An authentication and authorization mechanism for long-term electronic health records management

In the past five decades, major improvement on sanitation, new invention on medicines, and novel development on medical technologies had been widely deployed and adopted in modern societies. In consequence, the average lifetime of human being is much longer than it was before. Therefore, to safely establish and manage personal health records for each individual during his/her lifetime within the electronic form has gradually become an interesting topic for individual citizens and social welfare departments; the reason is that a well-maintained health records document of an individual can help doctors and hospitals know important and necessary medical and body conditions of the targeted patient in time before conducting any therapy. In this paper, we proposed an authentication and authorization protocol to manage which organization (usually a hospital) is allowed to have the access right on the long-term historical electronic health records of a targeted individual. By using the proposed scheme, a person can migrate his/her health records to a specific organization along with access right authorization. In our protocol, the cumulatively notarized signature mechanism is introduced to preserve the evidence on the ownership transfer of targeted electronic health records between two organizations. A trusted notary is used to verify the management privilege of involved organizations on those health records of targeted individuals. In addition, we show that the protocol achieves data integrity, non-repudiation for data authorization and data availability.