Patient Confidentiality of Electronic Health Records: A Recent Review of the Saudi Literature

Health systems harbor lucrative data that can be targeted for illegal access, thus posing a serious privacy breach. In addition, patients could lose their lives or suffer permanent and irreversible harm due to such unauthorized access to health care data used in treatment. To ensure patient safety, the health care sector must integrate cybersecurity into its operations. Additionally, the health care industry must collaborate to tackle cybercrime and prevent unauthorized access to patient data. With the rapid transition from paper-based health records to electronic health records (EHRs), it is important to study, identify, and address the challenges that confront EHRs to protect patient confidentiality. The main goal of this research was to create a clear picture of the role of EHRs in the health care system of Saudi Arabia regarding patient confidentiality. This work focused on the privacy and confidentiality challenges encountered in adopting EHRs in the health care system, and the advantages of using EHRs in terms of protecting patient confidentiality. This project utilized a systematic literature review approach, and the methodology involved a careful critique of 11 recent articles. The confidentiality and privacy of patient data and information must be ensured, because the health care sector in Saudi Arabia is flawed with several security risks that may corrupt the integrity of patient data. The health care system is facing many cybercrimes whereby hackers can gain access to confidential data and patient information. Internal factors such as inexperienced medical personnel have also necessitated EHRs in Saudi Arabia. Health care workers who lack the appropriate skills in handling EHRs may cause breaches of patient data, which in turn may compromise the health and safety of the patients. Confidentiality and privacy are critical components of a reliable EHR system. 
EHR confidentiality has a significant impact on maintaining patient safety and security, thus enhancing patient care in Saudi Arabia. Additionally, challenges such as hackers and data breaches have slowed the adoption process among health care companies in Saudi Arabia. Health systems harbor data that can be targeted by cyber attackers, allowing hackers to gain access to confidential data and information about patients. Patients may lose their lives or suffer permanent and irreversible harm as a result of unauthorized access to health care data used in treatment. To ensure patient safety, the health care sector must integrate cybersecurity into its operations. Additionally, the health care industry must collaborate to tackle cybercrime and prevent unauthorized access to patient data. With the rapid transition from paper health records to electronic health records, it is important to identify, study, and address the challenges that confront electronic health records in terms of protecting patient confidentiality. Examples of factors that may affect patient confidentiality are healthcare security software, and relationships between health professionals.


Introduction
Electronic health records (EHRs) are defined by Keshta and Odeh [1] as "an electronic version of a medical history of the patient as kept by the health care provider (HCP) for some time." In addition, "it is inclusive of all the vital administrative clinical data that are in line to the care given to an individual by a particular provider." Such datasets include patient demographics, progress reports issues, medications, important signs, medical history, immunization reports, laboratory data, and radiology reports. EHRs are often referred to as electronic medical records (EMRs), which have increasingly been used with global digital transformation. However, it is important to distinguish between EMRs and EHRs. EMRs collect all paper-based charts regarding an individual patient present in the clinician's office, as a digital version. EHRs contain all information present within EMRs in digital format and overall health status datasets for the individual patient, designed for use by clinicians and health specialists from other medical specialties, if so required. EMRs include legal records created at hospitals and used as the primary source of EHR data [1].
Since their introduction in the late 1970s [2], evidence has shown a high rate of adoption of EHRs globally. The adoption rate relies on the technological development of each country to achieve a competitive level of quality of care and safety and improve patient satisfaction. EHR systems allow HCPs to monitor patients' health status online and save information from medical examinations in EHRs. The generated information may include personal information, laboratory results, medical treatments, diagnoses, medicines, vaccination status, and even certain sound and picture data. The EHR consolidates patients' medical information from many independent HCPs in the same city, nation, or across a country boundary [3].
The sharing of personal and health information over the internet and different servers/clouds located outside of the secure environment of the health care institution has created privacy, security, access, and compliance concerns [1]. Health organizations must identify methods that will assist them in securing EHRs, to ensure the trust relationship between the patient and HCPs [2]. According to Jabeen et al. [3], trust is considered an essential element in the equation because it has a substantial indirect impact on the quality of health care; the degree of trust reflects patients' perceptions of HCPs and their ability to differentiate among certain health care institutions.
Confidential information is protected by confidentiality, which restricts unauthorized access to specific information and ensures that personal information is kept safe and secure. Unauthorized access may result in data loss and, in certain cases, pose personal risks to the individual patient at multiple levels (e.g., data breaches/leaks concerning HIV and other sexually transmitted disease cases) [4]. Health information collection must adhere to legal and ethical privacy rules and regulations, such as the General Data Protection Regulation (GDPR) in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the United States [4]. The main objective of these regulations is to guarantee that confidential patient information is kept private and protected from disclosure and to safeguard the hospital and its various service information [5].
According to the Cybersecurity Quarterly Bulletin report of the fourth quarter of 2020, which was published by the Saudi National Cybersecurity Authority, the health care sector ranks third in the top targeted sectors globally by 14%, unauthorized activity ranks first as the top threat, and information leakage ranks fourth in the Kingdom of Saudi Arabia (KSA) [6]. The presence of personal health data in the electronic environment endangers patient privacy and information confidentiality. Rieder et al. [7] highlighted the importance of ensuring information secrecy, without which the patient may be compelled to conceal information from the HCP. This action restricts the physician's ability to provide proper care, and the legal environment may enable political authorities to abuse administrative authority by weakening the concept of medical confidentiality itself. Samkari et al. [8] also added that, regarding health care systems, the ultimate security objectives are the confidentiality, integrity, and availability (CIA) triad. A data breach, according to the US Department of Health and Human Services, is "the illegal use or disclosure of confidential health information that compromises its privacy or security under the privacy rule and poses a sufficiently high risk of financial, reputational, or another type of harm to the affected person" [9]. In addition, cybersecurity was defined by Schatz et al. [10] as "the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and assets." The KSA ranks second among the 193 members of the Global Security Index, rising significantly from 11th in 2 years [11]. However, based on the International Communication Union index, it ranks first among Middle East countries and Asia. A long-term study of data breaches by Seh et al. [9] revealed that health care records were exposed because of both internal and external sources of the breach, including hacking, theft/loss, unauthenticated internal disclosure, and incorrect disposal of unneeded yet sensitive data.
A data breach may occur if sensitive health information is transferred or shared without appropriate authorization. Patients may lose their lives or face permanent and irreparable harm if the data used in health care treatment are compromised because of unauthorized access [4]. Hence, EHRs must not be retained for any longer than is necessary for their intended purpose. Additionally, when data are kept, transferred, and utilized, they should not be compromised. The health care sector must also incorporate cybersecurity into the health care system to safeguard patient safety. Additionally, the health care sector must work together to overcome cybercrime and forestall illegal access to patient information. EHRs are often protected by cryptography or recently by steganography; however, using cryptography in combination with steganography has generated an intriguing advancement [8]. According to a study conducted in Malaysia by Dong et al. [12], health institutions must increase their commitment to monitoring these human-associated security breaches if they must achieve effective system information protection results. Health organizations have faced significant security breaches not only because of technological mistakes but also because of an inadequate security culture, security awareness, and security management among the organizations' workers, according to the authors. The implementation of an effective information security policy compliance framework is required for every sector.
The sole reference regarding applicable legislation concerning data protection within the KSA region is the Personal Data Protection Law, which was implemented in September 2021 and requested organizations to perform multiple modifications in their routine daily operations to ensure their compliance with this novel legislation. However, this will only be enforced as of March 2023. This legislation will necessitate registration of data controller details, records of processing, increased governance on such personal data, enforcement of data subject rights, limits on data transfers (especially outside KSA), and the enforcement of individual consent for personal data handling and storage/sharing, increased impact assessments, privacy notices, breach notification protocol implementations, together with more intense regulation over sensitive data (including health-related) [13]. This project aimed to identify and address the challenges facing EHRs regarding protecting patient confidentiality in the KSA, based on an extensive review of related literature.

Methodology
The methodology of this project was based on a systematic literature review (SLR). A web-based search was conducted using several electronic search engines, including Google Scholar, Saudi Digital Library (SDL), and PubMed, to identify different published articles. Google Scholar was used as the primary database, whereas the other two served as complementary databases.
The initial search was conducted on patient confidentiality articles in the KSA. In total, 742 results were generated that were then refined by adding more specific keywords such as "Confidential," "Confidentiality," "Breach," "Data Breach," "Electronic Health Record," "EHR," and "Saudi Arabia." The only Boolean operator used to narrow the findings was "and." Furthermore, because of the rapid progress in technology, the range of publication years was customized to only include articles from 2016 to 2021 (the last 6 years). Thus, the number of results was reduced to 162 articles.
To address the research questions, the most explicit and relevant articles were identified and retrieved. Additionally, duplicated and non-English findings were excluded, yielding 105 articles. Inclusion criteria were (a) relevance to the studied research niche; (b) published studies in the English language; (c) peer-reviewed studies on the Saudi Arabian population; (d) studies providing original data; and (e) studies in which the sample comprised any HCP and information technologist who work in the health care sector or with patients. Exclusion criteria were (a) articles not written in the English language; (b) any type of review article; (c) articles conducted in countries other than the KSA; (d) articles that were not peer-reviewed; (e) articles published before 2016; (f) articles giving inconclusive outcomes for their study aims; or (g) articles not providing a comprehensive explanation of the conducted methodology.
Three areas guided the selection of relevant articles for analysis: confidentiality compliance of HCPs and driving factors of data breaching, challenges concerning confidentiality and security of EHRs, and the influence of confidentiality on EHR adoption. Forty-five articles were chosen for a critical and thorough evaluation of their contents after examining their abstract and conclusion. The excluded articles were used in other sections to suggest solutions and address the explored challenges relevant to the study's background. An article was considered eligible only if it provided answers to any of these three questions. Later, only 14 articles were subjected to thorough screening and analysis in this review. Both technical factors and human factors were explored, with a greater focus on the latter. Figure 1 shows the process of article selection.
We read the full-text papers to assess the quality and suitability of the remaining articles in more depth. Three papers were removed from consideration for the review process because they lacked a clear description of the conducted methodology. Finally, we only included 11 high-quality articles that were properly referenced. Eligible articles were included in Table 1 according to the authors' names, publication year, research title, publication journal, study population, data collection methodology, and project/research objectives.

Results
In this review, 11 research articles that fulfilled the eligible inclusion criteria in the methodology section were analyzed based on the three main project questions: What is the confidentiality compliance of HCPs and driving factors of data breaching? What are the challenges facing the confidentiality and security of EHRs? What is the influence of confidentiality on EHR adoption? Table 1 shows the selected articles for analysis.
All 11 articles posed a concern regarding securing privacy and confidentiality of patient information that correlated with the high adoption of EHRs or EMRs. However, in a study that assessed family physicians' attitudes toward EHR privacy and identified factors that influenced these attitudes, most believed EHRs were more secure than paper records, but some disagreed and expressed concern about data leakage. Senior physicians (P = 0.05), non-Saudi physicians (P = 0.029), and consultants (P = 0.004) all had a favorable perception of the privacy of computerized data. Many physicians agreed to share data with the Ministry of Health (53/89; 59.6%) and hospital-based research centers (49/89; 55%) but were opposed to data accessibility and sharing with insurance and pharmaceutical companies. Most respondents (48/89; 54%) disagreed with the risk of possible confidentiality loss when using EHRs [14].

Confidentiality Compliance of HCPs and Driving Factors of Data Breaching
In a descriptive study, Almulhem [15] investigated the access privilege of medical interns from various Saudi Arabian medical colleges. Almost 62.8% of the participants had access to medical records, 66.1% had access to EHRs, and 83.27% had read-only access. These participants had privileges to perform a quick search for patient records (70.1% of medical interns who accessed EHRs and 67.1% of peers who accessed paper medical records). Three of the eleven studies were focused on analyzing the driving factors that contribute to the breaching of information security policies (ISPs) by HCPs. Furthermore, in these three articles, the possible determinants of compliance and noncompliance using certain behavior theories with few variations were discussed. Two of these studies were conducted by Altamimi et al. [16] and were focused on non-malicious behaviors of breaching by medical interns training in academic hospitals, revealing that behavioral justification was used when medical interns do not comply with ISPs for various reasons, including feeling better about not complying with ISPs. Furthermore, they demonstrate that neutralization theory may be used to explain behavior that differs from anticipated norms and that it can also be used to predict the medical interns' intention to breach hospital privacy rules in the health care sector. In the third study conducted by Alanazi et al. [17], the effectiveness of the theory-based model and different information security compliance behavior (ISCB) predictions for health care professionals in the KSA government hospitals were explored. Moderating and uncommon variables (such as morality and religion) affected ISCBs, whereas demographic features (such as marital status, job experiences, and age) had no effect.

Challenges of Confidentiality and Security of EHRs
Mishah et al. [18] analyzed e-security in the KSA hospitals and found that, in most Saudi hospitals, health information technology departments were well established, while health information management departments were less prepared. The security of server rooms, data centers, and hospital information technology (IT) networks were all regarded as the cornerstones of any hospital e-security platform. Additionally, the authors found a highly contradictory practice regarding e-security in hospitals: for example, antivirus software was available in 93.75% of hospitals, but only 33.33% of hospitals kept it up to date. An IT department was well established in 83.3% of hospitals; however, e-security officers were unavailable in 83.3% of hospitals, among other situations. An intrusion prevention system was absent in 62.5% of hospitals; although 67% of hospitals' networks were accessible to the internet, only 33.33% of them were secured by a firewall, representing a significant deficiency. Remote backups are essential for hospitals, particularly in the event of a natural catastrophe or fire disaster. However, remote backups were inaccessible in 66.66% of cases. Only 4% of the studied population had a digital catastrophe plan including a system recovery exercise and restoration testing. Based on the findings of Chikhaoui et al. [19] regarding the issues that threaten the privacy and security of cloud computing, more than half of the respondents believed that patient medical records were vulnerable to cloud computing. The data were kept secure, according to 40% of those polled, with the remaining 10% declining to respond. Comparison of the hospital data with bank data showed that most respondents claimed that "it is secured in the same way that the bank account is secured, and there is no need to be concerned about security." Additionally, several respondents expressed concern about hospital data security. Although patient privacy was jeopardized by transferring of patient information from one hospital to another, according to 85% of respondents, 5% disagreed and the remaining 10% did not respond. Almuayqil et al. [20] examined the barriers to e-health care and the use of EHRs in the KSA among potential users of a proposed framework. Citizens and IT professionals reported no issues with security or privacy. However, concern about the security and privacy of patient records was shown by most health care professionals. Most health care professionals demonstrated the issue of unauthorized access to their patient EHRs (n = 9; 52.9%). Approximately one-third of physicians complained that their patients' EHRs were not only distributed but also updated without their personal consent (n = 7; 41.2%). Furthermore, half of these health care professionals (n = 8; 47.1%) claimed that they could not control the access of their patients' EHRs, and the same number of respondents indicated that they had unauthorized access to other patients' EHRs. Over half of health care professionals (n = 9; 52.9%) could not determine who should be given access to the EHRs of their patients. Additionally, much dissatisfaction was shown by most of the health care professionals because of their inability to determine and control the EHRs of their patients (n = 11; 64.7%). Additionally, a proportion of health care professionals (n = 6; 37.5%) indicated that they could control the health records of other patients. The citizens' (layperson) mean score (mean, 3.5) was the highest of the three groups of respondents. The second highest mean score was 3.2, shown by health care professionals, while the lowest mean score was shown by IT specialists, which was calculated as 2.2.

Influence of Confidentiality on EHR Adoption
According to the findings of another researcher, the participants in the study by Alsahafi et al. [21] perceived that security concerns had a substantial negative effect on their behavioral intention to use the National Electronic Health Records (NEHR) system in the Saudi setting (beta = −0.22; P = 0.001). These figures demonstrated that worries about the security of people's health information against unauthorized access may deter health care consumers from using the NEHR system. Additionally, the researchers discovered that trust had a statistically significant beneficial impact on Saudi health care customers' behavioral intention to use the NEHR system (beta = 0.22; P = 0.001). These findings indicated that the intentions of Saudi health care consumers to use the NEHR system could be significantly influenced by their trust in government e-health applications concerning security standards, as well as health practitioners' confidentiality in handling private health-related information. Furthermore, trust had a substantial detrimental effect on perceived security concerns (beta = −0.39; P = 0.001). These data indicated that Saudi health care customers who saw the NEHR system and the parties engaged in its administration and usage as trustworthy were more likely to have fewer privacy and security concerns, and therefore to plan to utilize it.
The survey by Jabali and Jarrar in 2018 tested the functionality of major challenges of EHRs at 15 hospitals in the Eastern Province of the KSA [22]. The survey concluded that almost seven hospitals (46.6%) implemented or were in the process of implementing an EHR system. In the KSA's Eastern Province, order entry (51.11%) is primarily made by EHR and chart review, which account for approximately 41.11%, with significant barriers to use for different documentation functions, decision support, and other tools of communication. Along with the "secure" EHR system, these results indicated that the security mechanism is not adequately protected against all kinds of threats [22].

Discussion
The confidentiality and security of EHRs play a crucial role in patient satisfaction. The KSA has made considerable progress in improving the security of EHRs through privacy rules and confidentiality principles. According to Mishah et al. [18], only a few clinical and nonclinical electronic systems use advanced and moderate e-security features, tools, well-established policies and practices to protect patient confidentiality. With the increased rate of hackers targeting patient data in Saudi's health system, evaluation of e-security and other security measures in Saudi hospitals has become compulsory to avoid potential threats that may break patient confidentiality. Therefore, improving e-security measures and developing data security rules are crucial to limit the risk of jeopardizing patient data integrity and safety [18].
The KSA has a reliable health care system that maintains trust and friendly relationships to build a confident and trustworthy public health care system. Thus, patient data management by identifying motivations and driving factors is crucial. Altamimi et al. [23] demonstrated various motivations that standardized the MIS for applications of behavioral modes when all requirements of ISPs were failed. However, the amenability of employees to adopt ISPs cannot be justified. When those employees were uncomfortable with rules, they applied neutralization approaches to suppress these issues. These applied neutralization approaches included the denial of responsibility, the denial of injury, appeal to higher loyalties, the metaphor of the ledger that reflects justifying negative actions based on past virtues, defense of necessity, and condemnation of condemners. In addition to neutralization approaches, preventive strategies are applied because these approaches are insufficient to preserve privacy regulatory rules. Therefore, Altamimi et al. [23] suggested that further research should identify more awareness approaches and training sessions (face-to-face contacts, web-based courses, and seminars) that are operational health care measures to prevent these workers from justifying their wrong behaviors. By following these strategies, health care systems may apply safety measures in the form of psychological layers for advancements in their technological systems. The support of a noncompliance system by social norms has also proven helpful. Individuals appreciate descriptive norms compared with injunctive norms.
Furthermore, factors that impact ISCB are also the determining factors in maintaining the confidentiality of EHRs, as described by Alanazi et al. [17]. Such factors include psychological behaviors, religious beliefs, cultural beliefs, personality traits, cost of compliance, norms, technology awareness, and legal issues. According to their arguments, ISCB is affected by uncommon factors such as religion or morality, whereas demographic factors such as work experience have no effect.
Alsahafi et al. [21] demonstrated that some influential factors, particularly social factors, may affect the confidentiality of EHRs. They agreed that factors such as health care consumers' perspective could impact the decisions of policy makers in planning and improving the acceptance and implementation of the NEHRs in the KSA. Therefore, the trust of health care consumers in the government's ability to ensure confidentiality and standards set regarding access to patient data plays a key role in determining the confidentiality of EHRs.
Almulhem [15] described that participants had unfettered access to medical records, and their answers to open-ended questions showed the need for appropriate regulation of such access. Compared with paper medical records, medical students had a better experience using EHRs. Various essential skills can be learned by medical students from medical records that benefit them in their future practice. The educational experience of medical students was limited when read-only access was provided. However, before granting medical students access to medical records, they should receive adequate EHR training because this enabled them to practice and use EHR systems more effectively.
However, several challenges in adopting EHRs could also be faced by the health care system in the KSA, particularly regarding privacy issues. For example, in their study, Jabali and Jarrar [22] found that some of the obstacles met by health care organizations in implementing EHR adoption and security included resistance to change by some medical staff. Some medical personnel failed to accept the use of information technologies aimed at reducing patient data breaches. Furthermore, low and weak financing strategies were used to implement competent confidentiality EHR programs. Moreover, medical staff were insufficiently trained in the correct and secure usage of EHR systems [22].
Additionally, Chikhaoui et al. [19] described the challenges faced in EHR adoption by focusing on cloud computing. Some of the challenges included hackers who may gain access to confidential patient data, or computer viruses that may affect the integrity of patient records and information. Similarly, the portability of data using cloud computing also poses a challenge in adopting EHR systems in the KSA. However, despite these challenges, cloud computing makes health care processes more efficient by ensuring centralized data storage and processing.
Similarly, Alqahtani et al. [24] described how adopting EHRs can be improved by involving patients. In their study, the patients stated that they had the right to make decisions based on the medical care they received, the right to accept or reject treatment, and the right to formulate advance directives. Therefore, patient awareness is crucial in ensuring smooth EHR adoption because patients can make prompt decisions regarding any privacy or confidential areas in receiving health care.
Almuayqil et al. [20] explained that one of the major challenges in maintaining data integrity and security in adopting EHRs is the connectivity of information systems. Other barriers highlighted by this study included cultural barriers in technical expertise and barriers in computer skills. HCPs ranked security and privacy as the third barrier because it is common for medical records to be distributed without a patient's or doctor's consent. Additionally, issues linked to the potential of unauthorized individuals to access their patients' data were among their second primary worries. Conversely, the IT experts' group responses emphasized the importance of using different security and privacy measures to protect the confidentiality of patients' information. Therefore, health care organizations should identify such obstacles to ensure smooth adoption of EHRs and ensure confidentiality.
Physicians' perspectives on EHR privacy in the KSA were reported in the study by Alshahrani et al. [14]. The doctors agreed that EHRs, which are password-protected in specific medical software, are more private and secure than paper records and that the benefits and usefulness outweigh the dangers. Overall, the use of computers in health care was deemed to be extremely advantageous, resulting in EHR deployment in the KSA's largest institutions. These findings may help policy makers argue for the spread of EHRs. The privacy, security, and confidentiality of patient health information are not jeopardized by the EHR.
The limitations of this study were the limited availability of relevant publications in the KSA, the lack of original findings, and the biased methodology used. The strengths of this study were that the reviewed articles were systematically explored from the last 5 years of publications, which are considered relatively new. Furthermore, the study focused on the Saudi population; thus, more focused results were generated.

Conclusion
The goal of this project was to use an extensive review of related literature to identify and address the challenges facing EHRs in the KSA in terms of protecting patient confidentiality. To the best of our knowledge, literature is lacking that examines the impact of training, measures the level of awareness and current practices of HCPs in the KSA, protects patient information privacy and confidentiality from the breach, and considers technical measures. However, through extensive analysis of reliable studies and research on EHR implementation in the KSA, reliable results can be deduced. Furthermore, privacy and confidentiality are the foundation of a reliable EHR system. Some of the explored factors that affect the confidentiality of patient data include relationships among health care professionals, upgrading of health care security software, and social influencers health care consumers, among others. Therefore, if the KSA adopts the mentioned implementation strategies, factors regarding patient confidentiality, and addresses the challenges posed, the safety and care of patients will be significantly improved.
Recommendations for future studies/implementations include (a) investigating various case studies and including hospitals from other regions of the KSA; (b) performing comparative studies (e.g., between governmental and privatized hospital settings); (c) analyzing the behaviors and attitudes of various HCPs toward confidential data; (d) clarifying and comparing various HIS models; (e) further analyzing the role of leadership in the successful implementation of EHR systems; (f) analyzing physicians' roles in embracing novel EHR systems; (g) increasing EHR training program availability, with minimal knowledge gaps; (h) increasing investment in the latest EHR infrastructures; and (i) improving data handling/sharing policies within KSA hospital settings.