RESEARCH ARTICLE

Security approach to controlling access to personal health records in healthcare service

Tzer-Long Chen^1*, Yu-Ting Liao^2, Yi-Fan Chang^3 and Jen-Hung Hwang^2

1 Department of Information Networking and System Administration, Ling Tung University, Taichung, Taiwan
2 Department of Management Science, National Chiao Tung University, Hsinchu, Taiwan
3 Department of Information Management, Tunghai University, Taichung, Taiwan

ABSTRACT

The changing information technology and the constant progress of medical technologies have gradually changed traditional paper-based medical records into low-cost electronic health records. The broad application of electronic health records allows a medical information exchange model to be developed, called personal health records (PHR), which are the personal health medical information managed and maintained by the user. In consideration of PHR being a patient's health medical information, the privacy setting and the access authority have to be strictly controlled. In addition to providing users with reasonable access authorities, the PHR system has to avoid the illegal access of unauthorized single users or groups. The idea of public-key cryptosystems and Lagrange interpolating polynomial is applied to construct a high-security and efficient encryption scheme so that PHR users could execute the access system in a secure environment. Copyright © 2015 John Wiley & Sons, Ltd.

KEYWORDS

personal health records (PHR); public-key cryptosystems; Lagrange interpolating polynomial

*Correspondence

Tzer-Long Chen, Department of Creative Product Design, Ling Tung University, Taichung, Taiwan. E-mail: tlchen@teamail.ltu.edu.tw

1. INTRODUCTION

1.1. Preface

Paper-based patient records used in medical institutions occupied much space, wasted costs, and could not efficiently offer patients complete healthcare. Accordingly, traditional paper-based patient records are gradually being developed into electronic medical records, so that patients' medical data, including medical examinations and medical records, could be directly delivered by medical institutions through the electronic medical record exchange center of the Ministry of Health and Welfare under the agreement of patients. This could avoid unnecessary examinations and reduce the waste of social resources [1], largely reducing medical costs and enhancing the efficiency of patient healthcare.

Based on the advance of information technology and the popularity of the Internet, many medical services are completed with information technology for the continuous treatment and observation of patients, whereas patient conditions were hard to trace in the past [2]. Besides, in order to have patients manage their health conditions and actively guard their health, Ming Li et al. proposed patient-centered personal health records (PHR) [3] in 2010 for patients to self-manage their health records, which cover all past medical records, medical history, medication, or allergic history of patients, to assist the public in understanding health.

Although the management of personal health conditions could be convenient and rapid, the problem of privacy is worth noticing. The contents in PHR are related to patients; however, different from past medical records being managed by hospitals, patients' personal health information is self-managed. In other words, a patient's health information is controlled by the patient. Data security, integrity, and usability in the transformation process are important. In this case, this study proposes an effective and practicable solution for information security in order to prevent private information from being tampered with, stolen, or lost, and to reduce the loss of patient rights and medical loss.

Published online 3 December 2015 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1387

1.2. Research motivation and objective

The emerging cloud computing, with the advantages of self-service, source pool sharing, and high flexibility of redistribution [4], allows several electronic systems to transfer their platforms to the cloud; medical systems are no exception. Medical systems that are transferred to the cloud reveal the following advantages.

(1) Data sharing and convenient exchange allow rapidly retrieving patients' medical situations to reduce treatment delay.

(2) Dataflow is more flexible.

(3) The rapid and effective access to medical files could largely reduce medical costs.

(4) It crosses the space limitation of hardware equipment.

Establishing medical systems on the cloud therefore presents great assistance to the users.

In addition to the convenience of sharing sources, cloud computing also allows simultaneous access by several users. In this case, when several users are allowed to access the system, the efficiency and security of access to confidential data and the different authority settings become primary (e.g. authority settings for users with different access authority levels). As the confidential data in the system are patients' health records, patient privacy needs to be guaranteed when the users (either physicians or nurses) access medical information, so as to avoid illegal access.

Accordingly, this study intends to propose a practicable and secure approach to protect the system from illegal entry. This study aims to establish a secure and efficient information security mechanism. Each authorized member of the system could access distinct confidential files. The authority division has to be definite, and patients could determine the users (e.g. physicians or nurses) allowed to access their personal health records. Such a model is expected to guarantee the privacy and security of personal medical information. For system transactions, such as patient referral, changes of attending physician, nurses on duty, or family doctor engagement, the system adding or removing members or revising the access authority, and even updating confidential documents, would not open a loophole in the information security.

2. LITERATURE REVIEW

2.1. Electronic medical record, personal health record, and electronic health record

Safran and Goldberg defined electronic medical records in 2000 as records that could be accessed through computers or the Internet: they were patients' clinical diagnosis records and personal health treatment records, and each patient was an independent medical record system [5].

With electronic medical records, medical personnel could rapidly and efficiently master the complete medical history and medication records of patients; therefore, repeated medication or examinations could be avoided, reducing waste and offering patients proper treatment.

Table I shows the comparison between traditional paper-based patient records and electronic medical records [5–11].

Electronic health records are electronic personal records, containing electrocardiograms, medical records, or medical images, that could be accessed through the Internet. In addition to electronic medical records, they could be used as the reference for medical data and demographic data. Nowadays, many definitions of electronic patient healthcare records are proposed, and there are some overlaps among them [12]. In general situations, the two could be regarded as the same; however, there are still differences in some professional fields (e.g. medical informatics).

In regard to the current situation of introducing electronic health records to Taiwan, the investigation of the Ministry of Health and Welfare, Executive Yuan, China, on electronic medical records of national medical institutions, including 538 hospitals and 4033 randomly checked clinics, in 2005 showed the popularity of electronic health records in medical institutions [13]. However, cases of exchanging electronic medical records among medical institutions are still rare. The exchange is currently experimental and not comprehensively practiced, so that the promotion of electronic health records still requires efforts in public health policy [14].

Table I. Comparison between traditional paper-based patient records and electronic medical records.

| Advantages and drawbacks of traditional paper-based patient records | Advantages and drawbacks of electronic medical records |
|---|---|
| They cannot be retrieved in real time or synchronously | The data could be directly inquired through the system to save search time |
| Handwritten data are hard to recognize | Reading is not affected by handwriting or broken paper |
| Medical records in various areas could merely be retrieved by authorized physicians | The medical records could be simultaneously retrieved by several physicians |
| The formats are different | The format could be unified to solve the reading difficulty |
| The space for storing paper-based patient records is inadequate after a long period | The space for storing medical records and the personnel expenses could be reduced |
| They are hard to preserve | They are not easily lost or damaged, and the complete medical records could be traced |
| Patients' medical data cannot be integrated, so that medical costs are increased and medical quality is reduced | They allow medical personnel to inquire patient data and perform statistical analyses of relevant medical data to help medical research and development, reduce medical costs, and enhance medical quality |

Kahn et al. defined PHR in 2009 as something that could be used for sharing health information, increasing the understanding of health, and assisting patients in healthcare [15]. In the entire medical history, the practice and development of PHR are rather late. Compared to electronic medical records and Electronic Health Records (EHR), PHR contain personal food habits, exercise habits, or behavioral activities and emotions of patients. In terms of management, they used to be uniformly managed in medical institutions but are gradually being transferred to patients managing their own health records [16].

Personal health records are becoming more important in Taiwan, which is approaching an aging society. PHR not only could record food and exercise habits, heartbeats, and blood pressure but also allow physicians or nurses to master patient conditions in time. As the elderly suffering from Alzheimer's disease, dementia, or epileptic seizures might not smoothly use information products to keep recording their conditions in PHR [17], it becomes a critical issue to implement PHR for the elderly.

2.2. Lagrange interpolating polynomial

Lagrange interpolation, a polynomial interpolation named after Joseph Lagrange, an 18th-century mathematician, could be used for rapidly computing a polynomial through several distinct points on a plane.

Assuming n + 1 distinct points A_k(x_k, y_k), k = 0, 1, 2, 3, …, n, on a plane, where any two x_k are different, the Lagrange interpolating polynomial appears as

$$L(x) := \sum_{j=0}^{n} y_j \,\ell_j(x)$$

where ℓ_j(x) is the Lagrange basis polynomial (or interpolation function), expressed as [18]

$$\ell_j(x) = \prod_{i=0,\, i \ne j}^{n} \frac{x - x_i}{x_j - x_i} = \frac{x - x_0}{x_j - x_0} \cdots \frac{x - x_{j-1}}{x_j - x_{j-1}} \cdot \frac{x - x_{j+1}}{x_j - x_{j+1}} \cdots \frac{x - x_n}{x_j - x_n}$$

ℓ_j(x) has the characteristic that its value at x_j is 1, but 0 at the other points x_i (i ≠ j). The expression is shown as follows.

$$\ell_j(x_i) = \begin{cases} 0, & i \ne j \\ 1, & i = j \end{cases}$$

For example, assuming three distinct points A_1(0, 5), A_2(2, 7), A_3(3, 14) on a plane, the following are calculated.

$$\ell_1(x) = \frac{x - 2}{0 - 2} \cdot \frac{x - 3}{0 - 3} = \frac{x^2 - 5x + 6}{6}, \qquad
\ell_2(x) = \frac{x - 0}{2 - 0} \cdot \frac{x - 3}{2 - 3} = \frac{x^2 - 3x}{-2}, \qquad
\ell_3(x) = \frac{x - 0}{3 - 0} \cdot \frac{x - 2}{3 - 2} = \frac{x^2 - 2x}{3}$$

The Lagrange interpolating polynomial of the three points could be deduced as

$$y = f(x) = 5\ell_1(x) + 7\ell_2(x) + 14\ell_3(x) = \frac{5x^2 - 25x + 30}{6} + \frac{7x^2 - 21x}{-2} + \frac{14x^2 - 28x}{3} = \frac{12x^2 - 18x + 30}{6} = 2x^2 - 3x + 5$$

2.3. T.S. Chen (2012) methodology

Personal health records are a system allowing several users to access various confidential files; different users could append, delete, revise, and inquire the system; each PHR user does not necessarily have the same access authority to the same confidential files in the system; and the quantity of users and confidential files is huge. In other words, each user has different authority to access confidential files, and the setting is complicated.

Before constructing the encryption algorithms, the quantity of confidential files should be confirmed and the files numbered, and the users' access authority to the confidential files has to be clearly set. In T.S. Chen's (2012) methodology, a partial order is utilized for setting the access authority, which is uniformly established by a central authority (CA). A partial order is defined as follows. Given a set S, the binary relation ≼ on S has reflexive, antisymmetric, and transitive characteristics [19], so that it is suitable for setting a user's access authority. In this method, CA records the access authority of a user S_i in a set J_i, which describes the access authority of the user S_i. In this case, when the access authority is acquired, the decryption key for the confidential files could be acquired, expressed as

$$J_i = \{\, x \mid x \text{ is the number of a confidential file } S_i \text{ is authorized to access} \,\}, \quad i = 1, 2, 3, \dots, n,\ n \in \mathbb{N}.$$

For instance, the user S_2 could access the confidential files numbered 1 and 3, and the user S_3 could access the confidential files numbered 1, 3, and 4. The mathematical expression is J_2 = {1, 3}, J_3 = {1, 3, 4}. With the characteristics of the partial order, J_2 = {1, 3} ≼ J_3 = {1, 3, 4} stands for S_3 being able to acquire the decryption keys of S_2 for accessing file1 and file3.

According to the users' authority to access confidential files, an access control matrix (Figure 1, access authority control matrix) is established, where 1 denotes a user with access authority and 0 a user without access authority. For example, S_2 has the access authority to file1 and file3, but not to file2.

Applying the previous mechanism to a medical institution with six independent users (S_1, S_2, …, S_6) holding individual secret keys (H_1, H_2, …, H_6) and five accessible confidential files, the access control matrix associates the files with the corresponding decryption keys (DK_1, DK_2, …, DK_5). When the decryption key for a confidential file can be acquired, the confidential file can be accessed. Figure 2 shows the users' access authority to the confidential files.

According to Figure 5 and T.S. Chen's (2012) methodology [20], CA establishes the polynomial A_i(x) for each user S_i and calculates as follows.

$$A_i(x) = \left\{ \prod_{k=1,\, k \ne i}^{n} \frac{(x - H_k)}{(H_i - H_k)} \right\} I_{\{H_1, \dots, H_n\}}(x), \quad \text{for } i = 1, 2, \dots, n \wedge x \in \mathbb{R}.$$

$$A_1(x) = \frac{x - H_2}{H_1 - H_2} \cdot \frac{x - H_3}{H_1 - H_3} \cdot \frac{x - H_4}{H_1 - H_4} \cdot \frac{x - H_5}{H_1 - H_5} \cdot \frac{x - H_6}{H_1 - H_6}\, I_{H_1}(x)$$

$$A_2(x) = \frac{x - H_1}{H_2 - H_1} \cdot \frac{x - H_3}{H_2 - H_3} \cdot \frac{x - H_4}{H_2 - H_4} \cdot \frac{x - H_5}{H_2 - H_5} \cdot \frac{x - H_6}{H_2 - H_6}\, I_{H_2}(x)$$

$$A_3(x) = \frac{x - H_1}{H_3 - H_1} \cdot \frac{x - H_2}{H_3 - H_2} \cdot \frac{x - H_4}{H_3 - H_4} \cdot \frac{x - H_5}{H_3 - H_5} \cdot \frac{x - H_6}{H_3 - H_6}\, I_{H_3}(x)$$

$$A_4(x) = \frac{x - H_1}{H_4 - H_1} \cdot \frac{x - H_2}{H_4 - H_2} \cdot \frac{x - H_3}{H_4 - H_3} \cdot \frac{x - H_5}{H_4 - H_5} \cdot \frac{x - H_6}{H_4 - H_6}\, I_{H_4}(x)$$

$$A_5(x) = \frac{x - H_1}{H_5 - H_1} \cdot \frac{x - H_2}{H_5 - H_2} \cdot \frac{x - H_3}{H_5 - H_3} \cdot \frac{x - H_4}{H_5 - H_4} \cdot \frac{x - H_6}{H_5 - H_6}\, I_{H_5}(x)$$

$$A_6(x) = \frac{x - H_1}{H_6 - H_1} \cdot \frac{x - H_2}{H_6 - H_2} \cdot \frac{x - H_3}{H_6 - H_3} \cdot \frac{x - H_4}{H_6 - H_4} \cdot \frac{x - H_5}{H_6 - H_5}\, I_{H_6}(x)$$

where

$$I_{\{H_1, \dots, H_6\}}(x) = \begin{cases} 1, & \text{if } x \in \{H_1, \dots, H_6\} \\ 0, & \text{o.w.} \end{cases}$$

is an indicator function to verify the legality of H_i.

Moreover, CA also establishes the polynomial B_i(y) for each user S_i and calculates as follows.

$$B_i(y) = \left\{ \sum_{u \in J_i} DK_u \left[ \prod_{t=1,\, t \ne u}^{m} \frac{(y - t)}{(u - t)} \right] \right\} I_{J_i}(y), \quad y \in \mathbb{R}$$

$$\wedge\ J_i = \{\, u \mid 1 \le u \le m,\ u \text{ is the number of a confidential file the } i\text{th user is authorized to access} \,\}$$

$$B_1(y) = \left[ DK_1 \frac{(y-2)(y-3)(y-4)(y-5)}{(1-2)(1-3)(1-4)(1-5)} + DK_2 \frac{(y-1)(y-3)(y-4)(y-5)}{(2-1)(2-3)(2-4)(2-5)} + DK_3 \frac{(y-1)(y-2)(y-4)(y-5)}{(3-1)(3-2)(3-4)(3-5)} + DK_4 \frac{(y-1)(y-2)(y-3)(y-5)}{(4-1)(4-2)(4-3)(4-5)} + DK_5 \frac{(y-1)(y-2)(y-3)(y-4)}{(5-1)(5-2)(5-3)(5-4)} \right] I_{J_1}(y)$$

$$B_2(y) = \left[ DK_1 \frac{(y-2)(y-3)(y-4)(y-5)}{(1-2)(1-3)(1-4)(1-5)} + DK_2 \frac{(y-1)(y-3)(y-4)(y-5)}{(2-1)(2-3)(2-4)(2-5)} + DK_3 \frac{(y-1)(y-2)(y-4)(y-5)}{(3-1)(3-2)(3-4)(3-5)} + DK_4 \frac{(y-1)(y-2)(y-3)(y-5)}{(4-1)(4-2)(4-3)(4-5)} \right] I_{J_2}(y)$$

$$B_3(y) = \left[ DK_1 \frac{(y-2)(y-3)(y-4)(y-5)}{(1-2)(1-3)(1-4)(1-5)} + DK_4 \frac{(y-1)(y-2)(y-3)(y-5)}{(4-1)(4-2)(4-3)(4-5)} \right] I_{J_3}(y)$$

$$B_4(y) = \left[ DK_4 \frac{(y-1)(y-2)(y-3)(y-5)}{(4-1)(4-2)(4-3)(4-5)} \right] I_{J_4}(y)$$

$$B_5(y) = \left[ DK_5 \frac{(y-1)(y-2)(y-3)(y-4)}{(5-1)(5-2)(5-3)(5-4)} \right] I_{J_5}(y)$$

$$B_6(y) = \left[ DK_1 \frac{(y-2)(y-3)(y-4)(y-5)}{(1-2)(1-3)(1-4)(1-5)} \right] I_{J_6}(y)$$

where

$$I_{J_i}(y) = \begin{cases} 1, & \text{if } y \in J_i \\ 0, & \text{o.w.} \end{cases}$$

is an indicator function to verify the user's access authority to the decryption key DK_u.

Finally, CA establishes the following equation and publishes its expansion.

$$G(x, y) = \sum_{i=1}^{n} A_i(x)\, B_i(y) \wedge x, y \in \mathbb{R}.$$

Figure 1. Access authority control matrix.

Figure 2. The situations of the users' access authority to confidential files.

2.3.1. Insecurity of T.S. Chen (2012) methodology with mathematical characteristics of polynomial A_i(x)B_i(y)

When the effects of I_{H_i}(x) and I_{J_i}(y) are removed, A_i(x) and B_i(y) present the following mathematical characteristics. Assuming y = 0, the first-order polynomial $\prod_{k=1,\,k \ne i}^{n} (x - H_k)$ would be acquired through a series of deductions [21]. The insecurity is proven according to the polynomial A_i(x)B_i(y) in the previous section.

$$A_i(x) = \frac{x - H_1}{H_i - H_1} \cdots \frac{x - H_{i-1}}{H_i - H_{i-1}} \cdot \frac{x - H_{i+1}}{H_i - H_{i+1}} \cdots \frac{x - H_n}{H_i - H_n}\, I_{\{H_i\}}(x) = \left\{ \prod_{k=1,\, k \ne i}^{n} \frac{(x - H_k)}{(H_i - H_k)} \right\} I_{\{H_i\}}(x)$$

$$B_i(y) = \left[ b^{(i)}_{m-1} y^{m-1} + b^{(i)}_{m-2} y^{m-2} + \cdots + b^{(i)}_1 y + b^{(i)}_0 \right] I_{J_i}(y)$$

Assuming

$$A_i(x) B_i(y) = A_i^{*}(x) B_i^{*}(y)\, I_{\{H_i\}}(x)\, I_{J_i}(y)$$

From the previous mathematical form of A_i(x)B_i(y), the expansion could be acquired, and then I_{\{H_i\}}(x) I_{J_i}(y) could be neglected. Replacing A_i(x)B_i(y) by A_i^{*}(x)B_i^{*}(y) and assuming y = 0 to substitute into A_i^{*}(x)B_i^{*}(y):

$$A_i^{*}(x) B_i^{*}(0) = \left[ \prod_{k=1,\, k \ne i}^{n} \frac{(x - H_k)}{(H_i - H_k)} \right] b^{(i)}_0 = \left[ b^{(i)}_0 \prod_{k=1,\, k \ne i}^{n} \frac{1}{(H_i - H_k)} \right] \left[ \prod_{k=1,\, k \ne i}^{n} (x - H_k) \right]$$

Assuming

$$\alpha_i = b^{(i)}_0 \prod_{k=1,\, k \ne i}^{n} \frac{1}{(H_i - H_k)}$$

$$A_i^{*}(x) B_i^{*}(0) = \alpha_i \left[ \prod_{k=1,\, k \ne i}^{n} (x - H_k) \right]$$

When the equation is divided by the leading coefficient α_i, the first-order polynomial $\prod_{k=1,\,k \ne i}^{n} (x - H_k)$ is obtained.

2.3.2. Decrypting polynomial G(x, y) with the mathematical characteristics of A_i(x)B_i(y)

From the previous access authority control matrix, six users in the system could access five confidential files. The mathematical characteristics of A_i(x)B_i(y) could be used for breaking the system and deducing the decryption key. The breaking process is described as follows.

Assuming

$$G_1(x, y) = \sum_{i=1}^{6} A_i(x) B_i(y)$$

When a new user S_7 (H_7) is added to the system, according to T.S. Chen's (2012) methodology, a new public polynomial G_2(x, y) = G_1(x, y) + A_7(x)B_7(y) is acquired. When another new user S_8 (H_8) is added, another new public polynomial G_3(x, y) = G_2(x, y) + A_8(x)B_8(y) is acquired.

$$A_i(x) B_i(y) = \left[ \prod_{k=1,\, k \ne i}^{n} \frac{(x - H_k)}{(H_i - H_k)} \right] I_{\{H_i\}}(x) \left[ b^{(i)}_{m-1} y^{m-1} + \cdots + b^{(i)}_1 y + b^{(i)}_0 \right] I_{J_i}(y)$$

$$= \left\{ \left[ \prod_{k=1,\, k \ne i}^{n} \frac{(x - H_k)}{(H_i - H_k)} \right] \left[ b^{(i)}_{m-1} y^{m-1} + \cdots + b^{(i)}_1 y + b^{(i)}_0 \right] \right\} I_{\{H_i\}}(x)\, I_{J_i}(y)$$

$$= \left\{ \left[ \prod_{k=1,\, k \ne i}^{n} \frac{(x - H_k)}{(H_i - H_k)} \right] \left[ b^{(i)}_{m-1} y^{m-1} + \cdots + b^{(i)}_1 y \right] + \left[ \prod_{k=1,\, k \ne i}^{n} \frac{(x - H_k)}{(H_i - H_k)} \right] b^{(i)}_0 \right\} I_{\{H_i\}}(x)\, I_{J_i}(y)$$

$$A_i^{*}(x) B_i^{*}(y) = \left[ \prod_{k=1,\, k \ne i}^{n} \frac{(x - H_k)}{(H_i - H_k)} \right] \left[ b^{(i)}_{m-1} y^{m-1} + \cdots + b^{(i)}_1 y \right] + \left[ \prod_{k=1,\, k \ne i}^{n} \frac{(x - H_k)}{(H_i - H_k)} \right] b^{(i)}_0$$

Although A_i(x) and B_i(y) are not published, the published polynomials could be used for deduction:

$$A_7(x) B_7(y) = G_2(x, y) - G_1(x, y)$$

$$A_8(x) B_8(y) = G_3(x, y) - G_2(x, y)$$

With the properties introduced in the previous section, A_7(x)B_7(y) and A_8(x)B_8(y) could be calculated:

$$A_7^{*}(x) B_7^{*}(0) = \alpha_7 \left[ \prod_{k=1,\, k \ne 7}^{7} (x - H_k) \right] = \alpha_7 (x - H_1)(x - H_2)(x - H_3)(x - H_4)(x - H_5)(x - H_6)$$

$$A_8^{*}(x) B_8^{*}(0) = \alpha_8 \left[ \prod_{k=1,\, k \ne 8}^{8} (x - H_k) \right] = \alpha_8 (x - H_1)(x - H_2)(x - H_3)(x - H_4)(x - H_5)(x - H_6)(x - H_7)$$

$$\frac{A_8^{*}(x) B_8^{*}(0)}{A_7^{*}(x) B_7^{*}(0)} = \frac{\alpha_8}{\alpha_7} (x - H_7)$$

where α_7 and α_8 could be deduced. (x − H_7) is then acquired by dividing the two. Setting it to 0, the secret key H_7 could then be easily acquired.

Similarly, when a new member S_9 (H_9) is added, the polynomial (x − H_1)(x − H_2)(x − H_3)(x − H_4)(x − H_5)(x − H_6)(x − H_7)(x − H_8) could be acquired with the previous calculations, and (x − H_8) could also be acquired after dividing the two. That is, when member data are continuously added to the system, the secret key of the (m − 1)th member could be acquired through the public polynomial and simple calculations once the mth member joins. Information insecurity is therefore easily generated.

3. RESEARCH METHODOLOGY

3.1. User authority setting

Personal health records are a system that could establish and integrate each patient's records in different medical institutions. When a user needs to access the records, he/she has to possess the access authority to the confidential files as well as the secret key. CA establishes an authority access control matrix that contains the user's access authority to the confidential files and the file quantity and contents, where 0 stands for a user without the access authority and 1 for a user with the authority, as in Figure 3, member authority access matrix.

3.2. Improved T.S. Chen's (2012) methodology

T.S. Chen's approach in 2012 was a simple equation with the division of new-style and old-style derivative coefficients, so that a secret key could be easily acquired by setting the equation to zero. The proposed approach excludes the effect of the original parameters; when y = 0, the secret key still cannot be solved, so that the security of the decryption polynomial under dynamic update is ensured.

3.2.1. Methodology establishment

As described in Section 3, the mathematical characteristics of A_i(x)B_i(y) result in the entire decryption polynomial being easily broken, causing system insecurity; T.S. Chen's (2012) methodology is therefore improved, and more secure encryption algorithms are proposed in this study to stabilize the system security.

The approach is shown as follows.

Step 1: According to the authority access matrix, CA establishes new polynomials A_i^{(r)}(x) and B_i^{(r)}(y) for each PHR user (S_i).

Step 2: Establish a new private polynomial A_i^{(r)}(x).

$$A_i^{(r)}(x) = \left\{ \prod_{1 \le k \le n,\, k \ne i} \left[ \frac{x - H_k}{H_i - H_k} + (x - H_i) \right] \right\} I_{\{H_i\}}(x), \quad \text{for } i = 1, 2, \dots, n \wedge x \in \mathbb{R},$$

where

$$I_{\{H_i\}}(x) = \begin{cases} 1, & \text{if } x \in \{H_1, \dots, H_n\} \\ 0, & \text{o.w.} \end{cases}$$

verifies the legality of H_i.

Step 3: Ensure the establishment of the following conditions. (a) When H_i is a legal secret key, Θ_i^{(r)}(H_i) appears as 1, or otherwise 0. (b) $\Theta_i^{(r)}(x) = I_{\{1\}}\!\left(A_i^{(r)}(x)\right)$, $\Theta_i^{(r)}(H_i) = 1$, $\Theta_i^{(r)}(x \ne H_i) = 0$.

Step 4: Establish a new private polynomial B_i^{(r)}(y).

$$B_i^{(r)}(y) = \left[ b^{(i)}_{m-1} y^{m-1} + \cdots + b^{(i)}_1 y + b^{(i)}_0 \right] I_{J_i}(y), \quad y \in \mathbb{R}$$

$$\wedge\ J_i = \{\, u \mid 1 \le u \le m,\ u \text{ is the number of a confidential file the } i\text{th user is authorized to access} \,\}$$

where

$$I_{J_i}(y) = \begin{cases} 1, & \text{if } y \in J_i \\ 0, & \text{otherwise} \end{cases}$$

verifies the user's access authority to the decryption key DK_u.

Step 5: Finally, CA establishes the expansion of the decryption polynomial and publishes it, as in the previous text.

$$G^{(r)}(x, y) = \sum_{i=1}^{n} A_i^{(r)}(x)\, B_i^{(r)}(y) \wedge x, y \in \mathbb{R}.$$

Figure 3. Member authority access matrix.

3.2.2. Security check of decryption polynomial

Regarding the removal of the effects of I_{\{H_i\}}(x) and I_{J_i}(y), assuming y = 0, the secret key H_k would not be broken, ensuring the security of the decryption polynomial. It is proven as follows.

$$A_i^{(r)}(x) = \left\{ \prod_{1 \le k \le n,\, k \ne i} \left[ \frac{x - H_k}{H_i - H_k} + (x - H_i) \right] \right\} I_{\{H_i\}}(x), \quad \text{for } i = 1, 2, \dots, n \wedge x \in \mathbb{R}.$$

$$B_i^{(r)}(y) = \left[ b^{(i)}_{m-1} y^{m-1} + \cdots + b^{(i)}_1 y + b^{(i)}_0 \right] I_{J_i}(y), \quad y \in \mathbb{R}.$$

Assuming, according to the expansion of the polynomial, that the characteristics of I_{\{H_i\}}(x) I_{J_i}(y) could be ignored, replace A_i^{(r)}(x)B_i^{(r)}(y) by A_i^{*(r)}(x)B_i^{*(r)}(y) and assume y = 0 to substitute into A_i^{*(r)}(x)B_i^{*(r)}(y):

$$A_i^{*(r)}(x) B_i^{*(r)}(0) = \left\{ \prod_{1 \le k \le n,\, k \ne i} \left[ \frac{x - H_k}{H_i - H_k} + (x - H_i) \right] \right\} b^{(i)}_0$$

From the previous mathematical form, it could not be factorized, so the first-order polynomial $\prod_{1 \le k \le n,\, k \ne i} (x - H_k)$ could not be acquired as before, and the secret key H_k could not be solved. The system security is implemented.

3.2.3. Security check of decryption polynomial G^{(r)}(x, y)

As the example of the system with six users accessing five confidential documents, CA constructs the decryption polynomial as follows.

Assuming

$$G_1^{(r)}(x, y) = \sum_{i=1}^{6} A_i^{(r)}(x)\, B_i^{(r)}(y)$$

When a new user S_7 (H_7) is added to the system, a brand-new public polynomial $G_2^{(r)}(x, y) = G_1^{(r)}(x, y) + A_7^{(r)}(x) B_7^{(r)}(y)$ is acquired. Adding another new user S_8 (H_8) to the system, another new public polynomial $G_3^{(r)}(x, y) = G_2^{(r)}(x, y) + A_8^{(r)}(x) B_8^{(r)}(y)$ is also acquired, where A_i^{(r)}(x) and B_i^{(r)}(y) are private, while G_1^{(r)}(x, y), G_2^{(r)}(x, y), and G_3^{(r)}(x, y) are public. The testing processes are shown as follows.

$$G_2^{(r)}(x, y) - G_1^{(r)}(x, y) = A_7^{(r)}(x) B_7^{(r)}(y)$$

$$G_3^{(r)}(x, y) - G_2^{(r)}(x, y) = A_8^{(r)}(x) B_8^{(r)}(y)$$

A_7^{(r)}(x)B_7^{(r)}(y) and A_8^{(r)}(x)B_8^{(r)}(y) could be calculated by the properties introduced in the previous section.

$$A_i^{(r)}(x) B_i^{(r)}(y) = \left\{ \prod_{1 \le k \le n,\, k \ne i} \left[ \frac{x - H_k}{H_i - H_k} + (x - H_i) \right] \right\} I_{\{H_i\}}(x) \left\{ \left[ b^{(i)}_{m-1} y^{m-1} + \cdots + b^{(i)}_1 y + b^{(i)}_0 \right] I_{J_i}(y) \right\}$$

$$= \left\{ \left\{ \prod_{1 \le k \le n,\, k \ne i} \left[ \frac{x - H_k}{H_i - H_k} + (x - H_i) \right] \right\} \left[ b^{(i)}_{m-1} y^{m-1} + \cdots + b^{(i)}_1 y + b^{(i)}_0 \right] \right\} I_{\{H_i\}}(x)\, I_{J_i}(y)$$

$$A_i^{*(r)}(x) B_i^{*(r)}(y) = \left\{ \prod_{1 \le k \le n,\, k \ne i} \left[ \frac{x - H_k}{H_i - H_k} + (x - H_i) \right] \right\} \left[ b^{(i)}_{m-1} y^{m-1} + \cdots + b^{(i)}_1 y + b^{(i)}_0 \right]$$

$$A_i^{(r)}(x) B_i^{(r)}(y) = A_i^{*(r)}(x) B_i^{*(r)}(y)\, I_{\{H_i\}}(x)\, I_{J_i}(y)$$

$$A_7^{*(r)}(x) B_7^{*(r)}(0) = \left\{ \prod_{1 \le k \le 7,\, k \ne 7} \left[ \frac{x - H_k}{H_7 - H_k} + (x - H_7) \right] \right\} b^{(7)}_0 = \left[ \frac{x - H_1}{H_7 - H_1} + (x - H_7) \right] \left[ \frac{x - H_2}{H_7 - H_2} + (x - H_7) \right] \left[ \frac{x - H_3}{H_7 - H_3} + (x - H_7) \right] \left[ \frac{x - H_4}{H_7 - H_4} + (x - H_7) \right] \left[ \frac{x - H_5}{H_7 - H_5} + (x - H_7) \right] \left[ \frac{x - H_6}{H_7 - H_6} + (x - H_7) \right] b^{(7)}_0$$

$$A_8^{*(r)}(x) B_8^{*(r)}(0) = \left\{ \prod_{1 \le k \le 8,\, k \ne 8} \left[ \frac{x - H_k}{H_8 - H_k} + (x - H_8) \right] \right\} b^{(8)}_0 = \left[ \frac{x - H_1}{H_8 - H_1} + (x - H_8) \right] \left[ \frac{x - H_2}{H_8 - H_2} + (x - H_8) \right] \left[ \frac{x - H_3}{H_8 - H_3} + (x - H_8) \right] \left[ \frac{x - H_4}{H_8 - H_4} + (x - H_8) \right] \left[ \frac{x - H_5}{H_8 - H_5} + (x - H_8) \right] \left[ \frac{x - H_6}{H_8 - H_6} + (x - H_8) \right] \left[ \frac{x - H_7}{H_8 - H_7} + (x - H_8) \right] b^{(8)}_0$$

From the previous deduction, merely a series of mathematical forms that could no longer be factorized is acquired after dividing A_8^{*(r)}(x)B_8^{*(r)}(0) by A_7^{*(r)}(x)B_7^{*(r)}(0), so that the secret keys H_7 and H_8 could not be acquired, which prevents the decryption keys for S_7 and S_8 accessing files from being deduced.

Similarly, when a member S_9 (H_9) is added, the following could be deduced.

$$A_9^{*(r)}(x) B_9^{*(r)}(0) = \left\{ \prod_{1 \le k \le 9,\, k \ne 9} \left[ \frac{x - H_k}{H_9 - H_k} + (x - H_9) \right] \right\} b^{(9)}_0 = \left[ \frac{x - H_1}{H_9 - H_1} + (x - H_9) \right] \left[ \frac{x - H_2}{H_9 - H_2} + (x - H_9) \right] \left[ \frac{x - H_3}{H_9 - H_3} + (x - H_9) \right] \left[ \frac{x - H_4}{H_9 - H_4} + (x - H_9) \right] \left[ \frac{x - H_5}{H_9 - H_5} + (x - H_9) \right] \left[ \frac{x - H_6}{H_9 - H_6} + (x - H_9) \right] \left[ \frac{x - H_7}{H_9 - H_7} + (x - H_9) \right] \left[ \frac{x - H_8}{H_9 - H_8} + (x - H_9) \right] b^{(9)}_0$$

A series of mathematical forms that could not be factorized anymore is still acquired after dividing the two formulas. In this case, even though new members are continuously added, the secret key H_9 could not be deduced from the mathematical form, so that the system is secure.

3.3. Example

Aiming at the new public polynomial $G^{(r)}(x, y) = \sum_{i=1}^{n} A_i^{(r)}(x) B_i^{(r)}(y)$ established in the previous section, the member authority access matrix in Figure 3 is used for the illustration.

3.3.1. Example: legal access authority of user

Assuming that a medical researcher (S_4) possesses legal access authority to the blood pressure record (file1), electrocardiogram (file2), and drug and allergic reaction (file4), the secret key (H_4) is first substituted into A_4^{(r)}(x).

$$A_4^{(r)}(x) = \left\{ \prod_{1 \le k \le 6,\, k \ne 4} \left[ \frac{x - H_k}{H_4 - H_k} + (x - H_4) \right] \right\} I_{\{H_1, \dots, H_6\}}(H_4) = \left[ \frac{x - H_1}{H_4 - H_1} + (x - H_4) \right] \left[ \frac{x - H_2}{H_4 - H_2} + (x - H_4) \right] \left[ \frac{x - H_3}{H_4 - H_3} + (x - H_4) \right] \left[ \frac{x - H_5}{H_4 - H_5} + (x - H_4) \right] \left[ \frac{x - H_6}{H_4 - H_6} + (x - H_4) \right] I_{\{H_1, \dots, H_6\}}(H_4)$$

Furthermore, $I_{\{H_1, \dots, H_6\}}(H_4) = 1$ and then $A_4^{(r)}(H_4) = 1$ are calculated; the result of $A_4^{(r)}(H_k)$ (k ∈ {1, 2, 3, 5, 6}) is a series of random numbers; however, the final value appears as 0 because $\Theta_i^{(r)}(x) = I_{\{1\}}\!\left(A_i^{(r)}(x)\right)$, so that it does not present the access authority. The polynomial A_i^{(r)}(x) could be utilized for verifying the user as well as the secret key H_i being on the legal list of CA.

After confirming the medical researcher (S_4) to be a legal user, the access authority to the three confidential files of blood pressure record (file1), electrocardiogram (file2), and drug and allergic reaction (file4) is further verified. Substituting J_4 = {1, 2, 4} into B_4^{(r)}(y),

$$B_4^{(r)}(y) = \left[ DK_1 \frac{(y-2)(y-3)(y-4)(y-5)}{(1-2)(1-3)(1-4)(1-5)} + DK_2 \frac{(y-1)(y-3)(y-4)(y-5)}{(2-1)(2-3)(2-4)(2-5)} + DK_4 \frac{(y-1)(y-2)(y-3)(y-5)}{(4-1)(4-2)(4-3)(4-5)} \right] I_{J_4}(y)$$

After calculating $I_{J_4}(1) = 1$, $I_{J_4}(2) = 1$, and $I_{J_4}(4) = 1$, $B_4^{(r)}(1) = DK_1$, $B_4^{(r)}(2) = DK_2$, $B_4^{(r)}(3) = 0$, $B_4^{(r)}(4) = DK_4$, and $B_4^{(r)}(5) = 0$ are further calculated to prove the medical researcher's (S_4) access authority to acquire the decryption keys for the blood pressure record (file1), electrocardiogram (file2), and drug and allergic reaction (file4).

The quotient of the two polynomials from Section 3.2.3 is

$$\frac{A_8^{*(r)}(x) B_8^{*(r)}(0)}{A_7^{*(r)}(x) B_7^{*(r)}(0)} = \frac{\left[ \frac{x - H_1}{H_8 - H_1} + (x - H_8) \right] \left[ \frac{x - H_2}{H_8 - H_2} + (x - H_8) \right] \cdots \left[ \frac{x - H_7}{H_8 - H_7} + (x - H_8) \right]}{\left[ \frac{x - H_1}{H_7 - H_1} + (x - H_7) \right] \left[ \frac{x - H_2}{H_7 - H_2} + (x - H_7) \right] \cdots \left[ \frac{x - H_6}{H_7 - H_6} + (x - H_7) \right]}$$

When the medical researcher (S_4) intends to access a patient's electrocardiogram (file2) for the research, the personal legal secret key H_4 and the ID 2 of the electrocardiogram (file2) are substituted into the public polynomial G^{(r)}(x, y) for the calculation.

$$G^{(r)}(H_4, 2) = A_1^{(r)}(H_4) B_1^{(r)}(2) + A_2^{(r)}(H_4) B_2^{(r)}(2) + A_3^{(r)}(H_4) B_3^{(r)}(2) + A_4^{(r)}(H_4) B_4^{(r)}(2) + A_5^{(r)}(H_4) B_5^{(r)}(2) + A_6^{(r)}(H_4) B_6^{(r)}(2)$$

The decryption key (DK_2) for the electrocardiogram (file2) required by the medical researcher (S_4) is hidden in $A_4^{(r)}(H_4) B_4^{(r)}(2)$.

$$A_4^{(r)}(H_4) = \left[ \frac{H_4 - H_1}{H_4 - H_1} + (H_4 - H_4) \right] \left[ \frac{H_4 - H_2}{H_4 - H_2} + (H_4 - H_4) \right] \left[ \frac{H_4 - H_3}{H_4 - H_3} + (H_4 - H_4) \right] \left[ \frac{H_4 - H_5}{H_4 - H_5} + (H_4 - H_4) \right] \left[ \frac{H_4 - H_6}{H_4 - H_6} + (H_4 - H_4) \right] I_{\{H_1, \dots, H_6\}}(H_4) = 1$$

$$B_4^{(r)}(2) = \left[ DK_1 \frac{(2-2)(2-3)(2-4)(2-5)}{(1-2)(1-3)(1-4)(1-5)} + DK_2 \frac{(2-1)(2-3)(2-4)(2-5)}{(2-1)(2-3)(2-4)(2-5)} + DK_4 \frac{(2-1)(2-2)(2-3)(2-5)}{(4-1)(4-2)(4-3)(4-5)} \right] I_{J_4}(2) = \left[ DK_1 \cdot 0 + DK_2 \cdot 1 + DK_4 \cdot 0 \right] \cdot 1 = DK_2$$

The rest shows 0 because of inadequate information.

$$A_1^{(r)}(H_4) = \left[ \frac{H_4 - H_2}{H_1 - H_2} + (H_4 - H_1) \right] \left[ \frac{H_4 - H_3}{H_1 - H_3} + (H_4 - H_1) \right] \left[ \frac{H_4 - H_4}{H_1 - H_4} + (H_4 - H_1) \right] \left[ \frac{H_4 - H_5}{H_1 - H_5} + (H_4 - H_1) \right] \left[ \frac{H_4 - H_6}{H_1 - H_6} + (H_4 - H_1) \right] I_{\{H_1, \dots, H_6\}}(H_4) = m$$

$$A_2^{(r)}(H_4) = \left[ \frac{H_4 - H_1}{H_2 - H_1} + (H_4 - H_2) \right] \left[ \frac{H_4 - H_3}{H_2 - H_3} + (H_4 - H_2) \right] \left[ \frac{H_4 - H_4}{H_2 - H_4} + (H_4 - H_2) \right] \left[ \frac{H_4 - H_5}{H_2 - H_5} + (H_4 - H_2) \right] \left[ \frac{H_4 - H_6}{H_2 - H_6} + (H_4 - H_2) \right] I_{\{H_1, \dots, H_6\}}(H_4) = m$$

$$A_3^{(r)}(H_4) = \left[ \frac{H_4 - H_1}{H_3 - H_1} + (H_4 - H_3) \right] \left[ \frac{H_4 - H_2}{H_3 - H_2} + (H_4 - H_3) \right] \left[ \frac{H_4 - H_4}{H_3 - H_4} + (H_4 - H_3) \right] \left[ \frac{H_4 - H_5}{H_3 - H_5} + (H_4 - H_3) \right] \left[ \frac{H_4 - H_6}{H_3 - H_6} + (H_4 - H_3) \right] I_{\{H_1, \dots, H_6\}}(H_4) = m$$

$$A_5^{(r)}(H_4) = \left[ \frac{H_4 - H_1}{H_5 - H_1} + (H_4 - H_5) \right] \left[ \frac{H_4 - H_2}{H_5 - H_2} + (H_4 - H_5) \right] \left[ \frac{H_4 - H_3}{H_5 - H_3} + (H_4 - H_5) \right] \left[ \frac{H_4 - H_4}{H_5 - H_4} + (H_4 - H_5) \right] \left[ \frac{H_4 - H_6}{H_5 - H_6} + (H_4 - H_5) \right] I_{\{H_1, \dots, H_6\}}(H_4) = m$$

$$A_6^{(r)}(H_4) = \left[ \frac{H_4 - H_1}{H_6 - H_1} + (H_4 - H_6) \right] \left[ \frac{H_4 - H_2}{H_6 - H_2} + (H_4 - H_6) \right] \left[ \frac{H_4 - H_3}{H_6 - H_3} + (H_4 - H_6) \right] \left[ \frac{H_4 - H_4}{H_6 - H_4} + (H_4 - H_6) \right] \left[ \frac{H_4 - H_5}{H_6 - H_5} + (H_4 - H_6) \right] I_{\{H_1, \dots, H_6\}}(H_4) = m$$

m acquired from the previous equations appears as a huge disordered number; however, $A_4^{(r)}(H_k)$ (k ∈ {1, 2, 3, 5, 6}) does not have the access authority, so that $\Theta_i^{(r)}(x) = I_{\{1\}}\!\left(A_i^{(r)}(x)\right)$ could be utilized for transforming the invalid value m to 0 in order to avoid an invalid operation.

Accordingly, the medical researcher (S_4) could successfully deduce the decryption key (DK_2) for the electrocardiogram (file2) with the following equations.

$$G^{(r)}(H_4, 2) = A_1^{(r)}(H_4) B_1^{(r)}(2) + A_2^{(r)}(H_4) B_2^{(r)}(2) + A_3^{(r)}(H_4) B_3^{(r)}(2) + A_4^{(r)}(H_4) B_4^{(r)}(2) + A_5^{(r)}(H_4) B_5^{(r)}(2) + A_6^{(r)}(H_4) B_6^{(r)}(2) = 0 + 0 + 0 + 1 \cdot DK_2 + 0 + 0 = DK_2$$

4. DYNAMIC ACCESS CONTROL

The so-called user or file transaction indicates the addition and removal of members and the revision of authority in the system, or the appending or removal of confidential files. PHR systems can be transacted at any time in daily life; for example, when a medical researcher is no longer allowed to operate on the confidential file of the patient's electrocardiogram after completing the research project, the researcher's access authority to the electrocardiogram needs to be revised to disable the access. The responses to user or file transactions in the system are described in the succeeding text.

4.1. User modification: member adding

When adding a new member to the system, CA establishes the access authority to the confidential files as well as updates the old public polynomial $G^{(r)}(x, y)$ to publish it. The steps to add a member are shown as follows.

Step 1: Adding a new member $S_{n+1}$, CA establishes a private secret key $H_{n+1}$.

Step 2: CA updates the private polynomial $A_{n+1}^{(r)}(x)$ and the verification indicator $I^{(x)}_{\{H_{n+1}\}}$.

$$A_{n+1}^{(r)}(x) = \left\{\prod_{\substack{1 \le k \le n+1 \\ k \ne n+1}} \left[\frac{x - H_k}{H_{n+1} - H_k} + (x - H_{n+1})\right]\right\} I^{(x)}_{\{H_{n+1}\}}$$

Step 3: When $H_{n+1}$ is a legal secret key, $A_{n+1}^{(r)}(H_{n+1})$ appears as 1, or otherwise 0, revealing $\Theta_{n+1}^{(r)}(x) = I^{(A_{n+1}^{(r)}(x))}_{\{1\}}$, $\Theta_{n+1}^{(r)}(H_{n+1}) = 1$, and $\Theta_{n+1}^{(r)}(x \ne H_{n+1}) = 0$.

Step 4: CA updates the private polynomial $B_{n+1}^{(r)}(y)$ and the verification indicator $I_{J_{n+1}}(y)$.

$$B_{n+1}^{(r)}(y) = \left\{\sum_{u \in J_{n+1}} DK_u \left[\prod_{\substack{t = 1 \\ t \ne u}}^{m} \frac{y - t}{u - t}\right]\right\} I_{J_{n+1}}(y), \quad y \in R$$

where $J_{n+1} = \{u \mid 1 \le u \le m,\ u \text{ is the number of a confidential file in the } (n+1)\text{th user's access authority}\}$ and

$$I_{J_{n+1}}(y) = \begin{cases} 1, & \text{if } y \in J_{n+1} \\ 0, & \text{otherwise.} \end{cases}$$

Step 5: The original public polynomial $G^{(r)}(x, y)$ is updated as $G'^{(r)}(x, y)$.

$$G'^{(r)}(x, y) = G^{(r)}(x, y) + A_{n+1}^{(r)}(x)\,B_{n+1}^{(r)}(y)$$

From the previous member adding steps, CA establishes $A_{n+1}^{(r)}(x)$, $B_{n+1}^{(r)}(y)$, and $J_{n+1}$ as well as updates the verification indicators $I^{(x)}_{\{H_{n+1}\}}$, $\Theta_{n+1}^{(r)}(x)$, and $I_{J_{n+1}}(y)$ for the new member $S_{n+1}$, and finally updates such information into the original public polynomial $G^{(r)}(x, y)$. The entire adding process merely requires a small cost for updating $S_{n+1}$; besides, merely an addition is applied in the final $G^{(r)}(x, y)$ update, so that the calculation cost is largely reduced.

4.2. User modification: member removal

When a member no longer participates in work related to the PHR system, the relevant operations are prohibited. The member's access authority to confidential files is removed to prevent the member from stealing the confidential data illegally.

Assuming that the member $S_k$ is to be removed, two methods are available to CA. One is to remove the parameters $A_k^{(r)}(x)$ and $B_k^{(r)}(y)$ related to the member $S_k$ from the public polynomial.

$$G'^{(r)}(x, y) = G^{(r)}(x, y) - A_k^{(r)}(x)\,B_k^{(r)}(y)$$

The other is to directly destroy the member's access authority to confidential documents by updating $J'_k = \{\}$.

4.3. Modification of user access authority

When a PHR system user's access authority is modified (added or removed), CA adjusts the authority access matrix and revises the relevant parameters with the following steps.

Step 1: CA resets the verification indicator $J_i$ of the user's decryption keys $DK_u$ for the access authority:

$$J'_i = \{u \mid 1 \le u \le m,\ u \text{ is the number of a confidential file in the } i\text{th user's access authority}\}$$

$J'_i$ is the new authority set after the user $S_i$ modified the access authority and CA recalculated the member authority access matrix.

Step 2: Because the verification indicator $J_i$ is closely related to $B_i^{(r)}(y)$, the polynomial $B_i^{(r)}(y)$ has to be updated as $B'^{(r)}_i(y)$ when CA updates the verification indicator $J_i$ as $J'_i$. Finally, the updated public polynomial is shown as follows.

$$G'^{(r)}(x, y) = G^{(r)}(x, y) - A_i^{(r)}(x)\,B_i^{(r)}(y) + A_i^{(r)}(x)\,B'^{(r)}_i(y)$$

The modification of the user's authority is completed after the previous steps.

4.4. Modification of confidential file: appending file

When confidential files need to be appended to the system, CA distributes the access authority to the new files to each PHR user and resets the verification indicator $J_i$ as $J'_i$; the polynomial $B_i^{(r)}(y)$ is also updated as $B'^{(r)}_i(y)$. Finally, the public polynomial is updated as follows to complete the file appending.

$$G^{*(r)}(x, y) = \sum_{i=1}^{n} A_i^{(r)}(x)\,B'^{(r)}_i(y), \quad x, y \in R$$

4.5. Modification of confidential file: file removal

When confidential files need to be removed from the system, CA removes each PHR user's access authority to such files and resets the verification indicator $J_i$ as $J''_i$; the polynomial $B_i^{(r)}(y)$ is also updated as $B''^{(r)}_i(y)$. Finally, the public polynomial is updated as follows to complete the file removal.

$$G^{**(r)}(x, y) = \sum_{i=1}^{n} A_i^{(r)}(x)\,B''^{(r)}_i(y), \quad x, y \in R$$
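The following is an added example, not code from the paper: a Python model of the public polynomial $G^{(r)}(x, y)$ from the Section 3 example together with the Section 4 transactions (member adding, member removal, authority modification), using exact rational arithmetic. The secret keys $H_i$, the decryption keys $DK_u$ and the access sets of $S_1$ and $S_6$ are constructed values; the indicators $I$ and $\Theta$ are modelled as plain membership tests, as the paper defines them.

```python
from dataclasses import dataclass
from fractions import Fraction

# Constructed sample system (not the paper's figures): m = 5 confidential files.
# Decryption keys DK_u and members' secret keys H_i are made-up integers; the
# access sets of S2..S5 follow the paper's example, those of S1 and S6 are constructed.
M_FILES = 5
DK = {1: 1001, 2: 2002, 3: 3003, 4: 4004, 5: 5005}
H = {1: 11, 2: 29, 3: 47, 4: 71, 5: 97, 6: 113}
J = {1: {1, 2, 3, 4, 5}, 2: {1, 2, 3, 4}, 3: {1, 4}, 4: {1, 2, 4}, 5: {5}, 6: {1}}


@dataclass
class Term:
    """One summand A_i^(r)(x) * B_i^(r)(y) of the public polynomial G^(r)(x, y)."""
    member: int
    secret: int      # H_i
    others: list     # H_k for k != i, as registered when CA built this term
    files: set       # J_i

    def A(self, x):
        """A_i^(r)(x) = prod_{k != i} [(x - H_k)/(H_i - H_k) + (x - H_i)] * I^{(x)}_{H_1..H_n}.
        The verification indicator is 1 only for a registered secret key, so an
        outsider's key gives 0 before any arithmetic happens."""
        if x != self.secret and x not in self.others:
            return Fraction(0)
        val = Fraction(1)
        for hk in self.others:
            val *= Fraction(x - hk, self.secret - hk) + (x - self.secret)
        return val            # exactly 1 at x == H_i, a 'disordered' rational otherwise

    def theta(self, x):
        """Theta_i^(r)(x) = I_{A_i(x)}{1}: anything that is not exactly 1 becomes 0."""
        return 1 if self.A(x) == 1 else 0

    def B(self, y, dk=DK, m=M_FILES):
        """B_i^(r)(y): Lagrange interpolation through (u, DK_u) for u in J_i, times I_{J_i}(y)."""
        if y not in self.files:
            return Fraction(0)
        total = Fraction(0)
        for u in self.files:
            basis = Fraction(dk[u])
            for t in range(1, m + 1):
                if t != u:
                    basis *= Fraction(y - t, u - t)
            total += basis    # every basis term except u == y vanishes at an integer node
        return total


def build_system(h=H, j=J):
    """CA builds G^(r)(x, y) = sum_i A_i(x) B_i(y) as a list of per-member terms."""
    return [Term(i, h[i], [h[k] for k in h if k != i], set(j[i])) for i in h]


def evaluate_G(terms, x, y):
    """G^(r)(x, y): DK_y when (x, y) is an authorised (H_i, file) pair, otherwise 0."""
    return sum(t.theta(x) * t.B(y) for t in terms)


# Section 4: each transaction touches one term; the rest of G is reused unchanged.
def add_member(terms, member, secret, files):
    """G' = G + A_{n+1}(x) B_{n+1}(y); A_{n+1} is built over all registered keys."""
    return terms + [Term(member, secret, [t.secret for t in terms], set(files))]


def remove_member(terms, member):
    """G' = G - A_k(x) B_k(y)."""
    return [t for t in terms if t.member != member]


def modify_authority(terms, member, new_files):
    """G' = G - A_i(x) B_i(y) + A_i(x) B'_i(y): only J_i, hence B_i, is replaced."""
    return [Term(t.member, t.secret, t.others, set(new_files)) if t.member == member else t
            for t in terms]


if __name__ == "__main__":
    g = build_system()
    print(evaluate_G(g, H[4], 2))   # researcher S4 on file 2 -> 2002 (DK_2)
    print(evaluate_G(g, H[3], 2))   # nurse S3 on file 2 -> 0 (2 not in J_3)
    print(evaluate_G(modify_authority(g, 4, {1, 4}), H[4], 2))  # after the project ends -> 0
```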

5. SECURITY ANALYSIS

Personal health records are data with high personal privacy, and a cloud system is the tool to store and share data; the security of the sharing is therefore questioned. In this study, public-key cryptography, an interpolating polynomial, and an access matrix are utilized for accessing data. When the mechanism is placed on the cloud system as the access control mechanism, symmetric encryption is used to encrypt the data, and the key is protected. The access control is protected with the Lagrange operation and the public-key system, where the members must be approved by CA to pass through the access matrix for accessing. Besides, each member holds the accessible matrix authority; when they intend to attack or simulate the others' matrices, they would have to crack the access polynomial, solve the Lagrange and public-key cryptosystem, and face the decryption of the symmetric cryptosystem. Security is achieved because what would have to be spent exceeds what the security requires.

Past approaches mostly established a user's access polynomial, meaning that the authorized person holding the key to encrypted files could apply the key to access confidential files. The access polynomial needs to be recalculated for each dynamic update, and more members increase the calculation complexity. This study proposes to apply an access matrix to the dynamic update so that the altered calculation is relatively easier. Moreover, an access polynomial often encounters operational security problems of the mathematical equations; here, new parameters are added to the calculation formula with an access matrix so that there is no such problem.

In this section, the security of the responses to user or file transactions is analyzed, and the common attacks (external attack, insider attack, collaborative attack, and equation-breaking attack) are examined in actual conditions to implement the system security. The four attacks treated in this study are described as follows.

5.1. External attack

External attack refers to an attacker attempting to illegally acquire a user's secret key and steal confidential data through the public information in the system.

As in the example of this study, an attacker has to work on the sole public decryption polynomial $G^{(r)}(x, y)$ of the system for the external attack. Because each user ($S_i$) substitutes a personal private key ($H_i$) into the public decryption polynomial $G^{(r)}(x, y)$ to derive the decryption keys ($DK_u$) for authorized confidential files, both $A_i^{(r)}(x)$ and $B_i^{(r)}(y)$ have to be broken when attempting to illegally acquire the decryption key. Nonetheless, an external attacker could merely acquire the public decryption polynomial $G^{(r)}(x, y)$ and the number of the confidential file; with inadequate decryption information and huge computations, the decryption key cannot be effectively derived with mathematical calculations. Even when two users are continuously added, the decryption key would not be acquired because the mathematical form is not factorized (refer to Section 3.2.3). As a consequence, an illegal attacker cannot acquire a patient's medical records and other medical information through external attack.

5.2. Insider attack

Such an attack is common among system members; it usually occurs when a legal user ($S_i$) with lower authority utilizes the public decryption polynomial $G^{(r)}(x, y)$ and the personal secret key ($H_i$) to illegally acquire the secret keys of other legal users with higher authority so as to illegally acquire an unauthorized confidential document.

Based on such a situation, it is assumed that a nurse ($S_3$) intends to access the electrocardiogram (file2) and major surgery records (file3) to which a physician ($S_2$) has access; Figure 4 shows the member authority access matrix. In general, a physician ($S_2$) and a nurse ($S_3$) show the partial order relationship denoted as $S_3 \preceq S_2$, meaning that physicians have higher access authority ($S_2 = \{1, 2, 3, 4\}$; $S_3 = \{1, 4\}$) than nurses do. For this reason, a nurse ($S_3$) becomes an attacker of a physician ($S_2$), attempting to substitute the personal secret key ($H_3$) into the public decryption polynomial $G^{(r)}(x, y)$ to derive the physician's ($S_2$) secret key ($H_2$) and further acquire the electrocardiogram (file2) and major surgery records (file3) to which only the physician ($S_2$) has access.

In the derivation, a nurse ($S_3$) could substitute $(H_3, 1)$ and $(H_3, 4)$ into the public polynomial $G^{(r)}(x, y)$ to acquire the decryption keys $DK_1$ and $DK_4$ for the blood pressure records (file1) and the drug and allergic reaction records (file4). Nevertheless, the decryption keys for the electrocardiogram (file2) and major surgery records (file3) cannot be acquired by substituting $(H_3, 2)$ and $(H_3, 3)$ into $G^{(r)}(x, y)$. That is, a nurse ($S_3$) cannot acquire the decryption keys $DK_2$ and $DK_3$ of a physician's ($S_2$) access.

When a nurse ($S_3$) intends to acquire the decryption keys $DK_2$ and $DK_3$ of a physician's ($S_2$) access, the attacked targets are $H_2$ hidden in $A_2^{(r)}(x)$ and $DK_2$ and $DK_3$ hidden in $B_2^{(r)}(y)$. As a nurse ($S_3$) could acquire the decryption keys $DK_1$ and $DK_4$ by substituting $(H_3, 1)$ and $(H_3, 4)$ into $G^{(r)}(x, y)$, the attacker attempts to calculate the following.

$$G^{(r)}(H_3, 1) = DK_1 \Rightarrow G^{(r)}(H_3, 1) - DK_1 = 0 \Rightarrow A_1^{(r)}(H_3)\,B_1^{(r)}(1) + A_2^{(r)}(H_3)\,B_2^{(r)}(1) + \cdots + A_6^{(r)}(H_3)\,B_6^{(r)}(1) - DK_1 = 0$$

$$G^{(r)}(H_3, 4) = DK_4 \Rightarrow G^{(r)}(H_3, 4) - DK_4 = 0 \Rightarrow A_1^{(r)}(H_3)\,B_1^{(r)}(4) + A_2^{(r)}(H_3)\,B_2^{(r)}(4) + \cdots + A_6^{(r)}(H_3)\,B_6^{(r)}(4) - DK_4 = 0$$

According to the previous derivation, the terms other than $A_3^{(r)}(H_3)\,B_3^{(r)}(1)$ and $A_3^{(r)}(H_3)\,B_3^{(r)}(4)$ are a series of huge numerical values that cannot be calculated (refer to the calculation process of example 1 in Section 3.3.1), so the attacker cannot analyze $H_2$ from such values to acquire $DK_2$ and $DK_3$.

Assuming that an attacker ($S_3$) acquires $A_2^{(r)}(x)\,B_2^{(r)}(y)$, it cannot easily be broken, as $A_2^{(r)}(x)$ and $B_2^{(r)}(y)$ are protected by individual verification indicators.

(1) An attacker ($S_3$) intends to acquire the $H_2$-related information hidden in the polynomial $A_2^{(r)}(x)$.

$$A_2^{(r)}(x) = \left[\frac{x - H_1}{H_2 - H_1} + (x - H_2)\right]\left[\frac{x - H_3}{H_2 - H_3} + (x - H_2)\right]\left[\frac{x - H_4}{H_2 - H_4} + (x - H_2)\right]\left[\frac{x - H_5}{H_2 - H_5} + (x - H_2)\right]\left[\frac{x - H_6}{H_2 - H_6} + (x - H_2)\right] I^{(x)}_{\{H_1, \cdots, H_6\}}$$

The polynomial $A_2^{(r)}(x)$ verifies the user and confirms that the secret key $H_i$ is on CA's legal list. A user not legally authorized by CA cannot pass the calculation of the verification indicator $I^{(x)}_{\{H_1, \cdots, H_n\}}$. Even if the user is legally authorized by CA, a secret key not confirmed as the owner's would not succeed. In other words, assuming that a nurse ($S_3$) substitutes the personal secret key ($H_3$) into $A_2^{(r)}(x)$, a series of disordered numerical values would be acquired; after being computed with $\Theta_i^{(r)}(x) = I^{(A_i^{(r)}(x))}_{\{1\}}$, the result appears as 0, presenting the failure of the break.

(2) An attacker ($S_3$) intends to acquire the $DK_2$- and $DK_3$-related information hidden in the polynomial $B_2^{(r)}(y)$.

$$B_2^{(r)}(y) = \left[DK_1 \frac{(y-2)(y-3)(y-4)(y-5)}{(1-2)(1-3)(1-4)(1-5)} + DK_2 \frac{(y-1)(y-3)(y-4)(y-5)}{(2-1)(2-3)(2-4)(2-5)} + DK_3 \frac{(y-1)(y-2)(y-4)(y-5)}{(3-1)(3-2)(3-4)(3-5)} + DK_4 \frac{(y-1)(y-2)(y-3)(y-5)}{(4-1)(4-2)(4-3)(4-5)}\right] I_{J_2}(y)$$

The user has to be authorized by CA to legally access the confidential document so as to successfully pass the confirmation with $I_{J_i}(y)$; otherwise, the result appears as 0, revealing that it is not broken. A nurse ($S_3 = \{1, 4\}$), not on CA's authority list for accessing the electrocardiogram (file2) and major surgery records (file3), would not pass the confirmation of $I_{J_2}(y)$ ($J_2 = \{1, 2, 3, 4\}$) to acquire $DK_2$ and $DK_3$. The final result appears as 0, showing that the decryption key is not successfully acquired.

In sum, the decryption information cannot be illegally acquired by reversely deriving the polynomial. Such a method therefore could effectively stop insider attacks to achieve the system security.

5.3. Collaborative attack

The difference between collaborative attack and insider attack lies in the quantity of attackers. Insider attackers refer to a legally authorized user attempting to illegally acquire the decryption key, while collaborative attackers are two or more legally authorized users cooperatively using their secret keys to derive other system members' secret keys and confidential documents to which the attackers do not have access.

In the member authority access matrix established by CA, the partial order relationship exists among users; therefore, two possible attacks are taken into account in collaborative attack. One is where a partial order relationship exists between at least two conspiring attackers and the internal member they intend to attack, and the other is where no partial order relationship exists with the internal member they intend to attack.

(1) Partial order relationship between at least two conspiring attackers and the internal member they intend to attack:

It is assumed that a nurse ($S_3$) and a medical researcher ($S_4$) intend to access major surgery records (file3) to which only a physician ($S_2$) has access, and the attackers ($S_3$ and $S_4$) do not have any access authority to the major surgery records (file3).

From Figure 5, the attackers' authorities are $S_3 = \{1, 4\}$ and $S_4 = \{1, 2, 4\}$, while the authority of the attacked is $S_2 = \{1, 2, 3, 4\}$. In other words, the access authority of a physician ($S_2$) is higher than that of a nurse ($S_3$) and a medical researcher ($S_4$). In this case, the attackers intend to attack the physician ($S_2$) with their personal decryption information to acquire the decryption key ($DK_3$) for major surgery records (file3), where the information related to the decryption key $DK_3$ is hidden in $A_2^{(r)}(x)\,B_2^{(r)}(y)$.

Figure 5. The conspired attackers and the attacked present partial order relationship.

$$A_2^{(r)}(x) = \left[\frac{x - H_1}{H_2 - H_1} + (x - H_2)\right]\left[\frac{x - H_3}{H_2 - H_3} + (x - H_2)\right]\left[\frac{x - H_4}{H_2 - H_4} + (x - H_2)\right]\left[\frac{x - H_5}{H_2 - H_5} + (x - H_2)\right]\left[\frac{x - H_6}{H_2 - H_6} + (x - H_2)\right] I^{(x)}_{\{H_1, \cdots, H_6\}}$$

$$B_2^{(r)}(y) = \left[DK_1 \frac{(y-2)(y-3)(y-4)(y-5)}{(1-2)(1-3)(1-4)(1-5)} + DK_2 \frac{(y-1)(y-3)(y-4)(y-5)}{(2-1)(2-3)(2-4)(2-5)} + DK_3 \frac{(y-1)(y-2)(y-4)(y-5)}{(3-1)(3-2)(3-4)(3-5)} + DK_4 \frac{(y-1)(y-2)(y-3)(y-5)}{(4-1)(4-2)(4-3)(4-5)}\right] I_{J_2}(y)$$

Nonetheless, a nurse ($S_3$) and a medical researcher ($S_4$) merely hold the personal secret keys $H_3$ and $H_4$, which cannot be used to acquire the desired $H_2$ from $A_2^{(r)}(x)$ but only a series of disordered and huge numerical values. Eventually, the result appears as 0 because of $\Theta_i^{(r)}(x) = I^{(A_i^{(r)}(x))}_{\{1\}}$, so that the result of $A_2^{(r)}(x)\,B_2^{(r)}(y)$ also appears as 0.

Apparently, a conspired attack, like a single attacker, cannot successfully break the desired decryption information.

(2) No partial order relationship between at least two conspiring attackers and the internal member they intend to attack:

It is assumed that a nurse ($S_3$) and a medical researcher ($S_4$) intend to access health insurance records (file5) to which only a health insurance unit ($S_5$) has access, and the attackers ($S_3$ and $S_4$) do not have any access authority to the health insurance records (file5).

From Figure 6, the attackers' authorities are $S_3 = \{1, 4\}$ and $S_4 = \{1, 2, 4\}$, and the authority of the attacked is $S_5 = \{5\}$. That is, the access authority of a health insurance unit ($S_5$) is not related to the nurse ($S_3$) and the medical researcher ($S_4$). In this case, the attackers attempt to enhance the probability of attacking the health insurance unit ($S_5$) with their decryption information to acquire the decryption key ($DK_5$) for the health insurance records (file5), where the information related to the decryption key $DK_5$ is hidden in $A_5^{(r)}(x)\,B_5^{(r)}(y)$.

$$A_5^{(r)}(x) = \left[\frac{x - H_1}{H_5 - H_1} + (x - H_5)\right]\left[\frac{x - H_2}{H_5 - H_2} + (x - H_5)\right]\left[\frac{x - H_3}{H_5 - H_3} + (x - H_5)\right]\left[\frac{x - H_4}{H_5 - H_4} + (x - H_5)\right]\left[\frac{x - H_6}{H_5 - H_6} + (x - H_5)\right] I^{(x)}_{\{H_1, \cdots, H_6\}}$$

$$B_5^{(r)}(y) = \left[DK_5 \frac{(y-1)(y-2)(y-3)(y-4)}{(5-1)(5-2)(5-3)(5-4)}\right] I_{J_5}(y)$$

Nonetheless, a nurse ($S_3$) and a medical researcher ($S_4$) merely hold the personal secret keys $H_3$ and $H_4$, which cannot be used to acquire $H_5$ through $A_5^{(r)}(x)$ but only a series of disordered and huge numerical values. Eventually, the result appears as 0 because of $\Theta_i^{(r)}(x) = I^{(A_i^{(r)}(x))}_{\{1\}}$, and the result of $A_5^{(r)}(x)\,B_5^{(r)}(y)$ also appears as 0.

In conclusion, regardless of the partial order relationship among system members and the quantity of attackers, an attacker cannot derive the secret key of the attacked and the decryption key for the confidential document from the known decryption information. The breaking therefore cannot be achieved with a collaborative attack against this method.

5.4. Equation attack

The fourth attack, equation attack, means that an attacker attempts to break the public decryption polynomial $G^{(r)}(x, y)$ mathematically to further illegally acquire the secret key.

Such an attack is frequently used during the transaction of a system member's authority. As mentioned in Section 5, when a system is adding members, removing members, or transacting a member's access authority to confidential documents, an attacker could look for feasible breaking opportunities in the transaction of the public polynomial. Consequently, the security of the public polynomial during the authority transaction is discussed in this section. The transaction types of user authority mentioned in the previous section are further explained.

Figure 6. No partial order relationship between conspired

(1) Adding member: $G'^{(r)}(x, y) = G^{(r)}(x, y) + A_{n+1}^{(r)}(x)\,B_{n+1}^{(r)}(y)$

When a new member is added to the system, an attacker could subtract the original public polynomial $G^{(r)}(x, y)$ from the updated public polynomial $G'^{(r)}(x, y)$ to acquire $A_{n+1}^{(r)}(x)\,B_{n+1}^{(r)}(y)$. As discussed previously, useful information related to the decryption cannot be acquired from $A_{n+1}^{(r)}(x)\,B_{n+1}^{(r)}(y)$. Moreover, the decryption information still cannot be acquired even though new members are continuously added to the system (refer to Section 3.2.3). As a result, an equation attacker cannot extract useful decryption information from the member addition.

(2) Member removal: $G'^{(r)}(x, y) = G^{(r)}(x, y) - A_k^{(r)}(x)\,B_k^{(r)}(y)$

When a member is removed from the system, an attacker could subtract the updated public polynomial $G'^{(r)}(x, y)$ from the original public polynomial $G^{(r)}(x, y)$ to acquire $A_k^{(r)}(x)\,B_k^{(r)}(y)$, which cannot be used for breaking, even though members are continuously removed. Useful information therefore cannot be acquired.

(3) Modification of authority: $G'^{(r)}(x, y) = G^{(r)}(x, y) - A_i^{(r)}(x)\,B_i^{(r)}(y) + A_i^{(r)}(x)\,B'^{(r)}_i(y)$

Different from the previous two attacks, the new public polynomial is subtracted from the original one to obtain $A_i^{(r)}(x)\,B_i^{(r)}(y) - A_i^{(r)}(x)\,B'^{(r)}_i(y)$. Although the results are different, the principle for not being broken is similar; that is, when $x = 0$ or $y = 0$ is assumed, a series of huge numerical values would be acquired. Accordingly, an attacker cannot break the relevant decryption information even when working on the transaction of the changing user authority.

Summing up the previous security analysis, the four common attacks cannot successfully break the decryption information in this study, so the methods proposed in this study could effectively protect the system from being attacked and successfully achieve system security.

6. CONCLUSION

In the access control mechanism, the process with larger computation appears in the dynamic update. Several approaches were used in past access control mechanisms to establish the access polynomial, including the operation of participating members with the authority to access confidential files and keys, where the relationship between participating members is closely related to the authority operation. Those with large authority could access several files, while the others with small authority could merely access some files. An access matrix is proposed in this study, in which the members are equally authorized. In comparison with other access mechanisms, it is simpler, and the computation is smaller in dynamic update, as the matrix does not consider the relationship between members, but merely the quantity of files, in the operation. Accordingly, the application of an access matrix presents the advantage.

Patient referral and attending physician changes appear in the dynamic update. In the dynamic update process, the approach proposed by T.S. Chen in 2012 is applied to this study. Nevertheless, as T.S. Chen's approach would show a calculation weakness in the security of the dynamic update process, new parameters and operations are added to the approach proposed in this study to improve the operational drawbacks and enhance the security. Besides, the established access matrix presents no different authority between members; all legal members have accessible authority but do not know the other members' authority. It therefore could enhance the security in the dynamic update by avoiding a united attack.

Improving the T.S. Chen (2012) methodology and consolidating the security, applying PHR to cloud computing environments, and considering the different access authorities of each user in the system to confidential files, the methods proposed in this study not only could protect the system members' and patients' privacy of personal health records but could also stop the entry of illegal attackers.

So far, many studies have pointed out the convenience of PHR; however, they are not broadly practiced in medical institutions in Taiwan. Many medical clinics still use traditional paper-based patient records to keep patients' medical records, which is considered a waste of cost. The possible factors in PHR not being practiced are summarized as in the succeeding text.

(1) Capital problem: Large hospitals have adequate capital to establish platforms, but small clinics do not, so they still remain at the stage of traditional paper-based patient records.

(2) Platform establishment problem: Current platforms for PHR have not been unified, so that the transformation among platforms might result in confidential data being lost or corrupted.

(3) Regulation problem: Regulations related to PHR have not been made in Taiwan. It not only involves legislation but also relates to national public health policies, so that the promotion is rather difficult.

Once PHR could actually be practiced in various medical institutions, and the secure, effective, and reliable encryption is constructed to protect the cloud computing from the threat of uncertainty as well as to guarantee each user's information security and privacy, the public welfare would be promoted.


REFERENCES

1. Seung LP, Anil VP, Pantanowitz L. Electronic medical records, Practical Informatics for Cytopathology 2014;14: 121–127.

2. Corrigan JM, Donaldson MS, Kohn LT. Crossing the Quality Chasm: A New Health System for the 21st Century. National Academy Press: Washington, DC, 2001.

3. Li M, Yu S, Ren K, Lou W. Securing personal health records in cloud computing: patient-centric and fine-grained data access control in multi-owner settings, Security and Privacy in Communication Networks 2010;50: 89–106.

4. Mell P, Grance T. Effectively and Securely Using the Cloud Computing Paradigm, National Institute of Standards and Technology, 2009.

5. Safran C, Goldberg H. Electronic patient records and the impact of the internet, International Journal of Medical Informatics 2000;60(2): 77–83.

6. Wang NY. Computer-based patient record system, The Journal of Taiwan Association for Medical Informatics 1994;3: 29–33.

7. Fan BY. Health information management, Taipei: Ho-Chi Book Publishing Co, 2008.

8. Dimitropoulos LL. Privacy and security solutions for interoperable health information exchange, http://healthit.ahrq.gov/portal/server.pt/gateway/PTARGS_0_241358_0_0_18/IAVR_ExecSumm.pdf, 2006.

9. Ray P, Wimalasiri J. The need for technical solutions for maintaining the privacy of EHR, Engineering in Medicine and Biology Society 2006;1: 4686–4689.

10. Becker MY, Sewell P. Cassandra: flexible trust management, applied to electronic health records, Proceedings of the 17th IEEE Computer Security Foundations Workshop, 2004.

11. Jin J, Ahn GJ, Hu H, Covington MJ, Zhang X. Patient-centric authorization framework for sharing electronic health records, Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (SACMAT 09), 125–134, 2009.

12. Waegemann CP. Status report 2002: electronic health records, Medical Records Institute, 2002.

13. Ministry of Health and Welfare in Taiwan. Electronic medical records adoption in hospital, http://www.mohw.gov.tw/CHT/Ministry/, 2005.

14. Ministry of Health and Welfare in Taiwan. The plan of internet healthy service promotion, http://www.mohw.gov.tw/CHT/Ministry/, 2015.

15. Kahn JS, Aulakh V, Bosworth A. What it takes: characteristics of the ideal personal health record, Health Affairs (Millwood) 2009;28(2): 369–376.

16. Iakovidis I. Towards personal health record: current situation, obstacles and trends in implementation of electronic healthcare record in Europe, International Journal of Medical Informatics 1998;52(1): 105–115.

17. Lober WB, Zierler B, Herbaugh A, Shinstrom SE, Stolyar A, Kim EH, Kim Y. Barriers to the use of a personal health record by an elderly population, 2006; 514–518.

18. Smith III JO. Lagrange interpolation, Center for Computer Research in Music and Acoustics (CCRMA), Stanford University.

19. Deshpande JV. On continuity of a partial order, Proceedings of the American Mathematical Society 1968;19(2): 383–386.

20. Chen TS, Liu CH, Chen TL, Chen CS, Bau JS. Secure dynamic access control scheme of PHR in cloud computing, Journal of Medical Systems 2012;36(6): 4005–4020.

21. Cheng JS. An application of public key cryptosystem on personal health records, National Chiayi University


Table I shows the comparison between traditional paper-based patient records and electronic medical records [5–11].

Figure 2. The situations of the users' access authority to confidential files.

Figure 4. Member authority access matrix.
