With an increasing number of IoT devices being deployed in healthcare, massive amounts of electronic health records (EHRs) are generated and shared in the cloud. To preserve data privacy, one promising data-sharing tool named attribute-based encryption (ABE) has been widely employed. However, it is a challenge to achieve flexible data sharing without loss of confidentiality when authorized users are dynamic. Another challenge is how to guarantee fleet data access time when resource-limited devices are used. In this article, a dynamic access policy ABE (DAP-ABE) system for EHRs in the cloud is proposed. The cloud server can update the access policy without sensitive information, while decryption keys of authorized users do not need to be updated. Authorized users enjoy approximately 0.07 ms data access by outsourcing the majority of the decryption overhead to the cloud server. Furthermore, a verification procedure is embedded in DAP-ABE to check the identities of patients in the data sharing stage, which ensures that no malicious user can upload invalid EHRs. Extensive experiments demonstrate the feasibility and efficiency of the DAP-ABE system.