Abstract
In our progressive era of technology, digitization is becoming the link between businesses, people, processes, and data. Since digitization is now a common practice for storing and retrieving data, Electronic Health Record (EHR) management services are rapidly becoming popular as it allows users to store and access their data anywhere at any time. EHR management is bringing many benefits including easy storage, cost effectiveness, shareable with health professionals to a remote location, etc. However it is very challenging to adopt cloud-based EHR services, due to the risk of data breaches and the resulting compromise of patient data. Since EHR stores very sensitive data, a number of security properties including privacy, secrecy, integrity, authenticity and availability of data must be ensured during data transmission, storing and sharing with health professionals. In this study, we have studied symmetric key based technique in designing EHR management protocol. The protocol allows the patient to handle the responsibility of authorizing data access, thus this is a patient-centric protocol. Attributes (e.g., specialization, location, affiliated hospital, etc.) of a health professional is used to delegate access to EHR of a patient, and thus attribute-based access control has been achieved. The protocol we have designed is then validated using AVISPA, an industry-strength security protocol validation tool. AVISPA has confirmed our protocol free from known attacks and confirmed the desired security properties as well.
Introduction
As Internet is becoming an intricate part of our day to day life, it is now a common practice to use its benefits and advantages to make life easier. Technology and the digital revolution are bringing benefits in many ways by providing a platform that connects people from across the globe. This might require individuals to share their private information demanding the data to be kept secured in a simple yet secured way. As the information are vulnerable to security exploits and data theft if remote servers leave the data open [32], the valuable information requires confidentiality, security and privacy [26,35]. Among the many benefits of improved technology, Electronic Health Record (EHR) management is one.
EHR is any health related information or data of patient stored digitally using electronic methods maintaining top notch security to assure privacy. This information can only be accessed instantly by authorized users, e.g., doctors or the patients themselves. EHR contains sensitive information including patients’ medical and treatment histories, administrative and billing data, prescriptions provided by the doctors, medical test reports, personal information (e.g., age, weight and height), etc. Security and privacy is the prime concern as EHR contains valuable information. The EHR system can also be created to go further than typical clinical data collected in a medical institution and can add various other facilities to allow a broader view of a patient’s care [7]. For example it can allow access to tools to help doctors in making decisions about a patient’s care. As EHRs are stored digitally they can be easily shared from one place to another through electronic media via connected private networks, e.g., from one branch of a hospital to another distant branch [39]. Security and privacy are essential not only for patient health information but also for clinical care, research, payment, and healthcare policymaking. Thus various cryptographic protocols that use cryptographic techniques have been developed to achieve secured management of EHR. Various initiatives have been formed to establish the definition of standard methods for secure and inter-operable EHR exchanges, e.g., Integrating the Healthcare Enterprise (IHE) [20].

General EHR management architecture.
EHR management architecture models the system that makes it feasible to store and transfer EHR. A general and very basic EHR management architecture is shown in Fig. 1 where ‘doctor’, refers to any health professionals in general. The patient updates or stores the medical records after receiving treatment from doctor-1. The patient can also authorize doctor-1 to store the medical records on behalf of the patient to a remote EHR server. This same patient might get referred to doctor-2 for further medical treatment. Doctor-2 can view the patient’s previous record after the patient grants doctor-2 the access to data at the EHR server. This model is extended to enhance the structure in various ways to suit the need and meet the objectives of protocols or designs, applied in various works. For example [19] illustrates the incorporation of encryption-decryption function along with transaction code (TAC) service and private key generator (PKG) to provide flexibility with security.
Below we have summarized the required security properties that generally a secured EHR management should support.
In our research, we have developed a simple symmetric key based EHR management protocol. The initial version of this EHR management protocol was published in [23]. In this study, we focus to combine the advantages of attribute-based access control and the simplicity of symmetric key-based encryption and authentication. Note that the idea of attribute-based access control is adopted from Attribute-Based Encryption (ABE), which has been first introduced in [17,33] to store and share encrypted data based on public-key. In ABE, the decryption key is associated with the ciphertext through some attributes [17]. If
The protocol we have developed is patient controlled meaning only the patient-authorized health professional (e.g., a doctor) will have access to the patient’s EHR. Moreover, there will be fine grained access control, i.e., access control will be both doctor and health record specific. Although our proposal is primarily based on symmetric key, it identifies the doctors using their attributes [19,28]. We have developed protocols for both data storage and retrieval. The security properties of this protocol have been validated by modeling the protocol using Automated Validation of Internet Security Protocols and Applications (AVISPA) [3]. AVISPA is an automatic tool with industrial-strength technology for the investigation of different Internet security protocols and applications [14]. It is used equally by the developers of diverse security protocols and by academics [21,22]. In our validation, AVISPA testified the proposed protocol free from attacks.
The rest of the paper is organized as follows: Section 2 presents the existing solutions and our motivation of this work. Section 3 depicts the proposed architecture and protocols for EHR management. Section 4 introduces AVISPA briefly and then presents the model we have developed for the proposed EHR management. The results of security protocol analysis provided by AVISPA are also shown. Finally, Section 5 concludes the paper by summarizing the contribution of this paper.
The vast researches so far in securing EHR have taken various diverse approaches with focus on different areas of the total EHR management system. Some have worked with a focus on modeling and testing a proposed protocol that confirms only secrecy property or other security property requirements. While others have extended their work with a deeper evaluation study and actually verified the systems and tools within healthcare systems to examine if it supports the real life implementation or integration [29].
Classical cryptography based solutions
For wireless medical sensor networks (WMSN), a two-factor authentication protocol for health-care applications has been proposed that allows the users to be anonymous [40]. The security weaknesses and efficiency of this protocol are further improved in [36] by designing an efficient symmetric key based authentication protocol. Privacy of patient’s data is provided by ensuring secured and authorized communication in WMSN which consists of distributed sensors. The security of the proposed protocol is analyzed using a formal security proof algorithm to show the scheme is secure and is also verified by AVISPA.
A secure communication protocol between a patient at home and a doctor at a clinical center in Telecare Medical Information System (TMIS) has been designed in [2] using user authentication for the medical servers. Using cryptographic, one-way hash function, this protocol proposed a smart card based user authentication and key agreement protocol for TMIS system allowing access to several medical services of the multi-medical server. Thus, a user is able to directly communicate with the doctor of the medical server securely. The security properties of the proposed authentication scheme has been analyzed using AVISPA.
An anonymity-preserving remote user authentication protocol that uses the personal biometrics of a user, her password and the smart card is presented in [11]. The user’s biometrics is verified using BioHashing. Further efficiency of this protocol is achieved by using collision-resistant, one-way hash function and exclusive-or (XOR) operations. Several security flaws of this protocol including flaws in login and authentication, password change, protection from privileged insider attack and man-in-the middle attack have been addressed in an improved version [13]. The security analysis of the improved version has been carried out using AVISPA to prove the security of the protocol against possible passive and active attacks.
In [12] a secure and efficient password-based remote user authentication scheme using smart cards for the integrated Electronic Patient Record (EPR) information system is proposed using one-way hash function and bitwise exclusive-or (XOR) operations. This scheme overcomes the security weaknesses such as design flaws in password change phase, failures to protect privileged insider attack and lackings in the formal security verification found in the previously proposed protocol in [27] and [38]. This protocol also establishes a symmetric secret session key between the user and the server for their future secure communications. Security analysis and formal security verification are carried out using AVISPA to show the scheme is secure against passive and active attacks.
A security model has been proposed in [18] to sustain patient’s privacy and data confidentiality by using pseudonymization. In this method, both health records and patients’ information are given randomly-selected pseudonyms, which act as access tokens and allow linking of the health record with the patient. The pseudonyms are encrypted with a patient-specific secret key. Thus the authorization model is patient-centric. The patient is labeled as the data owner who maintains full control over his or her health data and is able to delegate access authorizations to trustworthy persons for particular health record. Micro controller smart-cards with integrated crypto chips are used for secured authentication. Both symmetric key and asymmetric key encryption are used in the model to provide authentication and authorization layers. This pseudonymization protocol is validated using AVISPA and is also practically demonstrated by developing a prototype. Note that pseudonymization requires a sufficiently large number of individuals and records to be effective. Moreover, it requires trustworthy depersonalization for certain kinds of health data, which can be quite difficult.
Hierarchical Key Assignment Scheme (HKAS) [8–10] is a fine-grained access control mechanism where users or participants are organized in hierarchies formed by a certain number of disjoint classes. HKAS provides some encryption keys and private information to the users of a higher class. Using that private information, the users of a higher class can derive the keys of all lower classes that are descendent of that higher class. HKAS can be successfully used for access control to selective users where hierarchy exists inside the system such as database management systems, computer networks, operating systems, military and government communications, etc.
ABE based solutions
In ABE, access policy is encoded either into the receiver’s secret key (known as Key-Policy Attribute-Based Encryption (KP-ABE)) or into the ciphertext (known as Ciphertext-Policy Attribute-Based Encryption (CP-ABE)). In KP-ABE, assume that
ABE has been incorporated in various forms to provide a secure EHR environment and flexible desired access control [19,28]. For example, [28] focuses on allowing a patient to be able to provide access to their health data based on the attribute (e.g., profession, specialization, location, etc.) of the users and also control what portions of the medical data a patient wants to share. [1] has presented a design and implementation of Electronic Medical Records (EMRs) using attribute based encryption on mobile devices. In [31], the situation where multiple data owners exist is considered and patient’s Personal Health Records (PHR) are encrypted and stored in semi-trusted servers proposing a privacy-preserving multi-authority CP-ABE scheme. Recently to overcome current EHR server limitations two approaches are explored which guarantee the security and flexibility of sharing EHR on the cloud, by proposing a new architecture called Crypt-EHR server which combines attribute based cryptography and CryptDB SQL query-searchable encryption [41].
In [25], a cloud-based EHR management solution is developed to guarantee a secure, encrypted access control and patient data security mechanism. It incorporates a semantically rich, policy based approach using Attribute Based Access Control (ABAC) [24] to contemplate a person’s access and use ABE to encrypt and store the patient EHRs. ABAC is a policy-based access control where policy, by combining different types of attributes (e.g., user attributes, resource attributes, object, environment attributes etc.), grants access rights to users.
To implement secure access control and attribute based encryption, the system extracts the user and EHR field attributes from a knowledge graph that details the roles and attributes of the different stakeholders of the medical organization along with the various relationships between them. [37] presents a secure EHR management system using ABE and Identity-Based Encryption (IBE) to encrypt medical data. IBE [34] is a flexible, public-key based encryption that does not depend on traditional certificate distribution. It can compute the public key of an entity from some general, public parameters and an identity of the entity including e-mail or telephone number. To compute the corresponding private key, Private Key Generator (PKG), a trusted third-party is needed. Once an entity receives its private key from the PKG, the entity may generate its digital signature. This digital signature is verifiable by a recipient and no certificate is needed for this process. This is known as Identity-Based Signature (IBS). Note that [37] used IBS to implement digital signatures, and blockchain technology to ensure integrity, traceability and confidentiality.
Selecting appropriate cryptographic techniques and tools
The security requirements of our proposed EHR management protocol are presented in Section 3.1.2. In designing the proposed protocol we have selected the appropriate cryptographic techniques and the validation method. In the literature, both classical cryptographic techniques (i.e., symmetric or public key based encryption, hash function, etc.) and ABE or variants of ABE (e.g., KP-ABE, CP-ABE, etc.) are widely used. The primary advantage of ABE is fine-grained access control through attributes of the users. Thus, a patient has control over her privacy and she can share a specific health data to a specific or a group of health professional(s). In spite of its different attractive features ABE based protocols are only used in mathematical and theoretical research community but have not experienced the wide scale deployment in day to day applications yet. According to [42], not all ABE based solutions have been implemented and only few of them have up-to-date libraries. On the other hand, classical cryptographic techniques are being used in numerous applications for a longtime. Open-source implementations of these techniques are readily available. Therefore, in our proposed EHR management protocol we used symmetric key based encryption, i.e., a classical cryptographic technique. However, in our design we have also successfully incorporated the attribute-based access control. Note that although [18] has some similarities with our security requirements, they have not presented any detailed protocols or validation model. To the best of our knowledge, this is the first comprehensive work that developed an attribute-based, patient-centric access control using symmetric key encryption.
We congregated research work that is similar to our pursuit of EHR involving AVISPA for validation of security properties. We have mentioned a few including [2,6,13,18,36]. Note that AVISPA has been used by wide variety of protocols in many other study work for validation of security properties [21,22,30]. Therefore, we have also selected AVISPA in validation of the security properties of our protocols.

Proposed EHR management architecture.
A general and very basic EHR management architecture is already shown in Fig. 1. By extending that EHR management architecture we have structured our proposed EHR architecture.
Proposed architecture
The structure of our proposed EHR architecture is given in Fig. 2 depicting that the EHRs are stored centrally in a data store (
Threat model
A threat model is used to identify and express the underlying threats in a security system. In the following we summarize the threats we have anticipated in the proposed EHR management protocol. We have identified the following three areas where the intruder can attempt to attack:
Communication channels: We consider the Dolev-Yao [15] channels for communications. All communication channels are considered to be a part of the public networks (e.g., the Internet). Thus, the communication channels are subjected to be attacked by the intruders. An intruder or attacker can see all the messages transmitted through these channels and has complete control over message transmission. The intruder can intercept, copy and synthesize any message, and his actions are only restricted by the restraints of the cryptographic methods used. Playing role of an entity: In our threat model, the key server ( Strength of cryptographic primitives: The hash and encryption functions being used are considered as secured and thus are not breakable by the intruder.
Security requirements
The proposed protocol has been aimed to maintain the following security requirements (
Proposed protocols
The proposed protocols are composed of two sub-protocols: data store and retrieve protocols. While designing the protocols, our target is to satisfy all the security requirements presented in the earlier section. At the same time, the threat model explained in Section 3.1.1 needs to be mitigated. Figures 3 and 4 show the data store and retrieval protocols, respectively.

The proposed protocol for storing data.

The proposed protocol for data retrieval.
The notations being used is the proposed protocol are shown in Table 1. To express the protocols we have used conventional Alice-Bob notation where,
The notations being used in this proposed protocol
Four entities or principals are involved in this proposed protocol, which are mentioned in the following:
Patient ( Doctor ( Key Server ( Data Store (
Data store protocol
Data store protocol has five messages. In the following we have explained each message of the data storing protocol and how the message ensures the Security Requirements (
Data retrieval protocol
In the following we have explained the messages of the data retrieval protocol along with the Security Requirements (SR) achieved by the messages. Note that data retrieval protocol can only be executed after the successful completion of the data store protocol.
Security model development
We have developed and verified our proposed model using AVISPA tool. The procedure used in the development model, steps with which we conducted the verification, the model and its output is described in details in this chapter. We have developed two separate AVISPA models for data storing and data retrieval protocols.
AVISPA
AVISPA is a specialized model checker for security protocols, used to verify that any proposed protocol is free from security threats. AVISPA does not evaluate the performance of the protocol under differing conditions and stresses that might help to conclude the efficiency or analyze performance of the protocol. AVISPA focuses solely on a protocol to deduce if it is totally secure or not. Ensuring the security of cryptographic protocols is the crucial function. It is a security protocol verification tool using fully automatic processes applying various analysis methods, permitting the user to use different tools for a single protocol modeling. Security protocol designs are further aided with the use of a graphical user interface Security Protocol Animator (SPAN) [16].
Architecture of AVISPA
AVISPA uses modular and expressive formal language to specify a protocol and its security properties. It depends on its back-ends, which use an automatic analytic technique to discover the existence of any flaws. The architecture of AVISPA is shown in Fig. 5. In AVISPA, protocol roles are modeled in the High-Level Protocol Specification Language (

Architecture of the AVISPA tool [4].
Security goal specification
By means of the back-end tools of AVISPA, secrecy and various forms of authentication goals could be validated. AVISPA supports four types of goal predicates:
Secrecy is tested with the help of the goal predicate
Authentication is confirmed using the goal predicates:

Roles of patient (

Roles of key server (

Functions
In the AVISPA model we have developed, there are four agent roles: patient (
HLPSL supports numerous basic data types. In the following, we list the data types that are used in our developed model:
Moreover, we used associative “.” operator for concatenation. The declarations “
These basic roles have been instantiated through the composed role,
Four parallel
AVISPA is able to validate the secrecy of any message component. As we have mentioned in Section 3.1.2, data encryption key (
Here, the labels
Modeling attributes in AVISPA
According to ABE-based authentications, the patient should have provision to select the attributes of the doctor or hospitals, based on which the doctor will be allowed to access the patient’s EHR. While modeling matching of the attributes, we use compound data type
Here, we assume that
Freshness, replay and MitM attacks
AVISPA supports a
Following our threat model, the intruder has been assumed to have the capability to play the roles of the doctor or the patient, but not the roles of the key server and datastore. Therefore, the intruder shares necessary keys (i.e.,
Inside the
To find the existence of any replay attack, we instantiate the first two identical
The intruder is playing the roles of the doctor and the patient in the last two
Model validation and result analysis
We use SPAN (Security Protocol Animator) [16], a graphical tool that provides the message sequence charts (MSC) showing the simulations steps of all messages. Figure 9 shows the protocol simulation of the model we have developed for data storing.

Protocol simulation of the model for data storing.
During protocol simulation no intruder’s role has been added. The sequences of the MSC confirm that the model we have developed is successfully exchanging all messages. AVISPA supports Dolev–Yao channels [15] (denoted by
Using

Validation output of OFMC for data store protocol.
The validation outputs of the two back-ends,

Validation output of CL-AtSe for data store protocol.
We conclude from the outputs that the AVISPA model we have developed is free from the attacks that AVISPA is able to find. Moreover, the
The major contribution of this paper is developing a symmetric key-based EHR management protocol. We have successfully introduced the attribute-based access control in symmetric-key solution for managing the access and data security of EHRs. Our system incorporates symmetric key along with a set of attributes in a unique way to create a new type of encrypted access control over these attributes that identifies which users are allowed to decrypt the encrypted data. Although the protocol we have developed is simple and has not considered many complexities that may arise during deployment in a real-life world, this AVISPA model of symmetric key-based protocol that also adds attributes can be extended to validate other complex EHR management protocols in the future.
The AVISPA model we have developed is only useful for validating security properties. However, it is not useful for performance study or determining how much overhead the security protocols will add. In future, we will focus on a comprehensive performance study with a comparative analysis of existing solutions.
