Iranian Society of Cryptology The ISC International Journal of Information Security 2008-2045 12 2 2020 07 01 Attribute-based Access Control for Cloud-based Electronic Health Record (EHR) Systems 129 140 107962 10.22042/isecure.2020.174338.458 EN Maryam Zarezadeh Department of Information Technology Engineering, University of Isfahan, Isfahan, Iran Maede Ashouri-Talouki Department of Information Technology Engineering, Faculty of Computer Engineering, University of Isfahan Mohammad Siavashi 2Department of Computer Science and Engineering, Shiraz University, Shiraz, Iran Journal Article 2019 03 07 Electronic health record (EHR) system facilitates integrating patients' medical information and improves service productivity. However, user access to patient data in a privacy-preserving manner is still challenging problem. Many studies concerned with security and privacy in EHR systems. Rezaeibagha and Mu [1] have proposed a hybrid architecture for privacy-preserving accessing patient records in a cloud system. In their scheme, encrypted EHRs are stored in multiple clouds to provide scalability and privacy. In addition, they considered a role-based access control (RBAC) such that for any user, an EHR access policy must be determined. They also encrypt the EHRs by the public keys of all users. So, for a large amount of EHRs, this scheme is not efficient. Furthermore, using RBAC for access policy makes the policy changing difficult. In their scheme, users cannot search on encrypted EHRs based on diseases and some physicians must participate in the data retrieval by a requester physician. In this paper, we address these problems by considering a ciphertext-policy attribute-based encryption (CP-ABE) which is conceptually closer to the traditional access control methods such as RBAC. Our secure scheme can retrieve encrypted EHR based on a specific disease. Furthermore, the proposed scheme guarantees the user access control and the anonymity of the user or data owner during data retrieval. Moreover, our scheme is resistant against collusion between unauthorized retrievers to access the data. The analysis shows that our scheme is secure and efficient for cloud-based EHRs. Access Control Electronic health record Attribute-Based Encryption EHR Cloud Storage https://www.isecure-journal.com/article_107962_7cbaf9384cf3835106bf2f444c0bcf65.pdf