Attribute Based Cryptographic Enforcements for Security and Privacy in E-health Environments

In the last few decades, there have been significant efforts to integrate information and communication technologies into healthcare practices. This paradigm, commonly known as electronic healthcare (e-health), allows healthcare services to be provided to consumers at an affordable price while offering a platform for efficient inter-domain health information exchange. Despite these benefits, patient health records contain a great deal of sensitive information, so secure sharing of patient records is of utmost importance to protecting patient privacy. In addition, the linkability of different user access sessions over patient health information can violate the privacy of the patient as well as that of the accessing user. Furthermore, access delegation plays a vital role in strengthening access flexibility in collaborative e-health environments. However, access delegation has to be enforced in a controlled manner, and it is a research area that has not received significant attention. In this dissertation, we consider two application scenarios that resemble a collaborative e-health environment. In the first scenario, the health information of patients is stored under the control of a local healthcare provider (LHP), and it must be shared with the healthcare professionals of the LHP as well as with users from other domains in a flexible and privacy-preserving manner. In the second scenario, the health information of patients is stored on a third-party cloud platform, which brings the challenge of enforcing flexible and privacy-preserving access over the encrypted data. For these two scenarios, our objective is to propose efficient attribute-based cryptographic constructions that enable access anonymization and controlled access delegatability.
To achieve this objective, in this dissertation we propose seven attribute-based cryptographic constructions which not only enable the aforementioned characteristics but also ensure secure, privacy-preserving and flexible access to the stored health information of patients.
