Design for a secure interoperable cloud-based Personal Health Record service

Adoption of Personal Health Record (PHR) applications has been slow due to consumers' concerns about security, privacy and trust, and the challenges of interoperability and integration with other Electronic Medical Record (EMR) systems. This paper proposes the design for a secure interoperable cloud-based PHR service. To enhance portability and interoperability, we use the Continuity of Care Document (CCD) both for storing and for exchanging an individual's PHR information. To provide self-protecting security for each CCD instance, we apply a broad spectrum of security mechanisms (access control, encryption, and digital signature) in an integrated, embedded, and fine-grained manner, based on open standards such as eXtensible Access Control Markup Language, XML Encryption, XML Signature, and XML Key Management Specification. To support patient-controlled encryption and privacy-preserving keyword search, we use ciphertext-policy attribute-based encryption and public-key encryption with keyword search schemes, again in an integrated, embedded, and fine-grained manner.
