Access Control for Multi-tenancy in Cloud-based Health Information Systems

Cloud technology can be used to support cost-effective, scalable, and well-managed healthcare information systems. However, cloud computing, particularly multitenancy, introduces privacy and security issues related to personal health information (PHI). In this paper, we designed ontological models for healthcare workflow and multi-tenancy, and then applied HIPAA requirements on the models to generate HIPAA-compliant access control policies. We used Semantic Web Rule Language (SWRL) to represent access control policies as rules, and we verified the rules with an OWL-DL reasoner. Additionally, we implemented HIPAA security rules through access control policies in a cloud-based simulated healthcare environment. More specifically, we investigated access control policy specification and enforcement for cloud based healthcare information systems using an open source cloud platform, OpenStack. The results manifest HIPAA compliance through authorization policies that are capable of addressing vulnerabilities of multi-tenancy.