Cybersecurity in Healthcare: How Human Factors and Identity Theory Strengthen Patient Data Protection at Peramiho Mission Hospital

Illustrative Image: Cybersecurity in Healthcare: How Human Factors and Identity Theory Strengthen Patient Data Protection at Peramiho Mission Hospital
Image Source & Credit: Patrizia Foundation
Ownership and Usage Policy

A recent study by Kwesigabo, E. M., & Komba, L. I. (2025) titled “Patient Data Protection in Healthcare: A Comprehensive Assessment of Cybersecurity Best Practices among System End-Users. A Case of Peramiho Mission Hospital” published in European Journal of Applied Science, Engineering, and Technology reveals an alarming rise in data breaches between 2022 and 2024, including incidents of unauthorized disclosure, forgery, and unintended use of patient information.

“

Inadequate awareness, training, and compliance among healthcare workers are the main causes of patient data breaches.– Kwesigabo, E. M., & Komba, L. I. (2025

The study offers an in-depth analysis of vulnerabilities in patient data protection caused by human factors, focusing particularly on the behaviors and practices of healthcare system end-users such as nurses, administrative staff, and technicians. At its core, the research investigates how effectively these end-users understand and apply cybersecurity best practices to safeguard patient information within Peramiho Mission Hospital in Tanzania. It aims to identify existing cybersecurity measures, assess awareness and training levels among staff, examine common threats and breaches linked to user behavior, and recommend strategies to enhance end-user practices for stronger data security. The findings reveal an alarming rise in data breaches between 2022 and 2024, including incidents of unauthorized disclosure, forgery, and unintended use of patient information. While the availability of patient data was rated high, its integrity and confidentiality were only rated moderate. The study highlights three critical shortcomings undermining effective data protection: a limited understanding of its importance, insufficient cybersecurity training, and weak compliance monitoring and auditing mechanisms. Statistical analysis showed strong positive correlations between key human factors and overall data protection—specifically, end-user awareness (rs = 0.85), training (rs = 0.90), and compliance monitoring (rs = 0.89)—indicating that improvements in these areas significantly strengthen data security outcomes. Grounded in Identity Theory, the study emphasizes that effective cybersecurity in healthcare requires users to internalize their identity as protectors of patient data. By fostering this sense of responsibility through targeted education, continuous training, and stronger institutional oversight, healthcare institutions like Peramiho Mission Hospital can enhance patient data integrity, confidentiality, and resilience against cyber threats.

How the Study was Conducted

The study conducted at Peramiho Mission Hospital employed a mixed-methods approach, integrating both quantitative and qualitative techniques to comprehensively evaluate cybersecurity practices among healthcare system end-users. Using a cross-sectional design, the research gathered data at a single point in time across multiple departments to provide a holistic snapshot of current cybersecurity behaviors and challenges. The target population consisted of 268 system end-users from 11 departments, with a sample size of 170 determined using Slovin’s formula at a 5% confidence level. Out of these, 161 respondents completed the questionnaires, yielding a 94.7% response rate. Additionally, 10 departmental heads and one senior ICT officer were interviewed as key informants to provide managerial and technical perspectives.

The study relied on both primary and secondary data sources. The authors obtained  primary data through self-administered questionnaires distributed to system end-users and semi-structured interviews conducted with departmental heads and the ICT officer to gain deeper insights into institutional cybersecurity dynamics. Secondary data included organizational policy documents and records of past data breach incidents, which provided contextual background for analysis.

The quantitative data were analyzed using SPSS version 26 for data entry, descriptive statistics, and frequency distribution, while R version 4.3.4 was used for graphical visualization and correlation analysis. The qualitative data underwent a rigorous thematic analysis involving six key stages: familiarization with data, systematic coding, theme development, evaluation, naming, and detailed reporting.

The investigation centered on:

• Demographic characteristics of healthcare system end-users.
• Frequency and nature of patient data breaches within the institution.
• Assessment of cybersecurity practices, emphasizing awareness of data protection, adequacy of cybersecurity training, and mechanisms for compliance monitoring.

Overall, this mixed-methods design provided a robust framework for understanding how human factors, institutional policies, and technical capacities collectively influence the protection of patient data at Peramiho Mission Hospital.

What the Authors Found

The authors found that human factors, particularly low awareness, inadequate training, and poor compliance monitoring among healthcare system end-users are the primary contributors to weak patient data protection at Peramiho Mission Hospital, despite high data accessibility. Strengthening user education, accountability, and oversight is therefore essential to improving cybersecurity resilience.

Why is this important

Human Factors as the Core Vulnerability: The study highlights that most patient data breaches stem from internal human errors—such as weak passwords, credential sharing, and low awareness—rather than external cyberattacks. This identifies end-user behavior as the weakest link in healthcare cybersecurity.

Gaps in Training and Compliance Oversight: Insufficient training and the absence of regular compliance monitoring have created systemic weaknesses. Many healthcare workers view data protection as the sole responsibility of ICT staff, leading to unchecked mistakes and inconsistent security practices.

Implications for Developing Health Systems: In rapidly digitizing healthcare environments across Tanzania and other African nations, cybersecurity risks are expanding faster than protections. The study emphasizes the urgent need to strengthen institutional policies, enhance user education, and build resilient digital health infrastructures.

Evidence-Driven Path to Improvement: Strong statistical correlations between user awareness, training, and data protection demonstrate that targeted capacity building and continuous oversight can significantly enhance patient data security and institutional trust.

What the Authors Recommended

• Promote a culture where every healthcare worker recognizes their role in safeguarding patient data. Using identity theory, staff should be encouraged to view data protection as part of their professional identity, fostering shared responsibility across all levels.
• Develop regular, scenario-based training programs focused on cybersecurity and data protection. These should cover password hygiene, secure login practices, and how to identify phishing or social engineering attacks, ensuring all users are well-equipped to prevent breaches.
• Move from reactive to proactive oversight by introducing structured, system-based audits. Conduct regular internal and external reviews, and deploy automated tools to detect unusual login patterns or potential security violations.
• Adopt strict password policies that prohibit credential sharing and mandate multi-factor authentication. Encourage regular password rotations and enforce penalties for non-compliance to ensure higher levels of system security.
• Position cybersecurity as a core institutional function rather than an ICT-only responsibility. Incorporate cybersecurity performance metrics into departmental evaluations to ensure organization-wide commitment to data protection.

In conclusion, the study underscores that the greatest threat to patient data security lies not in technology but in human behavior. By fostering a culture of shared responsibility, continuous training, and proactive compliance monitoring, healthcare institutions can transform end-users into vigilant protectors of patient information—strengthening data integrity, confidentiality, and overall cybersecurity resilience.