Secure and privacy preserving sharing of personal health records with multi-party pre-authorization verification
Main Author: | Tan, Kheng Leong |
---|---|
Other Authors: | Lam Kwok Yan |
Format: | Thesis-Doctor of Philosophy |
Language: | English |
Published: | Nanyang Technological University, 2022 |
Subjects: | Engineering::Computer science and engineering |
Online Access: | https://hdl.handle.net/10356/163438 |
Institution: | Nanyang Technological University |
Description:

Sharing of electronic health records (EHR) across health service providers is essential and significant for prompt patient care and in facilitating medical research. With sharing, it is crucial that patients can control who can access their data and when, and guarantee the security and privacy of their data. In current literature, various system models, cryptographic techniques and access control mechanisms are proposed, which require the patient’s consent before sharing. However, most of them assume that the patient is available to authorize access to the EHR upon request. This is impractical given that the patient may not always be in a good state to provide this authorization, for example, being unconscious and requiring immediate medical attention. Thus, this thesis aims to address these gaps to ensure the secure sharing and privacy-protection of the patient’s personal EHR and autonomy of the patient to control the access to her/his identity and personal records through pre-delegation of authorization to identified parties, with verification by multi-party, in the event that s/he is not available to grant immediate access.

We first propose a holistic system architecture model and security requirements that cover the critical requirements for the secure sharing of EHR. We study the current state-of-the-art system designs and cryptographic schemes proposed by researchers to derive this system architecture model and security requirements and aim to address the security limitations of the existing designs. We conduct security and privacy analysis on the model, and our validation shows it is viable as an architectural model, and covers the desired security and privacy-protection requirements for secure sharing of EHR.

Next, we investigate and study the sovereignty aspects of the current digitalization transformation that pose a challenge for an individual to gain control of her/his Personally Identifiable Information (PII) relating to her/his EHR. We perform a comprehensive study on data sovereignty and digital sovereignty to lay out and compare the different aspects of these two sovereignties. We then present the study on self-sovereign identity (SSI), an emerging new identity model that has the potential to solve the problems of current systems of identification and authentication and give individuals full control of their digital identity. We elaborate its decentralized user control and secure identity model, which are critical factors for a healthcare information system in ensuring the sovereignty and privacy of the user’s records.

Finally, we propose an efficient, secure and privacy-protecting protocol that allows the patient to pre-delegate the access authorization to her/his personal EHR with multi-party verification of the authorization. Our patient (user)-centric proposal combines Self-Sovereign Identity (SSI) concepts and model with Secure Multi-party Computation (SMPC) and Threshold Cryptography (TC) to enable secure identity and authorization verification. For the threshold SMPC approach, we adopt the block cipher encryption sharing approach and expand the original AES with Galois/Counter Mode (AES-GCM) symmetric encryption model into a full-fledged multi-party computing and cryptographic platform. We implement two mechanisms for the block cipher encryption, namely XOR and Cascade, and conduct experiments to compare them. We conclude that the XOR mechanism can scale for larger thresholds, while Cascade performs better for a lower threshold (≤ 3). We also perform a threat analysis of the protocol and approach, and validate its correctness and complexity. We conclude that the approach can meet our objectives to achieve the security and privacy protection of the patient’s personal EHR, as well as the autonomy of the patient to control the authorization for the access and sharing.
Citation: | Tan, K. L. (2022). Secure and privacy preserving sharing of personal health records with multi-party pre-authorization verification. Doctoral thesis, Nanyang Technological University, Singapore. https://hdl.handle.net/10356/163438 |
---|---|
DOI: | 10.32657/10356/163438 |
Degree: | Doctor of Philosophy |
Affiliations: | School of Computer Science and Engineering; Strategic Centre for Research in Privacy-Preserving Technologies & Systems |
Date deposited: | 2022-12-07 |
License: | This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License (CC BY-NC 4.0). |
File format: | application/pdf |