Audit-Based Access Control with a Distributed Ledger: Applications to Healthcare Organizations

  • Umberto Morelli
  • Silvio Ranise
  • Damiano Sartori
  • Giada Sciarretta
  • Alessandro Tomasi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11738)


We propose an audit-based architecture that uses the Hyperledger Fabric distributed ledger to increase accountability and to decentralize the authorization decisions of Attribute-Based Access Control policies by evaluating them in smart contracts. Our goal is to reduce the trust that must be placed in administrators and users with privileged accounts, and to make the a posteriori verification of access events more reliable. We apply our approach to the use case of Electronic Health Record access control. Preliminary experiments show the viability of the proposed approach.
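The pattern the abstract describes, reduced to a stand-alone sketch: a deterministic ABAC decision function (the part that would run as chaincode so every peer can recompute it), an append-only hash-chained log of access events standing in for the channel ledger, and an a posteriori audit that replays the log, checks the chain, and re-derives every decision under the policy. This is an added illustration, not the paper's implementation and not Hyperledger Fabric chaincode: the in-memory `Ledger`, the `Policy` and `Request` types, and the attribute names (`role`, `ward`, `type`) are all assumptions, and the sample EHR policy and requests are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Request is an ABAC access request: subject attributes, resource attributes, action.
type Request struct {
	Subject  map[string]string `json:"subject"`
	Resource map[string]string `json:"resource"`
	Action   string            `json:"action"`
}

// Rule permits Action when every required subject/resource attribute is present
// with the given value and every Match pair (subject attr, resource attr) is equal.
type Rule struct {
	Action   string            `json:"action"`
	Subject  map[string]string `json:"subject"`
	Resource map[string]string `json:"resource"`
	Match    [][2]string       `json:"match"`
}

// Policy is permit-overrides: the first applicable rule yields Permit, otherwise Deny.
type Policy []Rule

func (r Rule) applies(q Request) bool {
	if r.Action != q.Action {
		return false
	}
	for k, v := range r.Subject {
		if q.Subject[k] != v {
			return false
		}
	}
	for k, v := range r.Resource {
		if q.Resource[k] != v {
			return false
		}
	}
	for _, m := range r.Match {
		sv, ok1 := q.Subject[m[0]]
		rv, ok2 := q.Resource[m[1]]
		if !ok1 || !ok2 || sv != rv {
			return false
		}
	}
	return true
}

// Decide is the deterministic policy decision point; being pure, any auditor
// (or any peer) can recompute it later from the recorded request.
func Decide(p Policy, q Request) string {
	for _, r := range p {
		if r.applies(q) {
			return "Permit"
		}
	}
	return "Deny"
}

// Entry is one access event as written to the log.
type Entry struct {
	Seq        int     `json:"seq"`
	Request    Request `json:"request"`
	Decision   string  `json:"decision"`
	PolicyHash string  `json:"policy_hash"` // which policy version decided it
	Prev       string  `json:"prev"`        // hash of the previous entry
	Hash       string  `json:"hash"`
}

// digest gives a canonical SHA-256 of any value (encoding/json sorts map keys).
func digest(v interface{}) string {
	b, _ := json.Marshal(v)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func (e Entry) body() Entry { e.Hash = ""; return e }

// Ledger stands in for the channel ledger: append-only and hash-chained (assumption).
type Ledger struct{ Entries []Entry }

// Record evaluates the request and appends the outcome to the chain.
func (l *Ledger) Record(p Policy, q Request) Entry {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: len(l.Entries), Request: q, Decision: Decide(p, q), PolicyHash: digest(p), Prev: prev}
	e.Hash = digest(e.body())
	l.Entries = append(l.Entries, e)
	return e
}

// Verify is the a posteriori audit: replay the chain, check every link and hash,
// confirm each event was decided under policy p, and re-derive each decision.
// It returns the index of the first bad entry, or -1 when the log checks out.
func (l *Ledger) Verify(p Policy) (int, error) {
	ph, prev := digest(p), ""
	for i, e := range l.Entries {
		switch {
		case e.Seq != i || e.Prev != prev:
			return i, fmt.Errorf("entry %d: broken chain link", i)
		case e.Hash != digest(e.body()):
			return i, fmt.Errorf("entry %d: hash mismatch (entry modified)", i)
		case e.PolicyHash != ph:
			return i, fmt.Errorf("entry %d: decided under a different policy", i)
		case e.Decision != Decide(p, e.Request):
			return i, fmt.Errorf("entry %d: recorded %s but policy gives %s", i, e.Decision, Decide(p, e.Request))
		}
		prev = e.Hash
	}
	return -1, nil
}

// EHRPolicy is a constructed sample: a physician may read an EHR of a patient on their own ward.
var EHRPolicy = Policy{{
	Action:   "read",
	Subject:  map[string]string{"role": "physician"},
	Resource: map[string]string{"type": "ehr"},
	Match:    [][2]string{{"ward", "ward"}},
}}

func main() {
	var l Ledger
	l.Record(EHRPolicy, Request{Subject: map[string]string{"role": "physician", "ward": "cardiology"},
		Resource: map[string]string{"type": "ehr", "ward": "cardiology"}, Action: "read"})
	l.Record(EHRPolicy, Request{Subject: map[string]string{"role": "sysadmin", "ward": "it"},
		Resource: map[string]string{"type": "ehr", "ward": "cardiology"}, Action: "read"})
	fmt.Println(l.Verify(EHRPolicy)) // clean log: -1 <nil>
	l.Entries[1].Decision = "Permit" // a privileged insider rewrites the denied event
	fmt.Println(l.Verify(EHRPolicy)) // caught at entry 1
}
```

The audit catches three distinct failures: an entry edited in place (hash mismatch), an entry re-hashed after an edit (the recorded decision no longer matches what the policy yields for the recorded request), and an event decided under a policy other than the one being audited (policy hash mismatch). On a real Fabric deployment the chain links and endorsement policy replace the hand-rolled hashing here; the replay of `Decide` over recorded requests is the part a verifier would still do.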


Keywords: Access control, Hyperledger Fabric, Distributed ledger, Trust


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Security & Trust, Fondazione Bruno Kessler, Trento, Italy
  2. EIT Master School, Trento, Italy