The personal health record (PHR) is an emerging patient-centric model of health information exchange, and PHRs are often outsourced for storage at a third party, such as a cloud provider. However, there have been widespread privacy concerns, as personal health information could be exposed to those third-party servers and to unauthorized parties. Yet issues such as risks of privacy exposure, scalability in key management, flexible access, and efficient user revocation have remained the most important challenges toward achieving fine-grained, cryptographically enforced data access control. In this paper, we propose a novel patient-centric framework and a suite of mechanisms for data access control to PHRs stored in semitrusted servers. To achieve fine-grained and scalable data access control for PHRs, we leverage attribute-based encryption (ABE) techniques to encrypt each patient's PHR file. Unlike previous works in secure data outsourcing, we focus on the multiple data owner scenario and divide the users in the PHR system into multiple security domains, which greatly reduces the key management complexity for owners and users. A high degree of patient privacy is guaranteed simultaneously by exploiting multi-authority ABE. Our scheme also enables dynamic modification of access policies or file attributes, and supports efficient on-demand user/attribute revocation and break-glass access under emergency scenarios. Extensive analytical and experimental results are presented which show the security, scalability, and efficiency of our proposed scheme.
Personal health records, cloud computing, data privacy, fine-grained access control, attribute-based encryption.