Abstract
There needs to be a strategy for securing the privacy of patients when exchanging health records between various entities over the Internet. Despite the fact that health care providers such as Google Health and Microsoft Corp.’s Health Vault comply with the U.S Health Insurance Portability and Accountability Act (HIPAA), the privacy of patients is still at risk. Several encryption schemes and access control mechanisms have been suggested to protect the disclosure of a patient’s health record especially from unauthorized entities. However, by implementing these approaches, data owners are not capable of controlling and protecting the disclosure of the individual sensitive attributes of their health records. This raises the need to adopt a secure mechanism to protect personal information against unauthorized disclosure. Therefore, we propose a new Fine-grained Access Control (FGAC) mechanism that is based on subkeys, which would allow a data owner to further control the access to his data at the column-level. We also propose a new mechanism to efficiently reduce the number of keys maintained by a data owner in cases when the users have different access privileges to different columns of the data being shared.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Damiani, E., De Capitani di Vimercati, S., Foresti, S., Jajodia, S., Paraboschi, S., Samarati, P.: Key Management for Multi-User Encrypted Databases. In: Proc. of the 2005 ACM Workshop on Storage Security and Survivability, pp.74–83 (2005)
Davida, G.I., Wells, D.L., Kam, J.B.: A Database Encryption System with Subkeys. ACM Transactions on Database Systems 6(2), 312–328 (1981)
De Capitani di Vimercati, S., Foresti, S, Jajodia, S., Paraboschi, S., Samarati, P.: Over-encryption: Management of Access Control Evolution on Outsourced Data. In: VLDB, pp. 123–134 (2007)
El-khoury, V., Bennani, N., Ouksel, A.M.: Distributed Key Management in Dynamic Outsourced Databases: a Trie-based Approach. In: First Int. Conf. on Advances in Databases, Knowledge, and Data Applications, pp. 56–61 (2009)
European Commission, Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Communities, L 281, 395L0046, 31–50 (1995)
Google, Health Privacy Policy, http://www.google.com/intl/en-US/health/privacy.html
Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N.,Müller, G.: On Privacy in Medical Services with Electronic Health Records. In: IMIA SiHIS, CoMHI (2009)
Hacigümüs, H., Iyer, B.R., Li, C., Mehrotra, S.: Executing SQL over encrypted data in the database-service-provider model. In: SIGMOD, pp. 216–227 (2002)
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule
Hwang, M.S., Yang, W.P.: A Two-Phase Encryption Scheme for Enhancing Database Security. J. Systems Software, Elsevier Science, 257–265 (1995)
Japanese Government: Act on the Protection of Personal Information (2005), http://www5.cao.go.jp/seikatsu/kojin/foreign/act.pdf
Lin, C.H., Chang, C.C., Lee, C.T.: A record-oriented cryptosystem for database sharing. In: Int. Computer Symposium, pp. 328–329 (1990)
Microsoft, HealthVault Privacy Policy (2009), https://account.healthvault.com/help.aspx?topicid=PrivacyPolicy
Sandhu, R.S.: Cryptographic implementation of a Tree Hierarchy for access control, pp. 95–98. Elsevier, Amsterdam (1988)
Westin, A.F.: Privacy and Freedom. Atheneum, New York (1967)
Zych, A., Petkovic, M., Jonker, W.: Efficient key management for cryptographically enforced access control, pp. 410–417. Elsevier Science, Amsterdam (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Hue, P.T.B., Wohlgemuth, S., Echizen, I., Thuy, D.T.B., Thuc, N.D. (2010). Fine-Grained Access Control for Electronic Health Record Systems. In: Kim, Th., Ma, J., Fang, Wc., Park, B., Kang, BH., Ślęzak, D. (eds) U- and E-Service, Science and Technology. UNESST 2010. Communications in Computer and Information Science, vol 124. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17644-9_4
Download citation
DOI: https://doi.org/10.1007/978-3-642-17644-9_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17643-2
Online ISBN: 978-3-642-17644-9
eBook Packages: Computer ScienceComputer Science (R0)