Lightweight Break-Glass Access Control System for Healthcare internet-of-Things

Healthcare Internet-of-things (IoT) has been proposed as a promising means to greatly improve the efficiency and quality of patient care. Medical devices in healthcare IoT measure patients' vital signs and aggregate these data into medical files which are uploaded to the cloud for storage and accessed by healthcare workers. To protect patients' privacy, encryption is normally used to enforce access control of medical files by authorized parties while preventing unauthorized access. In healthcare, it is crucial to enable timely access of patient files in emergency situations. In this paper, we propose a lightweight break-glass access control (LiBAC) system that supports two ways for accessing encrypted medical files: attribute-based access and break-glass access. In normal situations, a medical worker with an attribute set satisfying the access policy of a medical file can decrypt and access the data. In emergent situations, the break-glass access mechanism bypasses the access policy of the medical file to allow timely access to the data by emergency medical care or rescue workers. LiBAC is lightweight since very few calculations are executed by devices in the healthcare IoT network, and the storage and transmission overheads are low. LiBAC is formally proved secure in the standard model and extensive experiments are conducted to demonstrate its efficiency.