data for research purposes, can obtain read-permissions for patient records by interacting with the practitioner via the hospitals' private network, which forwards permission requests to patients. However, only aggregated results (anonymized) are returned to the researcher. Moreover, wearable mobile devices and biotechnologies that provide biometric or psychometric data can also be directly connected to a patient’s P2P PHS.

It is often not necessary that users’ confidential or personal documents be exposed by worms or viruses, as many users inadvertently expose these documents [123]. For example, a node may request data X from the user, and the user sends back the entire folder where data X is located. The user may end up exposing all of their sensitive information for the following reasons: (1) a user does not appropriately select or share the requested data, (2) the interface design of the P2P application confuses the user, and (3) the requester offers a huge incentive to share. In 2012, an automated personal health information tool was used to crawl different P2P networks (FastTrack, Gnutella, and eD2K) to analyze Canadians’ personal health information and personally identifiable information in the exchanged text files [83]. Out of the 3924 P2P files with unknown content, 1.45% (57/3924) of files were flagged as personally identifiable information. Manual analysis of the 57 files revealed that 19% (11/57) contained health information about an identifiable individual, that is, inadvertently disclosed health information.

In 2019, a survey identified human errors, such as sending personal information to unintended email recipients or releasing personal information by accident, as the largest source of data breaches in the health sector [39]. Similarly, several peers were found to be inadvertently sharing their financial, email, and web cache data in a study on the KaZaA P2P network [124]. In addition, some P2P users share their personal information intentionally to increase the number of files shared on the network to meet the participation requirements of some P2P systems [85].

P2P clients tend to be set-and-forget applications that run in the background [85,123,125]. This means that the user is not cautiously tracking the activities of the P2P client, which increases the opportunity for abuse.

Geography is largely irrelevant in P2P networks [85], and no region is safer than the other. A computer in Australia or Argentina becomes part of the same network as a computer in Nigeria (Figure 5). In open P2P networks, files can undoubtedly migrate globally, and threats can come from any region of the globe. Hence, the heterogeneity and geographically dispersed nature of P2P networks can be a problematic factor affecting security, quality of service guarantees, and scalability. However, studies have shown that P2P networks converge to a certain degree of geographical clustering [85,126]. Users may choose to download and share content from their region to have lower network use and latency than when downloading or sharing content outside their region.

As a P2P network grows, an increasing number of leaks of confidential files will occur in the network. In 2017, nearly 27 million P2P users downloaded and shared files on P2P networks daily, which is 17 million more users than in 2006 [127,128]. Moreover, P2P networks are heterogeneous and fast-moving; hence, users may not be able to keep track of security issues and developers may neglect them [85].

Conventional P2P networks have no trust mechanism to assist users in deciding whether to share or download content in the network. Similarly, they have no central authority responsible for verifying the authenticity of the resources shared by users [80]. Hence, there is no guarantee that users are sharing the content they promise. This makes it easier for an attacker to spread malware across a P2P network, for instance, to conduct fraudulent activities or pollution attacks [72].

Typically, P2P networks create file indexes using the names of the files and the associated metadata [123]. This constitutes a security issue, as it allows anybody to easily discover files in P2P networks. For example, an opportunistic search with key terms related to the top 10 publicly traded health care firms in the United States revealed 20,000 patient records, 4 patients with acquired immune deficiency syndrome (AIDS), 201 patients with a mental diagnosis, and 326 patients with cancer [125]. The approaches that some P2P clients use to create and manage file names have serious implications in exposing users’ private and confidential information. This can be a problematic factor regarding security because users’ sensitive files can be easily discovered owing to poor P2P client design.

This factor enables attackers to leverage the open nature of P2P networks [100]. The long routing paths across several nodes create a loophole for malicious activity [94]. Peers in a privileged position in the network (eg, super peers) are able to see the communication of other common peers in the network. For example, decentralized P2P systems such as Gnutella [35] have no central servers or auxiliary mechanisms to co-ordinate communication among users, but when a new user connects to the Gnutella network, it chooses a node as its permanent entry point [115]. Thus, high-speed nodes are inadvertently placed in the central part of the topology and can observe the communication of nodes in their local subgraph. Moreover, communication in P2P networks stops being anonymous as soon as the source node establishes a direct connection to a destination node to download files [35]. The IP addresses of both nodes are exposed to each other, which creates another opportunity for abuse. Once the identity of the peer is revealed, further attacks can be carried out [96].

Pollution is a form of attack in which an attacker modifies the original content (through mixing or substituting) so that it has no use or is of low quality [72,79,81]. The polluted content appears to be legitimate content (eg, by having a similar size, format, and title) to trick users to download it. However, the altered content may be malicious, fake, or corrupt. This affects the network’s quality of service (especially in file, voice, and video-based P2P streaming systems [72,73,75,79,80]), overall system energy consumption [74], content availability [78], and data integrity [72]. Pollution is an easy and fast way to disseminate worms or viruses from one to many peers in the network. Therefore, pollution can have an exponential impact on the security of the entire network [72]. The pollution attack was first discovered in 2005, where a crawler was used to retrieve super peers in the KaZaA P2P network [73]. Analysis of the contents collected by the crawler revealed that over 50% of welcome copies (ie, introductory files for a collection of files) for musical files in the KaZaA network were polluted [73]. Pollution is a serious attack on P2P networks, even in a scenario with only one polluter [72,75]. The impact grows when the number of polluters or peers attempting a request increases [75]. As a result, peers often require multiple times the network bandwidth they need in a network free from pollution [75]. Furthermore, the attack is persistent. Even if the polluted contents are identified and blocked by the network, the polluters may remain alive in the network by disguising their identities and can keep polluting the network.

Pollution is categorized based on the attackers’ strategy: (1) metadata pollution, where a file extension or name is modified and replaced with a misleading one; (2) content pollution, where the file content is changed; and (3) index pollution, where an attacker claims ownership of an unindexed bogus file and uploads its record (IP address, port number, etc) to the entities (eg, super peers on hybrid P2P) that maintain such records for distribution [73,77]. In most cases, the polluters also attack legitimate peers’ reputations or boost their own reputation through whitewashing attacks [75,76]. Content pollution is the most popular and common attack in P2P streaming systems [74]; it was detected in 50%-80% of files in KaZaA and about 50% of popular files in eDonkey [73,74]. Pollution is not necessarily caused by malicious users; P2P systems are notorious for illegally sharing and disseminating copyrighted content, and content is often polluted by copyright owners as a countermeasure to protect their rights when legal actions fail [71,72]. To facilitate the protection of copyright claims, some P2P system providers even weaken protection from pollution attacks in their network [73], although this affects the confidence of users in such systems [72,73].

Successful pollution attacks on P2P PHSs can be devastating because of the higher integrity and availability requirements of medical data than data shared in other P2P systems. The consequences of its exploitation could be between low and high, depending on the level of access gained; pollution attacks often serve as a gateway to identify vulnerabilities (eg, unverified inputs that can be used for SQL injection attacks [129]) and mount further attacks (eg, ransomware attacks). For example, in 2020, a patient in need of emergency care due to an aneurysm died in Germany during a ransomware attack in a hospital. The ransomware attack caused a network outage that disrupted emergency services, and the patient was sent to a health care facility approximately 20 miles away [130]. This diversion delayed the treatment of the patient by an hour and she died [130]. The openness of P2P systems allows polluters to easily join and leave the network [20,56]; however, identity verification (eg, via insurance, job contract, token, etc) and multifactor authentication concepts for P2P PHSs could create an additional layer to reduce the vulnerability of the network. Patients or practitioners polluting a P2P PHS through their legitimate accounts can easily be traced; however, in some situations, a double-faced user (legitimate but malicious) could leverage open-source hacking tools such as Burp Suite [78] to, for instance, alter an http request payload with an anonymous ID, add polluted content, and forward it to the content distribution network of a hospital to harm the network.

Malware refers to a wide range of attacks that compromise a system without the knowledge of the system owner [84,90]. P2P networks present a greater risk for receiving malware; for example, only 3 strains of malware infected over 68% of compressed and archived files on the Gnutella network [84]. In the first 3 quarters of 2019, 7.2 billion malware attacks were reported globally [91]. In P2P networks, malware is predominantly used to create botnets by leveraging worms [84,89,90].

A botnet is a network of infected nodes that are usually compromised by worms or viruses. Individual bots in the botnet only use a small portion of the infected resource to remain concealed and create only barely noticeable traffic to share data from the compromised computers with the target [88,89]. The bots are controlled by an attacker (botmaster) through command-and-control servers [89].

A worm is independent and neither requires a host application [84,87,92] nor human intervention [82] to propagate and replicate itself over a network. Worms can result in a high fallout in combination with other vulnerabilities and propagate themselves over email attachments, web server infections, file downloads (counterfeit worms), or other legitimate network activities (silent worms) [78,81,82,84,87]. Passive (counterfeit and silent worms) and active worms are 2 broader categories of P2P worms; they both propagate like a biological virus, but the former waits for victims to infect, while the latter actively searches for new targets [84]. The threats to the amplification of worm-based attacks in a P2P network are high, and the impact grows based on network size, topology degree, or host vulnerability [78]. In contrast to the internet, where worms need to randomly search to identify vulnerable hosts, P2P worms spread rapidly and infect all nodes in the network almost instantaneously [84]. For example, the Antinny (passive and counterfeit) worm that appeared on the Japan-based Winny P2P network led to the disclosure of a large amount of private data: thousands of patient health records, customers’ identifiable information, top-secret military information, and documents of a county police investigator, yielding information on major investigations on 1500 individuals [85,86]. Furthermore, in 2001, in less than 14 hours, the Code-Red worm (active) infected over 350,000 systems and caused more than US $1.2 billion in damages in the first 10 days of its circulation [78].

P2P worms are some of the best facilitators of botnet-based attacks and internet worms. P2P networks are, for instance, known for sharing gray content, such as pornography and pirated streaming media. This can lead users to incautiously monitor unusual behaviors in the network [78,84,85]. Active P2P worms have different attack strategies: pure random scan (PRS), offline hit-list scan, and web-based scan [78,82,84]. The PRS is a starting point, information gathering stage, and is the most commonly used strategy [78]. PRS is useful when the infected host (bot) possesses no prior vulnerability information of potential targets and randomly selects and mounts attacks on targets to propagate the infection, for instance, using random IP addresses searched from the global internet address space [78,82,84]. The offline hit-list scan is a more powerful strategy: the attacker collects and continuously attacks targets using DNS, network topology, and routing information of P2P systems (eg, using crawler tools [83]) until all the hosts in the hit-list are scanned, and the newly compromised bots attack using the PRS strategy [78,82]. Instead of an offline hit-list, the web-based scan strategy primarily launches attacks on its web-based P2P neighbors, and then the worm disseminates further using PRS through the infected worm hosts [78,82].

Ransomware constitutes the biggest threat with 151.9 million attacks globally in the first 3 quarters of 2019 [91]. Moreover, ransomware attackers are shifting tactics to target higher-value institutions, such as hospitals [91]. In 2017, a malware was used in the WannaCry ransomware attack, which infected more than 230,000 computers worldwide [131]. In the British National Health Service, WannaCry disrupted scheduled treatments in many hospitals, resulting in total damages of around £92 (US $12.6) million in the United Kingdom [132]. The malware hijacked users’ data, encrypted the data, and blackmailed users before decrypting their data [133]. For health data on P2P networks, which have a less controlled infrastructure, ransomware attacks can become easier.

The effect of malware on P2P PHS could be high, although the severity of malware attacks is context-dependent. The effect of malware, such as Antinny [85,86], Anatova [134], or Code-Red [78], on P2P PHSs will be detrimental if it denies patients and physicians access to the PHS, steals patient data, or hijacks and encrypts data for ransom. Structured P2P PHSs, similar to our proposed architecture (Figure 3) or the e-toile framework in Switzerland [21], could be less vulnerable to malware in comparison with unstructured P2P PHSs. This is due to the possibility of using control measures on the index and DHT networks [55,66]. The factors that increase the attack surface include that P2P client applications tend to be set and forget [85,123,125] so that they run in the background while the user is not monitoring its activities and that there is no centralized control to detect and prevent attacks in P2P networks. The impact of malware could also escalate beyond the boundary of the P2P network and impede usability features such as emergency access or guardian support. In P2P PHSs, these disruptions can occur on a greater scale than in the example in the previous section, where a single patient could not be treated in a hospital because of a ransomware attack [130].

Some P2P clients are being used by users with limited knowledge of computers and information security [80,94,95]. Depending on the nature of the target network, the effect of social engineering attacks—an attack on the users involved in a system [93]—can facilitate exploits of other vulnerabilities. P2P worms such as silent worms (eg, VBS.Gnutella worms [82]) are based on social engineering, disguise themselves, attach to a known file, and wait to compromise victims [93]. Moreover, some P2P systems (eg, Napster and BitTorrent [92]) implement mechanisms in which the users are incentivized to share resources or content to gain greater performance and access to content; therefore, experienced users or attackers can exploit the eagerness and likely incautiousness of new users to deceive them and obtain confidential information, which could be used to conduct malicious attacks. Owing to the set-and-forget nature of P2P file-sharing applications [35], users may not realize the breach of confidentiality risks when using them, which increases the chances of abuse.

Social engineering can affect all types of P2P PHSs, where an attacker can easily leverage the user layer to deceive patients (older adult patients are more vulnerable to this attack than others [135]). In the case of P2P PHSs, the threat impact could be one user at a time, with the probability of escalating and affecting others in the network. Social engineering can be observed as an intelligent information gathering stage for attackers to mount other attacks [129], such as scamming patients to obtain, for instance, access credentials to their P2P PHS accounts. Depending on the attackers’ goals, they may modify patients’ health records or upload malware to the P2P network to affect patients’ lives, health, location, privacy, behaviors, or activities [93] and sabotage the PHS and its providers.

Poisoning can be performed either by index poisoning or by routing table poisoning [102]. Many P2P systems have a lookup service using indexing or routing table techniques [35,47,95]. A poison attacker can use this to inject invalid information such as bogus resource identifiers or fake IP addresses into the lookup service. An index poisoning attack affects the index of P2P systems [43]. Injecting invalid information in the index or routing table can slow down the query, prevent others from finding the correct resources, or result in a peer wasting time connecting to invalid peers [100,102], which eventually affects the P2P network’s quality of service [101]. Some anticopyright infringement organizations use poisoning attacks to prevent the sharing of pirated content on P2P networks [89,99,100]. These attacks are performed by identifying and poisoning the IP addresses of the servers for pirated content or using their IP addresses as evidence to sue the content server or P2P system providers [71].

An index maintains records in a centralized manner (eg, Napster [50], P2P PHR [6], or e-toile framework [21]) and enables users to locate resource owners’ IP addresses and port numbers. In index poisoning attacks, the attacker aims to compromise indexing peers (peers that participate in the indexing) by adding invalid information into their local indexes by simply sharing the bogus information with the indexing peer [43,81].

A poison attacker can also attack a specific host; for example, if the attacker wants to conduct a DDoS attack on the application server at host 129.13.152.6, the invalid information may include 129.13.152.6 for the IP address and 80 for the port number. Once the indexing peer has been poisoned, another peer can search for a resource and eventually receive invalid information from the poisoned peer and try to download the resource from the victim host. Before downloading the resource, the transmission control protocol (TCP) connection is established with the victim host using invalid information. To download the resource, the requesting peer sends a message to the desired resource. When many peers try to download the resource from the victim host, a TCP-connection DDoS comes into effect [43,97,98].

Structured P2P systems (eg, P2P IHE [51], our proposed PHS architecture [Figure 3], Chord, and Kademlia [35]) are vulnerable to poison attacks [95], although resource discovery is under the control of data structures (eg, DHT). In routing table poisoning, the poison attacker exploits the fact that each peer in a DHT-based P2P system maintains the routing tables of its neighbors [47,56,73,77,95,96]. Each entry in the table includes the neighbor’s identifier, IP address, and port number. The attacker can deceive participating peers by injecting invalid neighbors into their routing tables. The poisoned peer may choose an invalid neighbor in its routing table and forward its messages. If the routing tables of many peers are poisoned with invalid information and each entry points to the IP address of the victim host, the target receives a flood of messages from the DHT [95]. A further type of content pollution attack is a combination attack that combines index poisoning and fake-block attacks to have a higher impact [45,77]. In this case, poison attackers use an index poisoning attack to include their IDs in the invalid information to be advertised. If the victims establish the connection through the invalid information, they may connect to a poison attacker, so that the attacker can feed the victims with fake fragments and impose more harm on them.

Centralized P2P PHSs, such as P2P PHR [6] and the e-toile framework [21], could suffer the worst effects of poison attacks because they can cause DDoS or entire network failure and disrupt the services offered by PHSs. For example, in the e-toile framework [21], a list of health care stakeholders and their access rights, data exchange, and authentication is managed by a central index server; poisoning such an index could mean that the data of a patient registered with PHS^X in need of emergency care at a remote hospital that uses PHS^Y could be inaccessible to practitioners. Even if the networks of PHS^X and PHS^Y are not affected, the single point connecting the PHS providers is disrupted. Depending on the urgency of a patient’s need for treatment, the need for access to health data, and the longevity of the attack, the patient’s health and life could be adversely affected. In some P2P PHSs (eg, P2P PHR [6] or P2HR [20]), peers’ IP addresses are exposed to facilitate health information exchange between different health entities; this makes the attack even easier. For our proposed P2P PHS architecture (Figure 3), there is a federation of PHSs and tuple center providers. Within the context of the previous scenario, access and data exchange will not be impacted if PHS^Y is in the same tuple group as PHS^X.

The name Sybil attack was coined by Microsoft Research in 2002 based on the book Sybil about a patient, named Sybil, diagnosed with dissociative identity disorder [111]. In computer security, Sybils refer to multiple identities of a single user on the same machine; this user can become powerful and control a significant part of the network or use the identities to influence the system behavior [54,56,81,109,110,112]. In DHT-based P2P systems, a user can locally generate multiple node IDs for many node instances on the same machine [108]—on the Kad network, a single node can select multiple IDs concurrently [107]. The creation of Sybils is considered the most harmful behavior on a P2P system [54], as it offsets the network’s redundancy property [81]. Sybil attacks occur in a P2P network, when the reputation mechanisms are compromised [72], secure authentication mechanisms are not implemented (eg, no proof of identification is required for registration in the P2P session initiation protocol network [106]), or verification of a client’s IP address and its maximum number of connections per ID is not implemented (eg, Kad network [98]). Limiting the number of connections per IP address (eg, in eDonkey [84]) does not prevent Sybil attacks because attackers can bypass this by having many virtual IP addresses. It seems that there is no clear and definite solution to prevent Sybil attacks [26]; this is due to the openness and lack of admission control mechanisms in P2P networks.

Sybils are used by attackers to conduct massive and organized attacks on P2P networks [92]. For example, eclipse attacks [54] amplify Sybil attacks through the combination of Sybil and ID assignment or mapping attacks [105], which assigns identifiers near the same portion of the ID space to sufficient Sybil nodes (Figure 6). This enables the attacker to own a deciding power of where in the ID space the new nodes are placed. When the attacker owns more nodes than the benign nodes in the segment, the attacker can control messages in the segment, bias reputation score, create DDoS situations, or force servers to exceed their CPU capacity [26,76,84], which is also known as a gateway attack [92]. In blockchain P2P networks, Sybil attacks are, for instance, used by attackers to outvote the honest nodes in the network [52,63,104], which enables the attacker to cheat without being detected. After a successful Sybil attack, attackers can transmit or discard blocks, effectively block other users from the network, carry out 51% of attacks to change the order of transactions, prevent transactions from being confirmed, or even reverse transactions that they made, which can lead to double spending [103].

Sybil attacks are helpful for attackers to disguise their identities, access vital information managed in the PHS index service, monitor communications between users, steal patient data, or pollute the entire network to disrupt the entire PHS service operation, which would affect patients’ health and life and sabotage the PHS provider's reputation. In our proposed PHS architecture (Figure 3) or the e-toile framework in Switzerland [21], the national health IT agencies are tasked with effectively handling health care stakeholders’ registration, authentication, and verification; therefore, freedom to create multiple concurrent IDs on the same system by any malicious user is reduced by design. P2P PHSs, such as P2P IHE [6,51], could be more vulnerable to Sybil attacks due to the difficulty in establishing control mechanisms in a decentralized network. In any case, attackers can leverage Sybil attacks to steal patients’ identities (eg, for insurance coverage or blackmail).

An eclipse attack is a large-scale man-in-the-middle (MitM) attack that is commonly executed at the P2P network level [54,92]; routing, sniffing, and traffic analysis attacks are variants [56,79,81,93,105,106,115,116]. An eclipse attack aims to separate the entire network into 2 or more partitions (Figure 7) by placing malicious nodes in a strategic routing path of the P2P network [105,106,108] to surround benign nodes with malicious neighbors [77]. In most cases, the routing mechanisms are attacked [47]. This is accomplished by adding the attackers’ addresses to the neighbor list of the benign nodes [54,81] or through fake routing updates and incorrect routing [105]. Once the network is fully segmented with malicious nodes in between the partitions, the attacker can act as a gateway and disrupt the information flow between the network partitions, exclude groups of nodes from the network, or steal peer identities [54,77]. This affects the reliability, autonomy, and connectivity between peers and the CIA properties of P2P networks [72,106,114]. In addition to mounting an eclipse attack by manipulating the overlay network, an attacker that has collected a significant number of peer IDs and acts as a neighbor of benign nodes can easily mount eclipse attacks [54,77,81,107].

Successful eclipse attacks require attackers to possess a high proportion of fake nodes in the network and a higher number of direct routes coming to their nodes than to the average benign nodes in the network [54,77,81], especially in networks with relaxed rules for maintaining the routing table [92]. P2P systems that have no control over node placement in the ID space (eg, Gnutella [54]) or freedom of choice for identifiers (eg, Kad [107]) are highly vulnerable to eclipse attacks. P2P networks are more susceptible to eclipse attacks when they are new [54].

As seen in the Bitcoin network, a botmaster with as few as 24 IP address blocks can eclipse any node with a minimum probability of 85%, irrespective of the number of nodes in the network [114]. Despite new security patches that address eclipse attacks on the Bitcoin network, a novel form of eclipse attack, EREBUS, was found [113], which partitions the network and affects Bitcoin nodes' peering decisions. This shows the likelihood of exploiting eclipses in P2P networks.

The lack of freedom to select and place identities and the presence of a control infrastructure in centralized and hybrid P2P PHS (eg, our proposed architecture [Figure 3] or the e-toile framework in Switzerland [21]) reduces the impact of any form of eclipse attack on P2P PHSs. This could be higher for decentralized P2P PHSs such as P2P IHE [6,51] because of the absence of centralized trust and control infrastructures and the presence of eclipse attack vectors such as resource routing mechanisms in the network [47]. In addition, a successful attack could allow an attacker to eavesdrop on the conversation between users in the network without potentially compromising the patient's system. P2P PHSs on a patient device can be configured with wearable smart sensors to allow health practitioners or an embedded machine learning model to monitor vital parameters (eg, heart rate variability). In the case of a successful MitM attack on such P2P PHSs, the practitioners or machine learning models may receive unreliable data, which could lead to poor therapeutic or diagnostic decisions and even loss of life [93,135]. An attacker can also share fake messages that an older adult has fallen in order to summon the next-of-kin or emergency services or use the patient's location or personal data for blackmail [93,135].

A traditional denial-of-service (DoS) attack stops a service [92,94]. Query flooding is the most common resource and key to mounting DoS on P2P networks [77,105,117]. Invalid or corrupted packets flood the network [95] and impede the delivery of valid requests or messages in the network—byzantine attacks [119]—and therefore stop all communications passing through the affected routes. A DDoS is said to occur when constant streams of invalid packets flood the network in such a way that a single node has to deal with massive traffic and runs out of bandwidth [43,80,81,92]—bandwidth attacks (Figure 8). A lack of central authority can be the root cause for DDoS [97], but the root cause can also be due to the absence of mechanisms that verify response messages from other nodes (eg, in Kad [98]). Many nodes (or zombies controlled by attackers, where each zombie may control other attacking zombies) participate in DDoS attacks [81,88], while the source of the attack is hidden behind a separate layer or through spoofed IP addresses [84,92,105]. This disguise of the attackers makes it difficult to detect them because they are often only indirectly involved [81].

The previously discussed index and DHT routing table poisoning attacks and file request redirection (or topology change) attacks are other methods of mounting DDoS [77,84,98,102,110,118]. A file request redirection attacker (chatty peer) advertises the possession of many false resources that are rare in the P2P network and then establishes several TCP connections with the victims (requesting peers) [45,100,102]. However, if the requesting peers ask for the blocks of the requesting resource, the attacker only resends handshake messages to the victims and never uploads any blocks. This makes the requesting peers spend much time waiting in vain for the attacker's response and blocking other legitimate users from making connections to them. As such, TCP-connection DDoS comes into effect and affects the availability of entire P2P networks [72]. A request-redirection DDoS attack on internet equipment was used to shut down tech giants’ websites (eg, Yahoo and Amazon) in February 2000 [84], which shows the impact severity of DDoS on any network.

DDoS is an active attack that makes it more aggressive. An attacker often attacks the network to prevent certain users from performing their tasks or put the system out of service in one or many segments of the underlying infrastructure [76,84]. The probability of a DDoS attack is high in large P2P networks because nodes have to be reachable (usually outside of firewalls restrictions, etc) by the network [92,117]. Depending on the number of zombies, DDoS on decentralized P2P networks may barely affect the entire network, except for a certain number of affected peers. On the contrary, the impact could be higher on centralized and hybrid systems because communication relies on a single entity that is reachable throughout the network or subnetwork. The higher the number and diversity of nodes involved in the DDoS, the more difficult it is to be blocked [81,97].

When P2P PHS providers are hospitals, as in our proposed architecture (Figure 3), and store all patients’ medical records, a successful DDoS attack on the network (index or super peers) will have severe consequences. The effect could disrupt the network and data access and cause a delay in treatment and even loss of life (eg, the case of a patient who died after a malware hit a hospital in Germany [130]). In some centralized and hybrid COVID-19 contact tracing systems (eg, PEPP-PT [22] and Trace-Together [23]), the identifiers (ephemeral IDs) that are used to share exposure notifications during smartphone encounters are generated through a central authority (eg, a hospital) and enough of them are generated in batches, for future use and for constructing contact graphs of users when they are infected [136]. A DoS on this server could prevent the IDs and relevant estimations to reach the targets, and the affected persons would have a false sense of safety since they are no longer notified about encountered contacts. In any case, the effect of DDoS is likely higher in centralized and hybrid P2P PHS than in decentralized P2P PHSs such as P2P IHE [6,51]. This is because of the presence of single points that manage other users in the network. However, centralized control mechanisms also ease the tracing of attackers and reduce the probability of DDoS attacks.

In 2008, P2P networks accounted for almost 53% of internet traffic in Germany, followed by web browsing (26%) and streaming (7%) [122]. With respect to P2P network traffic, BitTorrent accounted for 37%, web browsing for 15%, and eDonkey for 13% of P2P internet traffic [122]. Given the high proportion of P2P traffic in most regions, it is not surprising that a number of internet service providers (ISPs) are using advanced filtering techniques to impose bandwidth limits and throttle or block traffic associated with P2P systems, for instance, by using port numbers, flow features, and deep packet inspections [46,100,121]. In 2012, the United Kingdom High Court ordered, for example, some ISPs (eg, O2, Virgin Media, and TalkTalk) to block BitTorrent P2P traffic owing to its potential for copyright infringements [120].

The consequence of a P2P traffic blockade on any type of P2P PHS could be high because the effect could render the system unavailable over the network, for instance, in a situation where ISPs realize a high proportion of internet traffic caused by P2P networks and impose bandwidth limits or block the traffic. If any P2P PHS user is affected by the blockage, P2P PHSs, for instance, for remote sharing of medical records or COVID-19 exposure notifications will be disrupted. This can potentially affect patient health and contribute to virus spread. As a workaround, users can move to a different region that does not block traffic because P2P systems are not bound by borders. The chances of being affected by a P2P traffic blockade when using a PHS is higher in regions that often use network traffic blockades as a public policy instrument (eg, in authoritarian regimes).