Securing Access to Healthcare Data with Context-aware Policies

Data security in the healthcare domain is of paramount importance. There is a need for advanced access control mechanisms that can be used in the healthcare domain and raise security awareness. In this work, we report on the development of a web-based editor, that enables a user to edit concepts and properties for tailoring a context-aware security model for creating and enforcing access control policies for electronic health records (EHRs). These access control policies are to be enforced as part of two different sequential authorisation paradigms that will be employed for achieving high levels of security controls. These paradigms are the Attributebased Access Control (ABAC), which permits or denies access and/or grants or not editing rights to (encrypted) EHRs and the Attribute-based Encryption (ABE), which handles the way sensitive data should be decrypted, so as to edit functionalities for creating context-aware access policies (ABAC and ABE).

[1]  Yi Mu,et al.  Improving Security and Privacy Attribute Based Data Sharing in Cloud Computing , 2020, IEEE Systems Journal.

[2]  Hongbo Zhu,et al.  Fine-grained multi-authority access control in IoT-enabled mHealth , 2019, Ann. des Télécommunications.

[3]  David F. Ferraiolo,et al.  Guide to Attribute Based Access Control (ABAC) Definition and Considerations , 2014 .

[4]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.

[5]  Abdul Raouf Khan,et al.  ACCESS CONTROL IN CLOUD COMPUTING ENVIRONMENT , 2012 .

[6]  Elena Ferrari,et al.  Access Control in Data Management Systems , 2010, Access Control in Data Management Systems.

[7]  Mohammad Hammoudeh,et al.  A Survey on Ciphertext-Policy Attribute-based Encryption (CP-ABE) Approaches to Data Security on Mobile Devices and its Application to IoT , 2017, ICFNDS.

[8]  Li Kang,et al.  Privacy-preserving decentralized ABE for secure sharing of personal health records in cloud storage , 2019, J. Inf. Secur. Appl..

[9]  Yaling Zhang,et al.  Searchable and revocable multi-data owner attribute-based encryption scheme with hidden policy in cloud storage , 2018, PloS one.

[10]  Constantinos Patsakis,et al.  Forgetting personal data and revoking consent under the GDPR: Challenges and proposed solutions , 2018, J. Cybersecur..

[11]  Gregoris Mentzas,et al.  A Context-Aware Security Model for a Combination of Attribute-Based Access Control and Attribute-Based Encryption in the Healthcare Domain , 2020, AINA Workshops.

[12]  Zoe L. Jiang,et al.  Practical attribute-based encryption: Outsourcing decryption, attribute revocation and policy updating , 2018, J. Netw. Comput. Appl..

[13]  Allison Bishop,et al.  Decentralizing Attribute-Based Encryption , 2011, IACR Cryptol. ePrint Arch..

[14]  Qian Xu,et al.  Decentralized attribute-based conjunctive keyword search scheme with online/offline encryption and outsource decryption for cloud computing , 2019, Future Gener. Comput. Syst..

[15]  Josep Domingo-Ferrer,et al.  Privacy-preserving cloud computing on sensitive data: A survey of methods, products and challenges , 2019, Comput. Commun..

[16]  Achim D. Brucker,et al.  Extending access control models with break-glass , 2009, SACMAT '09.