Ensuring security of private health data over the communication channel from the sensors to the back-end medical cloud is crucial in a mHealth system. This end-to-end (E2E) security is enabled by distributing cryptographic keys between a sensor and the cloud so that the data can be encrypted and its integrity protected. Further, the key can also be used for mutually authenticating the communication. The distribution of keys is one of the biggest overheads in enabling secure communication and needs to be done is a transparent way that minimizes the cognitive load on the users (patients). Traditional approaches for providing E2E security for mHealth systems are based on asymmetric cryptosystems that require extensive security infrastructure. In this paper, we propose a novel protocol, Physiology-based End-to-End Security (PEES), which provides a secure communication channel between the sensors and the back-end medical cloud in a transparent way. PEES uses: (1) physiological signal features to hide a secret key, and (2) synthetically generated physiological signals from generative models parameterized with patient's physiological information, to unhide the key. Moreover, in PEES authentication comes for free since only sensors on the user's body has access to physiological features and can therefore gain access to the protected information in the cloud. The analysis of the approach using electrocardiogram (ECG) and phototplethysmogram (PPG) signals and their associated models demonstrate the feasibility of PEES. The protocol is light-weight for sensors and has no pre-deployment or storage requirements and can provide strong and random keys (≈ 90 bits long). We have also started clinical studies to establish its efficacy in practice.