Privacy-Preserving Healthcare System for Clinical Decision-Support and Emergency Call Systems

Healthcare centers always aim to deliver the best quality healthcare services to patients and earn their satisfaction. Technology has played a major role in achieving these goals, such as clinical decision-support systems and mobile health social networks. These systems have improved the quality of care services by speeding-up the diagnosis process with accuracy, and allowing caregivers to monitor patients remotely through the use of WBS, respectively. However, these systems’ accuracy and efficiency are dependent on patients’ health information, which must be inevitably shared over the network, thus exposing them to cyber-attacks. Therefore, privacy-preserving services are ought to be employed to protect patients’ privacy. In this work, we proposed a privacy-preserving healthcare system, which is composed of two subsystems. The first is a privacy-preserving clinical decision-support system. The second subsystem is a privacy-preserving Mobile Health Social Network (MHSN). The former was based on decision tree classifier that is used to diagnose patients with new symptoms without disclosing patients’ records. Whereas the latter would allow physicians to monitor patients’ current condition remotely through WBS; thus sending help immediately in case of a distress situation detected. The social network, which connects patients of similar symptoms together, would also provide the service of seeking help of near-by passing people while the patient is waiting for an ambulance to arrive. Our model is expected to improve healthcare services while protecting patients’ privacy.


Introduction
The PHR is the essential asset of any healthcare center (Hospitals, clinics, ... etc.).Physicians depend on it to record the patient's medical history, and to refer to it during diagnosis.Due to the fact that PHRs are computerized nowadays, they are subject to various attacks; and therefore, precautions must be taken to preserve their privacy.Furthermore, many applications such as CDSS and MHSN are used to improve healthcare services.CDSS is a system used by physicians to help them decide which disease class the diagnosed patient's symptoms belong to; it is based on a knowledge base that is extracted from experts and/or literature [1].Moreover, MHSNs are social networks of patients and caregivers, where the latter observe the patients remotely through Wireless Body Sensors (WBS) attached to their bodies, and communicate the patient's current status to caregivers periodically.Therefore, distress situations could be detected at the moment, and help could be sent immediately.In addition to the emergency call service, there is the social feature that would connect patients together.However, all of these systems depend on the phi; hence, the improvement of care they provide could be on the expense of the privacy of the patients [2] [3] [4].In this study, we explore different healthcare systems to design a model that would enhance the medical care services provided to patients while preserving the privacy of their PHR.and improve the quality of healthcare services provided by healthcare centers.Moreover, we intend to design the CDSS on a cloud, which its classification model will be trained and tested without accessing the original data.Furthermore, we plan to exploit the advantages of MHSN to provide a social network that would aid physicians in monitoring their patients from a distance, and also linking patients together for support and comfort.Finally, we aim to improve the solutions available in the existing studies, and propose them as one system.

Methodology
In order to go on with our research, we will need to conduct the following steps: 1) Design our two subsystem models for a Privacy Preserving Clinical Decision-Support System (PPCDSS), and a Privacy Preserving Emergency Call System (PPECS).
• PPCDSS: This system consists of two parts, training and testing: -Training include building a decision tree model without disclosing patients' PHI.
-Testing the classifier will be conducted by classifying new patients.
• PPECS: This system starts by each patient being hooked with a wbsn for sensing their vital signs and transmit them to the PDA for processing, and setting patient's preferences of whom they wish to come to the rescue (helper).The system requires the design of: 1) Access policy matrix which forms the patients' preferences of who to help.
2) The emergency call system.
4) The symptoms matching algorithm.
2) Insure the security of both subsystems through mathematical security proofs.

Contributions
Healthcare systems seek technology to enhance their performance while aiming to keep patients comfortable.Systems such as CDSS and MHSN provide the services to improve physicians' productivity and patients' satisfaction [2] [3] [4].However, because these systems depend on transmitting patients' PHI through a network, that leaves the PHI vulnerable for attacks.Therefore, privacy-preserving systems are necessary to protect patients' privacy over these systems.
In our work, we propose a model consisted of two subsystems.The first subsystem, PPCDSS, will provide a CDSS with a privacy-preserving feature to protect patients' PHI.The second subsystem, PPECS, is an MHSN which allows physicians to monitor patients remotely without disclosing patients' PHI to unauthorized persons.Below, we list our contributions to the field: 1) We will merge the existing services in the literature in one model.
The existing systems in the literature, [2]  2) We will use decision trees as the data mining technique for the CDSS.
Studies in section 2 have shown that decision trees are more accurate than NBC in medical diagnosis.
3) Our model allows to hide the votes of each hospital than each other; thus, no hospital can know which hospital objects to which tree(s).
The study in [5] protected each party's dataset by regenerating the ensemble and not revealing the objecting party objected to which tree(s) (Figure 1(a)).By using a cloud we eliminate the need of regenerating the ensemble (Figure 1(b)).
4) We will limit the access to the cloud's functions to health institutions, thus making the system be more secure (Figure 2 The PPCDSS in [3] gives access to the cloud to three different parties (Figure 2(a)).

Organization
The rest of the paper will be organized as follows.In Section 2, we provide a background on the current state of healthcare systems and followed by the related work in Section 2. The proposed model is listed in Section.In Section 9 we lay a motivational scenario for our proposed model.Finally, the conclusion in Section 17.

Background
Healthcare centers have taken advantage of technology to improve their services for a long time.For instance, they have turned to electronic health records instead of paper based for fast access and for environmental reasons.However, distributed patient information over different systems is still a problem.This problem has caused dissatisfaction of patients for being examined multiple times by different physicians and thus wasting the times of both [1].Therefore, K.
Leonard in [6] have stressed on the need to give patients the control of their health records, in addition to have one existing copy to give physicians fast access to the patient's medical history, and therefore enhance their health services.Below, we display examples of healthcare systems which helped in ceasing this problem.

Clinical Decision-Support System
The process of medical diagnosis is described as follows.The physician first start by collecting facts about the patient's medical history, physical examination, and laboratory tests.Then, the physician will begin to evaluate the symptoms and signs to make a list of all possible diseases.Finally, he will perform differential diagnosis by excluding one disease after another from the list until the diagnosis is fit into one category of diseases.As simple as it sounds, this process is considered complex [7].Therefore, a solution to ease this process was needed to enhance physician's performance, and clinic's medical services.
Clinical Decision-Support Systems (CDSS) are defined to be any computer software developed to assist physicians in making clinical decisions using patient's medical history and clinical data [8] by providing them with patient-specific clinical information to enhance the quality of medical services [9].
Moreover, they were proven to improve patient's results, costs of care [1], and clinician's behavior by providing alerts, reminders, and treatment plans [10].
Hence, there was a growing interest in deploying CDSS in healthcare centers [1].
However, due to its nature of dealing with sensitive information, its evaluation is based on its accuracy, not physicians' performance improvement [10].Therefore, the accuracy of these systems must be properly validated and tested to avoid patient morbidity.This is done by validating the system knowledge and advice to assure they are accurate, consistent, and complete [11].Furthermore, CDSS uses machine learning techniques, such as nave Bayes or decision trees, to build their systems.Moreover, the privacy preservation of patient's information in the system is another important concern [3].

Wireless Body Sensors Network
Patients with chronic diseases suffer from wasting their time at hospitals for monitoring their vital signs.Moreover, patients may undergo an emergency situation and cannot call for help.All these scenarios are possible and may happen at any time.One solution to this problem is to attach the wearable sensors to the patients for remote monitoring.This system is called mobile healthcare systems (m-healthcare) [4].These wearable sensors form a wban, where the attached sensors will collect the vital signs of the patient and report them periodically to a device held by the patient; the latter will then forward the collected data to the healthcare centers [12].They are considered as non-expensive solusions, which may provide a life log of sensed vital signs [13].Furthermore, in case of an emergency, the carried device will detect the situation and alert the healthcare system to send an ambulance [4].Therefore, m-healthacre systems will enhance the healthcare monitering systems [14].

Mobile Healthcare Social Network
M-healthcare systems were improved to add a social networking feature.In mobile healthcare social networks (MHSN), in addition to m-healthcare's monitoring and emergency services [2] [4], they may offer social networking between the patients themselves by connecting the ones with similar symptoms for experience exchange and support [15].Due to these advances in healthcare technologies, nowadays, healhcare service centers are increasingly adapting MHSN into their systems for its convenience and efficiency [12].However, the transmission of a patient's health information (PHI) raises a security issue.PHIs should be protected from attackers and eavesdropper in the network [2] [4].

Privacy-Preserving Healthcare Systems
To preserve the privacy of patients' PHI, encryption is used.For instance, homomorphic encryption can be used to hide the meaning of the patients' PHI before feeding them to the decision support system for training.Also, attributebased encryption is useful because it helps patients in deciding who to access their PHI in the medical social networks.Moreover, secure techniques for matching patients with similar symptoms will allow patients of similar conditions to communicate safely without leaking PHI details. matching.In this section, we briefly overview the studies related to our work to build an understanding of the current state of technology and their issues.

Related Work
Privacy-preserving Healthcare Systems: Ledley and Lusted [7] are considered the pioneers in addressing the area of clinical decision-support systems (CDSS).They have explained the complicated process of diagnosing patients, and how computers can help physicians in excelling this process.They have proposed different models, using different mathematical disciplines, such as symbolic logic and probability (nave Bayes).Their work was the landmark of later studies in this field [8].For example, [16] have presented the first Bayesian classifier for congenital heart disease patients.The model was based on the patient's symptoms, electrocardiograph results, and physical exam.Furtherly, the work in [17] described the challenges faced by intensive care unit physicians in diagnosing and treating infectious diseases; and therefore, discussed more than a few models, including nave Bayes, which could be deployed in the future of clinical practice.The early studies of clinical decision-support systems focused on the goal of improving the healthcare services by providing timely patient-specific information without turning the attention to the importance of preserving the patient's privacy.However, the work in [3] proposes a Privacy-preserving Patient-centric Clinical Decision support system (PPCD), which is based on Nave Bayesian classifier, to aid physicians and care givers in diagnosing patients while preserving their privacy.The system collects and aggregates patients' symptoms and diseases to train the Nave Bayesian classifier.The classifier is then used by physicians and patients to diagnose and retrieve results respectively.
Privacy-Preserving Decision Tree: is the task of generating decision trees from multiple party datasets without revealing private datasets to other parties [18].The privacy-preserving techniques used varied between encryption and secret sharing schemes.The study in [18] used homomorphic encryption and digital envelope to construct a collaborative decision tree classification model without disclosing private datasets to other participating parties.Another model proposed by [19] used a semi-trusted commodity server.In their model, the data is vertically split among parties.Furthermore, the authors in [20] proposed a privacy preserving model using polynomials and fully homomorphic encryption; where decision trees are expressed in polynomials.Using oblivious transfer, the study in [21] [22] designed a privacy preserving decision tree model for constructing a classification model out a dataset divided between two parties, without revealing one's dataset to the other.Moreover, a study in [23] proposed a privacy preserving decision tree model over multiple parties using ID3; they have constructed the model to exchange the proportions needed to calculate the information gain through Secret Sharing Scheme (SSS).Another study in [5] proposed an RDT model for constructing a classifier between two parties; homomorphic encryption was used to encrypt leaf vectors.
Ciphertext Policy Attribute Based Encryption.The first CPABE was proposed by [24].In their construction, the secret key is associated with a set of de- The access policies in their work are based on access tree structures.Moreover, their scheme thwarts collusion attack by randomizing users' keys in a way to prevent them from combining the keys.Because decryption process is recursive, which is expensive, they have also proposed an optimization solution.Later studies, [25] [26] [27], came to improve [24].In [27] the authors presented a scheme for CPABE that is expressive, efficient, and provably secure.It allows access control to be specified in terms of any access formula over the system attributes.While the works in [25] [26] have improved the efficiency or achieved higher level of security.Another comparative study in [28] have proposed a simple and effective scheme of CPABE using a single AND gates on positive and negative attributes.Their results show that they have achieved shorter decryption time than [24], and shorter secret key and ciphertext.Although their scheme show better performance results at a certain range of attribute numbers than [24], it imposes a limitation on the system for not being able to handle more expressive types of access policy structures.
Fully Homomorphic Encryption.Gentry's profound work has laid the foundations for FHE [29].He solved the accumulated noise problem through bootstrapping.Bootstrapping involved blind partial decryption of the ciphertext to remove the noise.In other words, after performing a number of homomorphic operations on the ciphertext, decrypting and re-encrypting will produce a fresh-noise-free ciphertext [30].Until today, there are plenty of attempts to present a practical FHE in literature [29] [31] [32] [33] [34].Those papers covered many applications.However, Cloud computing is considered the main application of HE.Other applications included electronic-voting, multiparty computation, information retrieval, and database encryption delegations [35].
Opportunistic Computing.It is a framework which uses opportunistic communication between two devices for resources and services sharing.It became an interesting field for research and development [36].The study in [37] addresses the problem of storing and executing an application that surpasses the memory resources available on a single node.Their work was based on dividing the code into a number of modules that are cooperating opportunistically.The original application is executed by running its subset of tasks at the corresponding node, which in turn provides services to neighboring node.The study in [4] has presented and exemplary work in opportunistic mobile social networks in the field of healthcare systems.Realizing the importance of real-time monitoring of patients of chronic diseases outside the hospital, they have proposed a system which takes advantage of nearby person's (helper) smartphone when the patient's smartphone is running low on power.Furthermore, a user-centric twophase access control policy was designed to ensure patient's privacy; hence, a helper should be a medical user with similar symptoms according to a user-predefined threshold.An implementation of this work was illustrated in [38].
The literature in this area remains scarce.

Proposed Model
In this section, we describe our proposed model through a descriptive scenario (4.1) and overall detailed description (4.2).  will be used to look for a nearby person for help.Normally, Bob would have been signed up with his customized PDA.Moreover, the nearby person may act as a relay to rebroadcast the call for help to broaden the search area, or he may be another patient using the same MHSN, a physician, or a paramedic.The latter two, physician or paramedic, will rush to the location upon receiving the call, and if the predefined settings in the PDA approve them as helpers.Bob will receive proper first aid while waiting for the ambulance.

Descriptive Scenario
The above scenario will require Bob to have a sufficient power on his PDA.
However, since this can not be guaranteed, a solution is needed for such case.
Opportunistic Computing may overcome this problem.Bob's PDA in this situation will first look for a nearby agent/proxy before searching for help.The agent/ proxy's role is to act on behalf of Bob in searching for helpers.Therefore, the Communications and Network consequences of having low energy on Bob's PDA could be avoided using opportunistic computing.

System Description
In our model, we aim to provide a system that enhances the medical services in hospitals and health institutions.We focus on two primary aspects in health services, diagnosis and emergency calls.In the former, it is widely known that it's not a straight forward process, which requires multiple steps to go through in order to reach the most proper diagnosis [7].Moreover, in case of patients of chronic diseases, physicians wish to monitor their vital signs around the clock, however, it is hard to keep the patients in hospitals just for reading their vital signs periodically to detect abnormal conditions the moment they occur.Therefore, we propose a system that addresses the above problems with privacy preserving.
Before we start with the system description, we will identify the main parties involved in the system as shown in Figure 3: 1) Trusted Authority (TA): which is responsible for key management during setup.
2) Cloud: consists of three units:  3) Hospitals (healthcare centers): provides the system with the historical medical data (HMD).And, it uses the diagnosis unit inside the cloud to classify new symptoms.
4) Patients: are system users who has symptoms and disease class, and are being remotely monitored.
5) Relay user: is a passing-by system user who doesn't meet the patient's criteria of a helper, and can only receive the encrypted patient's health information (PHI) and re-broadcast them to other passing-by users.
6) Helpers: are system users who could be a patient, physician, or paramedic.
7) Proxies or Agents: other system users who are patients with similar symptoms.
Since our focus is on diagnosis and emergency calls, we divide our model into two subsystems, the ppcdss, and the ppecs.The overall system model is depicted in Figure 4.

Privacy-Preserving Clinical Decision-Support System (PPCDSS)
First, we start with the diagnosis part of the system.In practice, physicians collect patient's vital signs and symptoms to decide on their diagnosis.This symptom-disease matching process could be accomplished through different sets of processes.However, they all require numerous and time consuming steps [7].In our model, we propose a design for a CDSS (Clinical Decision-Support Sys- .As the name implies, SDT is composed of one decision tree that is built from the whole dataset.On the other hand, RF and RDT are ensembles of decision trees.Each RF tree is built from a random subset of the whole dataset; whereas, each RDT tree is randomly built from the whole dataset.In our model, each hospital will locally build its own RF/ RDT ensemble, and send it to the cloud; there, the final ensemble will be formed and sent back (Figure 4(e), Figure 4(f)).Hospitals now can perform diagnosis locally using their decision model.Finally, the classification results will be securely forwarded to the patient's PDA upon request (Figure 4(g), Figure 4(h)).
Below we describe each decision model in details.
Single Decision Tree (SDT) Model: In this model, the goal is to build an SDT from the datasets of all hospitals put together (whole dataset).However, to maintain the privacy of each hospital's dataset, we use the cloud to act like a coach and direct each dataset owner (hospitals) where to split their data (Figure 4(d)).the process starts by having each hospital evaluate the proportions for each attribute that are needed to calculate the Entropy (E) and Information Gain (IG).Then, the evaluated proportions will be fully homomorphically encrypted and transmitted to the cloud (Figure 5 This iterative process will continue until the complete decision tree is built at each hospital site. Random Forest (RF) Model: A random forest is an ensemble of SDTs, where each one is built out of a random subset of the whole dataset.Since our whole dataset is considered as the aggregated datasets of all hospitals, we can think of each single dataset is a random horizontal subset.Therefore, each hospital can generate its own random forest and transmit it to the cloud (Figure 6(a)).There, the ensemble aggregator (Figure 6(b)) will form the initial global ensemble by removing any redundant trees.The output of the previous step will be handed over to the Electronic Vote Manager (EVM) (Figure 6(c)); in which it will send it to all hospitals to review and vote (Figure 6(d)).Each hospital will review the initial ensemble and vote out any tree that it considers revealing knowledge of its own dataset, then it will send its vote back to the cloud (Figure 6(e)).Each vote can only be seen by the cloud, thus, hiding the identity of the objecting hospital from the others.Finally, the EVM will remove the voted out trees from the ensemble, and then transmits the final global ensemble to all hospitals (Figure 6(f)).Although no security, nor privacy techniques were used in this model, the privacy was achieved through hiding the original datasets.
Random decision tree (RDT) Model: RDTs are an ensemble of randomly generated decision trees based on the whole dataset attributes.This variation of decision trees doesn't use the example in the dataset; however, it predefined a random tree height value, then it will randomly pick an attribute name to build the tree until the predefined height is reached.Finally, the last level of each tree will be of empty leaves.the process will continue until a certain number of trees are built.At this stage, the trees are only made-up of attributes but no classes.
The next step is to assign to each leaf node a vector; the length of the vector is Then, each hospital will encrypt the leaf vectors homomorphically to keep them private, and send it back to the cloud (Figure 7(h)).There, the cloud will homomorphically sum up the vectors of same trees to form the final global ensemble.Finally, the latter will be sent back to the hospitals (Figure 7(i)).
All of the above models will go through periodic updates for improving their performance.As for diagnosing new patients, it will always be done locally; thus, keeping their symptoms private.

Privacy-Preserving Emergency Call System (PPECS)
In the second part of the system model, the focus is directed towards the chronic patients who require constant monitoring.Instead of keeping them inside the hospital, they will be equipped with wireless body sensors which are connected with the patient's PDA via Bluetooth to form a wireless body sensor network (WBS).These sensors will periodically read the patient's vital signs and transmit them to the PDA, which in return, will process and transmit the data securely to the healthcare center (Figure 4(i)), therefore, allowing physicians to monitor sufficient energy on their PDA to act as a Proxy or agent and carry on the above tasks on behalf of the original patient (Figure 8(c)).However, those users who happens to be another patients using the same system, must have certain similarity with the original patient's symptoms.The threshold of similarity is decided during setup by the patient (Figure 9).The algorithm in [39] will be used to measure the similarity in symptoms between two patients.
The symptom matching algorithm works by prompting for the near-by user's symptoms vector, which is for security purposes will be transmitted as a ciphertext using homomorphic encryption.Upon receiving, the prompting party will apply homomorphic encryption on their symptoms as well, then a series of calculations and message exchanging will result in a value (λ) that would decide whether the symptoms are similar or not.Such decision is made by comparing λ to a threshold value set by the prompting party.If λ is greater than the threshold then the symptoms are considered similar, otherwise not.
With the described model, a high degree of enhancement in medical care services is expected by allowing physicians to monitor their patients from distance, and detect distress situations as they happen to offer immediate help.The proposed system also provides a diagnosing tool which aids in speeding up the diagnosis process with accuracy.

Motivational Example
This section describes the motivating case study that will be used throughout the paper.Consider Dr. Alice who is a doctor in Hospital H, and Bob who is a patient in Dr. Alice's clinic.Every time Bob visits Dr. Alice, his vital signs are taken, and he is prompted to describe how he feels.Dr. Alice then is going to apply her knowledge to determine Bob's condition.Suppose on one visit, Bob's complained about continuous need for urination, micturition pain, and burning of urethra; he also denied nausea, and lumber pain.Consecutively, Dr. Alice will employ her knowledge base to diagnose Bob's condition; in which it would lead her to inflammation of urinary bladder disease.However, these symptoms could be shared by other diseases.

Motivating Scenario of the Single Decision Tree (SDT) Model
In Nephritis of renal pelvis origin, 2 = Inflammation of urinary bladder, 3 = Both diseases).To build a decision tree out of the concatenation of the former datasets without revealing to each other will require a third party.In this case a cloud will mediate and manage the process.First, Each hospital will count the required proportions needed to calculate the entropy and information gain at the cloud.
Those proportions will be stored in a two-dimensional array for each attribute.
The number of columns will be equal to the number of possible decision classes (in our case they are 4), and the number of rows is equal to the number of possible values for each attribute (in our case they are 2 for all attributes).Each cell value will represent the number of occurrences for each class with each attribute value.For example, consider the arrays in Figure 11 for attribute Nausea at each hospital, they show that Hospital 1's dataset has three rows where Nausea = 0 and Class = 0. Furthermore, by summing the cell values of each array, the total size of the dataset is retrieved; and by summing the cell values for each column, the total number of occurrences for each class is retrieved.Therefore, these arrays hold different and valuable information useful for entropy and information gain calculations.Before each hospital sends out its array to the cloud, they will homomorphically encrypt them.There, the cloud will sum the values of the corresponding array cells; see Figure 12     ( ) It should be noted here, that all calculations are performed homomorphically; therefore, the cloud doesn't know the real values calculated.Afterwards, it will calculate the information gain using Equations ( 5) and ( 6).

Entropy Entropy
where: A : attribute name p = number of attribute values = number of array rows j a = number of occurences of value j a of attribute A = sum of row j cell values therefore: ( )

( ) ( ) ( )
Entropy Entropy 1.949 1.3252 0.6238 Repeating the same steps for each attribute we find that attribute "Urine pushing" has the maximum information gain value, and thus, the cloud will inform each hospital to split their data at that attribute and repeat the above steps for each subset of the dataset.The final result will be the generation of one SDT at each hospital site.Figure 13 shows the final decision tree.Now going back to Dr. Alice and Bob, and tracing the tree with Bob's symptoms (Nausea = 0, Lumber pain = 0, Urine pushing = 1, micturition pain = 1, Burning of Urethra = 1), Dr. Alice can confirm the inflammation of urinary bladder disease.

Motivating Scenario of the Privacy-Preserving Emergency
Call System (PPECS) Continuing with the example in Section 9, we assume Dr. Alice wants to keep an eye on Bob to monitor his heart condition, but without checking him in the hos-Communications and Network pital.Therefore, Bob will be equipped with WBS to monitor his vital signs, such as his pulse rate and blood tension (Figure 14(a)).Then, his PDA will be equipped with an application that will receive the transmitted vital signs via Bluetooth (Figure 14(b)).The PDA will periodically process the received data and transmit the results to the care giver via WiFi and GSM (Figure 14(c)).Furthermore, the vital signs will be encrypted to keep them safe from adversaries (Figures 14(d  as quickly as possible, the PDA application will feature a mobile health social network.This social network will exclusively include physicians, paramedics, and patients.Beside the social aspect of this network where patients may connect together and support each other; in a distress situation, a call for help could be broadcast to all users in the area.Because Bob's health record will be sent along with the call for help, he may have a preference on who should come for help, a physician, a paramedic, and/or another patient.Furthermore, he may decide how much can a receiver read from his health information.Therefore, at setup time, Bob will set the order of who he prefers to come fore help, and what information can he see.In [3] [4], either provide the emergency DOI: 10.4236/cn.2017.94018252 Communications and Network call service, the opportunistic computing framework, or the classification feature.

Figure 1 .Figure 2 .
Figure 1.Hiding of Votes.(a) All parties exchange votes without a third party; (b) with a cloud, each party is oblivious of other parties' votes.

(
WBS) and a PDA.The WBS will periodically read Bob's vital signs and communicate them to the PDA, which in return will process them and transmit the processed results to Alice in Hospital C.This way, Alice can keep a close eye on Bob while he is moving along in his life.Now let us imagine Bob being home alone and had a sudden heart attack.The PDA will immediately detect this urgent condition and will send a call for an ambulance to Hospital C, and notify Alice.Until the ambulance arrives, Bob will remain on the floor waiting for help that may take time due to long distance and/or traffic.To accelerate the first aid, a mobile health social network (MHSN) a) Single Decision Tree (SDT) unit: responsible for calculating the entropy and information gain and decide where to split the dataset.b) Random Forest (RF) unit: responsible for securely aggregating the local ensembles received from all hospitals, and then run the electronic voting manager to form the final global ensemble.c) Random Decision Tree (RDT) unit: responsible for securely aggregating the local ensembles received from all hospitals, and then run the electronic voting manager to form the initial global ensemble.Finally, it prompts each hospital to complete filling the leaf nodes of each tree in the ensemble and then securely aggregates the ensembles again to sum up the values in leaf node to form the final global ensemble.

Figure 3 .
Figure 3. System Abstract.Showing the two subsystems, PPCDSS and PPECS, and their components.

Figure 4 .
Figure 4. System Model.(a) The SDT unit; (b) the RF unit; (c) the RDT unit; (d) the encrypted proportions needed to build the SDT and the best attribute to split the dataset returned by the cloud; (e) the hospital's local RF ensemble, and the global RF ensemble returned by the cloud; (f) the hospital's local RDT ensemble, and the global RDT ensemble returned by the cloud; (g) the patient requesting for the diagnosis results after visiting the hospital; (h) the hospital response for the patient's request in (g); (i) transmitting the patient's periodically processed vital signs; (j) the call for an ambulance that could be transmitted from any user within (k); (k) the users of PPECS.

Figure 5 .
Figure 5. SDT Model.(a) The encrypted proportions for each attribute needed to calculate E and IG; (b) received proportions will be aggregated and summed for same attributes; (c) calculates entropy from aggregated proportions; (d) calculates information gain from entropy; (e) selects the attribute with maximum gain; (f) the best attribute is sent back to the hospitals.

Figure 6 .
Figure 6.RF Model.(a) The locally generated RF ensemble at each hospital; (b) the received ensembles will be aggregated in one initial global ensemble; (c) the EVM will run and manage the voting on ensemble trees; (d) the initial global ensemble is sent to the hospitals to cast their votes; (e) each hospital will return their votes to the cloud; (f) the final global ensemble after removing voted out trees is sent to each hospital.

Figure 7 .
Figure 7. RDT Model.(a) The locally generated RDT ensemble at each hospital with empty leaves; (b) the received ensembles will be aggregated in one initial global ensemble with empty leaves; (c) EVM will run and manage the voting on ensemble trees; (d) the initial global ensemble is sent to the hospitals to cast their votes; (e) each hospital will return their votes to the cloud; (f) the LVC will manage the collection and summation of leaf nodes; (g) the initial global ensemble with empty leaves will be sent to the hospitals to fill in their counts; (h) each hospital will return the ensemble back to the cloud after evaluating the leaf nodes values; (i) the final global ensemble is sent to each hospital.
for an example.Because the array values are encrypted homomorphically, the cloud is able to perform calculations but cannot know the real values.Having an array for each attribute, the cloud can calculate the values it need to evaluate the entropy and information gain.Following the example of attribute Nausea we show below how the entropy and information gain are calculated.Equation (1) shows Quinlan's [40] general for mula for calculating the entropy, and Equation (2) shows the value of entropy in our example.

Figure 11 .
Figure 11.The 2-D array for attribute Nausea at each hospital.

Figure 12 .
Figure 12.The 2-D array for attribute Nausea at the cloud after summing the values of corresponding array cells.
number of occurences of class i = sum of column i cell values D = dataset size = the sum of all array cell values therefore:

Figure 13 .
Figure 13.The decision tree generated by collaborating hospitals.

Figure 15 Figure 15 .
Figure 15.PDA setup for Bob's preference list of helpers.

Figure 16 .
Figure 16.Emergency Call System.(a) Bob having a heart attack at home; (b) the call for help package prepared by Bob's PDA; (c) a physician; (d) a paramedic; (e) another patient; (f) not a user of the social network.
, and the ciphertext is associated with an access policy describing who has the privilege to decrypt the ciphertext.When a user receives a ciphertext, he can decrypt it if his descriptive attributes satisfy the access policy.
. Alabdulkarim et al.DOI: 10.4236/cn.2017.94018256 Communications and Network scriptive attributes Consider Alice who is a cardiologist in Hospital C. Bob, who is a cardiology patient, is visiting Alice for the first time.Normally, Alice will have to collect Bob's Symptoms then apply her knowledge base to determine Bob's disease or condition.However, this task may vary in duration, and Alice has many patients to see and examine.To avoid wrong diagnoses, Alice would need assistance in making faster decisions.A CDSS would come in handy in such situation.These systems build a decision model based on a wide knowledge base of symptoms and their corresponding disease(s) collected from different hospitals.Using such systems will help Alice to speed up the diagnosis process with fewer errors.
Alice also would like to keep a constant monitoring of her chronic disease patients.So imagine Bob being diagnosed with a chronic condition.At first, Alice needs to monitor his condition without being hospitalized because Bob's condition does not require hospital admission, beside he has a family and a career that needs his presence.Therefore, Alice will equip Bob with Wireless Body Sensors