TY - GEN
T1 - Auditing and revocation enabled role-based access control over outsourced private EHRs
AU - Liu, Weiran
AU - Liu, Xiao
AU - Liu, Jianwei
AU - Wu, Qianhong
AU - Zhang, Jun
AU - Li, Yan
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/11/23
Y1 - 2015/11/23
N2 - Electronic Health Record (EHR) systems have an abundance of convenience for telediagnosis, medical data sharing and management. The main obstacle for wide adoption of EHR systems is due to the privacy concerns of patients. In this work, we propose a role-based access control (RBAC) scheme for EHR systems to secure private EHRs. In our RBAC, there are two main types of roles, namely independent patients and hierarchically organized medical staff. A patient is identified by his/her identity, and a medical staff is recognized by his/her role in the medical institute. A user can comprehend an EHR only if he/she satisfies the access policy associated with this EHR, which implies a fine-grained access control. A public auditor is employed to verify whether the EHR is correctly encapsulated with the specified access policy, which provides an a priori approach to find fraudulent EHRs and prevent potential medical disputes. Moreover, our RBAC enforces a forward revocation mechanism. A revoked user cannot access to the future EHRs even if his/her previous role satisfies the access policy. We analyse the security and efficiency of our RBAC, showing that it is an practical solution to secure EHRs.
AB - Electronic Health Record (EHR) systems have an abundance of convenience for telediagnosis, medical data sharing and management. The main obstacle for wide adoption of EHR systems is due to the privacy concerns of patients. In this work, we propose a role-based access control (RBAC) scheme for EHR systems to secure private EHRs. In our RBAC, there are two main types of roles, namely independent patients and hierarchically organized medical staff. A patient is identified by his/her identity, and a medical staff is recognized by his/her role in the medical institute. A user can comprehend an EHR only if he/she satisfies the access policy associated with this EHR, which implies a fine-grained access control. A public auditor is employed to verify whether the EHR is correctly encapsulated with the specified access policy, which provides an a priori approach to find fraudulent EHRs and prevent potential medical disputes. Moreover, our RBAC enforces a forward revocation mechanism. A revoked user cannot access to the future EHRs even if his/her previous role satisfies the access policy. We analyse the security and efficiency of our RBAC, showing that it is an practical solution to secure EHRs.
KW - Data privacy
KW - Electronic health record
KW - Forward revocation
KW - Public audit
KW - Role-based access control
UR - http://www.scopus.com/inward/record.url?scp=84961712013&partnerID=8YFLogxK
U2 - 10.1109/HPCC-CSS-ICESS.2015.10
DO - 10.1109/HPCC-CSS-ICESS.2015.10
M3 - Conference contribution
AN - SCOPUS:84961712013
T3 - Proceedings - 2015 IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security and 2015 IEEE 12th International Conference on Embedded Software and Systems, HPCC-CSS-ICESS 2015
SP - 336
EP - 341
BT - Proceedings - 2015 IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security and 2015 IEEE 12th International Conference on Embedded Software and Systems, HPCC-CSS-ICESS 2015
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 17th IEEE International Conference on High Performance Computing and Communications, IEEE 7th International Symposium on Cyberspace Safety and Security and IEEE 12th International Conference on Embedded Software and Systems, HPCC-ICESS-CSS 2015
Y2 - 24 August 2015 through 26 August 2015
ER -