Abstract

Health Information Exchange (HIE) allows various providers to electronically share patient health information, enhancing healthcare delivery through coordinated patient care. A primary concern in HIEs is the need for explicit authorization of information exchange in an auditable manner. However, we find that existing approaches for authorization in health information systems exhibit several drawbacks in meeting the needs of HIE: non-cryptographic approaches lack a secure and reliable mechanism for access policy enforcement, while cryptographic approaches are too expensive, complex and limited in specifying policies. This paper aims to overcome these drawbacks by presenting a simple and efficient patient-centric authorization protocol for information sharing in cloud-based HIE systems. The proposed protocol is built using a novel trapdoor hash-based proxy signature scheme, and ensures that the authorization is authentic with respect to both providers and patients, and complies with the established access control policies. Features of the proposed protocol include auditability, non-interactive and on-demand operation, and specification and secure/reliable enforcement of flexible access control policies. A detailed security and performance analysis shows that the proposed protocol is provably secure against forgery under the discrete log assumption, and achieves the best overall performance compared to other well-known schemes in the literature.

  • Publication date: 2017-6