Wireless body area network (WBAN) is one of the most promising wireless sensor technologies, significantly enhancing the quality of service of healthcare. But the potential users' worries about privacy leakage impede its wider application. To alleviate such worries, we present a remote anonymous authentication protocol to enable client terminals/application to securely access WBAN services. In particular, our protocol is rooted in a novel certificateless cryptosystem, which has negligible computational cost and a number of security properties that are especially desirable in WBANs. Our protocol ensures that even the application providers (APs) cannot recover the user's real identity given all the session information. Also, the network manager (NM), who plays the role of private key generator (PKG), can be prevented from impersonating any legitimate users. We theoretically validate that our protocol can achieve a better tradeoff than most of existing schemes in terms of essential security properties and computational overhead.