slides - Seidenberg School of Computer Science and Information

The Security Risk Perception Model for the Adoption of Mobile Devices in the Healthcare Industry
Alex Alexandrou (alex_alexandrou@fitnyc.edu)
Li-Chiou Chen (lchen@pace.edu)
Seidenberg School of Computer Science and Information Systems
Pace University
Goals

Understand the security risk perception of medical
practitioners regarding the use of mobile devices to
access electronic medical records

Determine how security risk perception and other factors
affect their behavioral intention both in using
the devices and in adopting the security controls
required for the devices

Compare the difference in security risk perception
between BYOD (Bring Your Own Device) and HPD
(Hospital Provided Device)
Research Model
[Figure: path diagram of the research model. Constructs: Perceived Susceptibility (PSU), Perceived Severity (PSE), Perceived Security Risk (PSR), Security Measure Efficacy (SME), Perceived Easiness of User (PEU), Regulatory Concern (RC), Self-Efficacy (SEF), Safeguard Cost (SAF), Perceived Usefulness (PUS), Intention to Use Mobile Devices (INU), Intention to Comply with Security Control (INC). Hypothesized paths: H1+, H2+, H3+, H4+, H5-, H6-, H7+, H8+, H9+, H10+.]
Empirical Study

We visited three inpatient hospitals and their
outpatient clinics to conduct the interviews and
the web survey

An institutional review board (IRB) review
exemption was approved for each institution

A total of 264 medical practitioners participated
in our study, including nurses, physician assistants,
physicians, health care administrators, medical and
nursing students, as well as information
technology technicians
Data Collection

For each interview, we provided the subject with an
iPad4
◦ We first showed the subjects the EMR application (Citrix)
used in each hospital and then asked them to use it

Using the iPad4, each subject filled out the web survey
◦ demographic information and quantifiable data for the
constructs in the proposed research model

Every construct in the model is measured by three to
four 5-point Likert scale questions

Two scenarios of using mobile devices, BYOD and
HPD, are given to the subjects
Data Analysis

ANOVA
◦ Compare risk perception among different
subject groups and two scenarios

Structural Equation Modeling using
SmartPLS
◦ Measurement Validity
◦ Hypotheses Testing for the Research Model
Comparison among groups
Columns: Perceived Security Risk (PSR), Intention to Comply with Security Control (INC), Intention to Use (INU)

HPD
Group   Sample Size   PSR Mean   INC Mean   INU Mean
1       89            3.11       4.75       4.26
2       145           3.63       4.63       4.07
3       30            3.22       4.64       4.26

BYOD
Group   PSR Mean   INC Mean   INU Mean
1       3.29       3.57       3.55
2       4.47       3.73       4.38
3       3.55       2.68       2.96

Group 1: doctors & medical school students;
Group 2: nurses, nursing students and medical technicians;
Group 3: IT administrators.
Scale: 1-5
Hypotheses Testing - HPD
[Figure: path diagram of the research model for the HPD scenario, with estimated path coefficients. Constructs: Perceived Susceptibility (PSU), Perceived Severity (PSE), Perceived Security Risk (PSR), Security Measure Efficacy (SME), Perceived Easiness of User (PEU), Regulatory Concern (RC), Self-Efficacy (SEF), Safeguard Cost (SAF), Perceived Usefulness (PUS), Intention to Use Mobile Devices (INU), Intention to Comply with Security Control (INC). Path coefficients shown in the figure: -0.06, 0.43***, 0.11*, -0.13**, 0.0, -0.03, 0.12, 0.09, -0.24***, 0.05.]
*** model parameter is statistically significant at 99%;
** model parameter is statistically significant at 95%;
* model parameter is statistically significant at 95%;
Hypotheses Testing - BYOD
[Figure: path diagram of the research model for the BYOD scenario, with estimated path coefficients. Constructs: Perceived Susceptibility (PSU), Perceived Severity (PSE), Perceived Security Risk (PSR), Security Measure Efficacy (SME), Perceived Easiness of User (PEU), Regulatory Concern (RC), Self-Efficacy (SEF), Safeguard Cost (SAF), Perceived Usefulness (PUS), Intention to Use Mobile Devices (INU), Intention to Comply with Security Control (INC). Path coefficients shown in the figure: 0.28***, 0.0, 0.17***, 0.05, 0.01, 0.05, 0.32***, 0.12*, -0.13**, 0.15*.]
*** model parameter is statistically significant at 99%;
** model parameter is statistically significant at 95%;
* model parameter is statistically significant at 95%;
Implications – HPD only

Medical practitioners will be less willing to use
the mobile devices at work
◦ if they are more concerned with regulations and
◦ if they think security threats on mobile devices are more
likely to occur

Security awareness education that emphasizes
the likelihood of security threats and the negative
consequences of regulatory violation
◦ will only deter practitioners from adopting the mobile
devices at work
◦ will not encourage them to adopt security controls
Implications – BYOD only

Factors that encourage medical practitioners to use
their own device at work
◦ Ease of use; usefulness of the devices

Increasing the perceived security risk of medical
practitioners
◦ will increase their intention to follow security controls

IT administrators should focus on awareness campaigns
that can increase practitioners’ perceived security risk
◦ the potential security threats to mobile devices
◦ the consequences of successful security attacks
Implications – both cases

The more medical practitioners think the
security control is costly or inconvenient,
the less likely they are to adopt security
controls.

IT administrators should design security
controls that are convenient and time-saving for medical practitioners to
implement