With the rapid technological advancements in the Internet of Things (IoT), wireless communication and cloud computing, smart health is expected to enable comprehensive and qualified healthcare services. It is important to ensure security and efficiency in smart health. However, existing smart health systems still have challenging issues, such as aggregate authentication, fine-grained access control and privacy protection. In this paper, we address these issues by introducing SSH, a Secure Smart Health system with privacy-aware aggregate authentication and access control in IoT. In SSH, privacy-aware aggregate authentication is enabled by an anonymous certificateless aggregate signature scheme, in which users' identity information is protected based on symmetric encryption mechanisms. In addition, privacy-aware access control is based on anonymous attribute-based encryption technologies. Our formal security proofs indicate that SSH achieves batch authentication and non-repudiation under the Computational Diffie-Hellman assumption. Extensive experimental results and performance comparisons show that SSH is practical in terms of computation cost and communication overheads.