Secure and privacy preserving sharing of personal health records with multi-party pre-authorization verification


Bibliographic Details
Main Author: Tan, Kheng Leong
Other Authors: Lam Kwok Yan
Format: Thesis-Doctor of Philosophy
Language: English
Published: Nanyang Technological University 2022
Subjects: Engineering::Computer science and engineering
Online Access:https://hdl.handle.net/10356/163438
Institution: Nanyang Technological University
Description: Sharing of electronic health records (EHR) across health service providers is essential and significant for prompt patient care and in facilitating medical research. With sharing, it is crucial that patients can control who can access their data and when, and guarantee the security and privacy of their data. In current literature, various system models, cryptographic techniques and access control mechanisms are proposed, which require the patient’s consent before sharing. However, most of them assume that the patient is available to authorize access to the EHR upon request. This is impractical given that the patient may not always be in a good state to provide this authorization, for example, being unconscious and requiring immediate medical attention. Thus, this thesis aims to address these gaps to ensure the secure sharing and privacy-protection of the patient’s personal EHR and autonomy of the patient to control the access to her/his identity and personal records through pre-delegation of authorization to identified parties, with verification by multi-party, in the event that s/he is not available to grant immediate access. We first propose a holistic system architecture model and security requirements that cover the critical requirements for the secure sharing of EHR. We study the current state-of-the-art system designs and cryptographic schemes proposed by researchers to derive this system architecture model and security requirements and aim to address the security limitations of the existing designs. We conduct security and privacy analysis on the model, and our validation shows it is viable as an architectural model, and covers the desired security and privacy-protection requirements for secure sharing of EHR. Next, we investigate and study the sovereignty aspects of the current digitalization transformation that pose a challenge for an individual to gain control of her/his Personally Identifiable Information (PII) relating to her/his EHR. We perform a comprehensive study on data sovereignty and digital sovereignty to lay out and compare the different aspects of these two sovereignties. We then present the study on self-sovereign identity (SSI), an emerging new identity model that has the potential to solve the problems of current systems of identification and authentication and give individuals full control of their digital identity. We elaborate its decentralized user control and secure identity model which are critical factors for a healthcare information system in ensuring the sovereignty and privacy of the user’s records. Finally, we propose an efficient, secure and privacy-protecting protocol that allows the patient to pre-delegate the access authorization to her/his personal EHR with multi-party verification of the authorization. Our patient (user)-centric proposal combines Self-Sovereign Identity (SSI) concepts and model with Secure Multi-party Computation (SMPC) and Threshold Cryptography (TC) to enable secure identity and authorization verification. For the threshold SMPC approach, we adopt the block cipher encryption sharing approach and expand the original AES with Galois/Counter Mode (AES-GCM) symmetric encryption model into a full-fledged multi-party computing and cryptographic platform. We implement two mechanisms for the block cipher encryption, namely XOR and Cascade, and conduct experiments to compare them. We conclude that the XOR mechanism can scale for larger thresholds, while Cascade performs better for a lower threshold (≤ 3). We also perform a threat analysis of the protocol and approach, and validate its correctness and complexity. We conclude that the approach can meet our objectives to achieve the security and privacy protection of the patient’s personal EHR, as well as the autonomy of the patient to control the authorization for the access and sharing.
Affiliation: School of Computer Science and Engineering; Strategic Centre for Research in Privacy-Preserving Technologies & Systems
Degree: Doctor of Philosophy
Date issued: 2022-12-07
Citation: Tan, K. L. (2022). Secure and privacy preserving sharing of personal health records with multi-party pre-authorization verification. Doctoral thesis, Nanyang Technological University, Singapore. https://hdl.handle.net/10356/163438
DOI: 10.32657/10356/163438
License: This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License (CC BY-NC 4.0).
File format: application/pdf