**3. BeNGAC**

Encryption is a good choice for protecting the privacy and confidentiality of PHR both on premises and in the cloud. Invented by Amit Sahai and Brent Waters [9], ABE and its extensions have been researched extensively and applied to PHR confidentiality and privacy protection [9–16]. However, encryption alone cannot prevent insider threats [3, 17]. Miller & Tucker [17] suggested applying access control to remediate insider threats [3, 17]. Akshay Tembhare et al. combined the role-based access control (RBAC) model with ABE to protect PHR in the cloud [25]. However, RBAC is a traditional access control method in which the users are known in advance. PHR users may or may not be known to a central authority, a setting for which the next generation access control model is a better fit.

*Perspective Chapter: Blockchain-Enabled Trusted Longitudinal Personal Health Record DOI: http://dx.doi.org/10.5772/intechopen.106454*


**Table 1.** *LPHR requirements.*

This led us to choose NIST's NGAC as the authorization model. Furthermore, NGAC meets the LPHR distributedness requirement because it provides unified access control policies while the resources that enforce those policies are distributed [3, 21]. Moreover, NGAC is scalable at the enterprise level [21], which "fulfills the LPHR scalability requirement" [3].

Nevertheless, in a distributed system NGAC suffers a "race condition" when access control policies are centralized while decision-making processes are localized [26]. To solve this problem, we proposed a decentralized yet distributed access control policy expression unit built on the permissioned blockchain technology Hyperledger Fabric (HF) [3]. We introduced a novel BeNGAC model [3]. In LPHR, patients and providers trust each other, which matches the property of a permissioned blockchain. The "race condition" in NGAC is eased by HF "concurrency control" [3, 27], which is provided by "HF consensus" [3, 27]. The access control policy information is immutable because it inherits HF's immutability property. The blockchain transaction audit logs are on chain, while the access control policies are stored in a private off-chain database [3]. Furthermore, NGAC access control policies compensate for HF's weak confidentiality protection. The BeNGAC architecture is sketched in **Figure 1**. "Policy enforcement point (PEP), policy decision point (PDP), event processing point (EPP), and resource access point (RAP)" [3, 26] are distributed and act locally. The policy administration unit (PAU) consists of the blockchain-enabled policy administration point (BePAP) and the blockchain-enabled policy information point (BePIP), which are decentralized. An application requests access to BET-LPHR. The request is processed by the PEP, which relays it to the decision maker, the PDP. The PDP queries the policy database BePIP via BePAP. The request is evaluated and a grant or deny decision is returned to the application via the PEP. If the decision is "allow", the application sends a request to access the BET-LPHR through the RAP.

**Figure 1.** *BeNGAC architecture [3, 26]*
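The request flow just described (application → PEP → PDP → policy information point → decision → RAP) can be made concrete with a small NGAC-style simulation. The code below is an added example written for this page; it is not the BeNGAC implementation from [3] and does not talk to Hyperledger Fabric. All class names, the in-memory policy graph standing in for BePIP/BePAP, the hash-chained `AuditLog` standing in for the on-chain transaction record, and the sample users, attributes and records are constructed assumptions. It does show the NGAC property the section relies on: a decision is derived from attribute containment plus associations, so a provider attribute can be granted read on a whole PHR container without enumerating individual users, and every decision leaves a tamper-evident audit entry.

```python
"""Constructed NGAC-style PEP/PDP/PIP/RAP simulation (not the paper's code)."""
import hashlib
import json
from collections import deque


class PolicyInformationPoint:
    """In-memory stand-in for BePIP: the NGAC policy graph (assumed data model)."""

    def __init__(self):
        self.parents = {}        # node -> set of attributes the node is assigned to
        self.associations = []   # (user_attribute, frozenset(ops), object_attribute)

    def assign(self, node, attribute):
        """NGAC assignment: user->user attr, object->object attr, or attr->attr."""
        self.parents.setdefault(node, set()).add(attribute)

    def associate(self, user_attribute, ops, object_attribute):
        """NGAC association: holders of user_attribute may perform ops on object_attribute."""
        self.associations.append((user_attribute, frozenset(ops), object_attribute))

    def containers(self, node):
        """All attributes reachable from node through assignments (NGAC containment)."""
        seen, queue = set(), deque([node])
        while queue:
            for parent in self.parents.get(queue.popleft(), ()):
                if parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        return seen


class PolicyDecisionPoint:
    """Local decision maker: allow iff some association links a user container to an object container."""

    def __init__(self, pip):
        self.pip = pip

    def decide(self, user, op, obj):
        user_attrs = self.pip.containers(user)
        obj_attrs = self.pip.containers(obj)
        return any(ua in user_attrs and oa in obj_attrs and op in ops
                   for ua, ops, oa in self.pip.associations)


class AuditLog:
    """Hash-chained append-only log; a local stand-in for the on-chain audit trail."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"event": event, "prev": prev, "hash": digest})

    def verify(self):
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["event"], sort_keys=True)
            if entry["prev"] != prev or entry["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = entry["hash"]
        return True


class ResourceAccessPoint:
    """Holds the records; only reached after the PEP has an allow decision."""

    def __init__(self, records):
        self.records = records

    def access(self, op, obj, payload=None):
        if op == "read":
            return self.records.get(obj)
        if op == "write":
            self.records[obj] = payload
            return payload
        raise ValueError(f"unsupported operation {op!r}")


class PolicyEnforcementPoint:
    """Entry point for the application: asks the PDP, logs the outcome, then routes to the RAP."""

    def __init__(self, pdp, rap, log):
        self.pdp, self.rap, self.log = pdp, rap, log

    def request(self, user, op, obj, payload=None):
        allowed = self.pdp.decide(user, op, obj)
        self.log.append({"user": user, "op": op, "obj": obj, "decision": "allow" if allowed else "deny"})
        if not allowed:
            return ("deny", None)
        return ("allow", self.rap.access(op, obj, payload))


def build_demo():
    """Constructed sample policy: a patient owns her PHR, cardiology providers may read all PHRs."""
    pip = PolicyInformationPoint()
    pip.assign("alice", "alice-self")          # patient -> her own user attribute
    pip.assign("bob", "cardiology")            # provider -> department
    pip.assign("cardiology", "providers")      # department contained in providers
    pip.assign("alice-record", "alice-phr")    # record -> patient's PHR container
    pip.assign("alice-phr", "phr")             # patient's PHR contained in all PHRs
    pip.associate("alice-self", {"read", "write"}, "alice-phr")
    pip.associate("providers", {"read"}, "phr")
    log = AuditLog()
    rap = ResourceAccessPoint({"alice-record": "bp 120/80"})   # constructed sample record
    return PolicyEnforcementPoint(PolicyDecisionPoint(pip), rap, log), log


if __name__ == "__main__":
    pep, log = build_demo()
    for req in [("alice", "read", "alice-record"), ("bob", "read", "alice-record"),
                ("bob", "write", "alice-record"), ("eve", "read", "alice-record")]:
        print(req, "->", pep.request(*req))
    print("audit chain intact:", log.verify())
```

Bob's read succeeds because `bob` is contained in `providers` through `cardiology` and `alice-record` is contained in `phr` through `alice-phr`; his write is denied because no association grants `write` to any of his containers, and an unknown user reaches no container at all. In BeNGAC the `PolicyInformationPoint` contents would live in the off-chain policy database behind BePAP and the audit entries on the HF ledger; the hash chain here only mimics the tamper evidence that the ledger provides.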
