Towards Secure, Flexible and Efficient Role Based Hospital’s Cloud Management System: Case Study

INTRODUCTION: Many health care organizations have recognized that the quality of service can be improved by maintaining e-records of patients' reports, medical histories, surgery recordings, etc. on multimedia cloud servers. But a data breach is always a matter of stake for the organization as well as for the patients. OBJECTIVES: This work considers a qualitative scenario related to multimedia e-content management for a multi-forte hospital's cloud server. METHODS: End-to-End Encryption with a cryptographic algorithm is applied along with an access control framework for secure transmission and storage of e-records. RESULTS: The results are presented as bar graphs of the time taken to encrypt/decrypt various media files and as combo graphs for different access control scenarios. CONCLUSION: The approach can prevent many attacks/threats and ensures authentication and privacy while limiting server usage and cost.


Introduction
To maintain a trade-off between low-capacity mobile devices and the requirement of accessing heavy resources, numerous users are now moving towards cloud usage. Cloud computing has therefore become a necessary and most required state, particularly for mobile users, as it provides access to a wide variety of services and resources at any time and from any place [1]. Thereby, the cloud reduces the user's burden many fold [2]. Nowadays, most of the content shared, stored, produced, and processed via different sources such as computers, satellites, smartphones, sensor networks, medical records, etc. is of the multimedia category, which includes video, images, GIF, and audio content. This constitutes a major section of network traffic [3]. Mobile gadgets with the minimum required configuration and less processing power stand nowhere and are unable to cope with the heavy manipulation and computing required by other expensive media software. This resulted in the demand for Multimedia Cloud Computing (MCC) [4]. Not only does multimedia data need immense computing power and storage capacity, it also presents security as a major concern. Since the computing, storage and security constraints for multimedia content are different, this field has drawn a lot of attention and has become a popular area of research. Many researchers have also proposed a separate architecture for multimedia content handling over the cloud [5].
* Shilpi Harnal. Email: shilpi13n@gmail.com
EAI Endorsed Transactions on Pervasive Health and Technology 05 2020 - 09 2020 | Volume 6 | Issue 22 | e1. Shilpi Harnal, R.K. Chauhan
But cloud providers and cloud users are in distinct security domains and have a dynamic relationship between them. Usually, the major concerns for any service provider are confidentiality, integrity, access control and security of secret and private media objects [6] [7] [8]. Thus, security issues related to multimedia objects require special attention and solutions to maintain the faith and interest of users, because the integrity of the user's private multimedia files is always a matter of stake for them. Among the various challenges with multimedia cloud computing, the crucial concerns are:
i. End-to-End Cryptography: End-to-End Cryptography is the most appropriate and widely approved solution for multimedia cloud security concerns, protecting a person's data from unauthorized access [9]. Based on the problems raised while dealing with multimedia data over cloud servers, the existing security schemes have some drawbacks. These limitations raised the need for a fast, secure and improved cryptography algorithm, as only a strong end-to-end encryption technique can play a major role in the security of sensitive media data.
ii. Role-Based Access Control: In the cloud, users are not known by predefined identities, so identity-based security mechanisms are not of much use. Instead, access is provided based on users' characteristics and attributes to achieve confidentiality and authentication [10] [11].
In order to fulfil the above concerns for the private and crucial medical records of any patient, this work applies an improved cryptography procedure for the storage of multimedia records along with End-to-End Encryption while transferring e-records to/from the hospital's cloud server [12]. Also, to deal with the requirement for proper authentication and access control techniques, an efficient and flexible role-based access control (EF-RBAC) model has been suggested [13]. The significance of the improved cryptography algorithm and of EF-RBAC for the enhancement of multimedia cloud technology can easily be illustrated by relating them to real-world qualitative scenarios, better known as case studies. This paper presents a possible practical scenario, or case study, in which the suggested cryptography algorithm and access control model can be deployed for performance enhancement. The case study considers how sensitive e-records of patients can be maintained securely by applying these techniques and how practice sessions for medical interns can be managed properly at a multi-forte hospital to achieve confidentiality, authentication, integrity, and security.
The following sections include the motivation for the case study, related work, the methodology applied and the detailed case study for the hospital e-record cloud management system. The further section includes the results in the form of combo graphs, followed by the benefits and limitations of the proposed scenario.

Motivation for Case Study
For an organization, a data breach is always a matter of stake, and it can be a matter of life for an individual if any personal or sensitive multimedia content is leaked or misused. For any data breach, the organization has to face various legal issues and sometimes has to pay high compensation. Some of the recent security breach incidents that came to notice are discussed below:
• Outlook: Microsoft admitted that hackers had succeeded in accessing many Outlook.com accounts between January 2019 and March 2019 [14]. Microsoft confessed that they were able to view emails as well. The company notified the users whose credentials were affected, but there was no clear picture of the actual number of accounts compromised.
• Skype, Cortana: In another incident, Microsoft accepted that personal and sensitive audio conversations of consumers over the Cortana virtual assistant and Skype had been listened to by third-party contractors [15]. The new Skype FAQ said that they may transcribe audio recordings, but that the user's privacy is protected. They admitted that audio recordings had been listened to for quality checks only.
• Biostar-2: The biometrics company Biostar-2, whose security systems are deployed all over the world, was found storing data in unencrypted form. Biometric data such as face recognition records and fingerprint scans, along with other details of more than one million people, were found in a publicly accessible database [16]. A team of security researchers from Israel easily gained access to Biostar 2's database, a total of 23 GB of multimedia records, by altering the search criteria in the URL. The retrieved information belonged to several organizations in many countries, such as India, Finland, Sri Lanka, the US, and Indonesia.
• Facebook: According to a report by a cyber-security research firm, Facebook records of about 540 million users were exposed on Amazon's cloud computing service [17]. This was because some third-party developers of Facebook apps had posted their records in plain sight.
• Facebook again: Facebook confirmed that data of around 50 million users was at risk, as a vulnerability had been exploited by attackers in July 2017 to access users' personal content [18]. But this was only revealed later, in September 2018, so for all that time they were unaware of how many users' data had been compromised. Later, in November 2018, a group of unknown hackers hit another vulnerability in the website and succeeded in capturing secret access tokens for the accounts of millions of Facebook users [19].
• Apple iCloud: Around 500 private and sensitive pictures of many celebrities were disseminated on the image board 4chan from iCloud, i.e. Apple's cloud services suite [20] [21]. Most of these celebrities were women and many of the pictures posted contained nudity. After that, these were also posted to  [19].
• Twitter: Multiple vulnerabilities hit Twitter. The company revealed the incident and also informed all the affected users.
• Yahoo: As disclosed by Yahoo, the accounts of its 3 billion email holders were likely compromised in 2013. The breach was revealed in mid-2016 and was the largest data breach incident ever [22].
• Google+: After admitting two security flaws or vulnerabilities in the Google+ platform, Google finally shut down Google+ (G+) in April 2019. These flaws in the API had exposed the data of many subscribers to third-party developers through the friends of users using the G+ app [19] [22].
• Amazon: Because of the misconfiguration of Amazon S3 buckets on Amazon's storage server, customers' data was left open for anyone to access publicly [23].
Analysts at a cybersecurity firm even claimed that they could easily access customers' databases on Amazon's Elastic Block Store (EBS). Apart from the above-mentioned cases, a survey by Techworld also reports security breaches at some other service providers, such as T-Mobile, TalkTalk, Zomato, Uber, Pizza Hut, FIFA, British Airways and Microsoft Office 365. Also, the Mexican media company Cultura Colectiva exposed a total of 146 GB of various users' data. Another exposed database, of an app named At the Pool, included user IDs, photos, friends, various check-ins, etc. for about 22,000 users. All these scenarios raise the need for secure end-to-end encryption during the transmission and storage of patients' sensitive e-media records. Also, a strong access control mechanism is always required to provide protection against unauthorized access. This work fulfils both requirements with the earlier proposed cryptography algorithm [12] and the efficient and flexible role-based access control mechanism (EF-RBAC) for a hospital's cloud server [13].

Related Work
It is also important to note here that this necessity of generating, accessing, sharing, storing, editing and transmitting media content over the unsafe internet by millions of clients raises issues such as bandwidth, jitter, delay and throughput in terms of Quality of Experience (QoE) and Quality of Service (QoS). Another major concern here is the security of clients' sensitive and crucial media objects, to ensure integrity and confidentiality. Such requirements can become a bottleneck for traditional cloud providers and can lead to an unsatisfactory experience for clients [24] [25]. Akter, Gani et al. (2018) analyzed that the use of multimedia applications and services for e-health is becoming more popular day by day. Through these, people can access their personal health records (PHRs), such as health history, X-ray reports, MRI, EEG/ECG data, clinical audio-visual reports, insurance policy, and ultrasound reports, electronically at any time, from any location, through any handheld electronic device. It is the responsibility of health care providers to manage the upload and security of such crucial/sensitive information over the cloud. Thus, the authors proposed using personal storage services over the cloud, such as OneDrive, Dropbox and Google Drive, for managing these records [26].
Stergiou, Psannis et al. (2018) proposed a new type of network that could provide more appropriate multimedia data transfer facilities. They also discussed various analysis tools and simulators that could be used to study the collection, management, analysis, processing and storage of large volumes of rich media data. They measured the performance of the network with CloudSim [27]. Noura et al. (2018) stated that, while handling multimedia objects, the most pronounced effects for a media service provider were the impact of privacy, integrity and confidentiality breaches. According to them, encryption is the proven technique for handling these threats. They analysed two recent two-round cipher techniques for the protection of image content [28]. Joseph, Vazhacharickal et al. (2017) observed that the security of multimedia content, in storage or in transmission, has become extremely important with the growing demand for multimedia storage, computation, and sharing. The authors believe that traditional encryption techniques using DES and AES are difficult to apply to multimedia data because of certain features of rich multimedia content: high redundancy, large volume and the requirement for real-time operation [4]. Shankar (2018) stated that cryptography can be the best approach to maintaining the availability, integrity, and confidentiality of sensitive digital data. The author proposed an optimized RSA algorithm to ensure the secure transmission of images with high secrecy and confidentiality between the sender and the intended receiver [29].
Nowadays, some application providers such as WhatsApp, TextSecure and Gmail have started providing E2EE. Like other email providers, the Gmail application supports encryption based only on Transport Layer Security (TLS), under which the data is protected while in transit but remains available to the server. Thus, many cloud users are forced to use third-party applications to encrypt/decrypt their critical and private information before sending it over the cloud. Such applications are known as domain client (DC) applications. Song et al. (2014) suggested an Encrypted Cloud, i.e. EnCloud, which involves a mechanism for achieving end-to-end encryption between service providers and cloud users, to maintain users' trust by facilitating their tasks. This shows that cloud applications and services could be compromised at any time without encryption at the end-to-end level, whereas a user cannot afford to lose their crucial and sensitive multimedia data at any cost [30].
According to Bethencourt et al. (2007), traditional access control schemes such as mandatory or discretionary access control models are not applicable to an open cloud environment [31]. The role-based access control (RBAC) scheme assigns roles to users based on the least privileges and functions required to perform a job. Goyal et al. (2006) said that the Task Role-based access control model (TRBAC) is considered a viable scheme for the cloud computing environment. According to the authors, in TRBAC access permissions can be validated dynamically based on the user's role and the task assigned to the user [32].
Another variant proposed for cloud computing by Yang et al. (2012) is the Attribute-role-based access control (ARBAC) model. In this scheme, data objects are assigned some attributes and values. To access these object attributes, the user has to provide that particular value, and access is granted by the cloud server only after this validation is complete [33]. Other authors, such as Ristenpart et al. (2009), proposed a fine-grained key-based ARBAC model that preserves the privacy of the attribute values corresponding to an object using symmetric/private key encryption schemes [34]. Shafiq et al. (2005) suggested that certain roles should be fixed and static in some applications, while permissions and users for roles might be assigned dynamically [35]. Ruj et al. (2011) proposed the involvement of a certified third party for assigning roles to users. They also proposed adding certain parameters (such as all possible timings and locations of access) to each user's profile to maintain the trust/authentication of users [36].
Thus, the discussion has shown the work done by various authors in the field of security measures for multimedia cloud computing. The work in this paper presents an improved solution for these security issues in terms of security, attack prevention, cost, auditing, server response time and operational efficiency, as discussed in the following sections.

Methodology Applied for Case Study
It is clear from the above literature that the security of confidential and private data over the cloud is always an issue of stake for clients, and that only a strong cryptography technique with End-to-End Encryption can maintain the integrity and confidentiality of data both in cloud storage and during transmission. Otherwise, the cloud will always remain a risk for users and organizations. It is also clear from the literature that an effective access control mechanism can mitigate the chances of security breaches by unauthorized users and untrusted insiders.

Improved Cryptographic Framework Applied [12]
This framework applies a secure and improved symmetric procedure with the provision of randomly generating the secret key for media content cryptography. The applied hybrid procedure is an advanced and improved version of the Blowfish algorithm, for better security while storing/retrieving text and other multimedia objects (such as GIFs, audio, images, video or any other sort of media content) to and from the media-aware cloud server. Originally, the Blowfish algorithm was applicable to text files only. The proposed framework works with an end-to-end encryption (E2EE) policy. Thus, before transmitting any content to the server, it is encrypted at the client's site, and after retrieving any content from the cloud server, it is decrypted at the client's end as well. This approach guarantees a high level of privacy and security for the personal multimedia content of patients and is efficient to apply over various types of multimedia objects. The general framework for the scheme is presented in figure 1. The sequence of steps for this framework is as follows:
1. The client raises a request for a multimedia object.
2. The content manager verifies the request.
3. The analysis module verifies the availability of servers and other parameters.
4. The key manager is responsible for the availability of both the asymmetric keys and the symmetric key (Skey).
5. Skey is used to encrypt/decrypt the media object (CT) with the improved hybrid symmetric algorithm, and asymmetric encryption is used to encrypt Skey for secure transmission over the network.
6. Both the encrypted object (CT) and the encrypted Skey are transmitted to the other end (client or server) to maintain E2EE.
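The six-step flow above as an added Python example (not the authors' Java implementation): a fresh random Skey encrypts the media object, and the receiver's public key wraps Skey so both travel together. AES-GCM stands in for the improved hybrid Blowfish cipher and RSA-OAEP for the asymmetric step; the `cryptography` package, the `KeyManager`/`Envelope` names and the object ids are assumptions of this example.

```python
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding used to wrap the per-object symmetric key (Skey) with the
# receiver's public key (step 5 of the framework).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


@dataclass(frozen=True)
class Envelope:
    """What crosses the network in step 6: the encrypted object (CT) plus
    Skey encrypted under the receiver's public key."""
    wrapped_skey: bytes
    nonce: bytes
    ct: bytes
    object_id: str   # bound to CT as associated data, sent in the clear


class KeyManager:
    """Step 4: holds one end's asymmetric key pair (client or server) and
    hands out a fresh random Skey for every media object."""

    def __init__(self) -> None:
        self._private = rsa.generate_private_key(public_exponent=65537,
                                                 key_size=2048)
        self.public = self._private.public_key()

    @staticmethod
    def new_skey() -> bytes:
        return AESGCM.generate_key(bit_length=256)

    def unwrap(self, wrapped: bytes) -> bytes:
        return self._private.decrypt(wrapped, OAEP)


def encrypt_for(receiver_public, object_id: str, media: bytes) -> Envelope:
    """Sender side of steps 5 and 6: Skey encrypts the media object; the
    receiver's public key encrypts Skey."""
    skey = KeyManager.new_skey()
    nonce = os.urandom(12)           # never reused with the same Skey
    ct = AESGCM(skey).encrypt(nonce, media, object_id.encode())
    return Envelope(receiver_public.encrypt(skey, OAEP), nonce, ct, object_id)


def decrypt_envelope(receiver: KeyManager, env: Envelope) -> bytes:
    """Receiver side: unwrap Skey with the private key, then decrypt CT.
    Raises InvalidTag if CT, nonce or object_id were altered in transit."""
    skey = receiver.unwrap(env.wrapped_skey)
    return AESGCM(skey).decrypt(env.nonce, env.ct, env.object_id.encode())


def round_trip(media: bytes, object_id: str = "xray-0001") -> bool:
    """Constructed check: a client uploads one object to the server end."""
    server = KeyManager()
    env = encrypt_for(server.public, object_id, media)
    return decrypt_envelope(server, env) == media and env.ct != media


def tamper_detected(media: bytes) -> bool:
    """Constructed check: flipping one bit of CT in transit is rejected."""
    server = KeyManager()
    env = encrypt_for(server.public, "mri-0002", media)
    bad_ct = env.ct[:-1] + bytes([env.ct[-1] ^ 0x01])
    bad = Envelope(env.wrapped_skey, env.nonce, bad_ct, env.object_id)
    try:
        decrypt_envelope(server, bad)
    except InvalidTag:
        return True
    return False
```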

The detailed description and comparison of the applied improved Blowfish hybrid algorithm are presented by us in the referenced paper, and a pictorial representation is shown in figure 2.
This improved hybrid algorithm was developed in Java and executed from the command-line interface. The setup was applied and tested by encrypting multimedia files of various types and sizes. Further, the encrypted files were also tested over the cloud.

Figure 2. The Steps of Improved Hybrid Algo. [12]

EF-RBAC Framework Applied [13]
In the Efficient and Flexible Role-based access control (EF-RBAC) framework, system users are dynamically assigned roles as needed and as per the policy of the organization. Accesses/permissions are applied to specific roles, and the same permissions automatically apply to all users of that category, i.e. with the same role. The roles are chosen very carefully by the authorities as per the organization's requirements. Every new user is assigned at least one role, and one user can have multiple roles as well. The roles are assigned on the least privilege principle. Roles and their respective users are subject to constraints, such as each user being allowed a limited number of transactions per day based on their role. If the user's transaction count reaches the predefined threshold value, the user's limit is exceeded and the server stops listening to that user.
This scheme adds the provision of gifting/borrowing transactions to/from one another (only between authenticated registered users having the same role). So if a user does not need all of their transactions in a day, he/she can gift transactions to, or borrow transactions from, other users of the same role, as part of the security mechanism applied to the roles of the system.
Role-based access control (RBAC) is a methodology of restricting network access based only on the roles of individual users within an enterprise. Consequently, the number of requests to the server decreases and is bounded, as each user has a limit on their access to cloud servers. This leads to improved (reduced) response time and decreases the overhead on servers. Additionally, it provides prevention against distributed denial of service (DDoS) attacks. The detailed description of this framework is shown in figure 3 given below.
• Multiple active sessions are possible at the same time; however, there is just one active session per active user at a time.
• Each user entering the organization is assigned a role (multiple roles can likewise be allocated to a user), and each role has a limit on the number of transactions that can be used.
• Among the numerous roles defined for an organization, every role has some predefined rules, attributes and transaction limits.
• Every role has a specific number of tasks, and every task is associated with certain permissions specific to roles.
• Each user manages a personal security PIN and also keeps a record of the transactions he/she has used so far.
• Once the transaction limit is exceeded for a user, e.g. if user 'A' requests a transaction from another user 'B' having the same role, user 'A' first has to ask user 'B' for his/her one-time security PIN (because user 'A' is required to provide user 'B's security PIN before taking a transaction from user B's account). After the transaction of 'A' is over, the security PIN is auto-generated again.
• Once this limit is exceeded (e.g. for user 'A'), either the user can request a transaction from another user with the same role, or the server stops taking further requests from that user for that specific role.
• Further, if any suspicious behavior is detected, such as a user making repeated attempts after his/her limit is exceeded, trying to access a file that he/she is not authorized to access, or trying to make an unauthorized update, then the role-based access control mechanism will analyze and report the attempt to the authorities.
Steps of EF-RBAC Algorithm: This work has implemented the proposed Efficient and Flexible Role-Based Access Control (EF-RBAC) over the cloud using the CloudSim (version 3.0) simulator tool, to limit the number of accesses a user can have in a day and to add the provision of gifting or borrowing transactions from other users. The CloudSim tool provides an extensible and generalized seamless modeling framework.

Hospital E-Record -Cloud Management System
According to many health care organizations around the world, the quality of medical service can be improved by maintaining electronic records of patients' reports, medical histories, video recordings of surgeries, etc. on multimedia cloud servers. This enables a patient and a doctor to access these records from any location in a cost-effective manner, for better health and effective resource utilization [39]. But migrating to a completely electronic cloud medical system for managing patients' sensitive and crucial medical records has been a challenging decision and task. Chiang et al. (2018) performed a study discussing advanced practices in medical technology and people's self-consciousness regarding them [37]. Because of these factors, the usage of tools to support e-medical records has been promoted by the World Health Organization (WHO). These e-medical records allow patients, doctors and medical interns to access the records online, and thereby the efficiency of the medical system is enhanced.

Overview
This case study takes the example of a multi-forte hospital that incorporates specialists/doctors, patients, and several medical interns. Patients with any sort of sickness visit the concerned doctor and get a complete check-up. The complete database of patient records is maintained on the cloud servers. By this, patients and the concerned doctors can access crucial health records (PHRs), such as health history, X-ray reports, MRI, EEG/ECG data, clinical audio-visual reports, insurance policy, and ultrasound reports, electronically at any time, from any location, through their smartphones or any handheld electronic device [26].
This case study includes a number of medical interns appointed at the multi-forte hospital. A medical intern is one who has completed medical school (the MBBS degree of four and a half years) to serve as a professional doctor in India. But these medical interns cannot practice medicine unsupervised, as they do not yet have a full license as a physician. According to the Medical Council of India, to get a permanent license to practice as a primary care doctor they have to go through a compulsory one-year internship in various specialties. During this one year of training, the medical interns are associated with experienced doctors.
This case study provides a better provision for managing patients' sensitive e-Records and for arranging practice sessions for medical interns as well. It works with the practice of uploading videos of surgeries performed by the specialists, and private medical histories for reference, to the cloud server, but only with the patient's consent. These reports and videos of a patient are very sensitive, and it is the responsibility of the health care provider or administrator to manage the upload and security of such crucial information over the cloud.

Challenges with Ordinary System
The cloud has greatly relieved users of the burden of storage, heavy computation, etc. through its services [38]. Now users, or patients in this case, prefer to store their crucial data on cloud servers only in encrypted form. The major challenges with ordinary media service providers are:
• If patients' credentials and the multimedia records of their reports and videos are stored in plain text format, there is always a risk to security.
• A problem arises when unauthorized entities try to access patient data they are not authorized to access.
• There is also a chance that an authorized user tries to access the data of patients he/she is not authorized to access.
• Another problem arises when data is transmitted between cloud users and servers in unencrypted form over untrusted networks. This raises the chance of a man-in-the-middle attack and can affect the integrity and confidentiality of the data.
• A problem of non-availability of service, or denial of service (DoS), arises if a malicious user forges the identity of an authentic user and floods the server with dummy requests.
• The problem of non-availability of service or denial of service (DoS) can also arise if an authentic user intentionally floods the network to disturb the normal service.
Trust is the crucial factor for data sharing, storage, and transmission, as it can avoid potential risks and overcome uncertainties. There is still a lack of proper access control and security policies over the ordinary cloud to maintain reputation and trust. Thus, this work addresses the above issues of access control, integrity, confidentiality, and security for any patient's personal and sensitive medical records.

Entities Involved with Proposed Case Study Solution
This solution works towards providing a system with flexible access and secure transmission and storage on the basis of policies/permissions decided by the hospital authorities and patients' consent. The minimum set of entities required to participate flexibly in such a secure system is shown in the UML use case diagram in figure 4 and described as follows:
i. Patients: The persons undergoing treatment in the hospital. They can access their medical records at any time from cloud storage.
ii. Doctors: A doctor is a person who performs check-ups of patients and starts their treatment accordingly. Each doctor is associated with a department and can supervise/assist many medical interns. A doctor can access the records of their own patients only.
iii. Medical Interns: They are associated with the doctors of their respective departments. They are medical trainees, appointed after completing their medical degree, and will be certified physicians only after completing their internship.
iv. Hospital Cloud Server: The third-party multimedia service provider's cloud server. It provides storage, sharing, editing, security and backups for all the multimedia records discussed above and the other credentials of all the entities.

Figure 4. Entities for Case Study
The UML use case diagram of figure 4 depicts the major functionalities of the proposed case study system for the hospital cloud, along with the entities involved in the system. Here T_Limit represents the transaction limit defined for any user belonging to a specific role. The detailed description of the functionalities is covered in the following sections.

Description of Proposed Solution
The general model of the proposed solution for the Hospital e-Record Cloud Management system, with all the entities defined above, is presented in figure 5. Here both the client- and server-side modules contain EF-RBAC and the proposed improved cryptography algorithm. The transmission of multimedia content between the two parties is secured with E2EE using the improved algorithm [12]. Access control is provided by EF-RBAC, and every access is granted based on the roles defined per entity and the permissions defined for each role [13]. The steps and rules involved in the normal functioning of the Hospital e-Record Cloud Management System are shown in figure 5, and a relational schema for this system including all entities is depicted with the help of an ER diagram in figure 6.

Figure 5. Hospital e-Record Cloud Management System

The rules are defined as follows:
• Roles are defined per entity involved, except the server; that is, the system has three defined roles: Patients, Doctors and Medical Interns. Each entity is identified by a particular ID, as included in the ER Diagram depicted in figure 6.
• Each doctor and medical intern is associated with one department, such as Pathology, Orthopedic, Dental, Emergency, Gynecology, Anesthetics, Laboratory, Cardiology, Cancer, Neurology, etc. The departments are not shown in figure 5 for the sake of simplicity, but they are part of the ER Diagram of figure 6 as essential content.
• Each patient is treated by and concerned with one doctor only, but one doctor can treat multiple patients at the same time. Patients can upload their medical records to the media cloud server and access them from it. Doctors can access only the records of their own patients.
• As per the proposed EF-RBAC scheme, users are provided with a limited number of transactions per day (T-Limit) to limit the load on the server. Any limit can be chosen for doctors and patients, because in general they are never going to exceed their transaction limit.
• The problem is mainly associated with the transaction limit of medical interns, as they can overload or completely flood the server if a hospital has thousands of interns. This can result in the unavailability of the server for others and will also increase the rental cost for the hospital. Medical interns use the Hospital e-Record system to study medical histories and reports and to view videos of live surgeries for their self-reference.
• Thus, to limit the server's load and to reduce the usage cost of the rented server, the proposed work limits the number of transactions allowed per day for each medical intern.
• Assume the limit is five for each user with the medical intern role. Besides reducing cost, this will also minimize misuse of the system. If an intern exceeds the limit, he/she can borrow a transaction from any other medical intern by sharing a secure PIN; otherwise the server stops answering their requests.
• Finally, for privacy and protection against data breaches, data is encrypted with the fast and secure improved algorithm for storage as well as for transmission, i.e. E2EE.
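The rules above can be checked mechanically. The following Python program is an added example written for this page, not code from the paper or from its authors, and it implements only the access-control half of the scheme (the hybrid cipher from [12] is not specified on the page, so it is left out). The three roles, the doctor-to-patient association, the daily T-Limit of five for interns, the PIN-based borrowing of a transaction from another intern, and the two rejection reasons (limit exceeded, record not permitted) follow the rules as stated; the limits of 50 for patients and doctors, the user IDs, the PIN values and the request sequence are constructed assumptions, since the paper says any limit can be chosen for those two roles. The PIN is stored as a salted hash and compared in constant time so that the server never holds the shared secret in clear.

```python
"""Constructed EF-RBAC transaction-limit checker (added example, not the paper's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Per-role daily transaction limits (T-Limit). The paper fixes 5 for medical
# interns; the values for patients and doctors are assumed here.
ROLE_LIMITS = {"patient": 50, "doctor": 50, "intern": 5}

OK = "OK"
OK_BORROWED = "OK_BORROWED"
REJECT_UNAUTHORIZED = "REJECTED_UNAUTHORIZED"
REJECT_LIMIT = "REJECTED_LIMIT_EXCEEDED"


@dataclass
class User:
    uid: str
    role: str
    used: int = 0            # transactions consumed today
    pin_hash: bytes = b""    # salted SHA-256 of the intern's sharing PIN
    pin_salt: bytes = b""

    @property
    def limit(self) -> int:
        return ROLE_LIMITS[self.role]

    @property
    def blocked(self) -> bool:
        # "User-Blocked: yes/no" flag for the day
        return self.used >= self.limit


class EfRbacServer:
    def __init__(self):
        self.users = {}
        self.doctor_of = {}   # patient uid -> uid of the single treating doctor
        self.log = []         # every access attempt is tracked

    def add_user(self, uid, role, pin=None):
        user = User(uid, role)
        if role == "intern":
            if pin is None:
                raise ValueError("interns need a sharing PIN")
            user.pin_salt = secrets.token_bytes(16)
            user.pin_hash = hashlib.sha256(user.pin_salt + pin.encode()).digest()
        self.users[uid] = user

    def assign_doctor(self, patient_uid, doctor_uid):
        self.doctor_of[patient_uid] = doctor_uid

    def _authorized(self, user, owner):
        # patients: own records; doctors: own patients; interns: patient records for study
        if user.role == "patient":
            return user.uid == owner
        if user.role == "doctor":
            return self.doctor_of.get(owner) == user.uid
        if user.role == "intern":
            return owner in self.users and self.users[owner].role == "patient"
        return False

    def _pin_ok(self, lender, pin):
        digest = hashlib.sha256(lender.pin_salt + pin.encode()).digest()
        return hmac.compare_digest(digest, lender.pin_hash)

    def request(self, uid, record_owner, lender_uid=None, pin=None):
        user = self.users[uid]
        if not self._authorized(user, record_owner):
            return self._record(uid, record_owner, REJECT_UNAUTHORIZED)
        if not user.blocked:
            user.used += 1
            return self._record(uid, record_owner, OK)
        # Quota exhausted: only an intern may borrow, only from another intern
        # who still has quota and whose PIN was shared with the borrower.
        lender = self.users.get(lender_uid)
        if (user.role == "intern" and lender is not None and lender.role == "intern"
                and lender.uid != uid and not lender.blocked
                and pin is not None and self._pin_ok(lender, pin)):
            lender.used += 1
            return self._record(uid, record_owner, OK_BORROWED)
        return self._record(uid, record_owner, REJECT_LIMIT)

    def _record(self, uid, owner, status):
        self.log.append((uid, owner, status))
        return status

    def status_table(self):
        # Simulation status in the spirit of the paper's table 3 (constructed)
        return {u.uid: {"role": u.role, "used": u.used, "limit": u.limit,
                        "blocked": u.blocked} for u in self.users.values()}


def run_scenario():
    """Constructed request sequence exercising every rule; returns (server, results)."""
    s = EfRbacServer()
    s.add_user("P1", "patient"); s.add_user("P2", "patient")
    s.add_user("D1", "doctor"); s.add_user("D2", "doctor")
    s.add_user("I1", "intern", pin="4711"); s.add_user("I2", "intern", pin="2222")
    s.assign_doctor("P1", "D1"); s.assign_doctor("P2", "D2")
    results = [
        s.request("P1", "P1"),   # patient reads own record -> OK
        s.request("D1", "P1"),   # doctor reads own patient -> OK
        s.request("D1", "P2"),   # not D1's patient -> REJECTED_UNAUTHORIZED
        s.request("P1", "P2"),   # another patient's record -> REJECTED_UNAUTHORIZED
    ]
    results += [s.request("I1", "P1") for _ in range(5)]          # five OK, then blocked
    results.append(s.request("I1", "P2"))                          # REJECTED_LIMIT_EXCEEDED
    results.append(s.request("I1", "P2", lender_uid="I2", pin="0000"))  # wrong PIN -> rejected
    results.append(s.request("I1", "P2", lender_uid="I2", pin="2222"))  # OK_BORROWED, I2 pays
    return s, results
```

Running run_scenario() shows the two rejection categories the paper reports for its simulation, and the status table shows I1 marked blocked for the day while the borrowed transaction is charged to I2's quota.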
As discussed, a case study describes the real experience of users/organizations with a cloud server. Here, the study has considered a qualitative scenario for understanding the practical application of the discussed improved hybrid algorithm and the EF-RBAC model, related to multimedia content management for a Hospital e-Record Management System. This can guarantee privacy and security with E2EE and helps to reduce cost by limiting server usage. It also provides prevention from many attacks and threats, as discussed in the following sections. Thus, it is clear from the case study that the work can be very useful if deployed with cloud applications, and the advantages are very appealing.

Steps of Proposed Solution
The steps of the procedure to execute each transaction corresponding to each user with encryption/decryption of multimedia object using the hybrid algorithm are as follows:

Complexities of the Proposed Solution
As the improved hybrid algorithm is a block cipher and works with blocks of fixed size (here, each block is 64 bits), the per-block procedure is independent of the input and takes approximately constant time, i.e. O(1). But the input multimedia files are larger and are divided into M blocks during the procedure, so the complexity of the hybrid algorithm for data of M blocks is O(M) [12].
For ordinary access control systems, where there is no limit on the number of transactions a user may perform, the complexity is difficult to measure, as the usage may always vary. But the complexity analysis of the EF-RBAC scheme (embedded with the hybrid algorithm), which has a limit on transactions, is always possible and is defined in table 1 [12].

Firstly, this section analyses and compares the rate, i.e. the time consumed by the proposed improved procedure, for performing encryption and decryption of multimedia e-records of various sizes and types. The proposed algorithm was found to work perfectly with a variety of files of various types and sizes, such as audio, image or video files, and has shown promising results for every input file. The time consumed for performing encryption and decryption, excluding the time of key generation, for sample media files of various types and sizes is presented in table 2.

Table 2. Sample data and time taken by the hybrid cryptography algorithm [12]

The input media file's size is measured in kilobytes (KB) and the corresponding time taken for encryption and decryption is measured in milliseconds (ms). The resulting cipher text files were tested successfully over the cloud server by uploading to and retrieving from the cloud without any error. The complete implementation was carried out on a Pentium dual-core processor with 2 GB of RAM; the results are expected to improve with more advanced processors.

• User-Blocked: yes/no, whether the user is blocked for the day or not

Table 3 shows the simulation status after the execution of 57 transactions/cloudlets with the CloudSim simulator. Illegal transactions are rejected by the EF-RBAC algorithm. There are two possible reasons for rejection: the user tries to execute a task after the limit has been exceeded, or the user tries to gain access to a record for which he/she is not permitted.
Here, according to table 3 for scenario-1:

Benefits
The proposed approach works on providing end-to-end encryption (E2EE) to the end-users of the multimedia service cloud of a multi-forte hospital. Also, users are assigned roles based on the least privileges required for an object. Every access is tracked, and any unauthorized access attempt is also captured. In a nutshell, it can be said that this scheme is scalable and dynamic and supports active and passive workflows in the system. Apart from these, the proposed mechanism can also provide the following benefits:
• Authenticated Access only: The proposed framework assures an entity of authenticated access to their personal media records, as only an authentic entity will be able to decrypt and encrypt the secret key by applying their own private key for E2EE.
• Integrity and Confidentiality: The proposed scheme also addresses the most critical and required factors for every cloud service provider, that is, integrity and confidentiality. Only authorized users can view the information, which provides confidentiality, and no access is possible during transmission of data, which preserves integrity.
• Accessibility and Scalability: The scheme suggested here is quite flexible and scalable enough, based on the client's requirements, on a pay-as-you-use basis.
• End-to-End Encryption (E2EE): E2EE is the primary feature of the proposed framework for protecting the confidential, critical and personal multimedia information of clients during transmission.

• Protection against Distributed Denial of Service Attacks (DDoS): With the limited-access scheme, this will also provide protection against distributed denial of service (DDoS) attacks, as no attacker can control the services under limited accesses.
• Decreased threats on the server: It will minimize the risk of information access by intruders by limiting the accesses for users. Also, it reduces the chance of information misuse even by authentic users, as only the required information is available to them under the least privilege policy.
• Reduces the cost of the organization: As the model is scalable enough, the cost of management, operations and maintenance also varies according to the services availed over time.
• Improved server response time and operational efficiency: It reduces the server workload by limiting the per-day accesses per user/role, unlike ordinary access control methods. This leads to higher operational efficiency and better response time for the servers.
• Separation of duties and auditing: This model reduces conflicts by separating each permission for tasks, tasks specific to roles, and roles for each user. The auditing process is simplified by this approach.
• Delegation of tasks: This policy leads to easy auditing and visibility of tasks for the administration. Thus, if any user is overloaded with tasks, the administration has the choice to delegate his/her duties to different users.
• Improved security as it follows the least privilege principle: As data is a valuable asset nowadays, this scheme surely enhances security against suspicious attempts by internal and external users, so it decreases the risk of data leakage and breaches by intruders.
• Limited network usage if the organization has numerous employees: No matter how many employees an organization hires, the network usage will always be limited. The network cost and server cost will always be measurable with the proposed scheme.
• Compliance enhancing: As most of the costs are countable, it gives the ability to easily verify all the policies and activation compliances.
• Safeguard against attacks: The framework presented here is efficient to apply to any media cloud service environment, as it can provide complete prevention and acts as a safeguard against various attacks such as brute force attacks, side-channel attacks, non-repudiation, man-in-the-middle attacks, etc.

Limitations
Sometimes, if the roles of users change dynamically, it may create confusion regarding which user is associated with which privileges. Roles are assigned on the basis of the least privilege principle, but still, if roles are changed frequently, some confusion may arise.

Conclusion and Future Scope
Ultimately, it can be said with firm belief that only the cloud has the potential to handle and manage the future needs of accessing media contents of any organization. At the same time, cloud servers and clients also have a number of security and privacy-related issues of concern that require special handling. This work has discussed a case study scenario related to multimedia content management for a Hospital e-Record Management System to describe the actual experience of users/organizations with a cloud server after deployment of the improved E2EE cryptography scenario and the EF-RBAC model. It is clear from the case study that it can greatly help to reduce cost, limit server usage, guarantee privacy and security, prevent many attacks and threats, etc. Thus, it can be concluded that the work can be very useful if deployed with cloud applications, and the advantages are really very appealing. Future research is possible in the area of developing an efficient and secure indexing method to quickly locate a required image or any other multimedia object among the huge number of encrypted multimedia files held by cloud servers.