A Certificate Authority (CA)-based cryptographic solution for HIPAA privacy/security regulations

The Health Insurance Portability and Accountability Act (HIPAA) passed by the US Congress establishes a number of privacy/security regulations for e-healthcare systems. These regulations support patients' medical privacy and secure exchange of PHI (protected health information) among medical practitioners. Three existing HIPAA-based schemes have been studied but appear to be ineffective as patients' PHI is stored in smartcards. Moreover, carrying a smartcard during a treatment session and accessing PHI from different locations results in restrictions. In addition, authentication of the smartcard presenter would not be possible if the PIN is compromised. In this context, we propose an MCS (medical center server) should be located at each hospital and accessed via the Internet for secure handling of patients' PHI. All entities of the proposed e-health system register online with the MCS, and each entity negotiates a contributory registration key, where public-key certificates issued and maintained by CAs are used for authentication. Prior to a treatment session, a doctor negotiates a secret session key with MCS and uploads/retrieves patients' PHI securely. The proposed scheme has five phases, which have been implemented in a secure manner for supporting HIPAA privacy/security regulations. Finally, the security aspects, computation and communication costs of the scheme are analyzed and compared with existing methods that display satisfactory performance.

[1]  Gail-Joon Ahn,et al.  Patient-centric authorization framework for electronic healthcare services , 2011, Comput. Secur..

[2]  Quynh H. Dang,et al.  Secure Hash Standard | NIST , 2015 .

[3]  S. Gritzalis,et al.  Managing Medical and Insurance Information Through a Smart-Card-Based Information System , 2000, Journal of Medical Systems.

[4]  D. Richard Kuhn,et al.  SP 800-32. Introduction to Public Key Technology and the Federal PKI Infrastructure , 2001 .

[5]  William Stallings,et al.  Cryptography and Network Security: Principles and Practice , 1998 .

[6]  Polun Chang,et al.  Taiwan's perspective on electronic medical records' security and privacy protection: Lessons learned from HIPAA , 2006, Comput. Methods Programs Biomed..

[7]  Kuo-Ching Liu,et al.  Efficient key management for preserving HIPAA regulations , 2011, J. Syst. Softw..

[8]  Rakesh Agrawal,et al.  Securing electronic health records without impeding the flow of information , 2007, Int. J. Medical Informatics.

[9]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[10]  Rebecca Herold,et al.  Standards for privacy of individually identifiable health information. Office of the Assistant Secretary for Planning and Evaluation, DHHS. Final rule. , 2001, Federal register.

[11]  Chien-Ding Lee,et al.  A Cryptographic Key Management Solution for HIPAA Privacy/Security Regulations , 2008, IEEE Transactions on Information Technology in Biomedicine.

[12]  Hhs Office for Civil Rights Standards for privacy of individually identifiable health information. Final rule. , 2002, Federal register.

[13]  Mohammad Khubeb Siddiqui,et al.  Application of data mining: Diabetes health care in young and old patients , 2013, J. King Saud Univ. Comput. Inf. Sci..

[14]  Chin-Chen Chang,et al.  Preserving PHI in Compliance with HIPAA Privacy/Security Regulations Using Cryptographic Techniques , 2008, 2008 International Conference on Intelligent Information Hiding and Multimedia Signal Processing.

[15]  Victor S. Miller,et al.  Use of Elliptic Curves in Cryptography , 1985, CRYPTO.

[16]  M. Ufuk Çaglayan,et al.  Use of nested certificates for efficient, dynamic, and trust preserving public key infrastructure , 2004, TSEC.

[17]  W.D. Yu,et al.  A RFID technology based wireless mobile multimedia system in healthcare , 2006, HEALTHCOM 2006 8th International Conference on e-Health Networking, Applications and Services.

[18]  G. P. Biswas Establishment of Authenticated Secret Session Keys Using Digital Signature Standard , 2011, Inf. Secur. J. A Glob. Perspect..

[19]  T. T. May Medical information security: the evolving challenge , 1998, Proceedings IEEE 32nd Annual 1998 International Carnahan Conference on Security Technology (Cat. No.98CH36209).

[20]  Ted Cooper,et al.  Beyond good practice: why HIPAA only addresses part of the data security problem , 2004, CARS.

[21]  Chien-Ding Lee,et al.  A Novel Key Management Solution for Reinforcing Compliance With HIPAA Privacy/Security Regulations , 2011, IEEE Transactions on Information Technology in Biomedicine.

[22]  Chia-Hung Hsiao,et al.  Privacy preservation and information security protection for patients' portable electronic health records , 2009, Comput. Biol. Medicine.

[23]  Jiankun Hu,et al.  Corresponding author’s address: , 2022 .

[24]  N. Koblitz Elliptic curve cryptosystems , 1987 .

[25]  Shaker El-Sappagh,et al.  A distributed clinical decision support system architecture , 2014, J. King Saud Univ. Comput. Inf. Sci..

[26]  Kazuhiro Yokoyama,et al.  Elliptic curve cryptosystem , 2000 .

[27]  T. Elgamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[28]  Arif Ghafoor,et al.  Engineering a Policy-Based System for Federated Healthcare Databases , 2007, IEEE Transactions on Knowledge and Data Engineering.

[29]  Jiankun Hu,et al.  A pixel-based scrambling scheme for digital medical images protection , 2009, J. Netw. Comput. Appl..