Abstract Background Virtual reality (VR) is a type of extended reality (XR) technology that is seeing increasing adoption in health care. There is robust evidence articulating how consumer-grade VR presents significant cybersecurity and privacy risks due to the often ubiquitous and wide range of data collection and user monitoring, as well as the unique user impact of attacks due to the immersive nature of the technology. However, little is known about how these risks translate in the use of VR systems in health care settings. Objective The objective of this scoping review is to identify potential cybersecurity risks associated with clinical XR systems, with a focus on VR, and potential mitigations for them. Methods The scoping review followed the PRISMA-ScR (Preferred Reporting Items for Systematic reviews and Meta-Analyses extension for Scoping Reviews), and publications were reviewed using Covidence software. The Google Scholar database was searched using the predefined search terms. The inclusion criteria of the articles were restricted to relevant primary studies published from 2017 to 2024. Furthermore, reviews, abstracts, viewpoints, opinion pieces, and low-quality studies were excluded. Additionally, data on publication statistics, topic, technology, cyber threats, and risk mitigation were extracted. These data were synthesized and analyzed using the STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) framework, enterprise risk management framework, and National Institute of Standards and Technology Cybersecurity Framework, as well as developing threat taxonomies. Results Google Scholar returned 482 articles that matched the search criteria. After title and abstract screening, 53 studies were extracted for a full-text review, of which 29 were included for analysis. Of these, the majority were published in the last 4 years and had a focus on VR. The greatest cyber threat identified to XR components was information disclosure followed by tampering when mapped against the STRIDE framework. The majority of risk mitigation strategies provide confidentiality and integrity and can potentially address these threats. Only 3 of 29 papers mention XR in the context of health care and none of the identified threats or mitigations have been studied in a clinical setting. Conclusions This scoping review identified privacy threats where personal and health-related data may be inferred from VR usage data, potentially breaching confidentiality, as the most significant threat posited for health care VR systems. Additionally, immersive manipulation threats were highlighted, which could potentially risk user safety when launched from a compromised VR system. Many potential mitigations were identified for these threats, but these mitigations must first be assessed for their effectiveness and suitability for health care services. Furthermore, health care services should consider the usage and governance of XR for each individual application based on risk threshold and perceived benefits. Finally, it is also important to note that this scoping review was limited by the quality and scope of the studies returned by Google Scholar.
Read full abstract