A security risk perception model for the adoption of mobile devices in the healthcare industry

Within the past few years, we have seen increasing use of mobile devices in the healthcare environment. It is crucial to understand healthcare practitioners' attitudes and behaviors towards adopting mobile devices and to interacting with security controls, while understanding their risks and stringent regulations in healthcare. This paper aims to understand how healthcare practitioners perceive the security risks of using mobile devices, and how this risk perception affects their intention to use the devices, and to adopt the security controls that are required. To facilitate such understanding, we propose a theory-grounded conceptual model that incorporates subjective beliefs, perception of security risk, and behavioral intentions to both use mobile devices and comply with security controls. Furthermore, we studied the behavioral intentions under two scenarios among practitioners, when healthcare institutions provided the mobile devices, called hospital-provided devices, or when practitioners used their own devices, bring-your-own-devices. Based upon our conceptual model, we conducted an empirical study, recruiting 264 healthcare practitioners from three hospitals and their affiliated clinics. Our study provided several practical implications. First, we confirmed that it is critical in healthcare institutions to have safeguards on mobile devices that are convenient for practitioners to adopt. Second, to promote security policy compliance in mobile devices and safeguard medical information, healthcare administrators must take different approaches to security depending on how they provide mobile devices to practitioners. Third, the security training for devices should deliver different messages to different occupational groups. Last but not the least, our proposed model offers new perspectives towards a better understanding of integrating perceived security risk, behavioral intention to adopt a technology, and behavioral intention to comply with security control in the healthcare industry.