SoK: Analyzing Privacy and Security of Healthcare Data from the User Perspective

Twenty articles were randomly selected to generate overarching themes, after which three researchers evaluated the remainder of the articles. All the researchers agreed upon the themes which included: “User Studies,” “Technical Solutions,” “Frameworks,” “SOKs and Overviews,” and “Security Reviews.” Any article that included any form of user study, even if that was not the article’s primary theme, was marked in the user study category. This was specified given the user-focused aspect of the article. After conducting the first set of analyses, we performed a more detailed set of thematic analyses to categorize the user studies; following this step, we conducted a card-sorting exercise on the most relevant user studies.

After the two phases of thematic analysis, we conducted a detailed user study analysis on 129 user studies. After a thorough analysis of the complete text, 49 articles were excluded from this set for various reasons, including needing more focus on the privacy and security of healthcare patients’ data throughout the methodology, results, and discussion. For the remaining \(N=80\) articles, we extracted the quantitative and qualitative findings to assess what technical perspectives of the healthcare-focused research were conducted by the prior studies as well as the type of participant these studies were interested in such as medical professionals, patients, technical experts, or general public. Nine publications were selected at random for the purpose of conducting inter-rater reliability. Each article was categorized across five distinct categories. A team of three researchers meticulously evaluated these articles to ensure a comprehensive classification. Given that the inter-rater reliability rates exceeded 0.81 for all categories, as indicated in Table 2, the remaining publications were allocated to two out of the three researchers for coding purposes ensuing the same categorization.

Of these 80 articles, we consolidated a set of 26 articles centered around healthcare data privacy and security from all aspects, including the objective itself, the methods, the results, and the discussion. Furthermore, we conducted a card sorting exercise involving all authors on these 26 articles. This allowed us to understand these articles better and find connections and similarities between these articles. The first author started by identifying the 26 articles and generating the themes; afterward, two groups of two authors each organized the articles into the existing themes. The themes were not mutually exclusive, and groups were able to add themes when deemed necessary. For each of the articles in our corpus, we combine the card sorting results from all the authors.

Nearly half of the collection, 712 (45.85%) out of \(N=1,553\) articles, focused on proposing a technology-based solution for the privacy and security issues of the healthcare sector. The authors have proposed several technological solutions to enhance the privacy and security of the data transferred and accessed in the healthcare sector; for instance, Gupta and Metha discussed the importance of transmitting medical data over an unsecured network and proposed a chaos-based encryption scheme to secure medical images. In their algorithm, they use a combined key sequence of logistic map and Duffing map by shuffling the adjacent pixels of the medical data where the encryption and decryption keys are combined using the XOR function to obtain a single key sequence. Their proposed scheme was proven functional against access-control-based attacks [32]. Another critical focus on the technological solutions found in our collected sample was on the blockchain. For instance, Brunese et al. proposed a blockchain-based technology aimed at protecting information exchanges in hospital networks, with particular regard to magnetic resonance images by implementing formal equivalence checking to validate the network of the transiting data [33]. On a different note, Tian et al. looked into clinical prognosis prediction models based on EHR data. They developed a web service based on multi-center clinical data called POPCORN. The PrognOsis Prediction based on multi-center clinical data CollabORatioN (POPCORN) focused on the standardization of clinical data expression, the preservation of patient privacy during model training using a multivariable meta-analysis, and a Bayesian framework [34].

Of the 1,553 articles collected, 390 (25.11%) articles studied or introduced new healthcare data management frameworks. We considered an article under the theme of healthcare frameworks if the main subject of its study is a security, privacy, or design framework, or if it introduced or analyzed a legal or ethical framework. These articles mainly describe methods to design a secure and private technology for healthcare data usage. One such article, “A Security Framework for Mobile Health Applications,” introduced a security framework for mobile healthcare applications, taking usability and security into consideration [35]. Ibrahim et al. introduced a framework for securely sharing EHRs over the cloud between different healthcare professionals. This framework ensures the confidentiality, integrity, authenticity, availability, and auditability of EHRs [36]. Similarly, Zalloum and Alamlah proposed a privacy-preserving framework for medical data sharing in their article; they also designed a digital information system that restricts access to medical information unless the patient approves the access [37]. Jia et al. followed a different approach with their privacy-preserving medication adherence framework. In their proposed framework patients are given control over how their information is transmitted and shared [38].

Of the 1,553 articles analyzed, 228 (14.68%) were systematic literature reviews or overviews. These studies gave an overview of the current standards and practices followed in the healthcare sectors or consolidated the prior work on this sector while mentioning the importance of the focus on healthcare privacy and security. However, these studies should have focused on or explored the user perspective. For example, Walker et al. implemented a mixed-method systematic review by analyzing about 300,000 articles and found evidence of high heterogeneity across crude data indicating that the effectiveness of security measures varies significantly in healthcare but concluded without a solution for insider attack [39]. Similarly, Paksuniemi et al. give an overview of the wireless technologies devices and reveal the importance of implementing security measures in these technologies to enable secure patient monitoring [40]. Moreover, Wang provides an overview of the security threats imposed by smart devices which monitor patients through internet-connected technologies. Wang details two primary security-related issues for internet-based telemedicine systems that need to be addressed: (1) medical data protection needs; and (2) system design issues [41].

We classified 143 articles as a security evaluation or data breach theme if they provided an insight or assessment of the security state of the healthcare sector and the technologies used in this area. Articles were also included in this theme if they provided the state, history, or technical details on security violations in the healthcare sector. For example, one such article documents cyber security threats and methodologies in the healthcare domain, pointing out how to analyze and manage them [42]. Furthermore, Spanakis et al. introduce a multi-layer attack model providing a new attack and threat identification and analysis method. In a similar vein, Lopatina et al. analyze possible risks associated with the IoMT devices and systems and evaluate the threat impact and the cyber threat consequences on patients and the medical organizations using them as a whole [43]. Furthermore, Romanovs et al. analyze the cybersecurity healthcare situation in the world and examine the principal integration problems in telemedicine that prevent healthcare professionals from affording remote medical help safely and efficiently [44].

Of the 80 user studies in our corpus, 65% (52) were quantitative studies. From the quantitative perspective, one was a cross-sectional survey [45], another was a cross-sectional survey with repeated measures [46], and one used Q-methodology [47]. Furthermore, one study was a quantitative descriptive study [48], and one was a simulation-based study for a quantitative sample [49]. The remaining 48 articles were various forms of surveys, including online surveys, phone surveys, postal surveys, or field surveys [50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96]. On the other hand, 21.15% (11) were mixed-methods including seven articles that used multi-stage studies [97, 98, 99, 100, 101]. Furthermore, [102, 103, 104, 105, 106] used structured surveys with both open-ended and closed-ended questions. The responses were then quantitatively and qualitatively analyzed, and finally [8] did a user study on a web-based electronic healthcare records system launched by the Veterans Administration called MyHealthVet. Of other studies, one was a field study [107], one was a comparative analysis [108], six were qualitative focus group-based studies [109, 110, 111, 112, 113, 114], and nine were interview-based studies [115, 116, 117, 118, 119, 120, 121, 122, 123].

Among the 80 user studies, only two assessed a proposed technological intervention. For example, Abd-alrazaq and colleagues measured the efficiency and convenience of a mobile app for managing diabetes evaluation [120]. In this work, participants noted that one advantage of it was compliance with hospital regulations for patient data security. On the other hand, Haggstrom et al. assessed the usability of the MyHealtheVet program, where participants expressed concerns about the privacy of reviewing medical data at home [8].

One qualitative study conducted a comparison analysis on smart contract blockchains for healthcare applications [108]. Yu et al. recruited three students with no former experience in blockchain technologies to construct and test three pre-selected blockchain platforms and examined the practical aspects of the experiments. Through their study, Yu et al. established that the choice of an appropriate platform is contingent upon the specific needs of the application.

For the majority of the quantitative studies, the time taken for the completion of the study primarily occurred in a single session (Table 3) [45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 61, 62, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 92, 93, 94, 95, 96, 106], with the exception of three articles, where multiple surveys were deployed. In the first one, a survey of public perception of mobile phones’ effect on healthcare was repeated in 2013 and 2014 [91]. The findings of this study revealed a growing inclination among participants to believe that such utilization of mHealth will lead to improvements in the overall quality of healthcare. While there was no observed year-over-year growth in participants’ privacy and security worries, it is evident that participants still have significant apprehensions in this regard. The second article also conducted two surveys with a one-year gap, the first of which consisted of a baseline survey in 2012 before an educational outreach intervention and a follow-up survey in 2013 to evaluate communication between healthcare professionals [60]. This study found that the implementation of physician champion educational outreach initiatives resulted in a notable rise in the utilization of secure provider-to-provider EHR system messaging services. Finally, the last study implemented a survey on two separate occasions, initially in December 2013 and subsequently in September 2015 [63]. This was done following a modification in the EHRs system utilized by the hospital where the study was conducted. The objective of the study was to assess the level of influence exerted by the three primary categories of clinical staff (physicians, paraprofessionals, and administrative personnel) on the intention to adopt an EHRs system, as well as its underlying factors. All of the hypotheses pertaining to the personnel are validated in this study. Specifically, anxiety, self-efficacy, and trust are found to have an influence on ease of use. Additionally, ease of use, misfit, self-efficacy, and data security are found to impact the intentions to use the EHR. However, the perception of ease of use of EHR among staff and assistants does not have a significant impact on their intentions to use EHRs. Such longitudinal studies are critical to understanding how user perspectives about security and privacy can change (or do not change) over time.

As for qualitative studies, all but one of the studies were conducted in a single session. The sole exception was an evaluation of a diabetes management app for 6 to 12 weeks where participants’ interactions with the app were tracked and recorded [120]. After this phase of the study, participants were then asked to take an interview to discuss their individual experiences with the app.

Similarly, the mixed methods studies consisted of few single-session studies [8, 102, 103, 104, 105] and few comprehensive studies. One such extended study was particularly elaborate and included a postal survey to understand participants’ perceptions towards the electronic transfer of medical prescriptions [66]. This study revealed that the electronic transmission of prescription-related data is expected to be well-received by all participants. However, authors note that it is crucial to address apprehensions regarding patient confidentiality. In addition, participants accessed their EHRs for the first time and answered questions about their experience using the system. Finally, focus groups were conducted to assess participants’ attitudes towards various aspects of the EHR system [98]. Pyper et al. found that most participants were satisfied with the computer technology employed, furthermore, the majority of participants expressed that they found the act of reviewing their medical records to be beneficial and were able to comprehend the majority of the information included within, however, participants expressed apprehension on the aspects of security and confidentiality, particularly with regards to the possible exploitation of their records. Similarly, another comprehensive study used focus groups, a survey, case study cards, and co-creation workshops to measure the participants’ attitudes toward data sharing and develop standards for acceptable data sharing [97]. The participants of the focus group expressed their endorsement for the sharing of health and care data specifically to facilitate direct care, however, they were also apprehensive about the reliability and accuracy of their records, as well as potential social disapproval linked to certain diagnoses, particularly those related to mental health. Furthermore, participants expressed concerns regarding the identification of individuals, the constraints imposed by security measures, and the possibility of care allocation being influenced by information contained in their records, including their lifestyle preferences [97]. In addition, one study used surveys and semi-structured interviews to evaluate patients’ concerns about data sharing in the context of HIV patients [101]. Maiorana et al. argue that both patients and healthcare professionals demonstrate a willingness to embrace the electronic exchange of HIV patient data as a means to enhance the quality of care for a disease that has been associated with social stigma. Authors also note that the acceptability of data sharing and confidentiality is contingent upon the level of work invested in comprehending and resolving possible problems, as well as the establishment of confidence among stakeholders regarding the characteristics of the systems and their intended use [101]. This was similar to work that aimed at assessing participants’ attitudes on privacy and security of medical technologies through focus groups and a standardized questionnaire survey [99]. The results of this analysis indicated that the incorporation of medical assistive technology in home environments is contingent upon the consideration of both security and privacy factors. Particularly, the examination of data about gender, health state, and age unveiled that females and individuals in good health exhibit a greater need for stringent security and privacy measures, in comparison to men and older individuals who are experiencing health issues [99]. Finally, one article used a triangular study including observations, focus groups, and exit interviews of a gradual EHR implementation [100]. Shield et al. found that the prioritization of patient trust in physicians and the establishment of secure physician-patient interactions seem to outweigh the majority of patients’ apprehensions regarding information technology [100].

As shown in Table 3, many of the 80 articles did not report population distribution of the participants (44.44%, 8) [8, 45, 46, 47, 51, 53, 54, 55, 56, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 70, 71, 72, 73, 74, 75, 76, 77, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 92, 93, 94, 95, 99, 100, 101, 104, 105, 106, 108, 109, 110, 111, 112, 114, 115, 116, 118, 119, 122]. Most of the remainder studies were conducted in urban settings (37.5%, 6) [48, 49, 57, 78, 98, 117, 120], furthermore five studies were conducted in a rural setting [102, 103, 107, 121, 123], and six studies reported mixed populations [50, 52, 91, 96, 97, 113]. No articles reported on an exclusively suburban population setting.

Of the 80 user-focused articles, 20 focused exclusively on healthcare professionals, including medical doctors, nurses, and pharmacists [50, 54, 55, 60, 61, 63, 64, 72, 74, 75, 79, 84, 87, 88, 92, 94, 102, 103, 107, 119]. Furthermore, 13 articles studied patients and patient communities [8, 57, 58, 67, 76, 86, 89, 90, 98, 106, 110, 117, 123]. Additionally, six articles comprised of both healthcare professionals and patients [66, 100, 101, 111, 113, 120]. Similarly, six articles analyzed the perspectives of general hospital employees [69, 70, 73, 83, 118, 121] and only one article combined these participants with patients [93].

Seven articles studied non-medical experts such as IRB directors and information technology experts [53, 62, 81, 96, 104, 115, 122]; moreover, three articles studied both medical and non-medical experts [47, 77, 116]. On the other hand, only four articles recruited students for their studies [49, 78, 95, 108].

In addition to these studies, 15 articles studied the general public. However, in some articles, there were some conditions for the participants, such as a user of a specific technology or speaking a particular language [51, 52, 65, 71, 82, 97, 97, 99, 99, 105, 105, 109, 114, 114, 124]. In contrast, seven other articles did not determine the types of participants they recruited for their studies [46, 48, 56, 59, 91, 109, 112]. For these articles, we assumed that the participants were pooled from the general public.

Out of the 80 studies, most studies were conducted in the US [8, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 100, 101, 103, 104, 110, 111, 114, 116, 118, 119, 122, 123]. The second most prominent region as Europe, where 21 studies took place [45, 46, 62, 63, 64, 65, 66, 67, 68, 69, 70, 95, 96, 97, 98, 99, 109, 112, 113, 115, 117]. Moreover, eight studies were conducted in the Middle East including Iran, Jordan, Israel, Qatar, Turkey, and Lebanon [48, 53, 54, 55, 56, 57, 105, 120], and eleven other studies were organized in other Asian countries such as India, Taiwan, China, Pakistan, South Korea, Indonesia, and Malaysia [47, 49, 59, 71, 72, 73, 74, 75, 76, 77, 78]. Furthermore, four were conducted in the Oceania region, three of which [50, 51, 102] were in New Zealand and only one [52] in Australia. Only two studies were conducted in Africa, both in Nigeria [93, 107]. Similarly, only one study was conducted in South America; specifically, El Salvador [92], and two studies were transcontinental: the first one included Peru, South Africa, Thailand, and the US [106] and the second one included countries such as the US, France, and England [94]. Five studies did not specify the region where they conducted their studies [58, 60, 61, 108, 121].

The most participants reported in qualitative studies is 87 participants [110], whereas the average number of participants in these studies is 31.83. However, we noticed that studies that employed focus groups had more participants on average (55.67) than interview-based studies. The least number of participants for qualitative studies was three [108]. As for mixed-method studies, the average number of participants is 259, whereas the maximum number of participants in one study is 1,031 and the minimum number of participants is 16. Furthermore, only one quantitative study did not report the number of participants. As such, the average number of participants for the rest of the quantitative studies is 1,215.46, and the maximum number of participants in a single study is 17,000. In contrast, the minimum number of participants is six.

Through our corpus, a discerning analysis reveals a nuanced landscape of HIPAA integration within the study design of user studies. Only five scholarly articles [72, 79, 81, 116, 118] adeptly integrated HIPAA issues into their study methodology, thoroughly exploring the perceptions, and understanding of HIPAA and discerning patterns of compliance with HIPAA regulations. These research publications are notable for their thorough investigations into the convergence of healthcare data privacy and security from the perspective of users, adeptly negotiating the complexities of HIPAA rules. One such study [81] investigates the practices of information security and analyzes the patterns of behaviors that are linked to enhanced regulatory compliance. The research conducted in this study identified three distinct groups, which have been labeled as leaders, followers, and laggers. These clusters have been determined based on the observed variance in security practice patterns. According to the authors, the clusters exhibit notable distinctions in non-technical practices as opposed to technical ones. Hospitals that used a balanced approach, encompassing both technical and non-technical practices, had the best degree of compliance. In contrast, a significant majority of the remaining studies opted for a cautious approach when discussing regulatory frameworks, with seven articles [55, 56, 58, 84, 101, 104, 122] briefly addressing HIPAA and only two [112, 115] mentioning the General Data Protection Regulation (GDPR). The references encompassed a spectrum of topics, including a brief acknowledgment of the regulatory framework’s role in regulating healthcare data management, or a concise assessment of the subjects’ adherence or lack thereof to the specified regulations.

For the 26 articles most relevant to our subject matter, we conducted a card sorting exercise to reveal the specific human factor aspects studied thus far. Through this exercise, we identified a total of 12 labels about the human factors of information security in healthcare, namely: “Risk Perception,” “Data Sharing,” “EHR Interactions,” “Risk Awareness,” “Technology Adoption,” “Regulatory Compliance,” “Individual Differences,” “Secure Communications,” “Mobile Applications,” “Social Influence,” “Privacy,” and “Contact Tracing.” In the following sections, we have provided details of both the significant labels identified in this work and the user studies classified under each label. More details on these articles are available in Table 5 as well as Appendix A.

Risk perception: According to Zou et al. [125], risk perception is “a person’s subjective assessment of the probability that a specific event happens and how concerned they feel about its consequences”. However, it is challenging to circumscribe the perception of risk as risks do not have the same meaning for everyone. That is why user studies focusing on risk perception are critical, especially for the subject of healthcare data. Articles were categorized in the risk perception label when part of the study or its entirety explored participants’ attitudes, impressions, and opinions on risks related to healthcare data. Risk perception was the most frequent label in our corpus where \(61.54\%\) of the articles were labeled within this category [46, 58, 62, 74, 80, 81, 83, 90, 91, 99, 106, 109, 111, 112, 114, 117]. The results of these articles show that participants have different perceptions of risk. Shnall et al. [111] claim that several participants perceived the mobile application being tested as risky and were apprehensive about data storage, leaks, and tracking. However, the participants also declared that these risks are inevitable.

On the other hand, \(85\%\) of participants in Giguere et al.’s study did not express any concerns about data privacy [106]. This study analyzed users’ perception of the risk of using SMS for communication that consisted of several tiers of privacy-preserving safeguards, which may have caused the participants to express lower concern about data privacy. However, it was worrying to learn that few participants in the study declared passwords were obsolete, suggesting an underestimation of risk while interacting with a system misconceived to be privacy-preserving. These studies suggest that future work should further test how risk and privacy communication impact users’ perception of healthcare systems.

Data sharing: Articles were classified within this label if they explored the subject of healthcare data use and sharing either with healthcare professionals for the purposes of examining patients and diagnosis or with the research community through healthcare information commons. The 14 articles [54, 62, 64, 68, 73, 90, 91, 97, 99, 106, 109, 114, 115, 121] generally aimed at understanding the perspective of participants on responsible data sharing practices that would be acceptable to the patients but also beneficial to the research communities. Similar results were found in these articles, which indicate that patients support data sharing as long as it allows for the greater good—it benefits the public, or in case the data is shared with a healthcare professional for personal health purposes. Nonetheless, people still have reservations about the privacy and confidentiality of sensitive data, data breaches, and bias.

EHR: Electronic healthcare records systems collect essential and private data about patients’ medical history and the subsequent care they have received; as such, they store an extensive history of clinical information for each patient; not only that, they also contain personal information, such as demographics, billing data, and insurance information. As such, examining the users’ perspective and understanding of such tools is very important to improve the security of EHR. In this regard, we found eight articles [58, 80, 81, 91, 97, 104, 115, 121] in our corpus pertaining to user interactions with EHR. These articles confirm through their results that the patients and the general public have concerns over privacy and security, and are prudent about using EHR technologies. Furthermore, it was determined that providers’ reassurance and encouragement positively impact patients’ continuous and systematic usage of patient portal software in general and lowers their security concerns [58].

Risk Awareness: Despite the abundant potentialities for cyber risk in the healthcare sector [126, 127, 128], there is a startling level of naiveté among some healthcare professionals. The results from the eight articles [54, 72, 74, 79, 83, 104, 112, 121] in our corpus relevant to risk awareness, show that the knowledge levels of healthcare professionals regarding patient privacy, confidentiality, and data sharing practices are average [54] or lower [72]. It is reasonable to posit that such low security and privacy awareness among healthcare users could lead to insecure behaviors such as password sharing, improper data handling, and in some cases, a complete absence of password use [121]. Finally, it was also observed that disregarding the risks and ignoring consequences can impede security [121].

Technology Adoption: Technology generally accounts for a substantial impact on human life, and these technologies have a central place in today’s world. Some people adapted quickly, while others resisted these changes brought upon them through technological advancements. Adoption, however, is essential in the context of digital transformation to guarantee its success. Similarly, technology adoption in the healthcare domain is crucial to its development. In this regard, eight articles [46, 58, 62, 68, 79, 81, 99, 115] in our corpus examined factors and inspected participants’ requirements that would improve user acceptance and adoption of some healthcare technologies. These articles report similar results. The results reveal that the security and privacy aspects bolster the acceptance and adoption of healthcare technologies.

Regulatory Compliance: Of the 26 articles in our corpus, seven [64, 72, 73, 79, 104, 112] studied the ethical and legal aspects of healthcare data management. These articles mainly assess the HIPAA compliance of participants, as well as the cybersecurity conditions and behavior of healthcare practitioners and organizations. Notably [64, 72, 112] all show that healthcare professionals’ understanding and security awareness levels are lacking and, in all cases, were average or less than average. Furthermore, all of the studies in this label determined that there needs to be more policies and reinforcement of specific behaviors that can impede security.

Individual Differences: An article was labeled as individual differences if an analysis is done to compare results from different types of individuals or participants in general. This comparison can be based on experience level, hospital size, marriage status, country of origin, health status, or even gender. As such, we found seven articles [54, 62, 73, 81, 83, 90, 99] from our corpus that did this type of analysis. In particular, Wilkowska and Ziefle show that females and healthy adults expect and demand the highest security and privacy standards compared to males and the ailing elderly [99]. In a different study, Shrivastava et al. investigated the extent to which security policies impact health information interoperability at different levels within the same hospitals [62]. The outcomes showed that hospitals with regional and organizational level privacy regulations have 85% and 76% higher likelihood of undergoing semantic and organizational level problems, respectively. Furthermore, hospitals with one electronic medical record (EMR) used throughout the hospital are \(53\%\) and \(43\%\) less prone to technical and semantic problems, respectively, compared to hospitals with more than one EMR system.

Secure Communications: In the case of healthcare, secure communications are not just a matter of security and privacy, but they can also be a medical concern. According to the Joint Commission Center for Transforming Healthcare, “it has been estimated that 80 percent of serious medical errors involve miscommunication during the hand-off between medical providers. Most avoidable adverse events are due to the lack of effective communication.” As such, it is critical to understand the need for secure communications specific to the healthcare sector, both from the patient’s perspective and the healthcare professionals. Subsequently, we categorized five articles [64, 68, 106, 112, 117] from our corpus of 26 within this label. Most of these articles have similar results that show that patients still do not fully trust the existing communications technologies, except for Elger’s study [64] where \(85\%\) of the participants had no privacy concerns regarding using a secure SMS system for private medical communications.

Mobile Applications: As of July 2022, there were over 54,000 healthcare mobile applications in the Google Play Store alone. These applications range from medical communication apps to applications that analyze medical data to give advice. As such, these apps have become more and more valuable in the monitoring and even delivery of healthcare [129]. However, only three articles [91, 106, 111] from our corpus were related to mobile applications. These articles evaluate users’ perceptions of mobile health applications regarding privacy, security, and quality of care and analyze the factors contributing to patients’ intentions of using mobile healthcare applications. The results of these articles were somewhat different, where Schnall et al. [111] found that the majority of their participants expressed concerns over privacy and trust of their sensitive healthcare data and the people who would have access to their healthcare data. On the other hand, both Giguere et al. [106] and Richardson and Ancker’s [91] studies found that the majority of participants are unconcerned about privacy and confidentiality when using a mobile healthcare application.

Social Influence: Social influence is a type of pressure exerted by an individual or a group on a person to attempt to impose dominant norms. This influence causes the behaviors, attitudes, beliefs, opinions, or feelings of an individual or group to change as a result of contact with another individual or group. In this vein, three articles [54, 58, 114] in our corpus were categorized as social influence. These articles proved that participants were influenceable. Namely, Moqbel et al. [58] demonstrated that health professionals’ reassurance and encouragement positively impact patients’ continuous and systematic usage of patient portal software; not only that but participants were also influenced to lower their security concerns through the same encouragement. A different angle to this category was participants’ concerns about the repercussions of social influence on the security of healthcare data [114].

Privacy: There is an abundance of data circulating online, a considerable share of which can be considered private. This data has been at the center of attention, especially from big data analytics companies. This has helped increase the need for and recognition of privacy, including healthcare privacy. Most of the articles in our corpus touch upon privacy, but three of these articles [64, 73, 117] were directed exclusively towards the privacy of healthcare data. Accordingly, in their study Elger [64] assesses the knowledge and perceptions of physicians on healthcare data violations of privacy and confidentiality; through this study, the author found that barely 11% of the participants recognized all the confidentiality violations in the test cases they were presented with. On a different note, Tjora et al. examined and analyzed the usability and experiences of patients using a secure patient-physician communication system compared to their privacy expectations and perceptions of this systems [117]. The results show that although participants were not too concerned about privacy, they still avoided using the system for “intimate details.”

Contact Tracing: Out of the 26 articles in our corpus, only two [46, 58] were categorized as contact tracing. Contact tracing is identifying and evaluating people who have been in contact with an infectious disease to prevent it from being transmitted further. Contact tracing is critical in the fight against epidemics since it helps limit the number of infections. However, with the emergence of digital contact tracing applications, users have expressed privacy and security concerns [130]. These concerns stem from apprehension of data breaches or having their data collected by government entities [131]. However, this did not deter participants from approving COVID-19 contact tracing apps and recognizing the importance of these applications in the right circumstances. Kozyreva et al. [46] showed that the acceptability of privacy-encroaching measures across the four waves of COVID-19 in Germany was correlated with the participants’ risk perceptions of the pandemic.