Benefits and Risks of Shadow IT in Health Care: A Narrative Review of the Literature



Shadow IT, Information Security, Health care, Regulations, Review


Currently, health care institutions are confronted with practices related to Shadow IT (SIT) that allow employees to improve their efficiency through tools that complement corporate-provided IT resources. Although SIT practices can be beneficial, they also create additional vulnerabilities and access points for cyberthreats in institutions where patient data are regarded as sensitive. Therefore, this research addresses the following question: What are the benefits and risks of SIT-related practices in health care? Based on a narrative review of the literature, including 220 articles, this research highlights several specificities of the health care context and their impact on research related to IT adoption and information security behaviors. In terms of managerial contributions, we formulate several proposals to better manage SIT-related risks, such as staff awareness and zero trust solutions. We also contribute to the academic literature by highlighting the interest of questioning specific drivers of reverse IT adoption, the phenomenon of pseudo-compliance and the impact of neutralization techniques. We also make several proposals for future research, such as studying the impact of emergency situations on the behavior of health care personnel.

Author Biographies

Paméla Baillette, University of Bordeaux, IRGO Research Center

Paméla Baillette is Associate Professor in Management Science-Information Systems at the University of Bordeaux, France. She is member of the research center IRGO-Bordeaux. Her current research interests include behavioral issues related to information security, technological and management innovation, and traceability related to agribusiness management. She has published research papers in International Journal of Information Management, Systèmes d’Information et Management, Revue Internationale P.M.E., Journal of Organizational Change Management, International Small Business Journal, Production Planning & Control, and Journal of Global Information Management.

Yves Barlette, Montpellier Business School

Dr. Yves BARLETTE is a Full Professor of Information Systems at the Montpellier Business School, France. His current research focuses on behavioral issues related to information security, and on the digital transformation of organizations. He has 19 publications appearing in journals such as Systèmes d’Information et Management, International Journal of Information Management, Journal of Organizational Change Management, Journal of Global Information Management, and Production Planning & Control. He also authored 14 books and book chapters.

Jean-François Berthevas, La Rochelle University School of ManagementCEREGE Research Center

Dr. Jean-Francois Berthevas is Associate Professor of Information Systems at La Rochelle University School of Management, France. He is member of the Centre de Recherche en Gestion (CEREGE, Poitiers & La Rochelle). His current research focuses on information security and behavioral issues, and on the digital transformation of organizations. He has been Director of the School of Management at the University of Orleans (France). He has 21 years of experience in business, including 10 years as an IT specialist and 7 years as manager in the field of telecommunications and cybersecurity in major companies (IBM GNS, AT&T GNS, Engie). He has published an article in the Systèmes d’Information et Management journal.



Abassi, I., & van Schaik, R. (2019). The Netherlands – first GDPR fine imposed: Eur 460,000. Accessed April 27, 2021.

Adler, P.S., Kwon, S.-W., & Heckscher, C. (2008). Professional work: The Emergence of Collaborative Community. Organizational Science, 19(2), 359–376.

Ajzen, I. (1991). The Theory of Planned Behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211.

Ali, O., Shrestha, A., Soar, J, & Fosso Wamba, S. (2018). Cloud computing-enabled healthcare opportunities, issues, and applications: A systematic review. International Journal of Information Management, 43, 146-158.

Alter, S. (2014). Theory of Workarounds. Communications of the Association for Information Systems, 34(55), 1041-1066.

Alvesson, M., & Sandberg, J. (2020). The problematizing review: A counterpoint to Elsbach and Van Knippenberg’s argument for integrative reviews. Journal of Management Studies, 57(6), 1290-1304.

Anderson, C.L., & Agarwal, R. (2010). Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Quarterly, 34(33), 613–643.

Anderson, C., Baskerville, R.L., & Kaul, M. (2017). Information Security Control Theory: Achieving a Sustainable Reconciliation Between Sharing and Protecting the Privacy of Information. Journal of Management Information Systems, 34(4), 1082-1112.

Angst, C.M., Block, E.S., D’Arcy, J., & Kelley, K. (2017). When Do IT Security Investments Matter? Accounting for the Influence of Institutional Factors in the Context of Healthcare Data Breaches. MIS Quarterly, 41(3), 893-916.

Baillette, P., Barlette, Y., & Leclercq-Vandelannoitte, A. (2018). Bring Your Own Device in Organizations: Extending the Reversed Adoption Logic to Security Paradoxes for CEOs and End Users. International Journal of Information Management, 43, 76-84.

Barlette, Y., & Fomin, V.V. (2009). The adoption of Information Security Management Standards: A Literature Review. In Knapp K.J. (ed.), Cyber-Security & Global Information Assurance: Threat, analysis and response solutions, pp. 119-140, IGI Global, USA.

Barlette, Y., Gundolf, K., & Jaouen, A. (2017). CEOs’ Information Security Behavior in SMEs: Does Ownership Matter? Systèmes d'Information et Management, 22(3), 7-45.

Barlette, Y., & Jaouen, A. (2019). Information security in SMEs: determinants of CEOs’ protective and supportive behaviors. Systèmes d'Information et Management, 24(3), 7-40.

Bautista, J.R. (2019). Nurses’ Use of Smartphones for Work Purposes in the Philippines: Predictors, Outcomes, and Issues. Doctoral thesis, Nanyang Technological University, Singapore.

Bautista, J.R., Rosenthal, S., Lin, T.T.C., & Theng, Y.L. (2018). Predictors and outcomes of nurses’ use of smartphones for work purposes. Computers in Human Behavior, 84, 360-374.

Beauvais, B., Richter, J.P., & Kim, F.S. (2019). Evaluating the influence of patient safety performance on hospital financial outcomes. Health Care Management Review, 44(1), 2-9.

Behrens, S. (2009). Shadow Systems: The Good, the Bad and the Ugly. Communication of the ACM, 52(2), 124-129.

Bergman, M., Johansson, P., Lundberg, S., & Spagnolo, G. (2016). Privatization and quality: Evidence from elderly care in Sweden. Journal of Health Economics, 49, 109-119.

Berthevas, J-F. (2021). How protection motivation and social bond factors influence information security behavior. Systèmes d’Information et Management, 26(2), in press.

Bitglass. (2018). Bitglass 2018 BYOD Report: More Than Half of Companies See Rise in Mobile Security Threats. Accessed April 27, 2021.

Bitglass. (2021). Healthcare Breach Report. Hacking and IT Incidents on the Rise. Accessed April 27, 2021.

Bouras, A. (2015). Quality tools to improve the communication level in the surgery department at a local hospital. Computers in Human Behavior, 51, 843–851.

Bourdon, I., & Ologeanu-Taddei, R. (2019). De la difficile cohabitation des technologies d’information officielles et fantômes : le cas des pratiques photographiques numériques dans un établissement de santé. Management & Avenir, 112, 81-99.

Breslin, D., & Gatrell, C. (2020). Theorizing through literature reviews: The miner-prospector continuum. Organizational Research Methods, 1-29,

Brew-Sam, N., & Chib, A. (2019). How do smart device apps for diabetes self-management correspond with theoretical indicators of empowerment? An Analysis of App Features. International Journal of Technology Assessment in Health Care, 35(2), 150-159.

Califf, C., Sarker, S., & Sarker, S. (2020). The Bright and Dark Sides of Technostress: A Mixed-Methods Study Involving Healthcare IT. MIS Quarterly, 44(2), 809-856.

Carvalho, J.V., Rocha, A., Vasconcelos, J., & Abreu, A. (2019). A health data analytics maturity model for hospitals information systems. International Journal of Information Management, 46, 278-285.

Chen, L., Baird, A., & Rai, A. (2019). Mobile Health (mHealth) Channel Preference: An Integrated Perspective of Approach-Avoidance Beliefs and Regulatory Focus. Journal of the Association for Information Systems, 20(12), 1743-1773.

Chiang, K.F., & Wang, H.H. (2016). Nurses’ experiences of using a smart mobile device application to assist home care for patients with chronic disease: A qualitative study. Journal of Clinical Nursing, 25(13-14), 2008-2017. 10.1111/jocn.13231

Chua, C., Storey, V., & Chen, L. (2014). Central IT or Shadow IT? Factors shaping users’ decision to go rogue with IT. 36th International Conference on Information Systems (ICIS), Auckland, New Zealand.

Ciborra, C. (2002). The labyrinths of information: challenging the wisdom of systems. Oxford University Press, Oxford.

CNIL. (2021). Personal Data Security Guide. Accessed April 27, 2021.

Cooper, Z., & Scott Morton, F. (2021). 1% Steps for Health Care Reform: implications for health care policy and for researchers. Health Services Research,

Davis, F.D. (1989). Perceived Usefulness, Perceived Ease of Use, and user Acceptance of Information Technology. MIS Quarterly, 13(3), 319-340.

Davis, J. (2021). Healthcare Cyberattacks Doubled in 2020, with 28% Tied to Ransomware, Health IT Security. Accessed April 27, 2021.

De Kok, A., Lubbers, Y., & Helms, R.W. (2015). Mobility and Security in the New Way of Working: Employee Satisfaction in a Choose Your Own Device (CYOD) Environment. 9th Mediterranean Conference on Information Systems (MCIS), Greece, 73-92.

De Kok, A., Van Zwieten, J., & Helms, R.W. (2016). Attitude towards NWOW and Activity Based Working: Activity Patterns and Change Perspectives. 17th European Conference on Knowledge Management, Ulster University Northern Ireland, UK, 1-2 September.

Department of Veterans Affairs (2018). Review of Alleged Unsecured Patient Database at the VA Long Beach Healthcare System. Accessed April 27, 2021.

DiBenigno, J. (2018). Anchored personalization in managing goal conflict between professional groups: The case of U.S. Army mental healthcare. Administrative Science Quarterly, 63(3), 526–569.

DiMartino, L., Birken, S., Hanson, L., Trogdon, J., Clary, A., Weinberger, M., Reeder-Hayes, K., & Weiner, B. (2018). The influence of formal and informal policies and practices on health care innovation implementation: A mixed-methods analysis. Health Care Management Review, 43(3), 249-260.

Dinev, T., & Hu, Q. (2007). The centrality of awareness in the formation of user behavioral intention toward protective information technologies. Journal of the Association for Information Systems, 8(7), 386–408.

Doargajudhur, M.S., & Dell, P. (2019). Impact of BYOD on organizational commitment: an empirical investigation. Information Technology & People, 32(2), 246-268.

Drummond, M., Torbica, A., & Tarricone, R. (2020). Should health technology assessment be more patient centric? If so, how?. The European Journal of Health Economics, 21(8), 1117-1120.

Dutot, V, Bergeron, F., Rozhkova, K., & Moreau, N. (2018). Factors Affecting the Adoption of Connected Objects in e-Health: A Mixed Methods Approach. Systèmes d’Information et Management, 23(4), 31-66.

Embrey, B. (2020). The top three factors driving zero trust adoption. Computer Fraud & Security, 2020(9), 13-15.

Epané, J.P., Weech-Maldonado, R., Hearld, L., Menachemi, N., Sen, B., O’Connor, S., & Ramamonjiarivelo, Z. (2019). Hospitals’ use of hospitalists: Implications for financial performance. Health Care Management Review, 44(1), 10-18.

European Commission. (2021). Data protection in the EU. Accessed April 28, 2021.

Everson, J., & Adler-Milstein, J. (2020). Sharing information electronically with other hospitals is associated with increased sharing of patients. Health Services Research, 55(1), 128-135.

Faber, S., Van Geehuizen, M., & De Reuver, M. (2017). EHealth adoption factors in medical hospitals: A focus on the Netherlands. International Journal of Medical Informatics, 100, 77-89.

Ferneley, E., & Bell, F. (2006). Using bricolage to integrate business and information technology innovation in SMEs. Technovation, 26, 232-241.

Ferraro, N. (2020). Health Prognosis on the Security of IoMT Devices? Not Good. Accessed April 27, 2021.

Flaumenhaft, Y., & Ben-Assuli, O. (2018). Personal health records, global policy and regulation review. Health Policy, 122(8), 815-826.

Flynn, G.A., Polivka, B., & Behr, J.H. (2018). Smartphone use by nurses in acute care settings. Computers, Informatics, Nursing, 36(3), 120-126.

Forbes (2019). Shadow IT: You Can’t Protect What You Can’t See. Accessed April 27, 2021.

Forman, R., Shah, S., Jeurissen, P., Jit, M., & Mossialos, E. (2021). COVID-19 vaccine challenges: What have we learned so far and what remains to be done?. Health Policy. 125(5), 553-567.

Foth, M. (2016). Factors influencing the intention to comply with data protection regulations in hospitals: based on gender differences in behaviour and deterrence. European Journal of Information Systems, 25, 91–109.

Freedman, S., Golberstein, E., Huang, T.-Y., Satin, D.J., & Smith, L.B. (2021). Docs with their eyes on the clock.? The effect of time pressures on primary care productivity. Journal of Health Economics, 77, 102442.

Fürstenau, D., & Rothe, H. (2014). Shadow IT systems: discerning the good and the evil. 22nd European Conference on Information Systems (ECIS). Tel Aviv, Israel.

Fürstenau, D., Rothe, H., & Sandner, M. (2017). Shadow Systems, Risk, and Shifting Power Relations in Organizations. Communications of the Association for Information Systems, 41, 43-61.

Ganasegeran, K., Renganathan, P., Rashid, A., & Al-Dubai, S. (2017). The m-Health revolution: exploring perceived benefits of WhatsApp use in clinical practice. International Journal of Medical Informatics, 97, 145-151.

Gardiyawasam Pussewalage, H.S., & Oleshchuk, V.A. (2016). Privacy preserving mechanisms for enforcing security and privacy requirements in E-health solutions. International Journal of Information Management, 36, 1161–1173.

Gaspar, K., Portrait, F., Van der Hijden, E., & Koolman, X. (2020). Global budget versus cost ceiling: a natural experiment in hospital payment reform in the Netherlands. The European Journal of Health Economics, 21, 105-114.

Goth, G. (2014). Nurses Use Personal Smartphones for Care Despite Lack of Support, Security Issues. Health Data Management. Accessed April 27, 2021.

Gozman, D., & Willcocks, L. (2015). Crocodiles in the Regulatory Swamp: Navigating the Dangers of Outsourcing, SaaS and Shadow IT. 36th International Conference on Information Systems (ICIS), Fort Worth, USA.

Green, B.N., Johnson, C.D., & Adams, A. (2006). Writing narrative literature reviews for peer-review journals: Secrets of the trade. Journal of Chiropractic Medicine, 5, 101-117.

Greenhalgh, T., Thorne, S., & Malterud, K. (2018). Time to challenge the spurious hierarchy of systematic over narrative reviews?. European Journal of Clinical Investigation. 48(6), e12931.

Gregory, R.W., Kanager, E., Henfridsson, O., & Ruch, T.J. (2018). IT Consumerization and the Transformation of IT Governance. MIS Quarterly, 42(4), 1225-1253.

Gulacti, U., Lok, U., Hatipoglu, S., & Polat, H. (2016). An analysis of WhatsApp usage for communication between consulting and emergency physicians. Journal of Medical Systems, 40(6), 130.

Györy, A., Cleven, A., Uebernickel, F., & Brenner, W. (2012). Exploring the shadows: IT governance approaches to user-driven innovation. 20th European Conference on Information Systems (ECIS), Barcelona, Spain.

Haag, S. (2015). Appearance of Dark Clouds? - An Empirical Analysis of Users’ Shadow Sourcing of Cloud Services. 12th International Tagung Wirtschaftsinformatik, Osnabrück, S., 1438–1452.

Haag, S., & Eckhardt, A. (2014). Normalizing the Shadows: The Role of Symbolic Models for Individuals’ Shadow IT Usage. 35th International Conference on Information Systems (ICIS), Auckland, New Zealand.

Haag, S., & Eckhardt, A. (2015). Justifying Shadow IT Usage. 19th Pacific Asia Conference on Information Systems (PACIS), Singapore.

Haag, S., & Eckhart, A. (2017). Shadow-It. Business & Information Systems Engineering, 59(6), 469–473.

Haag, S., Eckhart, A., & Schwartz, A. (2019). The Acceptance of Justifications among Shadow IT Users and Nonusers – An Empirical Analysis. Information & Management, 56(5), 731–741.

Habib, J., Béjean, M., & Dumond, J.P. (2017). Appréhender les transformations organisationnelles de la santé numérique à partir des perceptions des acteurs. Systèmes d’Information et Management, 22(1), 39-69.

Habib, J., Yatim, F., & Sebai, J. (2019). Analyse des facteurs influençant l’émergence des pratiques de télémédecine : le cas des Maisons de Santé en France. Systèmes d’Information et Management, 24(1), 47-85.

Haluza, D., & Jungwirth, D. (2014). ICT and the future of health care: aspects of doctor-patient communication. International Journal of Technology Assessment in Health Care, 30(3), 298-305.

Hanelt, A., Bohnsack, R., Marz, D., & Antunes Marante, C. (2021). A systematic review of the literature on digital transformation: insights and implications for strategy and organizational change. Journal of Management Studies. 58(5), 1159-1197.

Harrington, S.J. (1996). The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions. MIS Quarterly, 20(3), 257-278.

Harris, J, Ives, B, & Junglas, I. (2012). IT consumerization: when gadgets turn into enterprise IT tools. MIS Quarterly Executive, 11, 9–112.

He, W. (2020). Using the internet of things to fight virus outbreaks. Accessed May 31, 2021.

He, W., Zhang, Z., & Li, W. (2021). Information technology solutions, challenges, and suggestions for tackling the COVID-19 pandemic. International Journal of Information Management, 57, 102287.

Henderson, J., & Venkatraman, N. (1993). Strategic Alignment: Leveraging information technology for transforming Organizations – Technical. IBM Systems Journal, 32(1), 4-16.

Holmgren, A.J., Phelan, J., Jha, A.K., & Adler-Milstein, J. (2021). Hospital organizational strategies associated with advanced HER adoption. Health Services Research,

Howell O’Neill, P. (2020). A wave of ransomware hits US hospitals as coronavirus spikes. MIT Technology Review. Accessed April 27, 2021.

Huber, T., Shortell, S., & Rodriguez, H. (2017). Improving Care Transitions Management: Examining the Role of Accountable Care Organization Participation and Expanded Electronic Health Record Functionality. Health Services Research, 52(4), 1494-1510.

Huff, A.S. (2008). Designing research for publication. Thousand Oaks: Sage.

Huitfeldt, I. (2021). Hospital reimbursement and capacity constraints: Evidence from orthopedic surgeries. Health Policy,

Hulstaert, F., Ruether, A., Demotes, J., & Melien, Ø. (2020). Closing the cycle of innovation in healthcare in Europe. International Journal of Technology Assessment in Health Care, 36(2), 75-79.

ISO. (2021). Health informatics — Information security management in health using ISO/IEC 27002. Accessed April 30, 2021.

Jarrahi, M.H., Crowston, K., Bondar, K., & Katzy, B. (2017). A pragmatic approach to managing enterprise IT infrastructures in the area of consumerization and individualization of IT. International Journal of Information Management, 37(6), 566-575.

Johnston, M., King, D., Arora, S., Behar, N., Athanasiou, T., Sevdalis, N., & Darzi, A. (2015). Smartphones let surgeons know WhatsApp: an analysis of communication in emergency surgical teams. American Journal of Surgery, 209(1), 45–51.

Johnstone, S. (2020). A viral warning for change. Covid-19 versus the Red Cross: Better Solutions Via Blockchain and Artificial Intelligence. University of Hong Kong Faculty of Law Research Paper, 2020/005.

Jokonya, O. (2016). Towards a Critical Systems Thinking Approach during IT Adoption in Organisations. Procedia Computer Science, 100, 856-864.

Jones, A., Blake, J., Adams, M. Kelly, D., Mannion, R., & Maben, J. (2021). Interventions promoting employee “speaking-up” within healthcare workplaces: A systematic narrative review of the international literature. Health Policy, 125(3), 375-384.

Junglas, I., Goel, L., Ives, B., & Harris, J. (2019). Innovation at work: The relative advantage of using consumer IT in the workplace. Information Systems Journal, 29, 317–339.

Kadimo, K., Kebaetse, M.B., Ketshogileng, D., Seru, L.E., Sebina, K.B., Kovarik, C., & Balotlegi, K. (2018). Bring-your-own-device in medical schools and healthcare facilities: A review of the literature. International Journal of Medical Informatics, 119, 94-102.

Kahn, R.L, Wolfe, D.M., Quinn, R.P, Snoek, J.D., & Rosenthal, R.A. (1964). Organizational stress: Studies in role conflict and ambiguity. New York: John Wiley and Sons.

Khando, K., Gao, S., Islam, S.M., & Salman, A. (2021). Enhancing employees’ information security awareness in private and public organisations: A systematic literature review. Computers & Security, 106, 102267.

Kane, G.C. (2015). How Digital Transformation Is Making Health Care Safer, Faster and Cheaper. MIT Sloan Management Review, 57(1), 41-47.

Karahanna, E., Chen, A., Liu, Q.B., & Serrano, C. (2019). Capitalizing on health information technology to enable digital advantage in U.S. Hospitals. MIS Quarterly, 43(1), 113-140.

Kauta, N.J., Groenewald, J., Arnolds, D., Blankson, B., Omar, A., Naidu, P., Naidoo, M., & Chu, K. (2020). WhatsApp mobile health platform to support fracture management by non-specialists in South Africa. Journal of the American College of Surgeons, 230(1), 37-42.

Kaw, J.A., Loan, N.A., Parah, S.A., Muhammad, K., Sheikh, J.A., & Bhat, G.M. (2019). A reversible and secure patient information hiding system for IoT driven e-health. International Journal of Information Management, 45, 262-275.

Keil, M., Park, E.H., & Ramesh, B. (2018). Violations of health information privacy: The role of attributions and anticipated regret in shaping whistle‐blowing intentions. Information Systems Journal, 28, 818–848.

Kerr, D., Houghton, L., & Burgess, K. (2007). Power Relationship that Lead to the Development of Feral Systems. Australasian Journal of Information Systems, 14(2), 141-152.

Kerravala, Z. (2020). ‘Shadow IoT’ is becoming a big problem. Here’s what you can do about it. Silicon Angle. Accessed April 28, 2021.

Khanna, V., Sambandam, S., Gul. A., & Mounasami, V. (2015). “WhatsApp”ening in orthopedic care: a concise report from a 300-bedded tertiary care teaching center. European Journal of Orthopaedic Surgery & Traumatology, 25(5), 821-826.

Klotz, S., Kopper, A., Westner, M., & Strahringer, S. (2019). Causing Factors, Outcomes, and Governance of Shadow IT and Business-managed IT: A Systematic Literature Review. International Journal of Information Systems and Project Management, 7, 15–43.

Kumar, M., Singh, J.B., Chandwani, R., & Gupta, A. (2020). “Context” in healthcare information technology resistance: A systematic review of extant literature and agenda for future research. International Journal of Information Management, 51, 102044.

Kwon, J., & Johnson, M.E. (2013). Health-care security strategies for data protection and regulatory compliance. Journal of Management Information Systems, 30(2), 41-65.

Kwon, J., & Johnson, M.E. (2018). Meaningful Healthcare Security: Does Meaningful-use Attestation Improve Information security performance? MIS Quarterly, 42(4), 1043-1067.

Lapointe, L., & Rivard, S. (2005). A Multilevel Model of Resistance to Information Technology Implementation. MIS Quarterly, 29(3), 461–491.

Laumer, S., Maier, C., & Weitzel, T. (2017). Information quality, user satisfaction, and the manifestation of workarounds: a qualitative and quantitative study of enterprise content management system users. European Journal of Information Systems, 26(4), 333–360.

Leclercq-Vandelannoitte, A. (2015). Managing BYOD: how do organizations incorporate user-driven IT innovations? Information Technology & People, 28(1), 2-33.

Leclercq-Vandelannoitte, A., & Bertin, E. (2018). From sovereign IT governance to liberal IT governmentality? A Foucauldian analogy. European Journal of Information Systems, 27(3), 326-346.

Li, L., He, W., Xu, L., Ash, I., Anwar, M., & Yuan, X. (2019). Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management, 45(April), 13-24.

Li, H., Yoo, S., & Kettinger, W.J. (2021). The Roles of IT Strategies and Security Investments in Reducing Organizational Security Breaches. Journal of Management Information Systems, 38(1), 222–245.

Lian, J.-W., Yen, D.C., & Wang, Y.-T. (2014). An exploratory study to understand the critical factors affecting the decision to adopt cloud computing in Taiwan hospital. International Journal of Information Management, 34(1), 28-36.

Liu, F., Ngai, E., & Ju, X. (2019). Understanding mobile health service use: An investigation of routine and emergency use intentions. International Journal of Information Management, 45, 107-117.

Lovell, T. (2020). Making privacy work. Healthcare IT News. Accessed April 27, 2021.

MacNeil, M., Koch, M., Kuspinar, A., Juzwishin, D., Lehoux, P., & Stolee, P. (2019). Enabling health technology innovation in Canada: Barriers and facilitators in policy and regulatory processes. Health Policy, 123(2), 203-214.

Mallmann, G.L., Maçada, A.C.G., & Eckhardt, A. (2018). We are social: a social influence perspective to investigate shadow IT usage. 26th European Conference on Information Systems (ECIS), Portsmouth, UK.

Marsan, J., Audebrand, L.K., Croteau, A.-M., & Magnin, G. (2017). Healthcare service innovation based on information technology: The role of social values alignment. Systèmes d’Information et Management, 22(1), 97-127.

Marshall, E.G., Power, M., Edgecombe, N., & Andrew, M.K. (2020). Above and beyond: A qualitative study of the work of nurses and care assistants in long term care. Work, 65(3), 509-516.

Marshall, S. (2014). IT Consumerization: A Case Study of BYOD in a Healthcare Setting. Technology Innovation Management Review, 4(3), 14-18.

Martin, G., Khajuria, A., Arora, S., King, D., Ashrafian, H., & Darzi, A. (2019). The impact of mobile technology on teamwork and communication in hospitals: a systematic review. Journal of the American Medical Informatics Association, 26(4), 339-355.

McLeod, A., & Dolezel, D. (2018). Cyber-analytics: Modeling factors associated with healthcare data breaches. Decision Support Systems, 108, 57–68.

Meglio, O., & Risberg, A. (2011). The (mis)measurement of M&A performance: A systematic narrative literature review. Scandinavian Journal of Management, 27, 418-433.

Mignerat, M., Mirabeau, L., & Proulx, K. (2019). Comportements stratégiques autonomes et pressions institutionnelles : le cas du BYOD. Systèmes d’Information et Management, 24(2), 7-46.

Mitchell, R., & Boyle, B. (2020). Professional faultlines and interprofessional differentiation in multidisciplinary team innovation: The moderating role of inclusive leadership. Health Care Management Review, 27,

Mobasheri, M.H., King, D., Johnston, M., Gautama, S., Purkayastha, S., & Darzi, A. (2015). The ownership and clinical use of smartphones by doctors and nurses in the UK: a multicentre survey study. BMJ Innovations, 00, 1-8.

Moon, B., & Chang, H. (2014). Technology acceptance and adoption of innovative smartphone uses among hospital employees. Healthcare Informatics Research, 20(4), 304-312.

Moore, G.C., Benbasat, I. (1991). Development of an instrument to measure the perceptions of adopting an information technology innovation. Information Systems Research, 2(3), 192–222.

Moore, S., & Jayewardene, D. (2014). The use of smartphones in clinical practice. Nursing management, 21(4), 18-22.

Morquin, D. (2019). Comment améliorer l’usage du Dossier Patient Informatisé dans un hôpital ? : vers une formalisation habilitante du travail intégrant l’usage du système d’information dans une bureaucratie professionnelle. Thèse de doctorat, Université de Montpellier, France.

Morquin, D., & Ologeanu-Taddei, R. (2018). The Electronic Medical Record: Standardization Issues and Personalization of Information for Health Professionals. In: Paganelli, C. (ed.), Confidence and Legitimacy in Health Information and Communication, pp.251-272, ISTE-Wiley, UK.

Moshi, M., Tooher, R., & Merlin, T. (2018). Suitability of current evaluation frameworks for use in the health technology assessment of mobile medical applications: a systematic review. International Journal of Technology Assessment in Health Care, 34(5), 464-475.

Mossialos, E., Thomson, S., & Ter Linden, A. (2004). Information technology law and health systems in the European Union. International Journal of Technology Assessment in Health Care, 20(4), 498–508.

Motulsky, A., Wong, J., Cordeau, J.P., Pomalaza, J., Barkun, J., & Tamblyn, R. (2017). Using mobile devices for inpatient rounding and handoffs: an innovative application developed and rapidly adopted by clinicians in a pediatric hospital. Journal of the American Medical Informatics Association, 24(e1), e69-e78.

Moyer, J.E. (2013). Managing mobile devices in hospitals: A literature review of BYOD policies and usage. Journal of Hospital Librarianship, 13(3), 197-208.

Mueller, M., Klesel, M., Heger, O., & Niehaves, B. (2016). Empirical insights on individual innovation behavior: A qualitative study on IT-Consumerization. Pacific Asia Conference on Information Systems (PACIS), Chiayi, Taiwan.

Myers, N., Starliper, M., Summers, S., & Wood, D. (2017). The Impact of Shadow IT Systems on Perceived Information Credibility and Managerial Decision Making. Accounting Horizons, 31(3), 105–123.

Myles, L., Paradis, E., Gropper, M.A., Kitto, S., Reeves, S., & Pronovost, P. (2017). An ethnographic study of health information technology use in three intensive care units. Health Services Research, 52(4), 1330-1348.

Nasajpour, M., Pouriyeh, S., Parizi, R.M., Dorodchi, M., Valero, M., & Arabnia, H.R. (2020). Internet of Things for Current COVID-19 and Future Pandemics: an Exploratory Study. Journal of Healthcare Informatics Research, 4, 325-364.

Nasirpouri Shadbad, F., & Biros, D. (2021). Understanding Employee Information Security Policy Compliance from Role Theory Perspective. Journal of Computer Information Systems,

NIST. (2003). Building an Information Technology Security Awareness and Training Program. Accessed May 31, 2021.

NIST. (2015). Guide to Application Whitelisting. Accessed May 31, 2021.

NIST. (2020). Zero Trust Architecture. Accessed May 31, 2021.

Nokia. (2019). Nokia Threat Intelligence Report 2019. Accessed May 31, 2021.

Ologeanu-Taddei, R. (2019). Generative mechanisms of projects related to Enterprise Systems use in Bureaucracies: An embedded case study in a French hospital. Systèmes d’Information et Management, 24(3), 41-65.

Orlikowski, W.J., & Hofman, J.D. (1997). An improvisational model for change management: the case of groupware technologies. MIT Sloan Management Review, 38(2), 11-21.

Ortbach, K., Köffer, S., Bode, M., & Niehaves, B. (2013). Individualization of Information Systems-Analyzing Antecedents of IT Consumerization Behavior. 34th International Conference on Information Systems (ICIS), Milan, Italy.

Palanisamy, R., Norman A.A., & Mat Kiah, M.L. (2020). BYOD Policy Compliance: Risks and Strategies in Organizations, Journal of Computer Information Systems,

Palo Alto. (2021). What is a Zero Trust Architecture. Accessed May 31, 2021.

Parks, R., Xu, H., Chu C.-H., & Lowry, P.B. (2017). Examining the intended and unintended consequences of organisational privacy safeguards. European Journal of Information Systems, 26, 37–65.

Patel, N., Siegler, J., Stromberg, N., Ravitz, N., & Hanson, C. (2016). Perfect Storm of inpatient communication needs and an innovative solution utilizing smartphones and secured messaging. Applied Clinical Informatics, 7(3), 777–789.

Patriotta, G. (2020). Writing impactful review articles. Journal of Management Studies, 57(6), 1272-1276.

Prasopoulou, E. (2017). A Half-Moon on My Skin: A Memoir on Life with an Activity Tracker. European Journal of Information Systems, 26(3), 287–297.

Pulleyblank, R., Laudicella, M., & Olsen, K.R. (2021). Cost and quality impacts of treatment setting for type 2 diabetes patients with moderate disease severity: Hospital- vs. GP-based monitoring. Health Policy.

Rodriguez, R., Svensson, G., & Ferro, C. (2021). Assessing the future direction of sustainable development in public hospitals: Time-horizon, path and action. Health Policy, 125(4), 526-534.

Rogers, E.M. (1962). Diffusion of innovations. The Free Press of Glencoe, New York.

Rowe, F. (2020). Contact tracing apps and values dilemmas: A privacy paradox in a neo-liberal world. International Journal of Information Management, 55, 102178.

Sarkar, S., Vance, A., Ramesh, B., Demestihas, M., & Wu, D.T. (2020). The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context. Information Systems Research, 31(4), 1240-1259.

Schultz, C., Zippel-Schultz, B., & Salomo, S. (2012). Hospital innovation portfolios: Key determinants of size and innovativeness. Health Care Management Review, 37(2), 132-143.

Sharma, R., & Kshetri, N. (2020). Digital healthcare: Historical development, applications, and future research directions. International Journal of Information Management, 53, 102105.

Silic, M., & Back, A. (2014). Shadow IT – A view from behind the curtain. Computers & Security, 45, 274-283.

Silic, M., Barlow, J.B., & Back, A. (2017). A new perspective on neutralization and deterrence: predicting shadow IT usage. Information & Management, 54, 1023–1037.

Singh, R., Mindel, V., & Mathiassen, L. (2017). IT-Enabled Revenue Cycle Transformation in Resource-Constrained Hospitals: A Collaborative Digital Options Inquiry. Journal of Management Information Systems, 34(3), 695-726.

Singh, S., & Song, P. (2013). Nonoperating revenue and hospital financial performance: Do hospitals rely on income from nonpatient care activities to offset losses on patient care? Health Care Management Review, 38(3), 201-210.

Skovgaard, L., Wadmann, S., & Hoeyer, K. (2019). A review of attitudes towards the reuse of health data among people in the European Union: The primacy of purpose and the common good. Health Policy, 123(6), 564-571.

Soomro, Z.A., Shah, M.H., & Ahmed, J. (2016). Information security management needs more holistic approach: a literature review. International Journal of Information Management, 36(2), 215–225.

Stahl, B.F., Doherty, N.F., & Shaw, M. (2012). Information security policies in the UK healthcare sector: a critical evaluation. Information Systems Journal, 22, 77–94.

Steiner, P. (2014). Investment in health technologies calls for lessons to be learned. International Journal of Healthcare Management, 7(1), 3-4.

Stephens, K., Zhu, Y., Harrison, M., Iyer, M., Hairston, T., & Luk, J. (2017). Bring Your Own Mobile Device (BYOD) to the Hospital: Layered Boundary Barriers and Divergent Boundary Management Strategies. 50th Hawaii International Conference on System Sciences (HICSS), Hawaii, USA.

Støme, L., Moger, T., Kidholm, K., & Kværner, K. (2019). Early assessment of innovation in a healthcare setting. International Journal of Technology Assessment in Health Care, 35(1), 17-26.

Sykes, G.M., & Matza, D. (1957). Techniques of neutralization: A theory of delinquency. American Sociological Review, 22(6), 664–670.

Tanenbaum, W.A. (2016). IT systems put security into health care cybersecurity. Journal of Health Care Compliance, 21-26.

Tanriverdi, H., Rai, A., & Venkatraman, V. (2010). Research commentary-reframing the dominant quests of information systems strategy research for complex adaptive business systems. Information Systems Research, 21(4), 822-834.

Tarricone, R., Amatucci, F., Armeni, P., Banks, H., Borsoi, L., Callea, G., Ciani, O., Costa, F., Federici, C., Torbica, A., & Marletta, M. (2021). Establishing a national HTA program for medical devices in Italy: Overhauling a fragmented system to ensure value and equal access to new medical technologies. Health Policy, 125(5), 602-608.

Templier, M., & Paré, G. (2018). Transparency in literature reviews: an assessment of reporting practices across review types and genres in top IS journals. European Journal of Information Systems, 27(5), 503-550.

Thenoz, E. (2020). Gestion des usages des technologies numériques dans les organisations : une approche qualitative par le contrôle organisationnel et les chartes informatiques. Systèmes d’information et Management, 25(3), 51-86.

Thompson, R.L., Higgins, C.A., & Howell, J.M. (1991). Personal Computing: Toward a Conceptual Model of Utilization. MIS Quarterly, 15(1), 124-143.

Tierney, E., Hannigan, A., Kinneen, L., May, C., O’Sullivan, M., King, R., Kennedy, N., & MacFarlane, A. (2019). Interdisciplinary team working in the Irish primary healthcare system: Analysis of ‘invisible’ bottom-up innovations using Normalisation Process Theory. Health Policy, 123(11), 1083-1092.

Tran, K., Morra, D., Lo, V., Quan, S., & Wu, R. (2014). The use of smartphones on general internal medicine wards: a mixed methods study. Applied Clinical Informatics, 5(3), 814-823.

Triandis, H.C. (1977). Interpersonal Behavior. Brooke/Cole, Monterey, CA.

Tu, Z., Turel, O., Yuan, Y., & Archer, N. (2015). Learning to cope with information security risks regarding mobile device loss or theft: An empirical examination. Information & Management, 52, 506-517.

U.S. Congress. (2011). Code of Federal Regulations - Title 45. U.S. Government Printing Office.

Valtolina, S., Barricelli, B., & Di Gaetano, S. (2019). Communicability of traditional interfaces VS chatbots in healthcare and smart home domains. Behaviour & Information Technology, 39(1), 108-132.

Van Schalkwyk, M.C., Bourek, A., Kringos, D.S., Siciliani, L., Barry, M.M., De Maeseneer, J., & McKee, M. (2020). The best person (or machine) for the job: Rethinking task shifting in healthcare. Health Policy, 124(12), 1379-1386.

Venkatesh, V., Morris, M.G., Davis, G.B., & Davis, F.D. (2003). User acceptance of information technology: Toward a unified view. MIS Quarterly, 27(3), 425-478.

Venkatesh, V., Thong, J.Y.L., & Xu, X. (2012). Consumer Acceptance and Use of Information technology: Extending the Unified Theory of Acceptance and Use of Technology. MIS Quarterly, 36(1), 157-178.

Vukovic, V., Favaretti, C., Ricciardi, W., & de Waure, C. (2018). Health technology assessment evidence on e-health/m-health technologies: evaluating the transparency and thoroughness. International Journal of Technology Assessment in Health Care, 34(1), 87-96.

Walker, D, Lawrence, J., & Yeager, V. (2020). Progress and challenges with connecting hospitals with the public health system. Health Services Research, 55(S1), 128-129.

Walterbusch, M., Fietz, A., & Teuteberg, F. (2017). Missing cloud security awareness: investigating risk exposure in shadow IT. Journal of Enterprise Information Management, 30(4), 644–665.

Wani, S., Rabah, S., AlFadil, S., Dewanjee, N., & Najmi, Y. (2013). Efficacy of communication amongst staff members at plastic and reconstructive surgery section using smartphone and mobile WhatsApp. Indian Journal of Plastic Surgery, 46(3), 502–505.

Warkentin, M., Johnston A.C., Shropshire, J., & Barnett, W.D. (2016). Continuance of protective security behavior: A longitudinal study. Decision Support Systems, 92, 25-35.

Weeger, A., Wang, X., Gewald, H., Raisinghani, M., Sanchez, O. Grant, G., & Pittayachawan, S. (2020). Determinants of Intention to Participate in Corporate BYOD-Programs: The Case of Digital Natives. Information Systems Frontiers, 22, 203–219.

Weng, R., Huang, C.-Y., & Lin, T.-E. (2013). Exploring the cross-level impact of market orientation on nursing innovation in hospitals. Health Care Management Review, 38(2), 125-136.

Wu, I.-L., Li, J.-Y., & Fu, C.-Y. (2011). The adoption of mobile healthcare by hospital’s professionals: An integrative perspective. Decision Support Systems, 51, 587–596.

Yang, C.G., & Lee, H.-J. (2016). A study on the antecedents of healthcare information protection intention. Information Systems Frontiers, 18, 253–263.

Yang, C.W., Yan, Y.-H., Fang, S.-C., Inamdar, S.N., & Lin, H.-C. (2018). The association of hospital governance with innovation in Taiwan. The International Journal of Health Planning and Management, 33(1), 246-254.

Zimmermann, S., & Rentrop, C. (2014). On the Emergence of Shadow IT – A Transaction Cost-Based Approach. 22nd European Conference on Information Systems (ECIS), Tel Aviv, Israel.

Zimmermann, S., Rentrop, C., & Felden, C. (2017). A Multiple Case Study on the Nature and Management of Shadow Information Technology. Journal of Information Systems, 31(1), 79–101.



How to Cite

Baillette, P., Barlette, Y., & Berthevas, J.-F. (2022). Benefits and Risks of Shadow IT in Health Care: A Narrative Review of the Literature. Systèmes d’Information Et Management (French Journal of Management Information Systems), 27(2), 59–96. Retrieved from



Empirical research