A security risk perception model for the adoption of mobile devices in the healthcare industry

Abstract

Within the past few years, we have seen increasing use of mobile devices in the healthcare environment. It is crucial to understand healthcare practitioners’ attitudes and behaviors toward adopting mobile devices and interacting with security controls, while understanding their risks and the stringent regulations in healthcare. This paper aims to understand how healthcare practitioners perceive the security risks of using mobile devices, and how this risk perception affects their intention to use the devices and to adopt the security controls that are required. To facilitate such understanding, we propose a theory-grounded conceptual model that incorporates subjective beliefs, perception of security risk, and behavioral intentions to both use mobile devices and comply with security controls. Furthermore, we studied the behavioral intentions among practitioners under two scenarios: when healthcare institutions provided the mobile devices (hospital-provided devices), and when practitioners used their own devices (bring-your-own-devices). Based upon our conceptual model, we conducted an empirical study, recruiting 264 healthcare practitioners from three hospitals and their affiliated clinics. Our study provided several practical implications. First, we confirmed that it is critical in healthcare institutions to have safeguards on mobile devices that are convenient for practitioners to adopt. Second, to promote security policy compliance in mobile devices and safeguard medical information, healthcare administrators must take different approaches to security depending on how they provide mobile devices to practitioners. Third, the security training for devices should deliver different messages to different occupational groups. Last but not least, our proposed model offers new perspectives towards a better understanding of integrating perceived security risk, behavioral intention to adopt a technology, and behavioral intention to comply with security control in the healthcare industry.

Change history

  • 05 December 2019

    Unfortunately, the co-author’s affiliation was wrongly published in the original online publication of this article. The correct affiliation should read as: Li-Chiou Chen, Department of Information Technology, Seidenberg School of Computer Science and Information Systems, Pace University.

Author information

Corresponding author

Correspondence to Alex Alexandrou.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Appendix 1

| Background questions | Sample | Categories | Percent |
|---|---|---|---|
| How long have you used mobile devices at home? | 3 | Never | 1.1% |
| | 6 | Less than 1 year | 2.3% |
| | 52 | 1–5 years | 19.7% |
| | 114 | 6–10 years | 43.2% |
| | 89 | 11–15 years | 33.7% |
| For what purposes have you been using mobile devices? (Please select all that apply) | 129 | Communication (email, conferencing) | |
| | 96 | Entertainment (watching movies etc.) | |
| | 75 | Games | |
| | 111 | Surfing the internet | |
| | 104 | Work related (accessing information) | |
| How long have you used mobile devices at work? | 37 | Never | 14% |
| | 35 | Less than 1 year | 13.3% |
| | 109 | 1–5 years | 41.3% |
| | 51 | 6–10 years | 19.3% |
| | 32 | More than 10 years | 12.1% |
| How long have you used electronic medical records (EMR) in the workplace? | 26 | Never | 9.8% |
| | 83 | Less than 1 year | 31.4% |
| | 122 | 1–5 years | 46.2% |
| | 21 | 6–10 years | 8.0% |
| | 12 | More than 10 years | 4.5% |
| How frequently have you personally been affected by a computer security problem? (e.g., computer virus attacks or unauthorized access to data by hackers) | 86 | Never | 32.6% |
| | 123 | Once or twice | 46.6% |
| | 30 | 3–5 times | 11.4% |
| | 25 | More than 5 times | 9.5% |
| How much have you heard or read during the last year about computer security problems? (e.g., computer virus attacks or unauthorized access to data by hackers) | 40 | Never | 15.2% |
| | 76 | Once or twice | 28.8% |
| | 55 | 3–5 times | 20.8% |
| | 93 | More than 5 times | 35.2% |

Survey Questionnaire (Background Questions).

Appendix 2

Survey Questions with constructs (*questions measured both HPD and BYOD scenarios).

| Label | Questions |
|---|---|
| PSU | Perceived Susceptibility |
| | Please indicate how likely the following will occur on a scale of 1–5. (1: Extremely unlikely; 2: Unlikely; 3: Possible; 4: Likely; 5: Extremely likely) |
| PSU-1 | Mobile devices can be lost or stolen easily |
| PSU-2 | Mobile devices cannot provide secure access to electronic medical records (EMR) |
| PSU-3 | Mobile devices could have security problems that allow unauthorized personnel to access to (EMR) |
| PSE | Perceived Severity |
| | Please rate how severe the consequences will be, if the following occur, on a scale of 1–5. (1: Very Low; 2: Low; 3: Moderate; 4: Severe; 5: Very Severe) |
| PSE-1 | Sabotage of patients’ medical information (patient records, medical images, medication management) |
| PSE-2 | Sabotage of patients’ personal information, such as Social Security Number (SSN), credit card numbers or addresses |
| SME | Security Measure Efficacy |
| | Please indicate how much you agree with each of the following statements. Indicate on a scale of 1–5. (1: Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree) |
| SME-1 | When using mobile devices, I am sure that certain managerial and technical procedures exist to protect patient information |
| SME-2 | When using mobile devices, I am sure that there is an effective way of deterring hacker attacks |
| SME-3 | When using mobile devices, I am sure that there are specific guidelines that describe acceptable use of mobile device passwords |
| SME-4 | When using mobile devices, I am sure that there is a security policy that forbids employees from accessing computer systems that they are not authorized to use |
| SEF | Self-Efficacy |
| | Please indicate how much you agree with each of the following statements. Indicate on a scale of 1–5. (1: Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree) |
| SEF-1 | I would feel comfortable to reset or change the password of mobile devices |
| SEF-2 | I would be able to follow the security procedures that include changing my password frequently for the mobile devices even if there was no one around to help me |
| SEF-3 | I could follow written directions about how to reset or change my password of the mobile devices |
| SAF | Safeguard Cost |
| | Please indicate how much you agree with each of the following statements. Indicate on a scale of 1–5. (1: Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree) |
| SAF-1 | Having a password is inconvenient for accessing electronic medical records (EMR) |
| SAF-2 | Using a password will take more time away from caring for patients |
| SAF-3 | Remembering a password is hard for me |
| SAF-4 | Using a password on mobile devices is time-consuming |
| INU* | Intention to use Mobile Device |
| | If you can choose whether or not to use a mobile device in the work place, either HPD or BYOD, please indicate your views using a scale from 1 to 5. (1: Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree) |
| INU-1 | I plan to use the mobile devices at work |
| INU-2 | I will use the mobile devices to access Electronic Medical Records (EMR) |
| INU-3 | I intend to use the mobile devices to access patients’ personal information |
| PSR* | Perceived Security Risk |
| | How do you plan on complying with security measures regarding the use of either HPD or BYOD? Please indicate your views using a scale from 1 to 5. (1-Strongly Disagree, 5-Strongly Agree) |
| PSR-1 | The use of mobile devices to access electronic medical records (EMR) is risky |
| PSR-2 | The use of mobile devices to access patient medical information is risky |
| PSR-3 | The use of mobile devices to access patient personal information is risky |
| INC* | Intention to Comply with Security Control |
| | How much are you concerned about the following for both Hospital Provided Devices (HPD) and Bring-Your-Own-Devices (BYOD)? Please indicate your views using a scale from 1 to 5. (1-Strongly Disagree, 5-Strongly Agree) |
| INC-1 | I will comply with organizational Information Technology (IT) security policies for the mobile device, such as securing my password |
| INC-2 | I will not give my mobile device password to other personnel as required by security policies |
| INC-3 | I plan to change the password on mobile devices as required by security policy for example, every three months |
| PEU | Perceive Easiness of use Mobile Devices |
| | Please indicate your comfort level in using mobile devices. Indicate on a scale of 1–5. (1: Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree) |
| PEU-1 | My interaction with mobile devices is clear and understandable |
| PEU-2 | I find mobile devices make it easier to perform my job, such as accessing patient medical information |
| PEU-3 | Overall, I find mobile devices easy to use |
| PUS | Perceive Usefulness of Mobile Devices |
| | Please indicate what you think about the use of mobile devices in the workplace. Indicate on a scale of 1–5. (1: Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree) |
| PUS-1 | Use of mobile devices can reduce the time needed to perform patient care |
| PUS-2 | Use of mobile devices can significantly increase my productivity and allow me to spend more time in patient care activities |
| PUS-3 | Use of mobile devices can increase the quality of patient care |
| RC | Regulatory Concern |
| | Please indicate your level of concern regarding the following statements. Indicate on a scale of 1–5. (1: Strongly Disagree; 2: Disagree; 3: Neutral; 4: Agree; 5: Strongly Agree) |
| RC-1 | I am concerned that the use of mobile devices in the workplace may result in a violation of HIPAA regulations |
| RC-2 | I am concerned that the use of mobile devices in the workplace may result in a violation of the Joint Commission’s requirements regarding IT security |
| RC-3 | I am concerned that the use of mobile devices in the workplace may result in a violation of institutional policies |

Appendix 3

Quality of Measurement and Correlations of Constructs (See Tables 5, 6, 7, 8).

Table 5 Quality of measurement for hospital-provided-devices (HPD)
Table 6 Quality of measurement for bring-your-own-device (BYOD)
Table 7 Correlations of constructs for hospital-provided-devices (HPD)
Table 8 Correlations of constructs for bring-your-own-device (BYOD)

Cite this article

Alexandrou, A., Chen, L. A security risk perception model for the adoption of mobile devices in the healthcare industry. Secur J 32, 410–434 (2019). https://doi.org/10.1057/s41284-019-00170-0

Keywords

  • Mobile devices
  • Healthcare
  • Bring-your-own-devices (BYOD)
  • Security risk perception
  • Behavioral intention
  • Security controls
  • Electronic medical records (EMR)