J Med Syst (2013) 37:9992 DOI 10.1007/s10916-013-9992-x

ORIGINAL PAPER

Privacy Preserving Index for Encrypted Electronic Medical Records Yu-Chi Chen · Gwoboa Horng · Yi-Jheng Lin · Kuo-Chang Chen

Received: 18 July 2013 / Accepted: 9 October 2013 / Published online: 26 October 2013 © Springer Science+Business Media New York 2013

Abstract With the development of electronic systems, privacy has become an important security issue in real-life. In medical systems, privacy of patients’ electronic medical records (EMRs) must be fully protected. However, to combine the efficiency and privacy, privacy preserving index is introduced to preserve the privacy, where the EMR can be efficiently accessed by this patient or specific doctor. In the literature, Goh first proposed a secure index scheme with keyword search over encrypted data based on a well-known primitive, Bloom filter. In this paper, we propose a new privacy preserving index scheme, called position index (Pindex), with keyword search over the encrypted data. The proposed index scheme is semantically secure against the adaptive chosen keyword attack, and it also provides flexible space, lower false positive rate, and search privacy. Moreover, it does not rely on pairing, a complicate computation, and thus can search over encrypted electronic medical records from the cloud server efficiently. Keywords Privacy preserving index · Electronic medical record · Keyword search · Privacy · Security

Introduction The security and privacy of electronic medical records (EMRs) have been drawn attention, because now medical systems usually adopt cloud services. Users can acquire services or aids from clouds. However, privacy protection of

Y.-C. Chen () · G. Horng · Y.-J. Lin · K.-C. Chen Department of Computer Science and Engineering, National Chung Hsing University, Taichung, Taiwan e-mail: [email protected]

personal sensitive information is a major security issue during communications, and EMRs as well. The private data in the open network server should be accessed by the owner at anytime. Furthermore, we would like that attackers cannot obtain any useful information from private data. There are many ways to protect privacy of data, for instance, depending on encryption algorithm. A user stores encrypted data in the open server, and retrieves all the encrypted data through network when he needs. Whenever the user needs a segment of those data, he retrieves all the encrypted data, and then picks needed ones. This method is secure against the hostile server or attackers, but it is quite inefficient. The large amount of data transmission is not afforded, since the user might owns weak devices in cloud computing. A new method to get rid off unnecessary data transformation is essential. Keyword search over encrypted data is presented to overcome this problem, which is also referred to as Keyword-Searchable Encryption. Nowadays, the file storage system is a common application as well as a cloud storage; for example, iCloud and Dropbox. For different purposes, multiform secure cloud services have been proposed [1–4]. However, for keywordsearchable encryption, the file server is defined as an honest-but-curious server [5–9], which means the server responds any users’ request correctly but it wants to infer the content of those data. Keyword-searchable encryption is appropriate in this system. The user is able to encrypt his data using any encryption such as DES or AES, and then attaches the searchable ciphertext which is generated by using keyword-searchable encryption. When the user needs his data, he only computes the trapdoor of keywords and send it to the server. Finally, the server tests and looks for searchable ciphertexts which correspond to the trapdoor, but it can not get any significant information from the results of search or trapdoor.

9992, Page 2 of 7

J Med Syst (2013) 37:9992

Related work The first notion, proposed by Song et al. [9], allows the user to set up individual trapdoor to search encrypted data. Song et al.’s scheme is based on the hash function, and they presented the security requirements. Since then, lots of searchable encryption schemes are more powerful using fields as tags to achieve multikeywords search [6–8] and improve the efficiency. Moreover, searchable public key encryption schemes [10–15] are practically used in the email system. There are plenty of studies have been proposed to discuss security and efficiency [16, 17]. However, most of schemes are based on pairing, a kind of complicated computation. Goh [18] proposed an index called Z-index based on Bloom filter without pairing.

The system is a centralized system and developed to deal with the state of the patient at all times [22]. It eliminates data replication since there is only one modifiable file in the storage server. Due to all the patient information storing in a single file, extracting and accessing medical data are quite effective and efficient for the examination of possible trends and long term changes. The well known standard of EMRs is HL7. For the security purpose, we would like the EMRs are accessed by the eligible doctors or hospitals. Therefore the privacy becomes an important issue in the EMRs [23]. In this paper, we consider this issue to propose a privacy preserving index for EMRs based on keyword-searchable encryption. In the proposed scheme, the eligible party is able to access EMRs securely.

Contributions In this paper, we propose an efficient secure index scheme to realize the keyword-searchable encryption to support keyword search over encrypted data. Because of pairing-freeness, our scheme is more applicable to cloud storage. We also give the formal security proof to analyze that this scheme is semantically secure against the adaptive chosen keyword attack. The rest of the paper is organized as follows. Preliminaries about the relevant research, and the assumptions are depicted in section “Preliminaries”. Then, we briefly review Goh’s scheme [18] in section “Review of Goh’s secure index scheme”. The proposed P-index and its security analysis are presented in section “Position index scheme (P-index)”. Finally, we conclude this paper in section “Conclusions”.

Framework of keyword-searchable encryption with secure index In a keyword-searchable encryption scheme, an encrypted document with secure index must follow the format: [EK (M), id, Iid ], where E is a secure symmetric encryption1 , K is the key, M is the plaintext of the document, the identity of document is denoted by id, and Iid is the secure index. Here, M could be the EMR. Definition 1 A searchable encryption scheme with secure index consists of following polynomial algorithms: – –

Preliminaries We will briefly present EMRs and the framework and security model of the secure index in section “Electronic medical record (EMR)”, “Framework of keyword-searchable encryption with secure index” and “Security model of secure index” respectively and then the hardness assumption is given in section “Hardness assumption”.

–

–

KeyGen. This algorithm sets the public parameters and

the user’s key. Trapdoor. This algorithm, run by the user, takes the keyword w and key K as input, then returns the trapdoor T which is used to search. BuildIndex. This algorithm, run by the user, takes the keyword w, the identity of the document Did and key K as input, then returns the secure index Iid . SearchIndex. The server performs the algorithm to take the trapdoor T and secure index Iid as input. Finally, it outputs 1 if it finds Iid corresponding to T ; otherwise, outputs 0.

Electronic medical record (EMR) Security model of secure index An electronic medical record is a notion providing a system to manage electronic medical or health information for individual patients [19–21]. The EMR is a digital record that can be shared across different health care settings. With networks, different hospitals can conveniently access the EMRs if needed. In addition, the EMRs are designed instead of the paperwork records. In practice, EHRs include a range of data of patients, including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal statistics like age and weight, and billing information.

For proving the security, we have to consider the possible adversary’s behaviors. Usually, we adopt the security game to simulate the adaptive chosen keyword attack [18]. Formally, there are two roles in the game: one is the adversary A, and the other is challenger C . C must reply A’s queries, and finally will use A’s output to break a hard problem. 1E

is outside the scope of discussing keyword-searchable encryption. It is assumed to be a secure encryption algorithm. For more details, we can refer to [12, 18].

J Med Syst (2013) 37:9992

The interaction between A and C is modelled by the following game as follows: 1.

2.

3.

4. 5.

A adaptively queries trapdoor and secure index of keywords W = [w1 , ..., wm ] with corresponding identity of the document. When A wants to challenge, it generates set W  =  ] and a keyword pair (w , w ) to C , where [w1 , ..., wm 0 1 w0 , w1 ∈ / W  , and both of them are not queried for the trapdoor. C randomly chooses b −→ {0, 1} and takes the keyword wb into the document W  . Finally, C generates the index of keywords W  +{wb }, and then returns Ib to A. A can keep on querying the index and trapdoor with a restriction that A cannot ask for keywords w0 , w1 . Eventually, A outputs a value b .

We define that A wins this game if and only if b = b , while the adversary A has  an -advantage to win such that the advantage is AdvA 1k = |P r[bA = b] − 1/2| > . Therefore, the secure index is said to be indistinguishable against the adaptive chosen keyword attack (IND-CKA) if  is negligible.

Page 3 of 7, 9992

(1)

(2)

f (x, k) denotes fk (x) that can be efficiently computed and take x ∈ {0, 1}n and key k ∈ {0, 1}s as input. There exists Algorithm A queries to f function with most t times. If A guesses f is a Pseudorandom Function, then outputs 1; Otherwise, outputs 0. A’s advantage is denoted by       P r Af (.,k) = 1 − P r Ag = 1  < f where g is Random Function.

Pseudorandom permutation function Pseudorandom Permutation Function is 1-to-1 and randomly one-way function, would is collision resistance. If  : {0, 1}u × {0, 1}s −→ {0, 1}u is p -pseudorandompermutation with the following properties: (1)

(2)

Hardness assumption There are a few hardness assumptions described as follows. They are used to prove the security of our secure index in this paper.

(x, k) denotes k (x) that can be efficiently computed and take x ∈ {0, 1}u and key k ∈ {0, 1}s as input. There exists Algorithm A queries to  function with most t time. If A guesses  is a Pseudorandom Permutation Function, then outputs 1; Otherwise, outputs 0. A’s advantage is denoted by        P r A(.,k) = 1 − P r AE(.) = 1  < p where E is Random Permutation Function.

Pseudorandom generator Pseudorandom Generator is randomly one-way function, and it applies in stream cipher. If G : {0, 1}n −→ {0, 1}∗ is g -pseudorandom-generator with the following properties: (1)

(2)

G is a deterministic algorithm which can efficiently compute and input s ∈ {0, 1}n, then output G(s) ∈ {0, 1}∗ . There exists Algorithm A to query to G function with most t times. If A guesses G is a Pseudorandom Generator Function, then outputs 1; Otherwise, outputs 0. A’s advantage is denoted by        P r AG(s) = 1 − P r AR = 1  < g where R is a real Random Generator.

Pseudorandom function Pseudorandom Function is randomly one-way function. (i.e. input and output pair as (x1 , f (x1 , k)), (x2 , f (x2 , k)), ..., (xm , f (xm , k))), then no adversary can predict f (xm+1 , k) from xm+1 . If f : {0, 1}n × {0, 1}s −→ {0, 1}p is f -pseudorandom-function with the following properties:

Review of Goh’s secure index scheme Goh’s Z-index scheme is composed of the following algorithms: –

–

–

KeyGen(l, t): Given security parameter l and a num-

ber t, then generates a pseudorandom function f : {0, 1}k {0, 1}∗ → {0, 1}p and t independent hash functions hi : {0, 1}∗ → Z∗m−1 for all i, 1 ≤ i ≤ t. Finally, it returns the user’s key Kpriv . Trapdoor(w, Kpriv ): This algorithm takes the keyword w and key set Kpriv = [k1 , ..., kt ] as input, then computes the trapdoor T = [x1 , ..., xt ] and delivers to the server where xi = fki (w) for all i, 1 ≤ i ≤ t. BuildIndex(W, Kpriv ): This algorithm takes keyword set W = [w1 , ..., wn ] and key Kpriv = [k1 , ..., kt ] as input, where n is the number of keywords. It builds the index works as follows: (1)

For each keyword wi for 1 ≤ i ≤ n as input, this algorithm first performs Trapdoor(wi , Kpriv ) to obtain the trapdoor Ti = (x1 = fk1 (wi ), ..., xt = fkt (wi ))

9992, Page 4 of 7

(2)

(3) (4)

–

It takes x1 , ..., xt and the identity of document id as input for pseudorandom function to generate codeword y1 = fid (x1 ), ..., yt = fid (xt ). It takes the codeword y1 , ..., yt as input for hash function h1 ht to get h1 (y1 ), ..., ht (yt ). Given an array d which all bits initially are ‘0’. As Bloom Filter [24], it sets that the correspond positions h1 (y1 ), ..., ht (yt ) in array d modify to ‘1’ for total (n∗t) hash value. Building secure index Iid is completed as Fig. 1.

SearchIndex(Iid , T ): The server receives the trapdoor

T , and then this algorithm works as follows: (1)

(2)

This algorithm takes T and the identity of document id as input to compute the codeword y1 = fid (x1 ), ..., yt = fid (xt ). It takes y1 = fid (x1 ), ..., yt = fid (xt ) as input to obtain the hash values h1 (y1 ), ..., ht (yt ). It then checks positions in the array s which is based on these t values as t positions. All t positions are 1, which is denoted that the keyword w is in the document with identity id. The server returns the corresponding encrypted document to the user.

The Z-index scheme has following advantages. The time complexity of each document is O(1) for search via hash function. By the identity of document to compute codeword causes one keyword in different documents mapping to different values. Indices and encrypted documents are independent, which supports any secure symmetric encryption for documents. Indeed, the Z-index also has some disadvantage. To use Bloom filter exists the collision problem, it incurs false positive, i.e. a keyword sj is not in the set S, but by Bloom filter to check sj that is in S as showed in Fig. 2. In Goh’s Z-index, the size of the Bloom filter in array d is m bits and the false positive rate is (1/2)r , the relation is m = n ∗r/ ln 2, where n is the total number of all keywords in the all documents. n makes the index space become very large for frequent uploading new indices, since Bloom filter

J Med Syst (2013) 37:9992

Fig. 2 An example of false positive in Goh’s scheme

must provide sufficient space such as (n ∗ t) to resist the collision.

Position index scheme (P-index) In this section, we propose an efficient secure index scheme named position index (P-index, for short); moreover, we also give the security analysis of P-index. A new construction The proposed P-index scheme is a new construction composing with four algorithms as before.   – KeyGen 1l : This algorithm takes security parameter 1l to generate the secret key k ∈ {0, 1}l for the user. It decides , G, and h, where  : {0, 1}l × {0, 1}∗ → {0, 1}r is the pseudorandom permutation function, G : {0, 1}r → {0, 1}∗ is the pseudorandom generator, and h : {0, 1}∗ → {0, 1}lg n is the hash function. – Trapdoor(w, k): Takeing the keyword w and the user’s secret key k as input, the algorithm outputs the trapdoor Tw where Tw = k (w). – BuildIndex(id, W, k): Given the identity of the document id, keyword set W = {w1 , ..., wn}, and the secret key k, the algorithm generates the index Iid via the following steps: (Fig. 3 shows an example of P-index.) (1)

(2)

(3)

Fig. 1 Goh’s secure index

The algorithm takes each keyword wi from set W to get the trapdoors T1 , ..., Tn where Ti = k (wi ). It takes id and T1 , ..., Tn as input, and then computes xi = id (Ti ) and keyi =< Di , Si,1, Si,2 > for all i, 1 ≤ i ≤ n where Di , Si−1, Si−2 ∈ {0, 1}r are generated by G(Ti ⊕ id). It returns x1 , ..., xn and key1 , ..., keyn as the codewords. It builds an array d with n elements and an array s with 2n elements, whereas the length of an element is r bits. It sets y1 , ..., yn where yi = h(xi ) as a pointer and randomly and

J Med Syst (2013) 37:9992

Page 5 of 7, 9992

Correctness proof.  pi,1 = (pi,1 ⊕ Di ) ⊕ Di , in yth position of Array d.

 pi,2 = (pi,2 ⊕ Si,1 ) ⊕ Si,1 , in pi,1 th position of Array s.  ⊕ Si,2 ) ⊕ Si,2 , in pi,2 th position of Array s. pi,1 = (pi,1

According to Fig. 3, we give an example. Assume the key 1 is < D1,1 , S1,1, S1,2 >, and y  = h(id (Tw )). Firstly, we check y  th position of Array d to get p1,1 . Secondly, we keep check p1,1 th position of Array s to get p1,2 . Finally, to get p from p1,2 th position with the key S1,2 , we accept the trapdoor if p = p1,1 . Fig. 3 An example of the proposed scheme

Security analysis

(4)

–

uniformly chooses two positions pi,1 , pi,2 of the array s. Therefore, hash functions h must be different in different indices, because of different numbers for different keywords. It finally computes pi,1 ⊕ Di and inserts it into the yi th position of the array d, computes pi,2 ⊕Si,1 into the pi,1 th position of the array s, and pi,1 ⊕ Si,2 into the pi,2 th position of the array s. When the collision occurs in yi th position of the array d, a pointer linked list is using to resolve the collision. There is an example as Fig. 3 to denote the collision in which three different xi mapping to the same y  . Eventually, this algorithm returns an index Iid =< s, d, id, h >.

SearchIndex(Tw , Iid ): This algorithm, run by the server,

takes the trapdoor Tw to search the corresponding document via P-index Iid and works as follows: (1)

(2) (3)

(4)

(5)

It takes Tw to generate the codeword x = id (Tw ) and key = G(id ⊕ Tw ) =< D, S1 , S2 >. It computes y = h(x) and points yth position of the array s. If the value in yth position is empty, the algorithm outputs 0. Otherwise, it checks all values on this chain in yth position.  by decrypting The algorithm first gets pi,1  ⊕ D ) from the yth position of the array (pi,1 i  by decrypting (p ⊕ S ) d. It thus gets pi,2 i,1 i,2  from the pi,1 th position of the array s. Finally, it can get p by decrypting (p ⊕  th position of the array Si,2 ) from the pi,2   s. If p = pi,1 , it outputs 1 in which the server returns the corresponding encrypted documents to the user; otherwise, outputs 0.

The security game has been described in section “Security model of secure index”, while the adversary’s behavior is modelled by this game. Definition 2 An index is the -IND-CKA index. It is semantically secure against the adaptive chosen keyword attack in the random oracle model if and only if the advantage of adversary A is AdvA = |P r[b = b ] − 1/2| < . A’s goal is to guess keywords w0 , w1 which is in the set W  + {wb }. Theorem 1 P-index is the p -IND-CKA index assuming the pseudorandom permutation function  is p pseudorandom-permutation. Proof First we suppose that P-index is not p -INDCKA index. There exists an adversary A that has with non-negligible advantage  to win the security game. We construct an algorithm C that breaks the pseudorandom permutation function . C acts as a challenger and returns A’s queries. C simulates P-index with asking for oracle OF as random oracle. When the game finishes, C will use the A’s answer to guess whether F is a pseudorandom permutation function. A and C interact as follow:

Index & Trapdoor-queries. A produces a set W , and queries to C for the correspond index IW . C maintains OF -list to store the queries, it bases on OF -list to return BuildIndex and Trapdoor for A’s queries. If the keyword does not exist in OF -list, the OF will set a random value for this query and save into OF -list; otherwise, OF returns the value as before following OF -list. Challenge. After several queries, A generates a challenge, included a keyword set W  , and selects keyword pair (w0 , w1 ), where w0 , w1 ∈ / W  have been never

9992, Page 6 of 7

J Med Syst (2013) 37:9992

asked Trapdoor by A. The challenger C randomly choices b ∈ {0, 1} and obtain a set W  + {wb }, then computes index IW  +{wb } . Finally, C sends IW +{wb } to A. More queries. A can keep on asking BouldIndex and Trapdoor queries for keywords wi which is restricted that wi = w0 , w1 . Output. Eventually, A outputs a bit b . When b = b , C outputs 1 to denote that C guesses F is a pseudorandom permutation function; otherwise, outputs 0. C ’s output is based on A’s answer. While F is a pseudorandom permutation function(, P RP ), the environment of C ’s simulation is correct. That is said    1 AdvA = P r[b = b ] −  2    1 = P r[b = b | : P RP ] −  2    1   = P r C k (.) = 1| : P RP −  ≥ p (1) 2

If F is a real random permutation function(E, RP ), the trapdoor of w0 , w1 can not be guessed, since the trapdoor from F is real random. It also is not based on the trapdoor or the index to analysis, thus algorithm A guesses b = b with probability 1/2 as follow: P r[A|win] = |P r[b = b |E : RP ]|      = P r C k (.) = 1| : RP  = 1/2

(2)

Because of (1), (2), the advantage of C is AdvC        = P r C k (.) = 1| : P RP − P r C E(.) = 1|E : RP     1   k (.)  = P r C = 1| : P RP −  ≥ p (3) 2 With above results, we show that if the pseudorandom permutation function  is p -pseudorandom permutation, P-index is p -IND-CKA index. This is, the proof of Theorem 1 is complete, while P-index will be the IND-CKA index if and only if P-index uses the secure function to building the trapdoor. Comparisons Now we compare our scheme to Goh’s [18] in terms of space cost and false positive in Table 1. We list the following notation for comparisons.

Notation: n: number of keyword in the document n : total number of keyword in all documents

Table 1 Comparison of space and other attributes with Goh’s and the proposed scheme

Search time Index space cost False positive

Goh’s Z-IDX [18]

P-Index

O(1) O(n t) O((1/2)t )

O(1) O(nr) O((1/2)3r )

t: number of hash functions in Bloom filter r: length of an element of array s Due to n ≥ n, P-index uses more extra space to meet lower false positive rate; however, in the worst case, the space cost is total 4nr bits. To build a Bloom filter in Zindex has to predict the number of all keywords, so space cost of Z-index is n t bits. Our scheme is flexible in the space. However, it does not adopt the bilinear pairing that is a complicated computation, and thus it is more efficient than some schemes [11–15].

Conclusions In this paper, we have proposed a new secure index scheme for keyword-search over encrypted ERMs, referred to as Pindex. The main properties of P-index are flexible space and lower false positive on secure channel, and P-index maintains the efficient searching, which would be suitable for the mobile device or other lower computational machine. The proposed P-index is semantically secure against the adaptive chosen keyword attack in the random oracle model assuming that the pseudorandom permutation function is intractable to break.

Acknowledgement The research work was partially supported by the National Science Council of the Republic of China (Project Nos. NSC-96-2628-E-005076-MY3 and NSC-100-2221-E-468-014).

References 1. Fan, C. I., Huang, S. Y., Controllable privacy preserving search based on symmetric predicate encryption in cloud storage. Futur. Gener. Comput. Syst. 2012 (in Press). doi:10.1016/ j.future.2012.05.005. 2. Kaufman, L. M., Data security in the world of cloud computing. IEEE Secur. Priv. 7:61–64, 2009. 3. Subashini, S., Kavitha, V., A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appl. 34:1– 11, 2011. 4. Wang, Q., Wang, C., Ren, K., Lou, W., Li, J., Enabling public auditability and data dynamics for storage security in cloud computing. IEEE Trans. Parallel Distrib. Syst. 22:847–859, 2011.

J Med Syst (2013) 37:9992 5. Byun, J., and Lee, D., On a security model of conjunctive keyword search over encrypted relational database. J. Syst. Softw. 84:1364– 1372, 2011. 6. Byun, J., Lee, D., Lim, J., Efficient conjunctive keyword search on encrypted data storage system. In: Proceedings of EuroPKI 2006, LNCS. Vol. 4043. pp. 184–196, 2006. 7. Golle, P., Staddon, J., Waters, B., Secure conjunctive keyword search over encrypted data. In: Proceedings of Applied Cryptography and Network Security Conference, LNCS. Vol. 3089, pp. 31–45, 2004. 8. Jeong, I. R., and Kwon, J. O., Analysis of some keyword search schemes in encrypted data. IEEE Commun. Lett. 12:213–215, 2008. 9. Song, D., Wagner, D., Perrig, A., Practical techniques for searches on encrypted data. In: Proceedings of 2000 IEEE Symposium on Security and Privacy, pp. 44–55, 2000. 10. Abdalla, M. et al., Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. J. Cryptol. 21:350–391, 2008. 11. Baek, J., Safavi-Naini, R., Susilo, W., A Public key encryption with keyword search revisited. In: Proceedings of ICCSA 2008, LNCS. Vol. 5072. pp. 1249–1259, 2008. 12. Boneh, D., Crescenzo, G. D., Ostrovsky, R., Persiano, G., Public key encryption with keyword search. In: Proceedings of EUROCRYPTO’04, LNCS. Vol. 3027. pp. 506–552, 2004. 13. Park, D. J., Kim, K., Lee, P. J., Public key encryption with conjunctive field keyword search. In: Proceedings of Information Security Applications 2004, LNCS. Vol. 3325. pp. 73–86, 2004. 14. Rhee, H. S., Park, J. H., Susilo, W., Lee, D. H., Trapdoor security in a searchable public-key encryption scheme with a designated tester. J. Syst. Softw. 83:763–771, 2010.

Page 7 of 7, 9992 15. Zhang, B., and Zhang, F., An efficient public key encryption with conjunctive-subset keywords search. J. Netw. Comput. Appl. 34:262–267, 2011. 16. Bellare, M., Boldyreva, A., O’Neill, A., Deterministic and efficiently searchable encryption. In: Proceedings of CRYPTO’07, LNCS. Vol. 4622. pp. 535–552, 2007. 17. Brinkman, R., Schoenmakers, B., Doumen, J. M., Jonker, W., Experiments with queries over encrypted data using secret sharing. In: Proceedings of Secure Data Management, LNCS. Vol. 3674. pp. 33-46, 2005. 18. Goh, E. J., Secure Indexes. The Cryptology ePrint Archive, Report 2003/216. 2004. http://eprint.iacr.org/2003/216.pdf. 19. Archer, N., and Cocosila, M., A comparison of physician preadoption and adoption views on electronic health records in Canadian medical practices. J. Med. Internet Res. 13:3, 2011. 20. Gunter, T. D., and Nicolas, T. P., The emergence of national electronic health record architectures in the United States and Australia: Models, costs, and questions. J. Med. Internet Res. 7:1, 2005. 21. Garcia-Smith, D., and Effken, J. A., Development and initial evaluation of the clinical information systems success model (CISSM). Int. J. Med. Inform. 82:539–552, 2013. 22. Li, J. S., Zhang, X. G., Chu, J., Suzuki, M., Araki, K., Design and development of EMR supporting medical process management. J. Med. Syst. 36:1193–1203, 2012. 23. Benaloh, J., Chase, M., Horvitz, E., Lauter, K., Patient controlled encryption: ensuring privacy of electronic medical records, Proceedings of the 2009 ACM workshop on Cloud computing security (CCSW ’09). pp. 103–114, 2009. 24. Bloom, B. H., Space/Time trade-offs in hash coding with allowable errors. Commun. ACM 13:422–426, 1970.