short-paper

Securing electronic medical records using attribute-based encryption on mobile devices

Authors:

Joseph A. Akinyele,

Matthew W. Pagano,

Matthew D. Green,

Christoph U. Lehmann,

Zachary N.J. Peterson,

Aviel D. RubinAuthors Info & Claims

SPSM '11: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices

Pages 75 - 86

https://doi.org/10.1145/2046614.2046628

Published: 17 October 2011 Publication History

Abstract

We provide a design and implementation of self-protecting electronic medical records (EMRs) using attribute-based encryption on mobile devices. Our system allows healthcare organizations to export EMRs to locations outside of their trust boundary. In contrast to previous approaches, our solution is designed to maintain EMR availability even when providers are offline, i.e., where network connectivity is not available. To balance the needs of emergency care and patient privacy, our system is designed to provide fine-grained encryption and is able to protect individual items within an EMR, where each encrypted item may have its own access control policy. We implemented a prototype system using a new key- and ciphertext-policy attribute-based encryption library that we developed. Our implementation, which includes an iPhone app for storing and managing EMRs offline, allows for flexible and automated policy generation. An evaluation of our design shows that our ABE library performs well, has acceptable storage requirements, and is practical and usable on modern smartphones.

References

[1]

Advance Directives Information Sheet. http://www.mva.maryland.gov/Resources/AdvanceDirective.pdf.

[2]

iPhone Developer Reference. http://developer.apple.com/iPhone/library/navigation/index.html.

[3]

Stanford Pairing-Based Crypto Library. http://crypto.stanford.edu/pbc/.

[4]

War in the fifth domain. The Economist, 396(8689), 2010.

[5]

104th United States Congress. Health Insurance Portability and Accountability A (HIPPA), 1996. http://aspe.hhs.gov/admnsimp/pl104191.htm; Last access: August 16, 2004.

[6]

Gail-Joon Ahn and Badrinath Mohan. Role-based authorization in decentralized health care environments. In 18th ACM on Applied Computing, 2003.

Digital Library

[7]

ASTM International. ASTM E2369 - 05e1 Standard Specification for Continuity of Care Record (CCR), 2009.

[8]

Moritz Y. Becker and Peter Sewell. Cassandra: flexible trust management, applied to electronic health records. In 17th IEEE CSFW, 2004.

Digital Library

[9]

Josh Benaioh, Melissa Chase, Eric Horvitz, and Kristin Lauter. Patient controlled encryption: Ensuring privacy of electronic medical records. In ACM CCSW '09, pages 103--114. ACM, 2009.

Digital Library

[10]

John Bethencourt. Ciphertext-policy Attribute-Based Encryption library, 2006. Available at http://acsc.cs.utexas.edu/cpabe/.

Digital Library

[11]

John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryption. In 2007 IEEE Security and Privacy, pages 321--334. IEEE Computer Society, 2007.

Digital Library

[12]

Alexandra Boldyreva, Vipul Goyal, and Virendra Kumar. Identity-based encryption with efficient revocation. In 15th ACM CCS '08, pages 417--426. ACM, 2008.

Digital Library

[13]

Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, and Giuseppe Persiano. Public key encryption with keyword search. In EUROCRYPT '04, volume 3027 of LNCS, pages 506--522. Springer, 2004.

[14]

Carol Franc Buck. Designing a consumer-centered personal health record. Technical report, California Health Foundation, March 2007.

[15]

United States Congress. Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), 2009.

[16]

Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for fine-grained access control of encrypted data. In 13th ACM CCS '06, pages 89--98. ACM, 2006.

Digital Library

[17]

Matthew Green, Susan Hohenberger, and Brent Waters. Outsourcing the decryption of ABE ciphertexts. In In Proceedings of USENIX Security 2011, 2011.

Digital Library

[18]

Live Hacking. Android browser data stealing vulnerability, 2010. http://www.livehacking.com/2010/11/23/android-browser-data-stealing-vulnerability/.

[19]

Health Level Seven, Inc. and ASTM International. Continuity of Care Document (CCD), 2009.

[20]

Luan Ibraimi, Muhammad Asim, and Milan Petkovic. Secure management of personal health records by applying attribute-based encryption, July 2009.

[21]

Luan Ibraimi, Milan Petkovic, Svetla Nikova, Pieter Hartel, and Willem Jonker. Mediated ciphertext-policy attribute-based encryption and its application. In WISA, 2009.

Digital Library

[22]

George R. Kim and Christoph U. Lehmann. Pediatric aspects of inpatient health information technology systems. In Pediatrics, volume 122, 2008.

[23]

Nicole Lewis. EMR data theft booming. InformationWeek, 2010.

[24]

Allison Lewko, Amit Sahai, and Brent Waters. Revocation systems with very small private keys. In IEEE Symposium on Security and Privacy. IEEE, 2010.

Digital Library

[25]

Sarah A. Lister. Hurricane Katrina: The public health and medical response. CRS Report for Congress, September 2005.

[26]

Steve Lohr. G.E. and Intel join forces on health technologies. New York Times, 3 April 2009.

[27]

Feisal Nanji. Security challenges of electronic medical records. ComputerWorld, 2009.

[28]

Shivaramakrishnan Narayan, Martin Gagne, and Reihaneh Safavi-Naini. Privacy preserving ehr system using attribute-based infrastructure. In ACM CCSW, 2010.

Digital Library

[29]

M. Pirretti, P. Traynor, P. McDaniel, and B. Waters. Secure atrribute-based systems. In ACM CCS '06, 2006.

Digital Library

[30]

QuantiaMD. Patient privacy concerns are 1 barrier to doctor adoption of mobile devices, 2011. http://blog.veriphyr.com/2011/06/patient-privacy-tablet-smartphone.html.

[31]

Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In Advances in Cryptology, EUROCRYPT, pages 457--473, 2005.

Digital Library

[32]

R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. In IEEE Computer, 1996.

Digital Library

[33]

Paul C. Tang, Joan S. Ash, David W. Bates, J. Marc Overhage, and Daniel Z. Sands. Personal health records: Definitions, benefits, and strategies for overcoming barriers to adoption. Journal of the American Medical Informatics Association, 13(2):121--126, 2006.

[34]

Patrick Traynor, Kevin Butler, William Enck, and Patrick McDaniel. Realizing massive-scale conditional access systems through attribute-based cryptosystems. In In Proceedings of the ISOC Network & Distributed System Security Symposium (NDSS), 2008.

[35]

Micky Tripathi, David Delano, Barbara Lund, and Lynda Rudolph. Engaging patients for health information exchange. Health Affairs, 28(2):435--443, March 2009.

[36]

U.S. Department of Health and Human Services. The nationwide privacy and security framework for electronic exchange of individually identifiable health information. ONC for Health Information Technology, December 2008.

[37]

Brent Waters. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. Cryptology ePrint Archive, Report 2008/290, 2008.

[38]

Brent Waters. Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In Advances in Cryptology CRYPTO 2009, pages 619--636. Springer, 2009.

Digital Library

[39]

Wei-Chuen Yau, Swee-Huay Heng, and Bok-Min Goi. Off-line keyword guessing attacks on recent public key encryption with keyword search schemes. In Autonomic and TC, volume 5060 of Lecture in CS, pages 100--105. Springer Berlin / Heidelberg, 2008.

Digital Library

[40]

Longhua Zhang, Gail-Joon Ahn, and Bei-Tseng Chu. A role-based delegation framework for healthcare information systems. In ACM SACMAT, 2002.

Digital Library

Cited By

Masenya T(2024)Digital Preservation and Management of Medical RecordsInclusivity and Accessibility in Digital Health10.4018/979-8-3693-1463-0.ch005(62-77)Online publication date: 26-Apr-2024
https://doi.org/10.4018/979-8-3693-1463-0.ch005
Ge CLiu ZSusilo WFang LWang H(2024)Attribute-Based Encryption With Reliable Outsourced Decryption in Cloud Computing Using Smart ContractIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.326593221:2(937-948)Online publication date: Mar-2024
https://doi.org/10.1109/TDSC.2023.3265932
Walid RJoshi KChoi S(2024)Comparison of attribute-based encryption schemes in securing healthcare systemsScientific Reports10.1038/s41598-024-57692-w14:1Online publication date: 26-Mar-2024
https://doi.org/10.1038/s41598-024-57692-w
Show More Cited By

Index Terms

Securing electronic medical records using attribute-based encryption on mobile devices
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Attribute-based encryption schemes with constant-size ciphertexts

Attribute-based encryption (ABE), as introduced by Sahai and Waters, allows for fine-grained access control on encrypted data. In its key-policy flavor (the dual ciphertext-policy scenario proceeds the other way around), the primitive enables senders to ...
Flexible attribute-based encryption applicable to secure e-healthcare records

In e-healthcare record systems (EHRS), attribute-based encryption (ABE) appears as a natural way to achieve fine-grained access control on health records. Some proposals exploit key-policy ABE (KP-ABE) to protect privacy in such a way that all users are ...
Scalable and Secure Sharing of Personal Health Records in Cloud Computing Using Attribute-Based Encryption

Personal health record (PHR) is an emerging patient-centric model of health information exchange, which is often outsourced to be stored at a third party, such as cloud providers. However, there have been wide privacy concerns as personal health ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SPSM '11: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices

October 2011

96 pages

ISBN:9781450310000

DOI:10.1145/2046614

General Chair:
Xuxian Jiang
North Carolina State University
,
Program Chairs:
Amiya Bhattacharya
Arizona State University
,
Partha Dasgupta
Arizona State University
,
William Enck
North Carolina State University

Copyright � 2011 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 October 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper

Conference

CCS'11

Sponsor:

SIGSAC

CCS'11: the ACM Conference on Computer and Communications Security

October 17, 2011

Illinois, Chicago, USA

Acceptance Rates

Overall Acceptance Rate 46 of 139 submissions, 33%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

135
Total Citations
View Citations
1,886
Total Downloads

Downloads (Last 12 months)39
Downloads (Last 6 weeks)2

Reflects downloads up to 22 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Masenya T(2024)Digital Preservation and Management of Medical RecordsInclusivity and Accessibility in Digital Health10.4018/979-8-3693-1463-0.ch005(62-77)Online publication date: 26-Apr-2024
https://doi.org/10.4018/979-8-3693-1463-0.ch005
Ge CLiu ZSusilo WFang LWang H(2024)Attribute-Based Encryption With Reliable Outsourced Decryption in Cloud Computing Using Smart ContractIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.326593221:2(937-948)Online publication date: Mar-2024
https://doi.org/10.1109/TDSC.2023.3265932
Walid RJoshi KChoi S(2024)Comparison of attribute-based encryption schemes in securing healthcare systemsScientific Reports10.1038/s41598-024-57692-w14:1Online publication date: 26-Mar-2024
https://doi.org/10.1038/s41598-024-57692-w
Revathi KManikandan T(2024)A smart and secured blockchain for children’s health monitoring using hybrid encryption and adaptive machine learning techniquesExpert Systems with Applications10.1016/j.eswa.2024.124689255(124689)Online publication date: Dec-2024
https://doi.org/10.1016/j.eswa.2024.124689
Belel ADutta RMukhopadhyay S(2024)Key-homomorphic and revocable ciphertext-policy attribute based key encapsulation mechanism for multimedia applicationsMultimedia Tools and Applications10.1007/s11042-024-18626-w83:33(78827-78859)Online publication date: 29-Feb-2024
https://doi.org/10.1007/s11042-024-18626-w
Luo HMei NDu C(2024)EMR sharing system with lightweight searchable encryption and rights managementCluster Computing10.1007/s10586-024-04294-w27:5(6341-6353)Online publication date: 28-Feb-2024
https://doi.org/10.1007/s10586-024-04294-w
Inshi SChowdhury ROuld-Slimane HTalhi C(2023)Secure Adaptive Context-Aware ABE for Smart EnvironmentsIoT10.3390/iot40200074:2(112-130)Online publication date: 20-Apr-2023
https://doi.org/10.3390/iot4020007
Sreeja Lekshmi R J R. Sowmiya (2023)Secure And Efficient Access Control Over Blockchain PHR Cloud Storage SystemInternational Journal of Scientific Research in Science and Technology10.32628/IJSRST52310539(312-321)Online publication date: 10-Sep-2023
https://doi.org/10.32628/IJSRST52310539
Xu SNing JLi YZhang YXu GHuang XDeng R(2023)A Secure EMR Sharing System With Tamper Resistance and Expressive Access ControlIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2021.312653220:1(53-67)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TDSC.2021.3126532
Bianco GRaso EFiore LMazzaracchio VBracciale LArduini FLoreti PMarrocco GOcchiuzzi C(2023)UHF RFID and NFC Point-of-Care—Architecture, Security, and ImplementationIEEE Journal of Radio Frequency Identification10.1109/JRFID.2023.32684227(301-309)Online publication date: 2023
https://doi.org/10.1109/JRFID.2023.3268422
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents