1 Department of Information Technology Engineering, University of Isfahan, Isfahan, Iran

2 Department of Information Technology Engineering, Faculty of Computer Engineering, University of Isfahan

3 2Department of Computer Science and Engineering, Shiraz University, Shiraz, Iran



Electronic health record (EHR) system facilitates integrating patients' medical information and improves service productivity. However, user access to patient data in a privacy-preserving manner is still challenging problem. Many studies concerned with security and privacy in EHR systems. Rezaeibagha and Mu [1] have proposed a hybrid architecture for privacy-preserving accessing patient records in a cloud system. In their scheme, encrypted EHRs are stored in multiple clouds to provide scalability and privacy. In addition, they considered a role-based access control (RBAC) such that for any user, an EHR access policy must be determined. They also encrypt the EHRs by the public keys of all users. So, for a large amount of EHRs, this scheme is not efficient. Furthermore, using RBAC for access policy makes the policy changing difficult. In their scheme, users cannot search on encrypted EHRs based on diseases and some physicians must participate in the data retrieval by a requester physician. In this paper, we address these problems by considering a ciphertext-policy attribute-based encryption (CP-ABE) which is conceptually closer to the traditional access control methods such as RBAC. Our secure scheme can retrieve encrypted EHR based on a specific disease. Furthermore, the proposed scheme guarantees the user access control and the anonymity of the user or data owner during data retrieval. Moreover, our scheme is resistant against collusion between unauthorized retrievers to access the data. The analysis shows that our scheme is secure and efficient for cloud-based EHRs.


[1] Fatemeh Rezaeibagha and Yi Mu. Distributed clinical data sharing via dynamic access-control policy transformation. International journal of medical informatics, 89:25–31, 2016.

[2] Xiaohui Liang, Zhenfu Cao, Huang Lin, and Jun Shao. Attribute based proxy re-encryption with delegating capabilities. In Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pages 276–286, 2009.

[3] Josh Benaloh, Melissa Chase, Eric Horvitz, and Kristin Lauter. Patient controlled encryption: ensuring privacy of electronic medical records. In Proceedings of the 2009 ACM workshop on Cloud computing security, pages 103–114, 2009.

[4] Shivaramakrishnan Narayan, Martin Gagné, and Reihaneh Safavi-Naini. Privacy preserving ehr system using attribute-based infrastructure. In Proceedings of the 2010 ACM workshop on Cloud computing security workshop, pages 47–52, 2010.

[5] Suhair Alshehri, Stanislaw P Radziszowski, and Rajendra K Raj. Secure access for healthcare data in the cloud using ciphertext-policy attribute-based encryption. In 2012 IEEE 28th international conference on data engineering workshops, pages 143–146. IEEE, 2012.

[6] Changji Wang, Xuan Liu, and Wentao Li. Implementing a personal health record cloud platform using ciphertext-policy attribute-based encryption. In 2012 Fourth International Conference on Intelligent Networking and Collaborative Systems, pages 8–14. IEEE, 2012.

[7] Xuhui Liu, Qin Liu, Tao Peng, and Jie Wu. Dynamic access policy in cloud-based personal health record (phr) systems. Information Sciences, 379:62–81, 2017.

[8] Yan Zhu, Hongxin Hu, Gail-Joon Ahn, Mengyang Yu, and Hongjia Zhao. Comparisonbased encryption for fine-grained access control in clouds. In Proceedings of the second ACM conference on Data and Application Security and Privacy, pages 105–116, 2012.

[9] Zhaoquan Cai, Hongyang Yan, Ping Li, Zhengan Huang, and Chongzhi Gao. Towards secure and flexible ehr sharing in mobile health cloud under static assumptions. Cluster Computing, 20(3):2415–2422, 2017.

[10] Wei Li, Bonnie M Liu, Dongxi Liu, Ren Ping Liu, Peishun Wang, Shoushan Luo, and Wei Ni. Unified fine-grained access control for personal health records in cloud computing. IEEE journal of biomedical and health informatics, 23(3):1278– 1289, 2018.

[11] Maithilee Joshi, Karuna Joshi, and Tim Finin. Attribute based encryption for secure access to cloud based ehr systems. In 2018 IEEE 11th International Conference on Cloud Computing (CLOUD), pages 932–935. IEEE, 2018.

[12] Xiaoling Tao, Chao Lin, Qinglun Zhou, Yong Wang, Kaitai Liang, and Yang Li. Secure and efficient access of personal health record: a grouporiented ciphertext-policy attribute-based encryption. Journal of the Chinese Institute of Engineers, 42(1):80–86, 2019.

[13] Leyou Zhang, Gongcheng Hu, Yi Mu, and Fatemeh Rezaeibagha. Hidden ciphertext policy attribute-based encryption with fast decryption for personal health record system. IEEE Access, 7:33202–33213, 2019.

[14] Jie Huang, Mohamed Sharaf, and Chin-Tser Huang. A hierarchical framework for secure and scalable ehr sharing and access control in multicloud. In 2012 41st International Conference on Parallel Processing Workshops, pages 279–287. IEEE, 2012.

[15] Ming Li, Shucheng Yu, Kui Ren, and Wenjing Lou. Securing personal health records in cloud computing: Patient-centric and fine-grained data access control in multi-owner settings. In International conference on security and privacy in communication systems, pages 89–106. Springer,2010.

[16] Ming Li, Shucheng Yu, Yao Zheng, Kui Ren, and Wenjing Lou. Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption. IEEE transactions on parallel and distributed systems, 24(1):131– 143, 2012.

[17] Tatiana Ermakova and Benjamin Fabian. Secret sharing for health data in multi-provider clouds. In 2013 IEEE 15th Conference on Business Informatics, pages 93–100. IEEE, 2013.

[18] Jianghua Liu, Xinyi Huang, and Joseph K Liu. Secure sharing of personal health records in cloud computing: ciphertext-policy attributebasedsigncryption. Future Generation Computer Systems, 52:67–76, 2015.

[19] Ye Li, Kaitai Liang, Chunhua Su, and Wei Wu. Dabehr: decentralized attribute-based electronic health record system with constant-size storage complexity. In International Conference on Green, Pervasive, and Cloud Computing, pages 611–626. Springer, 2017.

[20] R Charanya, S Nithya, and N Manikandan. Attribute based encryption for secure sharing of ehealth data. In Materials Science and Engineering Conference Series, volume 263, page 042030, 2017.

[21] Gandikota Ramu, B Eswara Reddy, Appawala Jayanthi, and LV Narasimha Prasad. Finegrained access control of ehrs in cloud using cpabe with user revocation. Health and Technology, 9(4):487–496, 2019.

[22] John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryption. In 2007 IEEE symposium on security and privacy (SP’07), pages 321–334. IEEE, 2007.

[23] Shangping Wang, Shasha Jia, and Yaling Zhang. Verifiable and multi-keyword searchable attribute-based encryption scheme for cloud storage. IEEE Access, 7:50136–50147, 2019.

[24] Allison Lewko and Brent Waters. Decentralizing attribute-based encryption. In Annual international conference on the theory and applications of cryptographic techniques, pages 568–588. Springer, 2011.