Smartphone Use and Security Challenges in Hospitals: A Survey among Resident Physicians in Germany

Although mobile devices support physicians in a variety of ways in everyday clinical practice, the use of (personal) mobile devices poses potential risks for information security, data protection, and patient safety in hospitals. We used a cross-sectional survey-based study design to assess the current state of smartphone use among resident physicians in hospitals and to investigate the relationships between working conditions, current smartphone usage patterns, and security-related behavior. In total, data from 343 participating physicians could be analyzed. A large majority (98.3%) used their smartphones during clinical practice. Of the respondents who used a smartphone during clinical practice, only 4.5% were provided with a smartphone by their employer. Approximately three-quarters of the respondents who used their smartphones for professional communication never/almost never used dedicated GDPR-compliant messenger services. Using a hierarchical regression model, we found a significant effect of the organizational resources Social Support (Supervisor) and Information Security-related Communication on security-related behavior during the selection of medical apps (App Selection). Smartphones are an important part of digital support for physicians in everyday clinical practice. To minimize the risks of use, technical and organizational measures should be taken by the hospital management, resulting, for example, in a Bring-Your-Own-Device (BYOD) initiative.


Introduction
In addition to high expectations concerning enhanced efficiency and quality in hospitals, increasing multimorbidity and complex clinical pathways require direct, easy, and quick access to and transmission of care-relevant information, independent of time and location. Mobile devices (especially smartphones and tablets) combined with digital applications (apps) already support physicians in hospitals in several ways, as numerous current mobile health studies show [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19] (Table A1). The rapid development in the field of mobile health indicates that mobile devices will increasingly be integrated into everyday clinical practice and are becoming essential devices. Furthermore, the current young generation of physicians consists of digital natives (Generation Y) who have been surrounded by digital devices since childhood and who take their private and professional use for granted [20,21].
The use of mobile devices offers a variety of options for physicians to communicate with each other, but also with hospital staff, patients, and professionals in other sectors, e.g., via calls, e-mails, messenger services, or video conferences. In addition, everyday work can easily be organized via mobile devices (e.g., using calendar functions or rosters). Together with apps, they also enable modern medical education and research while documentation and monitoring are other fields of application in clinical practice. Due to their widespread availability and highly developed cameras and screens, mobile devices are often used for clinical photography. They provide opportunities for remote access to electronic medical records and hospital information systems as information can be obtained flexibly (e.g., at home or directly at the point of care). Mobile devices also serve as diagnostic and therapeutic decision-support tools, e.g., when physicians need specific drug information or medical calculations. In addition, there is a unique possibility of integrating different sensors in smartphones and tablets or coupling with them (e.g., temperature, blood sugar), which supports diagnosis and therapy as well as (remote) patient monitoring. Here, their compactness offers a significant advantage in everyday clinical practice compared to large medical measuring devices.
However, despite the evident advantages outlined above, the use of (personal) mobile devices in clinical practice can be associated with high risks for information security, data protection, and patient safety [22][23][24]. In their case studies, Hedström et al. (2011) showed that employees in healthcare organizations are exposed to different value conflicts, e.g., health-care values vs. information security values, which they have to resolve quickly for each situation during their practice [25]. This poses security risks that need to be considered by the clinic management. In hospitals, information security refers to the state of full functionality of all IT systems, processes, and components, which are necessary for optimal patient care, and the protection of all information required for this. Information security must be guaranteed at all times, so continuous monitoring and rapid responses to breaches and attacks are essential. Cyber attacks on hospital information systems are no longer a rarity: a study from 2020 shows how vulnerable the German hospital landscape is to ransomware attacks [26]. Empirical research on information security-related behavior of employees at work and its supporting organizational and individual factors is a relatively new field. Researchers recognized that, in addition to the technical equipment of the organization to increase information security, it is also necessary for the employees to follow security policies and consciously use information technology (compliance) because non-compliance can lead to security breaches with far-reaching consequences for the organization. Hu et al. (2012) analyzed the role of top management, organizational culture, and individual cognitive beliefs on information security-related behavior among alumni of MIS and MBA programs and found significant effects [27].
D'Arcy and Greene (2014) examined the influence of security culture, job satisfaction, and perceived organizational support on security compliance intentions among computer-using professionals and found positive effects for security culture and job satisfaction [28]. Solomon and Brown (2020) could show relationships between organizational culture, information security culture (as an organizational subculture), and compliance. They further argued that goal orientation among employees has a stronger influence on compliance than rule orientation [29].
Since January 2022, all hospitals in Germany are obligated to implement state-of-the-art information security measures. This is intended to avoid disruptions to hospital operations due to system failures and to ensure the availability and security of patient information [30,31]. However, personal mobile devices, especially smartphones, are often overlooked as a relevant IT resource for physicians and are not taken into account when listing and analyzing information security-critical systems and processes in hospitals.
The primary objective of this study was to systematically record and assess the current status of smartphone use in everyday clinical practice by resident physicians in hospitals. In addition, our study aims to contribute to the research on organizational measures that can promote responsible behavior in order to reduce potential risks and enhance security. A second objective was, therefore, to examine the relationships between working conditions, current smartphone usage patterns, and security-related behavior. In doing so, we want to go a step further than the studies listed in Table A1 and identify specific organizational measures to mitigate security risks.

Study Design
We used a cross-sectional survey-based study design. A structured online questionnaire in German was developed in LimeSurvey. The first page contained information on the target group, the research project, the content of the questionnaire, and the estimated processing time. After accepting the privacy policy, participants were taken to the second page with demographic questions. These were followed by the main part including seven sections: (1) Working Conditions, (2) Resilience, (3) Job Satisfaction and Work Engagement, (4) IT Resources, Information Security, and Data Protection, (5) Information Security-related Awareness and Compliance, (6) Technical Affinity and Innovative Work Behavior, and (7) Mobile Device Usage. At the end of the survey, participants had the opportunity to share their comments with us. The sections relevant to this report are explained below.
Working Conditions: To assess working conditions, we used the following scales from the Copenhagen Psychosocial Questionnaire (COPSOQ): Quantitative Demands, Predictability, Role Conflicts, Quality of Leadership, Social Support, Feedback, Sense of Community, Trust and Fairness, and Appreciation. The COPSOQ is an internationally established instrument to measure psychosocial work factors with good to very good validity and reliability for most of its scales [32]. In Germany, the third version of the questionnaire, which we used in our study, was published in 2019 [33]. In contrast to the original questionnaire, we divided the Social Support and Feedback scales into two subscales each (supervisor/colleagues) to separate the social support/feedback from supervisors from the social support/feedback from colleagues, which could be rated differently, especially in hierarchical organizations. In addition, we used two scales (Uncertainty, Further Education) and two individual questions on working hours and shifts from the German instrument for stress-related job analysis for hospital physicians (ISAK) [34,35]. We also included four self-developed items regarding IT resources in the hospital because we could not find a suitable scale in the research literature.
Information Security-related Awareness and Compliance: In addition to state-of-the-art technical information security solutions, employees of an organization should be aware of the importance of information security and trained accordingly to behave in a compliant manner. The items we used to assess information security-related awareness, self-efficacy, top management commitment, and compliance are based on the works of Hu et al. (2012) [27], D'Arcy and Greene (2014) [28], Karlsson et al. (2017) [36], and Solomon and Brown (2020) [29]. We adapted the items to the clinical situation. Overall, this resulted in four items on awareness, two on self-efficacy, one on top management commitment, and four on compliance.
Mobile Device Usage: The items on mobile device usage are based on a systematic literature review in which we analyzed 41 quantitative studies on the use of mobile devices by physicians during clinical practice. The section consists of five subcategories on specific usage patterns (Communication, Organization, Documentation and Monitoring, Diagnostic and Therapeutic Decision Support, and Knowledge Acquisition and Training), one subcategory on Mobile App Selection, and other single items on the private and professional use of mobile devices. With the subcategory Mobile App Selection, we wanted to know to what extent the participants consider security-related criteria (patient safety, data protection, and information security) when selecting a new app to support diagnosis and therapy.
All English scales and single items were translated into German, checked independently by two bilinguals, and then adapted based on their comments. We used five-point Likert scales ranging from "Never" to "Several times a day", "Never/almost never" to "Always", and "Strongly disagree" to "Strongly agree", respectively. In the Mobile App Selection scale, we added "No experience with such apps" as a sixth possible answer. To ensure content validity, the survey was reviewed by faculty members and statisticians and modified accordingly. It was then piloted with a group of residents, who highlighted and took notes on any remaining ambiguities which we corrected in the final questionnaire.

Data Collection
Data were collected between March and June 2022. Our target group comprised physicians who are currently undergoing medical specialist training/residency training in hospitals in Germany (henceforth referred to as "residents"). An invitation with a link to the online questionnaire was sent directly to the residents via e-mail or social media channels, or indirectly via our contacts in the medical field. Important contacts were chief physicians, senior physicians, university professors, hospital managers, alumni networks as well as presidents of the German medical societies. In addition, we asked medical experts with significant influence on social media platforms to share the link. The Hartmannbund, an important association of physicians in Germany, forwarded the link to its resident members.

Data Analysis
The data were first exported from LimeSurvey to SPSS. Data analysis was performed with IBM SPSS Statistics 28 and only fully completed surveys were included. For all self-developed scales, the dimensionality was controlled via factor analysis using scree plots. Descriptive statistics were used to present the means, standard deviations, and frequencies. We created bar charts to visualize the results of the smartphone usage pattern analysis. Correlation coefficients were then calculated to determine the statistical relationships between smartphone usage patterns and information security-related compliance. Furthermore, a regression analysis was performed to determine the relationship between working conditions and smartphone usage patterns. For all tests, a p value of less than 0.05 was considered statistically significant.

Preliminary Analyses
A total of 611 people entered the survey, of whom 349 completed it. An exact statement on the response rate cannot be made because we do not have information on the number of residents who received the questionnaire indirectly through our contacts. Data of six participants had to be excluded due to conspicuous response patterns (4×), work in a hospital abroad (1×), and specific information in the comment section (1×). In total, data from 343 participants were included in our analyses.
The factor analysis showed that the items measuring Information security-related Awareness loaded on two factors and we subsequently divided the scale into two scales: Information security-related Awareness and Information security-related Knowledge. Further, based on the factor analysis, we divided the Smartphone Communication scale into three subscales: Communication Channels, Communication Partners (job-related), and Communication Partners (private). To determine the reliability/internal consistency, Cronbach's alpha/the Spearman-Brown coefficient was calculated for every scale. The two scales Predictability and Communication Partners (private) showed insufficient reliability (<0.7), meaning that their items were not sufficiently related. They were, therefore, excluded from subsequent correlation analyses. We further checked the assumptions of the regression and found no violations. Table 1 shows the sociodemographic characteristics of the study participants. Almost two-thirds of the participants were female (63.3%). The two age groups with the highest frequency were 31-35 years (40.8%) and 26-30 years (39.1%). There was a total of 16 specialties represented by at least two participants. Most participants were part of a residency program for Internal Medicine (22.2%). This was followed by Surgery (17.2%), Anesthesiology (14.9%), and Pediatrics and Adolescent Medicine (10.8%). Participants were almost evenly distributed across the residency levels, with the fewest residents in their 4th year (15.2%) and most residents in their 5th year or above (29.7%). The majority of the participants worked in a public hospital (61.5%), while approximately one-quarter worked in a non-profit hospital (22.7%) and 13.7% in a private hospital. Most of the hospitals were university/teaching hospitals (80.5%). 
The size of the hospitals (measured by the number of beds) in which the residents underwent their training varied, whereby most of them worked in a hospital with 300-800 beds (39.1%), followed by hospitals with more than 800 beds (37.6%). Only a few residents had a job in a hospital with less than 300 beds (17.5%).

Smartphone Usage
Almost all of the residents surveyed stated that they used a smartphone for private purposes (99.1%), with 97.1% of them using it several times a day. A large majority of the participants also used their smartphones during clinical practice: in the past six months, 98.3% used their smartphones in at least one of the five categories that we created (Communication, Organization, Documentation and Monitoring, Diagnostic and Therapeutic Decision Support, Knowledge Acquisition and Training). Only 1.7% of the participants always chose "Never" in all five categories and, thus, had never used their smartphone in clinical practice in the past six months. Of those who used a smartphone during clinical practice, only 4.5% were provided with a smartphone by their employer.

Communication
During clinical practice, about half of the participants used their smartphones regularly (several times a month or more) for text messages (55.1%), e-mails (49.9%), and/or phone calls (48.4%) (Figure A1). More than a third of the residents regularly received or sent pictures (35.0%), while 28.3% regularly received or sent documents. The majority of the respondents had never made a video call/conference (71.4%) and had never used social media (78.4%) on their smartphones during clinical practice in the past six months. The residents most frequently communicated with colleagues, most of them several times a month or more for private and/or job-related reasons (77.0%/71.1%) (Figure A2). Smartphones were also regularly used by 39.7% of the participants to communicate with their supervisors. Approximately one-quarter of the respondents frequently communicated with staff at other hospitals. Communication with patients via smartphone was not common and 88.9% had never used it for this purpose. More than three-quarters of the residents surveyed regularly used their smartphones for private communication with their families and friends during clinical practice (82.2%).

Organization
Many residents had duty rosters and/or schedules on their smartphones; 78.7% used them on a regular basis (Figure A3). The calendar function was also commonly used (several times a month or more) by more than two-thirds of those surveyed (68.2%). Around half of the residents took notes and/or created to-do lists on their smartphones several times a month or more (51.3%).

Documentation and Monitoring
Approximately one-third of the residents regularly accessed clinical information systems via their smartphones (30.9%) and one-quarter commonly took pictures/videos of patients with their smartphones (e.g., to document wounds, injuries, or the course of treatment, or to make before-and-after pictures) (23.0%) (Figure A4). Photographs of medical documents (e.g., X-rays, CT/MRI scans, medical records, laboratory results) were taken with a similar frequency (22.4%). The other four activities surveyed (Notes on diagnoses and procedures, Coding support, Writing reports/protocols, and Dictation of texts) were rarely carried out with the help of smartphones.

Diagnostic and Therapeutic Decision Support
In general, activities in this category were often supported by smartphones (Figure A5). A large majority of the participants frequently used their smartphones to search for drug information (80.8%). Approximately two-thirds of the residents performed clinical calculations (e.g., for doses, scores, indices) by using their smartphones several times a month or more (68.8%). About the same number of participants regularly looked up guidelines via smartphone (65.6%) and more than half of the residents used them frequently for differential diagnoses (56.6%). In the past six months, slightly less than half of the respondents had used their smartphones to look for assistance with operations and procedures (e.g., through video tutorials) (49.3%) and almost a third even did so regularly (30.3%).

Knowledge Acquisition and Training
Around three-quarters of those surveyed carried out simple internet searches via smartphone during clinical practice on a regular basis (77.8%) (Figure A6). During clinical practice, 44.3% read e-books on their smartphone several times a month or more and an equal number frequently carried out literature research via smartphone (45.2%). Smartphones were rarely used for patient information/education. In the past six months, 84.0% had used them once a month or less or even never for this purpose.

Medical App Usage and Selection
Of those who communicated professionally with their smartphone (N = 308), 72.1% never/almost never used special, GDPR-compliant messenger services and only 3.2% always used them (Figure A7). Around 90% of the participants already had experience with apps to support diagnosis and therapy. When selecting such apps, most of them often or even always paid attention to content quality and topicality (96.5%) (Figure A8). This result is in contrast to the four other safety criteria that were queried. Here, the proportion of participants with such app experience who often or always considered the respective criterion was below 50%: Information about the manufacturer/publisher (49.8%), Consequences and risks of using the app (48.4%), Seals or certifications (45.3%), and Information on data protection and information security (41.0%).

Relationships between Smartphone Usage, App Selection, and Information Security-Related Compliance
In this section, we wanted to exploratively investigate the correlations between smartphone usage patterns and information security-related compliance, as well as between the consideration of security-related criteria during app selection and information security-related compliance. The strength of the linear correlations was assessed according to Cohen [37]. Table A2 shows an overview of the correlations between the individual variables. There is a weak negative correlation between smartphone use across different communication channels and information security-related compliance (r = −0.155, p < 0.01). There is also a weak negative correlation between the use of smartphones for documentation and monitoring and information security-related compliance (r = −0.189, p < 0.01). There are no significant correlations between the other categories of smartphone usage and information security-related compliance. There is a moderate positive correlation (r = 0.348, p < 0.01) between the consideration of security-related criteria during app selection and information security-related compliance.

Relationship between Organizational Resources and App Selection
In this section, the aim was to analyze whether certain working conditions, especially organizational resources, have an impact on the consideration of security-related criteria when selecting an app for diagnosis and therapy. Specifically, we hypothesized that social support from colleagues and supervisors as well as information security-related communication can predict the consideration of security-related criteria during app selection. This is based on the research model of D'Arcy and Greene (2014) [28]. Table A2 shows that both of the organizational resources Social Support (Supervisor) (r = 0.191, p < 0.01) and Information Security-related Communication (r = 0.167, p < 0.01) show a weak positive correlation with the variable App Selection. A significant correlation between Social Support (Colleagues) and App Selection could not be found. There were also weak positive associations between the personal resource Affinity for Technology Interaction (ATI) (r = 0.224, p < 0.01), measured by the Ultra-Short Scale for Assessing Affinity for Technology Interaction [38], and the Residency Level (r = 0.146, p < 0.05). Therefore, ATI and residency level will serve as control variables in the following regression analysis. The hierarchical regression model for predicting safety-related behavior (App Selection) is shown in Table 2. There was a significant effect of the organizational resources Social Support (Supervisor) (β = 0.210, p = 0.001) and Information security-related Communication (β = 0.125, p = 0.026) on the dependent variable App Selection. There was no significant effect of Social Support (Colleagues) on App Selection (β = −0.069, p = 0.282). The control variables Residency Level (β = 0.109, p = 0.049) and ATI (β = 0.215, p < 0.001) also had significant effects on App Selection.
Note (Table 2). R² = 0.117. Only respondents who had experience with diagnostic and therapeutic decision support apps were included. N = 302. CI = confidence interval; LL = lower limit; UL = upper limit.

Discussion
This study demonstrates the high prevalence of smartphone use during clinical practice among resident physicians in hospitals in Germany. Well over 90% of the residents surveyed used their smartphone at work, while fewer than 5% received a smartphone from their employer for professional use. These high usage rates of personal smartphones are in line with results of other recent studies on the use of mobile devices in clinical settings, both nationally and internationally [2,3,7,11,16].
Approximately one in two respondents regularly used a smartphone at work to communicate via phone calls, text messages, and e-mails, most frequently with colleagues. Smartphones have great potential to increase the efficiency of communication in hospitals: Compared to one-way pagers and stationary phones, smartphones can have significant advantages in terms of flexibility, reception, and the convenience and efficiency of information transfer. We also asked about the use of smartphones for sending/receiving pictures and medical documents and found that more than one in four participants regularly used their smartphones for this purpose. Other studies found similar results or even higher rates for this aspect, also depending on the respective specialty [3,9,11,12,13]. From a data-protection perspective, this is critical if private communication takes place via the same mobile device, which was the case for most of our study participants, as only a few of them were provided with smartphones by their employers. This is also reinforced by the frequent private communication with friends and family, as mentioned by the participating residents. Thus, the great potential of smartphones to improve clinical communication is offset by the risks of data breaches.
The study shows that smartphones are particularly helpful in organizing day-to-day clinical work. The availability and use of electronic duty rosters and schedules on smartphones appear to be widespread. However, we believe that there is great potential in this field, for example, through intelligent and connected task and workflow management.
Approximately one in three residents regularly accessed clinical information systems with their smartphone as part of documentation and monitoring. The advantages of smartphones here are their high flexibility in terms of location and time of information access. For example, if no digital data are available at the point of care, accessing the clinical information system via smartphone seems to be the most efficient solution. However, there is a particular risk of breaching information security while accessing clinical information systems via smartphones.
The use of smartphones to support diagnostic and therapeutic decisions was particularly frequent among the respondents in our study. The majority of participants used their smartphones to obtain drug information, look up guidelines, and perform clinical calculations and differential diagnoses. The results are in line with those of most other studies that have investigated this topic in recent years [1,2,3,7,8,9,10,11,14,16,19]. Approximately 90% had experience with apps to support diagnosis and therapy. There is great potential for innovation and digitization in this field. However, users must also be aware of the potential risks for information security, data protection, and, in particular, patient safety. The results of the study regarding the consideration of security-related criteria when selecting an app for therapeutic and diagnostic decision support indicate that some criteria were only taken into account to a limited extent, which could lead to a security gap.
Smartphones have become important devices in everyday clinical practice and can, therefore, be seen as part of the digital transformation process in hospitals. However, our study highlighted potential risks for information security, data protection, and patient safety. Here, we see various ways in which the organization or hospital management can reduce these risks: banning the use of personal smartphones in everyday clinical practice (1), providing hospital-owned devices (2), the prevention and rapid detection of breaches with state-of-the-art IT (security) equipment (3), and training and supporting employees on security-related topics (4). In our opinion, banning the use of smartphones as a measure to increase information security might have detrimental effects on the digital transformation in hospitals and should, therefore, not be considered as a stand-alone policy. Separating private and professional use by providing a hospital-owned smartphone or a dedicated short-range communication device that is capable of performing essential tasks, such as communication, access to clinical information systems, photo taking, or calculating medical scores, could be better options. The usability of hospital-owned devices and accessible applications should be evaluated prior to the hospital-wide implementation to avoid high costs with little benefit. Improving IT and IT security equipment is an important and effective measure, as physicians are currently almost forced to use their own digital devices in everyday clinical practice to work efficiently. Apps for GDPR-compliant communication are used by very few of the participants surveyed. Especially when sensitive patient data are exchanged via smartphone, it is imperative to use GDPR-compliant (medical) messenger services. 
Some providers now offer a variety of additional functions that could be helpful to physicians, e.g., video calls, case creation, photo editing (e.g., for anonymization), and direct connection to the clinical information system. Their use should be considered by the clinic management. The reasons for the current low usage rates would have to be assessed in a further survey but could be due to low penetration and acceptance. In addition, physicians have to find appropriate apps to support their work themselves. The provision of quality-assured apps for the above-mentioned usage patterns, e.g., by the organization or medical societies, could increase transparency and security.
In addition to technical support, another way to minimize the risks of smartphone use in everyday clinical practice is to train and support employees. We were able to show that social support from supervisors and information security-related communication correlate positively with the consideration of security-related criteria when selecting an app for diagnosis and therapy support. We hypothesize that social support from supervisors may improve residents' job satisfaction and their sense of responsibility, which, in turn, increases compliance. Information security-related communication could provide greater awareness of possible information security-related risks and, thus, lead to greater compliance so that security-related aspects are given more consideration. Both technical and organizational support could then culminate in a Bring-Your-Own-Device (BYOD) initiative. For the secure integration of personal mobile devices into everyday clinical practice, a BYOD initiative should represent a complex network of technical and organizational measures [22,39,40].
A few limitations should be taken into account when considering and evaluating our results, one of which pertains to the study design. First, since our study was conducted in Germany, it is not possible to directly apply the results to other countries. However, our study is intended to create incentives to conduct studies in hospitals in other countries to explore organizational factors for improving safety-related behavior when using mobile devices. Second, when using an online survey, comprehension problems on the part of the participants cannot be identified and addressed. However, we believe that the approach was the most suitable for the aim of the study and the selected target group as, for example, interviews would have resulted in a much smaller sample and reduced the validity of the results. Third, the cross-sectional design does not allow us to establish causal relationships between the organizational factors and the behaviors, but only correlations. Any alterations in physicians' behavior due to changes in organizational factors can only be assessed with a longitudinal design.
Even though it was an anonymous online questionnaire, the risk of social desirability bias remains, with participants trying to present their actual smartphone use behavior much more positively. Such a bias might have arisen specifically concerning risky behaviors (e.g., sending patient images/data).
Furthermore, the fact that we cannot precisely determine the response rate represents another limitation. Since we do not have information on the number of residents who received the questionnaire indirectly through our contacts, e.g., via chief physicians or the hospital management, we are not able to make an exact statement on the number of residents invited, which is the basis for calculating the response rate. However, based on the information available to us, we estimate that fewer than 10% of those who received the questionnaire actually responded. If there are systematic differences between the responders and non-responders, the results of our survey may not be representative of the target population. This so-called non-response bias may threaten the external validity of our study by reducing the representativeness of the results. However, previous research suggests that physician surveys are less susceptible to non-response bias than general population studies because they are a more homogeneous study population [41]. Moreover, it is not always the case that a low response rate automatically reduces the representativeness, which is why the response rate should not be considered in isolation [42]. We believe the main reason for the low response rate was the heavy workload, which did not allow physicians the time to participate. Another indicator for the representativeness of a study is the sampling method [43]. Our study may have appealed to physicians with a higher average digital affinity than in the target population. To sum up, statistical conclusions on the entire target population should, therefore, always be drawn taking into account the supposedly limited representativeness.

Conclusions
To our knowledge, this is the first study to present findings on residents' smartphone use in hospitals and its association with security-related behavior. Smartphone use in clinical practice was very common among resident physicians in hospitals, and employers only rarely provided smartphones to the physicians surveyed. Instead, most of them used their own devices for a variety of different activities. This poses potential risks to information security, data protection, and patient safety in hospitals. These can potentially be reduced through the appropriate use of organizational resources. Here, our results show that organizational measures correlate significantly with security-related behavior and might be able to influence it positively.
In particular, it is a matter of adequate training and information for the employees, i.e., creating awareness of potential benefits and innovative applications, but also of potential risks of smartphone use during clinical practice and, at the same time, integrating state-of-the-art IT and IT security equipment. These aspects, when combined in a complex BYOD initiative, could subsequently improve information security, data protection, and patient safety.