Privacy-Preserving Data Sharing using Multi-layer Access Control Model in Electronic Health Environment

Electronic Health Data (EHD) is an emerging health information exchange model that facilitates healthcare providers and patients to e ﬃ ciently store and share their private healthcare information from any place and at any time as per demand. Generally, Cloud services provide the infrastructure by reducing the cost of storing, processing and updating information with improved e ﬃ ciency and quality. However, the privacy of Electronic Health Records (EHR) is a signiﬁcant hurdle while outsourcing private health data in the cloud because there is a higher peril of leaking health information to unauthorized parties. Several existing techniques are able to analyse the security and privacy issues associated with e-healthcare services. These methods are designed for single database, or databases, with an authentication centre and thus cannot adequately protect the data from insider attacks. Therefore, this research study mainly focusses on how to ensure the patient privacy while sharing the sensitive data between same or di ﬀ erent organisations as well as healthcare providers in a cloud environment. This paper proposes a multi-layer access control mechanism named MLAC Model to construct a secure and privacy-preserving EHR system that enables patients to share their data with stakeholders. In this paper, we use a Dual layer access control model named Pseudo-Role Attribute based access control (PR-ABAC) mechanism that integrates attributes with roles for the secure sharing of EHR between multiple collaborators. The proposed framework also uses the concept of Provenance to ensure the Integrity of patient data. This work is expected to provide a foundation for developing security solutions against cyber-attacks, and thus contribute to the robustness of healthcare information sharing environments.


Introduction
EHD (also known as electronic health records or computerised patient records) is a systematic collection of electronic health information about individual patients or populations [1].Such records include a whole range of data including demographics, medical Shekha Chenthara, Khandakar Ahmed and Frank Whittaker the country.Over 90% of Australian medical service providers have adopted EHD systems, as the value of EHDs can provide vital information for medical resource allocation, medical research, and improved healthcare.According to a national survey : 94% of providers reported that their EHR makes records readily available at point of care, 88% reported that their EHR produces clinical benefits for the practice, 75% of providers reported that their EHR allows them to deliver better patient care [2].However, the transition from paper-based to EHR systems poses some unique challenges for privacy and confidentiality, security, data integrity and availability.
As Cloud computing is emerging as a new computing paradigm in healthcare sector [3], it not only facilitates the exchange of electronic medical records (EMR) among healthcare providers or organisations, but also acts as a medical record storage center.As the health data is increasing day-by-day in the big data epoch, cloud plays an important role for data storage by providing virtually unlimited storage that can be accessed over the Internet [4].That facilitates healthcare providers and patients to create, manage and access healthcare information from any place and at any time per demand.Cloud services provide the infrastructure by reducing the cost of storing, processing and updating information with improved efficiency and quality.As computerised medical records are integrated into one place, data can be accessed from different places by different users and this increases the risk of invasion of privacy.Since most of the data are sensitive, strictly confidential and stored on a third-party server where the owner does not have direct access, entails serious threats in terms of data privacy [5] and security [6].Patient with chronic conditions and associated sensitive information need to be securely shared and accessed by healthcare providers.This project will focus on identifying the most appropriate method to share private information between multiple healthcare providers in the patients' care team and the patient and their family or carers in the cloud environment.
Hence, EHRs in healthcare is facing problems with privacy breaches and unauthenticated record access in the recent years, the prime most one is related to privacy [7] and security of medical data [6].The issues range from malware attacks that compromise the integrity of systems and confidentiality of patients to distributed denial-of-service (DDoS) which can disrupt facilities ability to provide patient care.In healthcare systems, for instance, cyber-attacks like Ransomware can have ramifications beyond financial loss and breach of privacy [8].Earlier this year, hackers broke into the databases of Community Health Systems (CHS), one of the largest hospital groups in the United States, and accessed personal health information, name, address and personal data including social security numbers from around 4.5 million patients.Hackers from Internet vigilante group Anonymous also targeted several hospitals, launching a DDoS attack on the hospital website as an act of hacktivism [9].So, there is an indispensable need to protect the privacy, security, confidentiality, integrity, and availability of protected health information (PHI) in EHR [10].In this context, Cyber security is utmost required to prevent, detect, and act on unauthorized access to health system and its impact towards social, economic, political and cultural conflicts.Therefore, the primary research question is to strengthen the security infrastructure by providing protection mechanism in e-health care [11] aiming towards patients' confidence and thereby providing privacy [12] to EHD.The research work mainly focusses on how to ensure the patient privacy while sharing the data between same or different organisations as well as healthcare providers in a cloud environment.It emphasises on how we can access and transfer the data efficiently in a cloud arena.The main research questions include: RQ1: What are the challenges and how to overcome those while sharing the data between different healthcare providers?RQ2: How to implement privacy preserved healthcare data storage?RQ3: How to maintain Integrity of the Electronic Health Data?

Individual Objectives
This research aims to build a multi-party framework that effectively and securely stores, access and share patient data between the different organisation and healthcare providers while preserving patient confidentiality.The overall aim of the research is to develop a secure and efficient task-based multiparty framework thereby strengthen the security infrastructure in health care aiming towards patients' confidence in e-health care and thus providing security and privacy to EHD.It also points to strengthening the data security to prevent a possible breach of data by providing efficient Access Control Mechanisms for data sharing on EHD database federations.To achieve the overarching aim of the project the following individual objectives are identified: The individual objectives 1.Initially, the research will focus on how appropriate access control mechanisms can be applied to EHD for ensuring the data privacy so that the system will be immune to both inside and outside attacks.This will also reduce the cost of managing access control to Privacy-Preserving Data Sharing using Multi-layer Access Control Model in Electronic Health Environment encrypted EHD and thus provide a practical solution to data mining on encrypted EHD database federations; our research will improve population health knowledge to the benefit of Australians' wellbeing.
2. Data is encrypted and stored in a third-party system like Cloud.Since the data is stored in an encrypted form, normal searching schemes cannot be applied.We should have some 'searchable database' implementation to query the data.Otherwise, either the entire data should be downloaded to the local system, decrypt and search OR decrypt in the cloud system itself and search and retrieve only the required files.The former approach results in high bandwidth consumption and the latter results in a security violation.
3. Up to what extent, the access control should be implemented.In some cases, table level access control is sufficient whereas, in others, access control should be implemented to rows, columns and to each cell.E.g., an orthopaedic doctor needs to access only rows related to orthopaedic data.An insurance person should have access to the insurance related details and not to medical records.
4. Focus to improve privacy protection against insider attacks and to provide security in data storage.Our research will be protecting patient data against both outsider and insider attacks, which uses the concept of provenance thereby, maintain the confidentiality and integrity of the data.Our work will empower medical research thereby this work will develop a privacy-preserving Electronic Health Data federation system.
The rest of the paper is organised as follows.Section 2 describes the contribution from academic and practical view and section 3 describes an intensive analysis of existing security and privacy preserving mechanisms.Section 4 describes the methodology and conceptual framework and section 5 as conclusion.

Contributions
Here we discuss the academic contribution and practical contribution of this research towards privacy preservation of healthcare records.

Contribution to Knowledge
The significance of the research is that it provides a practical solution to privacy-preserving data mining over EHD database federations, which will have important and comprehensive impacts.In particular, it will improve protection from insider attacks.As existing solutions are very vulnerable to insider attacks due to unauthorised access our research will provide protection based on access control models, making it impossible for medicare personnel along with employees of other organisations to jointly breach the system.The other significant factor is that it will reduce the cost of managing access control to encrypted EHDs.This will also empower medical research.The main innovation of the research is twofold.One is, joint authentication by a federation of organisations, immune to insider attacks: we will develop an EHD system with no authentication centre but a joint authentication mechanism by t out of n parties; in this way, individual parties, administrators do not have access to the encrypted EHDs and effectively block unauthorised access by insider attacks.Second innovation is to develop an access control mechanism for privacy protection of EHRs thereby securing data in Healthcare Information system.

Statement of Significance
Privacy and security of Big Data is gaining prominence nowadays due to its high proliferation and utility as a result of recent developments in Information and Communication Technology(ICT) such as social networking, IoT (Internet of things) Big data analytics and Cloud computing.Nowadays, cyber-attacks are on the rise, and it affects more in the area of health care sector at an alarming rate.Criminals and cyber threat actors often look to exploit the vulnerabilities that are associated with life-critical services that are aimed to improve the treatment and patient care, especially, with new technologies.These issues range from malware attacks that compromises the integrity of systems and privacy of patients to distributed denial of service (DDoS) which can disrupt facilities' ability to provide patient care.In healthcare systems, for instance, cyber-attacks like Ransomwares can have ramifications beyond financial loss and breach of privacy.In this context, the current project focuses on protecting the privacy of patients by strengthening security to prevent possible breach of data.The proposed work will build a system that effectively and securely share confidential patient data among several organisations that protects the data from both outsider and insider attacks.The main significance of the research is that it provides a practical solution to privacy-preserving data sharing over EHD database federations that could lead to improved comprehensiveness, coordination, efficiency, effectiveness, value of care, as well as the satisfaction of patients and providers.This work focusses on providing patient-centred care and primary care meeting important needs of patients, service providers and General Practitioners (GPs).This will also ensure excellent patient care and privacy i.e. paramount for healthcare organisations, including hospitals, medical centres, independent physicians' groups and insurance providers.Another main aspect is that protection of EHD that is stored in third party cloud can be achieved

Literature Review
EHDs, also known as electronic or computerised patient records, refer to a whole range of data including demographics, medical histories, medication and allergies, immunisation status, laboratory test results, radiology images and billing information [1].As most of this EHD contain sensitive data, data breach is a major concern.Therefore, in order to protect the confidential data from possible data breaches, strict privacy preserving mechanisms have to be employed.To protect the privacy of patient data, access control [13] mechanisms and encryption techniques are being used nowadays.Taxonomy of the privacy preserving approaches in the e-Health cloud is portrayed in Fig. 1 There are several research investigations conducted in my study area by leading scientists, and the prominent ones that are reported in the literature, for instance, by Xun Yi et al.This work provides a solution to protect the privacy of patient data under multiparty framework where all EHRs are encrypted with common public key and an encrypted EHR can be decrypted only by the cooperation of all parties.This solution is built on Public Key Infrastructure (PKI) based on EIGamal Threshold public key encryption scheme [1].This scheme uses modular exponentiation which is less expensive and re-encryption is not required.This prevents any server and collusion of up to N-1 servers and therefore can succeed from inside attack and outside attacks.This scheme achieves n server joint authentication over only one database.Attribute-based encryption (ABE)presented by Sahai et al [14] is a cryptographic primitive based on the Public Key Encryption where the messages can be encrypted and decrypted on the basis of user attributes.In this, a cipher text can be decrypted only when the attributes and the decryption keys [15]are available.It is a public key encryption in which Secret key of the user and Cipher text are dependent upon attributes.Decryption of cipher text is possible if the attributes of CT matches with attributes of secret key.In KP-ABE, using the master key, owner encrypts the data such that a cipher text is labelled with a set of attributes.In KP-ABE, keys associated with the access structure should be equal to the user's secret key for decryption.
In cipher text-policy attribute-based encryption (CP-ABE) a user's private-key is associated with a set of attributes and a cipher text specifies an access policy over a defined universe of attributes within the system.In CP-ABE, Cipher text will have the access structure embedded in it and users can have their attributes saved in their secret keys.Multiauthority attribute-based encryption (MA-ABE) allows the users keys to be collectively generated by multiple trusted authorities that are responsible for governing the subsets of the users attributes.Broadcast cipher textpolicy attribute-based encryption (bABE) is effective in direct revocation of the user keys without the need of refreshing system parameters or data encryption.bABE ensures the health data confidentiality, but it causes increased computational overheads in enforcing the access policies [6].Yu et al [16] addressed the issues of concurrently achieving the fine-grained access, scalability and confidentiality of the outsourced data.
Here the data encrypted by a single user is shared with multiple users by distributing the keys.In the proposed approach the tasks of re-encrypting the data files and updating of the secret keys are delegated to the cloud servers [17].To deal with the heavy computation overheads caused by re-encryption of data files and update of secret key, the KP-ABE, PRE and lazy reencryption are combined.
Narayan et al [18] proposed an attribute-based infrastructure for the EHR where the patients encrypt their EHR files using the bABE.This approach solves the key management issues by using the users attribute for data encryption allowing every user to have only one private key for their attribute set for decryption.This approach also allows users to carry and healthcare providers to perform keyword-based searches on the encrypted patients' records without revealing the keywords or partial matches to the cloud system.The keyword search functionality is provided by combining the bABE and the Public-Key Encryption with Keyword Search (PEKS).Ibraimi et al [19] proposed a multiauthority scheme for protecting EHD across different domains.The limitation of the work is that they are not designed for database federations of many medical organisations.Li et al [20] used ABE to manage access control [21] over the health data in multi-owner, multi-authority and multiuser cloud environment.The study was performed in which patients are capable of setting their own preferences, generating the decryption keys using the MA-ABE and distributing keys to the authorized users.The proposed scheme is claimed to be flexible in supporting efficient and on-demand revocation of user access rights and also suffers from excessive computational overhead at the data owner side.To encrypt the patient health record, ABE can be used.The disadvantage is that it is unable to handle the situations where data access rights are granted based on the users' identities instead of the attributes [22].From this discussion it is succinct that the non-cryptographic approaches can never be truly secure in public clouds because they are susceptible to information disclosure by some insiders or other hackers.This can be applicable only in private clouds to a desired level because the infrastructure in such cases is trusted [6].
Narayan [18]proposed a patient centric cloud based EHR system by incorporating symmetric key cryptography, public key cryptography and an attribute based architecture.This method includes encrypting the patient health data being encrypted by the patient using a symmetric key and also a metadata file which includes description of the file, attribute based access policy, location information encrypted using broadcast CP-ABE and stored in a cloud platform.This method supports direct revocation without re-encryption of data but has a higher computational cost on patient end where all re-encryption and updating of access policies are handled by the patient side [18].Another downside is that the Trusted Authority can access all the encrypted files.Barua et al [23] used the mechanisms of proxy re-encryption and ABE to develop a more sophisticated cloud based solution.However it does not required external party for key distribution, it leads to a single point of failure and also creates key escrow while managing all attributes with a single authority.In order to resolve the issue Li et al [24] introduced a cloud based health record sharing scheme using both KP-ABE and MA-ABE schemes.This solution exerts some level of computational cost on the user side.Comparison of privacy preserving cryptographic approaches and non-cryptographic approaches is portrayed in Table I and II respectively.
In Table I and II, , symbols represent whether a particular privacy-preserving requirement is fulfilled or not, and -represents that a particular requirement is not discussed.The Abbreviations such as IN-Integrity, CO -Confidentiality, AU -Authenticity, NR-Nonrepudiation, AC -Accountability , AN -Anonymity, UN -Unlinkability.In EHR systems as most of the data are strictly confidential and stored in a third party cloud, Access control mechanisms are equally ineludible and vital as Encryption techniques.Access control is a fundamental security barrier for data privacy in a healthcare information [13] system which limits who can access and operate the documents in an EHR system.Harsha et al [25] proposed a patientcentric attribute based scheme in which each PHR (personal health record) file is encrypted and stored in a healthcare cloud along with an attribute based access policy which controls the access to encrypted resource and also utilizes a proxy re-encryption scheme to facilitate the authorized users to decrypt the required PHR files.This scheme is resistant against attacks mounted via attribute collusion as well as capable of provisioning on-demand user revocation.Suhair and Rajendra [26] presented a framework which eliminates the limitations of RBAC (Role based access control) and ABAC( Attribute-Based Access Control).This work proposed a BiLayer Access control(BLAC) to integrate attributes with roles in which an access request is checked against pseudoroles before checking the rules within the policy.R.Sandhu et al [27] [28] proposed RBAC [29] in which subjects are assigned to roles and roles are associated with permissions that defines which operations can be performed over which objects.This scheme has several drawbacks of expensive process to define and structure roles, supports only predefined and static policies, cannot support dynamically changing environments [30], and also RBAC's coarse-granularity causes inside attacks [31] .Yuan and Tong [32] proposed ABAC in which each subject's specific attributes are used to define access policies for access permission.ABAC resolves issues of RBAC but it has two problems.First, ABAC is complex due large number of rules that needed to be checked for access decisions and secondly for n attributes ABAC may require 2n possible rules [30].

Methodology and Conceptual Framework
This work proposes a multi-layer access control mechanism, MLAC Model to construct a secure and privacy-preserving EHR system that enables patients to share their data among stakeholders in a cloud environment.This framework proposes a novel access control mechanism for preserving the privacy of EHRs, which incorporates integrity and privacy issues to make access control decisions in the cloud environment.
We propose a novel Pseudo-Role Attribute based access control mechanism (PR-ABAC) which is a multilayer mechanism that combines the advantages of both Role based access control (RBAC) mechanism [24] and Attribute based access control (ABAC) [28].This multi-layer access control model being proposed integrate attributes with roles combining the advantages of RBAC and ABAC and also uses the concept of provenance thereby aims at assuring two fundamental security properties confidentiality and integrity of the sensitive data in the healthcare domain.

An overview of MLAC Model
The proposed MLAC model uses the concept of pseudorole, which is defined as a set of static attributes of subjects (users).A pseudorole can be defined as a job function.Subjects' attributes are categorized as static (when attributes values typically do not change) such as Name, ID, Gender, Provider, Department, Location and dynamic (when attribute values change frequently) such as age etc.This model uses static attributes to generate the pseudoroles, and static as well as dynamic attributes are used in policies to constrain pseudoroles.Fig. 2 presents an overview of the PR-ABAC model.
In PR-ABAC, subjects are associated with pseudoroles, which includes a set of static attributes and objects are associated with policies, which specify how attributes are considered for access requests.When an access request is made, the policy associated with the requested object is first checked with the Provenance database to see whether the corresponding data is available to grant access according to Provenance rules and if not, it checks with the (first layer) to see whether the requester has the required pseudorole or not.If so, rules within the policies are then checked for additional fine-grained constraints (second layer) to approve or deny the access request.Initially, the policy will check whether the subject requesting access to an object holds the needed Provenance rules to grant or deny access.Then the policy associated with the requested object checks to see whether the requester has the required pseudorole or not .If so, next each rule is checked to see if the access conforms to the specified values for subject, object, action and environment attributes, otherwise access is denied.This three-step process inspires the name Multi-Layer access control policy which permits fine-grained decisions.This work will demonstrate the applicability of PR-RBAC model to healthcare information sharing environments.MLAC model is formally described using the tuple: M = (S, O, E, A, PR, P, SPR, OP), Where S is a set of subjects(users) with a predefined set of attributes in which SATT could be provider, department, location etc, O is a set of objects that are accessed by subjects with a set of attributes OATT that could be patient name, medical record number, E is the environment with a predefined set of attributes EATT could be access time, system mode.A is a set of actions with a predefined set of attributes AATT could be read, write, modify etc. PR is a set of pseudoroles that are composed of n attributes that is described in section 4.2.P is a set of policies for fine-grained access control consists of two elements: a Boolean function named Pseudorole, Provenance rule and a set of zero or more rules.A policy structure is shown in Fig. 3, and components of the MLAC model is shown in Fig. 4. SPR is the subject-pseudorole assignment that is a one-to-many mapping from pseudoroles to subjects and OP is the object-policy assignment relation that is a one-to-many mapping from policies to objects.A General Algorithm for the MLAC model is described in Fig. 5.

Algorithm for the Management of Access Control
This algorithm shows the ability of our MLAC model to precisely define the customized policies for the management of Access Control that uses this model.The algorithm shown in Fig. 5 allows or denies access to an object on the basis of the inputs that it receives.The possible inputs are Object identifier (object id) i.e. the identifier of the clinical document in the EHR system, to which access is required, user identifier (subject id) is the identifier of the subject who requires to operate on the object, role indicates the role associated with the user in the EHR system, Operation is the action required on the object and access mode is the mode of access such as normal and emergency mode.The output of the algorithm is PERMIT only if all the access conditions are satisfied.
Each user (clinician) is associated with a private key Sk and a common public key PK associated with the cloud server.The steps are as follows.
•Access Req (AReq): Takes as Input the identity of clinician Cid, the XACML query as the access structure specifying the finer attributes (T), common public key

Pseudorole Generation
In PR-ABAC, pseudoroles will be generated from static attributes [33] of subjects.Here we use the values of the attributes associated with all subjects to generate pseudoroles.Table 3 shows the Subjects' Attributes and Fig. 4 shows how corresponding pseudoroles will be generated.Depending on the number of attributes used for generating pseudoroles, a tree based structure is used to identify the number of pseudoroles.If n attributes are used to generate pseudoroles, m1 x m2 x m3 x . . .x mn is the total number of generated pseudoroles where mn is the number of total different values for attribute n.However, the meaningful pseudoroles is a subset of these pseudoroles.Example in Table 3 used three attributes (Provider, Department, Location) as static subject attributes that generates 18 distinct pseudoroles as shown in Fig. 6.
To preserve the privacy of patient records, a few access control rules are defined in this use case as follow: Health records are split into three sections: (1) demographic, (2) clinical, and (3) billing.
1) Subjects are not allowed to delete records in any section 2) Physicians and nurses are allowed to read and modify records within demographic and clinical sections for patients who are under their responsibility in normal and emergency situations 3) Physicians and nurses are allowed to read and modify records within demographic and clinical sections for non-patients in emergency situations 4) Adminisitrative staff are allowed to grant access to authorized users 5) Billing staff are allowed to read and modify records within billing section

Development of Access Policies
To preserve the privacy of patient records, access control rules are defined.Based on the rules and the structure of health records, some access policies are defined.To enforce the access rules, we can create access policy accordingly such as health records within the clinical section, health record within clinical section associated to psychiatric data with separate access policy, health records within the demographic section are associated with another policy, billing section with another policy and so on according to the requirement of organisation.An example of an access policy within the clinical section is given in Fig. 7.

Implementation and Evaluation
To demonstrate the feasibility of our approach, we develop a secure EHR sharing system in cloud environment based on our design discussed in figure 6.The core EHRs aggregation and sharing logic will be implemented using ASP.NET framework using Csharp programming technologies.This framework is supported with an implementation using extensible access control markup language(XACML) for deploying access control policies.Here we use MySQL server as database server.
A Authentication Authentication between healthcare providers and EHR sharing cloud is achieved through a PKI ( Public Key Infrastructure) managed by EHR cloud application.
Each communication between them is signed with sender's private key so that the receiver can verify the signature.Any request from an unregistered party, not participating in the EHR sharing cloud, trying to communicate with a healthcare provider will be rejected.
B Authorization and Access Control Authorization and Access Control are enforced by giving the requesting healthcare providers access to only the EHR information requested.This work uses RBAC and ABAC access control paradigm for authorization.
C Confidentiality This framework is planning to use a symmetric key encryption by means of a symmetric key to encrypt and decrypt patients' shared EHR information to preserve confidentiality.The requesting healthcare provider will generate the symmetric key.

D Integrity
Integrity will be achieved by using 'Data Provenance'.

E Privacy Analysis
For the EHR database D, we say that our access control preserves data privacy of each EHR in D is accessible to authorized clinicians only.Our access control protocols and SQL preserve data privacy for the EHR Database D.

Evaluation
In this work, we are planning to evaluate the performance of our framework in terms of System Time Overhead, Number of Pseudoroles to generate, Number of policies required for efficient electronic health record access, Computational complexity and cost required for the implementation.

Conclusion
Data Privacy and Security are facing innumerable challenges nowadays due to recent advances in Information and Communication Technology (ICT) viz Social networking, IoT (Internet of Things), Big Data analytics, Cloud Computing etc.The breach of data in Healthcare is more critical since it compromises the privacy and security of individuals at stake.Hence there is an imminent need to protect the EHR against security breaches by strengthening the security infrastructure in healthcare to ensure the patient confidentiality.This research develops a secure and flexible multilayer framework based EHR sharing scheme in a cloud environment which satisfies the intended privacy and integrity requirements.To ensure patient centric EHR sharing, it is important to achieve fine-grained access, our scheme uses a multi-layer access control mechanism which facilitates the EHR users to transfer and share the resources effectively.In addition, the proposed scheme introduces the concept of Provenance to ensure Data Integrity.

Figure 1 .
Figure 1.Taxonomy of the privacy preserving approaches in the e-Health cloud

Figure 5 .
Figure 5. Algorithm for Access Control

Figure 7 .
Figure 7. Policy within Clinical Section

Table 2 .
Comparison of Privacy Preserving Non-Cryptographic Mechanisms