SmartAccess: Attribute-Based Access Control System for Medical Records Based on Smart Contracts

【Author】 De Oliveira, Marcela Tuler; Reis, Lucio Henrik Amorim; Verginadis, Yiannis; Mattos, Diogo Menezes Ferrazani; Olabarriaga, Silvia Delgado

【Source】IEEE ACCESS

【影响因子】3.476

【Abstract】Cross-organisation data sharing is challenging because all the involved organisations must agree on 'how' and 'why' the data is processed. Due to a lack of transparency, the organisations need to trust that others comply with the agreements and regulations. We propose to exploit blockchain and smart contracts technologies to define an Attribute-Based Access Control System for cross-organisation medical records sharing, coined SmartAccess. SmartAccess offers joint agreement over access policies and dynamic access control besides blockchain transparency and auditability. We leverage the Attribute-Based Access Control model to implement smart contracts. We deploy and test them on a private and permissioned blockchain, transforming the access control process into a distributed smart contract execution. This paper proposes the SmartAccess system and its application in two healthcare use cases. We introduce the threat model and perform a security analysis of the system. To demonstrate the feasibility of our proposal, we implement a proof-of-concept of the smart contracts, written in Solidity language, with a size-efficient policy representation, and analyse the complexity and scalability of the contracts' functions. Furthermore, we present performance results, measuring the latency and throughput of the transactions to execute the access control functions with different blockchain network consensus setups. We also compare the performance of the SmartAccess system against two open-source Solidity implementations of smart contract-based access control, Role-based Access Control and Access Control List. Finally, we discuss the strengths and drawbacks of our proposal. SmartAccess requires the overhead of a decentralised system, but the trade-off is transparency, regulation compliance and auditability for complex cross-organisation data sharing.

【Keywords】Attribute-based access control; blockchain; cross-organisation security; electronic medical records; GDPR; healthcare information system; smart contracts

【发表时间】2022

【收录时间】2022-11-30

【文献类型】实证数据

【主题类别】

区块链应用-实体经济-医疗领域