Fine-Grained Access Control for Electronic Health Record Systems

  • Pham Thi Bach Hue
  • Sven Wohlgemuth
  • Isao Echizen
  • Dong Thi Bich Thuy
  • Nguyen Dinh Thuc
Part of the Communications in Computer and Information Science book series (CCIS, volume 124)


A strategy is needed for protecting the privacy of patients when health records are exchanged between various entities over the Internet. Although health care providers such as Google Health and Microsoft Corp.’s HealthVault comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA), the privacy of patients is still at risk. Several encryption schemes and access control mechanisms have been suggested to protect a patient’s health record against disclosure, especially to unauthorized entities. However, these approaches do not let data owners control and protect the disclosure of the individual sensitive attributes of their health records. This raises the need for a secure mechanism that protects personal information against unauthorized disclosure. We therefore propose a new Fine-grained Access Control (FGAC) mechanism based on subkeys, which allows a data owner to further control access to his data at the column level. We also propose a new mechanism that efficiently reduces the number of keys a data owner must maintain when users have different access privileges to different columns of the shared data.


Keywords: access control, fine-grained access control, database encryption





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Pham Thi Bach Hue (1)
  • Sven Wohlgemuth (2)
  • Isao Echizen (2)
  • Dong Thi Bich Thuy (1)
  • Nguyen Dinh Thuc (1)

  1. Faculty of Information Technology, University of Science, VNU – HCMC, Ho Chi Minh City, Vietnam
  2. National Institute of Informatics, Tokyo, Japan
