Mitigating virtual reality cyber risks in healthcare

As virtual and mixed reality technologies become integral to healthcare, understanding their cybersecurity vulnerabilities is crucial.
By admin
Jun 5, 2024, 10:55 AM

You put on your VR headset for stroke therapy. The next thing you learn is that bad actors have captured data and images from your therapeutic journey into extended reality.  

Is this a scene from a movie with bad ratings on Rotten Tomatoes? Unfortunately, in the new world of IoMT (Internet of Medical Things), this possibility has become a reality (no pun intended).

Virtual reality (VR) and mixed reality (MR) in healthcare are no longer just emerging technologies. Extended reality (XR), the umbrella term for both, has shown significant benefits, such as enhanced surgical training, therapy for mental health conditions, and patient education.

However, they also introduce several cybersecurity risks that must be addressed to protect patient data, ensure system integrity, reinforce patient safety, and maintain trust in healthcare providers.   

Here are some of the primary cybersecurity risks associated with XR in healthcare:  

Data privacy and confidentiality

  • Personal health information (PHI) exposure: VR systems can collect and process sensitive health data, which must be protected under regulations like HIPAA in the United States. Unauthorized access to VR systems could lead to breaches of PHI. 
  • User data collection: VR applications often collect extensive data about users, including biometric data, which could be exploited if not properly secured. 

Device and network security

  • Device vulnerabilities: VR headsets and other related hardware may have security flaws that can be exploited by attackers to gain unauthorized access. 
  • Network attacks: Since VR systems often rely on network connectivity for data transmission, they are susceptible to network-based attacks such as man-in-the-middle (MitM), denial of service (DoS), and data interception. 

Software security

  • Application security: VR applications may contain vulnerabilities that can be exploited by cybercriminals to gain control over the system or to extract sensitive information. 
  • Patching and updates: Regular software updates are crucial for security, but ensuring all VR devices and applications are up-to-date can be challenging in a healthcare setting. 

User authentication and authorization

  • Weak authentication: Inadequate authentication mechanisms can lead to unauthorized access to VR systems. Ensuring robust user authentication (e.g., multi-factor authentication) is vital.
  • Authorization controls: Proper access controls must be implemented to ensure that only authorized personnel can access sensitive data and functionalities within the VR systems. 

Physical security

  • Device theft or loss: VR devices, being portable, can be easily stolen or lost, leading to potential data breaches if the devices are not encrypted or otherwise secured. 
  • Environmental controls: Ensuring the physical environment where VR systems are used is secure from unauthorized access is also important. 

Integration with other systems

  • Interoperability risks: VR systems often need to integrate with other healthcare information systems (e.g., electronic health records (EHRs)), creating additional attack surfaces. 
  • Data integrity: Ensuring the integrity of data as it is transferred between VR systems and other healthcare systems is crucial to prevent tampering or corruption. 

Human factors

  • User training: Lack of proper training for healthcare professionals using VR can lead to security lapses, such as falling for phishing attacks or misusing devices. 
  • Insider threats: Employees or contractors with legitimate access to VR systems could potentially misuse them, either maliciously or unintentionally. 

Mitigation strategies

  • Encryption: Encrypt data both at rest and in transit to protect sensitive information from unauthorized access. 
  • Access controls: Implement strict access control measures and ensure that users have the minimum necessary access to perform their duties. 
  • Security awareness training: Educate healthcare professionals about cybersecurity best practices and the specific risks associated with VR technology. 
  • Incident response plan: Develop and maintain an incident response plan to quickly address any security breaches or incidents. 

VR governance

For all the reasons mentioned above, governing VR deployment can be tricky, since it spans some of the most advanced technology deployments in the enterprise.

By addressing these cybersecurity risks, healthcare organizations can better protect their VR systems and the sensitive data they handle, ensuring that the benefits of VR technology can be fully realized in improving patient safety and outcomes.  
