Efficient and Secure Access Control for Sensitive Healthcare Data

Abstract

Healthcare services produce and use a great deal of sensitive personal data. But the fact is that this healthcare data has very high black market value. Now to easily access the healthcare data we can think about an access control server. So if we want to make an accesss control server for healthcare data then it has to be very secure. On the other hand, this data also needs to be easily accessible by the patient itself and authorized care givers. In this thesis we have studied an existing token-based access control solution which is being applied to protect medical data in a hospital and observed its security limitations. After that we modify that model using Multi-Authority CP-ABE, as a building block, to overcome the security limitations. We have proposed two modified models in our paper. Our first model relies on centralized MA-CP-ABE, which is based on composite order bilinear group. Since it is a centralized model, there is an central authority. In my case External IAM plays the role of Central Authority. I have used External IAM and Policy Decision Point as my two attribute authorities. This MA-CP-ABE is computed on a composite order bilinear group. According to the security analysis, my first model is adaptively secure. We have done this security analysis in standard model. Our second model relies on decentralized MA-CP-ABE, which is based on prime order bilinear group. Since it is an decentralized scheme so there is no central authority. Here also I have used External IAM and Policy Decision Point as my two attribute authorities. This MA-CP-ABE is computed on a prime order bilinear group. According to the security analysis, my second model is CPA secure. We have done this security analysis in random oracle model. Our second model is more efficient according to the computation cost than the first model whereas our first model is more efficient according to the communication cost than the second model. We have implemented the decentralized Multi-Authority CP-ABE scheme, which is the building block of our second model, to use in modified Access Control Model. We have implemented the code in Python and used Charm-crypto framework for the implementation. Because of using decryption out-sourcing our final decryption time has become constant, it does not depend on the size of the data consumer’s attribute set or on the number of attributes in access policy. Also we have implemented a modified LSSS in our thesis which is more efficient than Charm’s LSSS. We have also introduced revocation property in the scheme and provided insights on how to implement the whole access control model in this thesis.