Healthcare and data privacy requirements for e-health cloud: A qualitative analysis of clinician perspectives

Cloud computing has many benefits relevant to the healthcare industry. Although the adoption of cloud services for healthcare systems is increasing, employment of cloud services raises many security and privacy concerns for patients and healthcare providers. We still lack a clear set of requirements consented by the different stakeholders; here in particular IT and healthcare professionals. In this study, we examine whether user perspectives on requirements for e-health on the cloud are consistent with best practice guidelines and regulatory requirements. This work contributes to the requirements engineering phase for a secure e-health cloud framework developed in a European project (ASCLEPIOS, https://www.asclepios-project.eu/). We used qualitative analysis, based on in-depth interviews, to describe and characterize clinicians' perspectives on the requirements of cloud services for healthcare data security and privacy. We examined whether these user perspectives were in harmony with the regulatory framework of the General Data Protection Regulation (GDPR), and best practice guidelines of a relevant standard, ISO 18308:2011. Ten clinicians were identified and interviewed at six healthcare organizations in Norway, the Netherlands and Germany. While user perspectives were largely consistent with both GDPR and ISO, some concerning differences in access control were noted between large and small healthcare institutions.