IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 4, 15 FEBRUARY 2023 2893

Privacy-Aware Access Control in IoT-Enabled Healthcare: A Federated Deep Learning Approach

Hui Lin, Kuljeet Kaur, Member, IEEE, Xiaoding Wang, Georges Kaddoum, Senior Member, IEEE, Jia Hu, and Mohammad Mehedi Hassan, Senior Member, IEEE

Abstract—The traditional healthcare is overwhelmed by the processing and storage of massive medical data. The emergence and gradual maturation of Internet-of-Things (IoT) technologies bring the traditional healthcare an excellent opportunity to evolve into the IoT-enabled healthcare of massive data storage and extraordinary data processing capability. However, in IoT-enabled healthcare, sensitive medical data are subject to both privacy leakage and data tampering caused by unauthorized users. In this article, an attribute-based secure access control mechanism, coined (SACM), is proposed for IoT-Health utilizing the federated deep learning (FDL). Specifically, we manage to discover the relationship between users' social attributes and their trusts, which is the trustworthiness of users rely on their social influences. By applying graph convolutional networks to the social graph with the susceptible–infected–recovered model-based loss function, users' influences are obtained and then are transformed to their trusts. For each occupation, users' trusts allow them to access specific medical data only if their trusts are higher than the corresponding threshold. Then, the FDL is applied to obtain the optimal threshold and relevant access control parameters for the improvement of access control accuracy and the enhancement of privacy preservation. The experimental results show that the proposed SACM achieves accurate access control in IoT-enabled healthcare with high data integrity and low privacy leakage.

Index Terms—Access control, federated learning, graph convolutional networks (GCNs), Internet-of-Things (IoT)-enabled healthcare, social attributes.

Manuscript received 23 March 2021; revised 22 June 2021 and 15 July 2021; accepted 27 August 2021. Date of publication 15 September 2021; date of current version 6 February 2023. This work was supported by the King Saud University, Riyadh, Saudi Arabia, through the Researchers Supporting Project under Grant RSP2023R18. (Corresponding authors: Xiaoding Wang; Jia Hu.)

Hui Lin and Xiaoding Wang are with the College of Computer and Cyber Security, Fujian Normal University, Fuzhou, China, and also with the Engineering Research Center of Cyber Security and Education Informatization, Fujian Province University, Fuzhou 350117, China.

Kuljeet Kaur and Georges Kaddoum are with the Electrical Engineering Department, École de Technologie Supérieure, Montreal, QC H3C 1K3, Canada.

Jia Hu is with the Department of Computer Science, University of Exeter, Exeter EX4 4PY, U.K.

Mohammad Mehedi Hassan is with the Information Systems Department, College of Computer and Information Sciences, King Saud University, Riyadh 11543, Saudi Arabia.

Digital Object Identifier 10.1109/JIOT.2021.3112686

2327-4662 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.

I. INTRODUCTION

WITH the outbreak of the new coronavirus, the existing healthcare system is facing huge challenges in data processing and storage [1], [2]. As the solution, Internet-of-Things (IoT) technology is the core of future smart healthcare. IoT realizes intelligent identification, access control, data processing by comprehensively applying sensor technology, network technology, artificial intelligence technology [3], etc., to the entire healthcare management for information exchange and communication, so as to establish a real-time, efficient, and secure reinforced healthcare (IoT-Healthcare) [4], [5]. However, in IoT-Health, there exist serious privacy leakage problem and data tampering problem [6], both of which are caused by medical data access from unauthorized personnel. That suggests the significance of secure access control for important medical data.

The identity-based access control mechanisms used in traditional centralized computing environments, such as role-based access control (RBAC) and access control lists (ACLs), can only solve the security problems, i.e., privacy leakage and data tampering, of specific systems to a certain extent. Distributed access control of medical data in an open environment poses severe challenges to traditional access control models and mechanisms. For example, how to authenticate and authorize resource requesters based on their identities and how to solve the interoperability problem between different security systems based on centralized access control models. Compared with RBAC and ACL, attribute-based access control (ABAC) relies on the authorization of the subject's attributes and is an effective way to establish trust relationships between unfamiliar parties. In ABAC, attributes of related entities (such as subjects, resources, and environments) are used as the basis for authorization, rather than identities only. Thereby, ABAC is particularly suitable for authorization and access control in open and distributed medical systems. Plenties of ABAC mechanisms have been investigated for decades. Apart from the access control mechanism that utilizes the attribute-based encryption [7], the trust-based one [8] applies to medical data access control, i.e., the doctor of a higher trust should be granted the authority to access patients' medical data. However, the proper trust evaluation is an open problem. Note that users' trusts are closely related to their social influences. This is because social activities usually take place between users of high social similarities [9]. Besides, influential users are more trustworthy due to the fact that the
participation in any malicious activity might contribute to serious influence degradation. In [10], a user's influence identification model InfGCN that integrates social data, graph convolutional networks (GCNs), and susceptible–infected–recovered (SIR) model is proposed. However, InfGCN disregards the construction of the social network about users. Moreover, the trust-based access control demands of the access control threshold are elaborately designed for privacy protection and data integrity preservation.

Based on the above analysis, we give a secure access control architecture (see Fig. 1) based on machine learning technologies [11] for IoT-Health. This architecture can be divided into three layers: 1) the IoT-Health application layer; 2) the edge access control layer; and 3) the intelligent terminal layer. Specifically, the edge access control layer is composed of trust generation servers and access control servers responsible for granting users specific authorities and dealing with data access requests using machine learning technologies (i.e., GCN and federated learning) to support a variety of IoT-healthcare applications with data provided by intelligent terminals [12].

Fig. 1. GCN and federated learning-based access control architecture for IoT-health.

Based on this architecture, in this article, we propose an attribute-based secure access control mechanism, named (SACM), for IoT-Health using federated deep learning (FDL). The main contribution of this article is summarized as follows.

1) To achieve the secure access control, we grant each user a unique authority to specific medical data. Specifically, we introduce the social network about users, in which each edge weight represents the connection probability of a specific pair of users according to social similarities. Then, the adjacent matrix of the neighbor graph of each user in the social network and the corresponding features of each node (i.e., the degree centrality, the betweenness centrality, the closeness centrality, and the eigenvector centrality) are used as the input of the GCN that employs the SIR-based loss function to obtain the user's influence and the trust. Based on the trust and occupation of the user, a specific authority is given for access control.
2) To improve the access control accuracy, we adopt the FDL to learn relevant access control parameters. Specifically, by integrating the federated learning framework and the deep reinforcement learning method (i.e., Twin Delayed Deep Deterministic policy gradient algorithm TD3), the access control threshold is learned, considering the privacy preservation of patients and the integrity maintenance of medical data, and the accuracy of access control is significantly improved.
3) The validation experiment is conducted on the real data set. The experimental results indicate that the proposed SACM can achieve secure access control on users in IoT-Health with high data integrity and low privacy leakage.

The remainder of this article is organized as follows. The related work is presented in Section II. Both system model and attack model are introduced in Section III. The implementation details of the proposed SACM are given in Section IV. The performance of the SACM is evaluated in Section V. We conclude this article in Section VI.

II. RELATED WORK

There is an increasing interest in the access control problem for IoT-Healthcare and many excellent works have been proposed. Yang et al. [13] solved the problem of accessing encrypted medical data by proposing both ABAC policy and break-glass access control policy. The ABAC only requires workers to satisfy the specific attribute set for medical data access, while the timely access is supported by the break-glass mechanism. Roy et al. [14] proposed a fine-grained access control mechanism for cloud computing-enabled healthcare. They also provide a provable authentication mechanism for user access control. In [15], the collusion-resistant access control in ehealth is achieved by Edemacu et al. for secure medical data sharing with the consideration of the revocation of attributes and users. Liu et al. [16] developed a multiauthority-based access control mechanism for medical services in healthcare. This mechanism is lightweight against collision attack for privacy preservation. Zhang et al. [17] achieved the fine-grained access control for the e-healthcare system. They design an encryption scheme of two layers to guarantee the attribute-based medical data access control and the privacy preservation for role attributes and access policies with both cloud-based computation and blind data retrieving protocol. In [18], a secure SDN-based framework is proposed by Meng et al. for sharing data in healthcare. This framework provides authorized services to patients by effectively authenticating user devices' MAC addresses against identity theft. Jiang et al. [19] developed an access control and medical data sharing mechanism for personal healthcare utilizing the symptom matching technology. This mechanism can achieve granular symptom matching based on a blind signature for privacy preservation. Xu et al. [20] used the
blockchain technology to realize the fine-grained access control for large-scale medical data. In this mechanism, authorized doctors are added/revoked based on user transactions and medical data cannot be tampered with, which protects against medical disputes. In [21], both access control policies and user attributes are transformed into vectors of proper lengths, respectively, by Sun et al. to reduce the overhead of the access process for encrypted medical data. In [22], access control and data sharing is achieved by Fan et al. using the blockchain technology for nonrepudiation and user self-certification.

All these works are devoted to the access control problem in IoT-Health, however, there remain two problems: 1) how to obtain users' influences and trusts based on users' social data and 2) how to achieve accurate and secure access control according to users' trusts and occupations without exposing users' privacy. In this article, an attribute-based SACM is proposed for IoT-Health using FDL to address these problems.

III. SYSTEM MODEL

In IoT-Health, there are serious privacy leakage and data tampering issues, both of which are caused by unauthorized personnel accessing medical data. This indicates the importance of secure access control to important medical data. To preserve user privacy and data integrity in IoT-Health, the trust-based access control is considered, in which there exist three important entities, i.e., users, trust generation servers, and access control servers. In general, each access control server executes the access control on a number of users based on their trusts obtained by the trust generation servers. We assume both access control servers and trust generation servers are semitrusted while the users are untrusted. Thereby, in this article, two types of attacks, namely, the data tampering attack and the privacy leakage attack, are considered.

1) Data Tampering Attack: Such attack is launched by unauthorized users who aim to interfere with the medical diagnosis by altering sensitive medical data either randomly or maliciously. Since data tampering might endanger patients' lives, only authorized users are allowed to access patients' medical data. To this end, the trust-based access control is considered. To be specific, to access important medical data, users should be adequately trustworthy to prevent data tampering attack.
2) Privacy Leakage Attack: Unauthorized accesses to the sensitive medical data in IoT-Healthcare will cause severe privacy leakage about patients. For example, anyone rather than the doctors, who reads the medical record of the patient, will seriously violate the patient's privacy. That suggests the significance of the access control. However, to build the unified access control model, users' social data should be provided such that users' privacy is exposed. Thereby, instead of actually accessing patients' medical data, local access control servers provide local access control models during the FDL to construct the universal access control model against the privacy leakage attack on patients.

IV. IMPLEMENTATION OF THE PROPOSED SACM

As an intelligent access control mechanism [23], the proposed strategy SACM is composed of two important modules, namely, the social graph-based influence and trust evaluation module that utilizes GCN and the trust-based access control module that employs the FDL technology.

A. Social Graph-Based Influence and Trust Evaluation Utilizing Graph Convolutional Networks

1) Social Graph Construction: Recall that the social activities usually take place between users who have social similarities. That suggests we can construct the social graph about users, in which each edge is associated with a connection probability determined by the social similarity of the end user of this edge. To be specific, we calculate the connection probability $CP_{ij}$ of a pair of user nodes $UN_i$ and $UN_j$ using the cosine similarity by

$$CP_{ij} = \frac{UN_i \cdot UN_j}{\|UN_i\| \, \|UN_j\|} \tag{1}$$

where each user node $UN_i$ is an N-dimensional vector that consists of the user's social data, i.e., the education background, the occupation, the social service condition, the religion, the partisanship, etc. However, how to decide if there exists an edge between a pair of user nodes is an open problem. In this article, we introduce the threshold such that the edge $UN_i UN_j$ exists in the social graph only if $CP_{ij} \geq 0.5$.

Note that the kth representation of a node's neighbors is related to the (k + 1)th representation of this node in GCN. That suggests the k-step network that is the k-neighbor graph of a node is related to the kth representation of this node. Therefore, we find the k-neighbor graph of each user node by performing the breadth-first search from it to get its neighbors, and then introduce the neighbor network of those neighbors.

2) Trust Evaluation Using GCN and SIR Model: According to the previous analysis, we adopt the GCN to measure the influence of each user node. Unlike the InfGCN model [10], the features of each node, i.e., the degree centrality, the betweenness centrality, the closeness centrality, and the eigenvector centrality, are considered.

1) Degree Centrality: The degree of a node can be used to measure the centrality, i.e., a node that has more social connections suggests its high influence.
2) Betweenness Centrality: If a node is located on multiple shortest paths between other nodes, then this node is of high influence.
3) Closeness Centrality: The closeness centrality uses the characteristics of the entire network, i.e., the node position in the entire structure. Compared with the betweenness centrality, the closeness centrality is closer to the geometric center position.
4) Eigenvector Centrality: The basic idea of the eigenvector centrality is that the centrality of a node is a function of the centrality of adjacent nodes. In other words, a node is more influential if this node connects to other influential nodes.
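The social-graph construction of (1) with the 0.5 edge threshold, the breadth-first k-neighbor graph, and two of the four node features (degree and closeness centrality), as an added Python example that is not code from the paper. The user names and the binary attribute encoding are constructed; betweenness and eigenvector centrality are left out.

```python
import math
from collections import deque

EDGE_THRESHOLD = 0.5  # from the text: edge UN_i-UN_j exists only if CP_ij >= 0.5

# Constructed sample: each user is an N-dimensional vector of encoded social
# attributes (hypothetical binary encoding, not taken from the paper).
USERS = {
    "alice": [1, 1, 1, 0, 0],
    "bob":   [1, 1, 0, 0, 0],
    "carol": [0, 1, 1, 1, 0],
    "dave":  [0, 0, 1, 1, 0],
    "erin":  [0, 0, 0, 1, 0],
}


def connection_probability(u, v):
    """Cosine similarity of two attribute vectors, as in Eq. (1)."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0  # an all-zero profile connects to nobody


def build_social_graph(users, threshold=EDGE_THRESHOLD):
    """Return {node: {neighbor: CP}} keeping only edges with CP >= threshold."""
    graph = {name: {} for name in users}
    names = sorted(users)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            cp = connection_probability(users[a], users[b])
            if cp >= threshold:
                graph[a][b] = cp
                graph[b][a] = cp
    return graph


def bfs_distances(graph, start, max_hops=None):
    """Hop distance from start to every reachable node (optionally capped)."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if max_hops is not None and dist[node] == max_hops:
            continue  # do not expand beyond k hops
        for nb in graph[node]:
            if nb not in dist:
                dist[nb] = dist[node] + 1
                queue.append(nb)
    return dist


def k_neighbor_graph(graph, start, k):
    """Subgraph induced by all nodes within k hops of start (found by BFS)."""
    keep = set(bfs_distances(graph, start, max_hops=k))
    return {n: {m: cp for m, cp in graph[n].items() if m in keep} for n in keep}


def centrality_features(graph):
    """Per-node (degree centrality, closeness centrality) feature pair."""
    n = len(graph)
    feats = {}
    for node in graph:
        degree = len(graph[node]) / (n - 1) if n > 1 else 0.0
        dist = bfs_distances(graph, node)
        total = sum(dist.values())  # distance to self contributes 0
        closeness = (len(dist) - 1) / total if total else 0.0
        feats[node] = (degree, closeness)
    return feats


if __name__ == "__main__":
    g = build_social_graph(USERS)
    for name, (deg, clo) in sorted(centrality_features(g).items()):
        print(f"{name:6s} degree={deg:.2f} closeness={clo:.2f} "
              f"neighbors={sorted(g[name])}")
    print("2-neighbor graph of bob:", sorted(k_neighbor_graph(g, "bob", 2)))
```
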


The GCN can learn the representation of nodes using the graph structures and features, i.e.,

$$R_{i+1} = \phi\left(L R_i W_i + B_i\right) \tag{2}$$

where $R_i$ denotes the nodes' representations at the ith GCN layer; $L$ denotes the Laplacian of the neighbor graph which is normalized symmetrically; $W_i$ and $B_i$ are weights and bias, respectively, and $\phi$ represents the nonlinear activation function, i.e., ELU. In addition, the SIR-based loss function is employed in GCN. The reason for that is as follows. In SIR, each node is of three states, namely, susceptible, infectious, and recovered. Infectious nodes can infect susceptible neighbor nodes and get recovered with infection rate $\beta$ and recovery rate $\lambda$. Susceptible neighbor nodes can get infected by infectious nodes with infection rate $\beta$, while any infectious node can get recovered with recovery rate $\lambda$. A recovered node cannot infect other neighbor nodes and get infected [24]. Let one node be the first infected node, while the rest nodes are set to be susceptible. The infection scale is used to measure the influence of the first infected node. Thereby, we can add the LogSoftMax module to classify the GCN outputs, the result of which is compared with the ground truth obtained through the SIR experiment as the loss function. In this article, we only consider two types of users who are the most influential users and the much less influential users. Thereby, the LogSoftMax module only has to provide a two-category classification. Once the user's influence is obtained, the trust of this user is calculated by

$$UT_i \propto UI_i \tag{3}$$

where $UT_i$ and $UI_i$ are the trust and the influence of the ith user, respectively.

B. Trust-Based Access Control Using Federated Deep Learning

Be aware that the GCN can generate each user's influence with a set of fixed parameters (e.g., the neighbor-graph size, the infection rate, and the recovery rate). Then, by setting a proper trust threshold, each user will be granted a specific authority for access control under the constraint of the user's occupation. For example, if the user is a doctor, whose authority is high enough, then this user is allowed to access patients' medical data; otherwise, the access is denied, i.e., a social worker with an extraordinarily high trust is forbidden from accessing medical data.

Note that the aim of implementing access control in IoT-Healthcare is to prevent both privacy leakage attack and data tampering attack. Therefore, we introduce the connection fading factor $\rho = (1 - PL_i + DI_i)/2$, where $PL_i \in [0, 1]$ and $DI_i \in [0, 1]$ represent the privacy leakage and the data integrity of the ith user. By introducing a fading factor $\rho$, the connection probability of the edge between the malicious user and another user in the social graph is significantly reduced as

$$CP_{ij} \leftarrow \rho \, CP_{ij} \tag{4}$$

thus resulting in a lower degree of the malicious user in the social graph.

Thereby, the access control threshold should be dynamically adjusted with fixed $k$, $\beta$, and $\lambda$, to minimize the privacy leakage and meanwhile maximize the data integrity. To this end, we employ the Twin Delayed Deep Deterministic policy gradient algorithm TD3 to learn the threshold for the construction of each local access control model. In addition, given the difficulty of model training for some access control servers, we apply the federated learning framework to the TD3 algorithm to build the universal access control model for user privacy preservation.

1) Local Access Control Model Construction Using TD3: The optimal access control threshold $\theta$ is discovered using the DRL algorithm TD3. To be specific, for each local access control server, the TD3 requires an actor network $\pi$, a target actor network $\pi'$, two critic networks $Q_1$ and $Q_2$, and their target networks $Q'_1$ and $Q'_2$. Basically, the actor network makes a choice about which action $a$ should be taken for the state $s$, while the critic networks assess this choice and prevent the overestimation.

In the access control, each state $s$ is presented by an N-dimensional vector of users' authorities $UA_i$, i.e., $s = (UA_1, UA_2, \ldots, UA_N)$, where $UA_i = 0$ denotes the ith user does not possess the authority to access the medical data; otherwise, $UA_i = 1$. Then, the action $a$ can be presented by $a = \theta$. For the current state $s$, we choose the action $a$ according to the reward $r$. Since the access control is designed to prevent both privacy leakage attack and data tampering attack, the reward $r$ is given to evaluate access control outcome for medical data on N users by

$$r = \sum_{i}^{N} DI_i - PL_i. \tag{5}$$

In the training process of TD3, we randomly sample N experience to update the critic network with the loss function

$$L\left(\vartheta^{Q_i}\right) = \frac{1}{N} \sum_{j}^{N} \left( Q_i\left(s_j, a_j \mid \vartheta^{Q_i}\right) - Y_j \right)^2 \tag{6}$$

where

$$Y_j = r_j + \gamma \min_{i=1,2} Q'_i\left(s_{i+1}, \pi'\left(s_{i+1} \mid \vartheta^{\pi'}\right) \mid \vartheta^{Q'_i}\right). \tag{7}$$

Thereby, we have

$$\vartheta^{Q_i} \leftarrow \vartheta^{Q_i} - \eta \frac{\partial L\left(\vartheta^{Q_i}\right)}{\partial \vartheta^{Q_i}}. \tag{8}$$

Then, we update the actor network $\pi$ by optimizing the objective function

$$J\left(\vartheta^{\pi}\right) = \sum_{j}^{N} Q_1\left(s, a \mid \vartheta^{Q_1}\right) \pi\left(s_j \mid \vartheta^{\pi}\right) \Big|_{s = s_j,\; a = \pi\left(s_j \mid \vartheta^{\pi}\right)} \tag{9}$$

with

$$\vartheta^{\pi} \leftarrow \vartheta^{\pi} + \iota \frac{\partial J\left(\vartheta^{\pi}\right)}{\partial \vartheta^{\pi}}. \tag{10}$$

Next, the parameters of target networks $\vartheta^{Q'}$ and $\vartheta^{\pi'}$ are updated with a learning rate $\kappa$. When the TD3 learning process
is converged, the local access control model is constructed. Thereby, for each user, only if his trust is higher than the access control threshold and his occupation is a doctor, then he can access the patients' medical data.

2) Universal Access Control Model Construction Using Federated Learning: Considering the difficulties in access control model training, the federated learning technology is employed. Basically, the federated learning is a unique machine learning technology that only requires the trained model from each federated learning participant, which is the access control server in this article, instead of the private data set for participants' privacy preservation, so as to build the universal model. To be specific, each local access control server trains its own access control model using the DRL algorithm TD3 as we described in the previous section and sends its own model to a fusion server. The fusion server generates a set of weights, each of which is assigned to a local model, to construct a synthetic model and distribute this model to each access control server for further training. The process is performed iteratively until the universal model is converged. In this article, we apply the DRL algorithm TD3 in the federated learning framework to develop a TD3-based universal model learning algorithm rather than trial and error. That is, for each participation condition during the federated learning, the TD3 finds the optimal set of weights to aggregate local models.

Specifically, we let the state $s$ consist of the participation condition $SP$ of each local access control server, i.e., $s = (SP_1, SP_2, \ldots, SP_{N'})$, where $SP_i = 0$ denotes the ith access control server does not join the federated learning; otherwise, $SP_i = 1$. No doubt that the action $a$ is the set of aggregation weights, i.e., $a = (\omega_1, \omega_2, \ldots, \omega_{N'})$. For each state $s$, the action $a$ is chosen based on the reward $r$. Since both privacy leakage and data integrity are considered in local access control model training, we then give the reward $r$ of the federated learning by

$$r = \sum_{i}^{N'} \sum_{j}^{N} DI_{i,j} - PL_{i,j} \tag{11}$$

where $PL_{i,j} \in [0, 1]$ and $DI_{i,j} \in [0, 1]$ represent the privacy leakage and the data integrity caused by the ith user of the kth access control server to the medical data. The parameter update of the neural networks of the TD3-based FDL is similar to that given in the previous section.

C. Case Study

The Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS) is a department that implements the Health Insurance Portability and Accountability Act (HIPAA). It is mainly responsible for protecting some basic rights of people, mainly including the right against discrimination, the right of religious freedom, the right of the privacy of patients' medical information, etc., and is responsible for investigating cases of HIPAA violations. In 2018, Fresenius Medical Care in the United States was investigated for the leakage of patients' privacy. As a large-scale medical group in the United States, the company is mainly engaged in kidney disease medical products and medical services. It has 60 000 employees and serves 170 000 patients, including kidney dialysis centers, cardiovascular centers, emergency centers, and nursing centers. The company has many operating points across the country, but the communication and data exchange between these operating points cannot guarantee the safety of patients' medical information, and it is very easy for unauthorized personnel to gain access.

The access control algorithm SACM proposed in this article is designed to prevent the occurrence of the above situation. The algorithm is deployed on multiple access control servers and trust generation servers, where each access control server performs access control for specific users based on their trusts. Specifically, each user provides social data, such as educational background, occupation, social service conditions, religious beliefs, etc., to the trust generation server. Based on these data, the trust generation server first constructs a social graph, where nodes represent users, edges represent social connections between users, and the connection probability is determined by the users' social similarity. Then, the trust generation server uses the social graph as the input of the GCN and SIR model to obtain the user's influence and trust. Next, the access control server grants the user corresponding authorities based on the user's trust and occupation, so that the user can access the corresponding medical data. The outcome of the access control on users can be measured by both privacy leakage and data integrity on medical data; the trust-based access control results are observed after users access the medical data according to their authorities. The above process is performed iteratively until the privacy leakage is minimized and the data integrity is maximized. For some access control servers with difficulties in model training, FDL is used to construct a unified access control model to prevent patients' privacy leakage and medical data tampering. Fig. 2 gives the access control framework for the "Fresenius Medical Care" case.

V. PERFORMANCE EVALUATION

A. Experimental Setup

We evaluate the performance of the proposed SACM in Python on computers equipped with i7 processor, 16-GB memory, 3.2-GHz CPU, and 64-bit win7 system. The data set we choose is the Facebook-like Social Network, which is available at "https://toreopsahl.com/datasets/". The Facebook-like Social Network originates from an online community for students at the University of California, Irvine. The data set includes the users that sent or received at least one message. This network has also been described in Patterns and Dynamics of Users' Behavior and Interaction. In addition, this data set contains many nodal attributes (e.g., gender, age, and course attended). We randomly generate a number of malicious users based on this data set with the data about 20% deviated from the original ones. Similar to [10], in this experiment, there are four layers in the GCN, which is the hidden layer of 8 units and three fully connected layers of 16, 8, and 2 units, respectively. We train all parameters using the Adam optimizer with 1e−4 weight decay, 0.0001 learning rate, and 32 mini-batch size. Table I gives the parameters of this experiment.
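How the fading factor of (4) and the trust-and-occupation rule of Section IV-B interact, as an added Python example that is not code from the paper. Assumptions: normalized degree stands in for the GCN/SIR influence score, the threshold 0.6 is a fixed constructed value rather than one learned by TD3, each edge is scaled by the fading factor of both endpoints, and all users, edge weights and scores are constructed.

```python
EDGE_THRESHOLD = 0.5    # from the text: edges with CP_ij < 0.5 do not exist
ACCESS_THRESHOLD = 0.6  # hypothetical theta; the paper learns this value with TD3

# Constructed sample data (not from the paper).
OCCUPATION = {
    "dr_a": "doctor",
    "dr_b": "doctor",
    "dr_m": "doctor",          # the user whose behaviour degrades below
    "nurse_c": "nurse",
    "sw_d": "social worker",
}
EDGES = {  # undirected edges with their connection probabilities CP_ij
    ("dr_a", "dr_b"): 0.9,
    ("dr_a", "nurse_c"): 0.8,
    ("dr_a", "sw_d"): 0.7,
    ("dr_b", "nurse_c"): 0.6,
    ("dr_b", "sw_d"): 0.9,
    ("nurse_c", "sw_d"): 0.8,
    ("dr_a", "dr_m"): 0.9,
    ("dr_b", "dr_m"): 0.8,
    ("dr_m", "sw_d"): 0.7,
}
# Observed (PL_i, DI_i) per user; anyone not listed is treated as (0, 1).
BEHAVIOUR = {"dr_m": (0.6, 0.5)}


def fading_factor(pl, di):
    """rho = (1 - PL_i + DI_i) / 2 with PL_i, DI_i in [0, 1]."""
    return (1 - pl + di) / 2


def fade_edges(edges, behaviour):
    """Apply CP_ij <- rho * CP_ij (Eq. 4) and drop edges below the threshold."""
    faded = {}
    for (a, b), cp in edges.items():
        for user in (a, b):  # assumption: both endpoints' factors apply
            pl, di = behaviour.get(user, (0.0, 1.0))
            cp *= fading_factor(pl, di)
        if cp >= EDGE_THRESHOLD:
            faded[(a, b)] = cp
    return faded


def trust_scores(edges, users):
    """Stand-in for UT_i ∝ UI_i: normalized degree instead of GCN influence."""
    degree = {u: 0 for u in users}
    for a, b in edges:
        degree[a] += 1
        degree[b] += 1
    return {u: d / (len(users) - 1) for u, d in degree.items()}


def decide(users, trust, theta=ACCESS_THRESHOLD):
    """Grant access only if trust exceeds theta AND the occupation is doctor."""
    return {u: trust[u] > theta and occ == "doctor" for u, occ in users.items()}


def evaluate(edges, behaviour, users=OCCUPATION, theta=ACCESS_THRESHOLD):
    trust = trust_scores(fade_edges(edges, behaviour), users)
    return trust, decide(users, trust, theta)


if __name__ == "__main__":
    for label, behaviour in (("before", {}), ("after", BEHAVIOUR)):
        trust, access = evaluate(EDGES, behaviour)
        print(label)
        for user in sorted(trust):
            print(f"  {user:8s} trust={trust[user]:.2f} access={access[user]}")
```
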


Fig. 2. Access control framework for the “Fresenius Medical Care” case.

TABLE I
PARAMETER SETUP

B. Performance Metrics
The performance of the SACM is evaluated by access control accuracy, privacy leakage degree, and data integrity with different numbers of users, numbers of medical data, and percentages of malicious users. To be specific, we first evaluate the access control accuracy in terms of false alarm rate (FAR) and miss detection rate (MDR) of SACM and SACM_U, where SACM_U denotes the universal access control model built by the SACM. Then, we compare both privacy leakage degree and data integrity between SACM, SACM_U, and k-BGP [25].
1) Access Control Accuracy: The access control accuracy consists of both FAR and miss detection rate.
2) Privacy Leakage: The privacy leakage degree is measured by the percentage of the private data exposed to the overall data.
3) Data Integrity: The data integrity represents the percentage of data that remains unaltered.

C. Experimental Results
1) Access Control Accuracy: The access control accuracy is measured in Fig. 3 for SACM and in Fig. 4 for SACM_U, while considering different numbers of users and different percentages of malicious users.

Fig. 3. Access control accuracy of the SACM with different (a) numbers of users and (b) probabilities of malicious users.

Fig. 4. Access control accuracy of the SACM_U (a) with different numbers of users and (b) probabilities of malicious users.

Observed from Fig. 3(a), we find that as the number of users increases both MDR and FAR grow. The maximum MDR and FAR are about 11% and 14.5%, compared with the minimum MDR and FAR of 6% and 10%. Note that both MDR and FAR of the SACM are less than 15% at any number of users. This is because the trust-based access control is achieved utilizing the DRL algorithm with users’ trusts obtained from their social data through the GCN. Then, with the percentage of malicious users fixed, the SACM is able to authorize honest users to access medical data.

As shown in Fig. 3(b), both MDR and FAR increase as the percentage of malicious users increases. When there are 35% malicious users, the SACM obtains roughly 13.5% of FAR and 10% of MDR. No doubt the highest percentage of malicious users results in the highest FAR and MDR with a fixed number of users. The reason is as follows. Even if one-third of users are malicious, the social data of users can be used to efficiently determine who is trustworthy through the GCN. Furthermore, both privacy leakage and data integrity are considered in the construction of the access control model; therefore, the trusts of malicious users can hardly be higher than the access control threshold obtained by the DRL algorithm.

In Fig. 4(a), it is clear that both FAR and MDR gradually grow with the number of users. The maximum FAR and MDR are around 22.5% and 18.5%, respectively, when there are 100 users. Note that both FAR and MDR are obtained using the universal access control model of the SACM. Therefore, compared with 14.5% of FAR and 11% of MDR of the SACM that utilizes the local access control model, both FAR and MDR obtained by the SACM_U that uses the universal access control model are at least 7% higher. This is because the universal access control model is built utilizing federated learning, the accuracy of which depends on the differences between local data sets. That explains the accuracy degradation of the universal model on a specific local data set. However, the maximum FAR and MDR are less than 23%.

Observed from Fig. 4(b), we find that, as the percentage of malicious users increases, the FAR and the MDR increase. In addition, the SACM_U obtains 22% of FAR and 14.5% of MDR on average, with the highest ones equal to 26% and 18%, respectively. Although the SACM_U applies the universal access control model, trustworthy users can be granted authorities to access medical data with both FAR and MDR nearly 8% higher than those of the SACM. Again, the federated learning process explains the accuracy degradation.

Figs. 3 and 4 suggest the SACM can improve the access control accuracy for IoT-Healthcare.

2) Privacy Leakage: Fig. 5 gives the privacy leakage comparison between SACM, SACM_U, and k-BGP considering different probabilities of privacy exposed, numbers of users, and probabilities of malicious users.

Fig. 5. Privacy leakage comparison between SACM, SACM_U, and k-BGP with different (a) probabilities of privacy exposed, (b) numbers of users, and (c) probabilities of malicious users.

As shown in Fig. 5(a), it is evident that the privacy leakage degree increases with the probability of privacy exposed for all approaches, with the number of users equal to 50 and the probability of malicious users equal to 0.5. In addition, the privacy leakage degree increases by almost 25% for the k-BGP, compared with 2% of the SACM_U and 1% of the SACM, respectively. This is because although the k-BGP can achieve access control, the privacy leakage is not considered. Besides, both SACM and SACM_U adopt the DRL algorithm to determine the proper threshold for the access control to minimize the privacy leakage. The results shown in Fig. 5(b) are as we expected, with the probability of privacy exposed equal to 0.7 and the probability of malicious users equal to 0.5. For example, the maximum privacy leakage is only 7% and 3% for SACM_U and SACM, respectively, compared with 35% of k-BGP, because k-BGP, unlike SACM_U and SACM, disregards the privacy leakage degree. Observed from Fig. 5(c), we find that as the percentage of malicious users grows the privacy leakage degree increases, with the probability of privacy exposed equal to 0.7 and the number of users equal to 50. For example, nearly 65% of privacy will be exposed on average by k-BGP, compared with 9% of SACM_U and 7% of SACM. Fig. 5 indicates that the SACM can prevent privacy leakage for IoT-Healthcare.

3) Data Integrity: Fig. 6 presents the data integrity comparison between SACM, SACM_U, and k-BGP considering different probabilities of privacy exposed, numbers of users, and probabilities of malicious users.

Fig. 6. Data integrity comparison between SACM, SACM_U, and k-BGP with different (a) probabilities of privacy exposed, (b) numbers of users, and (c) probabilities of malicious users.

As shown in Fig. 6(a), it is clear that the data integrity decreases as the number of medical data increases for all approaches, with the number of users equal to 50 and the probability of malicious users equal to 0.5. There is a 23% drop in data integrity for k-BGP, compared with 6% of SACM_U and 2% of SACM, respectively. Note that only SACM and SACM_U employ the DRL-based access control mechanism, which takes into account both reducing privacy leakage (see Fig. 5) and maintaining data integrity. Therefore, k-BGP obtains a much lower data integrity. Fig. 6(b) shows the negative effect of the number of users on the data integrity for all approaches, with the probability of integrity compromised equal to 0.8 and the probability of malicious users equal to 0.5. Obviously, SACM and SACM_U manage to maintain 96% and 92% data integrity, respectively, on average, compared with 63% of k-BGP. Observed from Fig. 6(c), we find that the data integrity drops with the increasing percentage of malicious users as we expected, with the number of users equal to 50 and the probability of integrity compromised equal to 0.8. Once again, SACM obtains the highest data integrity, that is, 95%, compared with 92% of SACM_U and 65% of k-BGP.

Fig. 6 suggests the SACM can improve the data integrity for IoT-Healthcare.

VI. CONCLUSION
To prevent patients’ privacy leakage and maintain medical data integrity in IoT-Healthcare, in this article, we propose an attribute-based SACM using FDL. Specifically, given the fact that an influential user is considerably trustworthy, we introduce the social graph about users, in which each edge weight stands for the connection probability of a specific pair of users according to their social similarities. Then, we feed the GCN with both the neighbor graph and the features of each user to obtain the user’s influence and trust utilizing an SIR-based loss function. Next, the secure access control is accomplished by giving each user a specific authority according to their trusts and occupations. Furthermore, the FDL technology is applied to learn the access control threshold for the privacy preservation of patients and the integrity maintenance of medical data. The experimental results indicate that: 1) the proposed SACM can achieve secure access control on users in IoT-Healthcare and 2) the SACM performs excellently with high data integrity and low privacy leakage.

REFERENCES
[1] F. Al-Turjman and B. Deebak, “Privacy-aware energy-efficient framework using the Internet of medical things for COVID-19,” IEEE Internet Things Mag., vol. 3, no. 3, pp. 64–68, Sep. 2020.
[2] S. Misra, V. Tiwari, and M. S. Obaidat, “Lacas: Learning automata-based congestion avoidance scheme for healthcare wireless sensor networks,” IEEE J. Sel. Areas Commun., vol. 27, no. 4, pp. 466–479, May 2009.
[3] X. Zhou, Y. Li, and W. Liang, “CNN-RNN based intelligent recommendation for online medical pre-diagnosis support,” IEEE/ACM Trans. Comput. Biol. Bioinf., vol. 18, no. 3, pp. 912–921, May/Jun. 2021, doi: 10.1109/TCBB.2020.2994780.
[4] M. Raza, M. Awais, N. Singh, M. Imran, and S. Hussain, “Intelligent IoT framework for indoor healthcare monitoring of Parkinson’s disease patient,” IEEE J. Sel. Areas Commun., vol. 39, no. 2, pp. 593–602, Feb. 2021.
[5] S. Misra, A. Roy, C. Roy, and A. Mukherjee, “DROPS: Dynamic radio protocol selection for energy-constrained wearable IoT healthcare,” IEEE J. Sel. Areas Commun., vol. 39, no. 2, pp. 338–345, Feb. 2021.
[6] H. Liu, X. Yao, T. Yang, and H. Ning, “Cooperative privacy preservation for wearable devices in hybrid computing-based smart health,” IEEE Internet Things J., vol. 6, no. 2, pp. 1352–1362, Apr. 2019.
[7] Z. Guan, J. Li, L. Zhu, Z. Zhang, X. Du, and M. Guizani, “Toward delay-tolerant flexible data access control for smart grid with renewable energy resources,” IEEE Trans. Ind. Informat., vol. 13, no. 6, pp. 3216–3225, Dec. 2017.
[8] J. Xia, G. Cheng, S. Gu, and D. Guo, “Secure and trust-oriented edge storage for Internet of Things,” IEEE Internet Things J., vol. 7, no. 5, pp. 4049–4060, May 2020.
[9] S. Peng et al., “An immunization framework for social networks through big data based influence modeling,” IEEE Trans. Dependable Secure Comput., vol. 16, no. 6, pp. 984–995, Nov./Dec. 2019.
[10] G. Zhao, P. Jia, A. Zhou, and B. Zhang, “InfGCN: Identifying influential nodes in complex networks with graph convolutional networks,” Neurocomputing, vol. 414, pp. 18–26, Nov. 2020.
[11] N. Pathak, S. Misra, A. Mukherjee, and N. Kumar, “HeDI: Healthcare device interoperability for IoT-based e-Health platforms,” IEEE Internet Things J., early access, Jan. 18, 2021, doi: 10.1109/JIOT.2021.3052066.


[12] S. Misra, S. Moulik, and H.-C. Chao, “A cooperative bargaining solution for priority-based data-rate tuning in a wireless body area network,” IEEE Trans. Wireless Commun., vol. 14, no. 5, pp. 2769–2777, May 2015.
[13] Y. Yang, X. Liu, and R. H. Deng, “Lightweight break-glass access control system for healthcare Internet-of-Things,” IEEE Trans. Ind. Informat., vol. 14, no. 8, pp. 3610–3617, Aug. 2018.
[14] S. Roy, A. K. Das, S. Chatterjee, N. Kumar, S. Chattopadhyay, and J. J. P. C. Rodrigues, “Provably secure fine-grained data access control over multiple cloud servers in mobile cloud computing based healthcare applications,” IEEE Trans. Ind. Informat., vol. 15, no. 1, pp. 457–468, Jan. 2019.
[15] K. Edemacu, B. Jang, and J. W. Kim, “Collaborative Ehealth privacy and security: An access control with attribute revocation based on OBDD access structure,” IEEE J. Biomed. Health Inform., vol. 24, no. 10, pp. 2960–2972, Oct. 2020.
[16] J. Liu, H. Tang, R. Sun, X. Du, and M. Guizani, “Lightweight and privacy-preserving medical services access for healthcare cloud,” IEEE Access, vol. 7, pp. 106951–106961, 2019.
[17] W. Zhang, Y. Lin, J. Wu, and T. Zhou, “Inference attack-resistant E-healthcare cloud system with fine-grained access control,” IEEE Trans. Services Comput., vol. 14, no. 1, pp. 167–178, Jan./Feb. 2021.
[18] Y. Meng, Z. Huang, G. Shen, and C. Ke, “SDN-based security enforcement framework for data sharing systems of smart healthcare,” IEEE Trans. Netw. Service Manag., vol. 17, no. 1, pp. 308–318, Mar. 2020.
[19] S. Jiang, M. Duan, and L. Wang, “Toward privacy-preserving symptoms matching in SDN-based mobile healthcare social networks,” IEEE Internet Things J., vol. 5, no. 3, pp. 1379–1388, Jun. 2018.
[20] J. Xu et al., “Healthchain: A blockchain-based privacy preserving scheme for large-scale health data,” IEEE Internet Things J., vol. 6, no. 5, pp. 8770–8781, Oct. 2019.
[21] J. Sun, H. Xiong, X. Liu, Y. Zhang, X. Nie, and R. H. Deng, “Lightweight and privacy-aware fine-grained access control for IoT-oriented smart health,” IEEE Internet Things J., vol. 7, no. 7, pp. 6566–6575, Jul. 2020.
[22] K. Fan et al., “A secure and verifiable data sharing scheme based on blockchain in vehicular social networks,” IEEE Trans. Veh. Technol., vol. 69, no. 6, pp. 5826–5835, Jun. 2020.
[23] X.-L. Huang, Y.-X. Li, Y. Gao, and X.-W. Tang, “Q-learning-based spectrum access for multimedia transmission over cognitive radio networks,” IEEE Trans. Cogn. Commun. Netw., vol. 7, no. 1, pp. 110–119, Mar. 2021.
[24] I. M. Foppa, W. O. Kermack, and A. G. McKendrick, “A seminal contribution to the mathematical theory of epidemics (1927),” in A Historical Introduction to Mathematical Modeling of Infectious Diseases, vol. 115. Boston, MA, USA: Academic, 2017, pp. 59–87.
[25] M. U. Arshad, M. Felemban, Z. Pervaiz, A. Ghafoor, and W. G. Aref, “A privacy mechanism for access controlled graph data,” IEEE Trans. Dependable Secure Comput., vol. 16, no. 5, pp. 819–832, Sep./Oct. 2019.

Hui Lin received the Ph.D. degree in computing system architecture from the College of Computer Science, Xidian University, Xi’an, China, in 2013.
He is a Professor with the College of Computer and Cyber Security, Fujian Normal University, Fuzhou, China, where he is currently an M.E. Supervisor. He has published more than 50 papers in international journals and conferences. His research interests include mobile cloud computing systems, blockchain, and network security.

Kuljeet Kaur (Member, IEEE) received the B.Tech. degree in computer science and engineering from Punjab Technical University, Kapurthala, India, in 2011, and the M.E. degree in information security and the Ph.D. degree in computer science and engineering from Thapar Institute of Engineering and Technology (Deemed to be University), Patiala, India, in 2015 and 2018, respectively.
She worked as an NSERC Postdoctoral Research Fellow with the École de technologie supérieure (ETS), Université du Québec, Montreal, QC, Canada, from 2018 to 2020. She is currently working as an Assistant Professor with the Electrical Engineering Department, ETS, and a Visiting Researcher with the School of Computer Science and Engineering, Nanyang Technological University, Singapore. She has secured several research articles in top-tier journals, such as IEEE WIRELESS COMMUNICATIONS, IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, IEEE TRANSACTIONS ON CLOUD COMPUTING, IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, IEEE TRANSACTIONS ON MULTIMEDIA, IEEE TRANSACTIONS ON SMART GRID, IEEE SYSTEMS JOURNAL, IEEE INTERNET OF THINGS JOURNAL, IEEE Communications Magazine, IEEE NETWORK, IEEE TRANSACTIONS ON POWER SYSTEMS, Future Generation Computer Systems, Journal of Parallel and Distributed Computing, and Peer-to-Peer Networking and Applications (Springer), and various international conferences, including IEEE Globecom, IEEE ICC, IEEE PES GM, IEEE WCNC, IEEE Infocom Workshops, ACM MobiCom Workshops, and ACM MobiHoc workshops. During her Ph.D., she received two prestigious fellowships, i.e., INSPIRE Fellowship from the Department of Science and Technology, India, in 2015, and a Research Scholarship from Tata Consultancy Services from 2016 to 2018. Her main research interests include cloud computing, energy efficiency, smart grid, frequency support, and vehicle to grid.
Dr. Kaur received the IEEE ICC Best Paper Award in 2018 from Kansas City, USA, the 2019 Best Research Paper Award from Thapar Institute of Engineering and Technology, India, and the 2020 IEEE SYSTEMS JOURNAL Best Paper Award. She serves as an Associate Editor for Security and Privacy (Wiley), Journal of Information Processing Systems, and Human-Centric Computing and Information Sciences (Springer) and a Guest Editor for special issues in IEEE TRANSACTION ON INDUSTRIAL INFORMATICS and IEEE OPEN JOURNAL OF THE COMPUTER SOCIETY. She is a Website Co-Chair of the N2Women Community. She also serves as the Vice-Chair of the IEEE Montreal Young Professionals Affinity Group. She has also been the TPC Co-Chair for IEEE Infocom in 2020 and ACM MobiCom in 2020 workshops on DroneCom. She is a member of the IEEE Communications Society, IEEE Computer, IEEE Women in Engineering, IEEE Software Defined Networks Community, IEEE Smart Grid Community, ACM, and IAENG.

Xiaoding Wang received the Ph.D. degree from the College of Mathematics and Informatics, Fujian Normal University, Fuzhou, China, in 2016.
He is an Associate Professor with the College of Computer and Cyber Security, Fujian Normal University, FuZhou, China. His main research interests include network optimization and fault tolerance.


Georges Kaddoum (Senior Member, IEEE) received the Ph.D. degree (Hons.) in signal processing and telecommunications from the National Institute of Applied Sciences, Toulouse, France, 2008.
He held the ETS Research Chair in physical-layer security for wireless networks. He published over 200 journal and conference papers and two pending patents.
Prof. Kaddoum is the recipient of the Research Excellence Award of the Université du Quebec in 2018 and the Research Excellence Award-Emerging Researcher from ETS in 2019. He is also a co-recipient of the Best Papers Awards of the IEEE PIMRC in 2017 and the IEEE WiMob in 2014. He received the Exemplary Reviewer Award from IEEE TRANSACTIONS ON COMMUNICATION twice in 2015 and 2017. He is currently serving as an Associate Editor for the IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY and IEEE Communications Letters.

Jia Hu received the M.Eng. and B.Eng. degrees in electronic engineering from the Huazhong University of Science and Technology, Wuhan, China, in 2006 and 2004, respectively, and the Ph.D. degree in computer science from the University of Bradford, Bradford, U.K, in 2010.
He is a Senior Lecturer of Computer Science with the University of Exeter, Exeter, U.K. His research interests include edge–cloud computing, resource optimization, applied machine learning, and network security. He has published over 80 research papers within these areas in prestigious international journals and reputable international conferences.
Dr. Hu has received the Best Paper Awards at IEEE SOSE’16 and IUCC14. He serves on the Editorial Board of Computers & Electrical Engineering (Elsevier) and has guest-edited many special issues on major international journals, such as IEEE INTERNET OF THINGS JOURNAL, Computer Networks, and Ad Hoc Networks. He has served as the General Co-Chair of IEEE CIT’15 and IUCC’15 and the Program Co-Chair of IEEE ISPA’20, ScalCom’19, SmartCity’18, CYBCONF’17, and EAI SmartGIFT’2016.

Mohammad Mehedi Hassan (Senior Member, IEEE) received the Ph.D. degree in computer engineering from Kyung Hee University, Seoul, South Korea, in 2011.
He is currently a Full Professor with the Information Systems Department, College of Computer and Information Sciences, King Saud University (KSU), Riyadh, Saudi Arabia. He has authored and coauthored more than 260 publications, including refereed journals (over 218 SCI/ISI-Indexed journal papers, four ESI highly cited papers, and one hot paper), conference papers, books, and book chapters. His research interests include cloud/edge computing, Internet of Things, artificial intelligence, body sensor network, big data, mobile computing, cyber security, smart computing, 5G/6G network, and social network.
Dr. Hassan is a recipient of a number of awards, including the Distinguished Research Award from College of Computer and Information Sciences, KSU, in 2020, the Best Conference Paper Award from IEEE International Conference on Sustainable Technologies for Industry 4.0 in 2020, the Best Journal Paper Award from IEEE SYSTEMS JOURNAL in 2018, the Best Conference Paper Award from CloudComp in 2014 conference, and the Excellence in Research Award from College of Computer and Information Sciences, KSU, in 2015 and 2016. He has served as the Chair and the Technical Program Committee Member in numerous reputed international conferences/workshops, such as IEEE CCNC, ACM BodyNets, and IEEE HPCC. He is listed as one of the top 2% Scientists of the world in Networking and Telecommunication field. He is one of the top computer scientists in Saudi Arabia as well. He is on the Editorial Board of several SCI/ISI-indexed journals. He has also played role of the guest editor of several international ISI-indexed journals.
