A health information system (HIS) is a computer program for automating healthcare-related tasks, and it may store personal information. Due to the increasing demand for data sharing between HISs, organizations implement a Health Information Exchange (HIE), which is a larger system for exchanging healthcare data among institutions, providers, and repositories. One approach to implementing HIEs is the adoption of the Service-Oriented Architecture (SOA), a design paradigm which, when followed, provides several benefits such as increased return on investment, increased organizational agility, and reduced IT burden.
One implementation of a SOA-based HIE is the Open Health Information Exchange (OpenHIE). OpenHIE has been proven to work in several countries; however, several security features such as fine-grained access control, security levels in data, and consent management are not implemented. These features can be satisfied through the implementation of an authorization scheme using Ciphertext-Policy Attribute-Based Encryption (CP-ABE). CP-ABE is a mechanism for hiding personal information by encrypting data using attributes such as administrative role, privileges, personal profile, etc.
This work evaluated the viability of CP-ABE as an authorization scheme for SOA-based HIEs such as OpenHIE. Results show that the adoption of CP-ABE will require alterations to the HIE processes that carry out healthcare-related tasks. The results also show that the adoption of CP-ABE will require additional resources to deploy the HIE. These resources include network bandwidth, storage space in servers, and the number of machines/processors. The more attributes and users there are, the more resources are required to finish a transaction in the HIE.