A Blockchain-Based Protocol For Tracking User Access To Shared Medical Imaging

This document summarizes a research paper that proposes a blockchain-based protocol for tracking user access to shared medical imaging data and controlling access by multiple stakeholders. The protocol implements a token mechanism stored in DICOM files and managed by a Hyperledger Fabric blockchain. Evaluations found a low probability of hash collisions, demonstrating the protocol's ability to track access and meet privacy regulations while sharing medical imaging data on blockchain networks.

Uploaded by

Giovana Saraiva

Future Generation Computer Systems 134 (2022) 348–360

A blockchain-based protocol for tracking user access to shared medical imaging

Erikson J. de Aguiar a,∗, Alyson J. dos Santos a,c, Rodolfo I. Meneguette a, Robson E. De Grande b, Jó Ueyama a

a Institute of Mathematical and Computer Science (ICMC) - University of São Paulo (USP), Brazil
b Department of Computer Science - Brock University, Canada
c Instituto Federal de Ciencia e Tecnologia do Amazonas (IFAM), Brazil

Article info

Article history: Received 15 November 2021; Received in revised form 22 March 2022; Accepted 16 April 2022; Available online 21 April 2022

Keywords: Blockchain; Privacy; Medical imaging; Data access

Abstract

Modern healthcare systems are complex and regularly share sensitive data among multiple stakeholders, such as doctors, patients, and pharmacists. Patients' data has increased and requires safe methods for its management. Research works related to blockchain, such as MIT MedRec, have strived to draft trustworthy and immutable systems to share data. However, blockchain may be challenging in healthcare scenarios due to issues about privacy and control of data sharing destinations. This paper presents a protocol for tracking shared medical data, which includes images, and controlling the medical data access by multiple conflicting stakeholders. Several efforts rely on blockchain for healthcare, but just a few are concerned about malicious data leakage in blockchain-based healthcare systems. We implement a token mechanism stored in DICOM files and managed by Hyperledger Fabric Blockchain. Our findings and evaluations revealed low chances of a hash collision, such as employing a fitting-resistance birthday attack. Although our solution was devised for healthcare, it can inspire and be easily ported to other blockchain-based application scenarios, such as Ethereum or Hyperledger Besu for business networks.

© 2022 Elsevier B.V. All rights reserved.

1. Introduction

Data protection in healthcare systems has become a critical issue due to the increased confidential and sensitive data leakage. While the amount of data in healthcare systems is at the hype, we argue that data breaches are also growing. Data leakages took place from 2014 to 2019, including the one at Brazilian UNIMED healthcare private corporate [1]. In recent years, data breaches in healthcare providers have resulted from a loss of around $15 million [1]. The healthcare sector reported an increase of 19.5% of the number of breaches when compared with the ones from sectors [1]. Researchers have been striving to provide a higher degree of protection of personal data through laws to guarantee privacy, such as the General Data Protection Regulation (GDPR) [2].

Computational tools improve medical decision-making by making easy access to data, automating tasks, and suggesting decision-based algorithms. It is also essential to emphasize that hospitals and research centers have been exchanging information among various collaborators, duly authorized, to assist in diagnosing diseases as part of the research effort [3]. Healthcare systems implement Electronic Health Records (EHR) to register patient reports, exams, diagnoses, and other data types to benefit doctors' management and analysis [4]. A hospital mainly uses medical imaging for reporting exams among the data exchanges, such as head, lung, or shoulder radiography. Medical imaging often relies on a standard format in the medical field, so-called Digital Imaging and Communications in Medicine (DICOM). Such a structure is beneficial as they require common attributes required by the medical systems [5,6].

The healthcare industry is the one most affected by privacy loss. Shi et al. (2019) [7] present a report in 2016 that describes 116 data leaks in healthcare systems. Also, Ismail, Materwala, and Zeadally (2019) [8] state that blockchain technology might reduce risk in sharing health data. Blockchain is a technology that can protect the medical systems and share data, such as patient reports and medical imaging. This technology might preserve security features, ensure immutable logs, provide a trustworthy network tamper-proof-free and auditable [8]. We also argue that blockchain relies on a platform that does not require a trusty third party to manage messages in a decentralized and reliable way through immutable medical records [9].

∗ Corresponding author.
E-mail addresses: [email protected] (E.J. de Aguiar), [email protected] (A.J. dos Santos), [email protected] (R.I. Meneguette), [email protected] (R.E. De Grande), [email protected] (J. Ueyama).

https://doi.org/10.1016/j.future.2022.04.017
0167-739X/© 2022 Elsevier B.V. All rights reserved.
E.J. de Aguiar, A.J. dos Santos, R.I. Meneguette et al. Future Generation Computer Systems 134 (2022) 348–360

Jin et al. (2019) [10] discuss privacy concerns in healthcare and methods to mitigate privacy issues by combining blockchain with other techniques. According to Jin et al. (2019) [10], the cryptographic and anonymization methods have increased the ability of blockchain-based healthcare systems to protect patients' privacy. For instance, to encrypt information, they might use Attribute-Based Encryption and Homomorphic Encryption. Jin et al. (2019) [10] address K-anonymity, L-diversity, and Differential Privacy as anonymization methods. However, this approach views accountability as a technique to follow GDPR rules and guarantee patients' privacy. Our proposal manages shared tokens and audits immutable logs to make the system accountable and tamper-proof-free.

Medical data-sharing solutions fail to address data-leakage auditing by default. A few works exploit auditing approaches for discovering leakages while sharing data, including medical imaging. Patel (2018) [11] proposes a framework that shares medical imaging through a blockchain-based architecture that is free from a trusty third party. However, we argue that this proposed framework is over-simplistic to (i) tracking medical shared images and (ii) auditing data leaks. The approach still misses following privacy requirements to ensure data leakage accountability. Besides, in conventional systems, the audit log files can maliciously become corrupted as they are mutable.

Medical images accumulate into a high amount of information stored in healthcare systems, and they enable powerful features to be used by machine learning models to extract knowledge [12]. McBee et al. (2018) [6] surveyed the blockchain applications for medical imaging, and they pointed out challenging open issues to be explored by researchers. They claim issues related to privacy, scalability, sharing, and tracking. Consequently, such claims motivated us to focus our efforts on mitigating issues related to medical imaging privacy, tracking, and sharing.

This work sets out a protocol for sharing medical data, including images, based on a blockchain architecture. Our protocol allows for access tracking and a sharing of the medical imaging needed by researchers and practitioners. Unlike other previous research endeavours in this field, our work establishes a protocol for sharing and tracking images reliably while complying with privacy policies and is thus able to hold organizations accountable for leaks coming from ineffective data handling. The benefits of our system are tracking and auditability based on blockchain because if we use a log register and token, they are not immutable. When logs are not immutable, malicious nodes are able to tamper with them.

Unlike previous works, in this study the notion of a unique token is embedded into the DICOM files. By means of auditing, the network administrator can promptly spot the leakages through the logs and unique tokens through this token. In our approach, a token is a hash value embedded in the image metadata and acts as a key to audit leaked images with the support of blockchain. In order to achieve the goals of this work, we have defined the following hypothesis:

"A blockchain-based protocol can ensure accountability and auditability for healthcare record leakages using immutable logs and a unique token inserted in the metadata of DICOM file images".

In summary, the main contributions and benefits of this research work are the following:

• A novel protocol that provides traceability and auditability for shared medical imaging;
• A blockchain-based system that ensures that multiple stakeholders with conflicting interests are able to share medical imaging;
• A method of transferring responsibility to those who access images, thus providing data accountability;
• An enhancement of privacy in blockchain-based healthcare systems through robust verifiable data sharing, thus enabling our system to comply with new privacy laws, such as the General Data Protection Regulation (GDPR) [13].

In evaluating our prototype, our results show that the cost for applying blockchain in healthcare system networks is suitable for building in a Cloud environment. We evaluated security analysis, including the tracking token, which proved that the generated hash is hard to collide with using the cryptography birthday attack¹ or by brute force. The theoretical analysis revealed a low probability of tampering with the token by a similar one. Hence, we demonstrated that the blockchain cost of healthcare systems with the tracking token is well suited to meet the new privacy laws, including the GDPR.² Lastly, as proof of concept, we made evaluations with our protocol using radiology DICOM images in the dataset available at The Cancer Imaging Archive (TCIA) from the National Cancer Institute's Clinical Proteomic Tumor Analysis Consortium.³

¹ https://www.sciencedirect.com/topics/computer-science/birthday-attack.
² Also, in Brazil, we have the General Personal Data Protection Act (LGPD).
³ Cancer Imaging Archive - Link.

The remainder of this paper is organized as follows. Section 2 contextualizes the problem that is tackled in this work. Section 3 describes the recent, relevant works in the field. Section 4 introduces the protocol and describes the methods employed to design it. Section 5 reports the experimental analyses and results related to two aspects, namely network performance and security. Section 6 discusses the results and the key contributions of this research. Finally, Section 7 concludes by providing a summary of the work, briefing its contributions, and suggesting future work directions.

2. Problem statement

Across the great diversity of current intelligent and data-oriented systems, especially smart health systems, we could observe there is an urgent need to track time-lined access to patient data. Patient data, such as home phone numbers, are read from digital medical records. Such record accesses are common in Brazil, where some are part of scams; they are then used to make calls asking for cash deposits. Usually, scammers state that they are calling on behalf of the hospital, purposely and wrongly informing that cash is needed for the surgery costs of a family member. Hence, there is an urgent need to track access to patients' data and involved parts, enabling to detect and limiting improper uses.

A distributed privacy-enforcing approach avoids untrusted centralized control, which might represent a single point of failure in the whole healthcare system. The tracking is needed as centralized control cannot be fully trusted. A hospital acts as a centralized organization whose staff members might have inappropriate intentions while accessing data.

Governments and institutions are adapting to new standards to enforce privacy more strictly through privacy laws and regulations. The General Law for Data Protection (GDPR) has been introduced to guarantee citizens' rights about their data [2,13]. Likewise, healthcare providers have concerns about sharing medical imaging because it contains sensitive information. For instance, DICOM imaging related to X-rays contains metadata that can re-identify patients associated with the exam. Medical images can show parts of one's body before and after the surgery, such as the face and head. Those digital images should not be leaked, even

accidentally; thus, we argue that mechanisms that help audit should be devised.

Therefore, the sharing of sensitive data, medical records, must completely support privacy in a decentralized manner where accesses are tracked and verified. The sharing of data can only be consistently implemented through a protocol that enables auditing of accesses to private data, including images. Constraints to accessing and a trace mechanism can hinder data access for malicious purposes while sharing the database among several stakeholders.

3. Background and related works

This section provides an overview of blockchain applied to healthcare systems and research related to blockchain-based systems to track shared assets in healthcare.

3.1. Medical imaging

Electronic healthcare systems use several data types, such as register records, images, and video, to represent patient information. Images are essential since they assist diagnosis and contribute to physicians' decision-making [14]. In information transfer, healthcare providers use a scheme called Digital images and Communications in Medicine (DICOM) for storing, transmitting, retrieving, processing, and displaying medical imaging information. DICOM protocol can communicate with other physicians or researchers following similar attributes and pixels features [4]. DICOM images have attributes, such as patient identifier, machine model, matrix of slices in grayscale, and others [4].

Research on the healthcare system has investigated medical imaging to study and extract useful information to support the decision-making of the physician [4]. Security concerns in medical imaging need to improve, and approaches are proposed, such as watermarking embedded in images [15]. Watermarking is a technique to improve security to sharing medical images through tamper detection and became image unique [16]. Qasim et al. (2019) [15] ensured both integrity and authenticity of medical imaging through watermarking. The approach inserts a watermark in a smoother Region of Interest (ROI) towards authentication based on image content. It also allows integrity verification of the shared image and protection against image-tampering [15].

Motta et al. (2020) [17] examined a decentralized and distributed information infrastructure following the standard Picture Archive and Communication Systems (PCAS) for sharing medical imaging among healthcare providers in DICOM format. They propose a method called DICOMFlow that draws on infrastructure for secure sharing of medical images and improves the system's security. DICOMFlow shares radiological exams through an Internet email structure and defines a global workflow for safe access to images. Different from other approaches, they propose an adaptive infrastructure to manage DICOM images shared using a PCAS system in diverse contexts.

Works in the literature have adopted approaches to improve the security of the images, such as Liao et al. (2020a) [18], Liao et al. (2020b) [19], and Liao et al. (2020c) [20]. Liao et al. (2020a) [18] established a framework for a forensics analysis of the handling of images using a convolutional neural network (CNN). The CNN extracted features that could detect the handling of images and achieved an average rate of accuracy of between 85.96% and 86.12%. Although the CNN achieved a good rate of accuracy, the network has to be trained to obtain features and detect manipulations. Liao et al. (2020b) [19] proposed a steganography strategy based on image texture to determine two payload distributions with the aim of improving security. The framework uses multiple images on the cloud. The steganography image can have adaptive features depending on the texture of each image. Liao et al. (2020c) [20] employed a steganography method based on color channels to create a new color by including a channel-dependent payload partition strategy to amplify the channel. The aim of this method is to reduce the likelihood of finding embedded content in RGB (Red, Green, and Blue) channels, and it could lead to distortions in textural regions to improve security. Our system focuses on medical imaging and addresses issues related to traceability and privacy in the blockchain network to improve security, performance and the ability to trace shared images.

This work focuses on medical imaging because of its critical importance in medical diagnosis as a type of media; however, our new approach is designed to adapt to other types of files, such as electronic health records. Medical imaging incorporates valuable features from which knowledge can be obtained through an analysis. Although medical imaging increases the overhead of network resources, this type of media is rich and complex – a DICOM file consists of multiple images as layers. Hence, DICOM databases quickly reach 100 GB storage; when joined to a blockchain network, they have significant overhead that delays the processing of requests. In this paper, a number of issues related to security in medical imaging were investigated and shared for research and advanced science.

3.2. Blockchain in healthcare systems

Blockchain and cryptocurrencies have been used for different applications in the healthcare field since they enable a system to be decentralized, distributed, immutable, free tamper-proof, and smart contracts-oriented (blockchain 3.0) [9]. Blockchain contributes to storing data in a secure shared-ledger, replicated between nodes by a Peer-to-Peer (P2P) network [21], and has led to more reliable systems for data handling. According to Chukwu and Garg (2020) [21] the most used application is the management of electronic health records (EHR), which involves blockchain for healthcare. The authors used a framework, such as Hyperledger Fabric or Ethereum, to build a network — the former is an alternative for constructing a private blockchain network customized and smart contracts-oriented in Golang, JavaScript, or Java. In contrast, Ethereum enables the building of smart contracts based on Ether network [8].

The Hyperledger Fabric architecture, which follows the main components, such as Ordering Service Nodes (OSN), Certificate Authority (CA), world state database, and peers, applies an allowed blockchain. The network's administrator defines limited access for users. OSN is a service that obtains sorted messages and delivers them to nodes. CA authenticates nodes of a network and generates private and public keys. World state database uses Apache CouchDB⁴ for storing records from assets exchanged among nodes. Finally, peers execute and validate transactions associated with the replicated ledger. The architecture also develops smart contracts in different programming languages and customizes assets structures. Among the applications that employ Hyperledger Fabric is our proposal, which sets tools to build a network and smart contracts quickly [22].

⁴ https://couchdb.apache.org/.

Liu et al. (2018) [23] proposed a blockchain network for the sharing of EHRs among healthcare providers using Delegated Proof-of-stake (DPoS) to ensure patient's privacy. The network uses the Proof-of-stake protocol and scheme base-layers, consisted of Data Acquirement, Data Storage, and Data sharing. The authors enhanced privacy through a mechanism called attributed-based encryption for establishing multi-level access. Each attribute applies a different access level.

Shahnaz, Qamar, and Khalid (2019) [5] described a framework composed of three layers,


namely system implementation (smart contracts), blockchain, and user. Off-chain with Interplanetary File Systems (IPFS) ensure secure storage, and a user interface interacts with stakeholders [5].

Although Xuan et al. (2020) [24] did not address healthcare applications, they covered blockchain-based systems for sharing assets. Their work outlined a blockchain model adopting incentives through an evolutionary game theory technique applied to smart contracts. The authors modeled a scheme to describe user participation and find the best way to share data. The strategy increases the amount of shared data for big data applications since it rewards users in the network [24].

Al-Omar et al. (2019) [25] built a blockchain network on Ethereum to control access to electronic health records. Their proposal applies a permissionless protocol by default, called Proof-of-work (PoW), and they add features to protect health data. The primary strategy of this work is to transfer data reliably by using Elliptic Curve Cryptography. Even though they handle cryptographer data, it presents security and privacy issues such as PoW protocol can provide public information that violates privacy rights. Regarding privacy, they address pseudo-anonymization; however, they may suffer linkage attacks and re-identification of patient identity. Besides, they are not focusing on provenance and tracking shared data.

Shen, Guo, and Yang (2019) [26] built a network without using a well-known blockchain platform. They implemented a permissioned protocol based on the Byzantine Fault Tolerance (BFT) strategy. The network is private, where users have defined roles to enter and access data. The handled data are electronic health records containing sensitive patient information, where we needed careful management. The main target of their work is to store health data in the blockchain to control and audit the access. Furthermore, related works do not consider issues about tracking data sharing and privacy. Previous works do not guarantee tracking and patient data leakage accountability; thus, this lack motivates this work to investigate them.

3.3. Blockchain for medical imaging sharing

Section 3.1 describes the way medical imaging in DICOM format can be shared among hospitals, doctors, and research groups for their secure access to data of patients. Blockchain technology enhances the security of healthcare data handling [6]; therefore, applications that use it gain advantages related to confidentiality for the sharing and tracking of medical imaging. In this work, we focused on sharing medical imaging due to powerful features to support decision-making and diagnosis by physicians.

Patel (2018) [11] developed an architecture for medical imaging sharing called images Share Network (ISN), which is based on the network of the Radiological Society of North America (RSNA) for transferring radiological images. ISN aims to design a network with no trust third party, such as a hospital, where the holder of data transfers them directly to the user that requests them. The authors employed a permissionless blockchain through the Proof-of-Stake consensus protocol and improved security using a public and private key scheme to access the images [6,11].

This work addresses issues on sharing medical imaging due to powerful features of images to support decision-making and diagnosis by physicians [12]. Artificial intelligence leads to high success in solving images issues. Medical imaging can utilize tools to improve diagnosis. However, artificial intelligence lacks access to data for healthcare research [27]. Our solution aims to share medical imaging based on blockchain to provide safe and reliable data holders, thus sharing more data.

3.4. Remarks

Table 1 shows studies related to blockchain in healthcare, and most of them apply a proof-of-concept on EHR and build a customized blockchain architecture to solve a specific issue. They also employ a consensus protocol based on PoS since they are lighter than PoW, speed the validation process, and use a public blockchain network. Nevertheless, the construction of prototypes based on public networks is not the best strategy since anyone can access the application, which is against security requirements of healthcare systems [9]. In similar studies, privacy requirements address only a crypto method for hiding messages; no accountability method is applied, and no privacy regulation is followed.

In contrast, our research approaches DICOM image sharing, as in [11] but adding provenance, accountability, tracking, and policy privacy. Our protocol's main features are associated with tracking, provenance, and accountability, thus meeting the requirements of LGPD privacy policies. The chief ones to be covered are lawfulness and transparency so that the owner is provided with the way data are handled [28]. The protocol based on a proof of concept system also enables analyses of the provenance of leaked data through the reference token stored in the blockchain.

This work also describes a method that uses a token scheme for tracking DICOM images shared among researchers, who can analyze the provenance of data for detecting the organization responsible for poorly handled data. Our protocol enables holders to share data so that they can collaborate with other researchers securely. In other words, it ensures tracking and provenance in linked data so that network administrators can adapt their systems to privacy regulations.

4. Blockchain system and protocol to trace medical images shared

This section describes the components of our solution, such as blockchain network, protocol design, protocol flow, and the method for the token generation. Fig. 1 displays an overview of the proof-of-concept (POC) system that our protocol applied. The roles in the figure display researchers and doctors as requesters and hospitals as providers, in which the patient is the data holder, interacting with the hospital to make exams.

4.1. Role players and system protocol

The system design depicted in Fig. 1 provides a big picture of role players in tracking and auditing the sharing of sensitive medical data. The Proof-of-Concept (PoC) comprises a blockchain network, a healthcare provider, a tracking token mechanism, a query application interface (API), and an arbitrary application towards ensuring security. Besides, the protocol covers main algorithms for sharing medical imaging studies, requests of the studies, and audit logs.

Researchers, doctors, and healthcare providers perform critical roles in the envisioned data sharing in the proposed design since they may potentially generate data leakages. In short, the devised tracking and auditing system contemplates the following roles:

• Holders. They are data owners, such as the patient who provides images for study.
• Provider. It is a healthcare organization that handles patients' data, such as hospitals or research centers.
• Requesters. They are people or organizations that need data for studies. They request data access to a provider that forwards the request to the holder.

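Table 1. Summary of related works.

| Work | Asset | Off-chain | Blockchain platform | Consensus algorithm | Network type | Provenance | Tracking | Privacy policy |
|------|-------|-----------|---------------------|---------------------|--------------|------------|----------|----------------|
| [23] | EHR | No | Unknown | DPoS | Unknown | No | No | Yes |
| [5] | EHR | IPFS | Ethereum | PoW | Permissionless | No | No | No |
| [24] | Anyone | No | Unknown | Own | Own | No | No | No |
| [25] | EHR | No | Ethereum | PoW | Permissionless | No | No | No |
| [26] | EHR | No | Unknown | BFT | Permissioned | No | No | No |
| [11] | DICOM | No | Unknown | PoS | Own | No | No | Yes |
| This | DICOM | No | Hyperledger fabric | PBFT | Permissioned | Yes | Yes | Yes |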

Fig. 1. Proof of concept of the system designed for the tracking and auditing of shared DICOM images from a unique token.

• Researchers. They request data from providers and holders to conduct research work and studies. They collect findings to advance science and a research field. Besides, they generally are joined to universities or institutes, and they can be doctors.

The main component of our proposal comprehends a protocol for sharing medical imaging through a blockchain structure to store the images files, references, and audit logs. The DICOM files are stored in a server using the SSH File Transfer Protocol (SFTP)⁵ to access and recover files. The protocol is composed of the following algorithms. (i) Algorithm 1 comprises the functionalities that allow researchers and practitioners to request data for studies. (ii) Algorithm 2 enables the data holder tasks to check and accept a request to access its images stored on the provider. (iii) Algorithm 3 introduces and manages audit logs through hash tokens stored into medical imaging; it also assists the network admin to identify data requesters.

In Algorithm 1, researchers or doctors send requests to the healthcare provider that forwards to the data holder to accept or decline to share its medical imaging. Each requester Si can request several images of Im that they can use in research (line 2). Before proceeding with a request, the blockchain network verifies whether the requester is valid, and thus it is enabled to make a call to the system (lines 3–4). We assume that the Hyperledger Fabric framework allows organizations to ingress the network through its authentication method by Cryptography of Elliptic Curves. The requester sends a message to healthcare providers, and waits for a positive or negative response (lines 6–9). If the data holder accepts the request, the stakeholder can access and query their medical imaging (lines 8–9). The following algorithms complement the protocol design, and the algorithm comprehends the whole protocol for sharing medical imaging.

Algorithm 2 aims to share images data from holder to researcher or doctor, so patients wait for requests. When it receives a request rc ∈ RC, the system extracts the message header and obtains the image identifier (lines 2–3). Then, the system collects the image id from request aim to get images from the Healthcare provider repository (line 4). The system verifies if the search returned valid images (lines 5–6), and it inserts a different hash token into each medical images' metadata from the search results (line 8). The system creates the token based on a 256-bit hash value that is obtained from joining the respective patient identifier and access timestamps (line 7). The timestamps follow RFC3339,⁶ which considers the system's local time to generate a large number. Finally, the system generates access logs to identify requesters (line 9). These logs are stored in the blockchain ledger because they are immutable, accessible, and free of tampering (line 10). Previous works have employed different methods to prevent tampering with sensitive data. Qasim et al. (2019) [15] presented a method to protect images by watermarking through

⁵ https://datatracker.ietf.org/doc/html/rfc913.
⁶ https://datatracker.ietf.org/doc/html/rfc3339.

352
E.J. de Aguiar, A.J. dos Santos, R.I. Meneguette et al. Future Generation Computer Systems 134 (2022) 348–360

Algorithm 1: Image Request Algorithm 3: Leaked Image Auditing


Data: R: requester set; Data: UL: upload leaked images set;
BC : blockchain; BC : blockchain;
SH: stackeholder set SH: stakeholder
Result: RL: request list Result: L: logs list
1 RL ← ∅; 1 if SH ∋ BC and role(SH)! = ‘‘admin′′ then
2 foreach r ∈ R do 2 Return Error ; // SH invalid
3 if r ∋ BC then 3 L ← ∅;
4 return RL ; // r invalid 4 foreach ul ∈ UL do
5 foreach im ∈ IM and im ∈ sIM do 5 IM ← ul;
6 S ← request(im, SH); 6 foreach im ∈ IM do
7 foreach s ∈ S do 7 token ← extractHashToken(im);
8 if s == accept then 8 log ← seachLogByTokenId(token);
9 RL ∪ im; 9 if log == ∅ then
10 break; 10 continue Error ; // log is empty
11 L ∪ log
11 return RL;
12 return L;

Algorithm 2: Image Share


Data: RC : receive images set; the blockchain has requester ID; (iii) the user’s identity to check
BC : blockchain; who request images; and (iv) reference token about the request.
HP: healthcare provider
P: patient 4.2. System design
Result: IML: image request list
1 IML ← ∅; This subsection describes the abstraction of the system pro-
2 foreach rc ∈ RC do posed and how it was designed. We present all modules de-
3 imid ← rc .image.id;
veloped, such as protocol to enhance security, the blockchain
4 im ← search(imid , HP);
network, and trace mechanism.
5 if im ∋ HP then
The proposed protocols enable to enhance security and pri-
6 continue ; // no im vacy in healthcare environments, and their functionalities are
7 token ← sha256(P .id + Timestampaccess ); characterized through a bottom-up design within an electronic
8 im.metadata ← w rite(token); health information exchange system. This system demonstrates
9 log ← generate(time, P .id, im.id, token); the efficacy of enforcing data sharing through methods and mod-
10 BC ← createLog(log); els based on blockchain (see Fig. 1). Our PoC and protocol were
11 IML ∪ im; designed to address privacy concerns on the basis of access to
12 return IML; auditable and provenance features. There are papers in the liter-
ature such as Maesa, Mori, and Ricci (2019) [30], Marbouh et al.
(2020) [31] that describe provenance, tracking, and auditability
as benefits for blockchain-based systems. In healthcare settings,
Message Digest 5 (MD5) algorithm. MD5 is faster than SHA- privacy (followed by auditability) can be an essential feature, and
256 to generate a watermarking because it makes use of 128 our system seeks to address this . Finally, according to Marbouh
bits [29]. However, MD5 has several known vulnerabilities, such et al. (2020) [31] privacy in blockchain represents a system where
as no collision resistance (#CVE-2004-2761)7 ; thus, our method selective information is shared; thus, our system shares medical
presents collision resistance and more effectively enforces more imaging by granting access to selected users and tracking assets
security for patient’s images. shared by the unique token.
Algorithm 3 performs the auditing of logs by the auditing en- The first module (Module 1 requester, gray): this has an inter-
tity SH using the token as the primary key to recovering accesses face for communication among its entities (entities are roles such
over the images, including leak images. First, the log-auditing as a healthcare provider, requester, or administrator), blockchain
algorithm verifies if the current entity’s role, the role of the network, and healthcare provider (Module 2, light pink). The
stakeholder, on the blockchain is as admin (line 1–2). Then, stake- entity requests images from the API query (Module 3, green)
holder SH uploads the UL that corresponds to leaked imaging that have to be sent to the healthcare provider, and the system
(line 5), and the system collects the access token from the image registers the requester access as a log in the blockchain. When
(line 7) to identify which requester accessed the image using the the data holder decides to make an image available, the access
blockchain logs. The hash tokens in a token list are the key to log is stored, and the image is sent through the token generator
search logs that match them (line 8). At last, if the search iden- procedure. The asset remains available on the API query interface
tifies existing matching logs (line 9–10), the algorithm returns so that it can be accessed by the application stakeholders, such
a list with found attributed-value JSON log values (line 11–12). as doctors, patients, and researchers.
These values can attest the requesters who leaked the medical The blockchain-based network (Module 4 in blue color) stores
imaging. The auditing entity A then knows about the token to data towards a reliable and immutable system. The immutability
query data on blockchain about the following pieces of data: (i) of blockchain allows that data stored is not being removed; if the
where is the token related to requester; (ii) one database row on system writes data in the ledger, they are hard to erase, and it
helps to improve accountability of the system. Access logs and
7 https://nvd.nist.gov/vuln/detail/CVE-2004-2761. images’ metadata guarantee security to the system to control
353
E.J. de Aguiar, A.J. dos Santos, R.I. Meneguette et al. Future Generation Computer Systems 134 (2022) 348–360

tamper-proof and audit logs [32]. A smart contract implementa- logic apps, logs, distributed ledger technology, and cryptography
tion was defined for auditing the logs stored in the blockchain and hash. The POC implementation of our system design comprises a
comprises the following attributes: token identification, times- Python8 interface for clients to communicate with the blockchain
tamp access, and access level. It also includes the stakeholders network and connect to a query API in Nodejs.9
and organization that sent images and the stakeholders and or- Fig. 2 shows the process before a request is sent to obtain
ganization that requested them. The attributes defined in smart DICOM images. The Certificate Authority of blockchain checks
contracts are stored in the blockchain towards helping the admin whether the stakeholder (any role of network) is valid, and
network identify leakage. The smart contract establishes rules they can join the blockchain. After validating the stakeholder,
for transactions and receives assets, such as DICOM images [33]. the system can determine their identification and control their
The network was built in a Hyperledger Fabric structure with 10 access level to the assets. Query API requests image data from
Dockers peers, two organizations, two certificate authorities(CA)
the Blockchain, which also obtains them, but from a health-
for each organization, and one orderer.
care provider. In our POC implementation, we select DICOM
The module (Module 5, yellow) healthcare provider is an im-
images from a public dataset.10 The requester (doctor or re-
age repository from healthcare organizations. It comprises hos-
pital systems of image databases, which register file references searcher) that interacts with the system can demand images
in a blockchain network so that they can be shared with other DICOM, which were previously downloaded and stored in the
entities within a healthcare research network. The hospital uses healthcare provider of our POC system. A token is then inserted
a connector to register images in the blockchain to make them in each DICOM file when a requester demand an image and
available for researchers and doctors. the request is allowed. Next, the system sends images to the
The tracking token mechanism is the system’s main feature. healthcare provider (where images are in its database), which
It creates a hash value that, together with metadata, is inserted uses a service based on the SFTP to send the images to the query
in DICOM. This value, called ‘‘token’’, is associated with the API and make them available in the interface application.
log structure, such as the stakeholder’s identifier, and stored in The workflow implemented adopts a smart contract in
the immutable ledger in the blockchain. The following format Golang,11 the blockchain network configured with Hyperledger
was defined from algorithm SHA-256 with 256-bit message size Fabric12 in the Docker containers. In the setup of the Fabric
digest and 32-bit word [29]: token = sha256(‘‘PATIENTID ’’ + network, a bash script serves as the interface for customized
‘‘TIMESTAMPACCESS ’’). The token design is a hash value with a access to peers, channels, organizations, and orderers. Ordering
unique property that can produce traceable images in case of nodes are responsible for managing and ordering transactions
leakage or improper management. After the token generation and of organizations that can be part of the blockchain. Our POC
storage in the blockchain, the images are sent to the API interface implementation comprises a stakeholder interface and a module
to query results. healthcare provider service, which sends files and connects to
The blockchain network aims to store immutable logs and
logs stored in the Blockchain. The logs are sent as a JSON file
check image leakage, which can be audited by the token in-
and help audit images leakage using the token that links to a
serted in DICOM and metadata. Only a single stakeholder can
blockchain stakeholder.
access the image. Therefore, organizations can detect the entity
The source code of our POC implementation is available at
or stakeholder who has made the image available, analyze the
open repository blockchain token Dicom.13 This code enables
data provenance, and, by following privacy regulations, decide on
actions to be taken. researchers to replicate experiments and extend the system and
The last module incorporates the application and stakeholders protocol. It splits as a Hyperledger network representing the
(doctors, researchers, and healthcare providers). The module is blockchain configuration with docker files, certificates, and bash
designed to enable the developer to create an adaptive system scripts. Besides other folders, such as an API for direct com-
for healthcare image sharing as a friendly interface (Module 6, munication with blockchain, the shared Dicom folder contains
purple). the python scripts Server and Client to exchange files between
Ideally, any other developer using the proposed system can stakeholders and blockchain.
integrate its application seamlessly. Stakeholders use the appli- Finally, Hyperledger Fabric architecture manage keys, storing,
cation to obtain assets. At this point, the access level is defined sharing, and checking stakeholders’ credentials to access medical
with researchers and doctors through the reading of permis- imaging. According to Fabric’s documentations,14 elliptic curves
sions, where healthcare providers read and write the permission cryptography, based on algorithms of curve prime256v115 and
document. On the other hand, the healthcare provider can be a SHA256, are employed to generate public and private keys aimed
hospital that owns the data. The researcher is an individual or an at stakeholder joining the network. Each stakeholder on the net-
organization dedicated to the extraction of knowledge on health work has a role, and they can be providers, requesters, or data
data. holders. Thus, the blockchain creates digital certificates for user
login to a hospital or its wallet. All credentials are management
4.3. Protocol in the proposed system to a blockchain Certificate Authority (CA). Thus, the peer CA
manages credentials and stores on blockchain if entries are valid.
Fig. 2 shows the flow of the protocol together to algorithms
for requesting images, sharing images, and auditing logs through
the blockchain structure, as well as healthcare provider medical 8 https://www.python.org/.
imaging repository. 9 https://nodejs.org/en/.
In the sequence diagram built based on Unified Modeling Lan- 10 Cancer Imaging Archive - Link.
guage (UML), the doctors, researchers, and healthcare providers 11 https://golang.org/.
also are called stakeholders. Stakeholders query data from an 12 https://github.com/hyperledger/fabric.
interface that connects to the control line query API for request- 13 Github - https://github.com/eriksonJAguiar/Blockchain-Token-DICOM.
ing images. Query API interprets events that occurred in object 14 https://hyperledger-fabric.readthedocs.io/en/release-2.2/identity/identity.
≪: interface ≫ and relays them to the Blockchain, responsible html.
for data management, storage, devices, message broker, flow, 15 https://datatracker.ietf.org/doc/html/rfc8422.
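The token and log steps of Algorithm 2 and the audit lookup of Algorithm 3, as an added Python sketch that is not the authors' PoC code. It assumes the DICOM metadata is a plain dict, an in-memory hash-chained list stands in for the Hyperledger Fabric ledger, timestamps have second resolution, and every identifier is a constructed sample value.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64


def rfc3339(ts: datetime) -> str:
    # Assumption: second resolution; the page only says timestamps follow RFC 3339.
    return ts.isoformat(timespec="seconds")


def make_token(patient_id: str, accessed_at: datetime) -> str:
    """token = sha256(PATIENTID + TIMESTAMPACCESS), as defined on the page."""
    return hashlib.sha256((patient_id + rfc3339(accessed_at)).encode()).hexdigest()


def _entry_hash(prev_hash: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class Ledger:
    """In-memory stand-in for the Fabric ledger: append-only and hash-chained."""

    def __init__(self):
        self.entries = []

    def create_log(self, record: dict) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "prev_hash": prev,
                             "entry_hash": _entry_hash(prev, record)})

    def search_by_token(self, token: str) -> list:
        return [e["record"] for e in self.entries if e["record"]["token"] == token]

    def verify_chain(self) -> bool:
        """Recompute every link; any edited record breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or e["entry_hash"] != _entry_hash(prev, e["record"]):
                return False
            prev = e["entry_hash"]
        return True


def share_image(image: dict, patient_id: str, requester_id: str,
                accessed_at: datetime, ledger: Ledger) -> dict:
    """Algorithm 2, lines 7-11: log the access and return a token-stamped copy."""
    token = make_token(patient_id, accessed_at)
    ledger.create_log({"time": rfc3339(accessed_at), "patient_id": patient_id,
                       "image_id": image["id"], "requester_id": requester_id,
                       "token": token})
    return {**image, "metadata": {**image["metadata"], "token": token}}


def audit_leak(leaked_images: list, role: str, ledger: Ledger) -> list:
    """Algorithm 3: admin-only search of the access logs by embedded token."""
    if role != "admin":
        raise PermissionError("auditing requires the admin role")
    logs = []
    for image in leaked_images:
        token = image.get("metadata", {}).get("token")
        if token is None:
            continue  # nothing to look up for this file
        logs.extend(ledger.search_by_token(token))
    return logs


def run_demo() -> dict:
    ledger = Ledger()
    image = {"id": "img-001", "metadata": {"Modality": "CT"}}  # constructed sample
    t0 = datetime(2022, 3, 1, 10, 15, 30, tzinfo=timezone.utc)

    copy_a = share_image(image, "patient-42", "dr-alice", t0, ledger)
    copy_b = share_image(image, "patient-42", "lab-bob", t0 + timedelta(seconds=1), ledger)
    # A second grant for the same patient inside the same timestamp tick gets the
    # same token, because the requester is not part of the hashed input.
    copy_c = share_image(image, "patient-42", "dr-carol", t0, ledger)

    return {
        "leak_a": audit_leak([copy_a], "admin", ledger),
        "leak_b": audit_leak([copy_b], "admin", ledger),
        "tokens": (copy_a["metadata"]["token"], copy_b["metadata"]["token"],
                   copy_c["metadata"]["token"]),
        "chain_ok": ledger.verify_chain(),
        "ledger": ledger,
    }


if __name__ == "__main__":
    result = run_demo()
    print("leak of copy_b ->", [log["requester_id"] for log in result["leak_b"]])
    print("leak of copy_a ->", [log["requester_id"] for log in result["leak_a"]])
```

Under the second-resolution assumption the audit for `copy_a` returns two log entries, so the auditor has to use the other logged attributes (time, image id, requester) to tell those accesses apart.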


Fig. 2. Sequence diagram describing the proposed protocol (Algorithms 1, 2, and 3): requesting, sharing, and auditing assets in the blockchain.
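Section 5.3 scores the tokens defined above with Shannon entropy (Eq. (1)), Levenshtein distance and the estimate of Eqs. (2)–(3). The following added example, which is not the authors' evaluation script, recomputes those quantities; the per-character reading of the entropy, the constructed patient ids and timestamps, and the birthday bound shown for comparison are assumptions of this sketch.

```python
import hashlib
import math
from collections import Counter
from datetime import datetime, timedelta, timezone
from fractions import Fraction


def make_token(patient_id: str, accessed_at: datetime) -> str:
    """token = sha256(PATIENTID + TIMESTAMPACCESS); second resolution assumed."""
    stamp = accessed_at.isoformat(timespec="seconds")
    return hashlib.sha256((patient_id + stamp).encode()).hexdigest()


def shannon_entropy(token: str) -> float:
    """Eq. (1) over the characters of one token, in bits per character.

    A hex digest has 16 symbols, so the result can never exceed log2(16) = 4.
    """
    n = len(token)
    return -sum((c / n) * math.log2(c / n) for c in Counter(token).values())


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit-cost insert, delete and substitute (two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]


def messages_sent(bw_bytes: float, msg_bytes: int, seconds: int) -> int:
    """Eq. (2): N_m = BW / MZ * T, truncated to whole messages."""
    return int(bw_bytes / msg_bytes * seconds)


def single_target_probability(n_messages: int, bits: int) -> Fraction:
    """Eq. (3): P = N_m / 2^n, the chance that N_m tries hit one fixed digest."""
    return Fraction(n_messages, 2 ** bits)


def birthday_bound(n_messages: int, bits: int) -> Fraction:
    """Union bound N(N-1) / 2^(n+1) on any two of N random digests colliding.

    Not on the page: added to compare with Eq. (3) for the same N_m.
    """
    return Fraction(n_messages * (n_messages - 1), 2 ** (bits + 1))


def sample_tokens(count: int) -> list:
    """Constructed sample: one token per distinct (patient, access time) pair."""
    start = datetime(2022, 3, 1, 8, 0, 0, tzinfo=timezone.utc)
    return [make_token(f"patient-{i % 25}", start + timedelta(seconds=37 * i))
            for i in range(count)]


def token_statistics(count: int = 200) -> dict:
    """Entropy per token and Levenshtein distance between consecutive tokens."""
    tokens = sample_tokens(count)
    entropies = [shannon_entropy(t) for t in tokens]
    distances = [levenshtein(a, b) for a, b in zip(tokens, tokens[1:])]
    return {
        "entropy_mean": sum(entropies) / len(entropies),
        "entropy_max": max(entropies),
        "distance_mean": sum(distances) / len(distances),
        "distance_max": max(distances),
    }


if __name__ == "__main__":
    n_m = messages_sent(9.2 * 2 ** 30, 671, 10)  # values quoted in Section 5.3
    print("N_m            :", n_m)
    print("N_m / 2^256    : %.3e" % float(single_target_probability(n_m, 256)))
    print("birthday bound : %.3e" % float(birthday_bound(n_m, 256)))
    print(token_statistics())
```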

5. Experiments and results We set up our experiments in a server Linux, where the
POC system process the transactions is separate in Docker’s con-
We have conducted experimental analyses to demonstrate tainers to simulate the valuable components. We use the TCIA
and validate our proposal using the Hyperleger Fabric platform. dataset accessed from the SSD of the local server to create an
The platform has been set up over a Python script regarding image repository. The image repository was configured as a con-
two aspects, namely blockchain network performance and secu- tainer simulated in a local server to communicate between other
containers such as Healthcare providers, Data holders, and Re-
rity requirements quality. The evaluated security requirements
quester. In simulations, we built ten nodes as dockers containers
followed the quality of a token-generating script based on Python.
to compose a blockchain network, and each stakeholder node
communicates with Certificate Authority, Database, Orderer, and
5.1. Experimental setup API to register transactions. We simulate all nodes in a decentral-
ized network, with nodes communicating without a third party to
The experimental platform consisted of the Blockchain frame- manage transactions and share images. Finally, our simulations
work Hyperledger Fabric running on 10 Docker containers, which have actors nodes, such as Requester, Healthcare Providers, and
represented the full nodes of the network for the performance Data holder. A Requester demands an image from a Health-
evaluation. The server’s hardware comprehends an AMD Ryzen care provider that stores images in a repository and the Data
7 CPU of 32 GB Ram and Solid-state drive (SSD) for high-speed holder that allows/declines access to its data. The healthcare
data persistence in the blockchain world state database. The provider is a container that communicates with the data holder,
database used in the experiments had around 7.5 GB of DICOM requests access to data, and forwards images to the Requester af-
ter the owner is allowed. In summary, we simulate the blockchain
files from the National Cancer Institute’s dataset [34,35]. We
network and collect metrics using the Hyperledger Caliper.
sent the images from the database emulated locally, resulting
The security features validate the hypothesis based on the
in low latency to query. However, when the dataset joins with
evaluation of hash security quality. The properties of the to-
blockchain, the latency grows. We ran experiments 30 times,
ken were evaluated by Levenstein’s similarity and Shannon en-
considering results with a 95% confidence interval. We conducted tropy [36]. Token properties are essential to validate that the hash
our experiments in a single machine by simulating a distributed is collision-resistant and can be a component to help the system
environment composed of peers, healthcare providers, patients, to be tamper-proof-free.
and requesters (doctors and researchers). Likewise, we employed
the Hyperledger Caliper to organize simulations and configure 5.2. Network performance analysis
nodes, distributed machines, on the network.
Furthermore, we configure a single machine with Hyperledger The analysis of the blockchain network’s performance aimed
fabric blockchain, our API, providers, and requesters to execute at ensuring a low cost of Hyperledger Fabric network for the ex-
these algorithms. Although we used a single machine, we built change of assets, differently from Bitcoin and Ethereum. Figs. 3(a)
a simulation environment for distributed systems from Hyper- and 3(b) show the growth in CPU and memory usage, respec-
ledger Caliper.16 The environment was composed of blockchain tively. Regarding the testing execution, a significant amount of
peers, healthcare providers that store images, and requesters who transactions were submitted to transfer images between network
want to get imaging to study. peers.
The network latency was checked, as displayed in Fig. 3(c),
towards faster and more suitable transactions for healthcare sys-
16 https://github.com/hyperledger/caliper. tems. The boxplot related to each network part illustrates (i)
355
E.J. de Aguiar, A.J. dos Santos, R.I. Meneguette et al. Future Generation Computer Systems 134 (2022) 348–360

Fig. 3. Performance analyses of the proposed proof of concept in terms of consumption of system resources.

Table 2
Performance analysis of components in the blockchain network.
Metric Mean Median Standard deviation Maximum Minimum
CPU % 7.33 7 2.94 20 1
Hardware usage
Memory (%) 4.43 5 0.96 7 1
Storage (s) 49.96 50.50 24.84 93 1
API BC (s) 37.34 38 21.72 74 1
Network latency Orderer (s) 36.77 36 21.55 74 1
Peers (s) 45.45 46 25.21 88 1
CouchDB (s) 20.22 18 13.52 55 1

latency in image files transferred from the healthcare provider to values, namely tokens. It trailed the birthday attack model to
the requester, (ii) latency in interaction with blockchain external check possible hash collisions from similarities in the hash found
user, (iii) latency of the orderer (orderer are nodes responsible for in DICOM files [37]. The birthday paradox enabled the proba-
managing and ordering transactions of organizations) that com- bility of users of the same birthday date being in the room.
municates with all peers, (iv) latency in peers interaction with the The method can also map the hash collisions probability using
smart contract installed, and (v) latency of CouchDB Hyperledger bit numbers, such as in SHA-256 algorithm, for the counting of
Fabric database. The blockchain performance evaluation repre- collision values [38].
sents the exchange of information in a healthcare scenario. For We quantify the similarity among generated tokens, aiming to
such a use case, the network shows increasing peaks of memory analyze their properties by calculating the Levenstein distance of
and CPU. Our hardware evaluations consisted of receive trans- each token. This process represents the probability of generation
actions in blockchain from requesters to healthcare providers. of a new hash token similar to the one contained in the DICOM
The communication interval outlined for a distinct part of the file [36]. The token describes a key for auditing stakeholder access
network identified the highest latency in connection with the to DICOM images. Levenstein distance defines closer to zero, more
image files stored and peers since storage has sizeable amounts similar two values are; therefore, a token is close to another
of DICOM files and peers interact directly with blockchain, thus new one in case of a small Levenstein distance. Malicious users
causing delays. might try to generate equal hash values for tampering access and
Regarding overhead from statistical metrics, we measured a performing image leakage. Shannon’s entropy, given by Eq. (1),
central position and dispersion of the values found. Table 2 lists where each value for x1 , x2 , . . . , xn ∈ a random variable X, com-
such metrics for a summary of samples, describing the character-
pares the randomness level of the token generated. Therefore,
istics of the variables. The hardware metrics display low machine
collision attacks by brute-forcing hash values are non-feasible to
resource usage, resulting in average values of 7% CPU usage and
tamper since the probability of an attacker inferring with the
5% memory usage. The hardware quantities analyzed revealed
actual hash from a distribution pattern is very low [39].
a low variance of CPU and memory. Therefore, their values are ∑
close to the expected one — the mean value. The results also Et (X ) = − p(x)log2 p(x). (1)
showed that the hardware is suitable for applications to medical x∈X
systems since it consumes limited resources of the machines, and
it is scalable for a large number of peers using the Hyperledger Our solution requirements were validated to combine
Fabric framework. [22]. The network evaluation considered the blockchain for auditing and token hash to create unique DICOM
latency values for each part of the network. Each part of the images. The validation step analyzed the probability of the sys-
network required a longer time, around 50.50seconds on average, tem resisting attacks for hash invalidation or collision through
for sending assets to storage in the blockchain due to the large experiments.
size of the DICOM files. The blockchain network also showed high The first set of analyses investigated entropy and similarity re-
latency due to consensus mechanisms and the necessity of node garding token quality, as summarized in Table 3. Such quantities
response for validating transactions. However, Hyperledger Fabric are essential for studies on typical and variable values, obtaining
blockchain is light for sharing medical imaging compared to other a string similar to one of the tokens was generated in previous
alternatives, such as Bitcoin and Ethereum [22]. iterations.
Table 3 shows the entropy and similarity values to describe the
5.3. Security performance analysis low probability of the malicious node getting a similar tracking
token, which aims to tamper with the network. Thus, a low
We checked the quality of our proposal’s security require- probability increases the complexity of finding a valid token for
ments from the similarity and entropy of the generated hash tampering. This difficulty in tampering allows for security and
356
E.J. de Aguiar, A.J. dos Santos, R.I. Meneguette et al. Future Generation Computer Systems 134 (2022) 348–360

Table 3 shows the entropy peaks of higher concentrations between 0.30


Statistical analysis of security aspects. and 0.35 and values spreading with small 0.25 concentrations.
Metrics Security values The distribution shows a low probability of a parameter estimator
Similarity Entropy obtaining a value from 0.20 to 0.25 for entropy; therefore, the
Mean 52.36 3.80 entropy behavior means the values have a higher probability of
Median 55 3.81 converging towards a 0.35 entropy quantity. On the other hand,
Standard deviation 12.17 0.04 it indicates that a malicious node has a low chance of learning
Maximum 60 3.88
a token pattern for attacking the system due to higher entropy
Minimum 50 3.70
values.
Cumulative Distribution Function (CDF), illustrated in Fig. 4(b),
completed the entropy quantity analysis. We ran for theoretical
privacy even if data leaks and a malicious node invalidates its curves in normal, Gamma, and chi-square distributions compared
accountability to leakage; the high computational efforts make to empirical CDF for a normalized interval of entropy values [0, 1].
tampering infeasible. Gamma is the farthest from entropy – red line, and chi-square and
The similarity outcome with 53.36 mean value showed a long normal distributions exhibited the most similar behavior among
distance between the hash tokens generated and a new random the distributions. Chi-square – green line – best fitted the actual
token. The characterization of tokens should express distinct pat- values, thus implying an asymmetric distribution. The random-
terns — the obtaining of identical values by a malicious node is ness value of the token hampered the obtaining of a similar token
challenging. Besides, the dispersion metric for similarity quantity value.
is high since its standard deviation is 12.17 and represents scat- The last examined component is the similarity normalized
tered values that prove the randomization of those generated and to [0, 1], representing Levenstein distance, which describes the
distributed in the sample space far from the mean. behavior distance between hash tokens. Most distances represent
Entropy represents an uncertainty metric for discovering an several characteristics different from actual hash values. The PDF
attribute’s approximate value, and an attacker cannot be sure of plotted in Fig. 4(c) for the analysis of component similarity il-
the estimate of the actual value [39]. Towards entropy results, lustrates a role with peaks of maximum values. Therefore, hash
we obtained a 3.80 mean. At this point, a 0.04 standard deviation token values have a considerable distance and low probability for
showed a low probability of an attacker discovering a similar obtaining a hash with similar aspects.
token and causing conflicts to the network. Entropy also shows CDFs comprehend the similarity and entropy variables accord-
ing to normal, gamma, and chi-square distributions. Fig. 4(d)
low variability due to low standard deviation, representing most
shows the CDF behavior for similarity. The behavior of normal
values close to each other. Suppose malicious nodes know the
distribution – blue line – is comparable with that of similarity –
system’s characteristics. In that case, they might attempt to de-
red line, and Gamma distribution – orange line – has a similar
termine a value through brute force following known features.
behavior. Normal distribution fits natural distributions of the
Similarly, such attempts resemble the launching of a coin with
population around the mean and our findings of similarity is
2256 sides and the expectation of its falling on the side chosen
compatible with distribution’s population [41].
by the user attacked.
According to the literature, another method to measure the 6. Discussion and limitations
probability of hash collisions consists of using Eqs. (2) and (3)
to calculate the amount of messages sent, Nm , where BW is the In the following, we discuss the key aspects and significant
bandwidth, MZ is the message size, and T is the time spent on the contributions for each feature highlighted below:
sending [40]. Eq. (3), where n denotes the message bits number
and Nm is the amount of messages sent, calculates the probability • Data Sharing. Our proposed protocol enables the sharing
of collision P [40]. We collected packets on network by using of medical imaging among researchers, supporting secure
Wireshark tool,17 which allowed us to obtain the following val- and private exchanges for exams and helping diagnosis of
ues: BW = 9.2 GB, MZ = 671 bytes, T = 10 s, and n = 256. diseases;
• Blockchain platform. With the blockchain platform, the
NW system might be adaptive for others approaches and offer a
Nm = ×T reliable tool to build a blockchain network for the healthcare
MZ
(2) environment;
9.2 × 230
= × 10 = 147, 219, 445 messages • Consensus algorithm. We used the blockchain platform
671 Hyperledger Fabric that uses a light consensus protocol, the
Nm Practical Byzantine Fault Tolerance (PBFT). Thus, it takes less
P =
2n (3)
time to validate a transaction and generate less overhead on
147, 219, 445 the network than other blockchain platforms;
= = 1.27 × 10−69 % • Network type. Considering the healthcare environment
2256
handle sensitive data, we use a private blockchain network
The experiments resulted in a low probability of hash collision
because reliable peers control it and only specifics nodes can
— the method used was proposed by Al-Ani et al. (2019) [40] with
validate a transaction;
a 1.27 × 10−69 % chance of finding a hash token of similar value
• Provenance and Accountability. The auditing entity can use
in a complete set of tokens. For instance, a brute force attack
the trace token to provides the researcher knowledge about
hardly obtains collision values since it requires several attempts
the source of the data, and it is a safe way for researchers
and high computational costs to be effective.
to acquire data. Besides, data requesters can be accountable
Probability Density Function (PDF), which describes a parame-
if data is leaked.
ter estimator that approximates the actual values for the entropy,
• Tracking. Our protocol addresses a tracking token stored
explored the behavior of entropy variables. To plot the curves,
in a blockchain that is hard to tamper with due to hash
the values were normalized from 0 to 1 – [0, 1] interval. Fig. 4(a)
randomness. Moreover, our results prove it is hard to find
a similar token through a birthday or brute force attack to
17 https://www.wireshark.org/. tamper who leaked the data;
357
E.J. de Aguiar, A.J. dos Santos, R.I. Meneguette et al. Future Generation Computer Systems 134 (2022) 348–360

Fig. 4. Statistical distributions for hash quantity values.

• Privacy policy. Our approach provides a more reliable system for complying with privacy regulations; it addresses the question of accountability with regard to data leakage detection when the sharing is poorly handled. This process relies on an immutable audit blockchain to find the stakeholder (who has a requester role) who requested the leaked image through a token stored in the metadata.

According to our findings, we believe the blockchain-based protocol for tracking shared DICOM images can contribute to auditing, provenance, and protection of healthcare systems and provide accountability of stakeholder requests for sharing data. Moreover, it has responded to our following hypothesis:

"A blockchain-based protocol can ensure accountability and auditability for healthcare record leakages using immutable logs and a unique token inserted in metadata of DICOM file images".

In characterizing the protocol for sharing medical imaging, our research has revealed that an attacker has a low probability of discovering a similar token from patterns known by the network. Therefore, the analysis metrics demonstrated that the randomness of the token hampers collision or birthday attacks aimed at tampering with the token in DICOM images.

The protocol design ensures immutable, tamper-free logs for auditing by the Information Technology Manager. The auditing entity can analyze the provenance of data employing the blockchain structure, and data holders can consult the purpose of data use. The hardware metrics proved the system's suitability for healthcare applications, given its acceptable latency, throughput, CPU usage, and memory usage. The system can be added to conventional healthcare systems to enhance their security and reliability. Thus, researchers can access traceable data for protection against leakages.

The experimental results clearly answered our hypothesis, revealing that the applied system has large entropy. The similarity results implied a tracking token that is hard to break, since an attacker must have a more profound knowledge of the network to infer a valid token. Besides, the system offers an interface for the auditing entity to audit logs, identify DICOM imaging leakages, and transfer leakage accountability to the stakeholder that requested the images. Therefore, stakeholders obtain images based on logs stored in the blockchain and use the token as the recovery key.

Experimental results also allowed us to characterize the protocol's behavior in sharing medical images based on PDF and CDF analyses. Even though it shows a token, the observed behavior indicates a low probability of a malicious user obtaining a similar value. The token can enhance the reliability of image distribution, and it guarantees the identification of whoever accesses the images.

In terms of this work's limitations, we did not implement an interactive interface for an entity to audit logs and analyze provenance. Furthermore, only one image format, DICOM, was adopted in our study. Nevertheless, we argue that other media formats can be easily included, as our implementation is highly modularized. We addressed only one type of attack, and our proposed approach can be tested against other types of attacks, such as Sybil, distributed denial-of-service, routing, and eclipse attacks [42].

7. Conclusions and future work

This research article has outlined the problem statement and presented a protocol for tracking requesters' access to shared medical data, including images. We have conducted several studies on the existing gap and identified that tracking medical imaging has not been fully addressed. Hence, our work targeted this

kind of data in our proposed system. This entailed investigating how blockchain technology could be used as a tool both to ensure and enhance security and privacy for data sharing. On the basis of well-established frameworks, we implemented our prototype in Hyperledger Fabric. This platform enabled us to work out a solution based on a lightweight blockchain consensus protocol suitable for healthcare system interfaces.

The network overhead and performance revealed figures similar to those of a centralized network in terms of throughput, CPU, and memory. The proposed method and protocol demonstrated a low probability of a malicious node obtaining an equal token. These findings show that our proposal helps protect against hash collisions that would break the token's security.

Also, similarity and entropy evaluations revealed that brute-force attacks by a stakeholder are infeasible for tampering with or invalidating the tracking token. We highlight that the hash token can provide accountability and give a more secure environment for patients to share data. Health data access grew increasingly during the pandemic year of 2020, in which several COVID patients checked in to hospitals worldwide [43].

As future work, we aim to develop an off-chain approach based on a P2P network that provides distributed privacy and mitigates attacks on image databases. This work can then meet more requirements related to privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA). Besides, our protocol might adapt to the Ethereum network because we build on Hyperledger tools, and we can interact with Hyperledger Besu (footnote 18) to build a business network based on Proof-of-Work and Proof-of-Authority protocols, running our protocol to track shared data.

18 https://github.com/hyperledger/besu.

CRediT authorship contribution statement

Erikson J. de Aguiar: Conceptualization, Methodology, Formal analysis, Writing – original draft preparation, Writing – review & editing. Alyson J. dos Santos: Conceptualization, Methodology, Formal analysis. Rodolfo I. Meneguette: Conceptualization, Writing – original draft preparation, Writing – review & editing. Robson E. De Grande: Conceptualization, Writing – original draft preparation, Writing – review & editing. Jó Ueyama: Conceptualization, Writing – review & editing.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This research was financed by São Paulo Research Foundation, Brazil (FAPESP, grants No. 2018/18187-3 and 2018/17335-9), and partially by Agency Coordenação de Aperfeiçoamento Pessoal de Nível Superior - CAPES - Brazil - Finance Code 001. The authors acknowledge the CPTAC program: "Data used in this publication were generated by the National Cancer Institute Clinical Proteomic Tumor Analysis Consortium (CPTAC)". The authors also thank the Instituto Federal de Educação, Ciência e Tecnologia Amazonas - Campus Tefé.

References

[1] A.H. Seh, M. Zarour, M. Alenezi, A.K. Sarkar, A. Agrawal, R. Kumar, R.A. Khan, Healthcare data breaches: Insights and implications, Healthcare 8 (2) (2020) 133, http://dx.doi.org/10.3390/healthcare8020133.
[2] J. Bernal Bernabe, J.L. Canovas, J.L. Hernandez-Ramos, R. Torres Moreno, A. Skarmeta, Privacy-preserving solutions for blockchain: Review and challenges, IEEE Access 7 (2019) 164908–164940, http://dx.doi.org/10.1109/ACCESS.2019.2950872.
[3] Y. Flaumenhaft, O. Ben-Assuli, Personal health records, global policy and regulation review, Health Policy 122 (8) (2018) 815–826, http://dx.doi.org/10.1016/j.healthpol.2018.05.002.
[4] B.W. Genereaux, D.K. Dennison, K. Ho, R. Horn, E.L. Silver, K. O’Donnell, C.E. Kahn, DICOMweb: Background and application of the web standard for medical imaging, J. Digit. Imaging 31 (3) (2018) 321–326, http://dx.doi.org/10.1007/s10278-018-0073-z.
[5] A. Shahnaz, U. Qamar, A. Khalid, Using blockchain for electronic health records, IEEE Access 7 (2019) 147782–147795, http://dx.doi.org/10.1109/ACCESS.2019.2946373.
[6] M.P. McBee, C. Wilcox, Blockchain technology: Principles and applications in medical imaging, J. Digit. Imaging 33 (3) (2020) 726–734, http://dx.doi.org/10.1007/s10278-019-00310-3.
[7] M. Shi, R. Jiang, X. Hu, J. Shang, A privacy protection method for health care big data management based on risk access control, Health Care Manage. Sci. 23 (3) (2019) 427–442, http://dx.doi.org/10.1007/s10729-019-09490-4.
[8] L. Ismail, H. Materwala, S. Zeadally, Lightweight blockchain for healthcare, IEEE Access 7 (2019) 149935–149951, http://dx.doi.org/10.1109/ACCESS.2019.2947613.
[9] E.J. De Aguiar, B.S. Faiçal, B. Krishnamachari, J. Ueyama, A survey of blockchain-based strategies for healthcare, ACM Comput. Surv. 53 (2) (2020) 27, http://dx.doi.org/10.1145/3376915.
[10] H. Jin, Y. Luo, P. Li, J. Mathew, A review of secure and privacy-preserving medical data sharing, IEEE Access 7 (2019) 61656–61669, http://dx.doi.org/10.1109/ACCESS.2019.2916503.
[11] V. Patel, A framework for secure and decentralized sharing of medical imaging data via blockchain consensus, Health Inform. J. 25 (2018) 146045821876969, http://dx.doi.org/10.1177/1460458218769699.
[12] A. Boonstra, A. Versluis, J.F.J. Vos, Implementing electronic health records in hospitals: a systematic literature review, BMC Health Serv. Res. 14 (1) (2014) http://dx.doi.org/10.1186/1472-6963-14-370.
[13] P. Voigt, A.v.d. Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, 2017.
[14] S.A. Parah, J.A. Sheikh, F. Ahad, N.A. Loan, G.M. Bhat, Information hiding in medical images: A robust medical image watermarking system for E-healthcare, Multimedia Tools Appl. 76 (8) (2017) 10599–10633, http://dx.doi.org/10.1007/s11042-015-3127-y.
[15] A.F. Qasim, R. Aspin, F. Meziane, P. Hogg, ROI-based reversible watermarking scheme for ensuring the integrity and authenticity of DICOM MR images, Multimedia Tools Appl. 78 (12) (2019) 16433–16463, http://dx.doi.org/10.1007/s11042-018-7029-7.
[16] A. ur Rahman, K. Sultan, N. Aldhafferi, A. Alqahtani, M. Mahmud, Reversible and fragile watermarking for medical images, 2018 (2018) 1–7. http://dx.doi.org/10.1155/2018/3461382.
[17] G.H. Motta, D.A. Araújo, J.R. Lucena-Neto, P.M. Azevedo-Marques, S.S. Cordeiro, S.A. Araújo-Neto, Towards an information infrastructure for medical image sharing, J. Digit. Imaging 33 (1) (2020) 88–98, http://dx.doi.org/10.1007/s10278-019-00243-x.
[18] X. Liao, K. Li, X. Zhu, K.J.R. Liu, Robust detection of image operator chain with two-stream convolutional neural network, IEEE J. Sel. Top. Sign. Proces. 14 (5) (2020) 955–968, http://dx.doi.org/10.1109/JSTSP.2020.3002391.
[19] X. Liao, J. Yin, M. Chen, Z. Qin, Adaptive payload distribution in multiple images steganography based on image texture features, IEEE Trans. Dependable Secure Comput. (2020) http://dx.doi.org/10.1109/TDSC.2020.3004708.
[20] X. Liao, Y. Yu, B. Li, Z. Li, Z. Qin, A new payload partition strategy in color image steganography, IEEE Trans. Circuits Syst. Video Technol. 30 (3) (2020) 685–696, http://dx.doi.org/10.1109/TCSVT.2019.2896270.
[21] E. Chukwu, L. Garg, A systematic review of blockchain in healthcare: Frameworks, prototypes, and implementations, IEEE Access 8 (2020) 21196–21214, http://dx.doi.org/10.1109/access.2020.2969881.
[22] E. Androulaki, A. Barger, V. Bortnikov, C. Cachin, K. Christidis, A. De Caro, D. Enyeart, C. Ferris, G. Laventman, Y. Manevich, S. Muralidharan, C. Murthy, B. Nguyen, M. Sethi, G. Singh, K. Smith, A. Sorniotti, C. Stathakopoulou, M. Vukolić, S.W. Cocco, J. Yellick, Hyperledger fabric: A distributed operating system for permissioned blockchains, in: Proceedings of the Thirteenth EuroSys Conference, 2018, p. 15, http://dx.doi.org/10.1145/3190508.3190538.


[23] J. Liu, X. Li, L. Ye, H. Zhang, X. Du, M. Guizani, BPDS: A blockchain based privacy-preserving data sharing for electronic medical records, in: 2018 IEEE Global Communications Conference, GLOBECOM 2018 - Proceedings, 2018, pp. 1–6, http://dx.doi.org/10.1109/GLOCOM.2018.8647713.
[24] S. Xuan, L. Zheng, I. Chung, W. Wang, D. Man, X. Du, W. Yang, M. Guizani, An incentive mechanism for data sharing based on blockchain with smart contracts, Comput. Electr. Eng. 83 (2020) 106587, http://dx.doi.org/10.1016/j.compeleceng.2020.106587.
[25] A. Al-Omar, M.Z.A. Bhuiyan, A.B. Kiyomoto, Shinsaku, M.S. Rahman, Privacy-friendly platform for healthcare data in cloud based on blockchain environment, Future Gener. Comput. Syst. 95 (2019) 511–521, http://dx.doi.org/10.1016/j.future.2018.12.044.
[26] B. Shen, J. Guo, Y. Yang, MedChain: Efficient healthcare data sharing via blockchain, Appl. Sci. 9 (6) (2019) 1207, http://dx.doi.org/10.3390/app9061207.
[27] C.P. Langlotz, B. Allen, B.J. Erickson, J. Kalpathy-Cramer, K. Bigelow, T.S. Cook, A.E. Flanders, M.P. Lungren, D.S. Mendelson, J.D. Rudie, G. Wang, K. Kandarpa, A roadmap for foundational research on artificial intelligence in medical imaging: From the 2018 NIH/RSNA/ACR/the academy workshop, Radiology 291 (3) (2019) 781–791, http://dx.doi.org/10.1148/radiol.2019190613.
[28] J.O. Silva, N. Calegari, E.S. Gomes, After Brazil’s general data protection law: Authorization in decentralized web applications, in: Companion of the World Wide Web Conference, 2019, pp. 819–822, http://dx.doi.org/10.1145/3308560.3316461.
[29] G.P. Reddy, A. Narayana, P.K. Keerthan, B. Vineetha, P. Honnavalli, Multiple hashing using SHA-256 and MD5, in: Advances in Computing and Network Communications, 2021, pp. 643–655.
[30] D.D.F. Maesa, P. Mori, L. Ricci, A blockchain based approach for the definition of auditable access control systems, Comput. Secur. 84 (2019) http://dx.doi.org/10.1016/j.cose.2019.03.016, URL https://www.sciencedirect.com/science/article/pii/S0167404818309398.
[31] D. Marbouh, T. Abbasi, F. Maasmi, I.A. Omar, M.S. Debe, K. Salah, R. Jayaraman, S. Ellahham, Blockchain for COVID-19: Review, opportunities, and a trusted tracking system, Arab. J. Sci. Eng. 45 (12) (2020) 9895–9911, http://dx.doi.org/10.1007/s13369-020-04950-4.
[32] X. Li, P. Jiang, T. Chen, X. Luo, Q. Wen, A survey on the security of blockchain systems, Future Gener. Comput. Syst. 107 (2017) 1–13, http://dx.doi.org/10.1016/j.future.2017.08.020.
[33] W. Cai, Z. Wang, J.B. Ernst, Z. Hong, C. Feng, V.C.M. Leung, Decentralized applications: The blockchain-empowered software system, IEEE Access 6 (2018) 53019–53033, http://dx.doi.org/10.1109/ACCESS.2018.2870644.
[34] National Cancer Institute Clinical Proteomic Tumor Analysis Consortium (CPTAC), Radiology data from the clinical proteomic tumor analysis consortium cutaneous melanoma [cptac-cm] collection [data set], in: The Cancer Imaging Archive, 2018, http://dx.doi.org/10.7937/k9/tcia.2018.odu24gze.
[35] K. Clark, B. Vendt, K. Smith, J. Freymann, J. Kirby, P. Koppel, S. Moore, S. Phillips, D. Maffitt, M. Pringle, et al., The Cancer Imaging Archive (TCIA): maintaining and operating a public information repository, J. Digit. Imaging 26 (6) (2013) 1045–1057.
[36] L. Metcalf, W. Casey, Cybersecurity and Applied Mathematics, 2016, pp. 1–189, http://dx.doi.org/10.1016/B978-0-12-804452-0.09992-9.
[37] M.R.K. Soltanian, I.S. Amiri, Chapter 3 - Problem solving, investigating ideas, and solutions, in: Theoretical and Experimental Methods for Defending Against DDOS Attacks, 2016, pp. 33–45, http://dx.doi.org/10.1016/B978-0-12-805391-1.00003-1.
[38] S. Su, T. Xie, S. Lü, A provably secure non-iterative hash function resisting birthday attack, Theoret. Comput. Sci. 654 (2016) 128–142, http://dx.doi.org/10.1016/j.tcs.2016.02.023.
[39] I. Wagner, D. Eckhoff, Technical privacy metrics: A systematic survey, ACM Comput. Surv. 51 (3) (2018) http://dx.doi.org/10.1145/3168389.
[40] A.K. Al-Ani, M. Anbar, S. Manickam, A. Al-Ani, DAD-match; security technique to prevent denial of service attack on duplicate address detection process in IPv6 link-local network, PLOS ONE 14 (4) (2019) 1–20, http://dx.doi.org/10.1371/journal.pone.0214518.
[41] D.G. Altman, J.M. Bland, Statistics notes: The normal distribution, BMJ 310 (6975) (1995) http://dx.doi.org/10.1136/bmj.310.6975.298.
[42] S. Aggarwal, N. Kumar, Attacks on blockchain, in: Advances in Computers, 2021, pp. 399–410, http://dx.doi.org/10.1016/bs.adcom.2020.08.020.
[43] N. Peek, M. Sujan, P. Scott, Digital health and care in pandemic times: impact of COVID-19, BMJ Health Care Inform. 27 (1) (2020) http://dx.doi.org/10.1136/bmjhci-2020-100166.

Erikson Júlio de Aguiar is a Ph.D. student in the Institute of Mathematics and Computer Science (ICMC) at the University of São Paulo (USP). He received his M.Sc. degree in Computer Science from University of São Paulo (USP) in 2021. He completed his B.Sc. in Computer Science at the State University of Northern Paraná (UENP) in 2017. His main research interest includes Blockchain, Security & Privacy, Machine Learning, Deep Learning, and Computer Vision.

Alyson de Jesus dos Santos received his D.Sc. degree in electrical engineering from Federal University of Rio de Janeiro (UFRJ), Brazil, in 2016 and the M.Sc. degree in electrical engineering from Federal University of Amazonas (UFAM), Brazil, in 2011. Currently, he is a Director of Information Technology at the Department of Administration and Management of Amazonas (SEAD-AM), and an assistant Professor at Instituto Federal de Ciencia e Tecnologia do Amazonas (IFAM).

Rodolfo Ipolito Meneguette, Bachelor of Computer Science from Universidade Paulista (UNIP) in 2006. Master of Computer Science from Federal University of São Carlos (UFSCar) in 2009. Doctor of Computer Science from Universidade Estadual de Campinas (UNICAMP) in 2013. Post-doctoral student from the University of Ottawa (UOttawa) in 2017. He is currently a professor at the Institute of Mathematical and Computer Sciences (ICMC) at the University of São Paulo (USP). Leader of the Internet of Things research group with a focus on urban computing. His line of research is in intelligent transport systems, vehicular networks, clouds, mobility management.

Robson E. De Grande is an Associate Professor in the Department of Computer Science at Brock University, Canada. He received his Ph.D. degree in Computer Science from the University of Ottawa, Canada, in 2012. His research interests include large-scale distributed and mobile systems, cloud computing, performance modeling and simulation, computer networks, vehicular networks, intelligent transportation systems, and distributed simulation systems, actively contributing in these areas. He has served as technical program and special session co-chair of several IEEE and ACM sponsored conferences, including IEEE/ACM DS-RT, ACM MobiWac, ACM DIVANet, and IEEE DCOSS International Workshop on Urban Computing.

Jó Ueyama is a Professor of the Institute of Mathematics and Computer Science (ICMC) at the University of São Paulo (USP). Prof. Ueyama is also a Brazilian Research Council (CNPq) fellow. He completed his Ph.D. in computer science at the University of Lancaster (England) in 2006. Before joining USP, he was a research fellow at the University of Kent at Canterbury (England). Jó has published 53 journal articles and more than 100 conference papers. His main research interest includes Computer Networks, Security, and Blockchain.
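
The leak-attribution flow described in the discussion (a per-request token stored in image metadata and resolved against an immutable log) is sketched below as an added example; it is not the authors' implementation. A plain dict stands in for DICOM metadata, an in-memory hash chain stands in for the Hyperledger Fabric ledger, and the token construction (SHA-256 over the request fields plus a random nonce) and the `TrackingToken` field name are assumptions.

```python
import hashlib
import json
import secrets

GENESIS = "0" * 64
TOKEN_FIELD = "TrackingToken"  # hypothetical metadata field name

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLedger:
    """Append-only, hash-chained log: in-memory stand-in for the blockchain."""

    def __init__(self):
        self.entries = []

    def record_share(self, requester, image_uid, purpose):
        # Assumed token: SHA-256 over the request fields plus a 128-bit nonce.
        nonce = secrets.token_hex(16)
        token = hashlib.sha256(f"{requester}|{image_uid}|{nonce}".encode()).hexdigest()
        body = {"index": len(self.entries),
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
                "requester": requester, "image_uid": image_uid,
                "purpose": purpose, "token": token}
        self.entries.append({**body, "hash": _digest(body)})
        return token

    def verify_chain(self):
        """Recompute every entry hash and check each link to its predecessor."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["index"] != i or entry["prev"] != prev or entry["hash"] != _digest(body):
                return False
            prev = entry["hash"]
        return True

    def attribute_leak(self, leaked_metadata):
        """Return the requester whose token is in the leaked file, else None."""
        if not self.verify_chain():
            raise ValueError("audit log failed its integrity check")
        token = leaked_metadata.get(TOKEN_FIELD)
        for entry in self.entries:
            if token == entry["token"]:
                return entry["requester"]
        return None

def share_image(ledger, metadata, requester, purpose):
    """Log the request, then return a per-requester copy carrying its token."""
    token = ledger.record_share(requester, metadata["SOPInstanceUID"], purpose)
    return {**metadata, TOKEN_FIELD: token}

def demo():
    ledger = AuditLedger()
    image = {"SOPInstanceUID": "1.2.3.4.5", "Modality": "CT"}  # constructed sample
    copy_a = share_image(ledger, image, "hospital-a", "diagnosis")
    copy_b = share_image(ledger, image, "research-lab-b", "research")
    found = ledger.attribute_leak(copy_b)            # copy_b turns up in a leak
    no_token = ledger.attribute_leak(image)          # file carries no token
    distinct = copy_a[TOKEN_FIELD] != copy_b[TOKEN_FIELD]
    ledger.entries[1]["requester"] = "hospital-a"    # simulated log tampering
    return found, no_token, distinct, ledger.verify_chain()

if __name__ == "__main__":
    print(demo())
```

Attribution only works while the chain verifies, which is why `attribute_leak` refuses to answer from a log that fails its integrity check.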
