Vol. 3 No. 1 (2023): Hong Kong Journal of AI and Medicine

Enhancing Healthcare Data Security and User Convenience: An Exploration of Integrated Single Sign-On (SSO) and OAuth for Secure Patient Data Access within AWS GovCloud Environments

Ashok Kumar Reddy Sadhu
Software Engineer, Deloitte, Dallas, Texas, USA

Published 24-06-2023

Keywords

  • Healthcare Data Security
  • Single Sign-On (SSO)
  • OAuth
  • Cloud Security
  • AWS GovCloud
  • HIPAA Compliance
  • Patient Privacy
  • User Experience
  • Access Control
  • Authorization

How to Cite

[1]
A. Kumar Reddy Sadhu, “Enhancing Healthcare Data Security and User Convenience: An Exploration of Integrated Single Sign-On (SSO) and OAuth for Secure Patient Data Access within AWS GovCloud Environments”, Hong Kong J. of AI and Med., vol. 3, no. 1, pp. 100–116, Jun. 2023, Accessed: Sep. 16, 2024. [Online]. Available: https://hongkongscipub.com/index.php/hkjaim/article/view/23

Abstract

The ever-increasing adoption of cloud-based healthcare applications necessitates robust security measures to ensure the confidentiality, integrity, and availability of sensitive patient data. This research paper delves into the integration of Single Sign-On (SSO) and OAuth protocols to bolster secure and seamless patient data access within healthcare applications hosted on the secure AWS GovCloud platform.

The healthcare industry faces a unique challenge: balancing the need for efficient access to patient data for improved care delivery with the paramount obligation to safeguard patient privacy. Traditional authentication methods involving individual login credentials for each application pose security risks and hinder user experience.

This paper proposes an integrated SSO and OAuth framework specifically tailored for healthcare applications hosted on AWS GovCloud. SSO centralizes user authentication, enabling a single login process to grant access to authorized applications within the healthcare ecosystem. OAuth, an authorization framework, manages delegated access to patient data, ensuring granular control over what data is shared and with whom.

AWS GovCloud offers a secure and compliant cloud environment specifically designed for government agencies and healthcare institutions subject to stringent regulatory requirements like HIPAA (Health Insurance Portability and Accountability Act). By leveraging AWS GovCloud's robust security infrastructure and compliance certifications, healthcare organizations can confidently deploy their applications while adhering to data privacy regulations.

The proposed framework utilizes a centralized identity provider (IdP) within the healthcare organization's network. This IdP serves as the single point of authentication for users accessing healthcare applications. Upon successful authentication with the IdP, SSO leverages protocols like SAML (Security Assertion Markup Language) to securely exchange user credentials with the target application hosted on AWS GovCloud.

Next, OAuth takes center stage. The healthcare application acts as a resource server, while the centralized IdP functions as an authorization server. When a user attempts to access specific patient data within the application, OAuth facilitates a secure authorization flow. The user explicitly consents to the application's request for access to specific data elements within the patient's electronic health record (EHR).

This integrated approach offers several security advantages. Firstly, by eliminating the need for multiple login credentials, the risk of password fatigue and brute-force attacks diminishes significantly. Additionally, centralized user management within the IdP allows for robust access control policies, ensuring only authorized healthcare personnel can access patient data based on their roles and responsibilities.

Furthermore, OAuth's granular access control ensures that applications only access the specific data elements required for a particular task. This minimizes the exposed data footprint, reducing the potential impact of a security breach. Finally, leveraging AWS GovCloud's built-in security features further strengthens the overall security posture of the healthcare data ecosystem.

Patient privacy remains paramount. The proposed framework incorporates robust consent management mechanisms within the OAuth flow. Patients retain complete control over what data is shared and with whom. Additionally, fine-grained access control policies within the IdP further ensure that only authorized personnel can access specific patient data elements based on the principle of least privilege.
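
One way a resource server could enforce the scope-limited, consent-bound data release described above, writing an audit entry for every decision. This is an added example, not code from the paper: the scope names, the `patient` claim and the sample record are assumptions, and token signature, issuer and audience checks are assumed to have happened upstream.

```python
import json
import time

# Hypothetical scope names mapped to the EHR fields each one unlocks.
SCOPE_FIELDS = {
    "ehr.demographics.read": {"name", "date_of_birth"},
    "ehr.medications.read": {"medications"},
    "ehr.labs.read": {"lab_results"},
}
# Constructed sample record; not real patient data.
EHR = {"p-1001": {
    "name": "Test Patient",
    "date_of_birth": "1970-01-01",
    "medications": ["drug-a 10mg"],
    "lab_results": [{"test": "HbA1c", "value": 6.1}],
}}
AUDIT_LOG = []  # stand-in for an append-only audit sink


def release_record(claims, patient_id, now=None):
    # `claims` is assumed to come from an access token whose signature,
    # issuer and audience were already verified upstream.
    now = time.time() if now is None else now
    granted = claims.get("scope", "").split()  # space-delimited (RFC 6749)
    allowed = set()
    for scope in granted:
        allowed |= SCOPE_FIELDS.get(scope, set())  # unknown scopes grant nothing

    fields = {}
    if claims.get("exp", 0) <= now:
        decision = "deny:expired"
    elif claims.get("patient") != patient_id:  # assumed consent-binding claim
        decision = "deny:patient_mismatch"
    elif patient_id not in EHR or not allowed:
        decision = "deny:no_access"
    else:
        decision = "allow"
        fields = {k: v for k, v in EHR[patient_id].items() if k in allowed}

    # Audit every decision, denials included; log field names, never values.
    AUDIT_LOG.append(json.dumps({
        "ts": int(now), "sub": claims.get("sub"),
        "client": claims.get("client_id"), "patient": patient_id,
        "decision": decision, "fields": sorted(fields),
    }))
    return decision, fields
```

A token carrying only `ehr.medications.read` for patient `p-1001` yields the medication list and nothing else; the same token presented for another patient, or after expiry, is denied and the denial is still logged.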

The proposed framework adheres to stringent healthcare data privacy regulations like HIPAA. By utilizing a centralized IdP for authentication and managing user access through granular consent and authorization policies, the framework ensures compliance with relevant regulations. Additionally, deploying applications on AWS GovCloud strengthens the overall compliance posture by leveraging a pre-vetted cloud environment that meets the specific needs of the healthcare industry.

The integrated SSO and OAuth framework streamlines the user experience for healthcare personnel. By eliminating the need to manage multiple login credentials, clinicians and other authorized users can access essential patient data quickly and efficiently. This reduces cognitive burden and allows them to dedicate more time to patient care activities.

Implementing the proposed framework necessitates careful consideration of several technical challenges. Integrating disparate healthcare applications with the SSO and OAuth framework may require the development of custom APIs (Application Programming Interfaces). Additionally, ensuring robust logging and auditing capabilities to track user access and data activity is crucial.

This research lays the groundwork for further exploration. Future investigations could delve into the integration of advanced security protocols like multi-factor authentication (MFA) to further enhance access control. Additionally, research on leveraging emerging technologies like blockchain for secure data provenance and audit trails could be explored within the context of this framework.

