Audit-Based Access Control with a Distributed Ledger: Applications to Healthcare Organizations

  • Conference paper
  • Security and Trust Management (STM 2019)

Abstract

We propose an audit-based architecture that leverages the Hyperledger Fabric distributed ledger as a means to increase accountability and decentralize the authorization decision process of Attribute-Based Access Control policies by using smart contracts. Our goal is to decrease the trust in administrators and users with privileged accounts, and make the a posteriori verification of access events more reliable. We implement our approach to the use case of Electronic Health Record access control. Preliminary experiments show the viability of the proposed approach.
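As an added illustration of the architecture the abstract describes (this is not the paper's or the AuBACE project's code), the following Go sketch models a chaincode-style ABAC decision that is recorded in a hash-chained audit log and later verified by an auditor. Assumptions: the Fabric ledger is replaced by an in-memory slice on a single peer, and the subject/record attributes and the single policy rule are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample attribute schema for subjects and EHR records.
type Subject struct{ ID, Role, Ward string }
type Record struct{ PatientID, Ward string }

// AuditEntry is written for every request, granted or denied; PrevHash chains entries.
type AuditEntry struct {
	Seq                         int
	SubjectID, Patient, Purpose string
	Granted                     bool
	PrevHash, Hash              string
}

// Ledger stands in for the Fabric ledger (assumption: in-memory, single peer).
type Ledger struct{ entries []AuditEntry }

// Evaluate is a toy ABAC rule: physicians may access records of patients in
// their own ward, and only for the purpose of treatment.
func Evaluate(s Subject, r Record, purpose string) bool {
	return s.Role == "physician" && s.Ward == r.Ward && purpose == "treatment"
}

func hashEntry(e AuditEntry) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s|%t|%s",
		e.Seq, e.SubjectID, e.Patient, e.Purpose, e.Granted, e.PrevHash)))
	return hex.EncodeToString(sum[:])
}

// RequestAccess decides and records the decision in one step, so no access
// event can happen without leaving a ledger entry.
func (l *Ledger) RequestAccess(s Subject, r Record, purpose string) bool {
	e := AuditEntry{Seq: len(l.entries), SubjectID: s.ID, Patient: r.PatientID,
		Purpose: purpose, Granted: Evaluate(s, r, purpose)}
	if e.Seq > 0 {
		e.PrevHash = l.entries[e.Seq-1].Hash
	}
	e.Hash = hashEntry(e)
	l.entries = append(l.entries, e)
	return e.Granted
}

// Verify replays the chain; an auditor uses it to detect edited or deleted entries.
func (l *Ledger) Verify() bool {
	prev := ""
	for i, e := range l.entries {
		if e.Seq != i || e.PrevHash != prev || hashEntry(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}
```

In a real deployment the chain integrity comes from Fabric's block hashing and peer consensus rather than from this in-process chain; the sketch only shows why a denied request must be logged as faithfully as a granted one.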


Notes

  1. https://github.com/stfbk/AuBACE.

  2. Tests were run using Apache JMeter [19] version 5 on a server equipped with an Intel Xeon E3-1240 V2 3.40 GHz CPU and 16 GB RAM.

References

  1. Alizadeh, M., Lu, X., Fahland, D., Zannone, N., van der Aalst, W.M.: Linking data and process perspectives for conformance analysis. Comput. Secur. 73, 172–193 (2018). https://doi.org/10.1016/j.cose.2017.10.010


  2. Androulaki, E., et al.: Hyperledger fabric: a distributed operating system for permissioned blockchains. In: EuroSys 2018. ACM, New York (2018). https://doi.org/10.1145/3190508.3190538

  3. Azaria, A., Ekblaw, A., Vieira, T., Lippman, A.: MedRec: using blockchain for medical data access and permission management. In: OBD 2016, pp. 25–30. IEEE (2016). https://doi.org/10.1109/OBD.2016.11

  4. Introduction to oracles. Corda online documentation v3.3. https://docs.corda.net/oracles.html

  5. Dekker, M.A., Etalle, S.: Audit-based access control for electronic health records. Electron. Notes Theor. Comput. Sci. 168, 221–236 (2007). https://doi.org/10.1016/j.entcs.2006.08.028


  6. Di Francesco Maesa, D., Mori, P., Ricci, L.: Blockchain based access control. In: Chen, L.Y., Reiser, H.P. (eds.) DAIS 2017. LNCS, vol. 10320, pp. 206–220. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59665-5_15


  7. ENISA: Distributed Ledger Technology & Cybersecurity (2017). https://doi.org/10.2824/80997. https://www.enisa.europa.eu/publications/blockchain-security

  8. EU: General Data Protection Regulation (GDPR) (2016). https://data.europa.eu/eli/reg/2016/679/2016-05-04

  9. Ferraiolo, D., Chandramouli, R., Hu, V., Kuhn, R.: A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). NIST (2016). https://doi.org/10.6028/NIST.SP.800-178

  10. Fisher, B., et al.: Attribute-Based Access Control. NIST (2017). https://nccoe.nist.gov/projects/building-blocks/attribute-based-access-control

  11. Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10


  12. Hyperledger fabric documentation. https://hyperledger-fabric.readthedocs.io/

  13. Hölbl, M., Kompara, M., Kamišalić, A., Nemec Zlatolas, L.: A systematic review of the use of blockchain in healthcare. Symmetry 10(10) (2018). https://doi.org/10.3390/sym10100470


  14. Hu, V., et al.: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST (2014). https://doi.org/10.6028/NIST.SP.800-162

  15. Hyperledger Performance and Scale Working Group (PSWG): Hyperledger Blockchain Performance Metrics. https://www.hyperledger.org/resources/publications/blockchain-performance-metrics

  16. IETF RFC: JSON Web Token (JWT) (2015). https://tools.ietf.org/html/rfc7519

  17. IETF RFC: Automatic Certificate Management Environment (ACME) (2019). https://tools.ietf.org/html/rfc8555

  18. Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31540-4_4


  19. Apache JMeter. https://jmeter.apache.org/

  20. Lampson, B.: Practical principles for computer security, NATO Security through Science Series - D: Information and Communication Security, vol. 9, pp. 151–195. IOS Press (2007)


  21. Liang, X., Zhao, J., Shetty, S., Liu, J., Li, D.: Integrating blockchain for data sharing and collaboration in mobile healthcare applications. In: PIMRC, pp. 1–5. IEEE (2017). https://doi.org/10.1109/PIMRC.2017.8292361

  22. Glossary of key information security terms. https://csrc.nist.gov/glossary

  23. OASIS: The eXtensible Access Control Markup Language (XACML) (2013). https://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf

  24. Dias, J.P., Sereno Ferreira, H., Martins, Â.: A blockchain-based scheme for access control in e-health scenarios. In: Madureira, A.M., Abraham, A., Gandhi, N., Silva, C., Antunes, M. (eds.) SoCPaR 2018. AISC, vol. 942, pp. 238–247. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-17065-3_24


  25. Sandhu, R., Samarati, P.: Authentication, access control, and audit. ACM Comput. Surv. (CSUR) 28(1), 241–243 (1996). https://doi.org/10.1145/234313.234412


  26. Thakkar, P., Nathan, S., Viswanathan, B.: Performance benchmarking and optimizing hyperledger fabric blockchain platform. In: MASCOTS 2018, pp. 264–276. IEEE (2018). https://doi.org/10.1109/MASCOTS.2018.00034

  27. Tschantz, M.C., Datta, A., Wing, J.M.: Formalizing and enforcing purpose restrictions in privacy policies. In: S&P 2012, pp. 176–190. IEEE (2012). https://doi.org/10.1109/SP.2012.21

  28. Verizon: Data breach investigations report (2018). https://enterprise.verizon.com/resources/reports/2018/DBIR_2018_Report.pdf

  29. Verizon: Protected health information data breach report (2018). https://enterprise.verizon.com/resources/reports/phi/

  30. Yaga, D., Mell, P., Roby, N., Scarfone, K.: Blockchain Technology Overview. NIST (2018). https://doi.org/10.6028/NIST.IR.8202

  31. Zhang, P., White, J., Schmidt, D.C., Lenz, G., Rosenbloom, S.T.: FHIRChain: applying blockchain to securely and scalably share clinical data. Comput. Struct. Biotechnol. J. 16, 267–278 (2018). https://doi.org/10.1016/j.csbj.2018.07.004


  32. Zyskind, G., Nathan, O., Pentland, A.S.: Decentralizing privacy: using blockchain to protect personal data. In: SPW, pp. 180–184. IEEE (2015). https://doi.org/10.1109/SPW.2015.27

Corresponding author

Correspondence to Alessandro Tomasi.

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Morelli, U., Ranise, S., Sartori, D., Sciarretta, G., Tomasi, A. (2019). Audit-Based Access Control with a Distributed Ledger: Applications to Healthcare Organizations. In: Mauw, S., Conti, M. (eds) Security and Trust Management. STM 2019. Lecture Notes in Computer Science, vol 11738. Springer, Cham. https://doi.org/10.1007/978-3-030-31511-5_2

  • DOI: https://doi.org/10.1007/978-3-030-31511-5_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-31510-8

  • Online ISBN: 978-3-030-31511-5
