Abstract:
A personal health record (PHR) system is a smart health system that serves patients and doctors. A PHR is usually stored in a cloud and managed by a semitrusted cloud provider. However, personal health information may still be exposed to semitrusted parties and unauthorized users. To protect the privacy of patients and ensure that patients can control their PHRs, a patient-centric PHR sharing framework is proposed in this article. In this framework, all PHRs are protected with multiauthority attribute-based encryption before outsourcing, which solves the key hosting problem and achieves fine-grained access control to PHRs. Furthermore, an anonymous authentication scheme between the cloud and the user is proposed to ensure data integrity on the cloud while not exposing the user's identity during authentication. The proposed authentication is derived from a new online-offline attribute-based signature. It can make the encrypted PHRs resistant to collusion attacks and protect them from forgery during the period of sharing, which enhances patients' control of their PHRs. The online-offline and outsourced-decryption techniques also reduce computation costs and improve operational efficiency. Finally, comparisons are given based on numerical experiments.