Journal of Medical Systems

, 40:253 | Cite as

Patient-Controlled Attribute-Based Encryption for Secure Electronic Health Records System

  • Jieun Eom
  • Dong Hoon LeeEmail author
  • Kwangsu LeeEmail author
Systems-Level Quality Improvement
Part of the following topical collections:
  1. Security and Privacy in e-healthcare


In recent years, many countries have been trying to integrate electronic health data managed by each hospital to offer more efficient healthcare services. Since health data contain sensitive information of patients, there have been much research that present privacy preserving mechanisms. However, existing studies either require a patient to perform various steps to secure the data or restrict the patient to exerting control over the data. In this paper, we propose patient-controlled attribute-based encryption, which enables a patient (a data owner) to control access to the health data and reduces the operational burden for the patient, simultaneously. With our method, the patient has powerful control capability of his/her own health data in that he/she has the final say on the access with time limitation. In addition, our scheme provides emergency medical services which allow the emergency staffs to access the health data without the patient’s permission only in the case of emergencies. We prove that our scheme is secure under cryptographic assumptions and analyze its efficiency from the patient’s perspective.


Electronic health records Patient control Data privacy Cloud computing 



This research was supported by Samsung Research Funding Center of Samsung Electronics under Project Number SRFC-TB1403-03 and by Global PH.D Fellowship Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (No. 2013H1A2A1033834).


  1. 1.
    104th United States Congress. Health Insurance Portability and Accountability Act (HIPAA), 1996.
  2. 2.
    Abbas, A., and Khan, S. U. h., A review on the state-of-the-art privacy-preserving approaches in the e-health clouds. IEEE J. Biomed. Health Inf. 18(4):1431–1441, 2014.CrossRefGoogle Scholar
  3. 3.
    AbuKhousa, E., Mohamed, N., and Al-Jaroodi, J., e-health cloud: opportunities and challenges. Futur. Internet 4(3):621–645, 2012.CrossRefGoogle Scholar
  4. 4.
    Akinyele, J. A., Garman, C., Miers, I., Pagano, M. W., Rushanan, M., Green, M., and Rubin, A. D., Charm: a framework for rapidly prototyping cryptosystems. J. Cryptograph. Eng. 3(2):111–128, 2013.CrossRefGoogle Scholar
  5. 5.
    Akinyele, J. A., Pagano, M. W., Green, M. D., Lehmann, C. U., Peterson, Z. N. J., and Rubin, A. D., Securing electronic medical records using attribute-based encryption on mobile devices. In: SPSM’11, pp. 75–86. ACM (2011)Google Scholar
  6. 6.
    Fernȧndez Alemȧn, J. L., Carriȯn Seṅor, I., Lozoya, P. Ȧ. O., and Toval, A., Security and privacy in electronic health records: a systematic literature review. J. Biomed. Inf. 46(3):541–562, 2013.CrossRefGoogle Scholar
  7. 7.
    Benaloh, J., Chase, M., Horvitz, E., and Lauter, K. E., Patient controlled encryption: ensuring privacy of electronic medical records. In: CCSW 2009, pp. 103–114. ACM, 2009Google Scholar
  8. 8.
    Boneh, D., and Boyen, X., Efficient selective-id secure identity-based encryption without random oracles. In: Cachin, C., and Camenisch, J. (Eds.) Advances in Cryptology - EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pp. 223–238. Springer, 2004.Google Scholar
  9. 9.
    Chen, T.-S., Liu, C.-H., Chen, T.-L., Chen, C.-S., Bau, J.-G., and Lin, T.-C., Secure dynamic access control scheme of PHR in cloud computing. J. Med. Syst. 36(6):4005–4020, 2012.CrossRefPubMedGoogle Scholar
  10. 10.
    Dong, N., Jonker, H., and Pang, J., Challenges in ehealth: From enabling to enforcing privacy. In: Foundations of Health Informatics Engineering and Systems, pp. 195–206. Springer, 2011.Google Scholar
  11. 11.
    European Comission. Directive 95/46/EC on Data Protection - data protection in the area of public health, 2011.
  12. 12.
    Fabian, B., Ermakova, T., and Junghanns, P., Collaborative and secure sharing of healthcare data in multi- clouds. Inf. Syst. 48:132–150, 2015.CrossRefGoogle Scholar
  13. 13.
    Zhangjie, F., Ren, K., Shu, J., Sun, X., and Huang, F., Enabling personalized search over encrypted outsourced data with efficiency improvement. IEEE Trans. Parallel Distrib. Syst. 27(9):2546–2559, 2015.Google Scholar
  14. 14.
    Zhangjie, F., Sun, X., Qi, L., Zhou, L., and Shu, J., Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing. IEICE Trans. Commun. E98-B(1):190–200, 2015.CrossRefGoogle Scholar
  15. 15.
    Haas, S, Wohlgemuth, S., Echizen, I., Sonehara, N., and Mu̇ller, G., Aspects of privacy for electronic health records. I. J. Med. Inf. 80(2):e26–e31, 2011.CrossRefGoogle Scholar
  16. 16.
    Jiankun, H., Chen, H.-H., and Hou, T.-W., A hybrid public key infrastructure solution (HPKI) for HIPAA privacy/security regulations. Comput. Standards Interf. 32(5–6):274–280, 2010.Google Scholar
  17. 17.
    Lee, K., Self-updatable encryption with short public parameters and its extensions. Des. Codes Cryptograph. 79(1):121–161, 2016.CrossRefGoogle Scholar
  18. 18.
    Lee, K., Choi, S. G., Lee, D. H., Park, J. H., and Yung, M., Self-updatable encryption: Time constrained access control with hidden attributes and better efficiency. In: Sako, K., and Sarkar, P. (Eds.) Advances in Cryptology - ASIACRYPT 2013, volume 8269 of Lecture Notes in Computer Science, pp. 235–254. Springer ,2013.Google Scholar
  19. 19.
    Lee, W.-B., and Lee, C.-D., A cryptographic key management solution for HIPAA privacy/security regulations. IEEE Trans. Inf. Technol. Biomed. 12(1):34–41, 2008.CrossRefPubMedGoogle Scholar
  20. 20.
    Li, M., Shucheng, Y., Cao, N., and Lou, W., Authorized private keyword search over encrypted data in cloud computing. In: International Conference on Distributed Computing Systems, pp. 383–392. IEEE, 2011.Google Scholar
  21. 21.
    Li, M., Shucheng, Y., Ren, K., and Lou, W., Securing personal health records in cloud computing: Patient-centric and fine-grained data access control in multi-owner settings. In: SecureComm 2010, pp. 89–106. Springer, 2010.Google Scholar
  22. 22.
    Li, M., Shucheng, Y., Zheng, Y., Ren, K., and Lou, W., Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption. IEEE Trans. Parallel Distrib. Syst. 24(1):131–143, 2013.CrossRefGoogle Scholar
  23. 23.
    Liu, J., Huang, X., and Liu, J. K., Secure sharing of personal health records in cloud computing: Ciphertext-policy attribute-based signcryption. Futur. Gen. Comp. Syst. 52:67–76, 2015.CrossRefGoogle Scholar
  24. 24.
    Mandl, K. D., Simons, W. W., Crawford, W. C. R., and Abbett, J. M., Indivo: a personally controlled health record for health information exchange and communication. BMC Med. Inf. Decis. Making 7:25, 2007.CrossRefGoogle Scholar
  25. 25.
    Narayan, S., Gagnė, M., and Safavi-Naini, R., Privacy preserving EHR system using attribute-based infrastructure. In: CCSW 2010, pp. 47–52. ACM, 2010.Google Scholar
  26. 26.
    Neubauer, T., and Heurix, J., A methodology for the pseudonymization of medical data. I. J. Med. Inf. 80 (3):190–204, 2011.CrossRefGoogle Scholar
  27. 27.
    Prince, P. B., Krishnamoorthy, K., Anandaraj, R., Jeno Lovesum, S. P., Rsa-dabe: A novel approach for secure health data sharing in ubiquitous computing environment. Indian J. Sci. Technol. 8(17), 2015.Google Scholar
  28. 28.
    Bo, Q., Deng, H., Qianhong, W., Domingo-Ferrer, J., Naccache, D., and Zhou, Y., Flexible attribute-based encryption applicable to secure e-healthcare records. Int. J. Inf. Sec. 14(6):499–511, 2015.CrossRefGoogle Scholar
  29. 29.
    Rosenthal, A., Mork, P., Li, M.H., Stanford, J., Koester, D., and Reynolds, P., Cloud computing: A new business paradigm for biomedical information sharing. J. Biomed. Inf. 43(2):342–353, 2010.CrossRefGoogle Scholar
  30. 30.
    Rouselakis, Y., Waters, B., and Gligor, V. D., Practical constructions and new proof methods for large universe attribute-based encryption. In: Sadeghi, A.-R., and Yung, M. (Eds.) CCS 2013, pp. 463–474. ACM, 2013.Google Scholar
  31. 31.
    Shi, J., Lai, J., Li, Y., Deng, R. H., and Weng, J., Authorized keyword search on encrypted data. In: ESORICS 2014, vol. 8712, pp. 419–435. Springer, 2014.Google Scholar
  32. 32.
    Sunyaev, A., Chornyi, D., Mauro, C., and Krcmar, H., Evaluation framework for personal health records: Microsoft healthvault vs. google health. In: HICSS-43 2010, pp. 1–10. IEEE, 2010.Google Scholar
  33. 33.
    Szolovits, P., Doyle, J., Long, W. J, Kohane, I., and Pauker, S. G., Guardian angel: Patient-centered health information systems. Technical report, Cambridge, MA, USA, 1994.Google Scholar
  34. 34.
    Tang, P. C., Ash, J. S., Bates, D. W., Marc Overhage, J., and Sands, D. Z., Personal health records: Definitions, benefits, and strategies for overcoming barriers to adoption. JAMIA 13(2):121–126, 2006.PubMedPubMedCentralGoogle Scholar
  35. 35.
    U.S. Department of Health and Human Services. Health Information Technology for Economic and Clinical Health (HITECH) Act, 2009,
  36. 36.
    Wan, Z., Liu, J., Deng, R. H, HSBE: A hierarchical attribute-based solution for flexible and scalable access control in cloud computing. IEEE Trans. Inf. Forens. Secur. 7(2):743–754 , 2012.CrossRefGoogle Scholar
  37. 37.
    Wang, C., Xu, X.-L., Shi, D.-Y., Fang, J., Privacy-preserving cloud-based personal health record system using attribute-based encryption and anonymous multi-receiver identity-based encryption. Informatica 39(4), 2015.Google Scholar
  38. 38.
    Xia, Z., Wang, X., Sun, X., and Wang, Q., A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data. IEEE Trans. Parallel Distrib. Syst. 27(2):340–352, 2015.CrossRefGoogle Scholar
  39. 39.
    Yang, J.-J., Li, J., Niu, Y., A hybrid solution for privacy preserving medical data sharing in the cloud environment. Future Gen. Comp. Syst. 43–44:74–86, 2015.CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  1. 1.Graduate School of Information SecurityKorea UniversitySeoulSouth Korea
  2. 2.Department of Computer and Information SecuritySejong UniversitySeoulSouth Korea

Personalised recommendations