AN ACCESS CONTROL MECHANISM TO ENSURE PRIVACY USING ATTRIBUTE BASED ENCRYPTION

Abstract

PHR contains patient’s personal data which should be protected from unauthorized access. There are laws such as The Health Insurance Portability and Accountability Act (HIPAA) which protects the health records of an individual. In this work we propose a novel approach, of how a patient can maintain the privacy of his health records. We use Ciphertext-Policy Attribute-Based Encryption (CP-ABE) for confidentiality of records. To make the system more secure, we have features like revocation. Whenever a Medical Personnel is found doing malicious behavior, we can revocate him from the system. Also, if the patient loses his attribute key, we can revocate the patient so that unauthorized access to the records can be avoided. We have also implemented the concept of break the glass in our system. In case of emergency, normal access policy is overridden and emergency staff is able to access patient’s health records. To provide better health services, we have delegation in our system. A doctor of one hospital may like to consult a doctor of another hospital. For consultation purpose the doctor will delegate part of his key to another doctor, so that the other doctor can also decrypt the records. At any time, delegated key can be revoked. In the system, all the medical personnel are not given write access. Whenever a Medical Personnel wants to write on patient’s records, he has to prove his write access to the patient, only then the patient will accept the updated records. All the reads and writes to the health records are audited so that any malicious behavior can be detected and avoided in the future. Extensive experimental results are presented which show the efficiency of our proposed system.