Extending Adoption of Innovation Theory with Consumer Influence: The Case of Personal Health Records (PHRs) and Patient Portals

January 2012

abstract: A long tradition of adoption of innovations research in the information systems context suggests that innovative information systems are typically adopted by the largest companies, with the most slack resources and the most management support within competitive markets. Additionally, five behavioral characteristics (relative advantage, compatibility, observability, trialability, and complexity) are typically associated with demand-side adoption. Recent market trends suggest, though, that additional influences and contingencies may also be having a significant impact on adoption of innovative information systems--on both the supply and demand-sides. The primary objective of this dissertation is to extend our theoretical knowledge into a context where consumer influence is a key consideration. Specifically, this dissertation focuses on the Personal Health Record (PHR) and patient portal market due to its unique position as a mediator between supply (ambulatory care clinic) and demand-side (patient and health consumer) interests. Four studies are presented in this dissertation and include: 1) an econometric examination of the contingencies associated with supply-side (ambulatory care clinic) adoption of patient portals, 2) a behavioral assessment of patient PHR adoption intentions, 3) an integrated latent variable and discrete choice evaluation of consumer business model preferences for digital services (PHRs), and 4) an experimental evaluation of how digital service (patient portal) feature preferences are impacted by assimilation and contrast effects. The primary contribution of this dissertation is that adoption (and adoption intentions) of consumer information systems are significantly impacted by: 1) supply-side adoption contingencies (even when controlling for dominant-paradigm adoption of innovation characteristics), and 2) demand-side consumer preferences for business models and features in the context of assimilation-contrast (even when controlling for individual differences). Overall, this dissertation contributes a new understanding of how contingent factors, consumer perceived value, and assimilation/contrast of features are impacting adoption of consumer information systems / Dissertation/Thesis / Ph.D. Information Management 2012

Information technology

Adoption of Innovations

Patient Portals

Personal Health Records (PHRs)

Achieving secure and efficient access control of personal health records in a storage cloud

Binbusayyis, Adel

January 2017

A personal health record (PHR) contains health data about a patient, which is maintained by the patient. Patients may share their PHR data with a wide range of users such as healthcare providers and researchers through the use of a third party such as a cloud service provider. To protect the confidentiality of the data and to facilitate access by authorized users, patients use Attribute-Based Encryption (ABE) to encrypt the data before uploading it onto the cloud servers. With ABE, an access policy is defined based on users' attributes such as a doctor in a particular hospital, or a researcher in a particular university, and the encrypted data can only be decrypted if and only if a user's attributes comply with the access policy attached to a data object. Our critical analysis of the related work in the literature shows that existing ABE based access control frameworks used for sharing PHRs in a storage cloud can be enhanced in terms of scalability and security. With regard to scalability, most existing ABE based access control frameworks rely on the use of a single attribute authority to manage all users, making the attribute authority into a potential bottleneck regarding performance and security. With regard to security, the existing ABE based access control frameworks assume that all users have the same level of trust (i.e. they are equally trustworthy) and all PHR data files have the same sensitivity level, which means that the same protection level is provided. However, in our analysis of the problem context, we have observed that this assumption may not always be valid. Some data, such as patients' personal details and certain diseases, is more sensitive than other data, such as anonymised data. Access to more sensitive data should be governed by more stringent access control measures. This thesis presents our work in rectifying the two limitations highlighted above. In doing so, we have made two novel contributions. The first is the design and evaluation of a Hierarchical Attribute-Based Encryption (HABE) framework for sharing PHRs in a storage cloud. The HABE framework can spread the key management overheads imposed on a single attribute authority tasked with the management of all the users into multiple attribute authorities. This is achieved by (1) classifying users into different groups (called domains) such as healthcare, education, etc., (2) making use of multiple attribute authorities in each domain, (3) structuring the multiple attribute authorities in each domain in a hierarchical manner, and (4) allowing each attribute authority to be responsible for managing particular users in a specific domain, e.g. a hospital or a university. The HABE framework has been analyzed and evaluated in term of security and performance. The security analysis demonstrates that the HABE framework is resistant to a host of security attacks including user collusions. The performance has been analyzed in terms of computational and communication overheads and the results show that the HABE framework is more efficient and scalable than the most relevant comparable work. The second novel contribution is the design and evaluation of a Trust-Aware HABE (Trust+HABE) framework, which is an extension of the HABE framework. This framework is also intended for sharing PHRs in a storage cloud. The Trust+HABE framework is designed to enhance security in terms of protecting access to sensitive PHR data while keeping the overhead costs as low as possible. The idea used here is that we classify PHR data into different groups, each with a distinctive sensitivity level. A user requesting data from a particular group (with a given sensitivity level) must demonstrate that his/her trust level is not lower than the data sensitivity level (i.e. trust value vs data sensitivity verification). A user's trust level is derived based on a number of trust-affecting factors, such as his/her behaviour history and the authentication token type used to identify him/herself etc. For accessing data at the highest sensitivity level, users are required to get special permissions from the data owners (i.e. the patients who own the data), in addition to trust value vs data sensitivity verification. In this way, the framework not only adapts its protection level (in imposing access control) in response to the data sensitivity levels, but also provides patients with more fine-grained access control to their PHR data. The Trust+HABE framework is also analysed and evaluated in term of security and performance. The performance results from the Trust+HABE framework are compared against the HABE framework. The comparison shows that the additional computational, communication, and access delay costs introduced as the result of using the trust-aware approach to access control in this context are not significant compared with computational, communication, and access delay costs of the HABE framework.

004