Symmetric Enhancement of Big Data Utilization and Protection in Healthcare in China from the Perspective of Evolutionary Game Analysis

Abstract

With the rapid development of data technologies, the high privacy sensitivity of big data in healthcare imposes higher demands on its security supervision. This paper analyzes the interactive dynamics between the behaviors of regulators and regulated entities, aiming to explore the symmetry and balance between the utilization and protection of big data in healthcare in China. A two-party evolutionary game model between regulators and regulated entities is constructed and refined by incorporating herding preference utility coefficients, and simulation analyses are performed using MATLAB. Furthermore, the main models and differences in health data regulation among the United States, the European Union, the United Kingdom, and China are discussed for broader relevance. This study finds that the fine amount imposed on regulated entities during process supervision has a significant impact on their behavior, yet it cannot eliminate unstable fluctuations in the system. Reducing the prevention costs of regulated entities is the fundamental approach for the system to achieve an equilibrium state of maximum social welfare. Herding preference utility enhances system stability, and when this utility is sufficiently strong, it may even eliminate unstable fluctuations in the system. It is suggested that regulators should carefully consider the prevention costs of regulated entities when proposing prevention requirements, implement subsidy policies when necessary, explore a new model of multi-stakeholder collaborative supervision, enhance the risk awareness of relevant organizations, and strengthen publicity and guidance, thereby achieving the goal of big data security supervision in healthcare.

1. Introduction

Data security supervision refers to the measures taken to monitor, prevent, and address data security risks and threats, aiming to protect data from leakage, theft, tampering, damage, illegal use, and other forms of misuse. This includes legally punishing illegal and criminal activities that endanger data security [1]. The Central Committee of the Communist Party of China and the State Council attach great importance to data security initiatives. The Third Plenary Session of the Twentieth Central Committee of the Communist Party of China emphasized, “Accelerate the development of the institutional mechanisms for advancing the digital economy and strengthen capacities for data security governance and supervision” [2]. The Data Security Law of the People’s Republic of China, which came into force in September 2021, stipulates that “relevant competent authorities for industry, telecommunications, transportation, finance, natural resources, health, education, science and technology, and other sectors shall be responsible for data security supervision within their respective industries and fields. Public security organs and national security organs shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, undertake data security supervision responsibilities within their respective functions. The national cyberspace administration shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, be responsible for coordinating network data security and related supervision work.” In January 2025, the National Development and Reform Commission (NDRC) and five other departments jointly issued the Implementation Plan on Improving Data Circulation Security Governance to Better Promote the Marketization and Valuation of Data Elements. The plan specifies that by the end of 2027, a data circulation security governance system characterized by clear rules, a vibrant industry, and multi-stakeholder collaboration will basically be established. This will be accompanied by more robust, compliant, and efficient data circulation mechanisms; significantly enhanced governance effectiveness; and strong safeguards for fostering a thriving data market and unlocking data value.

Big data in healthcare hold significant medical, scientific, economic, and social value. However, due to its high privacy sensitivity, the governance of big data in healthcare, which is oriented towards full utilization and unlocking of data value, faces significant challenges. Relevant reports indicate that in 2023, the volume of leaked data in China’s medical and health industry reached 902.53 million records, equivalent to approximately 344.7 GB, involving a large amount of sensitive personal information and commercial secrets [3]. While these data may be deliberately exaggerated due to the commercial motives of the releasing institution, their coverage by multiple authoritative online media outlets in China underscores the urgency of health data security supervision. Additionally, from a global perspective, as of April 2024, the number of global data security incidents has doubled compared to the same period of the previous year. Among data leakage incidents in the healthcare industry, internal management issues such as human errors, abuse of privileges, and the use of stolen credentials account for up to 70% [4]. Big data in healthcare have distinctive features, including multi-source heterogeneity, high sensitivity, high value density, and complex correlation [5]. Data security risks during utilization exist across multiple stages, such as collection, storage, use, processing, transmission, provision, and disclosure, and involve numerous complex stakeholders [6,7]. This underscores the complexity and high standards required for its security supervision.

China is exploring the authorized operation of public data. In this context, as a key component of public data, anonymized big data in healthcare will be developed and utilized through authorized operations led by local governments. However, due to risks such as re-identification and the fact that technologies like privacy computing and blockchain, which enable compliant and efficient data circulation, still require breakthroughs, data security supervision during utilization remains highly challenging. In terms of regulatory models, although active explorations and practices have been undertaken regarding data sandboxes, regulatory sandboxes, and trusted data space systems, overall, they remain in the initial stage of development. Data security supervision still relies largely on legal regulation and administrative oversight [8], with relevant government departments and data sharing platforms bearing core responsibilities in this regard. The evolutionary game approach has broad applicability in studying the behaviors of governments and platforms in data security supervision. Scholars have also largely incorporated the subjective preference utilities of game participants into evolutionary game analyses, yielding findings with stronger practical guiding significance. As an emerging field, the utilization and security supervision of big data in healthcare sees both regulators and numerous regulated entities in a phase of adaptation and exploration. Under conditions of bounded rationality, limited information, constrained knowledge, and insufficient understanding, incorporating the herding preference of both game parties can better reflect their decision-making behaviors. The innovation of this paper lies in incorporating herding preference utility into a two-party evolutionary game model to examine the game dynamics between health data regulators and regulated entities, aiming to provide policy references for big data in healthcare security supervision in China.

2. Literature Review

2.1. Data Security Supervision

In recent years, as China has placed growing emphasis on data security issues, research on data security supervision has gained momentum, with a focus on areas such as the construction and improvement of policy systems, the application and advancement of technical tools, the exploration of and reference to regulatory models, and supervision optimization for specific scenarios or data types.

In terms of the construction and improvement of policy systems, the academic community, by virtue of methods such as text analysis, comparative analysis, and case analysis, has revealed issues including insufficient supply of data security policies in China [9,10,11], the current situation and defects of data security supervision systems [12], and unclear allocation of data supervision power [13] and put forward corresponding countermeasures and suggestions. In addition, studies have been conducted, drawing lessons from international experiences in data security governance [14], and attempts have been made to explore the paradigm transformation of legal protection for data security [15].

In terms of the application and advancement of technical tools, existing studies have focused on technical means such as blockchain [16,17,18,19], trusted data spaces [20], and big data [21]. Scholars have conducted preliminary explorations on trusted data space technologies from aspects including digital trust [22], evidence-based practice [23], cultural heritage [24], cultural data circulation [25], and cross-border data flow [26]. In terms of the exploration and reference of regulatory models, scholars have conducted comparative analyses on the data security regulatory models of China, the United States, the European Union, the United Kingdom and other countries/regions from perspectives such as the overall national security concept [27], the supervision of open utilization of health and medical data [28], the supervision of personal health privacy data protection [29], and the supervision of cross-border flow [30,31]. There are also special studies on models such as regulatory sandboxes [32], collaborative supervision [33], and security audits [8], which provide useful references for optimizing China’s data security regulatory model.

In the dimension of supervision optimization for specific scenarios or data types, scholars have conducted extensive discussions on data security supervision in the context of cross-border data flow [34,35,36,37]. They have analyzed the regulatory responsibilities, paths, and models in government data opening [38,39,40]; constructed a security guarantee system for public data from the perspective of digital ecology [41]; and proposed concepts, models, and development strategies for the supervision of data element circulation in authorized operation of public data [42]. Additionally, the evolutionary game method has been applied to study the data regulatory behaviors of governments or platforms in the circulation and utilization of medical data [43] and personal information [44].

2.2. Evolutionary Game Theory

Evolutionary game theory conceptualizes all parties as bounded rational subjects. Under conditions of bounded rationality, game participants continuously make choices, engage in trial and error, and evolve, which has been widely applied to research on data security supervision behaviors between governments and platforms. For example, Yang et al. constructed a tripartite evolutionary game model involving system managers, data providers, and data demanders based on blockchain architecture for the scenario of medical data sharing [43]; Zhao et al. built a tripartite evolutionary game model including APP users, APP practitioners, and government regulatory departments to analyze the strategy evolution process of each subject in the supervision of APP personal information security [44]; and Pan et al. studied the risk classification supervision strategies for cross-border data flow by constructing a two-party evolutionary game model between the government and enterprises [37]. These studies have verified the applicability of evolutionary game theory in analyzing data security supervision and also provided a basis for this paper’s analysis of data security supervision during the circulation and utilization of big data in healthcare.

The subjective preferences of all parties in the game influence their decision-making. Results derived from incorporating preference utility into evolutionary game analysis are more practically instructive. For instance, Bai et al. applied evolutionary game analysis to study the development of the carbon financial market [45] and the carbon quota storage and lending mechanism [46], taking into account the time preferences of subjects; Pan et al. considered the impact of green preferences on government regulatory behaviors and used evolutionary game analysis to explore the tripartite game behaviors among the government, enterprises, and investment institutions in the context of green development [47]; Ding et al. analyzed the impact on the industrialization development of carbon capture and storage projects based on fairness preference [48]; Wang et al. studied the optimization of pollutant emission reduction regulatory mechanisms under limited regulatory capacity and heterogeneous risk preferences [49]; and Zhang et al. analyzed the long-term supervision mechanism for epidemic prevention and control considering herding preferences [50]. Among these, herding preference is one of the important manifestations of bounded rationality in groups [51,52] and is widely applied in the field of economic management [53]. Especially when the ambiguity of information increases in the initial stage of practical exploration, the utility of herding preference will have a significant impact on the decision-making behaviors of managers [54]. Building on the aforementioned studies and considering China’s current context, such as ambiguities in the rights and responsibilities of big data security supervision entities in healthcare and the fragmentation of regulated entities, this paper incorporates the herding preferences of various stakeholders into evolutionary game analysis to further deepen and enrich the research.

2.3. Brief Review

To summarize, existing studies have conducted extensive research on macro-level aspects of data security supervision, including policy systems, technical tools, and regulatory models; explored meso-level issues such as security supervision of cross-border data flows, public data, enterprise data, and the circulation and utilization of personal information; and made valuable attempts to investigate the security supervision of enterprise data and personal information using the evolutionary game methods at the micro-level. These efforts have laid a foundation for the present study. However, research on data security supervision in the context of big data circulation and utilization in healthcare remains scarce. Big data in healthcare, as a collection of highly sensitive personal health information and a key component of public data, is often circulated and utilized after anonymization. Against the backdrop of established policy, legal, and technological frameworks, this study examines the game dynamics among relevant parties during its circulation and utilization, incorporating the herding preferences of game participants. It aims to provide practical insights for data security supervision in China.

3. Game Model

3.1. Problem Description

The collection, storage, processing, use, and destruction of big data in healthcare involve numerous stakeholders, including medical institutions, data processing service providers, research institutions, and software/hardware service providers. China’s national standard Information Security Technology—Guidelines for Health Medical Data Security, issued at the end of 2020, explicitly categorizes these stakeholders into three groups: data controllers, processors, and users [55]. Additionally, the Implementation Plan on Improving Data Circulation Security Governance to Better Promote the Marketization and Valuation of Data Elements identifies “improving the mechanism for defining responsibilities in data circulation security” as one of its key tasks. Given the characteristics of big data in healthcare, such as high privacy sensitivity and ease of replication, these stakeholders are often required to adopt specific data security measures to minimize risks. For instance, Chinese laws outline clear prohibitions and obligations for relevant entities regarding the establishment of data security management systems, mandatory technical measures, requirements for products and services, and data security emergency plans [56]. However, in practice, due to factors like high compliance costs, stakeholders may harbor an opportunistic mindset and fail to implement relevant standards when tempted by interests, significantly elevating the risk of patient data leakage and re-identification. Regulatory authorities supervise and manage the behaviors of these regulated entities. In China, national and local data bureaus, the Ministry of Industry and Information Technology, and the National Health Commission, among others, all bear responsibilities for data security supervision. In summary, regulated entities are required to implement data security standards and take measures to ensure data security, while the regulatory authorities conduct supervision and management in accordance with relevant laws and regulations, and a binary game dynamic has been formed between the two parties.

This paper examines a two-party game between regulators (government regulatory authorities) and the regulated parties (controllers, processors, users, etc.) in the development and utilization of big data in healthcare. The regulated parties’ strategy set includes two options: {strict prevention, Opportunistic non-compliance}. The “strict prevention” strategy means that relevant organizations must adopt security measures mandated by regulatory authorities to meet standards for ensuring data security, which incurs certain compliance costs. The “Opportunistic non-compliance” strategy refers to organizations harboring an opportunistic mindset, failing to implement relevant standards or make compliance investments, thereby increasing data security risks. The regulators’ strategy set includes {strong supervision, weak supervision}. Given that governments have long tended to adopt an ex-post accountability-based regulatory strategy [37], this paper focuses more on process-oriented supervision. Strong supervision involves both process supervision and outcome supervision, while weak supervision entails only outcome supervision. Process supervision involves embedded monitoring of regulated parties’ data security protection efforts. This approach requires regulators to invest substantial costs but enables prompt identification of speculative behaviors. Outcome supervision refers to overseeing regulated parties’ data security protection behaviors based on the actual occurrence of health data security incidents, with regulatory intervention and investigations triggered when such incidents occur. Currently, China attaches great importance to health data security incidents, and technologies such as blockchain enable on-chain evidence storage [16]. Thus, outcome supervision is considered capable of promptly and accurately tracing regulated organizations involved in data security incidents.

3.2. Basic Assumptions

Assumption 1. 

Both the regulator and the regulated party are bounded rational.

Assumption 2. 

The goal of health data security protection and supervision is to minimize expenditures such as losses and costs, as they do not generate direct benefits themselves. To simplify the model, this paper abstracts from secondary variables to focus on the core mechanism, assuming that the direct benefits of all strategies for both parties are zero.

Assumption 3. 

The expenditures of the regulated party include three components: economic and reputational losses to the organization caused by data security incidents, prevention costs, and fines for opportunistic behavior. When the regulated party chooses the “strict prevention” strategy, the probability of a data security incident occurring in the organization is $a_1$; when it chooses “Opportunistic non-compliance”, the probability of such an incident is $a_2$, where $0<a_1<a_2<1$. In the event of a data security incident, the total economic and reputational losses to the regulated party are $D_1$. The regulated party incurs no prevention costs when choosing “Opportunistic non-compliance” but incurs a prevention cost $C_1$ when choosing “strict prevention”. If the regulator detects speculation by the regulated party, it will impose a fine of $F$ on the latter.

Assumption 4. 

The expenditures of the regulator include two components: social losses caused by data security incidents and supervision costs, with social losses generally exceeding supervision costs. Additionally, fines collected can be regarded as regulatory revenue. In the event of a data security incident, the total economic and reputational losses to the regulator are $D_2$, including losses of social trust, losses of available data resources caused by consequent withdrawal, etc. Since data security incidents often cause more extensive adverse social impacts compared with their impacts on the regulated parties themselves, $D_1<D_2$ (where $D_1$ refers to the losses to the regulated party as mentioned in Assumption 3). The cost of outcome supervision is $C_2$, and the cost of process supervision is $C$. Under process supervision, the regulator can promptly detect the opportunistic behaviors of the regulated party and require it to enhance prevention measures.

The payoff matrix of the game between the regulated parties and the regulators is constructed as shown in

Table 1. Payoff matrix of the game between the regulated parties and the regulators.

Regulated Parties/Regulators		Regulators
		Strong Supervision $\mathit{y}$	Weak Supervision $1-\mathit{y}$
Regulated Parties	Strict prevention $x$	$-C_1-a_1{D}_1$, $-C_2-C-a_1{D}_2$	$-C_1-a_1{D}_1$, $-C_2-a_1{D}_2$
	Opportunistic non-compliance $1-x$	$-F-C_1-a_1{D}_1$, $-C_2-C+F-a_1{D}_2$	$-a_2{D}_1$, $-C_2-a_2{D}_2$

.

3.3. Model Construction and Analysis

Based on Table 1, the expected payoffs $U_{11}$ and $U_{12}$ for the regulated party when it chooses the “strict prevention” and “Opportunistic non-compliance” strategies, respectively, and the average expected payoff $U_1$ are as follows:

$$U_{11}=y(-C_1-a_1{D}_1)+(1-y)(-C_1-a_1{D}_1)=-C_1-a_1{D}_1$$

(1)

$$U_{12}=y(-F-C_1-a_1{D}_1)+(1-y)(-a_2{D}_1)=-a_2{D}_1+y(-F-C_1-a_1{D}_1+a_2{D}_1)$$

(2)

$$U_1=x{U}_{11}+(1-x)U_{12}$$

(3)

Using the method for constructing dynamic equations, the replicator dynamics equation for the regulated party is constructed as follows:

$$f\left(x\right)=x(U_{11}-U_1)=x(1-x)(U_{11}-U_{12})=-x(x-1)({a_{2}D}_1-{a_{1}D}_1-C_1+{yC}_1+yF+{a_{1}yD}_1-{a_{2}yD}_1)$$

(4)

Similarly, the expected payoffs $U_{21}$ and $U_{22}$ for the regulator when it chooses the “strong supervision” and “weak supervision” strategies, respectively, and the average expected payoff $U_2$ are as follows:

$$U_{21}=x(-C_2-C-a_1{D}_2)+(1-x)(-C_2-C+F-a_1{D}_2)=F-C_2-C-a_1{D}_2-xF$$

(5)

$$U_{22}=x(-C_2-a_1{D}_2)+(1-x)(-C_2-a_2{D}_2)$$

(6)

$$U_2=y{U}_{21}+(1-y)U_{22}$$

(7)

Using the method for constructing dynamic equations, the replicator dynamics equation for the regulator is constructed as follows:

$$f\left(y\right)=y(U_{21}-U_2)=y(1-y)(U_{21}-U_{22})=y(y-1)(C-F+a_1{D}_2-a_2{D}_2+ xF-{a_{1}xD}_2+a_{2}x{D}_2)$$

(8)

Further, setting $f\left(x\right)=0$ and $f\left(y\right)=0$ yields five local equilibrium points of the game below: $E_1\left(\mathrm{0,0}\right)$, $E_2\left(\mathrm{0,1}\right)$, $E_3\left(\mathrm{1,0}\right)$, $E_4\left(\mathrm{1,1}\right)$, $E_5({\displaystyle \frac{-C + F + (a_{2 }-{ a}_1)D_2}{F + (a_2 - a_1)D_2}}$, 0). Among them, $E_5$ exists when 0$<{\displaystyle \frac{C}{F+D_2(a_2-a_1)}}<$1, i.e., when $F+D_2(a_2-a_1)>C$. Since the asymptotically stable solution of the replicator dynamics system in multi-population evolutionary games must be a strict Nash equilibrium [57], only the four pure strategy equilibrium points $E_1{~E}_4$ need to be considered.

According to Friedman’s method [58], the local stability of the equilibrium points in this evolutionary system can be analyzed using the local stability of the Jacobian matrix. By taking partial derivatives of $f\left(x\right)$ and $f\left(y\right)$ with respect to $x$ and $y,$ respectively, the Jacobian matrix $J$ is obtained as follows:

$$\mathrm{J}=\left[\begin{array}{cc}{\displaystyle \frac{\partial f_{\left(x\right)}}{\partial x}}& {\displaystyle \frac{\partial f_{\left(x\right)}}{\partial y}}\\ {\displaystyle \frac{\partial f_{\left(y\right)}}{\partial x}}& {\displaystyle \frac{\partial f_{\left(y\right)}}{\partial y}}\end{array}\right]=\left[\begin{array}{cc}-(2x-1)({a_{2}D}_1-a_1{D}_1-C_1+y{C}_1+yF+{a_{1}yD}_1-{a_{2}yD}_1)& -x(x-1)(C_1+F+{a_{1}D}_1-{a_{2}D}_1)\\ -y(y-1)(-F+{a_{1}D}_2-{a_{2}D}_2)& -(2y-1)(-C+F-{a_{1}D}_2+{a_{2}D}_2-xF+{a_{1}xD}_2-{a_{2}xD}_2)\end{array}\right]$$

Each of the equilibrium points $E_1~E_4$ is substituted into the Jacobian matrix, respectively. Following Friedman’s method, the eigenvalues of the Jacobian matrix are calculated, and the stability of the game’s equilibrium points has been determined as shown in

Table 2. Stability of equilibrium points in the game.

Equilibrium Point	$\mathbf{Eigenvalue} {\mathit{\lambda }}_1$	$\mathbf{Eigenvalue} {\mathit{\lambda }}_2$	Stability Conclusion	Corresponding States
$E_1\left(\mathrm{0,0}\right)$	${a_2 D}_1-{a_{1}D}_1-C_1$	$F-C-a_1{D}_2+a_2{D}_2$	Saddle OR ESS	(Opportunistic non-compliance, weak supervision)
$E_2\left(\mathrm{0,1}\right)$	$F$	$C-F+{a_{1}D}_2-{a_{2}D}_2$	Unstable	(Opportunistic non-compliance, strong supervision)
$E_3\left(\mathrm{1,0}\right)$	$C_1+{a_{1}D}_1-{a_{2}D}_1$	$-C$	Saddle OR ESS	(strict prevention, weak supervision)
$E_4\left(\mathrm{1,1}\right)$	$-F$	$C$	Unstable	(strict prevention, strong supervision)

. The MATLAB v. 2017b codes for solving equilibrium points and eigenvalues are provided in the Supplementary Materials.

According to Lyapunov’s method [59], an equilibrium point is asymptotically stable if and only if all eigenvalues of the Jacobian matrix have negative real parts. If one or more eigenvalues of the Jacobian matrix have positive real parts, the equilibrium point is unstable. When the eigenvalues include both those with zero real parts and those with negative real parts, the equilibrium point is in a critical state, and its stability cannot be determined by the signs of the eigenvalues. On this basis, the following scenarios are derived:

Scenario 1: For $E_1\left(\mathrm{0,0}\right)$, when $\left(a_2-a_1\right)\times D_1<C_1$ and $F+\left(a_2-a_1\right)\times D_2<C$, it is a local equilibrium point, and the game system is in the state of (Opportunistic non-compliance, weak supervision). In this case, the cost $C_1$ for the regulated party to adopt strict prevention is higher than the reduced data security risk loss $(a_2-a_1)\times D_1$ brought by strict prevention measures, so the regulated party chooses the Opportunistic non-compliance strategy. Meanwhile, the sum of the reduced data security risk loss (i.e., $(a_2-a_1)\times D_2$) and the fines obtained by the regulator through process supervision is lower than the cost invested in process supervision, so the regulator chooses the weak supervision strategy.

Scenario 2: For $E_2\left(\mathrm{0,1}\right)$, since $F>0$, it is an unstable point. When $F+(a_2-a_1)\times D_2>C$, the sum of the reduced data security risk loss and the fines obtained by the regulator through process supervision is higher than the cost invested in process supervision, so the regulator chooses the strong supervision strategy. In this case, if the regulated party chooses Opportunistic non-compliance, it will be punished, stopped, and forced to adopt strict prevention measures. The existence of fines prompts the regulated party to abandon the Opportunistic non-compliance strategy.

Scenario 3: For $E_3\left(\mathrm{1,0}\right)$, when $(a_2-a_1)\times D_1>C_1$, it is a local equilibrium point, and the game system is in the state of (strict prevention, weak supervision). In this scenario, the cost $C_1$ for the regulated party to implement strict prevention is lower than the reduced data security risk loss $(a_2-a_1)\times D_1$ brought by strict prevention measures, so the regulated party chooses the strict prevention strategy. In this case, the regulator would need to invest additional cost $C$ to adopt strong supervision measures, but the supervision effect is the same as that of weak supervision. Therefore, the regulator will choose the weak supervision strategy.

Scenario 4: For $E_4\left(\mathrm{1,1}\right)$, since $C>0$, it is an unstable point. If the regulator chooses the strong supervision strategy, due to the existence of the fine $F$, the regulated party is more inclined to choose the strict prevention strategy. In this case, because of the process supervision cost $C$, the regulator will adjust its strategy to weak supervision, which leads to instability. Since the purpose of supervision is to urge the regulated party to choose the strict prevention strategy, when the regulated party chooses strict prevention, the regulator is more inclined to choose the weak supervision strategy to reduce costs.

3.4. Model Improvement

The formation of groups is the basis for the emergence of herding behavior. From a social psychology perspective, herding behavior refers to the phenomenon where an individual’s attitudes or behaviors shift to align with the majority due to group pressure or guidance [60]. In decision-making scenarios, herding behavior theory seeks to examine the internal mechanism by which people follow and imitate others in decision-making, helping individuals achieve better decision outcomes [61]. As an emerging field, the utilization and security supervision of big data in healthcare involve both regulators and regulated entities, such as data controllers, processors, and service providers, who are in a stage of adapting to and exploring the field. Thus, under conditions of bounded rationality, limited information, constrained knowledge, and insufficient understanding, incorporating the herding preferences of both game parties better reflects their decision-making behaviors [54]. In real-world contexts, consider regional segmented supervision across a country’s numerous regions. For example, China has 34 provincial administrative units and 685 cities in total. Supervising municipal-level regulated entities involves a large number of local regulatory organizations alongside a massive number of regulated entities, which aligns with the group-based context in which herding preferences arise. Building on this and referencing the model construction approach adopted by Zhang et al. [50], this section refines the game model by incorporating, alongside economic considerations, the impact of herding preference utility on strategy selection by both parties in the game.

Given the uncertainty of data security incidents, we further assume that the strategy choices of both parties are influenced by the decision-makers’ herding preferences. The utility of each strategy choice for both parties comprises two components: strategy income utility and herding utility. It is assumed that the herding preference utility coefficient (the ratio of herding utility to total utility) of the regulated party is $h$, and the economic income utility coefficient is $1-h$; the herding preference utility coefficient of the regulator is $g$, and the economic income utility coefficient is $1-g$. The herding utility of both parties adopting a certain strategy is positively correlated with the proportion of choosing that strategy within the group; that is, the herding utility is an increasing function of the proportion of strategy choices. With reference to relevant studies on social impact theory [62] and information cascade theory [63] in the field of behavioral research, it is assumed that herding utility has a linear relationship with the proportion of group strategy choices, with the proportional coefficient being $K$ and $K>0$. Thus, the replicator dynamics equation, incorporating both inter-group strategic game income utility and intra-group herding utility, can be derived.

At this stage, with the incorporation of herding preference, the expected payoffs ${U_{11}}^{\prime }$ and ${U_{12}}^{\prime }$ for the regulated party when it chooses the “strict prevention” and “Opportunistic non-compliance” strategies, respectively, and the average expected payoff ${U_1}^{\prime }$ are as follows:

$${U_{11}}^{\prime }=(1-h)U_{11}+hKx$$

(9)

$${U_{12}}^{\prime }=(1-h)U_{12}+hK(1-x)$$

(10)

$${U_1}^{\prime }=x{U_{11}}^{\prime }+(1-x){U_{12}}^{\prime }$$

(11)

Similarly, with the incorporation of herding preference, the expected payoffs ${U_{21}}^{\prime }$ and ${U_{22}}^{\prime }$ for the regulator when it chooses the “strong supervision” and “weak supervision” strategies, respectively, and the average expected payoff ${U_2}^{\prime }$ are as follows:

$${U_{21}}^{\prime }=(1-g)U_{21}+gKy$$

(12)

$${U_{22}}^{\prime }=(1-g)U_{22}+gK(1-y)$$

(13)

$${U_2}^{\prime }=y{U_{21}}^{\prime }+(1-y){U_{22}}^{\prime }$$

(14)

Using the method for constructing dynamic equations, the replicator dynamics equations for the regulated party and the regulator at this stage are constructed as follows:

$$\begin{gathered} F\left(x\right)=x({U_{11}}^{\prime }-{U_1}^{\prime })=x(1-x)({U_{11}}^{\prime }-{U_{12}}^{\prime }) \\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}=x\left(\right(\left(y\right(C_1+F+{a_{1}D}_1)-{a_{2}D}_1(y-1\left)\right)(h-1)-Kh(x-1)\left)\right(x-1) \\ \hspace{1em} \hspace{1em}-x((C_1+{a_{1}D}_1)(h-1)+Khx)+(C_1+{a_{1}D}_1\left)\right(h-1)+Khx) \end{gathered}$$

(15)

$$\begin{gathered} F\left(y\right)=y({U_{21}}^{\prime }-{U_2}^{\prime })=y(1-y)({U_{21}}^{\prime }-{U_{22}}^{\prime }) \\ \hspace{1em}\hspace{1em}\hspace{1em}=y(y-1)(C-F+{a_{1}D}_2-{a_{2}D}_2-Cg+Fg+Kg+Fx-{a_{1}D}_{2}g \\ \hspace{1em} \hspace{1em}+{a_{2}D}_{2}g-{a_{1}D}_{2}x+{a_{2}D}_{2}x-Fgx-2Kgy+{a_{1}D}_{2}gx-{a_{2}D}_{2}gx) \end{gathered}$$

(16)

Further, setting $f\left(x\right)=0$ and $f\left(y\right)=0$ yields nine local equilibrium points of the game. The results of the stability analysis for 4 of these pure-strategy local equilibrium points are shown in

Table 3. Stability of equilibrium points in the game incorporating herding preferences.

Equilibrium Point	$\mathbf{Eigenvalue} {\mathit{\lambda }}_1\mathit{’}$	$\mathbf{Eigenvalue} {\mathit{\lambda }}_2\mathit{’}$	Stability Conclusion	Corresponding States
$F_1\left(\mathrm{0,0}\right)$	$({a_2 D}_1-{a_{1}D}_1-C_1)(1-h)-Kh$	$(F-C-a_1{D}_2+a_2{D}_2)(1-g)-Kg$	Saddle OR ESS	(Opportunistic non-compliance, weak supervision)
$F_2\left(\mathrm{0,1}\right)$	$F(1-h)-Kh$	$(C-F+{a_{1}D}_2-{a_{2}D}_2)(1-g)-Kg$	Saddle OR ESS	(Opportunistic non-compliance, strong supervision)
$F_3\left(\mathrm{1,0}\right)$	$(C_1+{a_{1}D}_1-{a_{2}D}_1)(1-h)-Kh$	$-C(1-g)-Kg$	Saddle OR ESS	(strict prevention, weak supervision)
$F_4\left(\mathrm{1,1}\right)$	$-F(1-h)-Kh$	$C(1-g)-Kg$	Saddle OR ESS	(strict prevention, strong supervision)

. The MATLAB codes for solving equilibrium points and eigenvalues are provided in the Supplementary Materials.

3.5. Comparative Analysis

By comparing Table 2 and Table 3, and analyzing the stability of the evolutionary game equilibrium points before and after incorporating herding preference utility, the following theorems are derived:

Theorem 1. 

When decision-makers base their decisions solely on economic income utility, if an equilibrium has been achieved, the inclusion of herding utility will strengthen this equilibrium.

Proof of Theorem 1. 

It can be obtained by comparing Table 2 and Table 3:

$${{\lambda }_1}^{\prime }={\lambda }_1(1-h)-Kh$$

(17)

$${{\lambda }_2}^{\prime }={\lambda }_2(1-g)-Kg$$

(18)

Since $h$, $1-h$, $g$, $1-g,$ and $K$ are all positive, analyzing the positivity or negativity of the right-hand sides of Equations (17) and (18) shows that if ${\lambda }_1<0$, then ${{\lambda }_1}^{\prime }<0$; if ${\lambda }_2<0$, then ${{\lambda }_2}^{\prime }< 0$. From the above analysis, if the equilibrium state $E_1\left(\mathrm{0,0}\right)$ or $E_3\left(\mathrm{1,0}\right)$ has been achieved without incorporating herding preferences, all eigenvalues of the Jacobian matrix will remain negative after adding herding preferences. Therefore, the original equilibrium state will remain unchanged and be strengthened. □

Theorem 2. 

When equilibrium cannot be achieved by economic income utility alone, herding utility increases the probability of the system reaching equilibrium, with the strength of its impact being related to the herding preference coefficient.

Proof of Theorem 2. 

In the original model, since both $F$ and $C$ are positive, $E_2\left(\mathrm{0,1}\right)$ or $E_4\left(\mathrm{1,1}\right)$ are unstable points. After taking herding preferences into account, there may be cases where $F\left(1-h\right)-Kh<0$ or $C\left(1-g\right)-Kg<0$. In such scenarios, all eigenvalues of the Jacobian matrix are negative, and the system will reach an equilibrium. Furthermore, the larger the values of $h, g,$ and $K$, the smaller the values of $F(1-h)-Kh$ and $C(1-g)-Kg$ will be, which makes it more likely to facilitate the occurrence of such cases. □

Overall, herding preference exerts a positive effect on the stability of the game system. Across all scenarios, it tends to facilitate the attainment of the system’s equilibrium state.

4. Simulation Analysis

4.1. Initial Values

China attaches great importance to the security supervision of big data in healthcare and often conducts stringent investigations into security incidents such as data leakage. However, it is still exploring issues in process supervision, including who to supervise, what to supervise, how to supervise, and the intensity of supervision. Against this backdrop, consider the following initial scenario: regulators prioritize outcome supervision while neglecting process supervision. In this case, regulated parties lack awareness of data security prevention and requirements for data protection measures. Further, drawing on expert recommendations, the initial simulation parameters are set as shown in

Table 4. Initial values for simulation experiments.

Initial Values	$C_1$	$C_2$	$C$	$D_1$	$D_2$	$a_1$	$a_2$	$F$	$g$	$h$	$K$
	10	5	50	100	500	0.02	0.1	0	0	0	0

, where $C=50$ indicates that regulators face high process supervision cost, reflecting their insufficient process supervision capabilities and awareness.

Further, by taking $x=y=0.2, 0.5, 0.8$ in turn and conducting a simulation in MATLAB, the evolution result is shown in Figure 1. Namely, the initial equilibrium state of the system is (Opportunistic non-compliance, weak supervision). All simulation codes for the analyses in this section are provided in the Supplementary Materials.

4.2. Impact of Process Supervision Costs on Evolutionary Results

With accumulated experience in data security regulation, regulators have gradually strengthened process supervision alongside outcome supervision. In this context, we consider the impact of changes in various parameters on the game’s equilibrium state. By successively setting $C=30, 20, 10$ with other parameters retained as the initial values from Table 4, the evolutionary results are presented in Figure 2. As awareness of process supervision increases and costs decrease, regulators strengthen process supervision, and their final decisions stabilize in a strong supervision state. However, no punitive measures are imposed on the regulated party at this stage ($F=0$). Thus, before regulators reach a stable state of strong supervision, the proportion of regulated parties adopting the strict prevention strategy decreases; it remains unchanged once regulators achieve a stable state of strong supervision.

4.3. Impact of Penalty Amount on Evolutionary Results

Fines are a key tool for regulators in administrative regulation. This section focuses on the impact of changes in fine amounts on evolutionary outcomes, leaving aside for the moment the effects of unintended consequences such as regulatory capture [64] or reduced innovation. With $C=5$ held constant and set $F=2, 5, 8,\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{p}\mathrm{e}\mathrm{c}\mathrm{t}\mathrm{i}\mathrm{v}\mathrm{e}\mathrm{l}\mathrm{y}$, the evolutionary results are presented in Figure 3. As the penalties on regulated parties increase, they gradually adopt the strict prevention strategy. When the proportion of regulated parties adopting the strict prevention strategy rises, regulators subsequently reduce process supervision gradually, and the proportion choosing the weak supervision strategy increases, resulting in unstable fluctuations within the system. This scenario confirms that $E_2\left(\mathrm{0,1}\right)$ and $E_4\left(\mathrm{1,1}\right)$ are unstable points in the original game model; moreover, the larger the fine $F$, the faster the fluctuations emerge.

By extending the evolution period, the evolutionary results are presented in Figure 4. For $F=2$, the lower limit of fluctuations for the regulated parties (red line) gradually converges to a stable value. With $x=y=0.2$, the lower limit (the trough of the red line) initially shows a gradual upward trend early in the evolution, then stabilizes at a fixed value of approximately 0.57, as shown in Figure 4a; the same pattern holds for $x=y=0.5$, as shown in Figure 4b. For $x=y=0.7$ and $x=y=0.8$, the lower limit initially exhibits a gradual downward trend early in the evolution, then stabilizes at a fixed value of about 0.63, as shown in Figure 4c,d. Similarly, for $F=5$ and $F=8$, the lower limits stabilize at around 0.53 and 0.47, respectively. This indicates that the lower limit of fluctuations for the regulated party may be related to the penalty amount, and the higher the penalty amount, the higher the lower limit proportion of regulated parties adopting the strict prevention strategy.

4.4. Impact of Prevention Costs on Evolutionary Results

Prevention costs may be influenced by multiple factors, including technological progress, scale effects, and policy incentives. This section focuses on the impact of “cost levels” rather than “mechanisms of cost change” on evolutionary outcomes. With $C=10$ and $F=5$ held constant, and by successively reducing the prevention costs of regulated parties by setting $C_1=10, 8, 5$ while keeping other parameters unchanged, the evolutionary results are presented in Figure 5. As prevention costs decrease, regulated parties gradually adopt the strict prevention strategy, and regulators accordingly quickly adopt the weak supervision strategy, thus eventually reaching the game equilibrium state of (strict prevention, weak supervision). In this state, regulated parties implement various prevention measures at lower costs, while regulators only conduct outcome supervision, reducing investment in process supervision. From the perspective of maximizing social welfare, this represents an ideal equilibrium state for the game between both parties in real scenarios. It enables the implementation of security prevention and supervision measures for big data in healthcare while minimizing resource input from all parties.

4.5. Impact of Herding Preference Utility on Evolutionary Results

In real-world contexts, when a series of health data leakage incidents occur successively in a region, public attention to risks increases, and the herding preference coefficient $g$ of regulated entities (which tends to imitate the “strict prevention” strategy) may rise accordingly. Conversely, if regulatory authorities intensify efforts to promote “collaborative prevention” through government meetings, the herding preference coefficient $h$ of regulators (which tends to imitate the “strict supervision” strategy) may increase significantly during the policy window period. Exploring the impact of changes in herding preference coefficients $g$ and $h$ on evolutionary outcomes is therefore of crucial importance. Further, by setting $g=h=0.2$ and $K=10$ to examine how herding preference influences the decision-making behaviors of both parties in the game, we find that herding preference utility exerts a significant impact on the evolutionary results, as illustrated in Figure 6. In this scenario, the initial proportion $x$ of regulated parties adopting enhanced prevention determines the final evolutionary outcome: when $x\le 0.5$, the game ultimately stabilizes at (Opportunistic non-compliance, strong supervision); when $x>0.5$, it ultimately stabilizes at (strict prevention, weak supervision).

To examine the impact of the intensity of herding preference utility on evolutionary results, we successively set $g=h=0.1$ and $K=5$ to represent weaker herding utility, and $g=h=0.2$ and $K=10$ to represent stronger herding utility, with $F=5$ held constant. The evolutionary results are presented in Figure 7 and Figure 8. When herding utility is weak (see Figure 7), it cannot eliminate the fluctuations in the strategy choices of both parties in the game. When herding utility is strengthened to a certain degree (see Figure 8), the system ultimately stabilizes at the equilibrium state of (strict prevention, weak supervision) regardless of the initial proportions of decisions by both parties.

5. Discussion

Given China’s large population, vast volumes of health data are generated annually. Driven by the central government, local governments take the lead in the utilization of health data while assuming responsibility for administrative regulation to ensure the rational and efficient use of health data. This study incorporates herding preference utility into evolutionary game theory to explore the two-party game between regulators and regulated entities within large group scales in the Chinese context, focusing on how factors such as punishment intensity, regulatory costs, and herding intensity influence the system’s stability and equilibrium outcomes. However, the research conclusions are more applicable to scenarios dominated by local administrative regulation. Their applicability to countries and regions such as the United States and Europe warrants further in-depth investigation and discussion.

Globally, the United States adopts a multi-level regulatory model that prioritizes self-regulatory supervision by industries and data open platforms, with government regulation playing a supplementary role. On the basis of enacting the Health Insurance Portability and Accountability Act (HIPAA), which clarifies the privacy protection standards and management rules for personal health information, the U.S. government further advocates for industry self-regulation through cross-sectoral decentralized legislation [65]. It requires data processors and controllers to formulate their own data management strategies and fulfill data regulatory responsibilities. For instance, the Federal Trade Commission (FTC), as the primary regulatory authority in the field of data security and privacy, focuses its duties on overseeing the “self-regulation” of various entities [66].

The EU has established a rigorous regulatory system that prioritizes stringent, prudent legislation and oversight by dedicated institutions, with the European Health Data Space (EHDS) serving as a supplementary component for industry regulation [28]. The GDPR sets strict requirements for compliance by data controllers and data processors, establishes specialized regulatory authorities, and specifies stringent penalties to protect personal health and privacy information [29]. The EU has established the European Data Protection Board (EDPB), the European Data Innovation Board (EDIB), and the European Ombudsman (EO) as dedicated data regulatory bodies to carry out ex ante and ex post oversight. The European Health Data Space provides rules, universal standards, practices, infrastructure, and governance frameworks for the utilization of health data, though it remains in the initial exploration stage [67].

For the UK, which has left the EU, its regulatory approach primarily relies on government and technology regulation, emphasizes public participation in decision-making, and focuses on fostering a democratic and transparent regulatory environment. Relevant policies and regulations have established the basic framework for regulating health data, covering areas such as data subject rights, data compliance oversight, and improving the data access environment. At the national level, the UK Information Commissioner’s Office (ICO) and the Care Quality Commission (CQC) function as dedicated regulatory authorities for data security. The National Health Service (NHS) has established an independent Advisory Group for Data (AGD), which oversees and reviews all data access requests to the NHS to ensure transparency, accountability, quality, and consistency in the collection, use, and sharing of health data [68]. The Caldicott Guardian Committee, led by the National Data Guardian (NDG), is tasked with upholding the eight Caldicott principles for health data protection and is committed to collaborating with government departments to oversee the lawful and proper use of personal data [69].

Each country or region carries out the utilization and protection of health data in line with its specific national context. Their distinct approaches to utilization, policies and regulations, technology deployment, ethical constraints, and other aspects are characterized by unique features, and they accordingly face distinct regulatory challenges. This paper has undertaken a preliminary exploration of the balance between the circulation and regulation of health data within the Chinese context and also aims to offer useful insights for other countries.

This study may also have the following limitations. First, it only considers the two-party game between regulators and regulated entities. Future research can further explore the potential interactions among the behaviors of multiple players, such as government regulators, non-governmental regulators, regulated entities, and patient groups. Second, in terms of non-economic utility, this study only incorporates herding preference. Future studies could further consider factors such as the risk preferences of relevant subjects to conduct more comprehensive and in-depth explorations. Third, regarding specific content, to focus on core variables, the evolutionary game model in this study has been highly simplified, omitting consideration of collusive behavior between the two parties, the segmentation of regulated entities, and reputational gains and losses for both parties. Future research could address these limitations to better align with real-world scenarios. With advances in China’s data element practices, future work could further focus on mutual validation between real-world cases and relevant research conclusions. Additionally, this study preliminarily identified a specific quantitative relationship between the fine amount and the minimum proportion of regulated entities’ strategy choices. However, due to this study’s core focus and length constraints, this relationship was not discussed in depth and could be explored more thoroughly in future research.

6. Conclusions and Recommendations

6.1. Summary and Conclusions

The utilization of big data in healthcare must be predicated on ensuring data security. Regulatory authorities attach great importance to outcome-based supervision after data security incidents occur, while also exploring process-based prevention prior to such incidents. This paper focuses on the two-party game between regulators and regulated parties and examines the mutual influence between regulators’ choices of regulatory strategies and regulated entities’ choices of prevention strategies. The key conclusions are as follows:

• From the perspective of maximizing social welfare, the ideal equilibrium state of the two-party game is (strict prevention, weak supervision). In this state, regulated entities adopt various preventive measures at lower costs, reducing security risks in the circulation and utilization of health data. Regulators only conduct outcome supervision, reducing investment in process supervision and thus yielding the optimal overall social and economic benefits;
• The fine amount imposed on regulated entities during process supervision has a significant impact on their behavior, yet it cannot eliminate unstable fluctuations in the system. The existence of fines incentivizes regulated entities to adopt strict prevention strategies. The larger the fine amount, the more inclined regulated entities are to adopt strict prevention. However, as regulators seek to reduce investment in process supervision, the strategy choices of both parties exhibit continuous fluctuations;
• Reducing the prevention costs of regulated entities is the fundamental approach for the system to achieve the equilibrium state of maximum social welfare. Regulated entities are required to implement prevention measures, entailing certain cost inputs. When their cost inputs are lower than the losses from data security risks mitigated by strict prevention measures, regulated entities will adopt strict prevention strategies regardless of the existence of speculative fines;
• Herding preference utility enhances system stability, and when this utility is sufficiently strong, it may even eliminate unstable fluctuations in the system. When decision-makers base their choices on economic utility, if an equilibrium has already been reached, herding utility will reinforce this equilibrium; if no equilibrium has been reached, the herding utility of both parties in the game can drive the system toward equilibrium once it reaches a certain intensity.

6.2. Policy Recommendations

6.2.1. Enhancing the Feasibility of Protection Measures

Data controllers, processors, and users are generally required to adopt certain security protection measures and assume corresponding security responsibilities, all of which entail cost expenditures. The security prevention costs incurred by regulated entities include, on one hand, one-time fixed costs such as investment in relevant equipment and technological costs; on the other hand, they include long-term ongoing expenditures such as human resources, system and process maintenance, personnel training, and software and hardware updates. This study indicates that reducing these costs helps the system achieve the equilibrium state of maximum social welfare: (strict prevention, weak supervision). It is therefore recommended that relevant authorities prioritize the costs borne by regulated entities when formulating policies, balance cost expenditures with security protection efforts, and carefully assess the feasibility of the security prevention measures adopted by these entities. This would help avoid reluctance to circulate data due to excessively high security costs shouldered by regulated entities.

6.2.2. Implementing Subsidy Policies When Necessary

As a critical public governance measure, subsidy policies serve as a key means for government departments to influence the behavior of social organizations. Reducing the cost inputs of regulated entities through subsidy measures can help the system achieve the equilibrium of maximum social welfare. However, regulators have to weigh the increased subsidy amounts against the reduced regulatory costs. It is recommended to establish a hierarchical subsidy mechanism, set basic subsidy thresholds, and provide tiered subsidies based on institutional scale and data contribution to avoid universal subsidization. To ensure the effectiveness of subsidies, it is necessary to develop a monitoring system encompassing “ex-ante review—in-process tracking—ex-post evaluation” and establish exit and adjustment mechanisms, thereby avoiding long-term dependence by enterprises during subsidy implementation. The subsidy policy can also be implemented in phases or targeted at specific regulated entities to enhance its effectiveness while minimizing government expenditure.

6.2.3. Exploring a New Model of Multi-Stakeholder Collaborative Supervision

Currently, China primarily relies on government administrative supervision to advance the utilization and protection of health data. However, when drawing on international experiences, it is evident that regulatory models vary across countries. For instance, the United States’ platform self-regulatory model, the European Union’s data space industry regulatory model, and the United Kingdom’s Caldicott Guardian model all reflect the responsibilities and roles of different entities in the field of data security. Due to cost constraints, the existing regulatory process may suffer from system instability caused by long-term fluctuations. In contrast, the active participation of data platforms, industry associations, and public groups can significantly reduce government regulatory costs. It is recommended that China further study the applicability of different models in the Chinese context and, in light of its national conditions, explore a new model of multi-stakeholder collaborative supervision involving both the government and society.

6.2.4. Enhancing Risk Awareness and Strengthening Publicity and Guidance

Data security incidents can have severe adverse impacts on the reputation of regulated organizations and may also result in substantial economic losses, yet relevant organizations often lack sufficient awareness of these risks. Enhancing public awareness and guidance to ensure regulated organizations recognize their actual data security risks and potential losses will increase their willingness to invest in prevention, thereby helping the system achieve the equilibrium state of maximum social welfare. Furthermore, by leveraging the herding effect to guide regulated organizations in balancing economic utility and herding utility, relevant policies can be formulated to offer material and non-material incentives. Establishing positive role models and conducting publicity campaigns to foster a demonstration effect will also be effective. These measures not only enhance the safety awareness of regulated organizations but also significantly reduce government regulatory costs through the establishment of incentive mechanisms, thereby driving positive outcomes in health data security supervision.