Dr.

Sulaiman Al Habib Medical Journal (2022) 4:126–135

https://doi.org/10.1007/s44229-022-00016-9

REVIEW ARTICLE

Patient Confidentiality of Electronic Health Records: A Recent Review

of the Saudi Literature
Nada Saddig Almaghrabi1,2 · Bussma Ahmed Bugis1

Received: 31 May 2022 / Accepted: 4 July 2022 / Published online: 22 July 2022
© The Author(s) 2022

Abstract
Background Health systems harbor lucrative data that can be targeted for illegal access, thus posing a serious privacy
breach. In addition, patients could lose their lives or suffer permanent and irreversible harm due to such unauthorized access
to health care data used in treatment. To ensure patient safety, the health care sector must integrate cybersecurity into its
operations. Additionally, the health care industry must collaborate to tackle cybercrime and prevent unauthorized access to
patient data. With the rapid transition from paper-based health records to electronic health records (EHRs), it is important
to study, identify, and address the challenges that confront EHRs to protect patient confidentiality.
Aim The main goal of this research was to create a clear picture of the role of EHRs in the health care system of Saudi Arabia
regarding patient confidentiality. This work focused on the privacy and confidentiality challenges encountered in adopting
EHRs in the health care system, and the advantages of using EHRs in terms of protecting patient confidentiality.
Methods This project utilized a systematic literature review approach, and the methodology involved a careful critique of
11 recent articles.
Results The confidentiality and privacy of patient data and information must be ensured, because the health care sector
in Saudi Arabia is flawed with several security risks that may corrupt the integrity of patient data. The health care system
is facing many cybercrimes whereby hackers can gain access to confidential data and patient information. Internal factors
such as inexperienced medical personnel have also necessitated EHRs in Saudi Arabia. Health care workers who lack the
appropriate skills in handling EHRs may cause breaches of patient data, which in turn may compromise the health and safety
of the patients.
Conclusion Confidentiality and privacy are critical components of a reliable EHR system. EHR confidentiality has a signifi-
cant impact on maintaining patient safety and security, thus enhancing patient care in Saudi Arabia. Additionally, challenges
such as hackers and data breaches have slowed the adoption process among health care companies in Saudi Arabia.

Public Interest Summary

Health systems harbor data that can be targeted by cyber attackers, allowing hackers to gain access to confidential data and
information about patients. Patients may lose their lives or suffer permanent and irreversible harm as a result of unauthorized
access to health care data used in treatment. To ensure patient safety, the health care sector must integrate cybersecurity into
its operations. Additionally, the health care industry must collaborate to tackle cybercrime and prevent unauthorized access to
patient data. With the rapid transition from paper health records to electronic health records, it is important to identify, study,

* Bussma Ahmed Bugis

bussma31311@yahoo.com
Nada Saddig Almaghrabi
nadasalmaghrabi@gmail.com
1
Department of Public Health, College of Health Sciences,
Saudi Electronic University, Riyadh, Saudi Arabia
2
Pathology and Clinical Laboratory Medicine Administration,
King Fahad Medical City, Riyadh, Saudi Arabia

13
Vol:.(1234567890)
Dr. Sulaiman Al Habib Medical Journal (2022) 4:126–135
and address the challenges that confront electronic health records in terms of protecting patient confidentiality. Examples of
factors that may affect patient confidentiality are healthcare security software, and relationships between health professionals.
Keywords Electronic health records · Saudi Arabia · Patient confidentiality · Privacy · Security
Abbreviations
CIA Confidentiality, integrity, and availability
EHR Electronic health records
EMRs Electronic medical records
GDPR General Data Protection Regulation
HCP Health care provider
HIPAA Health Insurance Portability and Accountability
Act
HIS Health information system
ISCB Information security compliance behavior
ISPs Information security policies
IT Information technology
KSA Kingdom of Saudi Arabia
NEHR National Electronic Health Records
SDL Saudi Digital Library
SLR Systematic literature review
1 Introduction
Electronic health records (EHRs) are defined by Keshta and
Odeh [1] as “an electronic version of a medical history of the
patient as kept by the health care provider (HCP) for some
time.” In addition, “it is inclusive of all the vital adminis-
trative clinical data that are in line to the care given to an
individual by a particular provider.” Such datasets include
patient demographics, progress reports issues, medications,
important signs, medical history, immunization reports,
laboratory data, and radiology reports. EHRs are often
referred to as electronic medical records (EMRs), which
have increasingly been used with global digital transforma-
tion. However, it is important to distinguish between EMRs
and EHRs. EMRs collect all paper-based charts regarding an
individual patient present in the clinician’s office, as a digital
version. EHRs contain all information present within EMRs
in digital format and overall health status datasets for the
individual patient, designed for use by clinicians and health
specialists from other medical specialties, if so required.
EMRs include legal records created at hospitals and used as
the primary source of EHR data [1].
Since their introduction in the late 1970s [2], evidence
has shown a high rate of adoption of EHRs globally. The
adoption rate relies on the technological development of
each country to achieve a competitive level of quality of care
and safety and improve patient satisfaction. EHR systems
allow HCPs to monitor patients’ health status online and
save information from medical examinations in EHRs. The
generated information may include personal information,
127
laboratory results, medical treatments, diagnoses, medicines,
vaccination status, and even certain sound and picture data.
The EHR consolidates patients’ medical information from
many independent HCPs in the same city, nation, or across
a country boundary [3].
The sharing of personal and health information over the
internet and different servers/clouds located outside of the
secure environment of the health care institution has cre-
ated privacy, security, access, and compliance concerns
[1]. Health organizations must identify methods that will
assist them in securing EHRs, to ensure the trust relationship
between the patient and HCPs [2]. According to Jabeen et al.
[3], trust is considered an essential element in the equation
because it has a substantial indirect impact on the quality
of health care; the degree of trust reflects patients’ percep-
tions of HCPs and their ability to differentiate among certain
health care institutions.
Confidential information is protected by confidentiality,
which restricts unauthorized access to specific informa-
tion and ensures that personal information is kept safe and
secure. Unauthorized access may result in data loss and, in
certain cases, pose personal risks to the individual patient
at multiple levels (e.g., data breaches/leaks concerning HIV
and other sexually transmitted disease cases) [4]. Health
information collection must adhere to legal and ethical pri-
vacy rules and regulations, such as the General Data Protec-
tion Regulation (GDPR) in Europe and the Health Insurance
Portability and Accountability Act (HIPAA) in the United
States [4]. The main objective of these regulations is to guar-
antee that confidential patient information is kept private and
protected from disclosure and to safeguard the hospital and
its various service information [5].
According to the Cybersecurity Quarterly Bulletin report
of the fourth quarter of 2020, which was published by the
Saudi National Cybersecurity Authority, the health care sec-
tor ranks third in the top targeted sectors globally by 14%,
unauthorized activity ranks first as the top threat, and infor-
mation leakage ranks fourth in the Kingdom of Saudi Arabia
(KSA) [6]. The presence of personal health data in the elec-
tronic environment endangers patient privacy and informa-
tion confidentiality. Rieder et al. [7] highlighted the impor-
tance of ensuring information secrecy, without which the
patient may be compelled to conceal information from the
HCP. This action restricts the physician’s ability to provide
proper care, and the legal environment may enable political
authorities to abuse administrative authority by weaken-
ing the concept of medical confidentiality itself. Samkari
et al. [8] also added that, regarding health care systems, the
13
128
ultimate security objectives are confidentiality, integrity,
and availability (CIA) triads. A data breach, according to
the US Department of Health and Human Services, is “the
illegal use or disclosure of confidential health information
that compromises its privacy or security under the privacy
rule and poses a sufficiently high risk of financial, reputa-
tional, or another type of harm to the affected person” [9].
In addition, cybersecurity was defined by Schatz et al. [10]
as “the collection of tools, policies, security concepts, secu-
rity safeguards, guidelines, risk management approaches,
actions, training, best practices, assurance and technologies
that can be used to protect the cyber environment and organi-
zation and assets.” The KSA ranks second among the 193
members of the Global Security Index, rising significantly
from 11th in 2 years [11]. However, based on the Interna-
tional Communication Union index, it ranks first among
Middle East countries and Asia. A long-term study of data
breaches by Seh et al. [9] revealed that health care records
were exposed because of both internal and external sources
of the breach, including hacking, theft/loss, unauthenticated
internal disclosure, and incorrect disposal of unneeded yet
sensitive data.
A data breach may occur if sensitive health information
is transferred or shared without appropriate authorization.
Patients may lose their lives or face permanent and irrep-
arable harm if the data used in health care treatment are
compromised because of unauthorized access [4]. Hence,
EHRs must not be retained for any longer than is necessary
for their intended purpose. Additionally, when data are kept,
transferred, and utilized, they should not be compromised.
The health care sector must also incorporate cybersecu-
rity into the health care system to safeguard patient safety.
Additionally, the health care sector must work together to
overcome cybercrime and forestall illegal access to patient
information. EHRs are often protected by cryptography or
recently by steganography; however, using cryptography in
combination with steganography has generated an intriguing
advancement [8]. According to a study conducted in Malay-
sia by Dong et al. [12], health institutions must increase their
commitment to monitoring these human-associated security
breaches if they must achieve effective system information
protection results. Health organizations have faced signifi-
cant security breaches not only because of technological
mistakes but also because of an inadequate security cul-
ture, security awareness, and security management among
the organizations’ workers, according to the authors. The
implementation of an effective information security policy
compliance framework is required for every sector.
The sole reference regarding applicable legislation con-
cerning data protection within the KSA region is the Per-
sonal Data Protection Law, which was implemented in
September 2021 and requested organizations to perform
multiple modifications in their routine daily operations to
13
Dr. Sulaiman Al Habib Medical Journal (2022) 4:126–135
ensure their compliance to this novel legislation. However,
this will only be enforced as of March 2023. This legislation
will necessitate registration of data controller details, records
of processing, increased governance on such personal data,
enforce data subject rights, limit data transfers (especially
outside KSA), and the enforcement of individual consent for
personal data handling and storage/sharing, increased impact
assessments, privacy notices, breach notification protocol
implementations, together with more intense regulation over
sensitive data (including health-related) [13]. This project
aimed to identify and address the challenges facing EHRs
regarding protecting patient confidentiality in the KSA,
based on an extensive review of related literature.
2 Methodology
The methodology of this project was based on a systematic
literature review (SLR). A web-based search was conducted
using several electronic search engines, including Google
Scholar, Saudi Digital Library (SDL), and PubMed, to iden-
tify different published articles. Google Scholar was used
as the primary database, whereas the other two served as
complementary databases.
The initial search was conducted on patient confidential-
ity articles in the KSA. In total, 742 results were generated
that were then refined by adding more specific keywords
such as “Confidential,” “Confidentiality,” “Breach,” “Data
Breach,” “Electronic Health Record,” “EHR,” and “Saudi
Arabia.” The only Boolean operator used to narrow the find-
ings was “and.” Furthermore, because of the rapid progress
in technology, the range of publication years was customized
to only include articles from 2016 to 2021 (the last 6 years).
Thus, the number of results was reduced to 162 articles.
To address the research questions, the most explicit and
relevant articles were identified and retrieved. Additionally,
duplicated and non-English findings were excluded, yield-
ing 105 articles. Inclusion criteria were (a) relevance to the
studied research niche; (b) Published studies in the English
language; (c) peer-reviewed studies on the Saudi Arabian
population; (d) studies providing original data; (e) and stud-
ies in which the sample comprised any HCP and informa-
tion technologist who work in the health care sector or with
patients. Exclusion criteria were (a) articles not written in
the English language; (b) any type of review article; (c) arti-
cles conducted in countries other than the KSA; (d) articles
that were not peer-reviewed; (e) articles published before
2016; (f) articles giving inconclusive outcomes for their
study aims; or (g) articles not providing a comprehensive
explanation of the conducted methodology.
Three areas guided the selection of relevant articles
for analysis: confidentiality compliance of HCPs and
driving factors of data breaching, challenges concerning
Dr. Sulaiman Al Habib Medical Journal (2022) 4:126–135
confidentiality and security of EHRs, and the influence of
confidentiality on EHR adoption. Forty-five articles were
chosen for a critical and thorough evaluation of their con-
tents after examining their abstract and conclusion. The
excluded articles were used in other sections to suggest
solutions and address the explored challenges relevant to
the study’s background. An article was considered eligible
only if it provided answers to any of these three questions.
Later, only 14 articles were subjected to thorough screening
and analysis in this review. Both technical factors and human
factors were explored, with a greater focus on the latter. Fig-
ure 1 shows the process of article selection.
We read the full-text papers to assess the quality and suit-
ability of the remaining articles in more depth. Three papers
were removed from consideration for the review process
because they lacked a clear description of the conducted
methodology. Finally, we only included 11 high-quality
articles that were properly referenced. Eligible articles were
included in Table 1 according to the authors’ names, publi-
cation year, research title, publication journal, study popu-
lation, data collection methodology, and project/research
objectives.
3 Results
In this review, 11 research articles that fulfilled the eligible
inclusion criteria in the methodology section were analyzed
based on the three main project questions: What is the con-
fidentiality compliance of HCPs and driving factors of data
Fig. 1  Steps of articles selection
129
breaching? What are the challenges facing the confidentiality
and security of EHRs? What is the influence of confidenti-
ality on EHR adoption? Table 1 shows the selected articles
for analysis.
All 11 articles posed a concern regarding securing pri-
vacy and confidentiality of patient information that corre-
lated with the high adoption of EHRs or EMRs. However,
in a study that assessed family physicians’ attitudes toward
EHR privacy and identified factors that influenced these
attitudes, most believed EHRs were more secure than paper
records, but some disagreed and expressed concern about
data leakage. Senior physicians (P = 0.05), non-Saudi phy-
sicians (P = 0.029), and consultants (P = 0.004) all had a
favorable perception of the privacy of computerized data.
Many physicians agreed to share data with the Ministry of
Health (53/89; 59.6%) and hospital-based research centers
(49/89; 55%) but were opposed to data accessibility and
sharing with insurance and pharmaceutical companies. Most
respondents (48/89; 54%) disagreed with the risk of possible
confidentiality loss when using EHRs [14].
3.1 Confidentiality Compliance of HCPs and Driving
Factors of Data Breaching
In a descriptive study, Almulhem [15] investigated the
access privilege of medical interns from various Saudi Ara-
bian medical colleges. Almost 62.8% of the participants had
access to medical records, 66.1% had access to EHRs, and
83.27% had read-only access. These participants had privi-
leges to perform a quick search for patient records (70.1% of
13
 Table 1  List of included articles for analysis
Authors, references Title
13
Almuayqil et al. [20] Ranking of E-Health barriers
faced by Saudi Arabian citi-
zens, healthcare professionals,
and IT specialists in Saudi
Arabia
Chikhaoui et al. [19] Privacy and security issues in
the use of clouds in e-health
in the Kingdom of Saudi
Arabia
Jabali and Jarrar [22] Electronic health records func-
tionalities in Saudi Arabia:
obstacles and major chal-
lenges
Altamimi et al. [16] The role of neutralization tech-
niques in violating hospitals
privacy policies in Saudi
Arabia
Alqahtani et al. [24] Assessment of the patients’
awareness regarding their
rights and responsibilities in
the major governmental hos-
pitals in Riyadh, Saudi Arabia
Mishah et al. [18] Status of e-security in Saudi
hospitals
Altamimi et al. [23] “I do it because they do it”:
social neutralization in infor- and Systems
mation security
practices of Saudi medical
interns
Alsahafi et al. [21] The acceptance of national elec- ACIS 2020 Proceedings
tronic health records in Saudi
Arabia: healthcare consumers’
perspectives
Alanazi et al. [17] Theory-based model and pre-
diction analysis of information
security compliance behavior
in the Saudi healthcare sector
Journal
Health
Communications of the IBIMA
Global Journal of Health Sci-
ence
2018 4th IEEE International
Conference on Information
Management
International Journal of Medi-
cine in Developing Countries
Computer Methods and Pro-
grams in Biomedicine
Risks and Security of Internet
Symmetry
Study population
Saudi Arabian citizens, health-
care professionals, and IT
specialists
Associates working in health
sectors in Saudi Arabia
Medium and large size hospital
stakeholders
Medical interns from selected
academic hospitals
Patients from selected hospitals Questionnaire-based survey
Healthcare IT and health
information management
professionals
Medical interns, and IT special- Semi-structured interview
ists from an academic hospital
in Saudi Arabia
Saudi citizens
Health workers from selected
healthcare centers
Data collection method
Designed questionnaire
Literature review and survey
Comprehensive survey
Questionnaire
Developed online questionnaire To examine how well Saudi
To examine the influence of
Questionnaire-based survey
Questionnaire-based survey
130
Objectives
To rank the barriers of e-health
in KSA from the perspectives
of Saudi Arabian citizens,
healthcare professionals, and IT
specialists
To examine the usage of cloud
computing in healthcare and the
privacy laws in Saudi Arabia
To assess the adoption of EHR
in Saudi public hospitals and to
identify the major challenges
To determine if the neutralization
theory can be used to anticipate
reasons for the violation of
hospitals’ privacy policies
To determine patient knowl-
edge of their rights and duties
in major public hospitals in
Riyadh, Saudi Arabia
hospitals defend their electronic
systems against e-threats that
may jeopardize patient privacy,
data confidentiality, system
integrity, patient information
availability, and other electronic
resources
social variables on medical
interns’ incentives to avoid
hospital ISPs
To investigate factors impacting
healthcare consumers’ accept-
ance of NEHRs in Saudi Arabia
To assess a theory-based model’s
utility and identify ISCB pre-
dictors among Saudi healthcare
professionals
Dr. Sulaiman Al Habib Medical Journal (2022) 4:126–135
 Dr. Sulaiman Al Habib Medical Journal (2022) 4:126–135 131

medical interns who accessed EHRs and 67.1% of peers who

access to paper medical records

and EHRs in Saudi Arabia and
views on EHR privacy and the

compare students’ experience

accessed paper medical records). Three of the eleven studies

records and EHR from their

of accessing paper medical
To assess family physicians’

variables influencing them

were focused on analyzing the driving factors that contrib-

To assess medical students’

ute to the breaching of information security policies (ISPs)
by HCPs. Furthermore, in these three articles, the possible
determinants of compliance and noncompliance using cer-

perspective
tain behavior theories with few variations were discussed.
Objectives

Two of these studies were conducted by Altamimi et al.

[16] and were focused on non-malicious behaviors of
breaching by medical interns training in academic hospi-
tals, revealing that behavioral justification was used when
medical interns do not comply with ISPs for various reasons,
including feeling better about not complying with ISPs. Fur-
Data collection method

Medical students from different Self-developed survey

thermore, they demonstrate that neutralization theory may

be used to explain behavior that differs from anticipated
Online survey

norms and that it can also be used to predict the medical

interns intention to breach hospital privacy rules in the
health care sector. In the third study conducted by Alanazi
et al. [17], the effectiveness of the theory-based model and
different information security compliance behavior (ISCB)
family medicine residents at a

predictions for health care professionals in the KSA govern-

Primary care physicians and

ment hospitals were explored. Moderating and uncommon

selected medical city

variables (such as morality and religion) affected ISCBs,

medical colleges

whereas demographic features (such as marital status, job

Study population

experiences, and age) had no effect.

3.2 Challenges of Confidentiality and Security

of EHRs
Journal of Health Informatics

Mishah et al. [18] analyzed e-security in the KSA hospitals

in Developing Countries

and found that, in most Saudi hospitals, health information

BMC Medical Education

technology departments were well established, while health

information management departments were less prepared.
The security of server rooms, data centers, and hospital
information technology (IT) networks were all regarded as
the cornerstones of any hospital e-security platform. Addi-
Journal

tionally, the authors found a highly contradictory practice

regarding e-security in hospitals: for example, antivirus soft-
health records? Family physi-

ware was available in 93.75% of hospitals, but only 33.33%

Alshahrani et al. [14]. How private are the electronic

ence with accessing medical

cians’ perspectives towards

records in Saudi Arabia: a

of hospitals kept it up to date. An IT department was well

electronic health records

Medical students’ experi-

established in 83.3% of hospitals; however, e-security offic-

ers were unavailable in 83.3% of hospitals, among other
descriptive study

situations. An intrusion prevention system was absent in

62.5% of hospitals; although 67% of hospitals’ networks
privacy

were accessible to the internet, only 33.33% of them were

secured by a firewall, representing a significant deficiency.
Title

Remote backups are essential for hospitals, particularly in

the event of a natural catastrophe or fire disaster. However,
Table 1  (continued)
Authors, references

remote backups were inaccessible in 66.66% of cases. Only

Almulhem [15]

4% of the studied population had a digital catastrophe plan

including a system recovery exercise and restoration testing.
Based on the findings of Chikhaoui et al. [19] regarding
the issues that threaten the privacy and security of cloud

13
132
computing, more than half of the respondents believed that
patient medical records were vulnerable to cloud comput-
ing. The data were kept secure, according to 40% of those
polled, with the remaining 10% declining to respond. Com-
parison of the hospital data with bank data showed that most
respondents claimed that “it is secured in the same way that
the bank account is secured, and there is no need to be con-
cerned about security.” Additionally, several respondents
expressed concern about hospital data security. Although
patient privacy was jeopardized by transferring of patient
information from one hospital to another, according to 85%
of respondents, 5% disagreed and the remaining 10% did
not respond.
Almuayqil et al. [20] examined the barriers to e-health
care and the use of EHRs in the KSA among potential users
of a proposed framework. Citizens and IT professionals
reported no issues with security or privacy. However, con-
cern about the security and privacy of patient records was
shown by most health care professionals. Most health care
professionals demonstrated the issue of unauthorized access
to their patient EHRs (n = 9; 52.9%). Approximately one-
third of physicians complained that their patients’ EHRs
were not only distributed but also updated without their
personal consent (n = 7; 41.2%). Furthermore, half of these
health care professionals (n = 8; 47.1%) claimed that could
not control the access of their patients’ EHRs, and the same
number of respondents indicated that they had unauthor-
ized access to other patients’ EHRs. Over half of health care
professionals (n = 9; 52.9%) could not determine who should
be given access to the EHRs of their patients. Additionally,
much dissatisfaction was shown by most of the health care
professionals because of their inability to determine and con-
trol the EHRs of their patients (n = 11; 64.7%). Addition-
ally, a proportion of health care professionals (n = 6; 37.5%)
indicated that they could control the health records of other
patients. The citizens’ (layperson) mean score (mean, 3.5)
was the highest of the three groups of respondents. The
second highest mean score was 3.2, shown by health care
professionals, while the lowest mean score was shown by
IT specialists, which was calculated as 2.2.
3.3 Influence of Confidentiality on EHR Adoption
According to the findings of another researcher, the par-
ticipants in the study by Alsahafi et al. [21] perceived that
security concerns had a substantial negative effect on their
behavioral intention to use the National Electronic Health
Records (NEHR) system in the Saudi setting (beta = − 0.22;
P = 0.001). These figures demonstrated that worries about
the security of people’s health information against unauthor-
ized access may deter health care consumers from using the
NEHR system. Additionally, the researchers discovered that
trust had a statistically significant beneficial impact on Saudi
13
Dr. Sulaiman Al Habib Medical Journal (2022) 4:126–135
health care customers' behavioral intention to use the NEHR
system (beta = 0.22; P = 0.001). These findings indicated
that the intentions of Saudi health care consumers to use
the NEHR system could be significantly influenced by their
trust in government e-health applications concerning secu-
rity standards, as well as health practitioners’ confidentiality
in handling private health-related information. Furthermore,
trust had a substantial detrimental effect on perceived secu-
rity concerns (beta = − 0.39; P = 0.001). These data indicated
that Saudi health care customers who saw the NEHR system
and the parties engaged in its administration and usage as
trustworthy were more likely to have fewer privacy and secu-
rity concerns, and therefore to plan to utilize it.
The survey by Jabali and Jarrar in 2018 tested the func-
tionality of major challenges of EHRs at 15 hospitals in the
Eastern Province of the KSA [22]. The survey concluded
that almost seven hospitals (46.6%) implemented or were in
the process of implementing an EHR system. In the KSA’s
Eastern Province, order entry (51.11%) is primarily made
by EHR and chart review, which account for approximately
41.11%, with significant barriers to use for different docu-
mentation functions, decision support, and other tools of
communication. Along with the “secure” EHR system,
these results indicated that the security mechanism is not
adequately protected against all kinds of threats [22].
4 Discussion
The confidentiality and security of EHRs play a crucial role
in patient satisfaction. The KSA has made considerable pro-
gress in improving the security of EHRs through privacy
rules and confidentiality principles. According to Mishah
et al. [18], only a few clinical and nonclinical electronic sys-
tems use advanced and moderate e-security features, tools,
well-established policies and practices to protect patient
confidentiality. With the increased rate of hackers targeting
patient data in Saudi's health system, evaluation of e-security
and other security measures in Saudi hospitals has become
compulsory to avoid potential threats that may break patient
confidentiality. Therefore, improving e-security measures
and developing data security rules are crucial to limit the
risk of jeopardizing patient data integrity and safety [18].
The KSA has a reliable health care system that main-
tains trust and friendly relationships to build a confident and
trustworthy public health care system. Thus, patient data
management by identifying motivations and driving factors
is crucial. Altamimi et al. [23] demonstrated various motiva-
tions that standardized the MIS for applications of behavioral
modes when all requirements of ISPs were failed. However,
the amenability of employees to adopt ISPs cannot be justi-
fied. When those employees were uncomfortable with rules,
they applied neutralization approaches to suppress these
Dr. Sulaiman Al Habib Medical Journal (2022) 4:126–135
issues. These applied neutralization approaches included the
denial of responsibility, the denial of injury, appeal to higher
loyalties, the metaphore of the ledger that reflects justifying
negative actions based on past virtues, defense of necessity,
and condemnation of condemners. In addition to neutraliza-
tion approaches, preventive strategies are applied because
these approaches are insufficient to preserve privacy regula-
tory rules. Therefore, Altamimi et al. [23] suggested that fur-
ther research should identify more awareness approaches and
training sessions (face-to-face contacts, web-based courses,
and seminars) that are operational health care measures to
prevent these workers from justifying their wrong behav-
iors. By following these strategies, health care systems may
apply safety measures in the form of psychological layers for
advancements in their technological systems. The support
of a noncompliance system by social norms has also proven
helpful. Individuals appreciate descriptive norms compared
with injunctive norms.
Furthermore, factors that impact ISCB are also the deter-
mining factors in maintaining the confidentiality of EHRs,
as described by Alanazi et al. [17]. Such factors include
psychological behaviors, religious beliefs, cultural beliefs,
personality traits, cost of compliance, norms, technology
awareness, and legal issues. According to their arguments,
ISCB is affected by uncommon factors such as religion or
morality, whereas demographic factors such as work experi-
ence have no effect.
Alsahafi et al. [21] demonstrated that some influential
factors, particularly social factors, may affect the confiden-
tiality of EHRs. They agreed that factors such as health care
consumers’ perspective could impact the decisions of policy
makers in planning and improving the acceptance and imple-
mentation of the NEHRs in the KSA. Therefore, the trust of
health care consumers in the government's ability to ensure
confidentiality and standards set regarding access to patient
data plays a key role in determining the confidentiality of
EHRs.
Almulhem [15] described that participants had unfettered
access to medical records, and their answers to open-ended
questions showed the need for appropriate regulation of
such access. Compared with paper medical records, medi-
cal students had a better experience using EHRs. Various
essential skills can be learned by medical students from
medical records that benefit them in their future practice.
The educational experience of medical students was limited
when read-only access was provided. However, before grant-
ing medical students access to medical records, they should
receive adequate EHR training because this enabled them to
practice and use EHR systems more effectively.
However, several challenges in the adopting EHRs could
also be faced by the health care system in the KSA, particu-
larly regarding privacy issues. For example, in their study,
Jabali and Jarrar [22] found that some of the obstacles met
133
by health care organizations in implementing EHR adoption
and security included resistance to change by some medi-
cal staff. Some medical personnel failed to accept the use
of information technologies aimed at reducing patient data
breaches. Furthermore, low and weak financing strategies
were used to implement competent confidentiality EHR pro-
grams. Moreover, medical staff were insufficiently trained in
the correct and secure usage of EHR systems [22].
Additionally, Chikhaoui et al. [19] described the chal-
lenges faced in EHR adoption by focusing on cloud comput-
ing. Some of the challenges included hackers who may gain
access to confidential patient data, or computer viruses that
may affect the integrity of patient records and information.
Similarly, the portability of data using cloud computing also
poses a challenge in adopting EHR systems in the KSA.
However, despite these challenges, cloud computing makes
health care processes more efficient by ensuring centralized
data storage and processing.
Similarly, Alqahtani et al. [24] described how adopting
EHRs can be improved by involving patients. In their study,
the patients stated that they had the right to make decisions
based on the medical care they received, the right to accept
or reject treatment, and the right to formulate advance direc-
tives. Therefore, patient awareness is crucial in ensuring
smooth EHR adoption because patients can make prompt
decisions regarding any privacy or confidential areas in
receiving health care.
Almuayqil et al. [20] explained that one of the major chal-
lenges in maintaining data integrity and security in adopt-
ing EHRs is the connectivity of information systems. Other
barriers highlighted by this study included cultural barriers
in technical expertise and barriers in computer skills. HCPs
ranked security and privacy as the third barrier because it
is common for medical records to be distributed without
a patient's or doctor's consent. Additionally, issues linked
to the potential of unauthorized individuals to access their
patients’ data were among their second primary worries.
Conversely, the IT experts’ group responses emphasized the
importance of using different security and privacy meas-
ures to protect the confidentiality of patients' information.
Therefore, health care organizations should identify such
obstacles to ensure smooth adoption of EHRs and ensure
confidentiality.
Physicians’ perspectives on EHR privacy in the KSA
were reported in the study by Alshahrani et al. [14]. The
doctors agreed that EHRs, which are password-protected in
specific medical software, are more private and secure than
paper records and that the benefits and usefulness outweigh
the dangers. Overall, the use of computers in health care
was deemed to be extremely advantageous, resulting in EHR
deployment in the KSA's largest institutions. These findings
may help policy makers argue for the spread of EHRs. The
13
134
privacy, security, and confidentiality of patient health infor-
mation are not jeopardized by the EHR.
The limitations of this study were the limited availabil-
ity of relevant publications in the KSA, the lack of original
findings, and the biased methodology used. The strengths of
this study were that the reviewed articles were systematically
explored from the last 5 years of publications, which are
considered relatively new. Furthermore, the study focused
on the Saudi population; thus, more focused results were
generated.
5 Conclusion
The goal of this project was to use an extensive review of
related literature to identify and address the challenges fac-
ing EHRs in the KSA in terms of protecting patient confi-
dentiality. To the best of our knowledge, literature is lacking
that examines the impact of training, measures the level of
awareness and current practices of HCPs in the KSA, pro-
tects patient information privacy and confidentiality from
the breach, and considers technical measures. However,
through extensive analysis of reliable studies and research
on EHR implementation in the KSA, reliable results can be
deduced. Furthermore, privacy and confidentiality are the
foundation of a reliable EHR system. Some of the explored
factors that affect the confidentiality of patient data include
relationships among health care professionals, upgrading of
health care security software, and social influencers health
care consumers, among others. Therefore, if the KSA adopts
the mentioned implementation strategies, factors regarding
patient confidentiality, and addresses the challenges posed,
the safety and care of patients will be significantly improved.
Recommendations for future studies/implementations
include (a) investigating various case studies and includ-
ing hospitals from other regions of the KSA; (b) perform-
ing comparative studies (e.g., between governmental and
privatized hospital settings); (c) analyzing the behaviors
and attitudes of various HCPs toward confidential data; (d)
clarifying and comparing various HIS models; (e) further
analyzing the role of leadership in the successful implemen-
tation of EHR systems; (f) analyzing physicians’ roles in
embracing novel EHR systems; (g) increasing EHR train-
ing program availability, with minimal knowledge gaps; (h)
increasing investment in the latest EHR infrastructures; and
(i) improving data handling/sharing policies within KSA
hospital settings.
Author Contributions NSA contributed to study conceptualiza-
tion, methodology, data curation, writing, original draft prepara-
tion, investigation, reviewing and editing. BAB contributed to study
13
Dr. Sulaiman Al Habib Medical Journal (2022) 4:126–135
conceptualization, methodology, data curation, visualization, valida-
tion, supervision, reviewing and editing. All authors read and approved
the final version of the manuscript.
Funding None.
Availability of Data and Material Not applicable.
Declarations
Conflict of interest None declared.
Ethics approval and consent to participate Not applicable.
Consent to publication Not applicable.
Open Access This article is licensed under a Creative Commons Attri-
bution 4.0 International License, which permits use, sharing, adapta-
tion, distribution and reproduction in any medium or format, as long
as you give appropriate credit to the original author(s) and the source,
provide a link to the Creative Commons licence, and indicate if changes
were made. The images or other third party material in this article are
included in the article's Creative Commons licence, unless indicated
otherwise in a credit line to the material. If material is not included in
the article's Creative Commons licence and your intended use is not
permitted by statutory regulation or exceeds the permitted use, you will
need to obtain permission directly from the copyright holder. To view a
copy of this licence, visit http://​creat​iveco​mmons.​org/​licen​ses/​by/4.​0/.
References
1. Keshta I, Odeh A. Security and privacy of electronic health
records: concerns and challenges. Egypt Inform J. 2020. https://​
doi.​org/​10.​1016/j.​eij.​2020.​07.​003.
2. Evans RS. Electronic health records: then, now, and in the future.
Yearb Med Inform. 2016;25:S48–61. https://​doi.​org/​10.​15265/​
IYS-​2016-​s006.
3. Jabeen F, Hamid Z, Akhunzada A, Abdul W, Ghouzali S. Trust
and reputation management in healthcare systems: taxonomy,
requirements and open issues. IEEE Access. 2018;PP:1. https://​
doi.​org/​10.​1109/​ACCESS.​2018.​28103​37.
4. Hameed SS, Hassan WH, Abdul Latiff L, Ghabban F. A system-
atic review of security and privacy issues in the internet of medi-
cal things; the role of machine learning approaches. PeerJ Comput
Sci. 2021;7: e414. https://​doi.​org/​10.​7717/​peerj-​cs.​414.
5. Masud M, Gaba G, Choudhary K, Alroobaea R, Hossain MS.
A robust and lightweight secure access scheme for cloud based
e-healthcare services. Peer-to-Peer Netw Appl. 2021;14:1–78.
https://​doi.​org/​10.​1007/​s12083-​021-​01162-x.
6. NCA National Cybersecurity Authority. https://​nca.​gov.​sa/​en.
Accessed 28 Jun 2022.
7. Rieder P, Louis-Courvoisier M, Huber P. The end of medi-
cal confidentiality? patients, physicians and the state in his-
tory. Med Humanit. 2016;42:149–54. https://​doi.​org/​10.​1136/​
medhum-​2015-​010773.
8. Samkari H, Gutub A. Protecting medical records against cyber-
crimes within Hajj period by 3-layer security. 2019. https://​doi.​
org/​10.​5281/​zenodo.​35434​55
9. Seh AH, Zarour M, Alenezi M, Sarkar AK, Agrawal A, Kumar
R, Ahmad Khan R. Healthcare data breaches: insights and
Dr. Sulaiman Al Habib Medical Journal (2022) 4:126–135
implications. Healthcare (Basel). 2020;8:133. https://​doi.​org/​10.​
3390/​healt​hcare​80201​33.
10. Schatz D, Bashroush R, Wall J. Towards a more representa-
tive definition of cyber security. J Digit Forensics Secur Law.
2017;12:53. https://​doi.​org/​10.​15394/​jdfsl.​2017.​1476.
11. SPA Saudi Arabia is second globally, first in Arab, Middle East
and Asia on global cybersecurity index the official Saudi Press
Agency. https://​www.​spa.​gov.​sa/​22480​51. Accessed 28 Jun 2022.
12. Dong K, Ali RF, Dominic PDD, Ali SEA. The effect of organiza-
tional information security climate on information security policy
compliance: the mediating effect of social bonding towards health-
care nurses. Sustainability. 2021;13:2800. https://d​ oi.o​ rg/1​ 0.3​ 390/​
su130​52800.
13. IAPP How to prepare for Saudi Arabia’s personal data protection
law (2022).
14. Alshahrani A, Jamal A, Tharkar S. How private are the elec-
tronic health records? Family physicians’ perspectives towards
electronic health records privacy. J Health Inform Dev Ctries.
2021;15(1):1–16.
15. Almulhem JA. Medical students’ experience with accessing medi-
cal records in Saudi Arabia: a descriptive study. BMC Med Educ.
2021;21:272. https://​doi.​org/​10.​1186/​s12909-​021-​02715-7.
16. Altamimi S, Storer T, Alzahrani A (2018) The role of neutralisa-
tion techniques in violating hospitals privacy policies in Saudi
Arabia. In: Proceedings of the 2018 4th international conference
on information management (ICIM), May 2018, p 133–140
17. Alanazi ST, Anbar M, Ebad SA, Karuppayah S, Al-Ani HA. The-
ory-based model and prediction analysis of information security
compliance behavior in the Saudi healthcare sector. Symmetry.
2020;12:1544. https://​doi.​org/​10.​3390/​sym12​091544.
18. Mishah N, Bukhari A, AlMutairi B, Mohreq M. Status of e-secu-
rity and privacy protection in Saudi hospitals. Comput Methods
Programs Biomed. 2019;171:5–6. https://d​ oi.o​ rg/1​ 0.1​ 016/j.c​ mpb.​
2018.​12.​012.
135
19. Chikhaoui E, Sarabdeen J, Parveen R. Privacy and security issues
in the use of clouds in e-health in the Kingdom of Saudi Arabia.
Commun IBIMA. 2017. https://​doi.​org/​10.​5171/​2017.​369309.
20. Almuayqil S, Atkins A, Sharp B. Ranking of E-health barriers
faced by Saudi Arabian citizens, healthcare professionals and IT
specialists in Saudi Arabia. Health. 2016;08:1004–13. https://​doi.​
org/​10.​4236/​health.​2016.​810104.
21. Alsahafi Y, Gay V, Khwaji A. The acceptance of national elec-
tronic health records in Saudi Arabia: healthcare consumers’ per-
spectives. In: ACIS 2020 proceedings, 2020.
22. Jabali K, Jarrar M. Electronic health records functionalities in
saudi arabia: obstacles and major challenges. Global J Health Sci.
2018;10:50. https://​doi.​org/​10.​5539/​gjhs.​v10n4​p50.
23. Altamimi S, Renaud K, Storer T. Correction to: “I do it because
they do it”: social-neutralisation in information security practices
of Saudi medical interns. In: Kallel S, Cuppens F, Cuppens-Bou-
lahia N, Hadj Kacem A, editors. Risks and security of internet
and systems. CRiSIS 2019. Lecture notes in computer science,
vol. 12026; 2020. p. 227–43. https://​doi.​org/​10.​1007/​978-3-​030-​
41568-6_​25.
24. Alqahtani N, Alsulami S, Alzamel F, AlShamekh M, Almutairi A,
AlDekhayel M, Fouhil A. Assessment of the patients’ awareness
regarding their rights and responsibilities in the major govern-
mental hospitals in Riyadh, Saudi Arabia. Int J Med Dev Ctries.
2019;3:198–203. https://​doi.​org/​10.​24911/​ijmdc.​51-​15425​86255
Publisher's Note Springer Nature remains neutral with regard to
jurisdictional claims in published maps and institutional affiliations.
13