隨著個人資料保護意識的抬頭，電子病歷等特種個人資料的保護議題也隨之熱絡，電子病歷系統是大量儲存特種個人資料的資訊系統，因此如何保護病歷的機密性、完整性、病患個人隱私及避免醫療糾紛的不可否認性即成為此領域研究的重點。而電子病歷的載體也隨著科技及網路的進步，從單機伺服器、雲端運算到目前熱門的區塊鏈技術。區塊鏈應用除廣為人知的比特幣外，在系統設計上可利用其分散式電子帳本的概念，輔以鏈外檔案儲存功能及確保檔案之完整性，再結合智能合約的設計及儲存於鏈上的中介資料，即可完整建構一去中心化的資料儲存鏈。
在本論文中，我們提出一個應用於區塊鏈之電子病歷系統安全框架，以達成在無中央發卡機構及中央電子病歷交換中心的狀態下，讓加入本框架之醫療機構皆可發行智慧卡，且可利用該卡在非發卡之醫事機構進行身分鑑別並且可順利的進行電子病歷交換。該框架包含以區塊鏈為主的電子病歷鏈架構、鏈下儲存機制、運行於電子病歷鏈上的智能合約、多因子身分鑑別技術及屬性授權機制。利用區塊鏈非實名特性存放中介資料，輔以鏈下儲存機制，可在電子病歷鏈中保護病患隱私；透過智能合約的設計，結合不同醫事機構間資訊的傳遞並可隨時增減加入電子病歷鏈的醫事機構數量；透過多因子身分鑑別機制可確保醫事人員及病患的合法身分；最後利用結合角色的屬性授權技術，將電子病歷鏈分為粗粒度授權及細粒度授權兩階段，讓不同身分的醫事人員讀取不同的電子病歷模組，並增加隱私記號，讓病患自由選擇此份病歷是否可與無相關之專科醫師分享，進一步保護病患的隱私。最後透過急診醫師部分的授權設計，讓失去意識的病患也可透過授權處理讓醫師能及時獲取無意識病患的過往病歷資料，理解病患過往病史，以即時的處理病患。
本安全框架，也經過適當的安全分析，可抵禦常見的威脅，包含：竊聽攻擊、字典及窮舉攻擊、偽造攻擊、重送攻擊、中間人攻擊及離線密碼猜測攻擊等。預期本框架可在無中央控管機構之狀態下，對醫事機構及病患提供更有彈性地的服務，並同時保障病患的隱私及各醫事機構的資料安全控管。

With the conscious awakening of personal information protection, how to protect individuals’ electronic medical records has become a critical issue all over the world. Electronic Medical Record System (EMRS) stores sensitive personal information and medical records of each corresponding individual. Therefore, how to support confidentiality and integrity of medical records stored in an ERMS, protect individual privacy and provide the undeniability in medical disputes have become a very important and interesting research topic. As system architecture of EMRS evolves from Client-Server, Cloud to Blockchain, new generation of EMRS utilizes smart contract, one of blockchain technologies, to construct a decentralized ledger system to store medical transaction metadata and introduces off-chain file storage with data integrity functionality on personal medical files.
In this dissertation, we propose a secure framework for EMRS with blockchain technologies such that all medical institutions, which have joined the proposed EMRS framework, allow a patient to acquire its own EMRs in different medical institutions by using a smart-card-based patient identity card issued by one of the medical institutions. This framework adopts blockchain technology to form EMR chain to record all medical transaction metadata, support off-chain EMR storage mechanism, utilizes smart contracts to perform various operations on the EMR chain and EMRs, provides multi-factor authentication mechanism to identify patients and hospital workers, and offers fine-granularity attribute-based access control scheme for different roles and individuals among medical institutions.
Security analysis was conducted for the proposed secure framework to prove the proposed framework is secure. Major security threats were considered in this analysis: eavesdropping attack, dictionary and exhaustive attack, forgery attack, replay attack, man in the middle attack and offline guessing attack. The proposed framework provides robust data security to medical institutions and patients with a distributed framework architecture and supports the privacy of patients at the same time.

[1] Yasin A., Caner D., Bekir B. K., Ugur Y. and Esra N. Y., “Blockchain Network-based Electrical Vehicle Charging Platform with Multi-Criteria Decision Support System”, 2019 1st International Informatics and Software Engineering Conference (UBMYK), 2019.
[2] Asaph A., Ariel E. Thiago V. and Andrew L., “Medrec: Using Blockchain for Medical Data Access and Permission Management”, 2016 2nd International Conference on Open and Big Data (OBD), 2016.
[3] Balamurugan B., Gnana S. N., Monisha V. and Saranya V., “A Honey Bee Behaviour Inspired Novel Attribute-Based Access Control Using Enhanced Bell-Lapadula Model in Cloud Computing”, International Confernce on Innovation Information in Computing Technologies, 2015.
[4] Valentina C., Aniello C. Kim K. R. C. and Christian E., “Healthcare-Related Data in the Cloud: Challenges and Opportunities”, IEEE Cloud Computing, 3(6): pp. 10-14, 2016.
[5] Byungrae C., Jaehyun S. and Jongwon K., “Design of Attribute-Based Access Control in Cloud Computing Environment”, Proceedings of the International Conference on IT Convergence and Security, 2011.
[6] Shuvra C., Ravi S. and Ram K., “On the Feasibility of Attribute-Based Access Control Policy Mining”, 2019 IEEE 20th International Conference on Information Reuse and Integration for Data Science (IRI), 2019.
[7] Chinling C., Yeonglin L., Chihcheng C. and Yingluen C., “A Smart Card-Based Mobile Secure Transaction System for Medical Treatment Examination Reports”, International Journal of Innovative Computing, Information and Control, 7(5 A): pp. 2257-2267, 2011.
[8] Yuyi C. Junchao Lu and Jinnke J., “A Secure EHR System Based on Hybrid Clouds”, Journal of Medical Systems, 36(5): pp. 3375-3384, 2012.
[9] Xu C., Fulong C., Dong X., Hui S., Cheng H. and Zhuyun Q., “Blockchain-Based Secure Authentication Scheme for Medical Data Sharing”, Singapore: Springer Singapore, 2019.
[10] Shekha C., Khandakar A., Hua W. and Frank W., “Security and Privacy-Preserving Challenges of e-Health Solutions in Cloud Computing”, IEEE Access, 7: pp. 74361-74382, 2019
[11] Konstantinos C. and Michael D., “Blockchains and Smart Contracts for the Internet of Things”, IEEE Access, 4: pp. 2292-2303, 2016
[12] Ed C. and Timothy R., “ABAC and RBAC: Scalable, Flexible, and Auditable Access Management”, IT Professional, (3): pp. 14-16, 2013.
[13] Gaoying C., Yuchen Q. Lin L. and Bin L., “Application of Block Chain in Multi-Level Demand Response Reliable Mechanism”, 2017 3rd International Conference on Information Management (ICIM), 2017.
[14] Ni D., Huaji S., Yuan C. and Jiahu G., “Attribute Based Access Control (ABAC)-Based Cross-Domain Access Control in Service-Oriented Architecture (SOA)”, 2012 International Conference on Computer Science and Service System, 2012.
[15] Daveze N., Dubaele R., Hokayem J., Nussbaum M. and Carvalhasis F., “Block-Chain-Based Personal Data Hosting”, 2018 IEEE 9th International Conference on Software Engineering and Service Science (ICSESS), 2018
[16] David F. and Ravi S., “Role-Based Access Controls”, Proceedings of 15th NIST-NCSC National Computer Security Conference, 1992.
[17] Yvo G. D., “Threshold Cryptography”, European Transactions on Telecommunications, 5(4): pp. 449-458, 1994.
[18] Whitfield D. and Martin E. H., “New Directions in Cryptography”, IEEE Transactions on Information Theory, 22(6): pp. 644-654, 1976.
[19] Sharad D., Karuna P. J. and Seung G. C., “Multi Authority Access Control in a Cloud EHR System with MA-ABE”, 2019 IEEE International Conference on Edge Computing (EDGE), 2019.
[20] Robert H. D., Liora A., Sandy B., Calvin B. Fred M. B. and Ammon S., “HL7 Clinical Document Architecture, Release 2”, Journal of the American Medical Informatics Association, 13(1): pp. 30-39, 2006
[21] Alevtina D., Zhigang X., Samuel R., Michael S. and Fusheng W., “Secure and Trustable Electronic Medical Records Sharing Using Blockchain, AMIA Annual Symposium Proceedings, 2017.
[22] Alevtina D., Zhigang X., Samuel R., Michael S. and Fusheng W., “How Blockchain Could Empower eHealth: An Application for Radiation Ontology, VLDB Workshop on Data Management and Analytics for Medicine and Healthcare, 2017.
[23] Ariel E., Asaph A., John D. H. and Andrew L., “A Case Study for Blockchain in Healthcare: “MedRec” Prototype for Electronic Health Records and Medical Research Data”, Proceedings of IEEE Open and Big Data Conference, 2016.
[24] David F., Ravi S., Serban G., Richard K. D. and Ramaswamy C., “Proposed NIST Standard for Role-Based Access Control”, ACM Transactions on Information and System Security (TISSEC), 4(3): pp. 224-274, 2001
[25] Randike G., Renato I. and Tony S., “Privacy Oriented Access Control for Electronic Health Records”, e-Journal of Health Informatics, 2012.
[26] Hao G., Wanxin L., Mark N. and Chienchung S., “Access Control for Electronic Health Records with Hybrid Blockchain-Edge Architecture”, 2019 IEEE International Conference on Blockchain (Blockchain), 2019.
[27] Rui G., Huixian S., Qinglan Z. and Dong Z., “Secure Attribute-Based Signature Scheme with Multiple Authorities for Blockchain in Electronic Health Records Systems”, IEEE Access 6: pp. 11676-11686, 2018.
[28] John D. H., Gil A., William J. B., Tory C., Kevin A. C., Vikram D., Florence D. H., Manouchehr M., Dennis A. P., Ana R. and Anh L. N., “Top 10 Blockchain Predictions for the (Near) Future of Healthcare”, Blockchain in Healthcare Today, 2019.
[29] Lei H., Eunchang C. and Dohyeun K., “A Novel EMR Integrity Management based on a Medical Blockchain Platform in Hospital. Electronics, 8(4): pp. 467, 2019.
[30] US Department of Health and Human Services, “HIPAA Administrative Simplification Regulation Text”, 2013.
[31] Vincent C. H., David F., Rick K., Alan J. L., Margaret M. C., Adam S., Kenneth S., Robert M. and Karen S., “Guide to Attribute Based Access Control (ABAC) Definition and Considerations”, NIST Special Publication, 800(162), 2013.
[32] Vincent C. H., Richard K. D., David F. and Jeffrey V., “Attribute-Based Access Control”, Computer, 48(2): pp. 85-88, 2015.
[33] Pei H., Linke G., Ming L. and Yuguang F., “Practical Privacy-Preserving ECG-Based Authentication for IoT-Based Healthcare”, IEEE Internet of Things Journal, 6(5): pp. 9200-9210, 2019.
[34] Xin J., Ram K. and Ravi S., “A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC”, IFIP Annual Conference on Data and Applications Security and Privacy, pp. 41-55, 2012.
[35] Gabriel K., Caroline B., Elizaphan M. and Stephen N., “Blockchain Technology: Is This the Solution to EMR Interoperability and Security Issues in Developing Countries”, 2018 IST-Africa Week Conference (IST-Africa), pp. 1-8, 2018.
[36] Samer K., Patrick C. and Dianxiang X., “Model-Based Testing of Obligatory ABAC Systems”, 2018 IEEE International Conference on Software Quality, Reliability and Security (QRS), pp. 405-413, 2018.
[37] Leonard J. K. and Eric J. T., “Unpatients-Why Patients Should Own Their Medical Data”, Nature Biotechnology, 33(9): pp. 921, 2015.
[38] Paul K., Joshua J. and Jenjamin J., “Differential Power Analysis”, 19th Annual International Cryptology Conference Advances in Cryptology-CRYPTO’99, pp. 388-397, 1999.
[39] Kolvart M., Margus P. and Addi R., “Smart Contracts”, The Future of Law and eTechnologies, pp. 133-147, 2016.
[40] Kumar K. P., Prakash K. K., Prem K. R. and Sinega S., “A Survey on Secure Data Access Control in E-HealthCare Monitoring System”, International Journal of Pure and Applied Mathematics, 118(20): pp. 2225-2229, 2018.
[41] Kumar K. P., Kanishka B. u., Mythili J. and Mythilimeena D., “A Survey on Secure Medical Care Authentication in Cloud”, International Journal of Pure and Applied Mathematics, 118(20): pp. 2221-2224, 2018.
[42] Tsungting K., Hyeoneui K., and Lucila O., “Blockchain Distributed Ledger Technologies for Biomedical and Health Care Applications”, Journal of the American Medical Informatics Association, 24(6): pp. 1211-1220, 2017
[43] Wenjin L., Yidong L., Yingpeng S. and Hong S., “A Secure Anonymous Authentication Scheme for Electronic Medical Records Systems”, 2016 IEEE 13th International Conference on e-Business Engineering (ICEBE), pp. 48-55, 2016.
[44] Michael L., “Electronic Medical Records: Confidentiality, Care, and Epidemiology”, IEEE Security and Privacy, 11(6): pp. 19-24, 2013.
[45] Xueping L., Juan Z., Sachin S., Jihong L. and Danyi L., “Integrating Blockchain for Data Sharing and Collaboration in Mobile Healthcare Applications”, 2017 IEEE 28th Annual International Symposium on Personal, Indoor, and Mobile Radio Communications (PIMRC), pp.1-5, 2017.
[46] Jingwei L., Xiaolu L., Lin Y., Hongli Z., Xiaojiang D. and Mohsen G., “BPDS: A Blockchain Based Privacy-Preserving Data Sharing for Electronic Medical Records”, 2018 IEEE Global Communications Conference (GLOBECOM), pp. 1-6, 2018.
[47] Meiping L., Cheng Y. and Yana Z., “Secure and Efficient Attribute-Based Access Control Optimization Scheme for EMR System”, DEStech Transactions on Computer Science and Engineering, 2020.
[48] Paul T. S. L., “Medical Record System Using Blockchain, Big Data and Tokenization”, International conference on information and communications security, 2016.
[49] Liu, S. and S. He., Application of block chaining technology in finance and accounting field, 2019 International Conference on Intelligent Transportation, Big Data & Smart City (ICITBS), pp. 254-261, 2019.
[50] Wei L., Zhu S. S., Mundie T. and Krieger U., “Advanced Block-Chain Architecture for e-Health Systems”, 2017 IEEE 19th International Conference on e-Health Networking, Applications and Services (Healthcom), pp. 1-6, 2017.
[51] Jim L. and Mengda H., “ABAC Requirements Engineering for Database Applications”, 2019 International Symposium on Theoretical Aspects of Software Engineering (TASE), pp. 33-40, 2019.
[52] Gabor M., “Blockchain: Solving the Privacy and Research Availability Tradeoff for EHR data: A New Disruptive Technology in Health Data Management”, 2017 IEEE 30th Neumann Colloquium (NC), pp. 135-140, 2017.
[53] Quazi M. and Muhammad R., “A Robust Authentication Model Using Multi-Channel Communication for eHealth Systems to Enhance Privacy and Security”, 2017 8th IEEE Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), pp. 255-260, 2017.
[54] Manoj R., Abeer A., Prasad P. W. C., Nectar C. and Salih A., “Hybrid Secure and Scalable Electronic Health Record Sharing in Hybrid Cloud”, 2017 5th IEEE International Conference on Mobile Cloud Computing, Services, and Engineering (MobileCloud), pp. 185-190, 2017.
[55] Messerges T. S., Dabbish E. A. and Sloan R. H., “Examining Smart-Card Security Under the Threat of Power Analysis Attacks”, IEEE Transactions on Computers, 51(5): pp. 541-552, 2002.
[56] Matthias M., “Blockchain Technology in Healthcare: The Revolution Starts Here”, 2016 IEEE 18th International Conference on e-Health Networking, Applications and Services (Healthcom), pp. 1-3, 2016.
[57] Tiantian M., Jian S., Xin J. and Jinfeng L., “Fine-Grained and Efficient Access Control in E-health Environment”, Journal of Internet Technology, 20(7): pp. 2169-2176, 2019.
[58] Satoshi N., “Bitcoin, A Peer-to-Peer Electronic Cash System”, Bitcoin – URL: https://bitcoin.org/bitcoin.pdf, 2008.
[59] Mitsuaki N., “Information Sharing for Supply Chain management Based on Block Chain Technology”, 2017 IEEE 19th Conference on Business Informatics (CBI), pp. 140-149, 2017.
[60] Michael N., Gomber P., Hinz O. and Schiereck D., “Blockchain”, Business & Information Systems Engineering, 59(3): pp. 183-187, 2017.
[61] Marcela T. O., Lucio H. A., Ricardo C. C., Flavio L. S., Debora C. M., Celio V. A., Natalia C. F., Silvia D. O., Dianne S. V. M. and Diogo M. F. M., “Towards a Blockchain-Based Secure Electronic Medical Record for Healthcare Applications”, ICC 2019 - 2019 IEEE International Conference on Communications (ICC), pp. 1-6, 2019.
[62] Jayanta K. P. and Mandal J. K., “A Random Block Length Based Cryptosystem Through Multiple Cascaded Permutation-Combinations and Chaining of Blocks”, 2009 International Conference on Industrial and Information Systems (ICIIS), pp. 26-31, 2009.
[63] Choonsik P. and Kaoru K., “New Eigamal Type Threshold Digital Signature Scheme”, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 79(1): pp. 86-93, 1996.
[64] Harsha S. G. P. and Vladimir A. O., “Blockchain Based Delegatable Access Control Scheme for a Collaborative E-Health Environment”, 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), pp. 1204-1211, 2018.
[65] Vidhya R., Tanesh K., An B., Madhusanka L. and Mika Y., “Secure and Efficient Data Accessibility in Blockchain Based Healthcare Systems”, 2018 IEEE Global Communications Conference (GLOBECOM), pp. 206-212, 2018.
[66] Khaled R., Zhu Y., Hongxin H. and Gailjoon A., “AR-ABAC: A New Attribute Based Access Control Model Supporting Attribute-Rules for Cloud Computing”, 2015 IEEE Conference on Collaboration and Internet Computing (CIC), pp. 28-35, 2015.
[67] Ronald L. R., Adi S. and Leonard M. A., “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, Communications of the ACM, 21(2): pp. 120-126, 1978.
[68] Alex R., Cristiano A. D. C., Rodrigo D. R. R., Valter F. D. S., Jose R. G. and Douglas C. S., “Analyzing the Performance of a Blockchain-Based Personal Health Record Implementation, Journal of Biomedical Informatics, 9(2): pp. 103-140, 2019.
[69] Ravi S., Edward J. C., Feinstiein H. L. and Youman C. E., “Role-Based Access Control Models, Computer, 29(2): pp. 38-47, 1996.
[70] Bingqing S., Jingzhi G. and Yilong Y., “MedChain: Efficient Healthcare Data Sharing via Blockchain”, Applied Sciences, 9(6): pp. 1207-1230, 2019.
[71] Varun S., Arpit M. and Anchal Y., “An Authenticated and Secure Electronic Health Record System”, 2019 IEEE Conference on Information and Communication Technology, pp. 1-5, 2019.
[72] Ashish S., Umesh C., Shivesh K. and Kakali C., “A Secure Access Control Model for E-health Cloud”, TENCON 2019 IEEE Region 10 Conference (TENCON), pp. 2329-2334, 2019.
[73] Ashish S. and Kakali C., “Trust Based Access Control Model for Securing Electronic Healthcare System”, Journal of Ambient Intelligence and Humanized Computing, 10(11): pp. 4547-4565, 2019.
[74] Kritika S. and Suresh K., “Comparison of RBAC and ABAC Security Models for Private Cloud”, 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon), pp. 584-587, 2019.
[75] Melanie S., “Blockchain: Blueprint for A New Economy”, O'Reilly Media Inc, 2015.
[76] Pinyaphat T. and Chian T., “User Authentication Algorithm with Role-Based Access Control for Electronic Health Systems to Prevent Abuse of Patient Privacy”, 2017 3rd IEEE International Conference on Computer and Communications (ICCC), pp. 1019-1124, 2017.
[77] Bhavesh T., Prashanth P., Ravula J. R. and Kotaro K., “PACEX: PAtient-Centric EMR eXchange in Healthcare Systems Using Blockchain”, 2019 IEEE 10th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), pp. 954-960, 2019.
[78] Tzuwei T., Chengyi Y. and Chientsai L., “Designing Privacy Information Protection of Electronic Medical Records”, 2016 International Conference on Computational Science and Computational Intelligence (CSCI), pp. 75-80, 2016.
[79] Yong W., Yuan M., Keyu X., Zhenyan L. and Ming L., “A Role-Based Access Control System Using Attribute-Based Encryption”, 2018 International Conference on Big Data and Artificial Intelligence (BDAI), pp. 128-133, 2018.
[80] Zhe X., Zengxiang L., Yong L., Ling F., Weiwen Z., Thanarit L. and Rick S. M. G., “EMRShare: A Cross-Organizational Medical Data Sharing and Management Framework Using Permissioned Blockchain”, 2018 IEEE 24th International Conference on Parallel and Distributed Systems (ICPADS), pp. 998-1003, 2018.
[81] Yilong Y., Xiaoshan L., Peng L., Wei K., Bingqing S. and Zhiming L., “Medshare: A Novel Hybrid Cloud for Medical Resource Sharing Among Autonomous Healthcare Providers”, IEEE Access, 6, pp. 46949-46961, 2018.
[82] Kuohui Y., Naiwei L., Tzongchen W., Tachih Y. and Horngtwu L., “Analysis of An eHealth Care System with Smart Card based Authentication”, 2012 Seventh Asia Joint Conference on Information Security, pp. 59-61, 2012.
[83] Xiao Y., Huiju W., Dawei J., Mingqiang L. and Wei J., “Healthcare Data Gateways: Found Healthcare Intelligence on Blockchain with Novel Privacy Risk Control”, Journal of Medical Systems, 40(10): pp. 218-225, 2016.
[84] Jie Z., Nian X. and Xin H., “A Secure System for Pervasive Social Network-Based Healthcare, IEEE Access, 4, pp. 9239-9250, 2016.
[85] Xiaoshuai Z. and Stefan P., “Blockchain Support for Flexible Queries with Granular Access Control to Electronic Medical Records (EMR)”, 2018 IEEE International Conference on Communications (ICC), pp. 1-6, 2018.
[86] Xiaoshuai Z., Stefan P. and Zixiang M., “Block-Based Access Control for Blockchain-Based Electronic Medical Records (EMRs) Query in eHealth”, 2018 IEEE Global Communications Conference (GLOBECOM), pp. 1-7, 2018.
[87] Zibin Z., Shaoan X., Hongning D., Xiangping C. and Huaimin W., “An Overview of Blockchain Technology: Architecture, Consensus, and Future Trends”, 2017 IEEE International Congress on Big Data (BigData Congress), pp. 557-564, 2017.
[88] Zibin Z., Shaoan X., Hongning D., Xiangping C. and Huaimin W., “Blockchain Challenges and Opportunities: A Survey”, International Journal of Web and Grid Services, 14(4): pp. 352-375, 2018.
[89] Guy Z., Oz N. and Alex S. P., “Decentralizing Privacy: Using Blockchain to Protect Personal Data”, 2015 IEEE Security and Privacy Workshops, pp. 180-184, 2015.
[90] 潘天佑，資訊安全概論與實務 (第三版)，基峰資訊股份有限公司，2012。
[91] 賴溪松、韓亮、張真誠，近代密碼學及其應用，旗標出版股份有限公司，2003。
[92] 黃明祥、林詠章，資訊與網路安全概論，2017。