Abstract

Healthcare information systems are currently being migrated from paper based journals to fully digitalised information platforms. Protecting patient privacy is thus becoming an increasingly complex task, where several national and international legal requirements must be met. These legal requirements present only high-level goals for privacy protection, leaving the details of security requirements engineering to the developers of electronic healthcare systems. Our objective has been to map legal requirements for sensitive personal information to a set of reusable technical information security requirements. This paper presents examples of such requirements extracted from legislation applicable to the healthcare domain.