Professional Documents
Culture Documents
14251-14258
© Research India Publications. http://www.ripublication.com
1
Isra’a Ahmed Zriqat and 2Ahmad Mousa Altamimi
1
Applied Science Private University, Department of Computer Science, Jordan.
2
Applied Science Private University, Department of Computer Science, Jordan.
2
Orcid: 0000-0003-3642-5257
14251
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 24 (2017) pp. 14251-14258
© Research India Publications. http://www.ripublication.com
of the model is then given in Section 5. And finally, Key management has also been considered in other works.
conclusions and future directions are discussed in Section 6. Recently, W. Liu et al. [29] suggested a generic framework
based on hierarchical identity-based encryption (HIBE) model
and the role-based access control (RBAC). The HIBE model
RELATED WORK is used to encrypt patients’ data before they are sent to the
storage server. Nevertheless, this process may not provide
E-health information systems consist of various types of
accurate access control requirements. For example, patients
context information needed to be guarded by appropriate
might not able to access their own data without being
security countermeasures at all times. In fact, many security
authorized by HIPAA regulations.
models have been proposed in the literature. This includes the
traditional mechanisms such as standard encryption techniques Ultimately, the fine-grained access control has been provided
or the using of Role Based Access Control (RBAC). In fact, by many models [30-31]. In [30] Adaptive Access Control
most of these traditional mechanisms cannot meet the access model is proposed to consider privilege overriding and
requirements of modern healthcare environments. As a result, behavior. Users here can access their data even if sudden
the traditional mechanisms have been extended in various incidents occur. Therefore, human authorizations are not
ways to incorporate awareness information [4], and to provide essential for users to get access to their data since they
variety and flexible security policies [15-19]. commence their sessions through a trust model based on users,
location, time and action. Ultimately, a secure scheme for
For example, RBAC model have been extended to include
authentication and scalable fine-grained data access control is
additional information that influences the access decisions.
suggested in [31]. According to its authors, the access control
One can consider the GEO-RBAC [20] and Location-Aware
is implemented in two phases: Static authorization method and
Role-Based Access Control model (LRBAC) [21]. Here, a list
Restricted access permissions. However, the main limitation
of locations is stored in the model, if the user is existed in one
of these models is that there is no prevention or detection
of these locations, roles are activated. The association of role–
mechanism to check user’s data access when the critical
time has also been considered, for instance the Temporal
situation occurs, which is provided by our model.
Role-Based Access Control Model (TRBAC) [22] includes
time constraints to support enabling and disabling roles. It is
important to mention here that other models considering both
BACKGROUND MATERIAL
location and time constraints to decide whether the access is
permitted or not. Models such as TLRBAC [23] and LOT- e-Healthcare
RBAC [24] can be considered in this context.
E-Healthcare is the integration of the internet into healthcare
On the other hand, modified versions of attribute-based where healthcare institutions exchange and share data. In an
encryption [25] have been considered in [26-28] to guarantee interoperability way if guarantees effective connection among
a proper level of security. Specifically, Z. Guan et al. [26] healthcare entities (patients, doctors, hospitals and
proposed a novel encryption by using seven combining pharmacies), care providers will be able to tackle with health
encryption technique Mask-Certificate Attribute-Based issues well [32]. EHRs are designed in a way that enables
encryption (MC-ABE). In the encryption process scheme, data patients to get a full access to the data which are managed and
are first encrypted and then masked before being stored in the controlled online by providers in charge. Furthermore, HER
storage server. In the same vein, M. Barna et al. [25] are constructed according the necessary standards of data
privileges are mapped into roles and then roles are connected collection. These standards consist of three domains: a set of
with ABE access structures. While these models are beneficial intelligent physiological sensors in a personal server whose
for cutting down the maintaining cost of eHealth data and job is to identify vital signs, a heterogeneous network, and a
providing the data whenever needed, fine-grained access remote health care server. In EHRs, patients are called data
control is difficult to obtain. users, whereas doctors and pharmacists are called requesters.
As for servers, they are divided into local server or cloud
Authors of [27-28] stated that fine-grained access control
server which store, process and analyze healthcare data [33-
would be managed by categorizing the users into public
34]. Networks are the means in which patients and medical
domain and personal domain. Where multi-authority ABE is
staff can share data, see Fig.1.
utilized in public domain to improve the fine-grained security
countermeasures. However, policies updating, and key Despite countless benefits healthcare systems have, some
management were the main limitations of this model. security threats may emerge. These threats may include
Consequently, [28] proposed attribute group key to resolve changing information, losing important data or
this problem. By employing this method, the key escrow misunderstanding roles [35-39].
problem re-encryption could be solved, and the computational
overheads could also be reduced.
14252
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 24 (2017) pp. 14251-14258
© Research India Publications. http://www.ripublication.com
14253
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 24 (2017) pp. 14251-14258
© Research India Publications. http://www.ripublication.com
algorithms is less than asymmetric encryption algorithms. AES scheme. They found AES achieves a faster execution
Jasim et al., [11] analyzed the performance of encrypted large speed of encryption and decryption processes. Thus,
database using symmetric and asymmetric key algorithms, and motivating by these studies and facts, the AES is used in our
concluded that the performance of encryption process using model as described in Section 4.
asymmetric key algorithm is lower when compared to
symmetric algorithm.
THE SECURITY MODEL (SAFE)
Additional studies have been carried out to decide which
symmetric algorithm is the best suited in the healthcare means. SAFE model safeguards the healthcare systems. Specifically,
Thus, many algorithms such as DES, 3DES, AES, Blowfish, the suggested model is placed at the top of the server to act as
RC5 are studied. However, to utilize an appropriate one, it is an access point for users’ requests. Because patient’s health
necessary to know its strength and limitation. Parameters such data could be exposed during the transmission process to the
as: Security, Scalability (in terms of Memory Usage, medical server. It should be encrypted, so if any
Encryption rate, computational time and Software/hardware attackers/intruder get access to the data, attacker cannot
performance), Limitations, and Flexibility have been disclose it. To do this and motivated by the advantages of
considered in many studies [9-10, 13-14, 42, 44, 47]. B. S. symmetric encryption techniques (presented in section 3.3),
Varsha and P. S. Suryateja [12] discussed two critical aspects we choose to use AES as it’s proved one of the best technique
of personal health record (PHR) management, those of suited for encryption healthcare information [9-14].
security and data access control. In their work, they compare
In SAFE, all requests for accessing information must be
the performance of symmetric and asymmetric algorithms
approved to ensure their eligibility. The User Interface
likes DES, AES, RSA, and ECC. Among these, they found
Module (UIM) is used to define security policies. It can be
that the AES is a strong algorithm. In AES the encryption
either website or a smartphone application. The policies are
process is done in a specified number of rounds, which makes
identified by both patients and doctors to set patient’s privacy.
the data more secure. Further, it can be used for secure
All policies identified are parsed into its own components and
transmission of data in the encrypted format.
then they are stored in a central security database. This is done
J. Park et al., [10] investigated some of the security algorithms by using Extended-RBAC model (discussed in Section 3.2).
that could be worked well in uHealth systems to provide good
When a user requests data of a patient, a session is set up
security level for personal data and bio signal information.
between the requester and the server by the session handler
They implemented several security algorithms such as DES,
module (SHM). The session is held when a transmission
3DES, Blowfish, AES, and RC4 for their u-Health monitoring
protocol is employed. It is worth mentioning that session
system. They concluded that AES does not have a well-known
information is saved, so that it can be available when needed.
weakness, and it requires low memory usage than Blowfish
Auditing session manager (ASM) is responsible for all
and RC4. Thus, they chose AES as the most appropriate
established sessions that data will be retrieved at the user’s
algorithm for their system. N. Aleisa [47] presented a
request. Moreover, the requester’s security settings (username
comparison study of well-known symmetric key encryption
and password) are stored among other accounts stored in the
standards, 3DES and AES. It was found that AES has been
database. User verifier Module (CAV) is responsible for
designed efficiency in software and hardware means to be an
classifying and verifying the requesters account and then
efficient technique even on small devices such as smartphones.
giving permission or not. This process is carried out by
However, with a larger block size using a 128-bit and with
contacting the security database to identify the applied policies
different bit keys (128, 192 and 256 bits), AES provides more
and the requester. CAV determines whether the requested
security in the long term. M. Ebrahim [42] presented a similar
information is critical or natural to reach the final decision;
study to analyze the performance based on different
this depends on the context-aware information. When the
parameters. Authors were observed that AES was the best
patient’s situation is critical, the security settings are
among all in terms of Security, Memory usage, Flexibility, and
automatically adapted to the good of the user.
Encryption performance. He also concluded that although
other algorithms were also eligible, however most of them That is, the need for user authorization is removed to handle
have a tradeoff between encryption performance and memory the required exceptional access. Consequently, caregivers are
usage. Furthermore, they highlighted the major weakness of permitted to override the access restrictions assigned to them.
the mentioned algorithms. And found that, the AES algorithm Thus, an effective mechanism is needed to predict or diagnose
has no serious weakness. the patient’s situation with good accuracy. In this context,
many studies have investigated this issue [49-51]. For
Based on that studies, some authors considered AES as
example, Authors of [51] set five classifiers (e.g., Naïve
unbreakable in practical use and thus adapted it in their
Bayes, Decision Tree, Discriminant, Random Forest, and
systems. As an example, J. Young Oh et al., [14] proposed a
Support Vector Machine), the authors found that the
novel algorithm for medical information encryption based on
classification algorithms are appropriate for providing
14254
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 24 (2017) pp. 14251-14258
© Research India Publications. http://www.ripublication.com
relatively correct answers concerning patient’s status. the eHealth environment. It consists of three main
Decision tree is regarded number one by evaluation measures. components: The User Interface Tool that allows end users to
Based on that, we choose the decision tree classifier to be design policies and directly interacts with the security
integrated into the SAFE model to provide an effective repository. The Security Repository in turn stores the policies
forecasting mechanism that determines the patient’s medical generated by the interface tool. And finally, the Policy
situation. Manager that retrieves policies from the repository and
delivers them to the access control module (Users Verifier
Ultimately, assuming the user request is granted, in this case
Module) for enforcement.
the requested data will be decrypted back before responding.
All the needed keys are stored safely in the security database. Our application uses Web Services as they provide flexibility
The basic structure is illustrated in Fig. 2. in accessing the application through different interfaces using
heterogeneous API. In addition, web services are integrated
into the World Wide Web, and support direct interactions with
THE IMPLEMENTATION OF SAFE MODEL other software agents using XML-based message exchanges
via Internet-based protocols. Off course, using such standers
To support the evaluation of the proposed approach, we will
allows our model to be compatible with other applications.
provide a prototype implementation developed specifically for
14255
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 24 (2017) pp. 14251-14258
© Research India Publications. http://www.ripublication.com
CONCLUSION [7] Freitas-Lima, P., et al., The social context and the need
of information from patients with epilepsy: evaluating a
In this research, a security model (SAFE) is presented to tertiary referral service. Arquivos de neuro-psiquiatria,
provide the security countermeasures for healthcare systems. 2015. 73(4): p. 298-303.
SAFE model aims to support an efficient access control
decision depending on the patient’s medical situation and the [8] Mondal, S., S. Sural, and V. Atluri, Security analysis of
requester’s assigned roles. In particular, SAFE grants the GTRBAC and its variants using model checking.
user’s accessing to the patient’s context information if the computers & security, 2011. 30(2): p. 128-147.
user’s roles are not restricted by the stored authorization [9] Kabilan, N.: ‘Scalable And Secure Sharing Of Personal
policies. This can be relaxed in the case of abnormal medical Health Record Maintenance Using Advanced
situation (emergency) where the user can override all his Encryption Standard (AES)’.
restrictions. To do this, the decision tree classifier is integrated
into the SAFE model to provide an effective forecasting [10] Park, J., Lee, Y.-G., and Yoon, G.: ‘Implementation of
mechanism that determines the patient’s medical situation. Security Algorithms for u-Health Monitoring System’,
Moreover, SAFE utilizes the AES encryption technique to Development, 2012, 2296, pp. 12468.
assure that the patient’s context information cannot be [11] Jasim, O.K., Abbas, S., El-Horbaty, E., and Salem, A.:
exposed during the transmission process to third parties. ‘Efficiency of Modern Encryption Algorithms in Cloud
Computing’, International Journal of Emerging Trends
& Technology in Computer Science (IJETTCS), 2013,
2, (6), pp. 270-274.
14256
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 24 (2017) pp. 14251-14258
© Research India Publications. http://www.ripublication.com
[12] Varsha, B.S., and Suryateja, P.: ‘Using Advanced [24] Chandran, S.M., and Joshi, J.B.: ‘LoT-RBAC: a
Encryption Standard for Secure and Scalable Sharing of location and time-based RBAC model’, in Editor
personal Health Records in Cloud’, 2014. (Ed.)^(Eds.): ‘Book LoT-RBAC: a location and time-
based RBAC model’ (Springer, 2005, edn.), pp. 361-
[13] Cankaya, E.C., and Kywe, T. ‘A Secure Healthcare
375.
System: From Design to Implementation’, Procedia
Computer Science, 2015, 62, pp. 203-212. [25] Sun, L., and Wang, H.: ‘A purpose based usage access
control model for e-healthcare services’, in Editor
[14] Oh, J.-Y., Yang, D.-I., and Chon, K.-H.: ‘A selective
(Ed.)^(Eds.): ‘Book A purpose based usage access
encryption algorithm based on AES for medical
control model for e-healthcare services’ (IEEE, 2011,
information’, Healthcare informatics research, 2010,
edn.), pp. 41-46.
16, (1), pp. 22-29.
[26] Guan, Z., Yang, T., and Du, X.: ‘Achieving secure and
[15] Garcia-Morchon, O., and Wehrle, K.: ‘Efficient and
efficient data access control for cloud-integrated body
context-aware access control for pervasive medical
sensor networks’, International Journal of Distributed
sensor networks’, in Editor (Ed.)^(Eds.): ‘Book
Sensor Networks, 2015.
Efficient and context-aware access control for
pervasive medical sensor networks’ (IEEE, 2010, edn.), [27] Kumar, M.R., Fathima, M.D., and Mahendran, M.:
pp. 322-327. ‘Personal Health Data Storage Protection on Cloud
Using MA-ABE’, International Journal of Computer
[16] Gajanayake, R., Iannella, R., and Sahama, T.: ‘Privacy
Applications, 2013, 75, (8).
oriented access control for electronic health records’,
electronic Journal of Health Informatics, 2014, 8, (2), [28] Zhu, H., Huang, R., Liu, X., and Li, H.: ‘SPEMR: A
pp. 15. new secure personal electronic medical record scheme
with privilege separation’, in Editor (Ed.)^(Eds.):
[17] Kumar, P., and Lee, H.-J.: ‘Security issues in healthcare
‘Book SPEMR: A new secure personal electronic
applications using wireless medical sensor networks: A
medical record scheme with privilege separation’
survey’, Sensors, 2011, 12, (1), pp. 55-91.
(IEEE, 2014, edn.), pp. 700-705.
[18] Saleem, S., Ullah, S., and Yoo, H.S.: ‘On the security
[29] Liu, W., Liu, X., Liu, J., Wu, Q., Zhang, J., and Li, Y.:
issues in wireless body area networks’, JDCTA, 2009,
‘Auditing and Revocation Enabled Role-Based Access
3, (3), pp. 178-184.
Control over Outsourced Private EHRs’, in Editor
[19] Santos-Pereira, C., Augusto, A.B., Cruz-Correia, R., (Ed.)^(Eds.): ‘Book Auditing and Revocation Enabled
and Correia, M.E.: ‘A secure RBAC mobile agent Role-Based Access Control over Outsourced Private
access control model for healthcare institutions’, in EHRs’ (IEEE, 2015, edn.), pp. 336-341.
Editor (Ed.)^(Eds.): ‘Book A secure RBAC mobile
[30] Maw, H.A., Xiao, H., and Christianson, B.: ‘An
agent access control model for healthcare institutions’
adaptive access control model for medical data in
(IEEE, 2013, edn.), pp. 349-354.
wireless sensor networks’, in Editor (Ed.)^(Eds.):
[20] Damiani, M.L., Bertino, E., Catania, B., and Perlasca, ‘Book An adaptive access control model for medical
P.: ‘GEO-RBAC: a spatially aware RBAC’, ACM data in wireless sensor networks’ (IEEE, 2013, edn.),
Transactions on Information and System Security pp. 303-309.
(TISSEC), 2007, 10, (1), pp. 2.
[31] Kahani, N., Elgazzar, K., and Cordy, J.R.:
[21] Ray, I., Kumar, M., and Yu, L.: ‘LRBAC: a location- ‘Authentication and Access Control in e-Health
aware role-based access control model’, in Editor Systems in the Cloud’, in Editor (Ed.)^(Eds.): ‘Book
(Ed.)^(Eds.): ‘Book LRBAC: a location-aware role- Authentication and Access Control in e-Health Systems
based access control model’(Springer, 2006, edn.), pp. in the Cloud’ (IEEE, 2016, edn.), pp. 13-23.
147-161
[32] Oh, H., Rizo, C., Enkin, M., and Jadad, A.: ‘What is
[22] Bertino, E., Bonatti, P.A., and Ferrari, E.: ‘TRBAC: A eHealth (3): a systematic review of published
temporal role-based access control model’, ACM definitions’, J Med Internet Res, 2005, 7, (1), pp. e.
Transactions on Information and System Security
[33] Zhang, K., Yang, K., Liang, X., Su, Z., Shen, X., and
(TISSEC), 2001, 4, (3), pp. 191-233.
Luo, H.H.: ‘Security and privacy for mobile healthcare
[23] Bertolissi, C., and Fernández, M.: ‘Time and location networks: from a quality of protection perspective’,
based services with access control’, in Editor IEEE Wireless Communications, 2015, 22, (4), pp.
(Ed.)^(Eds.): ‘Book Time and location based services 104-112.
with access control’ (IEEE, 2008, edn.), pp. 1-6.
14257
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 24 (2017) pp. 14251-14258
© Research India Publications. http://www.ripublication.com
[34] PATIL, S.S.S.a.D.: ‘Review On Security And Privacy [47] Aleisa, N.: ‘A Comparison of the 3DES and AES
For Mobile Healthcare Networks: From A Quality Of Encryption Standards’, International Journal of Security
Protection Perspective’, International Journal of and Its Applications, 2015, 9, (7), pp. 241-246.
Engineering Research-Online A Peer Reviewed
[48] Hasimoto-Beltran, R., Al-Masalha, F., and Khokhar,
International Journal 2015, 3, (6).
A.: ‘Performance evaluation of chaotic and
[35] Habib, K., Torjusen, A., and Leister, W.: ‘Security conventional encryption on portable and mobile
analysis of a patient monitoring system for the Internet platforms’: ‘Chaos-Based Cryptography’ (Springer,
of Things in eHealth’, Book Security analysis of a 2011), pp. 375-395.
patient monitoring system for the Internet of Things in
[49] Gupta, S., Kumar, D., and Sharma, A.: ‘Performance
eHealth (2015, edn.).
analysis of various data mining classification
[36] Saleem, S., Ullah, S., and Kwak, K.S.: ‘A study of techniques on healthcare data’, International journal of
IEEE 802.15. 4 security framework for wireless body computer science & Information Technology (IJCSIT),
area networks’, Sensors, 2011, 11, (2), pp. 1383-1395. 2011, 3, (4).
[37] CHELLI, K.: ‘Security Issues in Wireless Sensor [50] Jyoti Sony, Uma Ansari, Dinesh Sharma, Suita Sony
Networks: Attacks and Countermeasures’, in Editor “Predictive data mining for medical diagnosis: an
(Ed.)^(Eds.): ‘Book Security Issues in Wireless Sensor overview of heart disease prediction” International
Networks: Attacks and Countermeasures’ (2015, edn.), Journal of Computer Science and Engineering, vol. 3,
pp. 1-3. 2011.
[38] Kumar, P., and Lee, H.-J.: ‘Security issues in healthcare [51] Zriqat, I.A., Altamimi, A.M., and Azzeh, M.: ‘A
applications using wireless medical sensor networks: A Comparative Study for Predicting Heart Diseases Using
survey’, Sensors, 2011, 12, (1), pp. 55-91. Data Mining Classification Methods’, International
Journal of Computer Science and Information Security
[39] Om, S., and Talib, M.: ‘Wireless Ad-hoc Network
(IJCSIS), Vol. 14, No. 12, December 2016.
under Black-hole Attack’, International Journal of
Digital Information and Wireless Communications
(IJDIWC), 2011, 1, (3), pp. 591-596.
[40] Røstad, L.: ‘Access control in healthcare information
systems’, Norwegian University of Science and
Technology, 2008.
[41] Meyer, C.H.: ‘Cryptography-a state of the art review’,
in Editor (Ed.)^(Eds.): ‘Book Cryptography-a state of
the art review’ (1989, edn.), pp. 4/150-154/154.
[42] Ebrahim, M., Khan, S., and Khalid, U.B.: ‘Symmetric
algorithm survey: a comparative analysis’, arXiv
preprint arXiv: 1405.0398, 2014.
[43] Patil, A., and Goudar, R.: ‘A Comparative Survey of
Symmetric Encryption Techniques for Wireless
Devices’, International journal of scientific &
technology research, 2013, 2, (8).
[44] Gupta, L.: ‘Security in Low Energy Body Area
Networks for Healthcare’, Conference Proceedings,
2014.
[45] Lovelit Jose, C.M., E.Poovammmal ‘A Survey On
Privacy Preservation Of Healthcare Data Using
Cryptographic Techniques ’, International Journal of
Pharmacy & Technology, December 2016, 8, (4), pp.
22322.
[46] Kekgathetse, M.: ‘An Evaluation of Current Computing
Research Aimed at Improving Online Security:
Encryption ’, February 2015.
14258