Abstract
To date, healthcare organizations still struggle to adopt new technologies, making it challenging for leaders to justify the efforts of information technology (IT) implementations. Effective IT governance is essential to align IT strategies with business objectives and ensure that IT investments deliver value by improving performance and service quality for healthcare organizations. There is a lack of specific guidance on how IT governance mechanisms are implemented in healthcare settings, such as governing EMR or HIS. This study aims to find the challenges that inhibit successful IT governance mechanisms in healthcare facilities. Preferred reporting items for systematic reviews and meta-analysis (PRISMA) are used. Twenty-six empirical research papers published between 2019 and 2024 that discuss the implementation of IT in relation to its governance in various health processes are synthesized to present the current issues that need to be prioritized in implementing IT governance. The notable challenges found are a lack of support from top management, ineffective risk management, difficulties in achieving business-IT alignment, and overcoming resistance from staff. Meanwhile, establishing a multi-stakeholder committee from medical, IT, management, training, and support could mitigate the challenges. This review aims to provide valuable insights for practitioners, researchers, and policymakers by highlighting the need for robust IT governance that maximizes value extraction from IT into the business. This study synthesizes current IT governance challenges in healthcare for prioritizing the improvement of IT in healthcare organizations, bridging gaps in literature and practice.
Plain Language Summary
Healthcare organizations increasingly rely on technology to improve patient care and operational efficiency. However, adopting and managing these technologies is often challenging. This study reviews 26 research papers to understand the obstacles healthcare facilities face when implementing Information Technology (IT) governance. Key challenges include insufficient support from leadership, ineffective management of IT risks, and resistance from staff. Solutions such as creating collaborative teams, providing training, and adopting structured governance practices can help address these issues. By connecting these findings to the COBIT 2019 framework, the study offers practical guidance for healthcare leaders to improve technology use and decision-making.
Introduction
Digital transformation has become critical in many industries, including healthcare, which also relies on IT solutions for its operational and strategic activities. However, healthcare organizations have been struggling to adopt new technologies, making it difficult for healthcare leaders to justify the digital transformation (Cousins et al., 2023). Investment in IT solutions could give competitive advantages to organizations, including those in healthcare. For example, with the recent COVID-19 pandemic impacting the whole world, there is a rising urgency for these transformations to ensure business continuity and the growth of healthcare services (Cousins et al., 2023). Introducing new healthcare IT solutions, particularly during crises like the COVID-19 pandemic, requires quick decision-making and adaptation to changing socio-economic conditions (Cousins et al., 2023; Tsilionis & Wautelet, 2022). Organizations should define IT governance to maximize the gain of business value from IT (Weill & Ross, 2004). The role of IT has become more significant than ever, yet healthcare organizations still face challenges in implementing IT governance (Alharbi et al., 2022). Effective IT governance is essential to align IT strategies with business goals and ensure that costly IT investments deliver value by enhancing organizational performance and service quality of healthcare facilities and services. In order to
Despite the importance of digital transformation in healthcare, the formulation of its strategy remains an emerging area with immature literature, leading to vague guidelines for practitioners, managers, and researchers (Aghakhani et al., 2024). Moreover, there is a lack of specific guidance on successful digital transformation in healthcare (e.g., EMR or HIS implementation), highlighting the need for comprehensive IT governance frameworks in healthcare (Businger et al., 2020; Scott et al., 2019). Digital transformation in healthcare will be much more complicated, particularly in low and middle-income countries, due to the need for integrated and flexible healthcare information systems (Nsaghurwe et al., 2021). For instance, in the healthcare sector, besides the implementation of core systems such as Electronic Medical Records (EMR), there is also a need to implement specialized solutions such as large diagnostic machines (e.g., X-Ray, CT-Scan, Ultrasonographic Machine) that should be considered for integration into the Hospital Information Systems (HIS; Hanseth, 2022), and the systems need to be interoperable and secure (Choi et al., 2023). Furthermore, there are also non-technical issues such as economic uncertainties, evolving market trends, and regulations that need to be taken into consideration (Alharbi et al., 2022). These are the reasons why IT has a strategic role and why IT governance needs to be addressed.
The patient’s quality of care, safety, and operational performance will be improved with the implementation of IT in healthcare, which needs to be governed (Guillemette et al., 2024). IT governance in healthcare should cater to the complexity of the healthcare business model and its strict regulations to effectively manage the digital transformation in healthcare (Guillemette et al., 2024). These complexities need to be overcome by having robust IT governance, hence risks could be managed and competitiveness will be generated (Alharbi et al., 2022; Hanseth, 2022). The digital transformations also need to be tailored to specific regional requirements to ensure functionalities are enabled and aligned with clinical priorities and local values (Guillemette et al., 2024).
The literature reviews on IT in healthcare are evolving, yet they still point to a fragmented or context-sensitive understanding that lacks unified guidelines. Thatcher (2013) published a literature review on IT governance in the specific context of acute healthcare settings. Similarly, Handayani et al. (2018) and Afrizal et al. (2019) highlight multi-dimensional challenges in HIS and EHR adoption, revealing that both individual and organizational barriers significantly influence IT readiness and acceptance, particularly in developing countries. Tarhan et al. (2020) revealed that hospitals widely measure their digital capabilities using a maturity model with technology, people, and process as main factors, without specifically addressing the need to implement IT governance. On security, Sari et al. (2022) identify behavioral antecedents influencing security practices. Meanwhile, Heshajin et al. (2024) went beyond the strategic issue in conceptualizing health information management frameworks, encompassing 13 principles, 11 components, and a step-by-step process. De Regge and Eeckloo (2020) explored governance at the hospital level and found that board configurations and engagement influence indicators such as ratings, morality, and financial efficiency.
This study will examine the challenges to the implementation of IT from the previous empirical studies, then analyze them using the IT governance mechanisms lens. The research question is “
Methods
This section discusses the methodology used in this research, the systematic literature review (SLR). The SLR was conducted to find out the current state of the research field, how far the field has gone, and what gap needs to be filled, also known as the state-of-the-art. The SLR method used in this study is PRISMA. This method is commonly used in the healthcare field to check how far the topic has been researched, used as justification to continue the work, and provide guidance for the researcher to conduct SLR clearly and completely (Page et al., 2021). There are four major steps in conducting an SLR using PRISMA, which are identification, screening, eligibility, and inclusion.
Article Eligibility Criteria
Before PRISMA is conducted, the research questions are formulated to define the scope of the search in the research databases, using a Boolean search to ensure the results are similar even though each database has a different syntax. The framework used to define the research question is PICO (population, intervention, comparison, and outcome). Here are the explanations of PICO according to Kitchenham and Charters (2007):
Population
The research subject impacted by the intervention. In the context of software engineering, it could be a specific role (e.g., application developer, manager, etc.), a role category (e.g., beginner, professional, expert, etc.), or organizations within an industry (e.g., telecommunication companies, IT vendors, etc.).
Intervention
The target methodology, tools, technology, or specific procedure. For example, how to conduct testing in application development, or a new methodology to estimate effort in application development.
Comparison
The way to compare each intervention, such as by methodology, tools, technology, or procedure. Usually, these comparisons are made between conventional methods that are already widely used, commonly referred to as the control treatment, and the newly proposed method.
Outcome
Result or effect obtained through intervention. The results obtained should be relevant to real-world conditions, such as increased reliability, decreased production cost, or optimizing time from development to release.
Table 1 describes the breakdown of research questions with PICO formulation. After that, the inclusion criteria were also formulated to help filter research that was in line with the PICO formulation. These are six inclusion criteria:
PICO Formulations.
Information Sources
As stated in the inclusion criteria, this SLR only uses scientific articles as sources and only includes research with empirical data. The sources are five databases subscribed to by Universitas Indonesia: Scopus, ProQuest, ScienceDirect, JSTOR, and Taylor and Francis. They were chosen because of the quality of their journal articles and conference proceedings. These databases also contain plenty of articles on Information Systems and related topics, and they already cover most of the best-quality articles needed.
Search Strategy
The search strategy is to execute Boolean search queries in each database that have already been adjusted to each platform’s syntax. After the result is obtained, it will be screened by title and abstract, where the included articles will suit the inclusion criteria. Here is the pseudo-query executed in each database. The filters used in each database are publication year between 2019 and 2024, research paper or conference, and search by “abstract, title, or keyword.” The data were searched and analyzed between July 2024 and November 2024.
Boolean Pseudo-Query for Each Database.
Study Data Recording
This section discusses how the article data will be managed and collected. Table 2 describes the data recording process in the SLR.
Data Recording.
Study Results Extraction and Analysis Strategy
The studies that are selected then undergo quality appraisal using Mixed Methods Appraisal Tool (MMAT), version 2018, developed by Hong et al. (2018). This step is essential because it allows researchers to systematically evaluate the methodological quality of diverse empirical studies, including qualitative, quantitative, and mixed methods. The MMAT provides a structured framework to identify strengths and weaknesses in study design and reporting, ensuring the reliability and validity of the evidence synthesized in systematic mixed studies reviews. Additionally, MMAT’s comprehensive approach helps in making standardized judgments about the credibility and relevance of studies, which supports transparent and rigorous decision-making in research synthesis.
Hong et al. (2018) also highlight that conducting quality appraisal with the MMAT supports the integration of multiple research methodologies within a single review, which is often challenging due to variation in study designs. The tool helps reviewers not only to gauge the quality of included studies but also to inform sensitivity analyses without excluding studies based solely on their methodological limitations. MMAT emerged from the medical field, which has several types of quantitative studies, such as randomized controlled trials, non-randomized, and descriptive. In the IT/IS field, quantitative research is mostly descriptive. Hence, we only use the descriptive type for our assessments. The MMAT questions used for each type are displayed in Table 3.
MMAT’s Questions (Hong et al., 2018).
Study Results Extraction and Synthesis Strategy
The selected results are then extracted and synthesized using thematic synthesis according to Thomas and Harden (2008) to create coding, descriptive themes, and analytical themes. They argued this method enabled them to stay “close” to the results of the primary studies, synthesizing them in a transparent way, and facilitating the explicit production of new concepts and hypotheses. The synthesis was first done inductively, where each topic is classified into a theme. After the themes are created, they are mapped deductively into IT governance building blocks (structure, processes, and mechanisms), which are taken from De Haes and Van Grembergen (2009), with technology included as an additional factor to cater to themes that are not relevant to the building blocks. Each theme is also mapped to COBIT 2019 by analyzing the similarity between the theme and the objective definition. Only the most relevant COBIT 2019 objectives are mapped to the theme.
Results
The Boolean search query is executed, and then the time range is only between 2019 and 2024. After that, the initial search results are obtained. Table 4 is the summary of each database on the initial search.
Results on Initial Search.
Next, after the records were identified, records from another source that were considered relevant were also included in the screening process. The screening process filtered the articles by title and abstract. In the eligibility process, 71 articles went through a scoping review against the inclusion criteria, and some articles turned out not to have empirical data or not to be relevant to the topic. After that, 29 articles were included in the MMAT assessment. Then, the remaining 26 articles were included for discussion in the qualitative synthesis. Figure 1 describes the result summary within each process in the PRISMA. The MMAT assessment is shown in Multimedia Appendix 1.

PRISMA Results.
The remaining 26 papers are included in the qualitative synthesis, which is where data were extracted. The data extracted include the demographics, topic focus, methodology, and finally, the cases where the challenges of IT governance implementation are discussed. The research papers, grouped by the journal or conference in which they were published, are shown in Multimedia Appendix 2.
Research Demographics
Each research paper is grouped into a topic that is relevant to its research. Eight topics were determined by the focus area in healthcare that those papers were discussing. A summary of all research topics is presented in Table 5. The topic of care coordination and quality improvement discusses patient outcomes enhancement by leveraging digital transformation, real-time data analytics, and strategic IT management. Examples include implementing online patient surveys for hospital quality and safety assurance (Barnett et al., 2019), developing a framework for value creation through capabilities (Ghosh et al., 2023), and maturity and performance assessment using a management model for hospitals (Guillemette et al., 2024).
Research Topic Focus Grouping.
The digital transformation topic discusses strategic development in embedding technology to streamline operational clinical processes. The papers present a conceptual model for digital transformation strategy with a generic set of strategic objectives (Aghakhani et al., 2024), analyze how to build resilience in Health Information Technology (HIT) services through organizational learning that could drive digital transformation (Cousins et al., 2023), provide a longitudinal case study of healthcare digital transformation in a country (Hanseth, 2022), and develop checklists for digital transformation planning (Scott et al., 2019).
The health data management topic focuses on the development and implementation of frameworks and practices that can ensure secure, transparent, and effective handling of data. The papers discuss developing strategic governance, risk, and compliance (GRC) frameworks for a rapidly changing healthcare market (Alharbi et al., 2022), analyzing the importance of healthcare data governance (Alvarez-Romero et al., 2023), the impact of Health Information Exchange (HIE) on hospital data breach risks (Choi et al., 2023), assessing the impact on cyber risk using Protection Motivation Theory (PMT; Jain et al., 2023), developing a framework for effective Electronic Health Record (EHR) management (Masuda et al., 2019), and studying a country implementing nationwide HIE (Nsaghurwe et al., 2021).
Health Information Technology (HIT) discusses the technological tools and systems that could be strategically integrated to enhance patient care, improve operational efficiency, and support innovation in healthcare. The papers discuss mechanisms that drive innovation pace and scalability for integrated digital remote care (Ajer & Øvrelid, 2023), analyzing HIT implementation in the patient safety learning laboratory (Businger et al., 2020), analyzing relationships between HIT and organizational innovation capabilities (Esdar et al., 2021), enhancing HIT strategic planning by integrating BSC and COBIT (Moinzad & Akbarzadeh, 2022), analyzing the importance of mobile phone-based healthcare solutions (Pai & Alathur, 2021), and tracking technologies’ impact on hospital characteristics and governance (Zhu et al., 2022).
Furthermore, healthcare services refer to the delivery of specific healthcare solutions from providers to patients. The papers discuss the integration of respiratory services between hospitals and local providers (Banks et al., 2020), e-Health intervention model on pediatric care (Castor et al., 2023), e-Prescribing optimization in hospitals through interoperability (Heeney et al., 2023), and analyzing opportunities for interoperability in mother and childcare (Lazuardi et al., 2021).
Finally, the healthcare business modeling topic focuses on strategically structuring the healthcare business to define the role of IT that could enhance and align overall organizational performance. The research papers develop a model-driven IT governance process tested on hospitals (Wautelet, 2019) and extend it to include strategic agility (Tsilionis & Wautelet, 2022).
Other demographic data extracted from the research papers are countries, research sample subjects, and research methodology. The countries are grouped into developed and developing, where development status is determined through economic (income per capita, per capita gross domestic product, and level of industrialization) and non-economic (human development index) factors (Majaski, 2022). Table 6 shows the results of the country classification. Table 7 shows the research sample subjects, grouped into individual and organizational. Table 8 shows the methodology used by the research papers.
Countries Where the Research Was Conducted.
Research Sample Subject.
Research Methodology.
Conceptual Framework
As part of corporate governance, IT governance plays a significant role in enabling the success of company or organization objectives. Although there are many definitions of ITG, the most accepted definition is that of De Haes et al. (2020), due to its dissemination into the de facto framework of IT governance, which is COBIT. The definition is “
The main building blocks were constructed by De Haes et al. (2020), Peterson (2004), Weill and Ross (2004), where the IT governance implementation consists of the holistic measurement of processes, structures, and relational mechanisms. Structures involve the organizational structure, responsibility, and accountability for making IT decisions while aligning between IT and business decision-making functions (e.g., IT steering committee). Processes refer to the formalization and institutionalization of strategic IT decision-making and monitoring procedures while maintaining daily behavior consistent with defined policy and providing feedback (e.g., IT portfolio management). Relational mechanisms represent active participation and collaboration among stakeholders in the organization. While it is encapsulated into the IT governance construct, it then influences the business IT alignment and results in delivering business value from IT, which was validated by Wu et al. (2015) and visualized in Figure 2. The building blocks of IT governance are also visualized in Figure 3 in the IT governance dimension.

Conceptual Model of IT governance and alignment value model (De Haes et al., 2020; Wu et al., 2015).

Conceptual framework.
The results from the SLR were extracted and synthesized qualitatively with thematic synthesis. After the themes were found deductively, we inductively mapped them into predetermined dimensions from the building blocks of IT governance, which are structure, process, and relational mechanisms (De Haes et al., 2020; Peterson, 2004; Weill & Ross, 2004). Technological capabilities were added as a dependent construct to assess the desired behavior the technology should possess while supporting business-IT alignment and then providing IT business value. The extracted variables are the themes that were found in each research paper, grouped by the similarity of discussions. Figure 3 visualizes the conceptual framework in which IT governance influences desired technological capability.
A summary of these challenges and their mitigations, grouped by theme, is presented in the table in each subsection. Table 9 summarizes the challenges and mitigations for the structure dimension. Tables 10 to 12 do the same for the process, relational mechanisms, and technological capabilities dimensions, respectively.
Theme, Challenges, and Mitigation for Structure Dimension.
Theme, Challenges, and Mitigation for Process Dimension.
Theme, Challenges, and Mitigation for Relational Mechanisms Dimension.
Theme, Challenges, and Mitigation for Technological Capabilities Dimension.
Structure Dimension
The structure dimension consists of top management influences, governance structures, regulatory compliance, and risk management. Top management influence refers to active involvement, commitment, and endorsement from top management, which is crucial to establishing central governance arrangement, advocacy, and support for making progress in the implementation of IT governance in the hospital (Ajer & Øvrelid, 2023; Guillemette et al., 2024; Zhu et al., 2022). IT resources and capabilities need to be governed to align IT initiatives in the hospital that have goals to improve overall hospital performance (Guillemette et al., 2024). Lack of adequate support from top management can significantly hinder the successful implementation of IT governance (Moinzad & Akbarzadeh, 2022).
Governance structures refer to how the organizational workflow and operations are governed, such as work arrangement and service types (Zhu et al., 2022). They can be configured as centralized, decentralized, or hybrid based on business requirements (e.g., workflow management, work arrangement, service type). Centralized governance has higher adoption rates (Zhu et al., 2022), but decentralized governance could have faster decision-making (Scott et al., 2019) and better flexibility for innovation (Wieland-Jorna et al., 2023), while hybrid could combine the advantages and disadvantages of both. This indicates that the governance structure should be considered for balancing standardization and customization, which will then result in effective implementation (Esdar et al., 2021; Scott et al., 2019). One challenge in implementing this is a lack of coordination in the early stage, resulting in uncoordinated efforts and investment and a disjointed IT landscape (Hanseth, 2022). Other challenges are the need for strong leadership to maintain the governance structure (Lazuardi et al., 2021; Scott et al., 2019), slow and conservative decision-making that cannot cater to a rapidly changing health environment (e.g., COVID-19; Cousins et al., 2023), cultural and process differences (Heeney et al., 2023), obtaining permission to implement new services (Businger et al., 2020), ensuring information reliability (Pereira de Souza et al., 2021), units that are siloed and differ in maturity (Barnett et al., 2019), and complexity in modeling and breaking down structures (Wautelet, 2019).
Regulatory compliance refers to adherence to laws, regulations, and guidelines that govern healthcare systems. Usually, the organization complies with the national regulations of the country where it operates, which are complex and require medical knowledge (Jain et al., 2023), and compliance will be difficult to maintain without proper IT governance (Alharbi et al., 2022). The challenges are the complexity of standardizing policies, technical frameworks, and quality standards due to strict regulations, but the standardization can have benefits such as reducing the impact of cybersecurity attacks (Choi et al., 2023; Guillemette et al., 2024; Lazuardi et al., 2021). Other challenges in this theme are how to comply with security and risk requirements (Castor et al., 2023), balancing compliance with policies that do not support healthcare innovation (e.g., India does not allow mHealth, but it is needed in the COVID-19 situation; Biasiotto et al., 2023; Pai & Alathur, 2021), and ethical compliance related to patient data and information processing that is used for secondary purposes (e.g., research, clinical audit; Alvarez-Romero et al., 2023).
Risk management refers to identifying, assessing, and mitigating potential risks to IT systems. Implementing new technological solutions or maintaining existing ones carries risks that one should be aware of. The first 3 years of implementation of IT systems are crucial: there are several risks (e.g., cybersecurity attacks, data breach, IT misalignment) that need to be addressed by robust IT governance (Alharbi et al., 2022; Choi et al., 2023), and misalignment in integration could lead to inefficiencies and increased project risk (Moinzad & Akbarzadeh, 2022). The challenge in implementing this is making sure that exchanging data is safe (Choi et al., 2023), including when new technological innovations are implemented (e.g., live medical streaming; Barnett et al., 2019). Other challenges to be aware of are the cohesiveness between new and old technology being implemented (Moinzad & Akbarzadeh, 2022), defining a granular, complex authorization table (Biasiotto et al., 2023), and interpreting all the risks in a model (Tsilionis & Wautelet, 2022).
Process Dimension
The process dimension consists of business-IT alignment, project management, performance and conformance, and change management. The business-IT alignment refers to the strategic coordination and integration of an organization’s business objectives with its IT initiatives, ensuring that technology enhances overall business goals. One major challenge is to ensure alignment, which is crucial for effective IT governance by evaluating new IT services with organizational goals (e.g., business and data needs; Aghakhani et al., 2024; Alvarez-Romero et al., 2023). Another challenge is to align with the clinician’s needs and workflow, as misalignment could lead to resistance to use by clinicians (Scott et al., 2019). There are also challenges when aligning with corporate governance, its continuity beyond business strategies, and re-evaluation (Tsilionis & Wautelet, 2022). Last, the challenge is to define the balance between exploitation and innovation (ambidextrous behavior; Cousins et al., 2023).
Project management refers to coordinating oversight of time, cost, and scope to ensure IT initiatives are delivered on schedule, within budget, and meet defined objectives. It is needed to manage the limited resources that organizations have by prioritizing their use. One of the challenges faced by health facilities is prioritizing the use of resources. It can be handled by defining its structures, for example, an organization with centralized governance is considered more manageable for prioritizing than decentralized governance (Zhu et al., 2022), considering the complexity of resource structure in healthcare. There is also a lack of clear guidelines for implementing and assessing IT governance in healthcare (Aghakhani et al., 2024). Another challenge is the financial ability of firms to implement IT governance (Aghakhani et al., 2024; Ajer & Øvrelid, 2023; Alharbi et al., 2022; Cousins et al., 2023; Ghosh et al., 2023; Jain et al., 2023; Masuda et al., 2019), which includes assessing maturity (Guillemette et al., 2024) and appropriate spending within budget (Moinzad & Akbarzadeh, 2022), considering significant investment in IT (Barnett et al., 2019). The scope and expectations of IT governance consist of multiple dimensions, which need to be realistic and achievable (Businger et al., 2020; Moinzad & Akbarzadeh, 2022). Time is limited; it should be allocated sufficiently to deliver the quality of the defined scope of IT governance implementation while still meeting the budget (Ajer & Øvrelid, 2023; Nsaghurwe et al., 2021).
Performance and conformance refer to collecting, validating, and evaluating organizations and their people to perform and conform to agreed-upon processes and practices that have been established for IT governance. Performance for IT governance is measured by the maturity of management practices that support hospital processes, with the challenge being the process of implementing it (Guillemette et al., 2024). Another challenge to achieving a high maturity level is how to conform the process to the people, to prevent bypassing the governance committee and making decisions outside the established process (Ghosh et al., 2023).
Change management refers to systematically planning, implementing, and guiding organizational changes to ensure the smooth adoption of new technologies, processes, and practices. Effective change management is crucial for IT governance, but hospitals still face challenges in implementing it (Ghosh et al., 2023). One challenge arises when a change in interconnected systems unintentionally triggers a change in another part of the system, causing errors and confusion (Ghosh et al., 2023; Scott et al., 2019). Decision-making should be dynamic and quick to respond during emergencies such as COVID-19 or other outbreaks (Tsilionis & Wautelet, 2022). Change that includes external stakeholders also needs their support; otherwise, it cannot be fulfilled (Heeney et al., 2023).
Relational Mechanisms Dimension
The relational mechanisms dimension consists of relationship management among related stakeholders, lack of trust and resistance to change, and manpower management. Relationship management among related stakeholders refers to fostering effective collaboration and communication between various parties (e.g., different healthcare units, external entities). The challenges include socio-technical complexity in balancing various stakeholders’ interests in adopting common standards and governance structures (Hanseth, 2022). Related stakeholders (e.g., management, medical staff, IT professionals) should also be involved in IT governance processes so that they support and understand the initiatives. Another challenge is fostering continuous collaboration between team members, the IT unit, other healthcare functions, and external stakeholders (e.g., vendors, regulators), even though it is time-consuming and requires aligning terms for mutual understanding (Businger et al., 2020; Castor et al., 2023; Guillemette et al., 2024; Lazuardi et al., 2021; Nsaghurwe et al., 2021).
Lack of trust and resistance to change refer to the reluctance of stakeholders (e.g., healthcare professionals, patients) to adopt new IT solutions because users do not trust the systems, which is related to several factors (e.g., adequacy of technology in meeting their needs, perceived impact on the workflow). The challenges include simplifying the number of systems the organization has and minimizing redundancy in authorization that does not align with workflow optimization goals (Ajer & Øvrelid, 2023). Lack of integrated IT systems contributes to poor communication and mistrust between units or organizations (Banks et al., 2020). Further challenges are the complexity of developing standard systems between units or organizations (Masuda et al., 2019), addressing the needs of the users (Pai & Alathur, 2021), and obtaining consent from related stakeholders whose data is used and stored in the systems (Biasiotto et al., 2023; Wieland-Jorna et al., 2023).
Manpower management refers to recruiting, training, and retaining skilled personnel effectively while ensuring the staff has the necessary expertise. The challenges include a lack of expertise, training, and understanding of IT governance (Alharbi et al., 2022; Pai & Alathur, 2021), which requires continuous education and training of the related stakeholders that directly use the systems, especially for senior clinicians who may find it inconvenient and distracting (Ajer & Øvrelid, 2023). There is also a technical talent shortage due to salaries being lower than in technical roles in other sectors (Nsaghurwe et al., 2021). A further challenge is managing workload between units and organizations by implementing a proper definition of responsibility and accountability, especially when referring patients from one healthcare facility to another (Banks et al., 2020).
Technology Capabilities Dimension
The technology capabilities dimension consists of system reliability, system limitation/flexibility, integration, interoperability, technology standardization, and security & privacy. System reliability refers to the ability of IT systems and technologies to consistently perform their intended functions without failure. The challenge in implementing this is to balance the reliability needs against the timeline of the implementation, which can be delayed (Moinzad & Akbarzadeh, 2022). Another challenge is choosing the right technology that the organization can afford and that is sophisticated enough to support the business function (Pai & Alathur, 2021).
System limitation/flexibility refers to the constraint or adaptability of IT systems in meeting the specific needs and functionalities required. The challenge that relates to IT governance is the complex nature of the healthcare business process (Zhu et al., 2022): system functionalities are often limited, and compatibility is not easy to achieve when implementing new systems (Heeney et al., 2023). IT infrastructure is also limited, especially in remote areas (Lazuardi et al., 2021). The systems should also support modeling of processes unique to healthcare, such as the partograph; otherwise, the staff must enter the data into the systems manually, which is time-consuming, cumbersome, and leads to duplicated effort (Banks et al., 2020).
Integration refers to the process of combining and aligning various digital systems, technologies, and data sources efficiently. Healthcare facilities often struggle when integrating with various IT systems to ensure consistent governance, risk, and compliance (Alharbi et al., 2022; Pereira de Souza et al., 2021), which could lead to a lack of uniformity in operational policies and weak governance. Legacy systems integration is challenging because implementing new standards to already operational systems is not an easy task (Nsaghurwe et al., 2021). Integrating systems is complex, requiring a flexible, agile approach, and a sufficient timeline that requires careful navigation to create impact on the organizational resources (Aghakhani et al., 2024; Castor et al., 2023), which also considers current systems both internally and externally (Ajer & Øvrelid, 2023; Jain et al., 2023). Failure to integrate with legacy systems will result in clinician resistance and operational inefficiencies (Scott et al., 2019). Lack of shared IT systems can hinder integration and effective patient care (Banks et al., 2020).
Interoperability refers to the ability of different digital systems, applications, and technologies to communicate, exchange, and utilize data effectively. IT systems in healthcare are fragmented, with various IT solutions that are not compatible and do not communicate with each other. This has become one of the major challenges to efficient information sharing (Hanseth, 2022; Lazuardi et al., 2021) and could affect the availability of healthcare technology solutions to users (Pai & Alathur, 2021). There is a lack of common standards for computer codification and interoperability (Masuda et al., 2019), with many healthcare facilities still using stand-alone information systems. The inability to transfer health data between systems is considered significant by healthcare providers (Castor et al., 2023).
Technology standardization refers to creating and implementing standard protocols across hardware, software, and communication systems in relation to medical processes or devices. Healthcare facilities that implemented IT solutions long ago usually have local needs that are difficult to reconcile with current standards (Hanseth, 2022), or use custom codes and a non-standard unique patient identifier (Nsaghurwe et al., 2021), while standardization itself keeps evolving toward a unified view of patient care, which increases its complexity (Ghosh et al., 2023). Lack of standardization complicates data exchange, quality, and usability (Wieland-Jorna et al., 2023) and creates gaps in the governance structures (Heeney et al., 2023).
Security & privacy refer to measures and protocols implemented to protect sensitive data from unauthorized access and breaches. The healthcare data stored in healthcare IT systems, including Personally Identifiable Information (PII) and Electronic Protected Health Information (ePHI), is sensitive and requires strict security measures (Jain et al., 2023; Masuda et al., 2019). One of the major challenges is the human factor (e.g., staff, doctors, nurses); even with routine cybersecurity training, people may fail to follow the protocols, which could lead to vulnerabilities that attackers could exploit (Jain et al., 2023). Integration between systems that transmit data over the network could expose sensitive patient data, so it should follow secure communication standards (Castor et al., 2023). Another challenge is complying with the regulations on storing and using data for primary (e.g., operational) or secondary (e.g., research, strategic planning) usage. For example, for secondary usage of PII and ePHI, only the data essential for the specific usage is shared, and the patient data is then anonymized.
Discussions
In this section, we will discuss the synthesized conceptual framework compared to research demographics, and then also map it into the COBIT 2019 framework.
Conceptual Framework and Demographic
For each selected paper, the demographic assessment covers the topic discussed, the place where the study was conducted, and the research methodology. We identified the aspects on which the research focuses; most papers focus on HIT (seven papers) and health data management and governance (six papers). This indicates that many researchers have focused on enabling healthcare business processes through HIT, and on the importance of managing its data and IT use to ensure that its value is delivered to patients. Studies that specifically address healthcare business units’ services (four papers) discuss specific requirements in each knowledge branch, yet all emphasize the importance of interoperability, integration, and patient-centered approaches. For example, respiratory care needs specialized integration between hospital and community providers because it requires ongoing and integrated oversight to manage exacerbations and long-term care effectively (Banks et al., 2020). On the other hand, pediatric care needs to focus on a heterogeneous population and family-centered care, necessitating regulatory and sociotechnical adaptations for effective eHealth use (Castor et al., 2023). With many branches of knowledge, the complexity of implementing digital transformation is also discussed in four papers. These transformations are complex, involving multiple stakeholders such as physicians, medical workers, hospital management, patients, IT vendors, and regulators, who need a highly customizable and strategic approach that accounts for regulatory compliance, IT infrastructure compatibility, and workforce compatibility (Aghakhani et al., 2024; Hanseth, 2022). The remaining papers address care coordination (two papers), which makes sure the outcomes of the digital transformation are delivered to patients, and modeling the business units (two papers) to strategically define IT roles for overall organizational performance.
Most of the selected studies were conducted in more developed countries rather than developing countries. Also, the studies mainly use qualitative methods (including case studies, which are also qualitative). These observations suggest that research on IT implementation in healthcare is still exploratory and needs more confirmatory research.
Mapping Conceptual Framework Into COBIT 2019
There are several frameworks for implementing IT governance in organizations, one of which is COBIT (Control Objectives for Information and Related Technologies), which has evolved from a framework for IT audit assignments into a de facto framework for implementing and assessing the maturity of IT governance practices in organizations (Joshi et al., 2018). The newest version is COBIT 2019, developed by ISACA (Information Systems Audit and Control Association), which has become a well-known industry IT governance framework that consists of best practices for management, control, and assurance of information and related technologies (ISACA, 2018). COBIT development considers other IT standards such as ISO/IEC 38500, Information Technology Infrastructure Library (ITIL), Capability Maturity Model Integration (CMMI), and Committee of Sponsoring Organizations (COSO) Enterprise Risk Management (ERM; ISACA, 2018).
COBIT 2019 is divided into governance and management objectives, which have five domains (ISACA, 2018). The governance objectives have only one domain, Evaluate, Direct, and Monitor (EDM), which evaluates strategic options, directs senior management based on the strategic options, and monitors achievement based on the chosen strategies. The remaining four domains belong to the management objectives: Align, Plan, and Organize (APO) addresses the overall organization, strategy, and supporting activities related to I&T (information & related technologies); Build, Acquire, and Implement (BAI) defines, acquires, and implements I&T solutions and their integration into business processes; Deliver, Service, and Support (DSS) addresses operational delivery and support of I&T; and Monitor, Evaluate, and Assess (MEA) addresses performance monitoring and conformance of I&T with internal targets, control objectives, and external requirements. Out of 40 COBIT 2019 objectives, 17 objectives were mapped to be further prioritized and analyzed within the current challenges of IT governance implementation in healthcare, because in the real-world implementation of COBIT, we should prioritize and choose which objectives could be implemented. A summary of the COBIT 2019 objectives that map to the SLR is displayed in Multimedia Appendix 3. Table 13 displays the analysis of the mapping of challenges to COBIT 2019 objectives, based on the similarities of the definitions and processes given in the guidelines by ISACA (2018).
Mapping Conceptual Framework to COBIT 2019.
Conclusions
The role of IT has become more significant than ever, yet healthcare organizations still struggle to implement reliable IT solutions that provide value to their organizations. To do that, IT governance is considered the most important predictor of the value generated from IT for the business. Frameworks such as COBIT 2019 are also leveraged to guide practitioners with best practices from around the world. However, the COBIT 2019 objectives are too broad, and implementing them will be a waste of resources if they are not prioritized well.
Notable challenges extracted from structure dimensions are a lack of top management support, inadequate governance structures, regulatory complexities, and ineffective risk management. Challenges from the process dimension are difficulties in achieving business-IT alignment, resource management, performance measurement, and change management in a dynamic environment. Challenges from relational mechanisms are the need for enhanced stakeholder collaboration, overcoming resistance to change, and manpower limitations. Technological challenges are to ensure system reliability, feature adequacy, integration, interoperability, and security, especially considerations between legacy and new systems. These challenges that are extracted from this literature review will hopefully help practitioners, researchers, and policymakers with important challenges that need to be prioritized.
Limitations
A limitation of this research is that it includes only empirical studies from other research. The discussion for determining the themes is based only on the authors' judgment, with potential bias, because most of the research papers do not explicitly study COBIT 2019 as their governance framework. Also, the mapping of the themes to COBIT 2019 only considers the definition of each theme and its objectives. The next step of the research should validate the data with practitioners in healthcare to strengthen the findings of this review paper and further implement the solution with a case study.
Footnotes
Appendix 1
MMAT Assessment.
Scale (inclusive):
0 to 1.9 = Low
2 to 3.9 = Medium
4 to 5 = High
Only high-quality papers will be included in the synthesis.
Appendix 2
Research Paper Database Sources.
| Journal/Conference | Database | Article(s) | Journal/conference rating |
|---|---|---|---|
| Australian Health Review | ProQuest | Barnett et al. (2019), Scott et al. (2019) | 2019: Q2 (0.566) |
| BMC Medical Informatics and Decision Making | ProQuest | Nsaghurwe et al. (2021), Heeney et al. (2023) | 2021: Q2 (0.833); 2023: Q1 (1.022) |
| BMJ Open | Scopus | Banks et al. (2020) | 2020: Q1 (1.132) |
| Enterprise Information Systems | Taylor & Francis | Aghakhani et al. (2024) | 2024: Q1 (0.888) |
| Health Research Policy and Systems | Scopus | Alvarez-Romero et al. (2023) | 2023: Q1 (1.563) |
| Health Science Report | Others | Moinzad and Akbarzadeh (2022) | 2022: Q2 (0.543) |
| Health Service Insights | ProQuest | Ajer and Øvrelid (2023) | 2023: Q1 (0.922) |
| Health Systems | Taylor & Francis | Guillemette et al. (2024) | 2024: Q3 (0.377) |
| Historical Social Research / Historische Sozialforschung | JSTOR | Hanseth (2022) | 2022: Q3 (0.22) |
| Information and Software Technology | ScienceDirect | Tsilionis and Wautelet (2022) | 2022: Q1 (1.182) |
| International Journal of Advanced Computer Science and Applications | ProQuest | Alharbi et al. (2022) | 2022: Q3 (0.258) |
| International Journal of Health Governance | Scopus | Pai and Alathur (2021) | 2023: Q3 (0.354) |
| International Journal of Medical Informatics | ScienceDirect | Choi et al. (2023), Cousins et al. (2023) | 2023: Q1 (1.11) |
| JMIR Medical Informatics | ProQuest | Esdar et al. (2021) | 2021: Q2 (0.805) |
| JMIR Pediatrics and Parenting | ProQuest | Castor et al. (2023) | 2022: Q2 (0.801) |
| Journal of Computer Information Systems | Taylor & Francis | Ghosh et al. (2023) | 2023: Q2 (0.778) |
| Journal of Knowledge Management | ProQuest | Pereira de Souza et al. (2021) | 2020: Q1 (1.841) |
| Journal of Medical Internet Research | Others | Zhu et al. (2022) | 2022: Q1 (1.992) |
| Journal of Organizational Computing and Electronic Commerce | Taylor & Francis | Jain et al. (2023) | 2023: Q2 (0.523) |
| Journal of the American Medical Informatics Association | Scopus | Businger et al. (2020) | 2020: Q1 (1.614) |
| The Journal of Systems and Software | ScienceDirect | Wautelet (2019) | 2019: Q1 (0.772) |
| Americas Conference on Information Systems | Scopus | Masuda et al. (2019) | A |
| International Conference on Business Information Systems | Scopus | Lazuardi et al. (2021) | N/A |
| Total Articles | | 26 | |
Appendix 3
Descriptions of Related COBIT 2019 Objectives (Summarized from: COBIT 2019 Guidelines).
| Objective name | Description | Practice example | Related theme |
|---|---|---|---|
| EDM01 – Ensure Governance Framework | Analyze and articulate the requirements for I&T governance. Develop and maintain governance components with clarity of authority and responsibilities to achieve enterprise mission, goals, and objectives. | Evaluate, direct, and monitor the governance systems. | • Top Management Influences (Structure) |
| EDM02 – Ensure Benefits Delivery | Optimize the business value from investment in business process, I&T services, and I&T assets. | Establish investment target. Then, evaluate, direct, and monitor value optimization. | • Business-IT Alignment (Process) |
| APO01 – Managed I&T Management Framework | Design the management system for enterprise I&T based on enterprise goals and other design factors. Implement all required components of the management systems based on the design. | Design, communicate, and implement the management systems and process. Define and implement organizational structure, roles and responsibilities, policies and procedures, infrastructure, services, and applications. Optimize IT function and manage continual improvement of IT. | • Governance Structures |
| APO03 – Managed Enterprise Architecture | Establish a common architecture consisting of business process, information, data, application, and technology architecture layers. Develop key models and practices that describe a target architecture that is in line with the enterprise and I&T strategy. Define requirements for taxonomy, standards, guidelines, procedures, templates, and tools, then provide linkage on those components. | Develop vision, define reference architecture, select opportunities and solutions, define architecture implementation, and provide enterprise architecture services. | • Integration (Technology) |
| APO07 – Managed Human Resources | Provide a structured approach to ensure optimal recruitment/acquisition, planning, evaluation, and development of human resources (both internal and external). | Acquire and maintain staffing. Identify key IT personnel. Maintain skills and competencies. Recognize/reward job performance. Plan, track, and manage human resources. | • Manpower Management (Relational Mechanisms) |
| APO08 – Managed Relationships | Manage relationships with business stakeholders in a formalized and transparent way that ensures mutual benefits and trust, with open and transparent communication, to focus on achieving the strategic goals within the constraints of budgets and risk tolerance. | Understand business expectations, align I&T strategy with business and identify opportunities. Manage business relationships. Coordinate and communicate. Provide input for continual service improvement. | • Relationship Management Among Related Stakeholders/ Collaboration (Relational Mechanisms) |
| APO12 – Managed Risk | Continually identify, assess, and reduce I&T related risk within tolerance levels set by enterprise executive management. | Collect, analyze, maintain, articulate, define action portfolio, and respond to risks. | • Risk Management (Structure) |
| APO13 – Managed Security | Define, operate, and monitor a system for information security and privacy management. | Establish, maintain, and monitor information security management systems. Define and manage an information security risk treatment plan. | • Security and Privacy (Technology) |
| BAI03 – Managed Solutions Identification and Build | Establish and maintain identified products and services (technology, business processes and workflows) in line with enterprise requirements (incl. design, development, procurement/sourcing and partnering with vendors). Manage configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and services. | Design, develop or procure or build, test, execute, and maintain solutions. Manage change and improvements. | • System Limitation/ Flexibility (Features) (Technology) |
| BAI05 – Managed Organizational Change | Maximize the likelihood of successfully implementing sustainable enterprisewide organizational change quickly and with reduced risk. | Establish desire to change. Form team. Communicate vision. Empower role players. Enable operation and use. Embed new approaches. Sustain changes. | • Lack of Trust and Resistance to Change (Relational Mechanisms) |
| BAI06 – Managed IT Change | Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure, and documentation. | Evaluate, prioritize, and authorize change request. Manage emergency changes. Track and report change status. Close and document changes. | • Change Management (Process) |
| BAI09 – Managed Services Agreements | Defining, establishing, and managing service level agreements (SLAs) with internal and external service providers to ensure that IT services meet business requirements for performance, availability, reliability, and support. | Develop an SLA that defines system uptime requirements (e.g., 99.9% availability), maximum acceptable downtime, response time for critical issues, and performance targets (e.g., page load time for clinical users). | • System Reliability |
| BAI11 – Managed Projects | Manage all projects that are initiated within the enterprise in alignment with enterprise strategy and in a coordinated way based on the standard project management approach. Initiate, plan, control and execute projects, and close with a post-implementation review. | Maintain standard approach for project. Initiate a project. Manage stakeholder engagement. Develop and maintain project plan. Manage project quality, risk, resources, and work packages. Monitor and control project. Close a project or do an iteration. | • Project Management (Time/Cost/Scope) |
| MEA01 – Managed Performance and Conformance | Collect, validate and evaluate enterprise and alignment goals and metrics. Monitor that processes and practices are performing against agreed performance and conformance goals and metrics. Provide reporting that is systematic and timely. | Establish monitoring approach. Set performance and conformance target. Collect, process, and analyze the data. Ensure to implement corrective actions. | • Performance and Conformance (Process) |
| MEA03 – Managed Compliance with External Requirements | Evaluate that I&T processes and I&T-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with; integrate IT compliance with overall enterprise compliance. | Identify external compliance requirements. Optimize response to external compliance. Confirm and obtain assurance of external compliance. | • Regulatory Compliance (Structure) |
Ethical Considerations
Not applicable.
Author Contributions
Ibad Rahadian Saladdin: Conceptualization, Data curation, Formal analysis, Writing – original draft. Putu Wuri Handayani: Conceptualization, Funding acquisition, Methodology, Supervision, Validation, Writing – review & editing.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: We want to thank the Faculty of Computer Science, Universitas Indonesia for the internal publication research grant No. NKB-19/UN2.F11.D/HKP.05.00/2025.
Declaration of Conflicting Interests
The author(s) declared the following potential conflicts of interest with respect to the research, authorship, and/or publication of this article: The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Data Availability Statement
Share upon reasonable request – The data will be available upon request.
