Jinfei Liu,Li Xiong

DOI: https://doi.org/10.1007/978-3-319-41576-5_5

2015-01-01

Abstract:Up till now, most medical treatments are designed for average patients. However, one size doesn't fit all, treatments that work well for some patients may not work for others. Precision medicine is an emerging approach for disease treatment and prevention that takes into account individual variability in people's genes, environments, lifestyles, etc. A critical component for precision medicine is to search existing treatments for a new patient by similarity queries. However, this also raises significant concerns about patient privacy, i.e., how such sensitive medical data would be managed and queried while ensuring patient privacy? In this paper, we (1) briefly introduce the background of the precision medicine initiative, (2) review existing secure kNN queries and introduce a new class of secure skyline queries, (3) summarize the challenges and investigate potential techniques for secure skyline queries.

Harsh Kasyap,Ugur Ilker Atmaca,Carsten Maple,Graham Cormode,Jiancong He

2024-11-08

Abstract:Financial institutions rely on data for many operations, including a need to drive efficiency, enhance services and prevent financial crime. Data sharing across an organisation or between institutions can facilitate rapid, evidence-based decision-making, including identifying money laundering and fraud. However, modern data privacy regulations impose restrictions on data sharing. For this reason, privacy-enhancing technologies are being increasingly employed to allow organisations to derive shared intelligence while ensuring regulatory compliance. This paper examines the case in which regulatory restrictions mean a party cannot share data on accounts of interest with another (internal or external) party to determine individuals that hold accounts in both datasets. The names of account holders may be recorded differently in each dataset. We introduce a novel privacy-preserving scheme for fuzzy name matching across institutions, employing fully homomorphic encryption over MinHash signatures. The efficiency of the proposed scheme is enhanced using a clustering mechanism. Our scheme ensures privacy by only revealing the possibility of a potential match to the querying party. The practicality and effectiveness are evaluated using different datasets, and compared against state-of-the-art schemes. It takes around 100 and 1000 seconds to search 1000 names from 10k and 100k names, respectively, meeting the requirements of financial institutions. Furthermore, it exhibits significant performance improvement in reducing communication overhead by 30-300 times.

Cryptography and Security

Jie Xu,Zhenxing Xu,Peter Walker,Fei Wang

DOI: https://doi.org/10.1609/aaai.v34i04.6121

2020-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Privacy concerns on sharing sensitive data across institutions are particularly paramount for the medical domain, which hinders the research and development of many applications, such as cohort construction for cross-institution observational studies and disease surveillance. Not only that, the large volume and heterogeneity of the patient data pose great challenges for retrieval and analysis. To address these challenges, in this paper, we propose a Federated Patient Hashing (FPH) framework, which collaboratively trains a retrieval model stored in a shared memory while keeping all the patient-level information in local institutions. Specifically, the objective function is constructed by minimization of a similarity preserving loss and a heterogeneity digging loss, which preserves both inter-data and intra-data relationships. Then, by leveraging the concept of Bregman divergence, we implement optimization in a federated manner in both centralized and decentralized learning settings, without accessing the raw training data across institutions. In addition to this, we also analyze the convergence rate of the FPH framework. Extensive experiments on real-world clinical data set from critical care are provided to demonstrate the effectiveness of the proposed method on similar patient matching across institutions.

Chaoyi Pang,David Hansen

2006-01-01

Abstract:The health data integration project at the E-Health Research Centre is researching ways of improving the integration of health and health rela ted data while maintaining the privacy and security of the data. One such method is to improve the mechanisms of matching patients across databases when the identifying information m ust not be revealed, even during the linkage step. Background: With health related data spread between many admin istrative and clinical databases the ability to bring the data to gether dynamically is important. This could be to support clinical based decision making, admin istrative reporting or for clinical research based access to data. Objectives: There are already mechanisms published for blind f olded record linkage. A mechanism for further strengthenin g the security and privacy of these algorithms is to encrypt the identifying data, such as name, data of birth, before performing the linkage step. However, due to the nature of enc ryption algorithms, encrypted data can only be matched exactly, limiting the ability to allow f or errors in the data. This work presents a mechanism to allow matching of encrypted data when there may be errors in the data. Methods: A public reference table which is common to both d ata custodians is used. Each value in the original data is compared to data in t he public reference table using an edit distance function. Names from the reference table w hich are within a given distance of the original data are sent to the linker. The data from the two data custodians are then compared to decide the likelihood of two records being a mat ch. Results: The method described in this paper performs better than other methods which supp ort matching of encrypted data, such as exact matching or matching using soundex. Discussion and Conclusion: The method described in this paper can be used to improve the level of record matching in tools where access to identifying data is prohibited. This meth od is currently being added to the HDI software tool as another mechanism of matching reco rds between databases.

Doyel Pal,Tingting Chen,Sheng Zhong,Praveen Khethavath

DOI: https://doi.org/10.2196/medinform.3090

IF: 3.2

2014-01-01

JMIR Medical Informatics

Abstract:BACKGROUND:Linking medical records across different medical service providers is important to the enhancement of health care quality and public health surveillance. In records linkage, protecting the patients' privacy is a primary requirement. In real-world health care databases, records may well contain errors due to various reasons such as typos. Linking the error-prone data and preserving data privacy at the same time are very difficult. Existing privacy preserving solutions for this problem are only restricted to textual data.OBJECTIVE:To enable different medical service providers to link their error-prone data in a private way, our aim was to provide a holistic solution by designing and developing a medical record linkage system for medical service providers.METHODS:To initiate a record linkage, one provider selects one of its collaborators in the Connection Management Module, chooses some attributes of the database to be matched, and establishes the connection with the collaborator after the negotiation. In the Data Matching Module, for error-free data, our solution offered two different choices for cryptographic schemes. For error-prone numerical data, we proposed a newly designed privacy preserving linking algorithm named the Error-Tolerant Linking Algorithm, that allows the error-prone data to be correctly matched if the distance between the two records is below a threshold.RESULTS:We designed and developed a comprehensive and user-friendly software system that provides privacy preserving record linkage functions for medical service providers, which meets the regulation of Health Insurance Portability and Accountability Act. It does not require a third party and it is secure in that neither entity can learn the records in the other's database. Moreover, our novel Error-Tolerant Linking Algorithm implemented in this software can work well with error-prone numerical data. We theoretically proved the correctness and security of our Error-Tolerant Linking Algorithm. We have also fully implemented the software. The experimental results showed that it is reliable and efficient. The design of our software is open so that the existing textual matching methods can be easily integrated into the system.CONCLUSIONS:Designing algorithms to enable medical records linkage for error-prone numerical data and protect data privacy at the same time is difficult. Our proposed solution does not need a trusted third party and is secure in that in the linking process, neither entity can learn the records in the other's database.

Chuan Zhang,Xingqi Luo,Weiting Zhang,Mingyang Zhao,Jinwen Liang,Tong Wu,Liehuang Zhu

DOI: https://doi.org/10.1109/bigcom61073.2023.00019

2023-01-01

Abstract:Privacy-preserving bilateral task recommendation is an emerging functionality in mobile crowdsensing, enabling two-sided matching for both task publishers and workers while ensuring the confidentiality of both participants’ attributes and task-matching policies. However, existing approaches rarely integrate fuzzy matching into privacy-preserving bilateral task recommendations, limiting the efficiency of two-sided matching because they can hardly find intersections between matched task publishers and matched workers. Intuitively leveraging fuzzy matching leaks whether the attributes of a participant satisfy a task recommendation policy. Motivated by this, this paper proposes PBTR, the first privacy-preserving bilateral task recommendation scheme that supports fuzzy matching while preserving matching privacy. Specifically, we leverage the Lagrange interpolation theorem-based secret sharing to enrich the matchmaking encryption technique to achieve fuzzy matching in bilateral task recommendations. To preserve matching privacy, we design a privacy-preserving matching proxy mechanism, where policy matches successfully if and only if the policies of both parties are satisfied. Formal security analysis proves the security of PBTR under the chosen-plaintext attack in the random oracle model. Experimental results demonstrate the feasibility of PBTR, which only requires several milliseconds to achieve privacy-preserving bilateral task recommendations.

Nan Wu,Dinusha Vatsalan,Mohamed Ali Kaafar,Sanath Kumar Ramesh

DOI: https://doi.org/10.48550/arXiv.2301.04000

2023-01-09

Abstract:Several applications require counting the number of distinct items in the data, which is known as the cardinality counting problem. Example applications include health applications such as rare disease patients counting for adequate awareness and funding, and counting the number of cases of a new disease for outbreak detection, marketing applications such as counting the visibility reached for a new product, and cybersecurity applications such as tracking the number of unique views of social media posts. The data needed for the counting is however often personal and sensitive, and need to be processed using privacy-preserving techniques. The quality of data in different databases, for example typos, errors and variations, poses additional challenges for accurate cardinality estimation. While privacy-preserving cardinality counting has gained much attention in the recent times and a few privacy-preserving algorithms have been developed for cardinality estimation, no work has so far been done on privacy-preserving cardinality counting using record linkage techniques with fuzzy matching and provable privacy guarantees. We propose a novel privacy-preserving record linkage algorithm using unsupervised clustering techniques to link and count the cardinality of individuals in multiple datasets without compromising their privacy or identity. In addition, existing Elbow methods to find the optimal number of clusters as the cardinality are far from accurate as they do not take into account the purity and completeness of generated clusters. We propose a novel method to find the optimal number of clusters in unsupervised learning. Our experimental results on real and synthetic datasets are highly promising in terms of significantly smaller error rate of less than 0.1 with a privacy budget {\epsilon} = 1.0 compared to the state-of-the-art fuzzy matching and clustering method.

Cryptography and Security,Machine Learning

Tianxi Ji,Erman Ayday,Emre Yilmaz,Pan Li

DOI: https://doi.org/10.48550/arXiv.2109.02768

2021-09-06

Cryptography and Security

Abstract:When sharing sensitive relational databases with other parties, a database owner aims to (i) have privacy guarantees for the database entries, (ii) have liability guarantees (via fingerprinting) in case of unauthorized sharing of its database by the recipients, and (iii) provide a high quality (utility) database to the recipients. We observe that sharing a relational database with privacy and liability guarantees are orthogonal objectives. The former can be achieved by injecting noise into the database to prevent inference of the original data values, whereas, the latter can be achieved by hiding unique marks inside the database to trace malicious parties (data recipients) who redistribute the data without the authorization. We achieve these two objectives simultaneously by proposing a novel entry-level differentially-private fingerprinting mechanism for relational databases. At a high level, the proposed mechanism fulfills the privacy and liability requirements by leveraging the randomization nature that is intrinsic to fingerprinting and achieves desired entry-level privacy guarantees. To be more specific, we devise a bit-level random response scheme to achieve differential privacy guarantee for arbitrary data entries when sharing the entire database, and then, based on this, we develop an $\epsilon$-entry-level differentially-private fingerprinting mechanism. Next, we theoretically analyze the relationships between privacy guarantee, fingerprint robustness, and database utility by deriving closed form expressions. The outcome of this analysis allows us to bound the privacy leakage caused by attribute inference attack and characterize the privacy-utility coupling and privacy-fingerprint robustness coupling. Furthermore, we also propose a SVT-based solution to control the cumulative privacy loss when fingerprinted copies of a database are shared with multiple recipients.

Serhat Bakirtas,Elza Erkip

2023-10-25

Abstract:The re-identification or de-anonymization of users from anonymized data through matching with publicly available correlated user data has raised privacy concerns, leading to the complementary measure of obfuscation in addition to anonymization. Recent research provides a fundamental understanding of the conditions under which privacy attacks, in the form of database matching, are successful in the presence of obfuscation. Motivated by synchronization errors stemming from the sampling of time-indexed databases, this paper presents a unified framework considering both obfuscation and synchronization errors and investigates the matching of databases under noisy entry repetitions. By investigating different structures for the repetition pattern, replica detection and seeded deletion detection algorithms are devised and sufficient and necessary conditions for successful matching are derived. Finally, the impacts of some variations of the underlying assumptions, such as the adversarial deletion model, seedless database matching, and zero-rate regime, on the results are discussed. Overall, our results provide insights into the privacy-preserving publication of anonymized and obfuscated time-indexed data as well as the closely related problem of the capacity of synchronization channels.

Information Theory

Xiaojie Zhu,Erman Ayday,Roman Vitenberg,Narasimha Raghavan Veeraragavan

DOI: https://doi.org/10.48550/arXiv.1912.02045

2020-02-04

Abstract:In this paper, we attempt to provide a privacy-preserving and efficient solution for the "similar patient search" problem among several parties (e.g., hospitals) by addressing the shortcomings of previous attempts. We consider a scenario in which each hospital has its own genomic dataset and the goal of a physician (or researcher) is to search for a patient similar to a given one (based on a genomic makeup) among all the hospitals in the system. To enable this search, we let each hospital encrypt its dataset with its own key and outsource the storage of its dataset to a public cloud. The physician can get authorization from multiple hospitals and send a query to the cloud, which efficiently performs the search across authorized hospitals using a privacy-preserving index structure. We propose a hierarchical index structure to index each hospital's dataset with low memory requirements. Furthermore, we develop a novel privacy-preserving index merging mechanism that generates a common search index from individual indices of each hospital to significantly improve the search efficiency. We also consider the storage of medical information associated with genomic data of a patient (e.g., diagnosis and treatment). We allow access to this information via a fine-grained access control policy that we develop through the combination of standard symmetric encryption and ciphertext policy attribute-based encryption. Using this mechanism, a physician can search for similar patients and obtain medical information about the matching records if the access policy holds. We conduct experiments on large-scale genomic data and show the efficiency of the proposed scheme. Notably, we show that under our experimental settings, the proposed scheme is more than $60$ times faster than Wang et al.'s protocol and $95$ times faster than Asharov et al.'s solution.

Cryptography and Security

Jiang Bian,Alexander Loiacono,Andrei Sura,Tonatiuh Mendoza Viramontes,Gloria Lipori,Yi Guo,Elizabeth Shenkman,William Hogan

DOI: https://doi.org/10.1093/jamiaopen/ooz050

2019-01-01

JAMIA Open

Abstract:Objective: To implement an open-source tool that performs deterministic privacy-preserving record linkage (RL) in a real-world setting within a large research network. Materials and Methods: We learned 2 efficient deterministic linkage rules using publicly available voter registration data. We then validated the 2 rules' performance with 2 manually curated gold-standard datasets linking electronic health records and claims data from 2 sources. We developed an open-source Python-based tool-OneFL Deduper-that (1) creates seeded hash codes of combinations of patients' quasi-identifiers using a cryptographic one-way hash function to achieve privacy protection and (2) links and deduplicates patient records using a central broker through matching of hash codes with a high precision and reasonable recall. Results: We deployed the OneFl Deduper (https://github.com/ufbmi/onefl-deduper) in the OneFlorida, a state-based clinical research network as part of the national Patient-Centered Clinical Research Network (PCORnet). Using the gold-standard datasets, we achieved a precision of 97.25 similar to 99.7% and a recall of 75.5%. With the tool, we deduplicated similar to 3.5 million (out of similar to 15 million) records down to 1.7 million unique patients across 6 health care partners and the Florida Medicaid program. We demonstrated the benefits of RL through examining different disease profiles of the linked cohorts. Conclusions: Many factors including privacy risk considerations, policies and regulations, data availability and quality, and computing resources, can impact how a RL solution is constructed in a real-world setting. Nevertheless, RL is a significant task in improving the data quality in a network so that we can draw reliable scientific discoveries from these massive data resources.

Xun Yi,Elisa Bertino,Fang-Yu Rao,Kwok-Yan Lam,Surya Nepal,Athman Bouguettaya

DOI: https://doi.org/10.1109/tkde.2019.2912748

IF: 9.235

2020-08-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:In this paper, we consider a scenario where a user queries a user profile database, maintained by a social networking service provider, to identify users whose profiles match the profile specified by the querying user. A typical example of this application is online dating. Most recently, an online dating website, Ashley Madison, was hacked, which resulted in a disclosure of a large number of dating user profiles. This data breach has urged researchers to explore practical privacy protection for user profiles in a social network. In this paper, we propose a privacy-preserving solution for profile matching in social networks by using multiple servers. Our solution is built on homomorphic encryption and allows a user to find out matching users with the help of multiple servers without revealing to anyone the query and the queried user profiles in clear. Our solution achieves user profile privacy and user query privacy as long as at least one of the multiple servers is honest. Our experiments demonstrate that our solution is practical.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Jie Zhou,Jiao Deng,Shengke Zeng,Mingxing He,Xingwei Liu

DOI: https://doi.org/10.1016/j.comnet.2024.110891

IF: 5.493

2024-11-24

Computer Networks

Abstract:With the diversification of data sources and the massive growth of datasets, data retrieval has become increasingly complex and time-consuming. In the traditional retrieval method, if a user wants to query multiple datasets, the general approach is to retrieve them one by one in order, which may lead to duplication of work and waste of resources. Private set intersection is a specific issue in secure multi-party computation. It allows several participants, each holding different sets, to jointly calculate the intersection of their sets without revealing any information other than the intersection. This method is naturally suitable for data fusion. In this work, we propose a secure fuzzy retrieval protocol for multiple datasets. First, we use private set intersection technology to fuse multiple datasets. Then, we perform secure retrieval based on this fused dataset, effectively avoiding the waste of resources caused by separate retrievals, thereby maximizing resource efficiency. It is worth mentioning that the protocol proposed in this paper can also be used for fuzzy retrieval to improve the user's search experience. More importantly, the protocol can maximize privacy protection during the retrieval process, including strict protection of sensitive information such as retrieval keywords, ensuring that user data and query intentions will not be leaked during the entire retrieval process. Finally, we provide a rigorous security proof and demonstrate the effectiveness of the protocol through simulation experiments.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Raymond Chi-Wing Wong,Yubao Liu,Jian Yin,Zhilan Huang,Ada Wai-Chee Fu,Jian Pei

2007-01-01

Abstract:Privacy-preserving data publication for data mining is to protect sensitive information of individuals in published data while the distortion to the data is minimized. Recently, it is shown that (a, k)anonymity is a feasible technique when we are given some sensitive attribute(s) and quasi- identifier attributes. In previous work, generalization of the given data table has been used for the anonymization. In this paper, we show that we can project the data onto two tables for publishing in such a way that the privacy protection for (a, k)-anonymity can be achieved with less distortion. In the two tables, one table contains the undisturbed non-sensitive values and the other table contains the undisturbed sensitive values. Privacy preservation is guaranteed by the lossy join property of the two tables. We show by experiments that the results are better than previous approaches.

Stephen E. Fienberg

DOI: https://doi.org/10.1214/088342306000000240

2006-09-11

Abstract:The growing expanse of e-commerce and the widespread availability of online databases raise many fears regarding loss of privacy and many statistical challenges. Even with encryption and other nominal forms of protection for individual databases, we still need to protect against the violation of privacy through linkages across multiple databases. These issues parallel those that have arisen and received some attention in the context of homeland security. Following the events of September 11, 2001, there has been heightened attention in the United States and elsewhere to the use of multiple government and private databases for the identification of possible perpetrators of future attacks, as well as an unprecedented expansion of federal government data mining activities, many involving databases containing personal information. We present an overview of some proposals that have surfaced for the search of multiple databases which supposedly do not compromise possible pledges of confidentiality to the individuals whose data are included. We also explore their link to the related literature on privacy-preserving data mining. In particular, we focus on the matching problem across databases and the concept of ``selective revelation'' and their confidentiality implications.

Statistics Theory

Chaojie Lv,Lan Zhang,Xiang-Yang Li

DOI: https://doi.org/10.1109/bigcom57025.2022.00025

2022-01-01

Abstract:Mobile devices and mobile applications benefit people's mobility. In some applications such as Uber and Didi, drivers and passengers (i.e., users) submit locations to the server to match each other. However, the server may be untrusted and location privacy becomes a huge concern. Users expect to enjoy matching while protecting their locations and different users have different levels of location privacy. In this paper, we consider the personalized privacy-preserving online minimum bipartite matching problem. To solve this problem, we design a Personalized Quadtree-Based privacy-preserving matching Framework (PQBF). In this framework, we propose a privacy method using the truncated Geometric Mechanism on the quadTree (GMT). GMT allows users to intuitively select generalization regions with different sizes, which is user-friendly. We then formulate the distance on the quadtree using earth mover's distance (EMD) to select the closest worker-task pair. Considering the huge time overhead of distance calculation, we provide a way to accelerate. We show that our method satisfies $\epsilon$ - geo-indistinguishability on the quadtree and give the time complexity of PQBF. Experiments on synthetic data and real data show that our mechanism is more effective than previous mechanisms in terms of total distance. PQBF saves up to 35.9% total distance than a state-of-the-art algorithm.

LIU Shu-shu,LIU An,ZHAO Lei,LIU Guan-feng,LI Zhi-xu,ZHENG Kai,ZHOU Xiao-fang

DOI: https://doi.org/10.11959/j.issn.1000-436x.2015322

2015-01-01

Abstract:Social recommendation is a method which requires the participants of both user’s historical behavior data and social network,which generally belong to different parties,such as recommendation system service provider and social network service provider.Considering the fact that in order to maintain the value of their own data interests and user’s privacy,none of them will provide data information to the other,two privacy preserving protocols are proposed for efficient computation of social recommendation which needs the cooperation of two parties (recommendation system service provider and social network service provider).Both protocols enable two parties to compute the social recommendation without revealing their private data to each other.The protocol based on the well-known oblivious transfer multiplication has a low cost,and is suitable for the application of high efficiency requirements.And the one based on homomorphic cryptosystem has a better privacy preserving,and is more suitable for the application of higher data privacy requirements.Experimental results on the four real datasets show those two protocols are efficient and practical.Users are suggested to choose the appropriate protocol according to their own need.

Faguo Wu,Wang Yao,Xiao Zhang,Zhiming Zheng,Wenhua Wang

DOI: https://doi.org/10.1007/978-3-030-00012-7_7

2018-01-01

Abstract:In recent years, great progress has been made in global digital construction, various kinds of methods, such as encryption, isolated storage and firewall, are used to prevent information from stealing. However, the above mentioned technologies severely hinder information sharing, especially in some special areas, such as medical industries in which doctors need to share similar patient's information to improve the effectiveness of treatment. The premise of sharing information is to find the desired information on encrypted data, although identity based encryption scheme with equality test (IBEET) has been defined as a viable solution, it can only search for the ciphertext formed by the exact same plaintext. In this paper, we firstly propose an efficient identity based privacy information sharing with similarity test in cloud environment. Our scheme can search out similar data of the target data on encrypted content. Besides, we use advanced Locality-Sensitive Hashing function to generate index for data to protect the privacy information of users.

Zhenhua Chen,Luqi Huang,Guomin Yang,Willy Susilo,Xingbing Fu,Xingxing Jia

DOI: https://doi.org/10.1109/tsc.2024.3376198

IF: 11.019

2024-01-01

IEEE Transactions on Services Computing

Abstract:Privacy-preserving data evaluation is one of the prominent research topics in the big data era. In many data evaluation applications that involve sensitive information, such as the medical records of patients in a medical system, protecting data privacy during the data evaluation process has become an essential requirement. Aiming at solving this problem, numerous fuzzy encryption systems for different similarity metrics have been proposed in literature. Unfortunately, the existing fuzzy encryption systems either fail to achieve attribute-hiding or achieve it, but are impractical. In this paper, we propose a new fuzzy encryption scheme for privacy-preserving data evaluation based on overlap distance, which can work in an integer domain while achieving attribute-hiding. In particular, we develop a novel approach to enable an accurate overlap distance to be fast calculated. This technique makes the number of pairing operations during decryption stage negative correlation with the size of the threshold, which is pretty practical for some applications especially with a large threshold. Additionally, we provide a formal security analysis of the proposed scheme, followed by a comprehensive experimental. Also we show that our scheme can be well applied to some scenarios, such as fuzzy keyword searchable encryption and attribute-hiding closest substring encryption.

computer science, information systems, software engineering

Chang Xu,Ningning Wang,Liehuang Zhu,Kashif Sharif,Chuan Zhang

DOI: https://doi.org/10.1109/jiot.2019.2917186

IF: 10.6

2019-01-01

IEEE Internet of Things Journal

Abstract:The integration of wearable wireless devices and cloud computing in e-health systems has significantly improved their effectiveness and availability. Patients can upload their personal health information (PHI) files to the cloud, from where the health service providers (HSPs) can obtain appropriate information to determine the health state. This system not only reduces the costs associated to healthcare but also provides timely diagnosis to save lives. However, a number of privacy concerns arise while sharing sensitive information. In this paper, we propose a novel privacy-preserving patient health information sharing scheme, which allows HSPs to access and search PHI files in a secure yet efficient manner. We make use of the searchable encryption technique with keyword range search and multikey-word search. The proposed privacy-preserving equality test protocol allows different types of numeric comparison searches on encrypted data. We also use a variant of bloom filter and message authentication code to classify PHI files, filter false data, and check integrity of search results. The simulations on real-world and synthetic data show the feasibility and efficiency of the system, and security analysis proves the privacy-preservation properties.