Privacy-ensuring electronic health records in the cloud

Despite the evident benefits of access to virtually unlimited computational resources in cloud environments, enterprises and researchers still face daunting challenges when deploying applications that handle sensitive information to the cloud. This is especially true for medical or tax records, which are subject to strong legal restrictions on data escrow. In these cases one must be certain that a third party, such as the cloud provider, will never have access to the data. This work presents a solid access control framework that uses hybrid cryptography on the client side and a two-factor authentication technique to guarantee a secure key management protocol. We also demonstrate the use of homomorphic and order-preserving encryption as a viable solution for computing regular searches over electronic health records in the cloud while preserving the confidentiality of clinical data and the privacy of patients, even in the face of a semi-honest, or "honest but curious," cloud provider. We introduce a trusted element, a browser extension, to prevent attacks from malicious cloud providers. The result is evaluated through a full-featured prototype that manages health records modeled with a few OpenEHR archetypes. The prototype can be easily extended to handle any data structure modeled with OpenEHR.
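As an added illustration, not code from the paper, the following toy order-preserving encryption shows how client-side encryption and a cloud-side range search over encrypted records fit together, and why the cloud learns order and equality of values even though it never sees the key. The keyed monotone map, the plaintext domain bound, and the sample glucose values are all constructed here and stand in for, rather than reproduce, the OPE construction the paper uses.

```python
import hmac
import hashlib
import os

# Constructed toy OPE: plaintexts are integer lab values 0..DOMAIN_MAX (assumed).
DOMAIN_MAX = 1000
GAP_BITS = 20  # each step of the monotone map adds a pseudorandom 1..2^20

def ope_encrypt(key: bytes, m: int) -> int:
    """Keyed, strictly increasing map: c(m) = sum_{i<=m} (1 + PRF_key(i) mod 2^GAP_BITS).

    Every gap is >= 1, so m1 < m2 implies c(m1) < c(m2); equal plaintexts give
    equal ciphertexts, so the cloud learns order and equality (accepted leakage).
    """
    if not 0 <= m <= DOMAIN_MAX:
        raise ValueError("plaintext outside OPE domain")
    total = 0
    for i in range(m + 1):
        tag = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        total += 1 + (int.from_bytes(tag[:4], "big") % (1 << GAP_BITS))
    return total

def client_upload(key: bytes, records: dict) -> dict:
    """Client side (the trusted browser extension): encrypt before upload."""
    return {pid: ope_encrypt(key, value) for pid, value in records.items()}

def cloud_range_query(enc_db: dict, c_lo: int, c_hi: int) -> list:
    """Cloud side: no key, only integer comparison on ciphertexts."""
    return sorted(pid for pid, c in enc_db.items() if c_lo <= c <= c_hi)

def find_patients_in_range(key: bytes, enc_db: dict, lo: int, hi: int) -> list:
    """Client encrypts the query bounds; the cloud filters without decrypting."""
    return cloud_range_query(enc_db, ope_encrypt(key, lo), ope_encrypt(key, hi))

# Constructed sample: fasting glucose (mg/dL) per patient id.
SAMPLE_RECORDS = {"p01": 92, "p02": 145, "p03": 68, "p04": 110, "p05": 145}

if __name__ == "__main__":
    k = os.urandom(32)  # client-held key; never sent to the cloud
    db = client_upload(k, SAMPLE_RECORDS)
    print(find_patients_in_range(k, db, 70, 140))  # ['p01', 'p04']
    print(db["p02"] == db["p05"])  # True: equal values collide (leakage)
```

The collision of p02 and p05 is the deterministic-OPE leakage a defender must budget for: the provider can count repeated values and rank patients even without decrypting anything.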