Digital patient record management has become standard in modern healthcare, yet widespread adoption has brought unprecedented challenges in maintaining the confidentiality of Protected Health Information (PHI). A fundamental architectural flaw persists across most deployed systems: access restrictions operate only at the user-interface layer, leaving the underlying stored data completely unprotected against direct database intrusion. This work proposes a cryptography-first design philosophy through the development of a web-based PHI Access Simulator. The simulator binds AES-256-GCM data encryption to RSA-2048 key encapsulation, with a Role-Based Access Control (RBAC) layer that governs key issuance based on verified job roles. Three access scenarios—clinical, administrative, and unauthorized—were systematically evaluated. Results confirm that cryptographic enforcement, rather than visual concealment, produces mathematically verifiable access boundaries that remain intact even under direct database compromise.
Introduction
This study presents a browser-based healthcare data security simulator designed to protect electronic patient records containing Protected Health Information (PHI) using a hybrid cryptographic approach combined with Role-Based Access Control (RBAC).
It begins by highlighting the security risks in modern digital hospitals, where interconnected systems improve efficiency but also increase vulnerability to cyberattacks. Traditional perimeter-based security (firewalls, authentication systems) is shown to be insufficient because once attackers gain valid credentials, they can access unencrypted patient data. To address this, the study shifts security from the network level to the data level by encrypting PHI itself.
The proposed system uses a hybrid encryption model: AES-256-GCM for fast encryption of medical data and RSA-2048 for securely managing encryption keys. Access to decryption keys is controlled through RBAC, ensuring only authorized roles (such as nurses or billing staff) can access specific types of data based on the principle of least privilege. Unauthorized users are fully blocked.
The literature review explains the evolution of healthcare security from perimeter-based defenses to modern cryptographic and RBAC-based systems. It highlights that hybrid encryption and role-based access are now considered best practices, but real systems often fail to fully encrypt data at rest.
The research gap identified is that most hospital systems still rely on application-layer access control, meaning data is only hidden in the interface but remains unprotected in storage. This leaves patient records vulnerable if the database is directly compromised.
The methodology involves building a browser-based simulator using HTML, CSS, and JavaScript. It demonstrates encryption of sensitive patient data, role-based key distribution, and controlled decryption workflows. A synthetic patient dataset is used to test different access scenarios.
Results show that:
Nurses can decrypt full clinical data.
Billing staff can only access financial information, not medical records.
Healthcare data security cannot rely on visual concealment as its primary mechanism. When PHI records are stored in unprotected plaintext, any breach that reaches the database layer—regardless of the sophistication of the surrounding perimeter controls—immediately yields complete access to every patient record in the system. This structural vulnerability is not an implementation failure; it is the inevitable consequence of an architecture that conflates hiding data with protecting data.
The PHI Simulator — Hybrid Model presented in this paper demonstrates an alternative architecture in which protection is embedded in the data itself. By issuing RSA-2048 decryption keys exclusively to verified RBAC roles, the system ensures that clinical PHI remains computationally opaque to any party—internal or external—who does not hold the appropriate role-assigned credentials. The experimental results confirm that this guarantee is preserved across three distinct access scenarios: a nurse obtains full clinical access, a billing clerk is cryptographically confined to financial data, and an unauthorized user is denied any data whatsoever.
This work contributes a practical architectural template for organizations seeking to advance beyond perimeter-centric security toward a data-centric security posture—a transition that grows increasingly urgent as both the sophistication of external attacks and the frequency of insider-threat incidents continue to rise.