BACKGROUND
Virtual reality (VR) is a type of extended reality (XR) technology increasingly used by rehabilitation practitioners to support rehabilitation following illness or injury that affects the upper limbs. There is robust evidence articulating how consumer-grade VR presents significant cyber security implications, such as security and privacy risks with software and hardware interfaces and use of cameras. However, little is known about how these risks translate to the use of VR systems in healthcare settings. The objective of this review is to identify cyber security risks associated with clinical VR systems, and to develop guidance for health informatics and rehabilitation practitioners to support the safe use of VR in healthcare.
OBJECTIVE
This scoping review aims to identify cyber security and privacy risks to XR technologies and components, including threats, attacks and attackers, with a focus on VR. Furthermore, we aim to understand how these risks can be mitigated in a clinical XR environment, in particular a VR environment, by understanding the unique concerns for a healthcare setting and identifying relevant technologies, frameworks and strategies to mitigate these risks.
METHODS
A scoping review of the literature performed in one database (Google Scholar) identified 482 articles from the years 2017 to 2024. After abstract screening, 53 studies were extracted for a full-text review, of which 29 were included in the analysis. The review followed the PRISMA extension for Scoping Reviews, and publications were reviewed using the Covidence software. Data on technology, cyber threats and risk mitigation were extracted.
RESULTS
Of the included studies, 79% were published between 2020 and 2023, and 55% focused on VR. The majority identified a privacy threat, a mitigation strategy, or both (26 papers, 90%). 90% of the XR components investigated were head-mounted display (HMD) devices, and the greatest cyber threat identified for these components was information disclosure (76%). Risk mitigation strategies were mapped against the National Institute of Standards and Technology (NIST) Cybersecurity Framework, where 62% of studies identified a preventative mitigation strategy (18/29). The least established cyber security function for XR systems was recovery after a cyber security incident, with only one potential strategy.
CONCLUSIONS
Findings were mapped against an enterprise risk management (ERM) model to contextualise cyber security risks for healthcare organisations. The most significant threats posited for a healthcare VR system were privacy threats, which can disclose personal data from which medical-related data may be inferred, and immersive manipulation threats, which can impact user safety. Many potential mitigation strategies were identified for all types of threats, but none have been implemented beyond a proof-of-concept. None of the threats or mitigations have been studied in a healthcare context, which requires further research.