The healthcare system has changed as advancements in digital technology have been incorporated into our lives. A uniform and structured evolution in healthcare systems from physical documentation to electronic documentation has been observed, which has led to the rise of the healthcare industry. This evolution provides a platform for effectively and efficiently sharing healthcare data among different stakeholders [1]. Physical logs are now transformed into digitalized electronic logs, such as electronic health record (EHR), electronic medical record (EMR), and personal health information (PHI). The health information of patients managed by healthcare professionals is referred to as EHR and EMR, whereas the records and information managed by patients or their relatives are known as PHI. EHRs are legal and logical records. The use and content of EHRs are regulated so that they cannot be changed by anyone at any time. These records contain different types of patient data such as their demographics, medical histories, laboratory-test results, medication, and other sensitive information [2]. EHR systems generate, store, manage, and recover EHRs. Hence, less physical storage, time, and manpower are required to store EHRs compared to physical records. Such systems should be patient-centric, effective, efficient, and secure. An EHR system is a complex digital infrastructure comprising several key components, as shown in Figure 1. The data layer serves as a repository of patient information, medical records, laboratory results, and imaging studies. The application layer provides tools for clinical tasks such as electronic prescribing, order entry, and clinical documentation, as well as administrative functions such as billing and scheduling. The middleware layer facilitates communication among different system components and ensures data security. The infrastructure layer provides the underlying hardware and software foundations for the system. The evolution of EHR systems from traditional systems has incorporated various challenges in terms of the confidentiality, privacy, and security of EHRs [1, 3].

Cloud computing is a fast-growing area of development and is being used extensively in the healthcare sector. The cloud enables the formation, storage, and attainment of EHRs by different team members (e.g., medical assistants, laboratory staff, and patients) despite the difficulties caused by time and space. These advantages are provided by cloud services related to cost-effective storage, scalability, processing, updating, availability, and simplified access to information [4]. The migration of EHRs to cloud services liberates medical professionals from handling the EHR infrastructure. The EHR system can be interpreted as a system that not only stores large amounts of health records but also manages the arrangement of health data among different healthcare professionals. EHRs can be acquired from different resources and databases to refine accurate disease diagnosis or for other analytical purposes. However, sharing EHRs among different stakeholders can be challenging because of issues such as interoperability, data security, and privacy preservation [5]. Interoperability is defined as the ability to access and integrate data from distinct datasets to make them significant and unified. The lack of interoperability poses a barrier to healthcare providers and analytics that require a large amount of medical data. Data security is also essential because forged information can have a significant impact on the effective utilization of EHRs. Finally, EHRs contain sensitive information about patients that must be preserved from unauthorized access. The key challenges associated with EHRs include the following:

• · Data integrity: Ensuring the completeness and accuracy of EHRs and protecting them from unauthorized modifications or tampering.

• · Data confidentiality: Protecting EHRs from unauthorized access and disclosure from cloud storage as well as in transition.

• · Data availability: Ensuring the reliable access of data to authorized users, even in the case of system failure or cyber attacks.

• · Privacy preservation: Preserving the sensitive information contained in EHRs by employing some security methods such as encryption or anonymization, while still allowing access for research and analysis.

• · Access control: Employing mechanisms to control who can access which part of the data, based on their permissions.

Various studies have discussed these issues and have proposed different security methods. In this study, several methods developed to provide security and privacy preservation to EHR systems are discussed and reviewed.

The remainder of this paper is structured as follows. The schemes used to secure healthcare systems, such as cryptography, anonymization, blockchain, and data sanitization and restoration using artificial intelligence (AI), are discussed in Section 2. Challenges and limitations associated with these schemes are also discussed in this section. Finally, the review concludes with possible future research directions in Section 3.

In this section, different state-of-the-art schemes used to secure medical data and preserve the privacy of patients and data owners are discussed. These schemes are categorized according to the main techniques used to preserve privacy: cryptography, anonymization, blockchain technology, and data sanitization and restoration using AI.

2.1 Cryptography

One of the basic solutions for data security and privacy preservation of EHRs is data encryption. However, this also entails the dilemma of key-management tasks. If key management is under the control of the data owner or patients, this provides better control and improves security, but increases the burden on data owners to allocate keys to legitimate users, which restricts the flexibility of distributing data across different stakeholders [6]. Various methods have been proposed based on cryptographic algorithms for privacy preservation to enhance user trust in the cloud. Attribute-based encryption (ABE) has been claimed to provide patient-centric fine-grained access control. ABE is a public-key cryptographic scheme in which the encryption and decryption of data depend on user attributes. It is further classified into two categories: key-policy attribute-based encryption (KPABE), in which data decryption is possible only if the attributes associated with the encrypted data satisfy the access policy assigned to the secret key, and ciphertext-policy attribute-based encryption (CPABE), in which the attributes linked with the secret key must meet the access structure associated with the encrypted data to decrypt the data successfully. Additional to these two categories, other variations of ABE have been identified by researchers, such as multi-authority attribute-based encryption (MAABE), which uses multiple trusted authorities for key generation instead of a single central authority, and broadcast attribute-based encryption (bABE), which acts effectively in the case of user revocation. Several studies have focused on adopting ABE and its variations to provide a secure and privacy-preserved cloud environment for EHR systems. A summary of these schemes is presented in this section, and their features and challenges are summarized in Table 1.

A patient-centric EHR system on the basis of bABE and public-key encryption with keyword search (PKES) was presented by Narayan et al. [7]. The data is encrypted and access control is imposed on the data using bABE. The data owner encrypts the data and broadcasts it to a subset of authorized users. PKES enables the search of encrypted data using allowed keywords. However, the proposed model did not align with the algorithmic illustration of some schemes and rigid access control was enforced.

Barua et al. [8] introduced an efficient and secure patientcentric access-control scheme (ESPAC), which was based on CPABE. The authors concluded that the proposed method provides secure end-to-end communication and ensures data integrity, identity privacy, and nonrepudiation.

Li et al. [9] ensured the secure sharing of PHI stored in semi-trusted clouds using ABE. The security domain in the proposed design were divided into two domains: public and private. All physicians and medical researchers were categorized under the public domain, whereas family members and friends of patients were categorized under the private domain. Furthermore, for secure data distribution in the public and private domains, KPABE and MAABE were applied, respectively. The patients had complete charge of their data, but this also posed a burden on the patient-side application, as it was used to produce and allocate keys to the users.

Fabian et al. [10] presented an architecture for secure data sharing among organizations. ABE was used to ensure fine-grained access control, and a secret-sharing scheme was used to securely distribute the data across multiple clouds. The authors concluded that the proposed architecture is practically feasible and exhibits good performance.

Liu et al. [11] combined the features of digital signatures and CPABE to ensure privacy, integrity, and anonymity of personal healthcare data. The proposed technique is called ciphertext-policy attribute-based signcryption. The PHI is signed and encrypted by the data owner to create signcrypted data that can be saved securely to the cloud, and only authorized users are allowed to access and designcrypt the signcrypted data using the secret key. The authors concluded that the proposed scheme provided a balance between security and efficiency.

Yang et al. [12] proposed a practical solution to preserve the privacy of healthcare data on the cloud. The proposed solution considered different privacy priorities for different attributes of EHRs. Based on these priorities, the EHRs are partitioned vertically for data publishing. To access the data, various attributes are merged vertically, and an integrity check is performed. The proposed method also provides a search facility across plain and ciphered texts, where statistics and cryptography are combined to achieve a balance between privacy preservation and data utilization. The effectiveness of the proposed solution was experimentally verified.

A cloud-based EHR model that guarantees patient privacy was presented by Seol et al.. The proposed model is based on attribute-based access control (ABAC) and a combination of XML encryption and XML digital signatures is used as an extra security factor. The proposed model falls under the category of a hybrid model, as it considers both cryptographic and non-cryptographic approaches for data privacy. ABAC provides fine-grained access control, and XML encryption with an XML digital signature is used for secondary-level protection. The authors of [13] stated that the model succeeded in achieving all security evaluation factors: authorization, confidentiality, integrity, accountability, and nonrepudiation.

A framework called MSCryptoNet, which combines multi-scheme fully homomorphic encryption with deep-learning technology, was presented by Kwabena et al. [14] to preserve the privacy of healthcare systems. A method was also designed to determine the activation function for a neural network with low-degree polynomials, which was used for calculations in homomorphic encryption. The model minimized the computation and communication costs for data owners. The authors found the proposed model to be superior in terms of complexity and security compared to other state-of-the-art schemes.

2.2 Anonymization

Data anonymization, also known as data desensitization or data masking, is used to hide sensitive data. Researchers have designed various anonymization methods, including generalization, suppression, and diversity slicing, which can be used to preserve the privacy of individuals. The three anonymization models are k-anonymity [15, 16], l-diversity [17], and t-closeness [18]. These algorithms are named in increasing order of complexity. The most basic algorithm is k-anonymity, which ensures nonidentifiability of distinct records of the dataset by making a specific individual’s information (row) nondistinguishable from the information of other ‘k − 1’ individuals (rows) in the dataset. As k-anonymity is prone to several privacy attacks, such as the homogeneity attack and background-knowledge attack, a stronger model, l-diversity, was defined. It requires at least ‘l’ well-represented values to be assigned for each sensitive attribute in each of the equivalence classes while maintaining the principle of k-anonymity. Further refinement of this model is also presented, which reduces the granularity of data to preserve privacy, and is called t-closeness. A study of these anonymization models for medical data was presented by Rajendran et al. [19]. Various researchers have proposed schemes based on these models to ensure the security and privacy preservation of medical data. A summary of these schemes is presented in Table 2.

For the anonymization of structured and unstructured health data, a conceptual scheme along with a prototype system was presented by Gardner and Xiong [20]. It is an integrated system designed for the de-identification of health information. A conceptual framework that used a conditional random field-based scheme to select identifying attributes from the data and preserve the data utility using k-anonymity for the de-identification process was presented.

El Emam et al. [21] proposed a globally optimal de-identification algorithm based on the criterion of k-anonymity for the privacy protection of medical information, which was named optimal lattice anonymization. The performance of the proposed algorithm was evaluated against the most basic k-anonymity de-identification algorithms for several health datasets, and it provided minimal information loss in the least time.

A cluster-based anonymization algorithm was presented by Belsis and Pantziou [22] to preserve the privacy of a patient whose health information is being transferred to a base station through sensors. The clustering method was applied to select a cluster head that captured data from other nodes. Medical data were anonymized before being transmitted to the base station and then to the main server for further action by medical professionals. The anonymization method makes the data inseparable from the data of the other k − 1 sensors. The proposed method proved to be more effective than cryptography in terms of network utilization and time delay.

When researchers are exposed to medical information for various investigations, patients may lose their privacy even after the removal of their identity information, because the diagnosis code can be used for identity-disclosure attacks. To stop this type of data connection, a disassociation-based approach enforcing k^m-anonymity was presented by Loukides et al. [23]. This approach does not acquire diagnosis codes from patients, but provides the same analytical results. The data are partitioned into subsets to prevent identity disclosure. The scheme improves privacy and data utility compared to existing methods.

A multifactor authentication method, called suppressed k-anonymity multi-factor authentication-based Schmidt–Samoa cryptography, was proposed by Prabha and Saraswathi [24]. The proposed scheme comprises three main processes: registration, authentication, and data access. The suppression method is used in the registration process to store the private data of the client securely on the cloud server. The clients are authenticated using multi-factor information, such as one-time tokens, passwords, and conditional attributes. In the last process, data are accessed by an authenticated client by applying encryption/decryption using Schmidt-Samoa cryptography. The authors evaluated the performance of the proposed method and proved that it increased the privacy-preservation rate and reduced computational complexity compared to state-of-the-art methods.

2.3 Blockchain

Blockchain was launched in 2009 and stores data in chained blocks that are distributed in a decentralized manner [25]. It provides a peer-to-peer-based infrastructure that functions for users participating in transactions as well as for blockchain miners to facilitate transactions in the distributed ledger. A decentralized network of nodes is used to store the ledger, and the nodes are created using cryptographic processes run by miners in the network. Blockchain offers various features, including highly reliable decentralized storage, distributed ledgers, authentication, traceability, security, and immutability. It can be separated into permissionless (public) and permissioned (consortium) blockchains [6]. In a permissionless blockchain, any user can contribute to the network by creating and validating transactions and can execute a consensus protocol, and it is completely open. The most famous example of this type of blockchain is Bitcoin. In permissioned blockchain, access control is maintained, and it restricts specific actions performed by specific nodes. It is a type of closed network that requires an invitation that must be validated by a set of rules set up by a network starter. However, the nodes in this network were not equal. The most popular example of a permissioned blockchain is Hyperledger. Blockchain has applications in various sectors such as banking, healthcare, real estate, and finance. Several researchers proposed schemes based on blockchain technology to secure healthcare data. Several of these schemes are discussed in this section.

A decentralized data-management system was presented by Azaria et al. [26] to manage EHRs using blockchain technology; the proposed system was named MedRec. It provides patients with extensive, well-established records, and easy access to their health-related data across sources of information and care units. Three types of Ethereum smart contracts (register contract, patient-provider relationship contract, and summary contract) were designed to associate the medical records stored by different healthcare providers, which allowed third-party users to access the information after authentication. Utilizing blockchain properties, this system provides authentication, privacy, accountability, and secure information sharing, particularly when handling sensitive data.

An application called the Healthcare Data Gateway (HDG) was presented by Yue et al. [27] to ensure the privacy preservation of patient medical information. The application utilizes purpose-centric access, blockchain, and a simple unified indicator-centric schema that allows patients to possess, manage, and share their healthcare data without compromising privacy. By using HDG, the patients know how their data are utilized and by whom. It also ensures anonymization, communication, data backup, and recovery.

Yang and Yang [28] proposed a MedRec-based approach by embedding signcryption, a combination of digital signatures and encryption, and attribute-based authentication. The healthcare data are encrypted using a symmetric key, and an attribute key is used to encode the key. The encrypted data and keys are then signed using a private key. The discussed approach ensures the secure storage of healthcare data, authenticity of the data, and fine-grained access control.

A blockchain-based data sharing system was designed by Xia et al. [29], which used a permissioned blockchain so that only invited and verified users could access the shared storage of the data. Once users and their cryptographic identities are verified, a request to access the storage is allowed. Because all users and their actions are already recorded by the blockchain, the resulting system ensures accountability. The authors also demonstrated the efficiency and scalability of the proposed approach.

MedShare, which is a blockchain-based system that focuses on healthcare-data sharing in a trustless environment, was designed by Xia et al. [30]. The system monitors and records all actions performed by entities, such as accessing and sharing data with one another, and data transitions in a protected manner. If any offended entities are found to have breached permissions on the data, the access-control mechanism of the system revokes access to those entities. The system ensures auditing and data provenance and minimizes the risk to privacy while sharing healthcare data among different stakeholders.

MedBlock, a blockchain-based data-management system that provides easy access to electronic medical records, was proposed by Fan et al. [31]. The system addresses the problem of collecting and constructing the overall records of patients while maintaining privacy and security, as patient EMRs can be distributed to multiple hospital databases. It embeds symmetric cryptography and customized access control to ensure data security.

A multi-authority attribute-based signature scheme combined with the blockchain was discussed by Guo et al. [32] to ensure the authenticity and anonymity of electronic healthcare data. The ABE signature indicates that the message was signed by the user only if the attributes satisfied the access structure. Because of the use of multiple authorities, the scheme avoids the escrow problem and prevents collusion attacks. The authors demonstrated the security of the protocol and concluded that the cost was directly proportional to the number of attributes and authorities.

SPChain, a blockchain-based healthcare information-sharing and privacy-preserving eHealth system, was presented by Zou et al. [33] to overcome the challenges faced by various eHealth systems. The keyblocks and microblocks are evolved to store medical information so that information can be quickly retrieved. To ensure the privacy preservation of patients, SPChain uses a proxy re-encryption scheme. Its performance was evaluated in a real-world scenario, where it achieved a high throughput and resisted various attacks. The analysis results demonstrated the efficiency and feasibility of the system.

All the discussed schemes and their features and challenges are summarized in Table 3.

2.4 Data Sanitization and Restoration using AI

EHRs can be used by different stakeholders for different purposes; therefore, EHRs should be provided to stakeholders in a form that requires minimum computation for use with minimum chances of revealing patient personal or sensitive information. The sanitization of sensitive data plays an important role in securing information sharing. In the data-sanitization process, sensitive information is concealed using an optimal key to prevent its exposure to unauthorized users. It takes place at the data owner, and the sanitized data can be stored in the cloud. If an authorized user wants to access the original data, the same optimal key is required to restore the data effectively. The process of accessing the original data from the sanitized data is called data restoration. The most important aspect of the privacy preservation of EHRs using this process is the key used for data sanitization and restoration. Maximum privacy must be ensured during sanitization and maximum utility must be ensured during restoration. To minimize the data loss, the original data must be used for key generation. Different researchers have used metaheuristic algorithms for this purpose because these algorithms can effectively identify the most optimal solution from the solution space. Analyses of some of these algorithms are presented in this study.

Processes of data sanitization and data restoration have been incorporated to preserve the privacy of healthcare data. However, the accuracy achieved during the restoration process requires further improvement. Annie Alphonsa and Amudhavalli [34] presented a hybrid solution, which was a combination of a genetic algorithm and glowworm-swarm optimization algorithm. The proposed algorithm is called genetically modified glowWorm swarm optimization. The key used for data sanitization and restoration is optimized using the hybrid algorithm. The proposed algorithm was compared with other metaheuristic algorithms in terms of sanitization effectiveness, restoration effectiveness, and statistical and convergence analysis, and the proposed algorithm was proven to be efficient.

Privacy preservation of healthcare data can be achieved through a data-sanitization process. Mandala and Rao [35] introduced a hybrid optimization method by combining particle-swarm optimization (PSO) and grey-wolf optimization (GWO) to obtain the key for the sanitization and restoration processes. The proposed method is called the particle swarm velocity-aided GWO. The optimum key formed via the algorithm was used to increase sanitization and restoration effectiveness and prevent known ciphertext and plaintext attacks. The authors compared the performance of their algorithm with those of conventional schemes and found it to be more efficient.

To address the issue of low accuracy in the process of data restoration, Alphonsa and MohanaSundaram [36] introduced a hybrid optimization algorithm, GOAGA, by embedding the grass-hopper optimization algorithm (GOA) with a genetic algorithm (GA) to generate an optimum symmetric key for sanitization and restoration processes. Because the GOA can only work efficiently for single-objective problems with uncertain variables, an advanced algorithm, such as the GA, can be helpful. Therefore, the authors combined the advantages of these two algorithms to tune the control parameters and determine the optimal key. The statistics, convergence, and key sensitivity of the proposed algorithm were also analyzed with some traditional schemes, and it achieved better performance in preserving the privacy of healthcare information.

Shailaja and Rao [37] also used data sanitization and restoration to ensure the privacy preservation of medical information. The association rules are generated and fed to the data-sanitization phase, where the symmetric key that is optimally generated with the proposed opposition intensity-based cuckoo search algorithm is used for sanitizing the generated rules. The same key is used to restore the original data. The authors evaluated and analyzed the performance of this algorithm based on several parameters, such as the hiding failure rate, degree of modification, false-rule generation, and information-preservation rate. The results showed that the proposed method is superior to other conventional methods.

Ahamad et al. [28] presented the Jaya-based shark-smell optimization (J-SSO) algorithm, which is a hybridization of the Jaya algorithm and shark-smell optimization algorithm. The effectiveness of the sanitization and restoration process depends on the optimality of the key; therefore, J-SSO attained and ensured the optimality of the key by considering a multi-objective function, including the metrics of information-preservation rate, modification degree, and hiding-failure rate. The authors showed that the proposed algorithm performed better than existing methods on five different datasets and attained a faster convergence rate and minimized key sensitivity and statistical analysis.

Balashunmugaraja and Ganeshbabu [39] developed the red deer-bird swarm optimization algorithm to preserve privacy in a cloud environment. Red deer-bird swarm algorithms are embedded to attain a high convergence rate during the generation of the optimal key. The generated optimal key used for data sanitization and restoration ensures data privacy and utility. The effectiveness of the hybrid algorithm was proven against various parameters such as key-sensitivity analysis, convergence analysis, statistical analysis, known plaintext attacks, and chosen plaintext attacks.

Probability switch searched butterfly-moth flame optimization (PS-BMFO) was introduced to solve the multi-objective function based on constraints such as the information-preservation ratio, degree of modification, and hiding ratio. PS-BMFO was used to generate an optimum key that can be used for data sanitization and restoration to maintain data security and integrity while storing medical data on the cloud. It is a combination of the butterfly flame optimization (BFO) and moth flame optimization (MFO) algorithms. As BFO does not have the ability to balance exploration and exploitation and can become stuck in local optima, Rubai [40] integrated it with MFO to embed the former’s ability to solve real-time optimization problems with the latter’s ability to solve challenging problems with an unspecified search space and uncertain limitations.

A mouse-updated arithmetic optimization algorithm (MU-AOA) was proposed to enhance privacy in a cloud environment[ 41]. First, identifiable data were extracted using the augmented dynamic itemset counting method, and then sanitized using the optimally tuned key generated by combining MU-AOA with deep learning. The proposed method was proven to be superior in preserving privacy compared with conventional schemes and prevented unauthorized access.

All the discussed schemes and their features and challenges are summarized in Table 4.

The rise in cyber crimes poses a serious threat to privacy. While storing sensitive data, such as medical or healthcare data, on the cloud, data owners need assurance that their privacy will not be breached. Various techniques have been developed for this purpose. In this study, some of these techniques were reviewed. These techniques can be classified into four categories: cryptography, anonymization, blockchain, and AI-based data sanitization and restoration. The schemes discussed under these categories were summarized in Tables 1–4 along with their respective features and challenges. The challenges encountered while storing medical data in the cloud using these general techniques are outlined. Data interoperability remains a significant issue in cryptographic methods because various cloud services are incompatible. A perfect balance between data privacy and utility cannot be achieved in any of the anonymization schemes. Storing data on a public blockchain can be expensive; thus, saving the complete medical data of millions of patients on-chain is infeasible. If a central authority runs the blockchain network in a consortium blockchain, the chance of blockchain rollback by an attacker or a central authority member increases. Achieving multiple objectives, such as a low hiding ratio, degree of modification, and high information-preservation rate and privacy, while maintaining sanitization effectiveness, restoration effectiveness, and a high convergence rate without being trapped in local optima, remains a challenge. In the future, the authors will focus on achieving multiple objectives by embedding AI with machine learning so that an optimal tuned key can be generated to attain a high convergence rate while maximizing the restoration effectiveness. The combination of AI and machine learning can help identify and mask personally identifiable information in EHRs and reduce the risk of data breaches.

No potential conflict of interest relevant to this article was reported.

Table 1. Analysis of cryptographic schemes on EHR.

Table 2. Analysis of anonymization schemes on EHR.

Table 3. Analysis of blockchain schemes on EHR.

Table 4. Analysis of AI-based sanitization schemes on EHR.