Ermakova et al. Security and Privacy System Requirements for Healthcare Cloud
Proceedings of the Nineteenth Americas Conference on Information Systems, Chicago, Illinois, August 14-17, 2013.

Security and Privacy System Requirements for Adopting Cloud Computing in Healthcare Data Sharing Scenarios

Tatiana Ermakova
Technical University of Berlin
tatiana.ermakova@tu-berlin.de

Benjamin Fabian
Humboldt Universität zu Berlin
bfabian@wiwi.hu-berlin.de

Rüdiger Zarnekow
Technical University of Berlin
ruediger.zarnekow@tu-berlin.de

ABSTRACT

The emerging cloud computing technology enables essential new scenarios in healthcare, in particular those of data sharing among practitioners. Nevertheless, security and privacy concerns still impede the wide adoption of cloud computing in this area. Although there are numerous publications in the context of cloud computing in healthcare, we have found no consistent framework of typical security and privacy system requirements in this domain so far. Owing to the lack of such studies, and to prepare the ground for creating secure and privacy-friendly cloud architectures for healthcare, we survey security and privacy system requirements for cloud-based medical data sharing scenarios using two strategies. We follow a systematic design science approach for the literature-driven requirement elicitation strategy and apply an established security requirement elicitation methodology as part of the scenario-driven strategy. Finally, we evaluate and compare the two security and privacy system requirements elicitation strategies used in this paper.

Keywords

Cloud Computing, Healthcare, Security, Privacy, Requirement.

INTRODUCTION

The adoption of the emerging cloud computing technology enables multiple new scenarios in healthcare (Loehr et al., 2010), among which data sharing scenarios are of high relevance to practitioners (He et al., 2010; Kanagaraj and Sumathi, 2011; Huang et al., 2011; Zhang and Lu, 2010).
Nevertheless, cloud computing also faces many security and privacy challenges (Deng et al., 2011; Ekonomou et al., 2011), which raise wide concerns among patients and medical workers (Li et al., 2011b; Li et al., 2012; Chen et al., 2012a; Deng et al., 2012; Shini et al., 2012; Abbadi et al., 2011), in particular the risk of losing control over data (Chen and Hoang, 2011; Li et al., 2010). Many researchers see research potential in the existing security and privacy preserving mechanisms (Loehr et al., 2010; Abbadi et al., 2011; Deng et al., 2011; Shini et al., 2012), while Ekonomou et al. (2011) call for establishing human trust campaigns.

Although there are numerous publications in the domain of cloud computing in healthcare, to our knowledge there are so far few works on general and systematic security and privacy system requirements frameworks (Zhang and Liu, 2010; Deng et al., 2011) and none whose requirements are elicited by multilateral requirements engineering methods, which would also be able to point out potential conflicts between the requirements. Against this background, we aim to take first steps toward closing this research gap. The present work aims to support the TRESOR (TRusted Ecosystem for Standardized and Open cloud-based Resources) research project with healthcare practitioners (TRESOR, 2013), funded by the German Federal Ministry of Economics and Technology.

To elicit security and privacy system requirements, we follow literature-driven and scenario-driven strategies. The first strategy is carried out in accordance with the design science framework proposed by Hevner et al. (2004). Based on the literature search framework introduced by vom Brocke et al. (2009), we systematically review articles published up to the year 2012 dealing with security and privacy preserving mechanisms for the use of cloud computing in healthcare, then define system security and privacy requirements, and evaluate them in semi-structured interviews with different experts from the German healthcare industry. We use the requirement pattern presented by Rupp (2005, in German) to formulate the requirements. The second strategy covers security and privacy system requirements arising from specific processes and multiple stakeholders with different interests in healthcare data sharing scenarios and relies on an established security requirements elicitation methodology called Multilateral Security Requirements Analysis (MSRA) (Fabian et al.,