A Patient-Centric Attribute Based Access Control Scheme for Secure Sharing of Personal Health Records Using Cloud Computing

Personal health records (PHR) are an emerging health information exchange model, which facilitates PHR owners to efficiently share their private health data among a variety of users including healthcare professionals as well as family and friends. PHRs are usually outsourced and stored in third-party cloud platforms which relieves PHR owners from the burden of managing their PHR data while achieving better availability of health data. However, outsourcing private health data raises significant privacy concerns because there is a higher risk of leaking health information to unauthorized parties. To ensure PHR owners' control of their outsourced PHR data, attribute based encryption (ABE) mechanisms have been considered. However, such existing PHR solutions suffer from inflexibility in access especially due to the limitations associated with ABE mechanisms. In this paper, we propose a patient-centric, attribute based PHR sharing scheme which can provide flexible access for both professional users such as doctors as well as personal users such as family and friends. In the proposed solution, each PHR file is encrypted and stored in a healthcare cloud along with an attribute based access policy which controls the access to the encrypted resource. We use an attribute based authorization mechanism to authorize access requesting users to access a given PHR resource based on the associated access policy while utilizing a proxy re-encryption scheme to facilitate the authorized users to decrypt the required PHR files. Furthermore, we have demonstrated that the proposed scheme can overcome the access inflexibility issues associated with the existing ABE based PHR sharing schemes while maintaining an adequate level of security and privacy.