eHealth is being rapidly deployed. Lower cost and greater productivity are drawing governments and healthcare enterprises to move from traditional healthcare services to eHealth services. Security and privacy are growing concerns with the widespread deployment of eHealth and the development of the next generation of eHealth services. In this paper, we discuss these security problems and propose a high-level security framework that captures the features required in the next-generation eHealth infrastructure. Our framework consists of the following: (i) an adaptive, trust-aware, tag-based privacy control that specifies which data to share and with whom, guaranteeing fine-grained control of data access; (ii) a decentralized authorization that relies on a trust propagation protocol to provide robust and resilient access control enforcement; and (iii) a hybrid trust management mechanism that addresses the depository of access control information on a cloud server. It enforces user-defined access control not only in a distributed environment but also in a privacy-preserving manner, so as to minimize the disclosure of privileges and of access policies. Copyright © 2013 John Wiley & Sons, Ltd.