short-paper

Securing electronic medical records using attribute-based encryption on mobile devices

Authors:
Joseph A. Akinyele

Johns Hopkins University, Baltimore, MD, USA

Johns Hopkins University, Baltimore, MD, USA
View Profile

,
Matthew W. Pagano

Johns Hopkins University, Baltimore, MD, USA

Johns Hopkins University, Baltimore, MD, USA
View Profile

,
Matthew D. Green

Johns Hopkins University, Baltimore, MD, USA

Johns Hopkins University, Baltimore, MD, USA
View Profile

,
Christoph U. Lehmann

Johns Hopkins Medical Institutions, Baltimore, MD, USA

Johns Hopkins Medical Institutions, Baltimore, MD, USA
View Profile

,
Zachary N.J. Peterson

Naval Postgraduate School, Baltimore, MD, USA

Naval Postgraduate School, Baltimore, MD, USA
View Profile

,
Aviel D. Rubin

Johns Hopkins University, Baltimore, MD, USA

Johns Hopkins University, Baltimore, MD, USA
View Profile

SPSM '11: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devicesOctober 2011Pages 75–86https://doi.org/10.1145/2046614.2046628

Published:17 October 2011Publication History

SPSM '11: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices

Pages 75–86

ABSTRACT

We provide a design and implementation of self-protecting electronic medical records (EMRs) using attribute-based encryption on mobile devices. Our system allows healthcare organizations to export EMRs to locations outside of their trust boundary. In contrast to previous approaches, our solution is designed to maintain EMR availability even when providers are offline, i.e., where network connectivity is not available. To balance the needs of emergency care and patient privacy, our system is designed to provide fine-grained encryption and is able to protect individual items within an EMR, where each encrypted item may have its own access control policy. We implemented a prototype system using a new key- and ciphertext-policy attribute-based encryption library that we developed. Our implementation, which includes an iPhone app for storing and managing EMRs offline, allows for flexible and automated policy generation. An evaluation of our design shows that our ABE library performs well, has acceptable storage requirements, and is practical and usable on modern smartphones.

References

Advance Directives Information Sheet. http://www.mva.maryland.gov/Resources/AdvanceDirective.pdf.Google Scholar
iPhone Developer Reference. http://developer.apple.com/iPhone/library/navigation/index.html.Google Scholar
Stanford Pairing-Based Crypto Library. http://crypto.stanford.edu/pbc/.Google Scholar
War in the fifth domain. The Economist, 396(8689), 2010.Google Scholar
104th United States Congress. Health Insurance Portability and Accountability A (HIPPA), 1996. http://aspe.hhs.gov/admnsimp/pl104191.htm; Last access: August 16, 2004.Google Scholar
Gail-Joon Ahn and Badrinath Mohan. Role-based authorization in decentralized health care environments. In 18th ACM on Applied Computing, 2003. Google ScholarDigital Library
ASTM International. ASTM E2369 - 05e1 Standard Specification for Continuity of Care Record (CCR), 2009.Google Scholar
Moritz Y. Becker and Peter Sewell. Cassandra: flexible trust management, applied to electronic health records. In 17th IEEE CSFW, 2004. Google ScholarDigital Library
Josh Benaioh, Melissa Chase, Eric Horvitz, and Kristin Lauter. Patient controlled encryption: Ensuring privacy of electronic medical records. In ACM CCSW '09, pages 103--114. ACM, 2009. Google ScholarDigital Library
John Bethencourt. Ciphertext-policy Attribute-Based Encryption library, 2006. Available at http://acsc.cs.utexas.edu/cpabe/. Google ScholarDigital Library
John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryption. In 2007 IEEE Security and Privacy, pages 321--334. IEEE Computer Society, 2007. Google ScholarDigital Library
Alexandra Boldyreva, Vipul Goyal, and Virendra Kumar. Identity-based encryption with efficient revocation. In 15th ACM CCS '08, pages 417--426. ACM, 2008. Google ScholarDigital Library
Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, and Giuseppe Persiano. Public key encryption with keyword search. In EUROCRYPT '04, volume 3027 of LNCS, pages 506--522. Springer, 2004.Google Scholar
Carol Franc Buck. Designing a consumer-centered personal health record. Technical report, California Health Foundation, March 2007.Google Scholar
United States Congress. Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), 2009.Google Scholar
Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for fine-grained access control of encrypted data. In 13th ACM CCS '06, pages 89--98. ACM, 2006. Google ScholarDigital Library
Matthew Green, Susan Hohenberger, and Brent Waters. Outsourcing the decryption of ABE ciphertexts. In In Proceedings of USENIX Security 2011, 2011. Google ScholarDigital Library
Live Hacking. Android browser data stealing vulnerability, 2010. http://www.livehacking.com/2010/11/23/android-browser-data-stealing-vulnerability/.Google Scholar
Health Level Seven, Inc. and ASTM International. Continuity of Care Document (CCD), 2009.Google Scholar
Luan Ibraimi, Muhammad Asim, and Milan Petkovic. Secure management of personal health records by applying attribute-based encryption, July 2009.Google Scholar
Luan Ibraimi, Milan Petkovic, Svetla Nikova, Pieter Hartel, and Willem Jonker. Mediated ciphertext-policy attribute-based encryption and its application. In WISA, 2009. Google ScholarDigital Library
George R. Kim and Christoph U. Lehmann. Pediatric aspects of inpatient health information technology systems. In Pediatrics, volume 122, 2008.Google Scholar
Nicole Lewis. EMR data theft booming. InformationWeek, 2010.Google Scholar
Allison Lewko, Amit Sahai, and Brent Waters. Revocation systems with very small private keys. In IEEE Symposium on Security and Privacy. IEEE, 2010. Google ScholarDigital Library
Sarah A. Lister. Hurricane Katrina: The public health and medical response. CRS Report for Congress, September 2005.Google Scholar
Steve Lohr. G.E. and Intel join forces on health technologies. New York Times, 3 April 2009.Google Scholar
Feisal Nanji. Security challenges of electronic medical records. ComputerWorld, 2009.Google Scholar
Shivaramakrishnan Narayan, Martin Gagne, and Reihaneh Safavi-Naini. Privacy preserving ehr system using attribute-based infrastructure. In ACM CCSW, 2010. Google ScholarDigital Library
M. Pirretti, P. Traynor, P. McDaniel, and B. Waters. Secure atrribute-based systems. In ACM CCS '06, 2006. Google ScholarDigital Library
QuantiaMD. Patient privacy concerns are 1 barrier to doctor adoption of mobile devices, 2011. http://blog.veriphyr.com/2011/06/patient-privacy-tablet-smartphone.html.Google Scholar
Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In Advances in Cryptology, EUROCRYPT, pages 457--473, 2005. Google ScholarDigital Library
R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. In IEEE Computer, 1996. Google ScholarDigital Library
Paul C. Tang, Joan S. Ash, David W. Bates, J. Marc Overhage, and Daniel Z. Sands. Personal health records: Definitions, benefits, and strategies for overcoming barriers to adoption. Journal of the American Medical Informatics Association, 13(2):121--126, 2006.Google ScholarCross Ref
Patrick Traynor, Kevin Butler, William Enck, and Patrick McDaniel. Realizing massive-scale conditional access systems through attribute-based cryptosystems. In In Proceedings of the ISOC Network & Distributed System Security Symposium (NDSS), 2008.Google Scholar
Micky Tripathi, David Delano, Barbara Lund, and Lynda Rudolph. Engaging patients for health information exchange. Health Affairs, 28(2):435--443, March 2009.Google ScholarCross Ref
U.S. Department of Health and Human Services. The nationwide privacy and security framework for electronic exchange of individually identifiable health information. ONC for Health Information Technology, December 2008.Google Scholar
Brent Waters. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. Cryptology ePrint Archive, Report 2008/290, 2008.Google Scholar
Brent Waters. Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In Advances in Cryptology CRYPTO 2009, pages 619--636. Springer, 2009. Google ScholarDigital Library
Wei-Chuen Yau, Swee-Huay Heng, and Bok-Min Goi. Off-line keyword guessing attacks on recent public key encryption with keyword search schemes. In Autonomic and TC, volume 5060 of Lecture in CS, pages 100--105. Springer Berlin / Heidelberg, 2008. Google ScholarDigital Library
Longhua Zhang, Gail-Joon Ahn, and Bei-Tseng Chu. A role-based delegation framework for healthcare information systems. In ACM SACMAT, 2002. Google ScholarDigital Library

Index Terms

Securing electronic medical records using attribute-based encryption on mobile devices
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Attribute-based encryption schemes with constant-size ciphertexts

Attribute-based encryption (ABE), as introduced by Sahai and Waters, allows for fine-grained access control on encrypted data. In its key-policy flavor (the dual ciphertext-policy scenario proceeds the other way around), the primitive enables senders to ...
Read More
Flexible attribute-based encryption applicable to secure e-healthcare records

In e-healthcare record systems (EHRS), attribute-based encryption (ABE) appears as a natural way to achieve fine-grained access control on health records. Some proposals exploit key-policy ABE (KP-ABE) to protect privacy in such a way that all users are ...
Read More
Scalable and Secure Sharing of Personal Health Records in Cloud Computing Using Attribute-Based Encryption

Personal health record (PHR) is an emerging patient-centric model of health information exchange, which is often outsourced to be stored at a third party, such as cloud providers. However, there have been wide privacy concerns as personal health ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SPSM '11: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
October 2011
96 pages
ISBN:9781450310000
DOI:10.1145/2046614
General Chair:
Xuxian Jiang
North Carolina State University
,
Program Chairs:
Amiya Bhattacharya
Arizona State University
,
Partha Dasgupta
Arizona State University
,
William Enck
North Carolina State University
Copyright © 2011 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 17 October 2011
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
access control
attribute-based encryption
continuity of care record
electronic medical record
medical security
mobile device
privacy
public-key cryptography
Qualifiers
- short-paper
Conference

Acceptance Rates
Overall Acceptance Rate46of139submissions,33%
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 132
  Total Citations
  View Citations
- 1,871
  Total Downloads
- Downloads (Last 12 months)49
- Downloads (Last 6 weeks)12
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Securing electronic medical records using attribute-based encryption on mobile devices

SPSM '11: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices

ABSTRACT

References

Cited By

Index Terms

Recommendations

Attribute-based encryption schemes with constant-size ciphertexts

Flexible attribute-based encryption applicable to secure e-healthcare records

Scalable and Secure Sharing of Personal Health Records in Cloud Computing Using Attribute-Based Encryption