Achieving Mobile-Health Privacy Using Attribute-Based Access Control

  • Vignesh Pagadala
  • Indrakshi Ray
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11358)


Mobile Health (mHealth) refers to a healthcare-provision scheme which uses mobile communication devices for effective detection, prognosis and delivery of services. mHealth systems consist of sensors that collect information from patients, cell phones through which users access the data, and a cloud-based remote data store that holds the patients' health information. Healthcare data contains sensitive information and must be protected from unauthorized access. Although role-based access control is commonly used for healthcare data, we advocate the use of attribute-based access control, as it offers finer granularity of access and can be used across organizational boundaries. Specifically, we use the NIST Next Generation Access Control (NGAC) to represent the access control policies, as it is efficient, expressive, and simplifies policy management. We propose an approach that allows constant-time evaluation of access decisions by using a graph database.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Computer Science Department, Colorado State University, Fort Collins, USA
