Securing Personal Health Records in Cloud Computing: Patient-Centric and Fine-Grained Data Access Control in Multi-owner Settings

Online personal health record (PHR) systems enable patients to manage their own medical records in a centralized way, which greatly facilitates the storage, access and sharing of personal health data. With the emergence of cloud computing, it is attractive for PHR service providers to shift their PHR applications and storage into the cloud, in order to enjoy elastic resources and reduce operational cost. However, by storing PHRs in the cloud, patients lose physical control over their personal health data, which makes it necessary for each patient to encrypt her PHR data before uploading it to the cloud servers. Under encryption, it is challenging to achieve fine-grained access control to PHR data in a scalable and efficient way. For each patient, the PHR data should be encrypted in a way that scales with the number of users who have access. Also, since there are multiple owners (patients) in a PHR system and every owner encrypts her PHR files using a different set of cryptographic keys, it is important to reduce the key distribution complexity in such multi-owner settings. Existing cryptographically enforced access control schemes are mostly designed for single-owner scenarios.
