Abstract
With the rapid advancement of healthcare analytics, securing health data and protecting its privacy have become essential. The electronic health record (EHR) is a communication tool that supports services such as early prediction of disease, clinical decision support systems, and personalized healthcare through intelligent mechanisms such as artificial intelligence, machine learning and deep learning. With the advent of ICT and the availability of big data in healthcare systems, privacy concerns have been raised. Developing an access control model for EHR is one of the solutions to preserve the privacy and confidentiality of the data. Numerous access control models, such as RBAC and MAC, have been invented. These models are security focused, meaning their primary focus is to provide security to health data, which differs from safeguarding the privacy of personal information in health records. Although a tremendous amount of work has been done on access control models for preserving privacy, there is still room for improvement in terms of effective access to data through a better access control model. In addition, most past access control models are static and do not consider the case wherein the privacy–utility of the EHR changes according to the requirements of healthcare organizations. This paper presents a risk- and utility-based access control (henceforth called RUBAC) model for flexible privacy–utility situations in healthcare. The proposed privacy-enabled model consists of three major entities, viz. risk and utility factors (X-axis), data access scenarios (Y-axis) and roles (Z-axis). All the entities are flexible. The model is evaluated against use cases and the 25 criteria given in [1], and it outperformed in accessing the healthcare records efficiently. The proposed model provides dynamic and flexible control through a 3-D framework, exceeding current approaches and opening the door to improved healthcare security practices.
Data availability
Since this is a conceptual model, no data and material are applicable to this research work.
References
Helms E, Williams L. Evaluating access control of open source electronic health record systems. In: Proceedings of the international conference on software engineering, 2011. p. 63–70. https://doi.org/10.1145/1987993.1988006
Dong N, Jonker H, Pang J. Challenges in eHealth: From enabling to enforcing privacy, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 7151 LNCS(September), 2012. p. 195–206.
Anonymous. Data Leakage Events, Informationisbeautiful. 2019. https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/.
Jercich K. The biggest healthcare data breaches of 2021. Healthcareitnews. 2021. https://www.healthcareitnews.com/news/biggest-healthcare-data-breaches-2021.
Bose A. Top 10 data breaches that have occurred in India in 2020–21. Ipleaders. 2021. https://blog.ipleaders.in/top-10-data-breaches-that-have-occurred-in-india-in-2020-21/.
Jin H, Luo Y, Li P, Mathew J. A review of secure and privacy-preserving medical data sharing. IEEE Access. 2019;7:61656–69.
Majeed A. Attribute-centric anonymization scheme for improving user privacy and utility of publishing e-health data. J King Saud Univ Comput In Sci. 2019;31(4):426–35.
Lin JC, Yeh KH. Security and privacy techniques in IoT environment. Sensors. 2021;21(1):2021.
de Carvalho Junior MA, Bandiera-Paiva P. Health information system role-based access control current security trends and challenges. J Healthc Eng. 2018;18:6510249.
Khalid T, et al. A survey on privacy and access control schemes in fog computing. Int J Commun Syst. 2021. https://doi.org/10.1002/dac.4181.
Yang X, Lu R, Shao J, Tang X, Ghorbani AA. Achieving efficient secure deduplication with user-defined access control in cloud. IEEE Trans Depend Secure Comput. 2022;19(1):591–606.
Seol K, Kim YG, Lee E, Seo YD, Baik DK. Privacy-preserving attribute-based access control model for XML-based electronic health record system. IEEE Access. 2018;6:9114–28.
Elgendy R, Morad A, Elmongui HG, Khalafallah A, Abougabal MS. Role-task conditional-purpose policy model for privacy preserving data publishing. Alex Eng J. 2017;56(4):459–68.
Peleg M, Beimel D, Dori D, Denekamp Y. Situation-based access control: privacy management via modeling of patient data access scenarios. J Biomed Inf. 2008;41(6):1028–40.
Tembhare A, SibiChakkaravarthy S, Sangeetha D, Vaidehi V, VenkataRathnam M. Role-based policy to maintain privacy of patient health records in cloud. J Supercomput. 2019;75(9):5866–81.
Wang Q, Jin H. Quantified risk-adaptive access control for patient privacy protection in health information systems. In: Proceedings of the 6th International Symposium on Information, Computer and Communications Security, ASIACCS 2011. 2011. p. 406–10.
Kumar R, Tripathi R. Scalable and secure access control policy for healthcare system using blockchain and enhanced Bell–LaPadula model. J Ambient Intell Humaniz Comput. 2021;12(2):2321–38.
Prince PB, Lovesum SPJ. Privacy enforced access control model for secured data handling in cloud-based pervasive health care system. SN Comput Sci. 2020;1(5):1–8.
Sicuranza M, Esposito A. An access control model for easy management of patient privacy in EHR systems, 2013 8th International Conference for Internet Technology and Secured Transactions. ICITST. 2013;2013:463–70.
Dagher GG, Mohler J, Milojkovic M, Marella PB. Ancile: Privacy-preserving framework for access control and interoperability of electronic health records using blockchain technology. Sustain Cities Soc. 2017;2018(39):283–97.
Rezaeibagha F, Mu Y. Distributed clinical data sharing via dynamic access-control policy transformation. Int J Med Inf. 2016;89:25–31.
Xu J, et al. Healthchain: a blockchain-based privacy preserving scheme for large-scale health data. IEEE Internet Things J. 2019;6(5):8770–81.
Ming Y, Zhang T. Efficient privacy-preserving access control scheme in electronic health records system. Sensors (Switzerland). 2018;18(10):3520.
Ding W, et al. An extended framework of privacy-preserving computation with flexible access control. IEEE Trans Netw Serv Manage. 2020;17(2):918–30.
Premarathne U, et al. Hybrid cryptographic access control for cloud-based EHR systems. IEEE Cloud Comput. 2016;3(4):58–64.
Ding W, Yan Z, Deng RH. Privacy-preserving data processing with flexible access control. IEEE Trans Depend Secure Comput. 2020;17(2):363–76.
Shi M, Jiang R, Hu X, Shang J. A privacy protection method for health care big data management based on risk access control. Health Care Manag Sci. 2020;23(3):427–42.
Babrahem AS, Monowar MM. Preserving confidentiality and privacy of the patient’s EHR using the OrBAC and AES in cloud environment*. Int J Comput Appl. 2021;43(1):50–61.
Camenisch J, Hohenberger S, Lysyanskaya A. Balancing accountability and privacy using e-cash. In: International conference on security and cryptography for networks. Berlin, Heidelberg: Springer; 2006. p. 141–55.
Thwin TT, Vasupongayya S. Blockchain-based access control model to preserve privacy for personal health record systems. Secur Commun Netw. 2019;2019:1–15.
Grunwell D, Gajanayake R, Sahama T. Demonstrating accountable-eHealth systems. In: 2014 IEEE international conference on communications (ICC), Sydney, NSW, Australia. 2014. p. 4258–63. https://doi.org/10.1109/ICC.2014.6883989.
Mohan K, Aramudhan M. Ontology based access control model for healthcare system in cloud computing. Indian J Sci Technol. 2015;8(S9):218.
Ni Q, Bertino E, Lobo J, Calo SB. Privacy-aware role-based access control. IEEE Secur Priv. 2009;7(4):35–43. https://doi.org/10.1109/MSP.2009.102.
Liddell K, Simon DA, Lucassen A. Patient data ownership: who owns your health? J Law Biosci. 2021;8(2):lsa023.
Levin O, Salido J. The two dimensions of data privacy measures. Brussels Privacy Symposium. 2016;7.
Wagner I, Eckhoff D. Technical privacy metrics: a systematic survey. ACM Comput Surv. 2018;51(3):1–45.
Prasser F, Kohlmayer F, Lautenschläger R, Kuhn KA. ARX--A Comprehensive Tool for Anonymizing Biomedical Data. AMIA ... Annual Symposium proceedings/AMIA Symposium. AMIA Symposium. 2014.
Cormode G, Procopiuc CM, Shen E, Srivastava D, Yu T. Empirical privacy and empirical utility of anonymized data. In: 2013 IEEE 29th International Conference on Data Engineering Workshops (ICDEW). 2013;2013:77–82.
Elliot M, Domingo-Ferrer J. The future of statistical disclosure control. The National Statistician’s Quality Review. 2018.
Prasser F, Kohlmayer F, Kuhn K. The importance of context: risk-based de-identification of biomedical data. Methods Inf Med. 2016;55:347–55.
Mai PX, Goknil A, Shar LK, Pastore F, Briand LC, Shaame S. Modeling security and privacy requirements: a use case-driven approach. Inf Softw Technol. 2018;100:165–82.
Ray P, Wimalasiri J. The Need for Technical Solutions for Maintaining the Privacy of HER. In: 2006 International Conference of the IEEE Engineering in Medicine and Biology Society. 2006;2006:4686–89.
More SJ. Java Privacy Guard - The OpenPGP Message Format and an Implementation in Java. Bachelor’s Thesis, Graz University of Technology, Institute for Applied Information Processing and Communication. 2015.
Ferraiolo DF, Sandhu R, Gavrila S, Kuhn DR, Chandramouli R. Proposed NIST standard for role-based access control. ACM Trans Inf Syst Secur. 2001;4(3):224–74.
Acknowledgements
The authors have used ChatGPT and Quillbot software for rewording of the sentences in the manuscript.
Funding
There is no funding associated with this research study.
Ethics declarations
Conflict of interest
The authors of this research study declare that there is no conflict of interest.
Additional information
This article is part of the topical collection “Advanced Computing and Data Sciences” guest edited by Mayank Singh, Vipin Tyagi and P.K. Gupta.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Churi, P., Pawar, A. RUBAC: Proposed Access Control for Flexible Utility–Privacy Model in Healthcare. SN COMPUT. SCI. 5, 297 (2024). https://doi.org/10.1007/s42979-024-02616-8
DOI: https://doi.org/10.1007/s42979-024-02616-8