ACPHIS Medal 2023 Winner - Dr Javad Pool
Dr Javad Pool was awarded the 2023 ACPHIS Medal after completing his PhD thesis titled "Data Protection and Effective Use of Health Information Systems: A Cybersecurity Perspective" at the University of Queensland, Australia (UQ).
​
[ORCID: 0002-8499-9282]
​
Supervisory team:
- Dr Saeed Akhlaghpour (UQ)
- Dr Farhad Fatehi (UQ)
- Prof Andrew Burton-Jones (UQ)
​
Link to thesis:
About the award-winning thesis
Digitalization of healthcare presents opportunities for improving the quality of healthcare services and promises economic benefits. However, the success and benefits of digital health cannot be actualized without considering health data protection practices and effective use in the process of healthcare service delivery. Despite the criticality of protecting health data in the system use lifecycle, there is a paucity of research investigating this complex phenomenon from data protection successes and failures perspectives. This incomplete view limits the understanding of academics and practitioners on how health information systems can be effectively used and contribute to organizational goals. In this thesis, I aim to address this problem through seven studies in different technological and organizational contexts including healthcare services, digital health, electronic health records, mobile health, and telehealth.
​
Study #1 systematically analyzes and integrates published studies on personal health data breaches. I identified 2,145 relevant articles and included 70 articles for thematic analysis and subsequent development of an integrative hybrid model. The model identifies and explains the triggers, facilitators, and impacts of personal health data breaches. I report on the gaps in the current literature and discuss directions for future research. The findings of this review, as a problem identification study, informed the subsequent six studies.
​
Study #2 aims to enhance our understanding of the contexts and mechanisms that affect the likelihood of failures and successes in mobile health data protection, and their subsequent impacts. To build a theoretical model, I applied a realist approach based on context-mechanism-outcome configurations. Findings indicate that the failures and successes in data protection and their impacts (effective mobile health (mHealth) interventions, data protection awareness, and adoption/use of mHealth systems) depend contingently upon several contextual factors and mechanisms (unauthorized access, device theft, loss, and sharing, lack of cyber-hygiene, and data protection concerns for failures; and trust-building activity, secure and law-compliant platforms, and perceived data protection for successes).
​
Study #3 explains how privacy concerns can influence the adoption and use of telehealth in the complex context of aged care. Findings reveal that the concept of privacy concerns is contextual, i.e., different contexts (users, telehealth systems, aged care services, data) produce different privacy concerns. Results highlight that privacy concerns are more voiced in home telecare and are associated with the degree of telemonitoring and surveillance. Contextual privacy concerns are related to video recording, behavioral data, location data, and future use of data. These concerns can influence the adoption and use of telehealth. However, privacy protection practices (e.g., informed consent) can help to reduce the concerns and improve the acceptance of telehealth for older persons.
​
Study #4 builds on representation theory and uses a cybernetic-based view to propose a new theory of effective use tailored to the data protection context: the theory of Personal Data Protection (PDP)-aware use. This study offers new insights into data protection and effective use, both of which are paramount for organizational success with information systems.
​
Study #5 builds on longitudinal qualitative data on a state-wide digital health transformation project to contextually theorize the practices for protecting health data. The study reveals five types of health data protection-in-practice, namely data minimization, informal encoding, accuracy, improving cyber-awareness, and appropriate access management. The results provide new insights to information systems use (especially, effective use), and highlight practices that can improve health data protection.
​
Study #6, through qualitative analyses of three datasets collected between 2015 and 2021, theorizes challenges to the effective use of information systems (IS) and data protection in Australian health services. I propose a contextualized theory of ‘health records misuse’ with two overarching dimensions: data misfit and improper data processing. The study explains sub-categories of data misfit (availability misfit, meaning misfit, and place misfit) as well as sub-categories of improper data processing (improper interaction, and improper data recording and use). Findings demonstrate how health records misuse arises in socio-technical systems, and impacts health service delivery and patient safety.
​
Study #7 uses a mixed-methods approach to identify failure factors in health data protection and provide explanations to enrich the understanding of effective data protection. The study, through a literature review and a three-round Delphi study, leads to the identification and ranking of 30 failure factors. In the second phase, a qualitative study is conducted to develop a model of failures in data protection based on the general framework of People-Process-Technology. It provides a theoretical explanation of how failure factors could lead to data breaches.
​
Overall, these studies collectively contribute to the current body of knowledge and theories in information privacy, information security, and system use through developing new theories and extending effective use theory in the context of data protection. This thesis offers theoretical and practical insights that enhance our understanding of successes and failures in data protection and help organizations in successful data protection and devising mitigation policies to minimize the risk of data breaches.