
Fine-Grained Access Control for Electronic Health Record Systems

  • Conference paper
U- and E-Service, Science and Technology (UNESST 2010)

Abstract

A strategy is needed for securing the privacy of patients when health records are exchanged between various entities over the Internet. Although health care providers such as Google Health and Microsoft Corp.’s HealthVault comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA), the privacy of patients is still at risk. Several encryption schemes and access control mechanisms have been suggested to protect a patient’s health record from disclosure, especially to unauthorized entities. However, with these approaches, data owners cannot control and protect the disclosure of the individual sensitive attributes of their health records. This raises the need to adopt a secure mechanism to protect personal information against unauthorized disclosure. Therefore, we propose a new Fine-grained Access Control (FGAC) mechanism that is based on subkeys, which allows a data owner to further control access to his data at the column level. We also propose a new mechanism to efficiently reduce the number of keys maintained by a data owner in cases where users have different access privileges to different columns of the data being shared.




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hue, P.T.B., Wohlgemuth, S., Echizen, I., Thuy, D.T.B., Thuc, N.D. (2010). Fine-Grained Access Control for Electronic Health Record Systems. In: Kim, Th., Ma, J., Fang, Wc., Park, B., Kang, BH., Ślęzak, D. (eds) U- and E-Service, Science and Technology. UNESST 2010. Communications in Computer and Information Science, vol 124. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17644-9_4


  • DOI: https://doi.org/10.1007/978-3-642-17644-9_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17643-2

  • Online ISBN: 978-3-642-17644-9

  • eBook Packages: Computer Science, Computer Science (R0)
