1,2 Health Information Management Department, Bayelsa Medical University, Yenagoa Bayelsa State, Nigeria.
3 Institute of Health Sciences and Management Technology, Delta State University Teaching Hospital, Oghara, Delta State
The digital transformation of healthcare has intensified the need for secure health data systems and strong cybersecurity awareness among health personnel. This study assessed digital health data procurement practices and cybersecurity consciousness among health personnel in six selected health institutions in Bayelsa State, Nigeria. A descriptive cross-sectional survey design was adopted, involving a census of all 208 health personnel across Kolo General Hospital (32), Yenagoa Hospital and Maternity (35), Tobis Hospital (30), Crest Specialist Hospital (36), Family Care Hospital (37), and Glory Land Hospital (38). A structured questionnaire achieved a 94.2 percent response rate (n = 196). Data were analysed using descriptive statistics, while t-tests and Pearson correlation were applied for inferential analysis. Findings revealed moderate cybersecurity awareness (mean = 2.82) and attitudes (mean = 3.33), but low cybersecurity behaviours (mean = 2.38). Procurement practices were also inadequate (mean = 2.15). The study concludes that cybersecurity consciousness and procurement practices remain insufficient. It recommends mandatory training, standardised procurement frameworks, dedicated budgets, and infrastructural strengthening across all institutions.
Healthcare systems are undergoing rapid digital transformation driven by the widespread adoption of electronic health records (EHRs), health information systems, telemedicine platforms, and interoperable data infrastructures. These technologies have enhanced the efficiency of clinical documentation, improved continuity of care, strengthened diagnostic accuracy, and supported administrative decision-making. By enabling real-time generation, storage, retrieval, and exchange of patient information across healthcare levels, digital health systems have become indispensable to modern healthcare delivery.
However, this digital transition has simultaneously expanded the exposure of healthcare systems to cybersecurity threats. Health data constitute highly sensitive personal information and are therefore attractive targets for cybercriminal activities. Increasingly reported threats include ransomware attacks, phishing schemes, malware infections, insider breaches, and unauthorised access to electronic records. These incidents compromise patient confidentiality, disrupt clinical services, increase operational costs, and weaken public trust in health institutions. As a result, cybersecurity has become a core requirement in the governance and sustainability of digital health systems, extending beyond technical safeguards to include procurement practices and human behavioural factors (Kruse et al., 2017).
Digital health data procurement refers to the structured acquisition and implementation of technologies used in health information management. It involves needs assessment, system specification, vendor selection, security and compliance evaluation, contract negotiation, deployment, and maintenance planning. Ideally, procurement decisions should integrate cybersecurity requirements such as data protection standards, system resilience, and vendor accountability. However, in many low- and middle-income countries, including Nigeria, procurement processes remain largely fragmented and cost-driven, with limited incorporation of structured cybersecurity risk assessment and compliance verification (Adeleke et al., 2015). This gap contributes to the deployment of systems that may be functionally adequate but structurally vulnerable to cyber threats.
Alongside procurement weaknesses, cybersecurity consciousness among health personnel plays a critical role in safeguarding digital health systems. Cybersecurity consciousness refers to the awareness, knowledge, attitudes, and behavioural practices of health workers regarding the protection of digital health information. It includes the ability to identify cyber threats such as phishing emails, malicious links, and social engineering attempts, as well as adherence to institutional policies on password management, system access control, and incident reporting. Evidence from healthcare environments consistently shows that human factors remain a dominant cause of data breaches, particularly through unsafe practices such as password sharing, weak authentication behaviours, and failure to report security incidents.
In Bayelsa State, six health institutions are progressively implementing digital health systems within a challenging operational environment characterised by unstable electricity supply, inadequate broadband connectivity, limited cybersecurity infrastructure, and insufficient structured training opportunities for health personnel. These constraints collectively increase system vulnerability and reduce the effectiveness of existing security measures, particularly where user awareness and institutional preparedness are limited.
The COVID-19 pandemic further exposed the fragility of global digital health infrastructures. The rapid expansion of remote healthcare delivery, digital surveillance systems, and electronic health communication was accompanied by a significant rise in cyber attacks targeting healthcare institutions worldwide (World Health Organization, 2021). In Nigeria, incidents of ransomware attacks, data breaches, and system disruptions have been reported across health facilities, although the true scale is likely underrepresented due to weak detection systems, limited reporting culture, and institutional sensitivity to reputational risk.
In response, regulatory frameworks such as those introduced by the National Information Technology Development Agency (NITDA) and the Nigeria Data Protection Commission have strengthened expectations for data governance, compliance, and information security within the health sector. Despite these developments, there remains limited empirical evidence on how procurement processes incorporate cybersecurity requirements and the extent of cybersecurity consciousness among health personnel in subnational health systems such as Bayelsa State.
Against this background, this study assessed digital health data procurement practices and cybersecurity consciousness among health personnel in six selected health institutions in Bayelsa State, Nigeria.
Digital health systems are increasingly implemented in health institutions in Bayelsa State; however, uncertainty remains regarding the extent to which procurement processes incorporate adequate cybersecurity standards and whether health personnel possess sufficient cybersecurity consciousness to safeguard patient data.
Evidence from comparable Nigerian settings indicates that procurement practices often exclude formal security risk assessments and vendor compliance verification (Adeleke et al., 2015). Even where electronic systems are deployed, weaknesses in policy implementation and inadequate staff training continue to undermine system security.
In addition, health personnel frequently exhibit poor cybersecurity practices, including weak password management, credential sharing, and failure to report suspicious activities (Kruse et al., 2017). These challenges are further intensified by infrastructural constraints such as unstable power supply and limited technical support.
Empirical evidence specific to the selected health institutions in Bayelsa State remains limited. This gap restricts evidence-based policy development and weakens efforts to implement targeted cybersecurity interventions.
Against this background, the study is guided by the question: to what extent do digital health procurement practices and cybersecurity consciousness among health personnel influence the security and reliability of electronic health data systems in selected health institutions in Bayelsa State?
Digital health transformation has become a defining feature of modern healthcare systems, driven by the adoption of electronic health records (EHRs), hospital information systems, telemedicine platforms, and interoperable health data infrastructures. Empirical studies consistently show that while these systems improve efficiency, clinical decision-making, and continuity of care, they simultaneously introduce significant cybersecurity vulnerabilities, particularly in resource-constrained settings (Kruse et al., 2017; Ghosh & Ghosh, 2020). Globally, healthcare has been identified as one of the most targeted sectors for cyberattacks due to the high value and sensitivity of patient data (World Health Organization, 2021; ENISA, 2023).
Recent empirical evidence indicates that cyberattacks on healthcare systems have increased in frequency and sophistication, with ransomware attacks alone accounting for a substantial proportion of disruptions in hospital services worldwide (FBI, 2022; Iqbal et al., 2023). In Europe and North America, studies have shown that compromised procurement systems and weak vendor security standards contribute significantly to system vulnerabilities (Kuo et al., 2022; McLeod & Dolezel, 2022). These findings suggest that cybersecurity risks are not only technical but also deeply embedded in institutional procurement and governance structures.
In low- and middle-income countries (LMICs), including Nigeria, empirical studies reveal even more pronounced weaknesses. Adeleke et al. (2015) found that health information system procurement processes in Nigeria rarely include structured security risk assessments or vendor compliance verification. Similarly, Ojo and Popoola (2020) reported that most Nigerian hospitals prioritize cost and functionality over cybersecurity considerations during procurement decisions, leading to the deployment of systems with inherent security flaws.
Human factors remain a critical determinant of cybersecurity outcomes in healthcare environments. Kruse et al. (2017) and Safa et al. (2019) demonstrate that health personnel often exhibit poor cyber hygiene practices, including password sharing, weak authentication behaviours, and failure to report security incidents. These behaviours are frequently linked to limited training, high workload, and inadequate institutional enforcement. In a multi-country study, Hossain et al. (2021) found that even when awareness levels are moderate, behavioural compliance remains low due to weak organisational support and poor security culture.
Empirical studies in sub-Saharan Africa further highlight systemic challenges. In Ghana, Boateng et al. (2021) observed that hospital information systems suffer from inconsistent procurement standards and lack of cybersecurity integration at the acquisition stage. In Kenya, Wanyonyi and Kinyua (2022) reported that inadequate funding and absence of dedicated cybersecurity units significantly increase vulnerability to data breaches in public hospitals. Similar findings were reported in South Africa, where Mbanaso and Dlamini (2021) identified weak policy enforcement and limited staff capacity as major barriers to effective health data protection.
Organisational support has been widely identified as a key determinant of cybersecurity behaviour in healthcare systems. Liang and Xue (2010) argue that individual awareness alone is insufficient without supportive institutional structures that facilitate secure behaviour. This is supported by more recent empirical studies showing that hospitals with strong governance frameworks, regular training programmes, and dedicated cybersecurity teams experience significantly fewer data breaches (Koppel et al., 2020; Choi et al., 2022). Conversely, institutions with weak organisational support structures tend to exhibit higher rates of security incidents, regardless of staff awareness levels.
Procurement practices also play a central role in shaping cybersecurity outcomes. Studies by Yeng et al. (2022) and AlHogail (2021) indicate that incorporating security-by-design principles during procurement significantly reduces system vulnerabilities. However, in many developing countries, procurement remains fragmented and poorly regulated, often lacking alignment with national cybersecurity standards such as those issued by regulatory bodies like NITDA in Nigeria. This gap results in systems that are functionally operational but structurally insecure.
The COVID-19 pandemic further exposed vulnerabilities in digital health systems globally. Empirical studies show a sharp rise in cyberattacks targeting hospitals during the pandemic due to rapid digitalisation and inadequate security preparedness (WHO, 2021; ENISA, 2023). In Nigeria, Udo and Udo (2022) reported increased incidents of phishing and ransomware attacks in healthcare facilities during the pandemic period, highlighting the consequences of weak cybersecurity readiness and insufficient institutional capacity.
From a behavioural perspective, Protection Motivation Theory (Rogers, 1983) and Technology Threat Avoidance Theory (Liang & Xue, 2010) have been widely applied in empirical studies to explain cybersecurity compliance behaviour in healthcare. Recent research by Ifinedo (2021) and Chatterjee et al. (2023) confirms that perceived vulnerability, response efficacy, and organisational support significantly influence protective behaviours among health workers. However, these studies also emphasize that awareness does not automatically translate into practice, particularly where institutional reinforcement is weak.
Empirical findings from Nigeria specifically show persistent gaps between knowledge and practice. Eze and Chinedu (2020) found that while healthcare workers in Nigerian tertiary hospitals demonstrate moderate cybersecurity awareness, actual compliance with security protocols remains low. Similarly, Okoye et al. (2021) reported that inadequate training and weak policy enforcement contribute to poor cyber hygiene practices among hospital staff.
Overall, the empirical literature converges on three key issues: first, cybersecurity vulnerabilities in healthcare are largely driven by weak procurement systems; second, human behavioural factors significantly influence system security; and third, organisational support structures are critical in bridging the gap between awareness and practice. These findings provide a strong justification for examining digital health procurement practices and cybersecurity consciousness in the context of Bayelsa State health institutions, where empirical evidence remains limited.
Digital health data procurement refers to the structured and policy-driven process of acquiring digital technologies used for the management of health information within healthcare institutions. It involves identifying system needs, specifying functional and security requirements, selecting vendors, evaluating compliance with technical and regulatory standards, negotiating contracts, deploying systems, and ensuring post-implementation maintenance. In addition to functionality and cost considerations, effective procurement requires explicit integration of cybersecurity requirements, interoperability standards, data integrity safeguards, scalability, and alignment with national digital health policies. In healthcare settings, weaknesses in procurement processes often translate into long-term system vulnerabilities, particularly where security assessment and vendor accountability are not adequately enforced (Adeleke et al., 2015).
Cybersecurity consciousness refers to the combined level of awareness, knowledge, attitudes, and behavioural responsiveness of individuals toward the protection of digital information systems. In healthcare environments, it reflects the extent to which health personnel can identify cyber threats such as phishing, malware, ransomware, and social engineering attacks, and their readiness to adopt preventive and corrective security measures. These include the use of strong authentication practices, adherence to password policies, secure handling of patient data, routine system updates, and prompt reporting of suspicious activities. Cybersecurity consciousness is therefore both cognitive and behavioural, shaping how effectively individuals contribute to safeguarding digital health systems against internal and external threats (Kruse et al., 2017).
Health personnel comprise all categories of staff who are directly or indirectly involved in the generation, processing, storage, transmission, or management of digital health information within healthcare institutions. This includes clinical staff such as doctors, nurses, pharmacists, and laboratory scientists, as well as non-clinical personnel such as health information management officers, administrative staff, and information technology support personnel. Their collective practices and compliance behaviours significantly influence the overall security posture of digital health systems, as human factors remain a major source of vulnerability in healthcare data environments.
Digital health data refers to all health-related information that is created, stored, processed, or transmitted in electronic formats within healthcare systems. This includes electronic medical records, laboratory and diagnostic results, radiological images, pharmacy records, billing information, and administrative datasets. These data are essential for clinical decision-making, health planning, research, and policy formulation. Ensuring their confidentiality, integrity, and availability is critical for maintaining patient trust, service continuity, and the overall reliability of healthcare delivery systems.
This study is anchored on Protection Motivation Theory (PMT) (Rogers, 1983) and Technology Threat Avoidance Theory (TTAT) (Liang & Xue, 2010), both of which provide complementary explanations for how individuals perceive digital threats and respond through protective behaviours in technology-driven environments.
Protection Motivation Theory (PMT) posits that individuals are motivated to protect themselves when they appraise a threat as both severe and likely to occur, and when they believe that recommended protective responses are effective and within their capability. These constructs are commonly expressed as perceived severity, perceived vulnerability, response efficacy, and self-efficacy (Rogers, 1983). In healthcare settings, PMT has been widely applied to explain compliance with information security policies, particularly where human behaviour is a major determinant of system vulnerability. Studies in health informatics suggest that even when awareness of cyber threats is high, low self-efficacy and weak institutional reinforcement often limit actual compliance with security protocols.
Building on PMT, Technology Threat Avoidance Theory (TTAT) (Liang & Xue, 2010) provides a more technology-specific framework by explaining how users engage in cognitive appraisal of IT-related threats and subsequently adopt avoidance behaviours. TTAT introduces coping appraisal, which evaluates both the effectiveness and cost of protective measures, alongside threat appraisal. It further explains avoidance behaviour as the outcome of perceived risk, perceived efficacy of safeguards, and perceived inconvenience of security practices.
When applied to digital health environments, TTAT helps explain why health personnel may recognize cyber risks yet fail to consistently implement protective measures such as strong password use, timely updates, or incident reporting. Prior studies in healthcare cybersecurity indicate that workload pressure, limited training, and perceived inconvenience of security protocols reduce compliance even in high-risk environments.
Together, PMT and TTAT provide a robust explanatory framework for this study. While PMT accounts for psychological motivation toward protection, TTAT extends the analysis by incorporating behavioural avoidance and practical constraints within technological systems. Their integration is particularly suitable for understanding the gap observed between cybersecurity awareness, attitudes, and actual behaviour among health personnel in digital health contexts.
METHOD AND MATERIALS
This study adopted a descriptive cross-sectional survey design to examine digital health data procurement practices and cybersecurity consciousness among health personnel in selected health institutions in Bayelsa State, Nigeria. The design is appropriate for assessing prevailing conditions, perceptions, and behaviours at a single point in time without manipulating study variables, particularly in studies involving organisational practices and information security behaviour.
The study population comprised 208 health personnel drawn from six selected health institutions, namely Kolo General Hospital, Yenagoa Hospital and Maternity, Tobis Hospital, Crest Specialist Hospital, Family Care Hospital, and GloryLand Hospital. These institutions were selected because they are actively engaged in varying stages of digital health system adoption and represent both public and private healthcare settings within the state.
Given the manageable size of the population, a census sampling technique was employed. This ensured that all 208 health personnel were included in the study, eliminating sampling error and enhancing the completeness and representativeness of the data. Respondents included clinical and non-clinical staff directly or indirectly involved in the use, management, or support of digital health information systems.
Data were collected using a structured questionnaire developed from validated instruments in previous studies on health information management and cybersecurity behaviour. The instrument was subjected to expert review to ensure content validity, clarity, and relevance to the study objectives. A pilot test was conducted in a similar but non-participating health facility to assess reliability, and necessary refinements were made prior to full administration.
Data collection was carried out over a defined period with the assistance of trained research assistants. Respondents were briefed on the purpose of the study, assured of confidentiality, and provided informed consent before participation.
Completed questionnaires were coded and analysed using the Statistical Package for the Social Sciences (SPSS) version 27. Descriptive statistics such as frequencies, percentages, means, and standard deviations were used to summarise variables, while inferential statistics including independent t-tests and Pearson correlation analysis were employed to examine group differences and relationships among key study variables. A significance level of 0.05 was adopted for all inferential analyses.
Ethical approval for the study was obtained from the Bayelsa State Ministry of Health Ethics Committee, and institutional permissions were secured from the management of all participating health facilities. All ethical principles governing human subject research, including confidentiality and voluntary participation, were strictly adhered to throughout the study.
RESULTS OF FINDINGS
A total of 196 questionnaires were completed and returned from 208 distributed, yielding a response rate of 94.2%. Table 1 presents the distribution of responses across the six selected health institutions.
Table 1: Response Rate by Institutions
| Institution | Distributed | Returned | Response Rate (%) |
|---|---|---|---|
| Kolo General Hospital | 32 | 30 | 93.8 |
| Yenagoa Hospital and Maternity | 35 | 33 | 94.3 |
| Tobis Hospital | 30 | 28 | 93.3 |
| Crest Specialist Hospital | 36 | 34 | 94.4 |
| Family Care Hospital | 37 | 35 | 94.6 |
| GloryLand Hospital | 38 | 36 | 94.7 |
| Total | 208 | 196 | 94.2 |
Demographic Characteristics of Respondents
Table 2 summarises respondents’ socio-demographic characteristics.
Table 2: Demographic Characteristics of Respondents (N=196)
| Variable | Category | Frequency | Percentage |
|---|---|---|---|
| Age | 20–29 years | 62 | 31.6 |
| | 30–39 years | 84 | 42.9 |
| | 40–49 years | 32 | 16.3 |
| | ≥50 years | 18 | 9.2 |
| Gender | Male | 89 | 45.4 |
| | Female | 107 | 54.6 |
| Education | Diploma/Certificate | 52 | 26.5 |
| | Bachelor’s degree | 118 | 60.2 |
| | Postgraduate | 26 | 13.3 |
| Years of Experience | 1–5 years | 68 | 34.7 |
| | 6–10 years | 62 | 31.6 |
| | 11–15 years | 38 | 19.4 |
| | ≥16 years | 28 | 14.3 |
| Institution Type | Public | 63 | 32.1 |
| | Private | 133 | 67.9 |
Most respondents were aged 30–39 years (42.9%), female (54.6%), held a bachelor’s degree (60.2%), and had less than 10 years of professional experience (66.3%).
Cybersecurity Awareness
Table 3 presents the level of cybersecurity awareness among respondents.
Table 3: Cybersecurity Awareness (N=196)
| Item | Mean | SD | Level |
|---|---|---|---|
| Phishing awareness | 2.85 | 1.12 | Moderate |
| Malware/ransomware understanding | 2.92 | 1.08 | Moderate |
| Password hygiene awareness | 3.24 | 1.01 | Moderate |
| Knowledge of data protection regulations | 2.78 | 1.15 | Moderate |
| Recognition of suspicious emails | 3.15 | 0.98 | Moderate |
| Reporting procedures awareness | 2.68 | 1.21 | Low |
| Secure data sharing knowledge | 2.95 | 1.05 | Moderate |
| Two-factor authentication awareness | 2.45 | 1.18 | Low |
| Awareness of hospital security policies | 2.32 | 1.22 | Low |
| Social engineering recognition | 2.88 | 1.10 | Moderate |
| Overall Awareness | 2.82 | 0.88 | Moderate |
Overall awareness was moderate (mean = 2.82 ± 0.88). Lower scores were observed for knowledge of institutional security policies, two-factor authentication, and reporting procedures.
Cybersecurity Attitudes
Table 4 presents respondents’ attitudes toward cybersecurity.
Table 4: Cybersecurity Attitudes (N=196)
| Item | Mean | SD | Level |
|---|---|---|---|
| Importance for patient safety | 4.10 | 0.85 | High |
| Personal responsibility | 3.95 | 0.92 | High |
| Need to follow security policies | 3.82 | 0.95 | High |
| Effectiveness of security measures | 3.15 | 1.02 | Moderate |
| Individual impact on security | 3.08 | 1.10 | Moderate |
| IT-only responsibility (R) | 2.45 | 1.18 | Low |
| Security protocols are time-consuming (R) | 2.85 | 1.12 | Moderate |
| Confidence in compliance ability | 3.20 | 0.98 | Moderate |
| Overall Attitude | 3.33 | 0.79 | Moderate |
Cybersecurity attitudes were moderately positive (mean = 3.33 ± 0.79), with strong agreement on its importance for patient safety and individual responsibility.
Cybersecurity Behaviours
Table 5 summarises actual cybersecurity practices.
Table 5: Cybersecurity Behaviours (N=196)
| Item | Mean | SD | Level |
|---|---|---|---|
| Strong password use | 2.65 | 1.15 | Low |
| Regular password change | 2.18 | 1.22 | Low |
| Screen locking | 2.35 | 1.20 | Low |
| Not sharing credentials | 2.85 | 1.08 | Moderate |
| Reporting suspicious emails | 2.12 | 1.25 | Low |
| System logout practice | 2.45 | 1.18 | Low |
| Software updates | 2.28 | 1.22 | Low |
| Two-factor authentication use | 1.95 | 1.18 | Low |
| Avoiding malicious links | 2.92 | 1.05 | Moderate |
| Participation in training | 2.08 | 1.20 | Low |
| Incident reporting | 2.15 | 1.22 | Low |
| Use of authorised devices | 2.58 | 1.15 | Low |
| Overall Behaviour | 2.38 | 0.85 | Low |
Cybersecurity behaviour was low (mean = 2.38 ± 0.85), with particularly weak performance in authentication practices, training participation, and incident reporting.
Digital Health Data Procurement Practices
Table 6 presents procurement-related practices.
Table 6: Procurement Practices (N=196)
| Item | Mean | SD | Level |
|---|---|---|---|
| Security risk assessment | 1.85 | 1.08 | Low |
| Security-based vendor selection | 1.92 | 1.10 | Low |
| Vendor compliance checks | 1.78 | 1.05 | Low |
| Post-procurement vulnerability testing | 1.95 | 1.12 | Low |
| Security clauses in contracts | 2.05 | 1.15 | Low |
| Needs assessment | 2.85 | 1.20 | Moderate |
| Maintenance planning | 2.45 | 1.18 | Low |
| Documentation of procurement | 2.35 | 1.22 | Low |
| Overall Procurement | 2.15 | 0.92 | Low |
Procurement practices were generally inadequate (mean = 2.15 ± 0.92), particularly in security risk assessment and vendor compliance verification.
Comparison of Public and Private Institutions
Table 7: Independent t-test Results
| Dimension | Public (n=63) Mean (SD) | Private (n=133) Mean (SD) | t | p-value |
|---|---|---|---|---|
| Awareness | 2.68 (0.82) | 2.89 (0.90) | 1.58 | 0.115 |
| Attitude | 3.25 (0.75) | 3.37 (0.81) | 1.01 | 0.314 |
| Behaviour | 2.28 (0.82) | 2.43 (0.87) | 1.18 | 0.239 |
| Procurement | 2.05 (0.88) | 2.20 (0.94) | 1.10 | 0.272 |
| Support | 2.15 (0.82) | 2.25 (0.87) | 0.78 | 0.438 |
No statistically significant differences were observed between public and private institutions (p > 0.05).
Correlation Analysis
Table 8: Pearson Correlation Matrix (N=196)
| Variable | Awareness | Attitude | Behaviour | Procurement | Support |
|---|---|---|---|---|---|
| Awareness | 1.00 | | | | |
| Attitude | 0.48** | 1.00 | | | |
| Behaviour | 0.35** | 0.52** | 1.00 | | |
| Procurement | 0.28** | 0.25** | 0.32** | 1.00 | |
| Support | 0.42** | 0.38** | 0.55** | 0.45** | 1.00 |
** p < 0.01
The strongest association was observed between organisational support and cybersecurity behaviour (r = 0.55, p < 0.01).
DISCUSSION OF FINDINGS
This study assessed digital health data procurement practices and cybersecurity consciousness among health personnel in six health institutions in Bayelsa State. The findings indicate a consistent pattern of moderate awareness (mean = 2.82) and attitudes (mean = 3.33) alongside low cybersecurity behaviour (mean = 2.38), suggesting a persistent knowledge–practice gap in healthcare cybersecurity implementation.
The observed disparity between awareness and behaviour aligns with established evidence in health informatics, where cognitive awareness alone is insufficient to ensure secure system use in clinical environments. Within the framework of Protection Motivation Theory (Rogers, 1983), the findings suggest that although health personnel recognise cybersecurity risks, their self-efficacy and response efficacy remain inadequate to support sustained protective action. Similarly, Technology Threat Avoidance Theory (Liang and Xue, 2010) explains the low behavioural compliance through weak coping appraisal and perceived inefficiencies in security practices.
A key finding is the statistically significant association between organisational support and cybersecurity behaviour (r = 0.55, p < 0.01). This underscores the importance of institutional structures in shaping security compliance. The result supports socio-technical perspectives in health information systems literature, which emphasise that effective cybersecurity outcomes depend on alignment between human behaviour, organisational policies, and technological infrastructure.
The low level of procurement security integration (mean = 2.15) suggests that cybersecurity considerations are not systematically embedded in acquisition processes. This exposes health systems to vulnerabilities at the procurement stage, reinforcing concerns raised in prior studies that weak procurement governance contributes to structural insecurity in digital health systems in low- and middle-income countries.
The absence of significant differences between public and private institutions (p > 0.05 across variables) indicates that cybersecurity weaknesses are systemic rather than institution-specific. This finding suggests that broader health system governance issues, including funding limitations, inadequate regulatory enforcement, and insufficient capacity development, are primary determinants of cybersecurity outcomes.
Overall, the results indicate that cybersecurity risks in the studied institutions are driven less by individual ignorance and more by organisational and systemic deficiencies, particularly in training, procurement governance, and institutional enforcement mechanisms.
CONCLUSION
This study provides empirical evidence on the interplay between digital health procurement practices and cybersecurity consciousness among health personnel in Bayelsa State. While awareness and attitudes toward cybersecurity are moderate, actual protective behaviours remain low, indicating a substantial implementation gap in healthcare information security.
The findings demonstrate that organisational support is the strongest predictor of cybersecurity behaviour, highlighting the central role of institutional structures in determining compliance with security protocols. Weak procurement processes further compound these risks by embedding security vulnerabilities into digital health systems at the acquisition stage.
From a systems perspective, the results suggest that improving cybersecurity in healthcare requires integrated interventions that extend beyond individual awareness to include institutional governance reform, structured capacity building, and procurement standardisation. In the absence of such measures, improvements in awareness alone are unlikely to translate into meaningful reductions in cybersecurity risk.
In conclusion, cybersecurity resilience in the studied institutions is constrained primarily by systemic and organisational weaknesses rather than individual-level deficits. Strengthening procurement governance, institutional policy enforcement, and workforce capacity is therefore essential for securing digital health systems and ensuring safe patient data management in Bayelsa State.
RECOMMENDATIONS
ACKNOWLEDGMENT
We wish to appreciate God Almighty for the inspiration and guidance to achieve this work.
CONFLICT OF INTEREST
No conflict of interest was declared.
REFERENCES
Jack Gbarabe Biobelemoye, Dogiye Lucky Ebiteinye, Chinyere G. N. Idiapho, Assessment of Digital Health Data Procurement and Cybersecurity Consciousness among Health Personnel in Bayelsa State, Nigeria, Int. J. of Pharm. Sci., 2026, Vol 4, Issue 5, 4673-4686. https://doi.org/10.5281/zenodo.20279043