An increasing need for data exchange among different parties involved in a care cycle ranging from traditional healthcare via home healthcare to wellness services has made secure management of digitally stored health data an important issue. Today's approaches are based on traditional security mechanisms complemented with physical and administrative procedures, limiting the availability of health information and making the exchange of health records cumbersome. Digital policy management and enforcement technologies may outperform these approaches by offering (1) end-to-end privacy and security in heterogeneous networks, protecting the data independently of the infrastructure over which data travels or institutional boundaries; (2) usage control on top of attribute-based access control mechanisms, which is very important in healthcare applications; and (3) simple interoperable security architecture that allows developing systems in a network agnostic way, obviating the need for network specific security provisions and hence reducing implementation and maintenance costs.
An important component of such a security system is the attribute-based encryption scheme (ABE), in particular a ciphertext-policy ABE scheme (CP-ABE), as known from J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-Policy Attribute-Based Encryption,” Proceedings of the 2007 IEEE Symposium on Security and Privacy, pages 321-334, 2007. In this scheme the data is encrypted according to an access structure, also known as access control policy, so that only users with a suitable set of attributes can decrypt the data. To be able to decrypt the data, a user gets from the trusted authority a specific private key that corresponds to the set of attributes he/she has.
The known attribute based encryption schemes make use of a single root authority. This means that all users in the system obtain the secret keys related to their attributes from a central authority. However, in large and distributed organizations, this approach may be unpractical.
The hierarchical encryption scheme enables establishing the hierarchy of the organization, wherein some of the tasks are typically delegated to people further down in the hierarchy of the organization. The central authority will only issue the secret keys to the domain authorities. This will result in a reduction of the burden on the central authority and user convenience. Instead of contacting the central authority, users will contact their respective domain (or department) authorities to obtain their secret keys. An example of an identity-based hierarchical encryption scheme is disclosed in “Hierarchical ID-Based Cryptography”, by C. Gentry et al., ASIACRYPT 2002, LNCS 2501, pp. 548-566, Springer-Verlag Berlin Heidelberg, 2002.
US 2010/0246827 A1 discloses a method relating to user-controlled encryption. In the system, the root key is derived from a secret (e.g. biometric, password) of the patient. This root key is then used to derive a set of decryption and encryption keys. These keys conform to a hierarchy. This hierarchy implicitly specifies the capabilities of the encryption and decryption keys. For example, a decryption key at a particular level in the hierarchy could decrypt only the document that is encrypted using the corresponding encryption key.
Guojun Wang, Qin Liu and Jie Wu, “Hierarchical Attribute-Based Encryption for Fine-Grained Access Control in Cloud Storage Services,” 17th ACM Conference on Computer and Communications Security, Oct. 4-8, 2010. Hyatt Regency Chicago, Chicago, Ill., USA, discloses a hierarchical attribute-based encryption (HABE) model that combines a hierarchical identity-based encryption (HIBE) system and a ciphertext policy-attribute based encryption (CP-ABE) system, to provide access control and delegation. A HABE scheme is disclosed that makes a performance-expressivity tradeoff to achieve high performance. A domain master (DM) can be enabled to administer either the users of a domain or a disjoint set of attributes. The keys corresponding to an attribute are issued by the domain master administering that attribute. This approach has the following shortcomings: 1) The size of the ciphertext and decryption cost are dependent on the depth of the hierarchy and increase directly with the depth of the hierarchy. 2) During the encryption, the encrypter has to specify the respective domains and hierarchy, which means that if a new domain (e.g. Hospital) joins the network, the users from the newly joined member are not able to access already encrypted data even if they satisfy the access control policy.
Dan Boneh, Xavier Boyen, Eu-Jin Goh, “Hierarchical Identity Based Encryption with Constant Size Ciphertext,” Cryptology ePrint Archive: Report 2005/015 (http://eprint.iacr.org/2005/015.pdf), discloses a hierarchical identity based encryption (HIBE) system where decryption is performed using two bilinear map computations, regardless of the hierarchy depth.