
Consent-based access control for secure and privacy-preserving health information exchange

Published: 10 November 2016

Abstract

Electronic health record exchanges are crucial functions of modern healthcare systems. These components are fundamental in providing quality care and enable a larger spectrum of services. A framework that protects patient information during data exchanges is essential for healthcare systems. To achieve security and privacy preservation for information exchange, we propose a consent-based access control (CBAC) mechanism for healthcare systems. A consent is an authorization initiated by a patient for an intended data requester via an agreement between them. After obtaining the consent from the patient, a healthcare organization can gain access to the data, which is encrypted by a healthcare provider. This is achieved by a cryptographic primitive: conditional proxy re-encryption. By doing so, patient medical data is protected against access by unauthorized parties, including the public data center. Additionally, the proposed scheme achieves collusion resistance. Furthermore, mutual authentication and contextual privacy are attained. Performance evaluation demonstrates that the proposed CBAC scheme can achieve security and privacy preservation with high computational efficiency. Copyright © 2016 John Wiley & Sons, Ltd.

Cited By

  • (2023) A Survey on Blockchain for Healthcare: Challenges, Benefits, and Future Directions. IEEE Communications Surveys & Tutorials 25:1 (386-424). DOI: 10.1109/COMST.2022.3224644. Online publication date: 1-Jan-2023
  • (2017) Secure and Privacy-Preserving Data Sharing and Collaboration in Mobile Healthcare Social Networks of Smart Cities. Security and Communication Networks 2017. DOI: 10.1155/2017/6426495. Online publication date: 3-Aug-2017
Published In

Security and Communication Networks, Volume 9, Issue 16
November 2016
877 pages
ISSN: 1939-0114
EISSN: 1939-0122

Publisher

John Wiley & Sons, Inc., United States

Author Tags

1. access control
2. consent
3. health information exchange
4. privacy preservation
