EHR security and privacy: Encountering honest-but-curious attacks through selective multi-level access control policy

Posted on: 2016-09-07
Degree: Ph.D
Type: Dissertation
University: Southern Methodist University
Candidate: Alqudah, Bilal Ibrahim I
Full Text: PDF
GTID: 1478390017978517
Subject: Computer Science
Abstract/Summary:
The expansion of automation, digitalization, and network communication in the health care sector has brought advantages and raised concerns about privacy protection and data security. The knowledge provided by medical and auxiliary data can reveal identity with high accuracy. The value of Electronic Medical Records comes from their content, the amount of personal information they hold, and the impact if they are disclosed to the public. Being identifiable based on non-quasi-identifiers gives an indication of the problem's complexity, where data cannot be contained in one location.

Consequences of releasing medical information could be job loss, increased insurance rates, identity theft, sexual crimes, and discrimination based on health problems. Although hospitals and medical facilities are trustworthy parties, attacks on patients' privacy can come from inside those facilities. Almost 50% of privacy violations came from a person who works inside a hospital [92]. This type of attack can be classified as an honest-but-curious (HBC) attack, where the attacker is an honest person who is authorized to access system resources but could abuse those access rights to learn more information.

The main goal of this research is to provide a framework targeting HBC attackers, whether active or passive, in hospitals as a known context. The framework identifies risk assessment, data segmentation, data sharing, fine-granularity access rights, and patient participation in data protection as factors in a bigger formula for privacy protection.

In risk assessment, the framework provides a process for risk assessment and compliance with regulations and standards, and a method of exchanging compliance results without disclosing the internal policy details. In the area of data sharing, the framework provides a communication protocol to build trust relationships in a healthcare network, where data is exchanged based on a quantified trust association. The exchange process provides the ability to filter patients' private data before sharing according to its sensitivity and the patient's privacy preferences.

In access control policy, the framework provides a novel approach to fine-granularity access control in which access is granted at the segment level rather than the file level. The access control policy provides a solution for mutual access within the same role, granting access rights selectively, and revoking access rights using a compound key structure. We provide various implementations for cryptographic access control and multi-level access control.
Keywords/Search Tags: Access, Privacy, Data, Policy