research-article
DOI: 10.1145/3195258.3195259

Securing Electronic Health Records in the Cloud

Published: 23 April 2018

ABSTRACT

Health care institutions gather and store sensitive information from patients with the goal of providing the best care. The medical history of a patient is essential to guarantee that the right diagnosis is reached and to help the clinical staff act in the shortest time possible. This information is highly sensitive and must be kept private, available to the responsible staff only. At the same time, medical records should be accessible by any health care institution to ensure that a patient can be attended anywhere. To guarantee data availability, health care institutions rely on data repositories accessible through the internet. This creates a threat, since patient data can be accessed by unauthorized personnel. It is also extremely difficult to manage access to data using standard access control mechanisms, due to the vast number of users, groups and patients and the constant adjustment of privileges needed to maintain confidentiality.

This paper proposes a solution to the difficulty of managing user access control over a complex universe of user data while guaranteeing confidentiality when cloud computing services are used to store medical records.

Published in

W-P2DS'18: Proceedings of the 1st Workshop on Privacy by Design in Distributed Systems
April 2018
39 pages
ISBN: 9781450356541
DOI: 10.1145/3195258

Copyright © 2018 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers: research-article, Research, Refereed limited