A Consortium Blockchain Framework for Decentralized Identity Management and Fine-Grained Access Control in Healthcare Information Systems

Abstract

Centralized Electronic Health Record (EHR) systems have brought with them a myriad of challenges to healthcare in the world today, which have high points of failure, diminished patient autonomy, and do not easily adjust to up-to-date regulatory standards. This essay suggests and analyses a new blockchain-based consortium that can be called HealthChain to manage the decentralization of digital identity and access control in healthcare information systems with granulated fine-grained access control. The structure combines the W3C-conformant Decentralized Identifiers (DID), Verifiable Credentials (VC) and Attribute-Based Access Control (ABAC) smart contracts running on a permissioned Ethereum network with Proof of Authority (PoA) consensus. Electronic Health Records are encrypted using the AES-256-GCM and are stored off-chain using the InterPlanetary File System (IPFS) where only the cryptographic content identifiers are stored on-chain. An initial prototype was built and tested on five simulation nodes archetyping a regional healthcare consortium: proof-of-concept. Sub-200 ms transaction latency is proven by experimental results on 30 independent trials on all critical operations, 156 ms on access requests, and 134 ms on emergency access. The success rates of IPFS in retrieving EHR files are more than 99.5 percent regardless of file sizes. Sources Usability testing with 45 users yield over 94 percent task completion among all user groups. The system has complete compliance with the HIPAA Security Rule and offers a workable architectural solution to the GDPR right-to-erasure dilemma using pseudonymous on-chain identifiers. A comparative analysis can verify that HealthChain is more effective than centralized EHR systems, federated Health Information Exchanges, and public blockchain substitutes in the patient control area, audit immutability, privacy protection, and regulatory compliance without experiencing any significant impact on clinically acceptable performance.

Introduction

The text discusses HealthChain, a blockchain-based system designed to address structural weaknesses in healthcare information systems, particularly centralized EHR management. Traditional healthcare IT systems suffer from single points of failure, poor patient control, limited interoperability, and vulnerability to data breaches, as evidenced by incidents like the Anthem breach. These shortcomings compromise security, patient autonomy, and compliance with regulations like HIPAA and GDPR.

HealthChain contributions include:

1. A four-layer consortium blockchain architecture integrating Decentralized Identifiers (DIDs), Verifiable Credentials (VCs), Attribute-Based Access Control (ABAC) smart contracts, and IPFS off-chain storage tailored for healthcare regulations.
2. A formal access control model enabling fine-grained, attribute-driven policies without a central administrator.
3. Experimental evaluation covering performance, security, usability, and regulatory compliance, statistically validated over 30 trials.
4. A solution to the GDPR right-to-erasure vs. blockchain immutability conflict using pseudonymous on-chain IDs and deletable off-chain storage.

System Architecture:

• Application Layer: React.js dApp interface for patients, doctors, insurers, and researchers; HL7 FHIR-compliant APIs for interoperability.
• Access and Identity Layer: Implements W3C DIDs and VCs; ABAC smart contracts enforce multi-dimensional policies based on user, resource, action, and environmental attributes.
• Blockchain Layer: Permissioned Ethereum network with Proof of Authority (PoA) among institutional validator nodes; stores identifiers, hashed policy references, and access logs without PII.
• Off-Chain Storage Layer: AES-256-GCM encrypted EHRs stored in an IPFS cluster, referenced by on-chain cryptographic hashes (CIDs) to ensure integrity without exposing plaintext.

ABAC Model & Workflows:

• Access decisions require valid VCs, explicit patient consent, and fulfillment of all attribute conditions.
• Emergency access allows temporary, limited access to critical data, logged and reviewed afterward.
• GDPR erasure deletes off-chain data while keeping pseudonymous on-chain identifiers and policy hashes to maintain auditability.

Experimental Evaluation:

• Prototype tested on a private Ethereum PoA network with three-node IPFS storage.
• Smart contracts validated with symbolic execution; performance results averaged over 30 trials.

Conclusion

In this paper, the framework of a HealthChain has been described as a consortium blockchain model to decentralize the identity management and attribute-based access control in a healthcare information system. HealthChain addresses the inherent conflict between the auditability guarantees of blockchain and the privacy demands of healthcare with the help of W3C-compliant DID/s [27], Verifiable Credentials [28], ABAC smart contracts [17], and IPFS off-chain encrypted storage. Experimental testing showed latency of transactions of less than 200 ms, constant throughput of regional healthcare networks, AES-256-GCM encryption with minimal overhead and full HIPAA compliance. The pseudonymous on-chain identifier architecture offers a workable implementation of the GDPR right-to-erasure. The usability test was used to confirm that blockchain complexity could be successfully abstracted to non-technical healthcare users. Future directions will include: (1) migration of post-quantum cryptography to withstand threats of quantum computing; (2) integration of zero-knowledge proof of privacy-preserving attribute verifications; (3) Layer-2 scaling to nationwide deployments; and (4) formal ProVerif/Scyther verification of the security properties of access control protocols. HealthChain proves that the idea of patient-focused, blockchain-based healthcare data management is not only appealing in theory but also can be implemented in practice with the current technology.

References

[1] S. Nakamoto, \"Bitcoin: A Peer-to-Peer Electronic Cash System,\" White Paper, Oct. 2008. [2] A. Narayanan et al., Bitcoin and Cryptocurrency Technologies. Princeton Univ. Press, 2016. [3] M. Castro and B. Liskov, \"Practical Byzantine Fault Tolerance,\" in Proc. 3rd OSDI, 1999, pp. 173–186. [4] N. Szabo, \"The Idea of Smart Contracts,\" White Paper, 1997. [5] A. Ekblaw, A. Azaria, J. D. Halamka, and A. Lippman, \"MedRec: Using Blockchain for Medical Data Access,\" in Proc. 2nd Int. Conf. Open and Big Data, 2016, pp. 25–30. [6] R. Zhang, R. Schmidt, and J. Han, \"FHIRChain: Applying Blockchain to Securely and Scalably Share Clinical Data,\" Comput. Struct. Biotechnol. J., vol. 16, pp. 267–278, 2018. [7] M. Benchoufi and P. Ravaud, \"Blockchain Technology for Improving Clinical Research Quality,\" Trials, vol. 18, no. 1, pp. 1–5, 2017. [8] X. Liu et al., \"A Blockchain-Based Medical Data Sharing and Protection Scheme,\" IEEE Access, vol. 7, pp. 60224–60235, 2019. [9] A. Reyna et al., \"On Blockchain and Its Integration with IoT,\" Future Gener. Comput. Syst., vol. 88, pp. 173–190, 2018. [10] M. Mettler, \"Blockchain Technology in Healthcare,\" in Proc. IEEE HEALTHCOM, 2016, pp. 520–522. [11] K. Cameron, \"The Laws of Identity,\" Microsoft White Paper, 2005. [12] E. Bertino and K. Takahashi, Identity Management: Concepts, Technologies, and Systems. Artech House, 2010. [13] C. Allen, \"The Path to Self-Sovereign Identity,\" Life with Alacrity Blog, Apr. 2016. [14] A. Preukschat and D. Reed, Self-Sovereign Identity. Manning Publications, 2021. [15] R. S. Sandhu and P. Samarati, \"Access Control: Principle and Practice,\" IEEE Commun. Mag., vol. 32, no. 9, pp. 40–48, 1994. [16] D. Ferraiolo, D. R. Kuhn, and R. Chandramouli, Role-Based Access Control, 2nd ed. Artech House, 2007. [17] E. Yuan and J. Tong, \"Attributed Based Access Control (ABAC) for Web Services,\" in Proc. IEEE ICWS, 2005, pp. 561–569. [18] D. Blumenthal and M. Tavenner, \"The \'Meaningful Use\' Regulation for Electronic Health Records,\" N. Engl. J. Med., vol. 363, no. 6, pp. 501–504, 2010. [19] M. B. Buntin et al., \"The Benefits of Health Information Technology,\" Health Aff., vol. 30, no. 3, pp. 464–471, 2011. [20] J. C. Mandel et al., \"SMART on FHIR,\" J. Am. Med. Inform. Assoc., vol. 23, no. 5, pp. 899–908, 2016. [21] J. R. Vest and B. A. Kash, \"Differing Ability to Leverage Health Information Exchange,\" Health Care Manage. Rev., vol. 41, no. 1, pp. 44–54, 2016. [22] L. Coventry and D. Branley, \"Cybersecurity in Healthcare,\" Maturitas, vol. 113, pp. 48–52, 2018. [23] C. S. Kruse et al., \"Security Techniques for the Electronic Health Records,\" J. Med. Syst., vol. 41, no. 8, p. 127, 2017. [24] U.S. Dept. Health and Human Services, \"Summary of the HIPAA Security Rule,\" HHS.gov, 2013. [25] P. Voigt and A. Von dem Bussche, The EU General Data Protection Regulation (GDPR). Springer, 2017. [26] C. Fernandes et al., \"Systematic Review of Healthcare Data Breaches,\" JMIR Med. Inform., vol. 8, no. 10, e23248, 2020. [27] W3C, \"Decentralized Identifiers (DIDs) v1.0,\" W3C Recommendation, Jul. 2022. [28] W3C, \"Verifiable Credentials Data Model v1.1,\" W3C Recommendation, Mar. 2022. [29] V. Hu, D. Ferraiolo, and D. R. Kuhn, Assessment of Access Control Systems. NIST IR 7316, 2006. [30] C. Probst et al., Eds., Insider Threats in Cyber Security. Springer, 2020. [31] A. Jøsang and S. Pope, \"User Centric Identity Management,\" in Proc. AusCERT, 2005. [32] D. Hardt, \"The OAuth 2.0 Authorization Framework,\" IETF RFC 6749, Oct. 2012. [33] A. Tobin and D. Reed, \"The Inevitable Rise of Self-Sovereign Identity,\" Sovrin Foundation, 2017.

Copyright

Copyright © 2026 Rinee Chaudhary , Sushil Kumar Sharma. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.