Security and Privacy for mHealth and uHealth Systems: a Systematic Mapping Study

TL;DR

This systematic mapping study reviews 365 research papers on security and privacy in mHealth and uHealth systems, highlighting current focus areas, gaps, and the need for practical validation to enhance real-world adoption.

Contribution

The paper provides a comprehensive classification and evaluation of existing research on security and privacy in m/uHealth, identifying under-explored areas and emphasizing the need for empirical validation.

Findings

Research mainly focuses on access control, authentication, and privacy authorization.

Data governance and policy-related research are under-represented.

Most proposed solutions lack real-world validation.

Abstract

An increased adoption of mobile health (mHealth) and ubiquitous health (uHealth) systems empower users with handheld devices and embedded sensors for a broad range of healthcare services. However, m/uHealth systems face significant challenges related to data security and privacy that must be addressed to increase the pervasiveness of such systems. This study aims to systematically identify, classify, compare, and evaluate state-of-the-art on security and privacy of m/uHealth systems. We conducted a systematic mapping study (SMS) based on 365 qualitatively selected studies to (i) classify the types, frequency, and demography of published research and (ii) synthesize and categorize research themes, (iii) recurring challenges, (iv) prominent solutions (i.e., research outcomes) and their (v) reported evaluations (i.e., practical validations). Results suggest that the existing research on security and privacy of m/uHealth systems primarily focuses on select group of control families (compliant with NIST800-53), protection of systems and information, access control, authentication, individual participation, and privacy authorisation. In contrast, areas of data governance, security and privacy policies, and program management are under-represented, although these are critical to most of the organizations that employ m/uHealth systems. Most research proposes new solutions with limited validation, reflecting a lack of evaluation of security and privacy of m/uHealth in the real world. Empirical research, development, and validation of m/uHealth security and privacy is still incipient, which may discourage practitioners from readily adopting solutions from the literature. This SMS facilitates knowledge transfer, enabling researchers and practitioners to engineer security and privacy for emerging and next generation of m/uHealth systems.