Professional Documents
Culture Documents
EHR Data
Rui Zhang, Jiqiang Liu, Zhen Han Ling Liu
School of Computer and Information Technology College of Computing
Beijing Jiaotong University Georgia Institute of Technology
Beijing, China 100044 Atlanta, GA, USA 30332-0765
Email: zhangrui.jqliu.zhan@bjtu.edu.cn Email: lingliu@cc.gatech.edu
A bstract-Security and privacy are widely recognized as First, when a patient is offered medical treatment, he expects
important and personalized requirements for access and that his medical records can only be accessed by authorized
management of Electric Health Record (EHR) data. Different
doctors, and other unauthorized doctors should not be able to
patients may have different privacy and security policies for
their EHR data in different context. In this paper we argue
read any part of his medical record.
that EHR data needs to be managed with customizable access Second, in the healthcare setting, a physician is allowed
control in both spatial and temporal dimension. We present to access the medical data of a specific patient only during
a role-based and time-bound access control model (RBTBAC) the time period of offering healthcare treatment. For example,
that provides more flexibility of both roles (spatial capability)
emergency room doctor should not be able to access any
and temporal capability to control the access of sensitive data
from time dimension. Through algorithmic combination of
medical document of a patient, once he or she has completed
role-based access control and time-bound key management, the emergency treatment of the patient and the patient has left
RBTBAC model has three salient features. First, we have the emergency room. In addition, given a patient, different
developed a privacy-aware and dynamic key structure for doctors involved should have different time intervals in terms
role-based privacy aware access and management of EHR data,
of accessibility to this patient's medical data. Furthermore,
focusing on the consistency of access authorization (including
data and time interval) with the activated role of user. In
a doctor may need to access the medical data of different
addition to role-based access, a path-invisible EHR structure patients at the same time period. Thus, we need to support
is build for preserving privacy of patients. Second, we have time-bound access and to be able to manage the accessibility
employed a time tree method for generating time granule values, of EHR data from time dimension in healthcare domain.
offering fine granularity of time-bound access authorization
Finally, it is to the best interest of some patients that their
and control. Our experimental results show that tree-like time
structure can improve the performance of the key management
doctor only know the medical data that are relevant to the
scheme significantly and RBTBAC model is more suitable than diseases currently under treatment by the doctor (such as
existing solutions for EHR data management since it offers dental disease) but should not be able to access other medical
high-efficiency and better security and privacy for patients. data (such as psychotherapy data). Therefore, in addition to
ERR data, the role-based structure of EHR data should not be
Keywords-EHR system; privacy preserving; role-based access
released to the doctors or any other users who do not hold the
control; time-bound key management; time tree
authorization to access them, since the contents of internal
nodes in such structure may contain sensitive information
I. INTRODUCTION
that can be used by healthcare professionals to infer other
diseases of the patient. Moreover, the structure of EHR data
Electric Health Record (ERR) is a shared digital record may change frequently due to the involvement of different sets
across different healthcare settings, by network-connected of healthcare providers for different medical conditions and
enterprise-wide information systems called EHR systems. On treatments. Thus, the third challenge in securing EHR access
one hand, EHR systems hold the promise to provide fast is to make the structure of EHR data and access path invisible
and on-demand access to medical documents and help reduce to users who are unauthorized or only authorized to access a
medical errors and enhance healthcare quality by providing partial component of the EHR data.
healthcare workers with decision support. On the other hand, The main challenge is to find an efficient and scalable
this openness, while being an essential feature of EHR, also approach to integrate role-based access control and time bound
exposes patients to the risks of privacy disclosure by improper key management under a coherent access control framework
authorization, misuse and abuse. Security and privacy are such that we can deliver both security and scalability required
widely recognized as important non-functional requirements for role-based and time-bound access to EHR data. However,
for access and management of EHR data. most existing time bound key management schemes [1]-[5]
We identify three main requirements for making EHR data use linear hash chain to generate time granule value, which is
access secure and privacy preserving. known to be inefficient and suffers from poor scalability when
101111 System
�/
Trust.cd Authori ty
/
/
/
/
Figure I. Security model for EHR system Figure 2. Hierarchical key structure
the size of the datasets to be protected for time-bound access of access depends on the access control policy, the role of
is huge. user (spatial constraint), and temporal constraint of the ac
In this paper, we propose a general purpose role-based cess. Consequently, with both valid system identity credential
and time-bound access control (RBTBAC) model for EHR and access credential, users can legally obtain corresponding
systems. The development of RBTBAC model is based on encrypted data from EHR databases and decrypt them in the
algorithmic combination of role-based access control and time legitimate time interval (time bound). We argue that EHR data
bound hierarchical key management such that a legitimate should be managed with customizable access control along
user of EHR system is authorized a time interval to access both spatial and temporal dimension.
EHR data based on hislher role. The RBTBAC model offers
III. ENFORCEMENT OF RBTBAC MODEL
more flexibility of both roles (spatial capability) and temporal
capability to control the access of sensitive data from time The RBTB key management scheme is the foundation of
dimension. Concretely, we have developed a privacy-aware RBTBAC model. An access key is mainly composed of three
and dynamic key structure for role-based privacy aware access parameters: a long-term class key Ki, a time granule value
and management of EHR data, focusing on the consistency of VB(t) and a set of class identities {C1Dk}' This section
access authorization (including data and time interval) with focuses on computation of the first two parameters. We first
the activated role of user. In addition we have employed a discuss the role-based key structures of RBTB key manage
time tree method for generating time granule values, offer ment scheme, and then put forward an efficient method - time
ing fine granularity of time-bound access authorization and tree for computing time granule values.
control. Through extensive experimentation, we demonstrate
A. Role-Based Key Structure
RBTBAC model not only offers better security and privacy
for access EHR data, but also provides high efficiency and A static encryption key structure is firstly constructed for en
customizability. crypting EHR data (see solid lines in Fig.2). Then a decryption
key structure is dynamically established. It aims to minimize
II. RBTBAC MODEL FOR EHR SYSTEM the number of keys hold by each user, while users still can
The reference security model mainly has three entItIeS produce multiple access keys by themselves effectively.
cooperatively to manage and control the usage of EHR data in Suppose that there are totally n doctors and m pa
security as shown in Fig.I. The trusted authority (TA) contains tients in an EHR system. Consider key tree as Fig.2, the
two parts, one is encryptor who is responsible for encrypting partially ordered set (C,::S), where the vertices are C =
various EHR data from different EHR providers into a uniform {Co,CP!,'" ,Cpm,C1,C2,'''}' In the hierarchical tree,
ciphertext format, the other is access control enforcer who is each node denotes a security class. If Ci ::S Cj, we say security
used to enforce predefined access control policies. The remote class Ci is subordinate to security class Cj. Ci -< Cj means
EHR database is a necessary component to store the encoded that Ci ::S Cj and Ci #- Cj. If Ci -< Cj and there is no Ck
composite EHR data. Additionally, an access control policy such that Ci -< Ck -< Cj , we say Ci is immediate subordinate
engine is the collector and developer for access control policies to Cj, which can be denoted by Ci -<d Cj.
under patient's control. In the encryption key tree, Co is the root of the hierar
The original medical data of a patient are collected peri chical tree. Correspondingly, Ko is the system root key used
odically from repositories of different EHR providers. Then to encrypt the data in class Co. The nodes in the second
they are encrypted and uploaded to the remote EHR database level are called patient nodes, each of them is a token of
by the encryptor. To request a set of access medical data of patient. All medical data of the patient are nested under the
a patient, user is required two types of credentials: system corresponding patient node. Therefore the corresponding key
identity credential and access credential . System credential is Kpj (j 1,2" .. , m ) is called patient master key. The keys
=
exclusive to each user and only used to log into EHR system, in following levels are encryption keys used to encrypt data in
but can not access any medical data. While an access credential homologous classes in hierarchical EHR structure (role-based
associates with an access for a set of EHR data. The scope structure of EHR data [6]). Note that, only the keys in leaf
rO,Pj = h2 (CIDoIIPj), whenever CPj --<d Co (1 :S j :S m ) . is [VB(tb),VB(te)] = FBS[V I] U ... U FBS[Vu], where VU
Then encryptor calculates Ki = hI ( Kpj Il rPj,i), where denodes the root node of a FBS. For example, time interval
rpj,i = h2 (PjIICIDi), whenever Ci --< CPj' For privacy of [tb,tel = [000, 10 1] labeled in grey in Fig.3, contains two
patient, we only publish the relationship of internal nodes with FBSs, one is rooted by node VO*, the other is rooted by node
corresponding patient node. As a result, the encrypt key of VlO*, so that it can be expressed by equation [Vooo,VlOd =
each node is only in connection with patient node, but has FBS[Vo*] U FBS[VlO*]. Therefore, any leaf node of a FBS
nothing to do with the structure of ERR. In addition, if the can be computed by the value of corresponding root node, that
structure of ERR is changed, the value rpj,i is invariable. is time granules in time interval [tb,tel [000, 10 1] can be
=
For generating decryption key, encryptor first computes computed by given values Vo* and VlO*.
doctor master key though equation KDi = hI ( Koll ro,D J , For the efficiency of computing time granule values, time
where rO,Di = h2 (C1DoIIDi). Next, encryptor establishes tree is much more efficient than linear hash chain method
the connection between doctor nodes and patient nodes. A which is used in the most existing time-bound hierarchical
weight value ai,j is assigned on the edge between doc key management schemes.
tor node and patient node. Finally encryptor computes re
lation value rDi ,Pj = h2 (DiIIPj) and a weight value IV. IMPLEMENT OF RBTBAC PROTOCOL
ai,j = hI( KoII ro,pJ/hI( KD,II rDi ,Pj). So user can correct The access of medical data is an interactive process among
ly derive the key of patient node though formula KPj = user, ERR system and ERR database. As mentioned in Section
ai,jhI( KDi Il rDi ,Pj)' II, to successfully access the encrypted medical data, the
user should be granted both system identity credential and
B. Time Tree
access credential. A RBTBAC protocol is composed of four
First of all, several concepts of different time periods sub-protocols: initialization, encryption, user registration and
involved in RBTBAC scheme need to be distinctly stated. The decryption .
whole time period is called timeline, which is the longest time
unit. It is divided into uniform small pieces, each piece slot is A. Initialization
called time granule, which is the smallest unit of time period. In this phase, system parameters for access medical records
Consecutive time granules is called time interval which will are initialized, patient master keys KPj ( 1 :S j :S m ) and class
be authorized to a user for access a set of classes of medical keys Ki are generated, and the hierarchical encryption key tree
data. is established as Fig.2.
Timeline is divided into small granules, which are numbered 1) Encryptor chooses a random integer w, a keyed RMAC
as 0, I, . . . ,z, and these time granules are mapped onto a HK, where K is the system access master key, and two
Complete Binary Tree (CBT). Take Fig.3 as an example, the one-way hash functions hI and h2.
timeline is divided into eight small time granules, which are 2) Encryptor selects a random value Ko as system root key
expressed as binary numbers ODD,... , 1 1 1. For simplicity, let which is only known to encryptor, TA and DB, and then
B( t) denote the binary expression of time granule and VB(t) computes Kpj and Ki using the method in Section III-A.
indicate the value of time granule t. The values with star in 3) Encryptor publishes rpj,k and hI, and keeps wand h2
subscript mean internal nodes in the time tree. Obviously, the secret, whenever k is a leaf node.
values of smallest time granule are labeled by leaf nodes in
the CBT. Besides, the value of each node in the CBT can be B. Encryption
calculated by the path from root node to itself. So we have Encryptor generates encryption key Ki,t for Ci (i =
following expressions, where II denotes string concatenation. 1,2, . . . ,N ) at time granule t E [0,z] and encrypts the data
Vo* = H( H(w)IIO),Vh H( H(w)11 1),'"
= of class Ci with corresponding key Ki,t . Ki,t is computed
Vooo = H( H( H( H(w)IIO)IIO)IIO),'" by Formula (1), where VB(t) is computed by the method in
Section III-B.
We observe that all time interval [tb,tel E [0,z] can be
composed of a number of Full Binary Subtrees (FBSs), that (1)
not know the system root key Ko, value CIDo and hash
a weight value ai,j are computed. Next, TA searches the
function h2 .
access control policies, if the request matches any access
2) Attack on Unauthorized Class: Suppose a doctor wants
control policy, TA retrieves the set of class identities of leaf
to derive a decryption key Kk',t of class k' which is not
nodes and finds the right internal nodes of time tree. At last,
authorized to him in consecutive time interval [tb,tel. As
TA issues the doctor an access credential, which stores in
sume that doctor Di obtains access credential containing in
formation EncPKDi (tb,te,{VU},{CIDd,rDi,Pj,ai,j) and
formation EncPKDi (tb,te,{VU},{CIDd,rDi,Pj' ai,j) and
EncPKDB (KDil tb,te,{CIDd) , with TA's signature, where
{VU} is a set of values of FBSs' root nodes, {CIDd is a EncPKDB = (KDi,tb,te,{CIDd) , where Ck -< CPj'
set of class identities of leaf nodes, PKDi is the public key
Ck' -< CPj and k -=I=- k'. To request the medical data of
class k', doctor Di must know CIDk, and send EncPKDB
of Di, and PKDB is the public key of DB.
=
Suppose a doctor Di has received an access credential from (KDi,tb,te,{CIDk'}) must have TA's signature, otherwise,
TA and has granted access time interval [tb,tel, doctor Di can DB will reject the request. Therefore, a doctor cannot forge an
read EHR data in Ck at any time granule t E [tb,tel. if there access credential to access any data in an unauthorized class
is partial order Ck -< CDi. even collusion with other doctors.
1) Doctor Di retrieves rDi,Pj and ai,j from the access 3) Attack in Unauthorized Time Interval: A doctor Di
credential with his private key and computes secret key may want to derive a decryption key Kk,t of class k in
Kpj of patient node Cpj, whenever CPj -<d CDi, where unauthorized time interval [tb',te']. We assume that in time
1 � j � m. interval [tb,tel doctor Di has right to access the data of
2) Doctor Di retrieves values rpj,k from public board and class k, that is he has access credential containing in
computes Kk hl (KPjIlrpj,k), whenever Ck -< CPj'
= formation EncPKDi (tb,te,{VU},{CIDd,rDi,Pj,ai,j) and
where Ck is a class of leaf node. EncPKDB (KDi,tb,te,{CIDd) · In time interval [tb',te'],
=
3) Doctor Di requests EHR data with system identity where tb < te < tb' < te', doctor Di tries to
credential and access credential. access data of class k. To successfully obtain the da
4) DB checks authenticity of information ta from DB, he needs an access credential with infor
EncPKDB (KDi,tb,te,{CIDd) by verifying TA's mation EncPKDi (tb',te', {vu'} ,{CIDd,rDi,Pj,ai,j) and
signature and decrypts it. Then DB verifies equation EncPKDB = (KDi,tb',te',{CIDd) . The doctor can get
KDi hl (Kollh2 (C1DoIIDi) ) . If the equation holds,
= tb', te' and {vu'} by colluding with other doctor. Again,
DB sends the encrypted data of class Ck to doctor Di. the access credential sent to DB should with TA's signature
5) In current time granule t E [tb,tel, doctor Di to guarantee the authenticity; otherwise DB will reject the
retrieves values VO, • •,VU and figures out VB(t).
• request. Thus doctor Di cannot forge an access credential to
Then doctor Di computes decryption key Kk,t = access data in any unauthorized time interval [tb', te'].
HK (KkIIVB(t)IICIDk).
B. Privacy Analysis
6) At time granule t, the protected data of class Ck can be
decrypted by doctor Di with key Kk,t. Our RBTBAC model provides better privacy for patients,
which is reflected in following three aspects.
V. ENFORCEMENT VERI FICATION First, we make use of RBTB key management to control
the access time interval of medical records based on the role
A. Security Analysis
of doctor in EHR system. Accordingly, the privacy of patient
Now we provide the security analysis of our RBTBAC can be protected both from unauthorized data and unauthorized
protocol focusing on three types of possible attacks - attacks time interval.
from the outside, attack on unauthorized class and attacks in Second, encryptor only publishes the relationship values
unauthorized time interval. between patient nodes and leaf nodes, so that doctor cannot
� '560 V ro
Ul
.c
500
/ 400 __ BT locating
i= 1279 '0
-&-BT locating+MOS
300
___ BT locating+SHA256
E 200
"" __ aT locating+SHA512
904
�-�-----'-t-LC MDS
�
(lJ 100 ____ LC SHAl60
-(>-LC SHA256
.c
I-
65
2 4 8 16 32 64 128 256 512 1024 100 200 300 400 500 600 700 800 900 1000 o ----:, "
t' ,� : ----:' -- , 3----'"
'---:3
,' , -: ----:
,k'- :...��p.:l s::.::":'i-;�i "'-:,:s.--::\i,;--;
: ,- , ;n/
The size of time interval [tb,t.,] The size of time interval [tb,tel The size of time interval [lb,lel
(a) Time for locating root nodes (b) The number of hash evaluation times (c) The total time
4 �MD5
:
•
r:= tree l
chain l
/' 242
222
__ Bintree-M05
-Bintree-SHA160
---Sintree-SHA256
3 .5 8 /' -+-Bintree-SHA384
::���:��� / 220 ",:: ��:;�;�'
2
3 -�SHA-384 �Unear-SHAI60
/
7
/ ......
'-Unear-SHA512
, � 2 16
� 2
.
V
�
i= 1.5
3
V t= 214
1--
2
r-/ � .--
�V
��������
....-
· ...---
0.
5
:l?' 282
o 100 200 300 400 500 600 700 800 900 1000
, 2
23 2. 2 , 2• 27 28 2• 2, 2 2 2 2 2 2 2 2'0
The times of hash evaluation [#1 The size of time interval [tb,tel The size of time interval [1b'lel
(a) Time for hash functions (b) The number of hash evaluation times (c) The total time
results are shown in Fig.5( c). The graphic shapes of the set of ACKNOWLEDGMENT
binary tree methods are quite flat, while the graphic shapes of The first author obtained the initial results of this research as
the set of linear chain method are steep. Therefore, our scheme a visiting PhD student at the Distributed Data Intensive Systems
is time-saving in the user side. (DiSL) lab in the school of Computer Science, Georgia Institute
of Technology under the China Scholarship Council. The first three
In summary, our RBTB key management scheme is space
authors would like to thank the partial support of this work by the
saving, more secure and more efficient than most existing National Key Basic Research Program (No.2007CB307101), China
schemes. NSF(No.K09A300150,60973112), China PCSIRT(No.IRT0707), the
Discipline Construction and Postgraduate Education Project of Bei
jing Municipal Education Commission. The last author would like to
VII. CONCLUSION
thank the partial support of this work by the medium size grant from
We have presented a practical Role Based and Time Bound NSF NetSE program and NSF CyberTrust program.