Article

VCAC: A Blockchain-Based Virtual Care Access Control Model for Transforming Legacy Healthcare Information Systems and EMRs into Secure, Interoperable Patient-Centered Virtual Hospital Systems

Information Systems Department, College of Computer and Information Sciences, King Saud University, P.O. Box 51178, Riyadh 11451, Saudi Arabia
Information 2025, 16(11), 972; https://doi.org/10.3390/info16110972
Submission received: 28 July 2025 / Revised: 2 October 2025 / Accepted: 5 October 2025 / Published: 11 November 2025
(This article belongs to the Special Issue Blockchain, Technology and Its Application)

Abstract

The rapid rise of virtual hospitals has created an urgent need for secure, interoperable, and patient-centered (PC) access to medical data across distributed healthcare environments. However, most existing hospital information systems and electronic medical records (EMRs) were not designed to support decentralized service delivery or cross-institutional collaboration. While many prior solutions advocate replacing legacy systems with new architectures, such approaches often face significant cost, integration, and adoption challenges. This paper introduces a novel blockchain-based Virtual Care Access Control (VCAC) model that extends—rather than replaces—legacy systems and EMRs to support secure data sharing across virtual hospital ecosystems. Leveraging the core features of distributed ledger technology (DLT)—including immutability, decentralized auditability, and consensus-driven access—the VCAC framework embeds a six-tier PC information classification scheme into a blockchain-based layer. This model enables fine-grained, role-based access to clinical data, supporting PC treatment in comorbidity-aware contexts, emergency access, and policy-driven governance while maintaining institutional autonomy. We demonstrate how VCAC mitigates key confidentiality, integrity, and availability risks common to legacy systems. The model is evaluated through a breast cancer outpatient use case, illustrating its practical potential to transform fragmented infrastructures into secure, interoperable, and PC virtual care platforms—without disrupting existing healthcare operations.

1. Introduction

The COVID-19 pandemic, coupled with rapid advancements in digital health technologies, has significantly accelerated the adoption of virtual healthcare models worldwide [1,2]. Virtual healthcare encompasses a broad spectrum of remote healthcare services—including teleconsultations, digital diagnostics, and remote patient monitoring—delivered beyond traditional clinical settings. Within this evolving paradigm, virtual hospitals represent a more structured and scalable approach. These institutions typically operate in a hub-and-spoke configuration, where centralized providers at secondary or tertiary care centers deliver specialized healthcare services virtually to patients located at distributed spoke facilities [3,4]. This model enhances the capacity of conventional hospitals—especially those in resource-constrained environments—to deliver accessible, cost-effective, and high-quality care.
A key enabler of successful virtual healthcare delivery is patient-centered (PC) care (also known as shared care), which places individual needs, preferences, and experiences at the center of the care process [5,6]. In virtual environments—where in-person interaction is limited—ensuring personalized, coordinated, and responsive care is essential to maintaining trust, engagement, and clinical effectiveness [7]. As virtual hospitals mature, they increasingly rely on robust, secure, and interoperable access control models to manage electronic medical records (EMRs) and exchange sensitive health information across distributed systems [8]. Achieving this level of integration and trust remains a major challenge in today’s decentralized digital health ecosystem.
Traditional hospital information systems, however, are often ill-equipped to support these evolving requirements. Their reliance on centralized EMR infrastructures creates bottlenecks in scalability, limits cross-institutional interoperability, and introduces vulnerabilities such as single points of failure and heightened cybersecurity risks [9,10]. These limitations hinder the ability of healthcare organizations to deliver seamless virtual services that require secure and dynamic data sharing across institutional boundaries.
Distributed ledger technology (DLT), particularly blockchain, has emerged as a compelling candidate for addressing these challenges. With features such as decentralized governance, cryptographic assurance, and immutable transaction records, blockchain enables secure, transparent, and tamper-resistant data storage and exchange. These capabilities align well with the needs of healthcare environments, where trust, accountability, and privacy are paramount [11,12,13]. Specifically, blockchain supports the implementation of role-based access control (RBAC) models that ensure only authorized actors can access sensitive patient data while preserving auditability and regulatory compliance [14].
Despite its promise, existing blockchain-based access control models have yet to fully address the practical realities of integrating heterogeneous legacy hospital systems into distributed virtual healthcare networks. Most prior work overlooks the complexities of preserving local autonomy while enabling secure and policy-compliant data exchange at scale. Moreover, few models, such as the one in [15], provide the fine-grained, patient-centered access needed to deliver responsive care in virtual hospital ecosystems.
To bridge this gap, this paper introduces a role-based, blockchain-enabled Virtual Care Access Control (VCAC) model specifically designed for virtual hospital environments. The proposed VCAC model extends—rather than discards—legacy systems and EMRs to enable secure data sharing in distributed virtual hospital environments. This is achieved by combining the security and transparency of blockchain with a five-tier information classification scheme to facilitate granular, role-aware data sharing. The VCAC model overlays existing legacy infrastructure with a modular sharing layer that enables secure, policy-aligned interoperability across distributed healthcare institutions. This approach ensures that virtual hospitals can deliver collaborative, PC care while respecting institutional boundaries and governance constraints.
This paper aims to investigate how DLT, particularly blockchain, can enhance the capabilities of legacy healthcare information systems and EMRs to operate securely and effectively within virtual hospital ecosystems. The study focuses on the challenges of policy-compliant, interoperable, and secure data sharing across decentralized environments.

Research Contributions

This paper presents a novel access control framework that addresses key interoperability and security challenges in virtual hospital ecosystems. Its main contributions include the following:
  • Developing a blockchain-based VCAC model that extends—rather than replaces—legacy healthcare information systems and EMRs, thus enabling secure, patient-centered (PC) data exchange without disrupting existing infrastructure.
  • Introducing a six-tier information classification scheme that maps clinical responsibilities to treatment phases, enabling fine-grained, role-based access control across institutional boundaries.
  • Designing a neutral security domain that harmonizes local and collaborative policies, preserving institutional autonomy while enforcing unified access rules through distributed ledger technology.
  • Demonstrating the feasibility and real-world applicability of the proposed model via a breast cancer outpatient scenario, showcasing its potential for adoption in resource-constrained healthcare settings and its adaptability to other virtual care contexts.
The remainder of this paper is organized as follows: Section 2 provides background information on virtual hospitals and the information security risks associated with legacy electronic medical records (EMRs). Section 3 outlines the challenges of incorporating legacy healthcare information systems and EMRs into virtual healthcare settings. Section 4 discusses the role of distributed ledger technology (DLT) in modernizing healthcare systems and addressing interoperability barriers. Section 5 reviews existing research on access control models and blockchain applications in EMR systems, highlighting key limitations. Section 6 details the scenario-based methodology used to design and evaluate the proposed VCAC model. Section 7 presents the design of the blockchain-based VCAC model, including the six-tier information classification scheme. Section 8 reports the evaluation results, focusing on the VCAC model’s effectiveness in mitigating threats to integrity, availability, and confidentiality. Section 9 discusses key findings, architectural implications, and directions for future work. Finally, Section 10 concludes the paper by summarizing the contributions of the VCAC model and its potential impact on secure, patient-centered virtual healthcare.

2. Virtual Healthcare Service Delivery Model: Fundamentals

2.1. The Virtual Model as the New Norm

Emerging digital technologies have transformed healthcare delivery by introducing the concept of virtual hospitals—an innovative approach to providing specialized services remotely. A virtual hospital refers to a dedicated network of secondary and/or tertiary care centers organized in a hub-and-spoke configuration [16]. In this model, clinicians at a central hub hospital deliver inpatient and outpatient care virtually to patients located at peripheral spoke hospitals through secure digital platforms [16], as illustrated in Figure 1. To ensure the effectiveness of this model, hub-based providers must be granted secure, timely, and role-based access to patient records and clinical data maintained within the spoke hospitals’ EMRs and local information systems. This access is critical for enabling informed virtual decision-making, supporting accurate diagnoses, and ensuring coordinated care delivery across the distributed network of facilities.
The primary objective of this model is to empower hospitals—particularly those in resource-constrained or remote areas—to deliver more comprehensive, accessible, and PC care via virtual clinics [17,18,19].

2.2. Virtual Healthcare and the Imperative of Patient-Centeredness

PC care remains a foundational principle of virtual healthcare, requiring secure and interoperable access to EMRs that enable personalized, coordinated, and responsive care across institutions. It emphasizes shared decision-making, continuous communication, and active patient engagement—elements that become even more critical in distributed virtual environments where physical interaction is limited [20,21,22,23].
To effectively support PC care, virtual healthcare ecosystems must facilitate seamless and secure data exchange across institutional boundaries, ensuring that complete and up-to-date EMRs are accessible to authorized care providers [20]. These systems rely heavily on interoperable digital infrastructure, secure communication channels, and responsive interfaces that maintain continuity of care in distributed clinical settings.
In summary, virtual hospitals offer a scalable, technology-enabled model for delivering healthcare services that transcend traditional geographic and organizational constraints. By embedding secure, interoperable access control into these environments, institutions can preserve continuity, trust, and personalization of care—particularly in distributed or resource-constrained settings. This context sets the stage for Section 3, which examines the limitations of legacy hospital information systems in supporting secure and collaborative virtual care.

3. Challenges in Incorporating Legacy Healthcare Information Systems and EMRs in Virtual Healthcare Settings

Legacy healthcare information systems and EMRs were developed primarily for institution-centric operations, with architectures and access models designed for use within a single hospital environment. While effective in traditional settings, these systems present significant challenges when extended to distributed virtual care ecosystems. In this section, we first outline the regulatory and data-sharing pressures that complicate integration of legacy systems into collaborative environments. We then review traditional access control models, examining their strengths and limitations, and conclude by identifying specific gaps that motivate the design of the blockchain-enabled VCAC model presented in Section 7.

3.1. The Data-Sharing vs. Data Protection Dilemma

The World Health Organization’s Global Strategy on Digital Health 2020–2025 [1] (which was extended to 2027 by member states during the 78th World Health Assembly) classifies health data as sensitive personal data or personally identifiable information, emphasizing the need for a strong legal and regulatory foundation to protect privacy, confidentiality, and data integrity. It also highlights the importance of addressing cybersecurity, trust, accountability, ethics, equity, capacity building, and data literacy. Ensuring the collection of high-quality health data—and its subsequent secure sharing—is essential for planning, commissioning, and transforming healthcare services.
At the same time, healthcare providers are entangled in a complex web of legislation, regulations, and institutional policies [24]. These frameworks—such as those governing Protected Health Information (PHI), which refers to any individually identifiable health data created, received, or transmitted by a healthcare provider—require careful balancing between making the right medical information available to the right users and protecting patient privacy. Prominent examples include the Health Insurance Portability and Accountability Act (HIPAA) in the United States, the General Data Protection Regulation (GDPR) in the European Union, and the Personal Data Protection Law (PDPL) in Saudi Arabia [24]. As a result, providers face mounting pressure to reconcile information availability and confidentiality in ways that uphold trust, accountability, and compliance with international and national data protection laws [25]. Shared care settings, particularly those involving multiple institutions, amplify this challenge, as providers must manage privacy, security, and cross-border data transfer constraints across diverse platforms [26,27,28,29].

3.2. Access Control Models in Traditional Hospital Information Systems and EMRs

Access control has long been a foundational security mechanism in healthcare systems [30]. It governs who can access specific information based on predefined policies and ensures that users interact with data according to their authorization levels. Generally, access decisions rely on three core components [31]: a Policy Storage Point (PSP), a Policy Decision Point (PDP), and a Policy Enforcement Point (PEP). These components work in tandem to enforce rules securely [31]. Furthermore, the model ensures that authenticated users access only the information they are authorized to use, as specified in policies [31,32,33].
Traditionally, access control models have been developed over the years to meet domain-specific information security needs [15,23,30,34,35]. While all models aim to regulate information flow, they differ in terms of the specific balance they strike between the three pillars of information security: confidentiality, integrity, and availability. Importantly, they share a common architectural approach involving centralized enforcement domains [31] (see Figure 2).
Figure 2 illustrates the typical interaction between the three access control components in traditional systems.

3.3. Limitations of Traditional Access Control Models

In conventional hospital settings, RBAC models have been widely implemented to regulate user permissions [30,36]. These systems allocate access rights based on predefined roles—such as physician, nurse, or administrator—and enforce the principle of “need-to-know” to safeguard sensitive patient information [37]. While RBAC offers a structured and scalable approach to managing access, its traditional implementations in healthcare often lack the flexibility required to support modern, distributed care environments [15].
In particular, legacy RBAC systems struggle to support cross-institutional access, emergency overrides, and context-aware authorization—capabilities that are increasingly essential in virtual healthcare and telemedicine settings [15]. Most of these models were originally designed for use within a single institution, enforcing access control policies solely within internal systems [20]. As a result, they are unable to extend secure policy enforcement across organizational boundaries without compromising data sovereignty or exposing sensitive information [34]. This limitation inhibits collaborative care delivery and discourages the exchange of critical patient data, especially in high-risk or privacy-sensitive scenarios.
Although RBAC can theoretically accommodate cross-institutional access by expanding privilege groups, practical deployment in virtual hospital ecosystems remains problematic. First, the number of required roles grows exponentially (“role explosion”) when accounting for diverse institutional policies, patient conditions, and treatment stages. Second, RBAC lacks native support for dynamic, context-aware conditions such as patient consent, time-of-access, or emergency overrides. Finally, RBAC enforcement is typically centralized within one institution, limiting its ability to generate immutable, verifiable audit logs across domains. These limitations illustrate why a decentralized, blockchain-based model is required for secure and transparent interoperability.
Furthermore, traditional access control models tend to emphasize confidentiality, often neglecting other core principles such as availability and integrity [38]. While protecting against unauthorized access remains fundamental, the evolving nature of healthcare demands a more balanced approach—one that ensures continuous, accurate, and secure data availability for authorized providers. The rigid structure of legacy models makes them poorly suited to support the dynamic, collaborative, and PC care that modern decentralized healthcare ecosystems require.

3.4. Information Security Threats in Legacy Hospital Information Systems and EMRs

Despite their central role in hospital operations, legacy systems and EMRs are increasingly susceptible to a range of information security threats. Recent studies have identified persistent vulnerabilities, including malware infiltration, phishing attacks, insider misuse, poor encryption practices, and misconfigured cloud services [39]. Many of these systems were not originally designed with modern threat landscapes in mind, leaving them exposed to risks that can compromise patient data confidentiality, availability, and integrity.
In distributed healthcare environments, these risks are amplified. Legacy systems often lack real-time threat detection, multi-factor authentication, or secure interoperability protocols, making them especially vulnerable when integrated into broader virtual healthcare infrastructures. These limitations pose a critical barrier to secure and collaborative care delivery, especially when sensitive patient data must be exchanged across institutional boundaries. Building on the limitations discussed above, it becomes clear that legacy hospital information systems are fundamentally ill-suited to the demands of virtual healthcare delivery.
Achieving comprehensive information security in virtual healthcare delivery is both critical and complex [29,40,41]. Legacy systems often compromise availability, limiting the accessibility of PC data to care teams at virtual points of care [20]. Research shows that current healthcare systems can interrupt treatment continuity, making them ill-suited for virtual healthcare ecosystems [27]. This is largely due to conflicting information security priorities—legacy models are tailored for disease-centered, institutional workflows and emphasize confidentiality, while virtual healthcare models demand flexibility, interoperability, and patient-centered availability.
While interoperability standards such as Health Level Seven International (HL7) and Fast Healthcare Interoperability Resources (FHIR) have advanced data sharing by establishing a common language for healthcare information exchange, they possess notable limitations. These standards primarily operate at the application layer and are focused on structuring and transmitting data—not managing access to it. As such, they offer only minimal access control capabilities and lack mechanisms for enforcing granular, role-based permissions or preserving institutional autonomy. While they can partially support data availability, they fall short in addressing the full triad of information security—confidentiality, integrity, and availability. Consequently, as healthcare systems strive for broader data exchange, they risk undermining patient privacy and data integrity. This underscores the need for a holistic access control model that not only complements existing interoperability standards but also enforces secure, policy-compliant, and role-aware access to medical data across distributed virtual hospital ecosystems.
Table 1 summarizes key threats posed by traditional EMRs and hospital information systems in this context.
This study addresses the following key challenges:
  • Lack of interoperability across EMRs and hospital information systems that inhibits collaboration across hospitals.
  • Over-permissioned access models in legacy information systems and EMRs that compromise patient privacy and role-based precision.
  • Absence of cross-institutional access control, resulting in fragmented care delivery in virtual settings.
  • Limited auditability and traceability of shared information in multi-domain healthcare environments.

4. Distributed Ledger Technology and Legacy Healthcare Systems

Over the past decade, DLT has emerged as a transformative solution for enhancing transparency, security, and decentralization across multiple sectors. Among the various forms of DLT, blockchain is the most prominent. It operates by replicating data across a peer-to-peer network of nodes, eliminating reliance on a central authority while ensuring integrity, auditability, and trust through cryptographic techniques and consensus protocols.
In the healthcare sector, DLT has been increasingly explored as a means to modernize legacy information systems and address longstanding challenges in data management, interoperability, and security [42,43]. While a number of conceptual frameworks have been proposed, few studies move beyond high-level theory to offer practical strategies for integrating DLT into existing healthcare infrastructures. Most prior work does not fully account for the complexity, heterogeneity, and policy fragmentation typical of legacy environments. Critically, these approaches often overlook the need to support the gradual transition toward virtual healthcare models without disrupting institutional autonomy or compromising local access control enforcement. While confidentiality can be achieved through encryption, integrity via digital signatures, and access control via centralized key-sharing mechanisms, these approaches assume the presence of a trusted central authority. In contrast, virtual hospital ecosystems involve multiple autonomous institutions where no single entity can be relied upon to govern sensitive medical records. Blockchain provides distinct advantages in this setting: (1) decentralized trust that prevents dependency on a central custodian; (2) immutable, tamper-evident audit trails that preserve accountability across institutional boundaries; (3) a neutral governance layer that harmonizes local and collaborative policies without compromising institutional autonomy; and (4) resilience against outages and ransomware attacks through data replication across nodes. These unique properties of blockchain justify its adoption in the proposed VCAC model beyond what conventional centralized architectures can deliver.
To bridge this gap, the proposed model leverages blockchain as a foundational layer for secure and interoperable information exchange in virtual hospital ecosystems. Rather than replacing legacy systems, our approach introduces a modular DLT-based sharing layer that integrates with existing infrastructure, enabling policy-aligned, role-aware access while maintaining local governance boundaries. This strategy allows healthcare institutions to incrementally adopt decentralized capabilities without overhauling their core operational systems.

5. Related Work

Before the emergence of blockchain-based models, traditional approaches to EMR security and interoperability primarily relied on established access control models such as RBAC and Attribute-Based Access Control (ABAC). RBAC assigns users predefined roles, aligning well with structured hospital workflows but offering limited flexibility in dynamic or context-sensitive scenarios. In contrast, ABAC evaluates access based on a combination of attributes—such as user role, time, and contextual conditions—allowing for more granular and adaptive access control. Despite their strengths, both RBAC and ABAC face significant challenges in scaling across institutional boundaries due to their reliance on centralized policy enforcement. Consequently, these models typically operate effectively only within a single hospital environment and struggle to accommodate cross-organizational interoperability [15,44].
Federated identity management frameworks have also been deployed to enable authentication across hospital systems, but they do not inherently resolve issues related to authorization and auditability [45]. Moreover, federated models often depend on centralized authorities, restricting their applicability in decentralized or patient-centered ecosystems.
Early research efforts have explored the use of DLT, particularly blockchain, to address longstanding challenges in EMR security, privacy, and interoperability. Numerous academic studies and prototypes suggest that blockchain integration can enhance the integrity, transparency, and PC control of health records [46,47,48]. A systematic review by Ettaloui et al. [48] concludes that blockchain-based EHR systems effectively resolve many security and privacy issues while improving availability, although sometimes at the expense of performance and added system complexity. Similarly, a survey by Sookhak et al. [47] catalogs various blockchain-based access control architectures in healthcare, emphasizing their potential to decentralize trust and automate enforcement through smart contracts. These architectures overcome many of the limitations of traditional models by providing immutable audit trails, decentralized policy enforcement, and transparent identity and access logging.
Notable examples include MedRec [13], a pioneering Ethereum-based system that demonstrated patient-mediated data access via smart contracts; OmniPHR [10], which proposed a distributed architecture to unify fragmented personal health records; and FHIRChain [49], which incorporated HL7 FHIR standards to facilitate secure, auditable data sharing with patient-controlled permissions. However, these systems are generally developed as standalone solutions or proof-of-concept prototypes, with limited consideration for integration with existing legacy EMRs and hospital information systems. As a result, they often require complete infrastructure replacement or parallel deployment, posing significant barriers to real-world adoption—particularly in resource-constrained healthcare settings.
Hybrid designs combining blockchain with off-chain storage (e.g., IPFS or institutional servers) have been proposed to address privacy and scalability limitations. These models typically store encrypted references or hashes on-chain while maintaining actual health data off-chain. Many leverage permissioned blockchain platforms, such as Hyperledger Fabric, to tailor visibility and performance to healthcare consortium requirements [46,47].
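The hybrid pattern described above can be shown in a few lines. The following Python sketch is an added example, not code from this paper or from any of the cited systems: a single-process hash chain stands in for the permissioned ledger (there is no consensus or networking), and the record identifier, storage location and record bytes are constructed placeholders.

```python
import hashlib
import json

GENESIS = "0" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _digest(body: dict) -> str:
    # Canonical JSON so the same block always hashes to the same value.
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

class Ledger:
    """Append-only hash chain standing in for the on-chain layer (assumption)."""

    def __init__(self):
        self.blocks = []

    def append(self, payload: dict) -> dict:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = {"index": len(self.blocks), "prev": prev, "payload": payload}
        block = dict(body, hash=_digest(body))
        self.blocks.append(block)
        return block

    def verify_chain(self) -> bool:
        # Every block must link to its predecessor and match its own hash.
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            body = {"index": b["index"], "prev": b["prev"], "payload": b["payload"]}
            if b["index"] != i or b["prev"] != prev or b["hash"] != _digest(body):
                return False
            prev = b["hash"]
        return True

def anchor_record(ledger: Ledger, record_id: str, stored_bytes: bytes, location: str) -> dict:
    """Put only a hash and a pointer on the ledger; the record stays off-chain.

    stored_bytes should be the encrypted blob as it sits in off-chain storage:
    a hash of low-entropy plaintext can be guessed by anyone who reads the ledger.
    """
    return ledger.append({
        "record_id": record_id,
        "sha256": sha256_hex(stored_bytes),
        "location": location,
    })

def verify_record(ledger: Ledger, record_id: str, fetched_bytes: bytes) -> bool:
    """Check bytes fetched from off-chain storage against the latest anchor."""
    if not ledger.verify_chain():
        return False
    anchors = [b for b in ledger.blocks if b["payload"]["record_id"] == record_id]
    return bool(anchors) and anchors[-1]["payload"]["sha256"] == sha256_hex(fetched_bytes)

# Constructed sample: opaque bytes standing in for an encrypted EMR export.
SAMPLE_BLOB = b"\x8f\x02constructed-ciphertext-for-record-0001\x11"

def demo():
    ledger = Ledger()
    anchor_record(ledger, "record-0001", SAMPLE_BLOB, "offchain://spoke-a/record-0001")
    intact = verify_record(ledger, "record-0001", SAMPLE_BLOB)
    altered = verify_record(ledger, "record-0001", SAMPLE_BLOB + b"\x00")
    return intact, altered

if __name__ == "__main__":
    print(demo())
```

A modified off-chain record fails the anchor check, and rewriting an anchor in place breaks the chain verification, which is the tamper-evidence property these hybrid designs rely on.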
Despite their promise, DLT-based systems continue to face challenges related to performance, interoperability with legacy systems, and compliance with data protection regulations. Standardization efforts, intuitive user interfaces, and secure key management practices are needed for broader adoption. Nonetheless, the literature highlights the transformative potential of blockchain for access control, auditability, and secure data exchange within virtual healthcare ecosystems.

6. Materials and Methods

This study adopts a scenario-based methodology focused on a virtual healthcare environment for breast cancer outpatient treatment. The goal is to define and operationalize the foundational requirements of a secure virtual hospital ecosystem that interoperates with legacy hospital information systems while mitigating associated security risks. The methodological approach is structured into a series of interdependent steps, as illustrated in Figure 3.
The methodological steps are outlined as follows:
  • Threat Analysis, Modeling, and Risk Assessment: A comprehensive threat analysis and modeling exercise was performed to identify security vulnerabilities associated with legacy EMR and hospital information systems, particularly in the context of managing patient-centered data in distributed virtual care environments. This assessment laid the foundation for determining appropriate security controls. Table 1 summarizes the key threats identified.
  • Information Security Controls: Based on the risk assessment, a set of targeted controls was identified to mitigate critical threats. These security controls were designed to align with best practices in secure information governance and to strengthen the system’s resilience against data breaches and system failures.
  • Information Classification Scheme: A policy-driven information classification scheme was developed to guide access control decisions in virtual care scenarios. This scheme categorizes patient data according to sensitivity and intended usage. It serves as a foundational component for enabling fine-grained, role-aware access. Further details are provided in Section 6.
  • VCAC Model Design for Virtual Hospitals: Building on the classification scheme, a novel fine-grained VCAC model was designed to govern data sharing across the virtual hospital network. The model introduces an independent information layer that interfaces with legacy systems and aligns access permissions with patient treatment pathways. This study extends previous work [20] by integrating the updated classification model and blockchain infrastructure for enhanced auditability and trust.
  • Blockchain Architecture Design for VCAC Model Implementation: A custom blockchain component was implemented to operationalize the access control model. This component enforces role-based access decisions using the classification scheme while maintaining integrity, availability, and confidentiality across distributed settings—key requirements for secure virtual healthcare delivery.
  • System Evaluation: The final step involved evaluating the proposed system against the threat landscape defined in the initial assessment. The evaluation focused on the model’s ability to mitigate identified vulnerabilities, preserve data integrity, ensure data availability across institutional boundaries, and protect sensitive patient information in a decentralized environment.

7. Blockchain-Based VCAC Model for Breast Cancer Use Case

Building upon the threat assessment and methodological foundations described in Section 5, this section presents the core components of the proposed VCAC model: a six-tier information classification scheme and a blockchain-enabled VCAC model, both designed to secure patient data access in virtual hospital environments.

7.1. Six-Tier Information Classification Scheme Design

The access rules defined by the proposed VCAC model are based on six interrelated elements, as illustrated in Figure 4: the patient, the spoke hospital, the assigned PC care team, the roles of PC care team members, the treatment plan, and the virtual healthcare point of care. These elements form the foundation of an information classification scheme tailored to the dynamic requirements of virtual healthcare delivery.
Each patient receives care at a spoke hospital, where their data is stored locally in the EMR system. The patient is under the care of a specialized PC care team composed of healthcare practitioners aligned with their diagnosis. In cases involving comorbidities, patients may have multiple care teams for different conditions. Access control is governed by the following principles:
  • Access is restricted to members of the PC care team assigned to a given patient.
  • Each member may access only the subset of data required to perform their role in the designated treatment plan.
  • Information is accessible only at the specific virtual healthcare point of care during active service provision.
Informed by these rules and the previously identified security threats and risks, a six-tier information classification scheme was developed. This policy-driven model categorizes patient data based on sensitivity and intended use, ensuring that access remains relevant, proportional, and compliant. As illustrated in Figure 4, the scheme enables fine-grained governance that balances data protection with continuity and personalization in virtual care delivery.
In addition to role-based assignments, the VCAC model incorporates a patient-mediated consent mechanism. Patients are issued digital consent tokens that specify (1) which care team members may access their EMRs, (2) the duration of access, and (3) the applicable treatment tiers. Smart contracts within the blockchain enforce these consent rules automatically. In emergency scenarios, a “break-glass” override allows temporary access under consensus approval, with each event immutably logged for accountability. This mechanism ensures that patient-centeredness is preserved while supporting clinical safety.

7.2. Blockchain-Based VCAC Model

The proposed solution addresses collaborative information-sharing challenges in virtual healthcare ecosystems by introducing a blockchain-based prototype system. This VCAC model overlays existing hospital information systems with an independent information layer that enables secure data exchange across spoke hospitals while supporting treatment journeys defined in virtual clinic workflows.
This blockchain layer is tightly integrated with local legacy systems, allowing care teams to retrieve service-specific data in real time via a need-to-know approach. Local access control models remain intact for physical healthcare operations, ensuring continued alignment with institutional security policies.
The VCAC model enforces protection of medical data through a collaboration-driven security policy guided by a six-tier classification scheme. This policy is implemented within a neutral security domain spanning multiple institutions, enabling secure, role-based access across providers without compromising local governance.
The VCAC model is composed of three major components:

7.2.1. Component 1: Granular Block Anatomy

Each block in the blockchain acts as a secure metadata container rather than storing full medical records. These blocks include references to data sources, treatment events, and access permissions, forming a linked chronological chain. Each block is structured into three parts: a header (identification and timestamp), a body (transaction data), and a footer (digital signatures), as illustrated in Figure 5. Metadata is mapped to six granular, interrelated access control elements reflecting the access control granularity:
  • The patient receiving care;
  • The spoke hospital storing patient EMRs;
  • The assigned PC care team;
  • The roles of care team members;
  • The treatment plan in progress;
  • The virtual point of care.
To clarify how VCAC leverages the blockchain without storing full EMRs, we first present the on-chain block structure (Figure 5). We then show how cross-institution enforcement is realized in the neutral domain (Figure 6), and finally present the end-to-end layered architecture that serves as both the system and security model (Figure 7).
This mapping ensures that only relevant care team members—those currently responsible for a patient’s treatment—can access appropriate data during specific clinical interactions.
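The block anatomy described above can be exercised in code. The following Python is an added example, not the paper's implementation: it builds metadata-only blocks with a header, body and footer, links them by hash, and shows the EMR adapter check that a locally stored record still matches its on-chain hash. HMAC-SHA256 stands in for the care team member's digital signature, and the field names, record locators, keys and care team name are constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64

def canonical(obj) -> bytes:
    """Deterministic JSON encoding so every node hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(key: bytes, header: dict, body: dict) -> str:
    # Assumption: HMAC-SHA256 stands in for a care team member's digital
    # signature so the example needs only the standard library.
    return hmac.new(key, canonical([header, body]), hashlib.sha256).hexdigest()

@dataclass
class Block:
    header: dict  # identification and timestamp, plus link to previous block
    body: dict    # six access-control elements, decision, EMR hash references
    footer: dict  # signer id -> signature over header and body

    def digest(self) -> str:
        return sha256_hex(canonical([self.header, self.body, self.footer]))

class MetadataChain:
    def __init__(self, signer_keys: dict):
        self.signer_keys = signer_keys
        self.blocks = []

    def append(self, timestamp: str, body: dict, signers: list) -> Block:
        prev = self.blocks[-1].digest() if self.blocks else GENESIS
        header = {"index": len(self.blocks), "timestamp": timestamp, "prev_hash": prev}
        footer = {s: sign(self.signer_keys[s], header, body) for s in signers}
        self.blocks.append(Block(header, body, footer))
        return self.blocks[-1]

    def verify(self) -> list:
        """Return (block index, problem) pairs; an empty list means intact."""
        problems, prev = [], GENESIS
        for i, block in enumerate(self.blocks):
            if block.header["index"] != i or block.header["prev_hash"] != prev:
                problems.append((i, "broken link"))
            if not block.footer:
                problems.append((i, "unsigned"))
            for signer, sig in block.footer.items():
                key = self.signer_keys.get(signer)
                expected = sign(key, block.header, block.body) if key else ""
                if not hmac.compare_digest(sig, expected):
                    problems.append((i, "bad signature: " + signer))
            prev = block.digest()
        return problems

def resolve_off_chain(block: Block, tier: str, local_emr: dict) -> bytes:
    """EMR adapter step: fetch the local record and check it against the chain."""
    ref = block.body["emr_refs"][tier]
    record = local_emr[ref["locator"]]
    if not hmac.compare_digest(sha256_hex(record), ref["sha256"]):
        raise ValueError(tier + ": local record does not match on-chain hash")
    return record

def build_demo():
    """Constructed sample: two access decisions for patient P123 at spoke S-A."""
    local_emr = {  # stays inside the spoke hospital; never written on-chain
        "S-A/imaging/mri-001": b"constructed MRI report",
        "S-A/labs/panel-007": b"constructed tumor marker panel",
    }
    def ref(locator):
        return {"locator": locator, "sha256": sha256_hex(local_emr[locator])}
    context = {"patient": "P123", "spoke_hospital": "S-A",
               "care_team": "breast-oncology", "role": "Oncologist",
               "treatment_plan": "chemotherapy", "point_of_care": "V2025-06-03"}
    chain = MetadataChain({"O45": b"constructed-key-O45"})
    chain.append("2025-06-03T09:00:00Z",
                 {**context, "decision": "Granted",
                  "emr_refs": {"T2": ref("S-A/imaging/mri-001")}}, ["O45"])
    chain.append("2025-06-03T09:05:00Z",
                 {**context, "decision": "Granted",
                  "emr_refs": {"T3": ref("S-A/labs/panel-007")}}, ["O45"])
    return chain, local_emr
```

Editing any field of an earlier block invalidates that block's signature and breaks the `prev_hash` link of the block after it, which is the property the audit trail relies on.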

7.2.2. Component 2: Neutral Layer for VCAC Model Implementation

To implement the access model, a blockchain-based security layer is designed to serve as the neutral virtual hospital domain ($D_V$). This layer governs data access across spoke hospitals and virtual clinics according to a unified collaboration-driven policy ($P_V$). It complements local organizational domains ($D_S$) that manage disease-centered policies ($P_S$).
Key control components include the Policy Storage Point ($PSP_V$), Policy Decision Point ($PDP_V$), and Policy Enforcement Point ($PEP_V$), which collectively enforce role-based policies using the six-tier classification scheme. This design is shown in Figure 6 [20].
The operational logic of the VCAC model is implemented through smart contracts deployed on the blockchain. These contracts govern how access requests are processed, validated, and logged. Each access request triggers a contract that evaluates the requester’s role, domain, and information tier against the six-tier classification scheme. Emergency override requests are also handled within the same contract logic under consensus-driven “break-glass” conditions.
SmartContract VCAC_AccessControl
  Input: userID u, role r, domain d, tier t
  Function RequestAccess(u, r, d, t):
    if VerifyIdentity(u) == False:
      return "Access Denied"
    if PolicyCheck(u, r, d, t) == True:
      LogAccess(u, r, d, t, "Granted")
      return "Access Granted"
    else if EmergencyFlag(u) == True:
      if ConsensusApprove(u, r, d, t) == True:
        LogAccess(u, r, d, t, "Emergency Override")
        return "Emergency Access Granted"
    LogAccess(u, r, d, t, "Denied")
    return "Access Denied"
The contract maintains auditability by recording each decision (granted, denied, or emergency override) immutably on the blockchain with a timestamp and digital signature. This ensures that all access events are transparent and verifiable, strengthening accountability across institutions.
The blockchain wrapper allows systems to apply either local ($P_S$) or collaborative ($P_V$) policies based on data context. This ensures confidentiality, integrity, and availability across security domains while preserving institutional autonomy.
The VCAC model access is mathematically represented as follows:
$$\mathrm{Access}(u, r, d, t) = \begin{cases} 1, & \text{if } P(u, r, d, t) = \text{True} \\ 0, & \text{otherwise} \end{cases}$$
where the variables are defined as follows:
  • u is the user identity;
  • r is the user’s role;
  • $d \in \{D_S, D_V\}$ is the domain;
  • $t \in \{T_1, T_2, \ldots, T_6\}$ is the information tier;
  • P is the policy function, written as follows:
    $$P(u, r, d, t) = \begin{cases} P_S(u, r, t), & \text{if } d = D_S \\ P_V(u, r, t), & \text{if } d = D_V \end{cases}$$
This ensures that access is only permitted if the policy for the user’s role, domain, and tier evaluates as true. Blockchain ensures decisions are auditable and immutable.
The policy function is extended to incorporate contextual attributes, including patient consent tokens and emergency status:
$$\mathrm{Access}(u, r, d, t, \mathrm{ctx}) = \begin{cases} 1, & \text{if } \mathrm{Policy}(u, r, d, t, \mathrm{ctx}) = \text{True} \\ 0, & \text{otherwise} \end{cases}$$
where ctx = { c , τ , , e } comprises a valid consent token c, time window τ , location , and an emergency flag e. The policy dispatcher is calculated as follows:
$$\mathrm{Policy}(u, r, d, t, \mathrm{ctx}) = \begin{cases} \mathrm{PS}(u, r, t, \mathrm{ctx}), & d = D_S \\ \mathrm{PV}(u, r, t, \mathrm{ctx}), & d = D_V \end{cases}$$
Smart contracts verify c, check τ and against t and r, and evaluate e under “break-glass” consensus rules. All decisions are immutably logged.

7.2.3. Component 3: Layered Architecture Integration of All Components

Consider a use case where a patient undergoes outpatient cancer care involving both a spoke hospital (S) and a hub hospital (H). Each has its own domain ($D_S$, $D_H$) and policy ($P_S$, $P_H$). When data transitions from $D_S$ to $D_H$, access control must persist beyond $D_S$.
The proposed architecture introduces a unified, blockchain-governed domain mediating inter-institutional data sharing. This guarantees that policy enforcement and auditability remain intact across institutions. Figure 7 depicts this layered architecture.
Together, Figure 5, Figure 6 and Figure 7 move from on-chain metadata design to cross-domain enforcement and finally to the end-to-end architecture. This sequence clarifies how VCAC records only metadata/hashes on-chain, enforces shared policies in the neutral domain, and integrates with local EMRs to preserve privacy, scalability, and institutional autonomy.
Figure 7 represents both the system and security model of the VCAC architecture. It shows how patients, spoke hospitals, hub hospitals, and blockchain nodes interact through a layered design where the neutral blockchain-mediated domain enforces shared policies across institutions. The security model assumes potential threats such as insider misuse, ransomware, and inter-institutional data leakage. These risks are mitigated through immutable blockchain audit logs, consensus-based “break-glass” overrides, fine-grained tiered access control enforced by smart contracts, and distributed ledger replication for resilience.
It is also important to highlight how blockchain integrates with the three VCAC components.
  • In Component 1 (Granular Block Anatomy), blockchain blocks act as secure metadata containers, recording treatment events, role assignments, and access decisions without storing full EMRs.
  • In Component 2 (Neutral Layer), smart contracts implement the six-tier classification scheme to automatically enforce cross-institutional policies.
  • In Component 3 (Layered Architecture), the blockchain provides the neutral governance domain that mediates inter-institutional data sharing, storing only metadata and cryptographic proofs while full EMRs remain in local hospital systems.
This integration ensures immutability, transparency, and accountability while maintaining scalability and compliance with data protection regulations.
To formalize Component 3, define VCAC model access propagation from a source domain ($D_S$) to the virtual domain ($D_V$) as follows:
A c c e s s D V ( u , r , t ) = A c c e s s ( u , r , D V , t ) V e r i f y ( T r a n s f e r ( D S D V , u , t ) )
where $\mathrm{Verify}$ checks blockchain audit logs and cryptographic provenance. This VCAC model supports seamless yet secure collaboration while preserving PC integrity and operational sovereignty.

7.2.4. Consensus, Throughput, and Scalability Considerations

The VCAC operates in a permissioned blockchain setting suitable for regulated healthcare consortia. Ordering and commitment of access decisions follow a crash-fault-tolerant consensus among authorized nodes (e.g., RAFT-style ordering), providing finality without public mining.
Load Budget (Analytical)
Let $B$ be block size (tx), $\Delta$ the block interval (s), and $\alpha$ the endorsement/validation overhead per tx. The steady-state decision throughput is bounded by the following:
TPS B Δ + α and Latency ( t x ) Δ + α + δ network .
We store only access metadata/hashes on-chain; EMRs remain off-chain, reducing α and storage growth.
Scalability
Throughput scales with additional endorsers/orderers up to the network bottleneck. Sharding by clinical domain or geography and batching of non-urgent audit events are supported design options. These parameters are implementation-dependent and will be empirically profiled in follow-on work.
The main performance variables that influence throughput and latency are summarized in Table 2. These analytical parameters define the block size, ordering interval, and processing overhead, and serve as the basis for future empirical evaluation.

7.3. Breast Cancer Treatment Workflow: A Use Case for the VCAC Model

Consider a patient undergoing chemotherapy as part of an integrated breast cancer treatment pathway. This stage is clinically intensive and requires real-time coordination between the spoke hospital (where chemotherapy is administered) and the hub hospital (where treatment is supervised). The patient’s regimen depends on biopsy results, imaging reports, tumor marker labs, genetic profiles, and treatment response history—each mapped to specific tiers (e.g., Tier T2 for diagnostic data, T3 for treatment data, and T5 for genomic data).
  • Step-by-Step Virtual Oncology Follow-Up (Synthetic Scenario)
To demonstrate the operational workflow of VCAC more concretely, we provide a synthetic step-by-step example. Consider patient P123 receiving chemotherapy at spoke hospital S-A, under the supervision of an oncologist at hub hospital H-B:
  • Context binding: The patient visit (V2025-06-03) is registered at S-A. The care team role is oncologist (O45) at hub H-B.
  • Consent token: Patient P123 issues a digital consent token: $c = \{\text{roles: oncologist, radiologist};\ \text{tiers: } T_2, T_3, T_5;\ \text{validity: 2025-05-01 to 2025-08-01}\}$.
  • Access request: The oncologist submits a VCAC request: $u = \mathrm{O45}$, $r = \text{Oncologist}$, $d = D_V$, $t = \{T_2, T_3, T_5\}$, ctx = { c , τ , , e = 0 }.
  • Policy evaluation: The smart contract verifies identity, confirms that c is valid, and checks that requested tiers align with the treatment plan.
  • Decision and logging: Access is granted. The blockchain logs hashes of the authorized datasets: imaging (T2: $h_{\mathrm{MRI}}$), laboratory results (T3: $h_{\mathrm{Labs}}$), and genomics (T5: $h_{\mathrm{Gen}}$).
  • Off-chain retrieval: The EMR adapter at S-A resolves each hash to the corresponding local repository; only metadata and proofs are shared on-chain, while full EMRs remain in local databases.
A virtual oncologist at the hub hospital initiates a follow-up review to assess chemotherapy response and adjust the treatment plan. The VCAC system evaluates the following before granting access:
  • The patient’s current treatment stage, which maps to multiple tiers (e.g., $T_3$, $T_4$, and $T_5$);
  • The oncologist’s domain and role (hub hospital, treatment supervisor);
  • Whether $P_V$ allows role-tier access for this clinical context;
  • Whether the spoke hospital’s $P_S$ constraints have been reconciled with $P_V$ (e.g., local imaging access permissions).
If access is approved, the decision is logged on the blockchain with a timestamp and digital signature. Only the necessary metadata and references are revealed—no raw EMR data are transferred. The oncologist can view and annotate the data via a secure blockchain interface while preserving the integrity and confidentiality of local systems.
This approach ensures that the care team receives accurate PC information at the right time, based on their role and responsibility, without breaching data governance boundaries. The VCAC dynamically adapts access policies as the patient transitions across care stages, enabling a secure, compliant, and collaborative virtual care model.
  • Emergency Access (“Break-Glass” Scenario)
In life-threatening situations, routine access controls must be temporarily overridden to ensure continuity of care. Consider the same patient P123 presenting at the emergency department with an acute reaction:
  • Emergency flag: The triage physician (EDPhys) raises $e = 1$ in the access request, signaling an emergency override.
  • Consensus approval: The smart contract triggers a rapid consensus check among designated on-call approvers (e.g., senior clinicians or system administrators). Approval is scoped narrowly (e.g., Tier T3 laboratory data) and time-limited (e.g., 2 h).
  • Access granted: The decision is recorded on-chain as “Emergency Override,” signed by all endorsers, and enforced immediately.
  • Audit requirement: After the event, the override is subject to mandatory review. The immutable blockchain log ensures transparency and accountability, deterring misuse.
This “break-glass” procedure ensures patient safety in emergencies while maintaining strong accountability through auditability and consensus-driven approval.
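The two scenarios above (the routine oncology follow-up and the break-glass request) can be run against one decision routine. The following Python is an added example, not the paper's smart contract: it evaluates Policy(u, r, d, t, ctx) with a consent token and validity window, then falls back to a quorum-approved override that is scoped by tier and expires. The class names, the role-to-tier table, the approver identifiers and the quorum of 2 are assumptions introduced for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime

D_S, D_V = "D_S", "D_V"  # local spoke domain and neutral virtual domain

@dataclass(frozen=True)
class ConsentToken:  # c: permitted roles, tiers and validity window
    patient: str
    roles: frozenset
    tiers: frozenset
    valid_from: date
    valid_to: date

@dataclass(frozen=True)
class Override:  # break-glass approval, scoped to tiers and time-limited
    patient: str
    tiers: frozenset
    expires: datetime
    endorsers: frozenset

@dataclass(frozen=True)
class Request:  # (u, r, d, t) plus patient, request time and emergency flag e
    user: str
    role: str
    domain: str
    tiers: frozenset
    patient: str
    at: datetime
    emergency: bool = False

class VCACContract:
    def __init__(self, identities, care_teams, role_tiers, approvers, quorum):
        self.identities = identities  # stand-in for VerifyIdentity
        self.care_teams = care_teams  # patient -> {user: role}
        self.role_tiers = role_tiers  # (domain, role) -> tiers under P_S or P_V
        self.approvers = approvers    # designated on-call approvers
        self.quorum = quorum          # endorsements needed for an override
        self.log = []                 # stand-in for the on-chain decision log

    def _record(self, req, decision, reason):
        self.log.append({"user": req.user, "role": req.role, "domain": req.domain,
                         "tiers": sorted(req.tiers), "patient": req.patient,
                         "at": req.at.isoformat(), "decision": decision,
                         "reason": reason})
        return decision

    def _policy(self, req, consent):
        """Policy(u, r, d, t, ctx): return the first failed rule, or None."""
        if self.care_teams.get(req.patient, {}).get(req.user) != req.role:
            return "not on the patient's care team in this role"
        allowed = self.role_tiers.get((req.domain, req.role), frozenset())
        if not req.tiers <= allowed:
            return "tier not permitted for this role and domain"
        if consent is None or consent.patient != req.patient:
            return "no consent token for this patient"
        if req.role not in consent.roles or not req.tiers <= consent.tiers:
            return "consent token does not cover role or tier"
        if not consent.valid_from <= req.at.date() <= consent.valid_to:
            return "consent token outside validity window"
        return None

    def _break_glass(self, req, override):
        """Consensus check for e = 1: quorum, tier scope and expiry."""
        if override is None or override.patient != req.patient:
            return "no override approval"
        if len(override.endorsers & self.approvers) < self.quorum:
            return "approver quorum not met"
        if not req.tiers <= override.tiers:
            return "tier outside override scope"
        if req.at >= override.expires:
            return "override expired"
        return None

    def request_access(self, req, consent=None, override=None):
        # Unlike the paper's pseudocode, identity failures are logged too.
        if req.user not in self.identities or not req.tiers:
            return self._record(req, "Access Denied", "identity or request invalid")
        failure = self._policy(req, consent)
        if failure is None:
            return self._record(req, "Access Granted", "policy satisfied")
        if req.emergency:
            failure = self._break_glass(req, override)
            if failure is None:
                return self._record(req, "Emergency Access Granted", "break-glass")
        return self._record(req, "Access Denied", failure)

def demo_contract():
    """Constructed deployment for the synthetic P123 scenario."""
    return VCACContract(
        identities={"O45", "EDPhys"},
        care_teams={"P123": {"O45": "oncologist"}},
        role_tiers={(D_V, "oncologist"): frozenset({"T2", "T3", "T4", "T5"})},
        approvers=frozenset({"OnCall1", "OnCall2", "OnCall3"}),
        quorum=2,
    )

CONSENT_P123 = ConsentToken("P123", frozenset({"oncologist", "radiologist"}),
                            frozenset({"T2", "T3", "T5"}),
                            date(2025, 5, 1), date(2025, 8, 1))
```

Every path through `request_access` ends in a log entry carrying the failed rule, so a reviewer can tell an expired consent token from an out-of-scope override without re-running the request.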

8. VCAC Model Evaluation

As identified earlier, the information security threats posed by legacy healthcare systems fall into three primary categories: integrity, availability, and confidentiality (see Table 1). The proposed blockchain-based VCAC model addresses each category through targeted mechanisms. This section outlines the mitigation strategies, beginning with integrity-related threats.

8.1. Mitigating Information Integrity Threats

Maintaining the accuracy and consistency of patient data across care settings is a major challenge in legacy information systems. Integrity threats include human error, conflicting data in disparate systems, and the absence of proper audit trails. The proposed model addresses these vulnerabilities through the following mechanisms:
  • Chronological data recording: The VCAC model maintains an immutable, time-stamped sequence of transactions, each representing a patient treatment point. This chronological structure allows care teams to trace the origin of erroneous data and act accordingly.
  • Indelible audit trail: All blocks are cryptographically signed by care team members, ensuring data authenticity and accountability. Updates are never overwritten or deleted but appended, preserving historical accuracy for medical decision-making and legal compliance.
  • System-wide consistency: By serving as a decentralized, tamper-proof source of truth, the blockchain reduces inconsistencies that arise when patient data are duplicated across fragmented systems. It eliminates the risk of conflicting records due to redundant data entry or system silos.
These mechanisms reduce the impact of human error, ensure data provenance, and support transparent decision-making in distributed care settings. Table 3 summarizes the information integrity threats and corresponding mitigation strategies.

8.2. Mitigating Information Availability Threats

Ensuring continuous and timely access to patient data remains a major limitation in legacy healthcare information systems, particularly in distributed and heterogeneous settings. These systems often suffer from fragmentation, lack of failover mechanisms, and rigid local access control policies that inhibit collaborative care. The proposed blockchain-based access control model addresses these challenges by introducing a distributed, resilient, and patient-centered access control mechanism.
  • Decentralized and fault-tolerant architecture: By distributing data across multiple blockchain nodes, the system eliminates single points of failure that are commonly exploited in ransomware, DoS, or DDoS attacks. Each node maintains a synchronized copy of the ledger, supporting data replication and fault recovery.
  • Orchestrated care continuity: The blockchain stores a sequential record of treatment events in cryptographically linked blocks, allowing care teams to access a longitudinal view of a patient’s medical history. This structure supports comorbidity-aware navigation of treatment data and ensures clinical information is presented in a timely, relevant, and actionable manner.
  • Dynamic access for emergencies: In life-threatening scenarios, the availability of patient information must override routine access controls. The proposed model incorporates “break-glass” mechanisms using smart contracts that permit temporary access to sensitive data, governed by consensus and recorded with full transparency and auditability.
  • Smart filtering and tiered visibility: To prevent cognitive overload, the system enables care team members to retrieve only relevant data using fine-grained filters based on the six-tier classification. Access permissions are enforced through cryptographic techniques and can be tailored to specific clinical roles and contexts.
  • Referral and handoff readiness: Although automated referral workflows are not yet implemented, the model lays the groundwork for future integration with clinical pathway engines and business process management tools. These would allow seamless, rule-based patient handoffs between providers, preserving continuity and minimizing information loss.
  • Geographically distributed resilience: By replicating the full ledger across locations, the system guarantees data availability even in the event of local infrastructure failures. Moreover, outdated nodes can be flagged or isolated using version-control policies at the blockchain level, further reducing operational risk.
Table 4 summarizes the information availability threats and corresponding mitigation strategies.

8.3. Mitigating Information Confidentiality Threats

Collaboration-driven information access sits on the line between two conflicting information security goals: availability and confidentiality. In the proposed model, this balance is supported by comorbidity-oriented, fine-grained blocks that are digitally signed by care team members.
In a culture of open information, care team members need to be aware of the information security policy that governs how they view another member’s information, so that the confidentiality of shared information is preserved. The digital signature supports hospital-wide access control, whereas the smart contract supports access control across hospitals. The former follows from the transparency and auditability that the proposal provides for in-house information exchange, and the latter from the orchestrated and flexible platform that it provides for cross-organizational exchange. Table 5 summarizes the information confidentiality threats and corresponding mitigation strategies.

8.4. VCAC Workflow Algorithm and Performance Considerations

To complement the smart contract design, Algorithm 1 provides a high-level workflow of the VCAC model. This algorithm illustrates how access requests are evaluated across local and collaborative domains.
Algorithm 1 VCAC access control workflow integrating local and virtual domain policies.
Algorithm VCAC_Workflow
Input: userID u, role r, domain d, tier t
  VerifyIdentity(u)
  if d == LocalDomain then
    decision ← PolicyCheckLocal(u, r, t)
  else if d == VirtualDomain then
    decision ← PolicyCheckVirtual(u, r, t)
  end if
  if decision == "Granted" then
    RecordLog(u, r, d, t, "Granted")
    return "Access Granted"
  else if EmergencyFlag(u) == True then
    if ConsensusApprove(u, r, d, t) == True then
      RecordLog(u, r, d, t, "Emergency Override")
      return "Emergency Access Granted"
    end if
  end if
  RecordLog(u, r, d, t, "Denied")
  return "Access Denied"

Performance Metrics

In practical implementations, blockchain introduces computational and operational overhead that must be quantified. The following performance indicators are most relevant to evaluating the VCAC model:
  • Transaction latency: the time required for an access request to be validated and recorded on-chain.
  • Block recording time: the time required to append a new block with the access decision.
  • Data access time: the end-to-end delay from request initiation to data availability for the authorized user.
Although empirical measurement of these metrics is beyond the scope of the present scenario-based study, they are defined here to guide future simulation and pilot deployments. Incorporating these metrics will enable a quantitative comparison between blockchain-enabled and conventional centralized approaches, thereby substantiating the advantages of the proposed model.

8.5. Evaluation Design and Comparative Benchmarks

To address the need for empirical validation, we outline a structured evaluation framework for the VCAC model. This design specifies the metrics, benchmarks, and usability studies required to assess both technical performance and clinical applicability. While empirical measurement is planned for a future prototype implementation, the evaluation plan clarifies how VCAC will be compared to existing solutions such as MedRec and FHIRChain.
  • Performance Metrics
The primary technical indicators are as follows:
  • Transaction latency—time from access request to final blockchain log entry.
  • Decision throughput—transactions per second sustained by the system.
  • Access completion time—end-to-end time for a clinician to access the required off-chain EMR after on-chain validation.
  • Audit verifiability—time required to trace and verify N prior access events.
  • Administrative overhead—effort needed to update or revoke policies across institutions.
These metrics build on the analytical parameters defined in Table 2, providing a basis for reproducibility and comparative benchmarking.
  • Qualitative Comparison
To highlight the conceptual contributions of VCAC relative to prior work, Table 6 contrasts the design features of VCAC with MedRec and FHIRChain across several axes, including patient consent, cross-institutional governance, auditability, and on-chain storage design. This contextualizes our model within the broader blockchain-for-healthcare literature.
  • Usability Plan
A parallel usability evaluation is envisioned with healthcare professionals under IRB approval. Clinicians will perform task-based scenarios using synthetic EMR data, measuring task completion time, error rate, and perceived workload (NASA-TLX). This ensures that the system design not only meets technical requirements but also supports clinical workflow efficiency.
While this paper focuses on analytical modeling and scenario-based evaluation, a permissioned blockchain prototype (e.g., Hyperledger Fabric) is planned for future work to empirically measure these metrics. Pilot deployments will test decision throughput, latency, and audit verifiability under realistic workloads, and usability evaluations with healthcare professionals will validate workflow integration. These steps ensure that the VCAC model progresses from conceptual design toward practical implementation.

9. Discussion and Future Work

The results of this study demonstrate that the proposed blockchain-based VCAC model addresses core information security threats posed by legacy healthcare information systems in virtual hospital ecosystems. By embedding a granular six-tier information classification scheme into the blockchain layer, the system supports precise, context-aware, and role-driven data access across institutions while respecting existing organizational boundaries.
This VCAC model resolves several limitations of traditional access control models. For example, it enhances information integrity by ensuring that every transaction is chronologically ordered, digitally signed, and auditable. It also improves availability through decentralized ledger replication and smart contract-based emergency overrides. Confidentiality is maintained via fine-grained policy enforcement, which ensures that only authorized members of a patient-centered care team can access relevant treatment data.
However, several challenges remain. First, integrating this VCAC model into real-world hospital environments with varying legacy system architectures and differing interoperability standards presents a non-trivial implementation barrier. Second, while the model enforces robust access control policies, the issue of usability remains. System design must remain user-centered to avoid introducing additional burdens to clinicians or administrative staff. Finally, despite the benefits of blockchain immutability, mechanisms for controlled redaction or correction of inaccurate data must be explored, particularly in compliance with evolving legal regulations such as the right to rectification.
Future research directions are aimed at further strengthening the capabilities and applicability of the proposed VCAC model, including the following:
  • Automated Referral Management: One limitation noted in the current model is the lack of automated inter-organizational referral processes. Future work will investigate the integration of blockchain with Business Process Management (BPM) tools to enable dynamic, rule-based clinical pathway orchestration and automated patient referrals across institutions.
  • Privacy-Preserving Data Analytics: To enable population-level analysis while protecting individual privacy, future iterations of the system will explore integrating federated learning or homomorphic encryption over blockchain to support secure, privacy-aware analytics.
  • Interoperability Standards Compliance: Further development is needed to align the model with international interoperability frameworks such as HL7 FHIR and IHE profiles to enhance compatibility and adoption across diverse healthcare systems.
  • Scalability Testing in Real-World Environments: Simulation and pilot deployments will be conducted to evaluate performance, scalability, and resilience of the system under realistic operational loads and network conditions in virtual hospital settings.
  • Regulatory and Ethical Compliance: Expanding the model to accommodate regulatory requirements, such as GDPR, HIPAA, and the Saudi Health Information Exchange Policy [50], will be essential to support cross-border and local deployments.
  • Prototype Implementation and Testing: A permissioned blockchain prototype of the VCAC model will be implemented and evaluated under realistic healthcare workloads. Planned experiments will measure transaction latency, throughput, and scalability, while task-based usability studies with clinicians will assess workflow integration and adoption feasibility.
In conclusion, this work lays a strong foundation for secure, patient-centered data governance in virtual healthcare delivery. With continued refinement and integration into broader digital health initiatives, the proposed model has the potential to redefine how access to medical information is managed in decentralized care environments.

9.1. Security Analysis

The VCAC model directly addresses the confidentiality, integrity, and availability goals. First, confidentiality is preserved through patient-mediated consent tokens, fine-grained tiered access control, and cryptographically secured audit logs. Second, integrity is ensured by immutable blockchain transactions, digital signatures, and append-only audit trails that prevent retroactive tampering. Finally, availability is supported through distributed ledger replication across nodes and consensus-driven “break-glass” overrides for emergencies, which provide timely access without sacrificing auditability. Together, these mechanisms surpass the capabilities of traditional centralized or RBAC-only models.

9.2. Feasibility Analysis

The feasibility of the VCAC model lies in its overlay design, which integrates with existing EMR infrastructures without requiring disruptive system replacement. Blockchain overhead is minimized by storing only metadata, access decisions, and cryptographic hashes on-chain, while full EMRs remain in institutional systems. Deployment within permissioned blockchain frameworks such as Hyperledger Fabric ensures scalability, regulatory compliance, and interoperability across diverse healthcare environments. Although empirical benchmarking is left for future pilot studies, the scenario-based evaluation demonstrates alignment with real-world workflows and highlights practical advantages over centralized approaches, particularly in multi-institutional virtual hospital ecosystems.

10. Conclusions

Legacy access control models are insufficient for the emerging demands of virtual hospital ecosystems, particularly in ensuring secure, interoperable, and patient-centered (PC) data access. This paper introduced a novel blockchain-based access control framework (VCAC) designed to extend, rather than replace, existing electronic medical records (EMRs) and hospital information systems. The proposed solution leverages distributed ledger technology (DLT) to enable secure, role-aware, and policy-driven data sharing across distributed care environments.
At the core of this framework is a six-tier information classification scheme that aligns data sensitivity with clinical roles and treatment phases, enabling fine-grained access control. A neutral blockchain-mediated security domain was implemented to integrate local and virtual policies, preserving institutional autonomy while enforcing shared access rules across organizational boundaries. The model was evaluated using a breast cancer outpatient scenario, demonstrating its ability to maintain confidentiality, integrity, and availability without disrupting existing infrastructure.
In future work, we plan to explore the integration of fog and edge computing to optimize the model’s performance and scalability in real-world deployments. This includes addressing resource limitations in low-bandwidth environments and further enhancing support for time-sensitive PC care delivery in decentralized virtual hospital systems.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

The author declares no conflicts of interest.

References

  1. World Health Organization. Global Strategy on Digital Health 2020–2025; World Health Organization: Geneva, Switzerland, 2022.
  2. Rockwell, K.L.; Gilroy, A.S. Telemedicine in the Time of COVID-19. J. Pediatr. Health Care 2020, 34, e47–e49.
  3. Wootton, R.; Craig, J.; Patterson, D. Introduction to Telemedicine; CRC Press: Boca Raton, FL, USA, 2012.
  4. Dorsey, E.R.; Topol, E.J. State of Telehealth. N. Engl. J. Med. 2016, 375, 154–161.
  5. Epstein, R.M.; Street, R.L. The Values and Value of Patient-Centered Care. Ann. Fam. Med. 2011, 9, 100–103.
  6. Barry, M.J.; Edgman-Levitan, S. Shared Decision Making—The Pinnacle of Patient-Centered Care. N. Engl. J. Med. 2012, 366, 780–781.
  7. Shigekawa, E.; Fix, G.; Corbett, G.; Roby, D.H.; Coffman, J. The Current State of Telehealth Evidence: A Rapid Review. Health Aff. 2018, 37, 1975–1982.
  8. Adler-Milstein, J.; Huckman, R.S. The Impact of Health Information Technology on Clinical Care and Patient Outcomes: A Systematic Review. Health Aff. 2018, 37, 1102–1109.
  9. Zhang, P.; White, J.; Schmidt, D.C.; Lenz, G.; Rosenbloom, S.T. Blockchain technology use cases in healthcare. Adv. Comput. 2018, 111, 1–41.
  10. Roehrs, A.; da Costa, C.A.; da Rosa Righi, R. OmniPHR: A distributed architecture model to integrate personal health records. J. Biomed. Inform. 2017, 71, 70–81.
  11. Nakamoto, S. Bitcoin: A Peer-to-Peer Electronic Cash System. In Bitcoin White Paper; Bitcoin.org: Helsinki, Finland, 2008; Available online: https://bitcoin.org/bitcoin.pdf (accessed on 4 October 2025).
  12. Buterin, V. Ethereum: A Next-Generation Smart Contract and Decentralized Application Platform. In Ethereum White Paper; Ethereum Foundation: Zug, Switzerland, 2013; Available online: https://ethereum.org/en/whitepaper/ (accessed on 4 October 2025).
  13. Azaria, A.; Ekblaw, A.; Vieira, T.; Lippman, A. MedRec: Using blockchain for medical data access and permission management. In Proceedings of the 2016 2nd International Conference on Open and Big Data (OBD), Vienna, Austria, 22–24 August 2016; pp. 25–30.
  14. Haleem, A.; Javaid, M.; Singh, R.P.; Suman, R.; Rab, S. Blockchain technology applications in healthcare: An overview. Int. J. Intell. Netw. 2021, 2, 130–139.
  15. Carvalho-Junior, M.A.; Bandiera-Paiva, P. Role-based access control in health information systems: Trends and limitations. J. Healthc. Eng. 2018, 2018, 6510249.
  16. Elrod, J.K.; Fortenberry, J.L. The hub-and-spoke organization design: An avenue for serving patients well. BMC Health Serv. Res. 2017, 17, 457.
  17. World Health Organization. Delivering Quality Health Services: A Global Imperative for Universal Health Coverage; World Health Organization: Geneva, Switzerland; Organisation for Economic Co-operation and Development: Paris, France; The World Bank: Washington, DC, USA, 2018; Available online: https://www.who.int/publications/i/item/9789241513906 (accessed on 26 September 2025).
  18. Perry, A.F.; Federico, F.; Huebner, J. Telemedicine: Ensuring Safe, Equitable, Person-Centered Virtual Care; IHI White Paper; Institute for Healthcare Improvement: Boston, MA, USA, 2021; Available online: https://www.ihi.org/library/white-papers/telemedicine-ensuring-safe-equitable-person-centered-virtual-care#downloads (accessed on 4 October 2025).
  19. Aziz, S. Telemedicine Use Is Rising amid COVID-19 Pandemic. Will It Become the Norm? Global News, 2021. Available online: https://globalnews.ca/news/7902460/telemedicine-future-covid-canada/ (accessed on 4 October 2025).
  20. Alsalamah, S.A.; Alsalamah, S.; Alsalamah, H.; Lu, C.T. Towards a Patient-Centered Virtual Hospital Ecosystem: A Fine-Grained VHealth-AC Model for Hospitals’ Legacy Information Systems. In Proceedings of the 2022 IEEE International Conference on Dependable, Autonomic and Secure Computing, Pervasive Intelligence and Computing, Cloud and Big Data Computing, Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), Falerna, Italy, 12–15 September 2022; pp. 1–8.
  21. Dawson, J.; Tulu, B.; Horan, T.A. Towards patient-centered care: The role of e-health in enabling patient access to health information. In Patient-Centered E-Health; Wilson, E.V., Ed.; IGI Global: London, UK, 2009.
  22. Brunner, J.; Chuang, E.; Goldzweig, C.; Cain, C.L.; Sugar, C.; Yano, E.M. User-centered design to improve clinical decision support in primary care. Int. J. Med. Inform. 2017, 104, 56–64.
  23. Alsalamah, S. Information Classification Scheme for Next Generation Access Control Models in Mobile Patient-Centered Care Systems. In Proceedings of the 12th International Conference on Cyber Warfare and Security (ICCWS), Dayton, OH, USA, 2–3 March 2017; pp. 1–9.
  24. World Health Organization. Regulatory Considerations on Artificial Intelligence for Health; World Health Organization: Geneva, Switzerland, 2023; Available online: https://iris.who.int/handle/10665/373421 (accessed on 4 October 2025).
  25. Alsalamah, S.; Alsalamah, H.A.; Nouh, T.; Alsalamah, S.A. HealthyBlockchain for Global Patients. Comput. Mater. Contin. 2021, 68, 2431–2449.
  26. Goldwater, J. The Use of a Blockchain to Foster the Development of Patient-Reported Outcome Measures. Natl. Qual. Forum 2016. Available online: https://www.healthit.gov/sites/default/files/6-42-use_of_blockchain_to_develop_proms.pdf (accessed on 4 October 2025).
  27. Ainslie, M.; Brunette, M.F.; Capozzoli, M. Treatment Interruptions and Telemedicine Utilization in Serious Mental Illness: Retrospective Longitudinal Claims Analysis. JMIR Ment Health 2022, 9, e33092.
  28. Abu-elezz, I.; Hassan, A.; Nazeemudeen, A.; Househ, M.; Abd-alrazaq, A. The benefits and threats of blockchain technology in healthcare: A scoping review. Int. J. Med. Inform. 2020, 142, 104246.
  29. European Union Agency for Cybersecurity (ENISA). ENISA Health Threat Landscape 2023; ENISA: Athens, Greece, 2023; Available online: https://www.enisa.europa.eu/publications/health-threat-landscape (accessed on 4 October 2025).
  30. Ferraiolo, D.F.; Kuhn, D.R.; Chandramouli, R. Role-Based Access Control, 2nd ed.; Artech House Computer Security Series; Artech House: Boston, MA, USA, 2007.
  31. Burnap, P.R.; Spasic, I.; Gray, W.A.; Hilton, J.C.; Rana, O.F.; Elwyn, G. Protecting patient privacy in distributed collaborative healthcare environments by retaining access control of shared information. In Proceedings of the 14th International Conference on Collaboration Technologies and Systems (CTS), Denver, CO, USA, 21–25 May 2012; pp. 490–497.
  32. Pipkin, D.L. Information Security: Protecting the Global Enterprise; Prentice Hall PTR: Upper Saddle River, NJ, USA, 2000.
  33. Ferreira, A.; Cruz-Correia, R.; Antunes, L. Improving the Implementation of Access Control to Electronic Medical Records. In Proceedings of the IEEE International Carnahan Conference on Security Technology, San Jose, CA, USA, 5–8 October 2010.
  34. Park, J.; Sandhu, R. Towards Usage Control Models: Beyond Traditional Access Control. In Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies (SACMAT ’02), New York, NY, USA, 3–4 June 2002; pp. 57–64.
  35. Karp, A.H.; Haury, H.; Davis, M.H. From ABAC to ZBAC: The Evolution of Access Control Models; Technical Report; HP Laboratories: Palo Alto, CA, USA, 21 February 2009.
  36. Zhang, R.; Liu, L.; Xue, R. Role-Based and Time-Bound Access and Management of EHR Data. Secur. Commun. Netw. 2014, 7, 994–1015.
  37. Whitman, M.E.; Mattord, H.J. Principles of Information Security, 7th ed.; Cengage Learning: Boston, MA, USA, 2021.
  38. UK Parliament. Data Protection Act 2018, Chapter 12. In Force 25 May 2018. Available online: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted (accessed on 26 July 2025).
  39. Alarfaj, K.A.; Rahman, M.M.H. The Risk Assessment of the Security of Electronic Health Records Using Risk Matrix. Appl. Sci. 2024, 14, 5785.
  40. Khan, F.; Khan, S.; Tahir, S.; Ahmad, J.; Tahir, H.; Shah, S.A. Granular Data Access Control with a Patient-Centric Policy Update for Healthcare. Sensors 2021, 21, 3556.
  41. Liu, Y.; Zhang, Y.; Ling, J.; Liu, Z. Secure and Fine-Grained Access Control on e-Healthcare Records in Mobile Cloud Computing. Future Gener. Comput. Syst. 2018, 78, 1020–1026.
  42. Paparella, T. Healthcare Legacy Systems: How to retire them, reduce costs and maintain access to all the data using active data archiving. HIMSS Weekly Insider 2013, 1–4.
  43. Bisbal, J.; Lawless, D.; Grimson, J. Legacy Information Systems: Issues and Directions. IEEE Softw. 1999, 16, 103–111.
  44. Cobrado, U.N.C.; Sharief, S.; Regahal, N.G.; Zepka, E.; Mamauag, M.; Velasco, L.C. Access control solutions in electronic health record systems: A systematic review. Inform. Med. Unlocked 2024, 49, 101552.
  45. Ramamoorthi, K.; Stamenova, V.; Liu, R.H.; Bhattacharyya, O. The implementation of federated digital identifiers in health care: Rapid review. J. Med. Internet Res. 2024, 26, e45751.
  46. Agbo, C.C.; Mahmoud, Q.H.; Eklund, J.M. Blockchain technology in healthcare: A systematic review. Healthcare 2019, 7, 56.
  47. Sookhak, M.; Jabbarpour, M.R.; Safa, N.S.; Yu, F.R. Blockchain and smart contract for access control in healthcare: A survey, issues and challenges. J. Netw. Comput. Appl. 2021, 178, 102950.
  48. Ettaloui, N.; Arezki, S.; Gadi, T. Blockchain-Based Electronic Health Record: Systematic Literature Review. Hum. Behav. Emerg. Technol. 2024, 2, 4734288.
  49. Zhang, P.; White, J.; Schmidt, D.C.; Lenz, G.; Rosenbloom, S.T. FHIRChain: Applying Blockchain to Securely and Scalably Share Clinical Data. Comput. Struct. Biotechnol. J. 2018, 16, 267–278.
  50. Saudi National Health Information Center (NHIC). Saudi Health Information Exchange Policies, Version 1.0; Saudi National Health Information Center (NHIC): Riyadh, Saudi Arabia, 2022. Available online: https://nhic.gov.sa/standards/Policies/IS0303-Saudi-Health-Information-Exchange-Policies-v1.0.pdf (accessed on 27 July 2025).
Figure 1. Conceptual ecosystem of a virtual hospital using a hub-and-spoke model. The central hub is a secondary or tertiary care facility equipped with specialist expertise and digital infrastructure. Clinicians at the hub deliver real-time care virtually to patients at spoke hospitals. The model enables remote diagnostics, consultations, and care coordination, while requiring secure access to spoke hospital EMRs to support informed decision-making and ensure continuity across distributed settings.
Figure 2. Interaction between access control elements [31].
Figure 3. Sequential methodology for designing and evaluating a secure virtual hospital ecosystem using a breast cancer outpatient scenario.
Figure 4. A six-tier information classification scheme for VCAC model designed for virtual healthcare service delivery.
Figure 5. Blockchain block anatomy tailored for VCAC, showing (a) the black box and (b) white box views of blockchain components. Header: block ID, previous hash, and timestamp. Body: access-control transactions containing role identifier, authorized tier set, consent-token hash, and hashes of off-chain EMR artifacts (e.g., imaging, labs, genomics). Footer: endorser/orderer signatures. Only metadata and cryptographic hashes are stored on-chain; full EMRs remain in institutional systems to preserve privacy and scalability.
Figure 6. Neutral enforcement layer (virtual domain) implementing VCAC via smart contracts. $PSP_V$ (policy store, virtual domain) defines cross-institution rules grounded in the six-tier scheme. $PDP_V$ (Policy Decision Point) evaluates access requests with contextual attributes (consent token, time, location, emergency flag). $PEP_V$ (Policy Enforcement Point) enforces decisions and emits immutable audit logs. Local domains retain P S S and enforcement, while the virtual domain harmonizes policies for collaborative access [20].
Figure 7. Layered VCAC architecture serving as both the system and security model. Participants (patients, spoke hospitals, hub hospitals, consortium blockchain nodes) interact via secure APIs. Threats such as insider misuse, ransomware, and inter-institution data leakage are mitigated through (1) immutable, append-only audit trails, (2) consensus-based emergency overrides (“break-glass”), (3) fine-grained role/tier enforcement via smart contracts in the neutral domain, and (4) distributed ledger replication for availability and fault tolerance.
Table 1. Identified information security threats posed by traditional hospital legacy healthcare information systems and EMRs.
Threat Category / Threat Description
Threats to Information Integrity
  • Human error (e.g., incorrect data entry or overwriting)
  • Inconsistent or conflicting data across disparate systems
  • Data tampering due to insufficient logging and audit controls
Threats to Information Availability
  • Ransomware attacks leading to system outages
  • Denial-of-service (DoS) and Distributed DoS (DDoS) attacks on hospital infrastructure
  • Disconnected systems at critical data exchange points
  • Legacy software lacking failover or redundancy mechanisms
  • Downtime due to poor patch management
  • Inflexible access policies during emergencies
  • Untraceable or manual referral management workflows
  • Inconsistent or outdated backup and recovery protocols
Threats to Information Confidentiality
  • Insider misuse or unauthorized access by staff
  • Excessive permissions due to coarse-grained access control
  • Data leakage through misconfigured cloud services
  • Improper disclosure of PHI via unsecured channels (e.g., fax, email)
Table 2. VCAC on-chain parameters (analytical, not measured).

| Symbol | Meaning |
|---|---|
| $B$ | Block size (transactions per block) |
| $\Delta$ | Block interval/ordering epoch (s) |
| $\alpha$ | Per-transaction endorsement/validation cost (s) |
| $\delta_{\text{network}}$ | End-to-end network delay (s) |

Table 3. Threats to information integrity and corresponding mitigation strategies.

| Threat Description | Mitigation Strategy |
|---|---|
| Human error (e.g., incorrect data entry or overwriting) | Enforce role-based access, digital signatures, and append-only updates with audit logging in the blockchain ledger |
| Inconsistent or conflicting data across disparate systems | Use a shared, tamper-proof blockchain ledger as a single source of truth across all institutions |
| Data tampering due to insufficient logging and audit controls | Employ cryptographic signatures and immutable blockchain-based audit trails with precise timestamping |

Table 4. Threats to information availability and corresponding mitigation strategies.

| Threat Description | Mitigation Strategy |
|---|---|
| Ransomware attacks leading to system outages | Decentralize data storage using DLT to eliminate single points of failure |
| DoS and DDoS attacks on hospital infrastructure | Isolate blockchain nodes from clinical interfaces and deploy redundant network nodes |
| Disconnected systems at critical data exchange points | Use blockchain as an intermediary layer for synchronized and reliable inter-institutional communication |
| Legacy software lacking failover or redundancy mechanisms | Integrate blockchain nodes with resilient cloud infrastructure and automated backup replication |
| Downtime due to poor patch management | Limit access to non-updated nodes by enforcing software versioning at blockchain level |
| Inflexible access policies during emergencies | Incorporate break-glass policies governed by smart contracts with full traceability |
| Untraceable or manual referral management workflows | Use blockchain to automate referrals and record provenance of care transitions |
| Inconsistent or outdated backup and recovery protocols | Ensure full chain replication across geographically dispersed blockchain nodes |

Table 5. Threats to information confidentiality and corresponding mitigation strategies.

| Threat Description | Mitigation Strategy |
|---|---|
| Insider misuse or unauthorized access by staff | Enforce patient-centered role-based access rules using the granular six-tier classification and blockchain-enforced policy rules |
| Excessive permissions due to coarse-grained access control | Use fine-grained classification scheme to constrain access to minimal necessary data |
| Data leakage through misconfigured cloud services | Avoid centralized cloud storage; rely on encrypted blockchain metadata and off-chain pointers |
| Improper disclosure of PHI via unsecured channels (e.g., fax and email) | Use blockchain-integrated APIs for secure, encrypted data exchange and audit logging |

Table 6. Qualitative comparison of VCAC with representative blockchain-based healthcare systems.

| Design Axis | VCAC | MedRec | FHIRChain |
|---|---|---|---|
| Patient consent tokens | Explicit, on-chain validation | Patient-mediated pointers | Not native, FHIR access rules |
| Cross-institution policy | Neutral blockchain domain | App-level only | Standard-driven interoperability |
| On-chain storage | Metadata, hashes, access logs | Pointers to EMRs | Pointers to FHIR resources |
| Audit immutability | Consortium blockchain | Smart contract logs | Blockchain audit trail |
| Emergency override | Consensus-based break-glass | Limited | Not specified |

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

AlSalamah, S. VCAC: A Blockchain-Based Virtual Care Access Control Model for Transforming Legacy Healthcare Information Systems and EMRs into Secure, Interoperable Patient-Centered Virtual Hospital Systems. Information 2025, 16, 972. https://doi.org/10.3390/info16110972
