Towards a contextual theory of Mobile Health Data Protection (MHDP): A realist perspective

doi:10.1016/j.ijmedinf.2020.104229

International Journal of Medical Informatics

Volume 141, September 2020, 104229

https://doi.org/10.1016/j.ijmedinf.2020.104229 Get rights and content

Highlights

•
We report on a realist review of Mobile Health Data Protection (MHDP).
•
The review identifies contexts, mechanisms and outcomes of MHDP failure and success.
•
MHDP failure and success impact patients’ mHealth adoption, use and satisfaction.
•
Our contextualized MHDP theory informs effective mHealth interventions in practice.

Abstract

Background

With the introduction of privacy regulations such as the California Consumer Privacy Act and the European Union General Data Protection Regulation (GDPR), effective data protection in mobile health (mHealth) is rapidly becoming a concern. However, we have a limited understanding of the contexts and mechanisms that affect the likelihood of failures and successes in mHealth data protection, and their subsequent impacts. In this review and theory development paper, we aim to address this critical knowledge gap.

Method

We conducted a systematic literature search using PubMed, Embase, and Scopus databases. To synthesize the evidence, we adopted a realist review approach and compiled the extracted information based on context-mechanism-outcome (CMO) configurations. Out of an initial set of 611 records, 19 articles met the eligibility criteria and were included.

Results

Our findings indicate that the failures and successes in data protection and their impacts (effective mHealth interventions, data protection awareness, and adoption/use of mHealth systems) depend contingently upon a number of contextual factors (systems, users, tasks, services, geographic elements) and causal mechanisms (unauthorized access, device theft, loss, and sharing, lack of cyber-hygiene, and data protection concerns for failures, and trust building activity, secure and law compliant platforms, and perceived data protection, for successes). We conceptualized the CMO configurations to provide explanations for the reported failures and successes in data protection.

Conclusion

For effective mHealth interventions, the dark side of system use (data breaches) must be mitigated and remediated. Our study offers a theoretical model that contextually explains how the mechanisms of success and failures work in mHealth.

Introduction

In the digital health era, traditional models of care delivery have been transformed thanks to information technology-enabled services and business models [[1], [2], [3]]. A prominent ecosystem for effective care delivery is mobile health (mHealth) [4,5]. Internet-connected mHealth devices provide ubiquitous access to care providers to obtain personal health data. Meanwhile, patients can easily share their health information and receive health advice [6]. However, adoption and effective use of mHealth is tempered by data protection concerns [7,8]. From the perspective of both patients and providers, failures in the protection of personal health data are highly controversial and consequential [2,9]. This concern also is reflected in the World Health Organization (WHO) reports on mHealth and digital intervention, which highlighted calls for actions, policy and legal attention to ensure effective data protection [10,11].

Researchers have also documented several cases in mHealth context where mobile app developers are not transparent about data protection and also introduce intentional or by-product risks to effective data protection [12]. Furthermore, technical assessments of mHealth apps have revealed that several supposedly secure apps in healthcare did not adequately protect patient data. For example, a recent study on data sharing of top-rated mHealth apps in four developed countries found that the majority of the included apps for analysis shared personal data with third parties, ranging from birthday and email to medical conditions, and symptoms [13]. A similar study on 79 certified clinical apps showed security vulnerabilities and breaches such as sending sensitive information without encryption and authorized access to user data [14].

Effective data protection in mHealth is a technical and social phenomenon. Apart from technical elements such as a system’s privacy and security safeguards, social elements such as patients’ trust and clinicians’ practices in using the system play important roles in mHealth data protection failure and success [[15], [16], [17]]. As evident in our literature review, there is a paucity of theories that address the context-specific social and technical aspects of mHealth data protection. To advance the knowledge in this highly important context and embarking on the realist review approach, we aim to provide a theoretical model of failures and successes in mHealth data protection that is grounded in emerging evidence. By applying this approach, we sought to answer the following overarching research questions:

1
In what circumstances (contexts and mechanisms) is mHealth data protection most likely to be failed or successful?
2
What are the potential outcomes of mHealth data protection failures or successes?

Answering these questions can enhance our understanding of health data protection and more importantly facilitates theorizing the phenomena of mHealth data protection. Thereby, we move toward theorizing the phenomena by unpacking the context-mechanism-outcome (CMO) relationships and explaining the impacts of mHealth data protection failures and successes.

The rest of this paper is organized as follows: First, we describe our methodological approach in conducting the realist review. Next, we demonstrate our results in two sections: study characteristics and main findings, followed by a discussion of the mechanisms and outcome in the mHealth context. Finally, the conclusions are presented.

Section snippets

Methods

As our research aimed to provide a contextualized explanation of failures and successes of mHealth data protection, we adopted a realist review approach. Particular assumptions that realist review has about the nature of reality and causation make this theory-driven approach different from other types of reviews [18,19]. In this perspective, causal associations are influenced by the setting and context [20].

In conducting this review, we followed systematic steps recommended by Templier and Paré

Results

Fig. 1 shows the selection process. Our electronic search returned a total of 606 records from three databases. Also, five more articles were identified through other sources (e.g., reference check), making the initial set of 611 identified records. After removing duplicates, we screened 460 records at the title/abstract level. Of these, 372 articles were excluded for various reasons, leaving 88 potentially eligible articles. We then obtained and inspected the full-text of the articles based on

Discussion

Our realist review revealed nine mechanisms as the fundamental drivers of mHealth data protection failures and success. In this section, we discuss the details of these key mechanisms and their outcomes. Building on a realist perspective, we demonstrate how mechanisms of mHealth data protection failure and success are invoked and consequently generate specific outcomes.

Conclusion

mHealth systems are designed to support caregivers and healthcare organizations, and enable patients to receive high-quality health services. It is important to use the system in a way that increases medical task performance. However, with neglecting data protection aspects, success in health service excellence simply cannot be achieved. To make an effective mHealth intervention, the dark side of system use (data breaches) must be mitigated and remediated. This requires an understanding of the

Authors' contributions

JP, SA and FF conceptualized and designed the study. JP conducted the literature search and reviewed the identified records based on inclusion/exclusion criteria. JP synthesized the included articles and formulated the initial theoretical model. JP and SA developed the final model. JP wrote a first draft of the manuscript with intellectual input from SA and FF. All authors contributed to the final version.

Declaration of Competing Interest

The authors have no competing interests to declare.

References (56)

J. Durham et al.
Explaining how unexploded ordnance clearance enhances livelihoods in the Lao PDR
Eval. Program Plann.
(2016)
O.J. Muensterer et al.
Google glass in pediatric surgery: an exploratory study
Int. J. Surg.
(2014)
J.R. Bautista et al.
Sociotechnical analysis of nurses’ use of personal mobile phones at work
Int. J. Med. Inform.
(2016)
M. Herrmann et al.
Digital transformation and disruption of the health care sector: internet-based observational study
J. Med. Internet Res.
(2018)
R. Agarwal et al.
Research commentary—The digital transformation of healthcare: current status and the road ahead
Inf. Syst. Res.
(2010)
E. Karahanna et al.
Capitalizing on health information technology to enable digital advantage in US hospitals
MIS Q.
(2019)
D. Kauw et al.
Advantages of mobile health in the management of adult patients with congenital heart disease
Int. J. Med. Inform.
(2019)
A. Roess et al.
Growth, and reality of mobile health — Another data-free zone
N. Engl. J. Med.
(2017)
L. Chen et al.
Mobile health (mHealth) channel preference: an integrated perspective of approach-avoidance beliefs and regulatory focus
J. Assoc. Inf. Syst.
(2019)
M.-P. Gagnon et al.
m-Health adoption by healthcare professionals: a systematic review
J. Am. Med. Inform. Assoc.
(2015)

I. Sim

Mobile devices and health

N. Engl. J. Med.

(2019)

J. Kwon et al.

Proactive versus reactive security investments in the healthcare sector

MIS Q.

(2014)

WHO

mHealth: New Horizons for Health Through Mobile Technologies

(2011)

WHO

WHO Guideline: Recommendations on Digital Interventions for Health System Strengthening

(2019)

A. Sunyaev et al.

Availability and quality of mobile health app privacy policies

J. Am. Med. Inform. Assoc.

(2014)

Q. Grundy et al.

Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis

BMJ

(2019)

K. Huckvale et al.

Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment

BMC Med.

(2015)

S. Bucci et al.

Early psychosis service user views on digital technology: qualitative analysis

JMIR Ment. Health

(2018)

D. Leahy et al.

Use of text messaging in general practice: a mixed methods investigation on GPs’ and patients’ views

Br. J. Gen. Pract.

(2017)

J.D. Elhai et al.

How secure is mental health providers’ electronic patient communication? An empirical investigation

Prof. Psychol. Res. Pract.

(2015)

R. Pawson

The Science of Evaluation: a Realist Manifesto

(2013)

S.M. Dalkin et al.

What’s in a mechanism? Development of a key concept in realist evaluation

Implement. Sci.

(2015)

M. Templier et al.

A framework for guiding and evaluating literature reviews

Commun. Assoc. Inf. Syst.

(2015)

G. Johns

The essential impact of context on organizational behavior

Acad. Manage. Rev.

(2006)

S.R. Kirsh et al.

A realist review of shared medical appointments: how, for whom, and under what circumstances do they work?

BMC Health Serv. Res.

(2017)

H. Cooper

Research Synthesis and Meta-Analysis: a Step-by-Step Approach

(2015)

L. Dubé et al.

Rigor in information systems positivist case research: current practices, trends, and recommendations

MIS Q.

(2003)

G. Wong et al.

Internet-based medical education: a realist review of what works, for whom and in what circumstances

BMC Med. Educ.

(2010)

Cited by (12)

A systematic analysis of failures in protecting personal health data: A scoping review
2024, International Journal of Information Management
Personal health data breaches pose significant challenges to healthcare providers and clients. This study systematically analyzes 5470 records and reviews 120 articles on this theoretically and practically important topic. It summarizes the existing literature and develops an integrative model with eleven propositions explaining the multifaceted nature of health data breaches, their facilitators, and their impacts. We report on the gaps in the current literature and discuss six promising avenues of future research, including specific suggestions for multi-level analysis, use of novel methods, contributions to information systems theory, stakeholder analysis, under-explored themes, and boundary-breaching opportunities. Beyond these findings, our study offers implications for key stakeholders in healthcare settings. This study equips practitioners and researchers with a valuable model for evidence-based data breach risk management and offers guidance for future investigations, enhancing our collective understanding of personal health data breaches within healthcare.
Perceived security of BYOD devices in medical institutions
2022, International Journal of Medical Informatics
Like other computing devices mobile devices have inherent security risks. With today’s wider use of mobile devices in medical institutions, particularly the practice of ‘bring-your-own-device’ (BYOD), the risk of medical data breaches is concerning.
To investigate security risk perception and safeguard adoption of mobile devices among medical practitioners and IT administrators. Furthermore, to comprehend the perceived costs that practitioners feel these safeguards impose on them.
We conducted both quantitative and qualitative studies investigating whether age, gender and occupation have an impact on the perceived security of patient information and the behavior intentions formed when adopting BYOD. In the quantitative component, a survey was completed by 264 healthcare practitioners from three hospitals and affiliated clinics in New York City. In the qualitative component, we interviewed 36 of 264 subjects from the first study, including twelve physicians, twelve nurses, and twelve IT administrators. All participants had direct experience with BYOD devices. The length of each interview averaged forty-five minutes to an hour.
We found that physicians have a significantly higher intent to comply with safeguards, compared to nurses. IT administrators prefer an encrypted network connection and Two Factor Authentication (2FA), or a biometric authentication method for accessing Electronic Medical records (EMR). All medical practitioners believe that the biggest threat to the security of medical information is theft or misplacement of the device. Physicians and IT administrators have a better understanding of malware and Wi-Fi threats than nurses.
This research provides valuable data regarding the healthcare practitioner’s safeguard cost, attitudes and intended behaviors regarding the risks and use of mobile devices in healthcare. By understanding a user’s perceptions, we can be better aware of how to educate healthcare practitioners, and how to develop policies that will reduce costs and achieve better productivity. We can also see how these processes may be improved by accessing patient information faster and by designing technology more effectively.
Data privacy concerns and use of telehealth in the aged care context: An integrative review and research agenda
2022, International Journal of Medical Informatics
Citation Excerpt :
This context is comprised of users, systems, services (and related tasks), and data. Seminal studies in health information systems and medical informatics have emphasized contextualization approaches for building a better understanding of system use [66–69]. For example, the use of patients’ portal and Electronic Health Records have been studied in a contextualized approach [34,70].
Effective use of telehealth offers substantial benefits to older persons and aged care providers. However, data privacy concerns challenge the effective use of telehealth and subsequent business value. Through developing a theoretical model, we explain how privacy concerns can influence the adoption ad use of telehealth in this complex context.
An integrative review of empirical investigations was conducted by linking privacy concerns, telehealth use, and aged care. We searched three major databases (PubMed, Web of Science, and Scopus) for articles published until December 2020. Articles were analyzed and presented using an integrative theoretical model that we labeled CPCPO (Context-Privacy Concerns-Practice-Outcomes).
Our review revealed that privacy concerns are a contextual concept, i.e., different contexts (users, telehealth systems, aged care services, data) produce different privacy concerns. We found that privacy concerns were more voiced in home telecare and were associated with the degree of telemonitoring and surveillance. Contextual privacy concerns were related to video recording, behavioral data (e.g., sleep patterns and eating behavior), location data, and future use of data. These concerns can influence the adoption and use of telehealth. However, privacy protection practices (e.g., informed consent) can help in reducing the concerns and improving the acceptance of telehealth for older persons.
CPCPO offers contextual explanations of telehealth privacy concerns and systems use. For improving telehealth acceptance, privacy concerns of data processing (e.g., recording, collection, storage, and secondary use) must be addressed by performing data protection practices. Based on the review results, we suggest avenues for future research.
Profiling adopters (and non-adopters) of a contact tracing mobile application: Insights from Australia
2021, International Journal of Medical Informatics
Citation Excerpt :
Whereas governments have traditionally used apps for communication purposes, digital tracing is perceived to harvest information that would not usually be perceived as the government’s business (e.g. where you go and who you meet). This can trigger a host of privacy considerations and concerns about whether the right safeguards are in place to handle the information collected appropriately [14]. Political allegiance could influence download behaviour in two ways.
Many governments are using contact tracing mobile applications (CTMAs) yet public adoption of such systems has been relatively low. The main objective of this paper is to profile adopters (and non-adopters) of Australia’s COVIDSafe CTMA.
We use latent profile analysis to examine predictors of CTMA download behaviour. Specifically, we draw on a representative Australian sample (N = 2575) to examine the interplay between age, education, income, dispositional desire for privacy and political ideology on download behaviour. We examine trust in government as a mediating mechanism between profiles and download behaviour.
Our analysis produces seven profiles. Trust in government mediates the relationship between most profiles and download behaviour. A combination of wealth and education appear to be key explanatory factors of CTMA download behaviour. Two profiles -- comprising individuals with high income and education -- had the highest rates of download behaviour. Profiles with low download percentages comprised politically left-leaning participants with average to low income and education.
Our findings clearly indicate the profiles of people who are (not) likely to download a CTMA. Practical ways to improve widespread adoption include providing structural support to the more vulnerable members of society, making clear the societal benefits of downloading CTMAs, and engaging in bipartisan promotion of such apps.
Telemedicine with special focus on allergic diseases and asthma—Status 2022: An EAACI position paper
2024, Allergy: European Journal of Allergy and Clinical Immunology
Enabled Artificial Intelligence (AI) to Develop Sehhaty Wa Daghty App of Self-Management for Saudi Patients with Hypertension: A Qualitative Study
2023, Information (Switzerland)

View all citing articles on Scopus

View full text

Towards a contextual theory of Mobile Health Data Protection (MHDP): A realist perspective

Highlights

Abstract

Background

Method

Results

Conclusion

Introduction

Section snippets

Methods

Results

Discussion

Conclusion

Authors' contributions

Declaration of Competing Interest

Eval. Program Plann.

Int. J. Surg.

Int. J. Med. Inform.

Digital transformation and disruption of the health care sector: internet-based observational study

J. Med. Internet Res.

Research commentary—The digital transformation of healthcare: current status and the road ahead

Inf. Syst. Res.

Capitalizing on health information technology to enable digital advantage in US hospitals

MIS Q.

Advantages of mobile health in the management of adult patients with congenital heart disease

Int. J. Med. Inform.

Growth, and reality of mobile health — Another data-free zone

N. Engl. J. Med.

Mobile health (mHealth) channel preference: an integrated perspective of approach-avoidance beliefs and regulatory focus

J. Assoc. Inf. Syst.

m-Health adoption by healthcare professionals: a systematic review

J. Am. Med. Inform. Assoc.

Mobile devices and health

N. Engl. J. Med.

Proactive versus reactive security investments in the healthcare sector

MIS Q.

mHealth: New Horizons for Health Through Mobile Technologies

WHO Guideline: Recommendations on Digital Interventions for Health System Strengthening

Availability and quality of mobile health app privacy policies

J. Am. Med. Inform. Assoc.

Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis

BMJ

Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment

BMC Med.

Early psychosis service user views on digital technology: qualitative analysis

JMIR Ment. Health

Use of text messaging in general practice: a mixed methods investigation on GPs’ and patients’ views

Br. J. Gen. Pract.

How secure is mental health providers’ electronic patient communication? An empirical investigation

Prof. Psychol. Res. Pract.

The Science of Evaluation: a Realist Manifesto

What’s in a mechanism? Development of a key concept in realist evaluation

Implement. Sci.

A framework for guiding and evaluating literature reviews

Commun. Assoc. Inf. Syst.

The essential impact of context on organizational behavior

Acad. Manage. Rev.

A realist review of shared medical appointments: how, for whom, and under what circumstances do they work?

BMC Health Serv. Res.

Research Synthesis and Meta-Analysis: a Step-by-Step Approach

Rigor in information systems positivist case research: current practices, trends, and recommendations

MIS Q.

Internet-based medical education: a realist review of what works, for whom and in what circumstances

BMC Med. Educ.