Cryptographic Access Control in Electronic Health Record Systems: A Security Implication

  • Pasupathy VimalachandranEmail author
  • Hua Wang
  • Yanchun Zhang
  • Guangping Zhuo
  • Hongbo Kuang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10570)


An electronic health record (EHR) system is designed to allow individuals and their health care providers to access their key health information online. These systems are considered more efficient, less error-prone and higher availability over traditional paper based systems. However, privacy and security concerns are arguably the major barriers in adoption of these systems globally including Australia. Individuals are unwilling to accept EHR systems unless they ensure their shared key health information is securely stored, a proper access control mechanism is used and any unauthorised disclosure is prevented. In this paper, we propose a cryptographic access control mechanism to protect the health information in EHR systems. We also developed a new encryption framework for the cryptographic access control to maintain a high level of protection. We systematically review the traditional cryptography methods to identify the weaknesses in order to overcome those weaknesses in our new method.


EMR concerns EHR PCEHR security 


  1. 1.
    Vimalachandran, P., Wang, H., Zhang, Y.: Securing electronic medical record and electronic health record systems through an improved access control. In: Yin, X., Ho, K., Zeng, D., Aickelin, U., Zhou, R., Wang, H. (eds.) HIS 2015. LNCS, vol. 9085, pp. 17–30. Springer, Cham (2015). doi: 10.1007/978-3-319-19156-0_3 Google Scholar
  2. 2.
    Pearce, C.: Electronic Medical Records - Where to from Here?. Professional Practice, Melbourne (2009)Google Scholar
  3. 3.
    McInnes, D.K., Slatman, D.C., Kidd, M.R.: General practitioners’ use of computers for prescribing and electronic health records: results from a national survey, Australia (2011). Accessed 12 Mar 2016
  4. 4.
    Iakovidis, I.: Towards personal health record: current situation, obstacles and trends in implementation of electronic healthcare records in europe. Int. J. Med. Inform. 52(128), 105–117 (1998)CrossRefGoogle Scholar
  5. 5.
    Shekelle, P., Morton, S.C., Keeler, E.B.: Costs and Benefits of Health Information Technology. Evidence Reports/Technology Assessments, No. 132 (2006)Google Scholar
  6. 6.
    Rash, M.C.: Privacy concerns hinder electronic medical records. Bus. J. Greater Triad Area (2005) Google Scholar
  7. 7.
    Department of Health: Get your personal eHealth record now. Department of Health, Canberra (2013). Accessed 10 Mar 2015
  8. 8.
    Glance, D.: Is the Government’s Missed Health Record Target Meaningful?. The Conversation, Melbourne (2013)Google Scholar
  9. 9.
    Dunlevy, S.: Taxpayers Have Spent More than $1 Billion on a Digital Health Record that Doctors Won’t Use. News.Com, Melbourne (2015)Google Scholar
  10. 10.
    Royle, R.: Review of the Personally Controlled Electronic Health Record, Department of Health, Canberra, pp. 13–15 (2013)Google Scholar
  11. 11.
    Bosch, M., et al.: Review article: effectiveness of patient care teams and the role of clinical expertise and coordination: a literature review. Med. Care Res. Rev. (2009)Google Scholar
  12. 12.
    Ray, P., Wimalasiri, J.: The need for technical solutions for maintaining the privacy of EHR. In: Proceedings of 28th IEEE EMBS Annual International Conference, pp. 4686–4689, September 2006Google Scholar
  13. 13.
    Mont, M.C., Bramhall, P., Harrison, K.: A flexible role-based secure messaging service: exploiting IBE technology for privacy in health care. In: Proceedings of 14th International Workshop on Database and Expert Systems Applications (DEXA 2003) (2003)Google Scholar
  14. 14.
    Lee, W.-B., Lee, C.-D.: A cryptographic key management solution for HIPAA privacy/security regulations. IEEE Trans. Inf. Technol. Biomed. 12, 34–41 (2008)CrossRefGoogle Scholar
  15. 15.
    Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006)Google Scholar
  16. 16.
    Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). doi: 10.1007/11426639_27 CrossRefGoogle Scholar
  17. 17.
    Blaze, M.: A cryptographic file system for UNIX. In: ACM Conference on Computer and Communications Security, pp. 158–165 (1993)Google Scholar
  18. 18.
    Fu, K.: Group sharing and random access in cryptographic storage file systems. Master’s thesis, Massachusetts Institute of Technology, June 1999Google Scholar
  19. 19.
    Tan, C.C., Wang, H., Zhong, S., Li, Q.: Body sensor network security: an identity-based cryptography approach. In: The ACM Conference on Wireless Network Security (WiSec 2008), April 2008Google Scholar
  20. 20.
    Zhang, L., Ahn, G.J., Chu, B.T.: A rule-based framework for role based delegation and revocation. ACM Trans. Inf. Syst. Secur. 6(3), 404–441 (2003)CrossRefGoogle Scholar
  21. 21.
    Bao, S.-D., Zhang, Y.-T., Shen, L.-F.: Physiological signal based entity authentication for body area sensor networks and mobile healthcare systems. In: Proceedings of 28th IEEE EMBS Annual International Conference, pp. 58–65, September 2005Google Scholar
  22. 22.
    Wang, H., Cao, J., Zhang, Y.: A flexible payment scheme and its role-based access control. IEEE Trans. Knowl. Data Eng. 17(3), 425–436 (2005)CrossRefGoogle Scholar
  23. 23.
    Sun, X., Li, M., Wang, H.: A family of enhanced (L, α)-diversity models for privacy preserving data publishing. Future Gener. Comput. Syst. 27(3), 348–356 (2011)CrossRefGoogle Scholar
  24. 24.
    Wang, H., Zhang, Y., Cao, J.: Effective collaboration with information sharing in virtual universities. IEEE Trans. Knowl. Data Eng. 21(6), 840–853 (2009)CrossRefGoogle Scholar
  25. 25.
    Kabir, M.E., Wang, H., Bertino, E.: A conditional purpose-based access control model with dynamic roles. Expert Syst. Appl. 38(3), 1482–1489 (2011)CrossRefGoogle Scholar
  26. 26.
    Sun, X., et al.: Injecting purpose and trust into data anonymization. Comput. Secur. 30(5), 332–345 (2011)CrossRefGoogle Scholar
  27. 27.
    Kabir, M.E., et al.: Efficient systematic clustering method for k-anonymization. Acta Informatica 48(1), 51–66 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Sun, X., et al.: Satisfying privacy requirements before data anonymization. Comput. J. 55(4), 422–437 (2012)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Pasupathy Vimalachandran
    • 1
    Email author
  • Hua Wang
    • 1
  • Yanchun Zhang
    • 1
  • Guangping Zhuo
    • 2
  • Hongbo Kuang
    • 3
  1. 1.Centre for Applied Informatics College of Engineering and ScienceVictoria UniversityMelbourneAustralia
  2. 2.Department of Computer ScienceTaiyuan Normal UniversityTaiyuanChina
  3. 3.Bistone Information Technology Ltd, Ahjie Pty LtdSydneyAustralia

Personalised recommendations