A security risk perception model for the adoption of mobile devices in the healthcare industry

Springer Science and Business Media LLC - Volume 32 - Pages 410-434 - 2019
Alex Alexandrou1, Li-Chiou Chen1
1Department of Security, Fire, and Emergency Management, John Jay College of Criminal Justice, New York, USA

Abstract

Within the past few years, we have seen increasing use of mobile devices in the healthcare environment. It is crucial to understand healthcare practitioners’ attitudes and behaviors towards adopting mobile devices and interacting with security controls, while understanding their risks and the stringent regulations in healthcare. This paper aims to understand how healthcare practitioners perceive the security risks of using mobile devices, and how this risk perception affects their intention to use the devices and to adopt the security controls that are required. To facilitate such understanding, we propose a theory-grounded conceptual model that incorporates subjective beliefs, perception of security risk, and behavioral intentions to both use mobile devices and comply with security controls. Furthermore, we studied the behavioral intentions among practitioners under two scenarios: when healthcare institutions provided the mobile devices, called hospital-provided devices, or when practitioners used their own devices, called bring-your-own-devices. Based upon our conceptual model, we conducted an empirical study, recruiting 264 healthcare practitioners from three hospitals and their affiliated clinics. Our study provided several practical implications. First, we confirmed that it is critical in healthcare institutions to have safeguards on mobile devices that are convenient for practitioners to adopt. Second, to promote security policy compliance in mobile devices and safeguard medical information, healthcare administrators must take different approaches to security depending on how they provide mobile devices to practitioners. Third, the security training for devices should deliver different messages to different occupational groups. Last but not least, our proposed model offers new perspectives towards a better understanding of integrating perceived security risk, behavioral intention to adopt a technology, and behavioral intention to comply with security control in the healthcare industry.
