Role-based and time-bound access and management of EHR data

Security and privacy are widely recognized as important requirements for access to and management of electronic health record (EHR) data. In this paper, we argue that EHR data need to be managed with customizable access control in both spatial and temporal dimensions. We present a role-based and time-bound access control (RBTBAC) model that provides more flexibility in both the role (spatial capability) and time (temporal capability) dimensions to control access to sensitive data. Through an algorithmic combination of role-based access control and time-bound key management, our RBTBAC model has two salient features. First, we have developed a privacy-aware and dynamic key structure for role-based, privacy-aware access and management of EHR data, focusing on the consistency of the access authorization (including data and time interval) with the activated role of the user. In addition to role-based access, a path-invisible EHR structure is built to preserve the privacy of patients. Second, we have employed a time tree method for generating time granule values, offering fine granularity of time-bound access authorization and control. Our initial experimental results show that the tree-like time structure can improve the performance of the key management scheme significantly, and that the RBTBAC model is more suitable than existing solutions for EHR data management because it offers high efficiency and better security and privacy. Copyright © 2013 John Wiley & Sons, Ltd.
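An added illustration of the time-tree idea, not code from the paper: a generic hash-tree derivation in which each time granule is a leaf and a grant for an interval is the minimal set of subtree keys covering it. The tree height, the HMAC-SHA-256 derivation, the per-role root and all function names are assumptions; the paper's own RBTBAC construction is not given on this page.

```python
import hashlib
import hmac

DEPTH = 4  # assumed tree height: 2**4 = 16 time granules, numbered 0..15

def child(key, bit):
    # One-way step: a node key yields its children, never its parent or sibling.
    return hmac.new(key, bytes([bit]), hashlib.sha256).digest()

def node_key(key, path):
    # Walk a bit-string path ("0" = left, "1" = right) down from `key`.
    for b in path:
        key = child(key, int(b))
    return key

def role_root(master, role):
    # Assumption: each role gets its own tree root, so grants never cross roles.
    return hmac.new(master, b"role:" + role.encode(), hashlib.sha256).digest()

def cover(lo, hi, depth=DEPTH):
    # Minimal list of subtree prefixes whose leaves are exactly granules lo..hi.
    out = []
    def walk(prefix, start, size):
        end = start + size - 1
        if hi < start or end < lo:
            return                      # subtree entirely outside the interval
        if lo <= start and end <= hi:
            out.append(prefix)          # subtree entirely inside: one key suffices
            return
        half = size // 2
        walk(prefix + "0", start, half)
        walk(prefix + "1", start + half, half)
    walk("", 0, 1 << depth)
    return out

def grant(master, role, lo, hi):
    # Issuer side: the only key material released for (role, [lo, hi]).
    root = role_root(master, role)
    return {p: node_key(root, p) for p in cover(lo, hi)}

def granule_key(granted, t, depth=DEPTH):
    # Holder side: derive the key for granule t, or None if t is not covered.
    if not 0 <= t < (1 << depth):
        return None
    path = format(t, "0{}b".format(depth))
    for prefix, key in granted.items():
        if path.startswith(prefix):
            return node_key(key, path[len(prefix):])
    return None
```

With 16 granules, a grant for granules 3 to 10 releases four node keys instead of eight leaf keys, and the holder cannot derive the keys for granules 2 or 11 because the derivation only runs downward.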
