Review

The Network and Information Systems 2 Directive: Toward Scalable Cyber Risk Management in the Remote Patient Monitoring Domain: A Systematic Review

School of Computing & Communications, The Open University, Walton Hall, Milton Keynes MK7 6AA, UK
* Author to whom correspondence should be addressed.
Submission received: 9 December 2025 / Revised: 19 January 2026 / Accepted: 23 January 2026 / Published: 29 January 2026
(This article belongs to the Topic Applications of IoT in Multidisciplinary Areas)

Abstract

Healthcare 5.0 and the Internet of Medical Things (IoMT) are emerging as a scalable model for the delivery of customised healthcare and chronic disease management, through Remote Patient Monitoring (RPM) in patient smart home environments. Large-scale RPM initiatives are being rolled out by healthcare providers (HCPs); however, the constrained nature of IoMT devices and proximity to poorly administered smart home technologies create a cyber risk for highly personalised patient data. The recent Network and Information Systems (NIS 2) directive requires HCPs to improve their cyber risk management approaches, mandating heavy penalties for non-compliance. Current research into cyber risk management in smart home-based RPM does not address scalability. This research examines scalability through the lens of the Non-adoption, Abandonment, Scale-up, Spread and Sustainability (NASSS) framework and develops a novel Scalability Index (SI), informed by a PRISMA guided systematic literature review. Our search strategy identified 57 studies across major databases including ACM, IEEE, MDPI, Elsevier, and Springer, authored between January 2016 and March 2025 (final search 21 March 2025), which focussed on cyber security risk management in the RPM context. Studies focussing solely on healthcare institutional settings were excluded. To mitigate bias, a sample of the papers (30/57) was assessed by two other raters, and the resulting Cohen’s Kappa inter-rater agreement statistic (0.8) indicated strong agreement on study selection. The results, presented in graphical and tabular format, provide evidence that most cyber risk approaches do not consider scalability from the HCP perspective. Applying the SI to the 57 studies in our review resulted in a low to medium scalability potential of most cyber risk management proposals, indicating that they would not support the requirements of NIS 2 in the RPM context. A limitation of our work is that it was not tested in a live large-scale setting. However, future research could validate the proposed SI, providing guidance for researchers and practitioners in enhancing cyber risk management of large-scale RPM initiatives.

Graphical Abstract

1. Introduction

The current healthcare landscape is dominated by the increased use of IoT and Internet of Medical Things (IoMT) technology to aid in the provision of more efficient and patient-centred care in the patient home environment [1]. IoMT platforms, using implantable and wearable sensor devices, provide Remote Patient Monitoring (RPM) of chronic disease, ageing, and mental health conditions, among others [2]. However, the interconnectedness of the IoMT platforms and the constraints of the IoMT sensor technologies introduce significant cyber risks for both the patient and the health service ecosystem in general. Primary patient data, which are compromised through cyber-attacks, could lead to incorrect decisions by clinicians analysing compromised data, resulting in subsequent life-threatening implications for the patient [3]. Moreover, leakage of patient Personally Identifiable Information (PII) to public forums, in breach of regulatory requirements, has severe financial, reputational, and legal implications for the HCP. Healthcare data, according to the authors in ref. [4], are the largest target of cyber criminals in the USA compared to industrial or financial institutions. This is also borne out by ENISA (the European Union Agency for Cybersecurity), which in their 2023 report identified 53% of all cyber incidents as relating to healthcare providers, with patient data accounting for 30% of all targeted assets [5] (p. 3). Furthermore, the report highlights the disruptions to healthcare services resulting from cyber-attacks, which include cancellation of operations, slower patient admissions, rerouting of patients to other hospitals, and inefficiencies in treating patients because IT systems are not functioning properly [5] (p. 25). The ENISA report highlights a major future challenge for the healthcare sector as being attacks on health data using IoMT devices and wearables as the attack vector [5] (p. 32).
Researchers have also referenced what they term “health-adjacent IoT”; that is, IoT-based technology which exists in the same smart environment as healthcare IoT or IoMT. Thomasian et al., in ref. [6], point to the rise in smart environments, with poorly secured IoT devices, offering potential hackers access to credential information and subsequent lateral movement through the smart ecosystem. A typical example of such an environment is the smart home, employing IoT-based monitoring and control of home functions such as heating, lighting, security, and entertainment, which improves the comfort and convenience of the occupants [7]. The authors here argue that these IoT systems are capable of auto-organising, sharing data and resources, and acting and reacting to environmental changes with or without human intervention. This poses a security and privacy risk to the occupants’ data, if compromised. According to Statista, smart home penetration in Europe at 77.9% in 2025 is forecast to increase to 96.8% by 2029 [8]. This would point to increasing cyber risk for Remote Patient Monitoring in the smart home.
HCP organisations, driven by government strategies which mandate improved quality, efficiency, and efficacy of patient care, are increasingly turning toward RPM/IoMT platforms as a method of care delivery [1,2]. This increases the scale of RPM, both in terms of the clinical parameters which can be measured (vertical scaling) and the numbers of patients who are being monitored in this way (horizontal scaling). NHS England provides examples of 2450 people with COPD supported across primary care networks in Yorkshire and 5500 patients with multiple conditions including COPD, heart failure, type 2 diabetes and COVID-19, supported in the Cheshire and Merseyside areas of the UK [2]. Given the current rates of smart home penetration (78%) identified in ref. [8], many of the NHS RPM initiatives are taking place in smart homes in proximity to poorly secured health-adjacent IoT, greatly increasing the cyber-attack surface for healthcare providers. HCPs, classed as essential and important entities by the Network and Information Systems (NIS 2) directive, are obliged to maintain the security and privacy of patient data and improve overall cyber resilience in their areas of responsibility, which now include the scaled-up RPM context [9,10]. A key issue for HCPs therefore is how to maintain and improve cyber resilience in the RPM context, given the increasing scale of RPM, which is taking place for the most part in poorly secured smart homes.
Cyber resilience is described in refs. [11,12] as the ability to detect, prevent, and recover from cyber incidents. Segovia-Ferreira et al., in ref. [13], and Scala et al., in ref. [14], link cyber risk management with cyber resilience, highlighting the difference between evaluating risk at individual component level and the cascading effect on cyber risk due to inter-component dependencies as a system scales up. Therefore, as the RPM ecosystem scales up, the level of cyber risk may scale non-linearly given the increased interconnectedness of the RPM environment. The NIS 2 legislation also identifies cyber risk management as a key component of cyber resilience, asserting that “…essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services…” [9] (Article 21, para 1).
An emerging issue therefore is how HCPs can be confident that their cyber risk management process scales as RPM initiatives scale up. Indeed, is there a level of scale up beyond which it may be dangerous for an RPM initiative to scale to, given the increased level of cyber risk? How could we evaluate a cyber risk management proposal for the RPM context from the point of view of scalability? Does cyber risk scale linearly or exponentially? These are difficult questions, but relevant to the HCP in the context of NIS 2. The aim of this research, in an effort to narrow this problem space, is to attempt to understand the scalability of cyber risk management as an element which impacts cyber resilience in the scaled-up RPM context.
Cyber risk is defined in terms of the likelihood of vulnerability in an asset being exploited by a threat, multiplied by the impact of that event [4]. The authors point out that the core elements of cyber risk management include risk assessment of information assets, and risk treatment for those risks which are deemed to be above the risk threshold for the organisation [4] (p. 5). In the RPM context of the patient’s smart home, the level of cyber risk management must be such that each patient is adequately protected irrespective of the scale of the overall RPM initiative. Moreover, as the numbers of patients involved in RPM initiatives scale up, it is important that HCP organisations remain compliant with NIS 2 from a cyber resilience perspective.
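As an added illustration (not from the paper) of the likelihood × impact definition above and of the cascading effect of inter-component dependencies raised earlier in this section, the following Python model builds a risk register for a constructed version of the Figure 1 patient smart home, propagates compromise along assumed dependencies (smart TV to home router to RPM app to monitoring devices), flags assets above an assumed treatment threshold, and shows how per-patient risk rises as more homes share one platform provider portal. All asset names, likelihood and impact values, the independence assumption, and the assumption that each enrolled patient account is an independent entry point to the portal are constructed for this example.

```python
"""Illustrative cyber risk register for an RPM patient smart home.

Added example, not the paper's own method. Risk = likelihood x impact per
asset; assets whose risk exceeds the organisation's threshold need treatment.
Dependency edges model the cascading effect of inter-component compromise.
Every number below is a constructed sample value.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    likelihood: float   # probability the asset is exploited directly (0..1), constructed
    impact: float       # consequence of compromise on a 1..5 scale, constructed
    depends_on: list[str] = field(default_factory=list)  # upstream assets whose compromise cascades here


def effective_likelihood(assets: dict[str, Asset], name: str, seen=frozenset()) -> float:
    """Probability the asset is compromised directly or via any upstream dependency.

    Assumes compromise events are independent, so P(safe) is the product of the
    per-path survival probabilities. `seen` breaks dependency cycles.
    """
    asset = assets[name]
    if name in seen:
        return asset.likelihood
    p_safe = 1.0 - asset.likelihood
    for dep in asset.depends_on:
        p_safe *= 1.0 - effective_likelihood(assets, dep, seen | {name})
    return 1.0 - p_safe


def risk_register(assets: dict[str, Asset], threshold: float) -> dict:
    """Return {asset: (inherent_risk, cascaded_risk, needs_treatment)}.

    Inherent risk ignores dependencies; cascaded risk uses the effective
    likelihood. Treatment is decided on the cascaded figure.
    """
    register = {}
    for name, a in assets.items():
        inherent = a.likelihood * a.impact
        cascaded = effective_likelihood(assets, name) * a.impact
        register[name] = (round(inherent, 4), round(cascaded, 4), cascaded > threshold)
    return register


def smart_home_assets(n_patients: int = 1, account_likelihood: float = 0.001) -> dict[str, Asset]:
    """Constructed asset graph for one patient home plus the shared PP cloud portal.

    Assumption: every enrolled patient account is an independent entry point to
    the portal, so the portal's exploitation likelihood grows with n_patients.
    """
    portal_l = 1.0 - (1.0 - account_likelihood) ** n_patients
    return {
        "smart_tv":        Asset("smart_tv", 0.30, 1),
        "home_router":     Asset("home_router", 0.10, 2, ["smart_tv"]),
        "pp_portal":       Asset("pp_portal", portal_l, 5),
        "rpm_app":         Asset("rpm_app", 0.05, 4, ["home_router", "pp_portal"]),
        "pulse_oximeter":  Asset("pulse_oximeter", 0.02, 3, ["rpm_app"]),
        "glucose_monitor": Asset("glucose_monitor", 0.02, 5, ["rpm_app"]),
    }


def per_patient_risk(n_patients: int, threshold: float = 1.0, account_likelihood: float = 0.001) -> float:
    """Total cascaded risk across n homes sharing one portal, divided by n."""
    reg = risk_register(smart_home_assets(n_patients, account_likelihood), threshold)
    portal = reg["pp_portal"][1]
    home = sum(r[1] for k, r in reg.items() if k != "pp_portal")
    return (n_patients * home + portal) / n_patients


if __name__ == "__main__":
    for name, (inh, casc, treat) in risk_register(smart_home_assets(), 1.0).items():
        print(f"{name:16} inherent={inh:6.3f} cascaded={casc:6.3f} treat={treat}")
    for n in (1, 100, 1000):
        print(f"{n:5d} patients: per-patient risk {per_patient_risk(n):.3f}")
```

In the constructed home, the RPM app and both monitoring devices sit below the threshold on inherent risk but above it once the smart TV to router path is counted, which is the difference between component-level and system-level assessment that the review draws attention to.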
Researchers in refs. [14,15,16], who have examined cyber risk management in the RPM context have focussed on a regulatory approach involving the National Institute for Standards and Technology Cybersecurity Framework (NIST CSF) [17], and the International Organisation for Standardisation (ISO) 27001 standard [18]. These strategies include fine-grained cyber risk assessment and risk mitigation approaches which adequately address cyber risk management in an organisational context. Within the bounds of an organisation, all aspects of information technology fall within the jurisdiction of the organisation. Cyber risk can be assessed and mitigating controls can be applied, tweaked, and audited as part of the organisational risk management policy. However, attempting to apply fine-grained controls in the private space of the patient home and carrying out subsequent audits is problematic on several levels. Firstly, auditors cannot demand access to an individual’s home to accurately assess aspects of cyber risk management. Moreover, with the increase in scale of RPM initiatives, HCP and third-party platform providers do not have the resources to individually apply or audit these controls across thousands (or tens of thousands) of individual installations. Finally, placing a high degree of trust in the ability of the patients themselves to implement and enforce cyber controls in their own environment is problematic. Applying the Unified Theory of Acceptance and Use of Technology (UTAUT), proposed by Venkatesh et al. in ref. [19], consumer ability and willingness to adopt particular aspects of technology (of which cyber risk management is one) is motivated in part by effort expectancy, performance expectancy, and facilitating conditions, and mediated by gender, age, and experience. With patients, there is the added complication of a health condition which Greenhalgh et al. in ref. [20] considered in attempting to identify the factors which influence the uptake of patient-facing technologies. The research developed the Non-adoption, Abandonment, Scale-Up, Spread, and Sustainability (NASSS) framework which argues that patients adopt technology features which are low in complexity and therefore easy to implement and understand. This leads to higher and more sustainable adoption rates among a particular patient cohort.
Other researchers chose to focus on specific threat and impact modelling approaches in the RPM context using qualitative tools such as STRIDE and DREAD and mitigated these threats through security mechanisms: encryption, authentication, and access control [21,22]. However, to effectively model risk at a patient site, access to the patient environment is required, and specific expertise, which would be well beyond the capability of most patients, is required for the risk assessment process.
Researchers also attempted to incorporate Artificial Intelligence (AI) and Machine Learning (ML) into risk management approaches to track data anomalies and quantify risk [23,24]. There are several advantages in using AI and ML, primarily the potential to automate risk management processes, particularly intrusion and incident detection and data integrity checking. This could be achieved through analyses, at the level of the individual patient, without needing physical access to the patient’s home. This would have enormous advantages in relation to scaling, as resource requirements would be minimal. However, the constrained nature of RPM technology, particularly at the sensor level, means that the compute intensive features of AI and ML are not practicable in this situation. Moreover, monitoring device heterogeneity (arising from different manufacturing processes), again at the sensor level, requires different versions of the AI and ML algorithms to be effective and creates patching and updating problems for platform providers (PPs).
A research gap emerges around cyber risk management in the increasingly scaled-up RPM context which we formally pose as our research question (RQ):
  • How can the scalability of cyber security risk management approaches be assessed in the RPM context of the patient smart home?
This is important from the point of view of the NIS 2 regulation which mandates that HCPs, who have ultimate responsibility for cyber security in all aspects of their services, including RPM, increase their cyber resilience within their domain. Previous literature reviews have examined cyber risk management in the RPM context from a process and functional perspective and have made valuable contributions in this field. For example, Segovia-Ferreira et al. in ref. [13] deal with approaches to cyber risk management of sensor devices but do not address RPM in the smart home context. Alegría et al. in ref. [25] attempt to assess the effectiveness and security quality of ISO 27001 controls in an IoMT context but also fail to address these elements in the smart home context. Talal et al. in ref. [26] identify cyber risks with real-time health monitoring in an individual smart home as being device authentication, software updates, user competencies, and sensor network vulnerabilities. However, the researchers do not address risk assessment and mitigation at scale in the RPM environment of the smart home.
To operationalise our research question around the assessment of cyber security risk management scalability, we develop two research objectives: the first (RO1) focusses on identifying the elements which impact scalability and the second (RO2) on quantifying the scalability potential of a cyber risk management approach. Our methodology employs a systematic literature review conducted through the lens of the NASSS framework to provide the supporting data for these research objectives, ultimately answering our research question. RO1 and RO2 are formally stated as follows:
  • (RO1) Identify those elements of cyber risk management approaches to RPM which would support its scalability in the smart home context.
  • (RO2) Develop a Scalability Index (SI) by which practitioners and researchers could assess the potential scalability of a cyber risk management approach in the RPM smart home context.
The remainder of the paper is structured as follows: Section 2 develops the background to RPM, NIS 2, and the NASSS framework; Section 3 deals with the systematic literature review (SLR) methodology and the Preferred Reporting Items for Systematic Reviews and Meta-Analysis (PRISMA) protocol; Section 4 presents the results of the SLR and analysis aligned with the research objectives; Section 5, through a deeper discussion in relation to the findings, explores our novel approach to assessing the scalability of cyber risk management approaches in the RPM context; Section 6 concludes with a summary of the overall research approach, the findings, and possible future research directions which would build upon this work.

2. Background and Context

2.1. Smart Healthcare and Scalability

The smart paradigm refers to the use of technologies which provide digital connectivity and enhanced services to users through technology elements including Internet of Things (IoT), cloud services, data analytics, Artificial Intelligence (AI), and 4G/5G and beyond communications [27]. The paradigm has permeated all areas of work and life, giving rise to terms such as smart factories, smart transport, smart homes, and most recently smart healthcare or Healthcare 5.0.
Healthcare 5.0, with similar goals to Industry 5.0, seeks to make healthcare more resilient and sustainable, focussed on preventative models of care, with more individualised medications and interventions, through the increased use of AI, IoMT, nano and 5G/6G technologies [28]. In this context, patients are remotely monitored in their own homes and environments through IoT connected wearable, implantable, and ambient devices, referred to as perception layer devices in the Internet of Medical Things (IoMT) [20,25,29]. These devices, usually paired with smartphone apps, capture and transmit vital patient parameters (blood oxygen levels, blood pressure, respiration rate, heart rate, etc.) through local and wide area network infrastructure (the network layer) to cloud servers (cloud/platform layer) which make the data available through an application layer to supervising clinicians at remote health centres. Because of the small form factor requirement, allowing the patient comfort and normal mobility, these perception layer monitoring devices are designed with low power requirements and consequently constrained computing resources. The authors in Rasool et al., ref. [30] (p. 14), argue that the notable increase in these constrained perception layer devices, connected into the larger health systems, significantly expands the attack surface through which adversaries can inflict Denial of Service (DoS) attacks, firmware attacks, privilege escalation, and topology poisoning, eventually leading to a threat to human lives. This is one of the unfortunate consequences of the smart paradigm. Healthcare providers, as the entities responsible for patients and data, need to be aware of and understand the need for a scaled-up cyber risk management strategy in the face of this expanding attack surface.
A typical chronic disease RPM scenario, incorporating multiple co-morbidity monitoring devices, is shown in Figure 1.
In this scenario, Third-Party RPM solution providers (PPs), contracted by the Healthcare provider (HCP), provide a monitoring solution for a specific patient. In this instance, a pulse oximeter, which measures blood oxygen levels and heart rate, a respiratory rate monitor, and a blood glucose level monitor are provided in the overall RPM solution in addition to the associated smartphone apps, as well as a cloud portal where the data are made available to the HCP clinicians. Multiple solution providers may be involved in the RPM process depending on the patient condition and co-morbidities. Figure 1 shows the continuous glucose monitor provided by PP A sourced from Manufacturer 1; a pulse oximeter/heart rate monitor being provided through PP B but sourced from Manufacturer 3; and a respiratory rate monitor also provided by PP B but sourced from Manufacturer 2. In this scenario, the HCP has little knowledge of the provenance of the IoMT devices/apps involved, relying very much on the PP for quality and security assurance of the overall solution. This is a problem under NIS 2, as the HCP is very much responsible for the security of the data handled by these devices and for managing the cyber risks inherent in these devices. The scale of the problem becomes apparent when thousands of patients with multiple comorbidities are considered for which HCPs are implementing an RPM solution. Cyber risk management methodologies need to be able to scale efficiently to address the expanding attack surface provided by RPM and Healthcare 5.0.

2.2. Healthcare Cyber-Attacks

Health service organisations, due to the nature of the personal data they store and process (Personally Identifiable Information (PII) and Personal Health Information (PHI)), continue to be prime targets for cyber threat actors [31]. The expanded attack surface of healthcare has led to a number of high-profile cyber incidents in recent years. Notable among these are the Johnson & Johnson encryption weakness in their insulin pump delivery mechanism which allowed hackers to compromise the pump, thus putting diabetic patients at risk [32]; the recall of almost half a million pacemakers found to have security vulnerabilities, which, if attacked, could lead to incorrect voltage levels being applied to a patient’s heart, compromising the patient’s life [33]; the 2017 WannaCry ransomware attack, attributed to a North Korean government-sponsored group, who gained access to UK National Health Service (NHS) enterprise servers through a Windows OS vulnerability [34]; and the Conti group ransomware attack on the Irish health services (Health Services Executive (HSE)) in May 2020, which resulted in over 1000 HSE applications being taken offline for a period of months and exfiltrated patient data being made available on the dark web [35]. These examples are evidence of the cyber risks to which healthcare providers and patients are exposed. The currently expanding RPM context, presenting a vastly enlarged attack surface, will further amplify this risk exposure.

2.3. The Patient Smart Home Context

The RPM environment, in a growing number of cases, is also populated with adjacent smart home technology (smart energy meters, smart TV, security cameras, voice assistants, smart lighting, etc.) in addition to non-medical Wireless Body Area Networked (WBAN) technologies: games consoles, ear buds, laptops, etc. [36]. The authors here argue that the vast majority of this IoT-based technology comes with apps and cloud services which are known to have security flaws. Moreover, the consumers of this technology do not have the expertise to choose equipment/devices with the highest levels of security. The authors in ref. [26] point to, inter alia, poor user management, weak passwords for smart home communications devices, lack of security awareness around cyber-attacks, and low-cost sensors with minimal security measures as contributing factors in poor overall technology administration in the smart home. The authors here also point to the poor levels of security in home IoT gateways, which we argue only focus on simple tasks without considering authentication and authorisation issues. Researchers have suggested possible compromise pathways from smart home technology to adjacent IoT-based technology. The authors in ref. [37] highlight in particular the smart TV and its Wi-Fi and Bluetooth interfaces through which an attack could pivot into internal smart home networks. Researchers have also chronicled the 2016 Mirai botnet attack which saw thousands of compromised IoT-based home security cameras deliver a DDoS attack on a gaming website [38]. This IoT-based smart home technology, located near to IoT-based RPM technology, creates a complex zone of cyber vulnerabilities in the patient smart home, further increasing the attack surface in the wider RPM context.

2.4. Pilot Study

A pilot case study, carried out as part of this research in 2023, involving a HCP, a PP, and two patients (Pts) who were undergoing RPM for long COVID-19, found that several factors contributed to poor cyber security governance in the RPM environment.
Foremost among these was the primacy of the patient condition ahead of cyber security concerns, both from the point of view of the patient and of the HCP. Patients themselves acknowledged they had low cyber security awareness around the overall monitoring solution, entrusting their data security to the HCP and stressing the more important issue of their health condition. This echoed the findings in ref. [26] and a survey by Turner et al. in ref. [39] who found that families do not consider IoT devices to be significantly different from other computing devices and assume that the cyber security of these devices is managed through consumer regulations. The healthcare provider also emphasised their primary concern was for the patient’s wellbeing and put their trust in the PP in terms of ensuring data security and privacy.
In addition, PPs cited lack of access to the private space of patient homes and lack of resources to perform risk assessments at scale where there were large numbers of patients involved in the overall RPM initiative.
Another factor pointed to a lack of any government-driven policy on promoting cyber awareness in the home environment. Neither the HCPs nor PPs felt that it was their role to promote cyber awareness at this level.
The case study displayed the apparent confusion about who was responsible for cyber risk management in the RPM context; patients passing it on to the HCP and the HCP passing it on to the PP. The NIS 2 regulation attempts to address this confusion by placing responsibility firmly in the hands of the essential entity—the HCP [9]. A cyber risk strategy should therefore consider the context of the patient condition and the resource constraints of the PP.

2.5. NIS 2 Cyber Security Regulation

National and international regulations continue to evolve in response to the perceived cyber threat resulting from our increasingly interconnected landscape.
In the European Union (EU), the European Commission is enforcing its Network and Information Security (NIS 2) directive, effective October 2024, which sets out to harmonise cyber resilience measures (cyber incident reporting, cyber risk management, business continuity planning, supply chain security, and cyber hygiene training) in critical infrastructure sectors (Energy, Transport, Banking, Healthcare, Drinking Water, etc.) across member states. Moreover, penalties for non-compliance include fines of up to EUR 10 m and sanctions for upper management personnel [9] (Article 34).
The UK equivalent of the NIS directive, the Cyber Security and Resilience Bill announced in mid-2024, will strengthen current cyber resilience measures attached to critical infrastructure and services similar to NIS 2 [40].
This legislation has particular significance for healthcare providers, particularly insofar as RPM is concerned. Aspects of cyber resilience identified in the regulations such as risk management, incident reporting, basic cyber hygiene, and supply chain resilience, although they remain within the responsibility of the healthcare provider (HCP), are difficult to implement in the private environment of the patient home. As indicated in Section 2.4, the PP, who is a contracted third party of the HCP, is reluctant to become involved in additional risk assessment in the patient home due to the vast numbers of homes they might have to visit, their limited resources, and the limited access to a patient home environment, to carry out a satisfactory cyber risk assessment. It is important therefore to consider a risk management methodology which scales as the number of patients in the RPM initiative scales up and which can be managed within the limited resources of the HCP/PP.

2.6. The NASSS Framework—Application to Cyber Risk Management

A study by Greenhalgh et al., ref. [20], to help predict and evaluate the success and scale-up of patient-facing technology and supporting health and social care programs, developed the Non-adoption, Abandonment, Scale-up, Spread, and Sustainability (NASSS) framework. The framework resulted from a study of six RPM technologies, including remote patient video conferencing; GPS tracking for cognitive impairment; remote monitoring for heart failure; and remote pendant alarm services. The researchers examined the aspects of the technologies, implementations, and interactions of stakeholders to identify the factors which supported or hindered the large-scale adoption of these RPM technologies. The NASSS framework, shown in Figure 2, reproduced from [20] (p. 11), essentially links the value proposition (to patient, healthcare provider, and the wider context) of adopting a patient-facing healthcare technology innovation to a thorough understanding of the patient condition (being monitored), the Adopter System (patient, healthcare staff, care givers, etc.), and the technology involved. They concluded that maintaining the value proposition mitigates project abandonment and facilitates adoption, embedding, and scale-up over time.
Further work by Hellstrand Tang et al., ref. [41], investigating complexity in Remote Patient Monitoring innovations and their implementation using the NASSS framework concluded that complexity at all levels—patient condition, the technology solution, the organisation implementing the solution, regulatory environment, and the supply chain—has a negative impact on the value proposition and hence on the scalability of a solution. The authors, however, stopped short of quantifying levels of complexity and related impacts on the value proposition. This would be valuable to solution providers and healthcare providers, as identifying these elements at an early stage would support healthcare technology adoption and scale-up. Moreover, the problem of cyber security around patient-facing healthcare technology was not considered specifically for inclusion in the NASSS framework domains in either [20] or [41]. Nevertheless, the NASSS framework has been widely adopted [42,43,44] as a methodology for assessing scale-up of patient-facing technologies.
Our approach in using the NASSS framework hinges on the premise that cyber risk management in the RPM environment is an all-embracing aspect of the technology supported “patient-facing” healthcare program. In a workplace setting, cyber security risk management underpins employee interaction with technology. In the RPM context, cyber risk is associated with all dimensions of the patient-facing technology: the specific components (monitoring devices, smart phones, apps, comms, etc.); how the technology components are implemented (interconnectedness and the organisation structure around this); how the users interact with the technology (patients, HCP, PP, care assistants, etc.); the patient context (patient condition, home setting, level of tech awareness, smart home technology, etc.); and the regulatory environment (NIS 2, GDPR, MDR). The regulatory environment is particularly important in terms of the value proposition. NIS 2 requires HCPs to improve their cyber risk management in all areas of activity, penalizing poor efforts in this regard and thus reducing the value proposition of RPM to the HCP and patient. Poor cyber risk management, either at the level of monitoring a single patient or a poorly scaled implementation, moderates the overall value proposition of RPM and hinders further adoption of a specific RPM initiative. Applying the NASSS framework in the RPM context therefore suggests that scalable cyber risk management needs to consider patient condition, the technology related to managing that condition, and the Adopter System for that condition, which is managed under the authority of the healthcare provider/organisation. Moreover, as pointed out by Hellstrand Tang et al., ref. [41], a complex cyber risk management approach in this context will have a negative impact on the value proposition, thereby reducing the scalability potential.

2.7. Research Contributions

To address the current gap in the literature as it applies to RPM in the patient smart home context, this research makes two major contributions:
  • Identifies the elements within current cyber risk management approaches which would contribute to the scalability of those approaches.
  • Develops a Scalability Index (SI) to enable comparison of cyber risk management approaches.
This will benefit both researchers and practitioners, particularly healthcare providers (HCPs) and platform providers (PPs) in comparing the scalability potential of cyber risk management approaches in the context of NIS 2.

3. Materials and Methods

In support of these objectives, we carried out a systematic review of the literature which deals with cyber security risk management in Remote Patient Monitoring, specifically in the context of the patient smart home.

3.1. The PRISMA Methodology

According to its authors, the PRISMA methodology, although originally designed for the reporting of systematic reviews which evaluate health interventions, can be used for non-health-related studies [45] and has been used in diverse fields of computing, construction, and image processing [46,47,48]. We chose the PRISMA methodology for this review because of its robustness, repeatability, and diversity of application, given that our study spans both healthcare and computing disciplines. The PRISMA 2020 statement outlines a reporting methodology across 27 sequential stages, from outlining the rationale for the review, identifying literature to be included and also excluded from the review, specifying a search strategy, data extraction, synthesis, analysis, and the interpretation of the results in the context of other evidence [45].
In selecting the studies for the review, we complied with the PRISMA 2020 statement, which included the PRISMA workflow template, the PRISMA 2020 checklist, and the PRISMA 2020 Abstract Checklist. These documents are included as part of the Supplementary Materials with this research. The key steps are outlined in the following sections.

3.1.1. Search Strategy

The search strategy adopted a two-pronged approach. Firstly, a general search was performed using the Google Scholar, Web of Science, and Scopus search engines; secondly, a targeted search of specific databases, IEEE, MDPI, Springer, Elsevier, and ACM, was carried out. In addition, the International Organisation for Standardisation (ISO), NIST, and the European Union Agency for Cybersecurity (ENISA) document repositories were searched as sources of grey literature.
The search string aligned closely with the research objectives, targeting specific keywords which were joined through Boolean operators to refine the search. The search attempted to target studies which highlighted cyber risk approaches, as opposed to purely independent cyber security measures in the RPM context. Previous ad hoc searches yielded studies which referred to “risk assessment”, “risk quantification”, and “governance” as terms associated with risk management; hence, these were used in the final search string. Moreover, the term “IoMT” is not universal; several authors refer to “medical IoT” and “Health IoT” in the same context as IoMT. These terms were also included, and the final search string was implemented as follows:
(“IoT” OR “IoMT” OR “HIoT”) AND (“Remote Patient Monitoring” OR “RPM”) AND (“Cyber Security” OR “Cybersecurity”) AND (“Risk Management” OR “Risk Quantification” OR “Risk Assessment” OR “Governance”).
In an attempt to identify studies which our search may have missed, we also employed backwards snowballing, defined in Kitchenham et al., ref. [49] (p. 2051), as checking the references of selected papers for additional studies to include in the final selection.

3.1.2. Eligibility Criteria

Inclusion criteria targeted peer-reviewed English-language studies, covering a period from January 2016 up to March 2025, which considered cyber security risk management for Remote Patient Monitoring using IoMT technology in the patient smart home context. Studies were also considered which were designed around RPM in a hospital setting but which the authors suggested could be implemented in the patient home context.
Exclusion criteria removed from selection non-English-language articles, articles published prior to 2016, articles which did not consider IoMT cyber security in the context of Remote Patient Monitoring, and articles which focussed exclusively on hospital implementations of RPM. Reasons for excluding the literature prior to 2016 included: (i) in the past ten years, there have been significant changes in the RPM landscape: technology speeds have increased, including 3G, 4G, 5G and beyond, facilitating larger and more real-time data transmissions; (ii) sensor technology has improved in terms of the range of patient parameters which can be monitored remotely; (iii) the use of smart home technology has increased; (iv) the scale of RPM initiatives has drastically increased, particularly during and after the COVID-19 pandemic; (v) there has been a marked increase in cyber-attacks on healthcare data; and (vi) the regulatory environment affecting healthcare cyber security (GDPR, NIS 2, MDR, etc.) has changed.

3.1.3. Quality and Risk of Bias (RoB)

To minimise the risk of “experimenter” bias as described by Kitchenham et al., ref. [49] (p. 2060), we adopted the following set of criteria defined in Sale et al., ref. [50] to ensure quality in the chosen studies:
  • Appropriateness of the study design to the research question;
  • Justification of the data analysis methods used;
  • Whether the strength of the evidence supports the conclusions drawn;
  • Whether the results could be generalised to other situations.
Moreover, a sample of 30 studies was reviewed and rated by two colleagues to counter any RoB in paper selection by the primary researcher. A Cohen’s Kappa statistic was calculated at 0.8. The authors in ref. [51] point to a Kappa value of between 0.8 and 0.9 as generally reflecting strong overall agreement between raters on the selection of studies.
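The inter-rater check described above, worked through as an added example (not the review’s own code or data): the per-study include/exclude decisions below are constructed, since the review does not publish them, and are sized to a 30-study sample that yields a Kappa of about 0.8; the helper that lists disagreements is an addition for reconciling the two raters’ screening.

```python
"""Cohen's kappa for two raters screening the same sample of candidate studies.

Added example: the review reports kappa = 0.8 on a 30-study sample but does
not publish the per-study decisions, so the decisions below are constructed.
"""
from collections import Counter
from typing import Dict, List, Sequence

# Constructed screening decisions for 30 candidate studies (not the review's
# actual data). True = include, False = exclude.
# Agreement table: both include 12, rater A only 2, rater B only 1, both exclude 15.
RATER_A: List[bool] = [True] * 12 + [True] * 2 + [False] * 1 + [False] * 15
RATER_B: List[bool] = [True] * 12 + [False] * 2 + [True] * 1 + [False] * 15


def agreement_table(a: Sequence[bool], b: Sequence[bool]) -> Dict[str, int]:
    """Count the four cells of the 2x2 include/exclude agreement table."""
    if len(a) != len(b):
        raise ValueError("both raters must rate the same list of studies")
    counts = Counter(zip(a, b))
    return {
        "both_include": counts[(True, True)],
        "a_only": counts[(True, False)],
        "b_only": counts[(False, True)],
        "both_exclude": counts[(False, False)],
    }


def cohens_kappa(a: Sequence[bool], b: Sequence[bool]) -> float:
    """Cohen's kappa = (p_o - p_e) / (1 - p_e).

    p_o is the observed proportion of studies on which the raters agree;
    p_e is the agreement expected by chance from each rater's include rate.
    """
    t = agreement_table(a, b)
    n = sum(t.values())
    if n == 0:
        raise ValueError("no ratings supplied")
    p_o = (t["both_include"] + t["both_exclude"]) / n
    a_include_rate = (t["both_include"] + t["a_only"]) / n
    b_include_rate = (t["both_include"] + t["b_only"]) / n
    p_e = a_include_rate * b_include_rate + (1 - a_include_rate) * (1 - b_include_rate)
    if p_e == 1.0:
        # Both raters gave one identical verdict to every study: chance alone
        # explains the agreement and kappa is undefined. Returning 1.0 here is
        # a convention adopted for this example, not a statistical result.
        return 1.0
    return (p_o - p_e) / (1 - p_e)


def disagreements(a: Sequence[bool], b: Sequence[bool]) -> List[int]:
    """Indices of studies the two raters screened differently (to reconcile)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    print(agreement_table(RATER_A, RATER_B))
    print(f"kappa = {cohens_kappa(RATER_A, RATER_B):.3f}")
    print("studies to reconcile:", disagreements(RATER_A, RATER_B))
```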

3.1.4. The PRISMA Workflow

Searches targeting specific databases and search engines yielded 2809 articles, as shown in Table 1.
Initial screening through the exclusion criteria and removal of duplicates left 193 articles remaining. A total of 94 articles were excluded based on title, abstract, and keywords, leaving 99 articles to be assessed on a full text read. Exclusion criteria at this point focussed on articles which did not address cyber security requirements of RPM in the patient home context and which did not meet the quality criteria set out in Section 3.1.3. Through the PRISMA protocol, we identified 54 studies which were complemented by 3 additional studies, identified through backward snowballing, yielding 57 in total. Figure 3 shows the PRISMA workflow for the paper selection.

3.2. Data Extraction and Coding

A common data extraction protocol used in systematic literature reviews, particularly in organisation research, originally developed by Denyer et al., ref. [52], and drawing on a Design Science (DS) research approach, is the Context–Intervention–Mechanism–Outcome (CIMO) protocol. Design Science, according to ref. [53], is a problem-solving paradigm aimed at creating innovative knowledge artifacts for solving real-world problems, and it is applied in many domains including healthcare, information systems, architecture, business organisation, and economics. The protocol considers a specific problem Context (C) for which the design science approach prescribes an Intervention (I) which activates a Mechanism (M) producing an Outcome (O). In terms of addressing Research Objective 1 (RO1), we classify research approaches to cyber risk management according to how each study addresses the C, I, and O elements of the protocol. We disregard the “M” constituent for this exercise as we consider the Mechanism to be inherent in the Intervention (I) element. For example, a qualitative risk assessment as an intervention does not trigger a separate mechanism to generate an outcome; the outcome is generated by the risk assessment process directly. The C, I, and O elements are outlined in Table 2.
In terms of “Context” (C), we are conscious of some settings in which RPM takes place (diabetes, COVID, post-operative monitoring, ageing), but we are open to discovering other contexts in which patients are remotely monitored. Coding of the “Intervention” (I) attribute considers two elements: (1) whether a qualitative/quantitative approach is considered as the risk assessment approach and (2) which risk treatment/mitigation approaches (encryption, ML, Blockchain, or specific standards controls) are applied. It is also important to understand the depth of the risk management approach. This is derived from the layers of the IoMT architecture on which the approach focusses. Some authors identify a three-layer IoMT architecture comprising Perception, Network, and Application layers [22,24], while others extend this to a four-layer model [25,54]. We choose to adopt the four-layer architecture described in Alegría et al., ref. [25] (p. 41), as this model divides the Application layer into two layers—Application and Cloud/Platform layers, which better reflects the idea of a platform provider (PP) entity and allows us to consider the associated risk. The “Outcome” (O) for each proposal refers to two questions: (1) were stakeholder roles identified and (2) was the proposal tested in any kind of simulated or live environment which would highlight any implementation issues or was it a purely theoretical proposal? The codes which emerged for Context, Intervention, and Outcome are provided in Table 3.

3.3. Research Methodology Overview

An overview of the research methodology is provided in Figure 4. Research Objective 1 (RO1) is addressed through the CIO protocol, classifying approaches to cyber risk management through elements (i) Context, (ii) Risk Assessment approach, (iii) Risk Mitigation approach, (iv) Stakeholder Role identification, and (v) How the proposal was tested.
Research Objective 2 (RO2) is addressed by mapping the C, I, and O elements, identified through RO1 to the NASSS framework elements: Condition (1), Technology (2), and Adopter System (4), described in Figure 2 (Section 2.6). The framework suggests that an overall value proposition (3) is delivered and maintained through reduced complexity in each of elements (1), (2) and (4) of the NASSS framework. We propose a metric around this value proposition—a Scalability Index (SI)—which represents the scalability potential of a particular approach and serves as a comparator across cyber risk management approaches in the RPM context. A diagrammatic representation of the overall research methodology is provided in Figure 4. The diagram shows the mapping between the five elements captured through the CIO data extraction protocol and elements (1), (2), and (4) of the NASSS framework. The Context element maps directly to the Condition element of NASSS. The Risk Assessment and Risk Treatment elements, including IoMT architecture layer considerations, map to the Technology element of NASSS. We also map the Testing and Implementation Issues to Technology, as this element considers the dependability of the technology. Here, we argue that untested cyber security approaches would be less dependable than tested systems.

4. Results

This section describes the results as they support each of our research objectives. This includes the data supporting RO1 in terms of how researchers addressed cyber risk management in RPM from the points of view of “Context” (patient condition, and care pathway), the specific risk management “Interventions” (risk assessment and risk mitigation techniques), and an assessment of the “Outcome” of the research (were stakeholder roles identified, and how was the research tested?).

4.1. Context Analysis (C)

For RPM, the analysis highlighted six discernible contexts where RPM cyber risk management was studied. The percentage breakdown of studies across these contexts and their assigned codes are shown in Figure 5.
The contexts under consideration spanned chronic disease, smart ageing, medical devices, healthy living, and what we termed the “General IoMT” context. The following sections provide examples of how the codes were applied to each context.

4.1.1. General IoMT (G-IoMT)

The most common context for researchers considering cyber risk management in RPM was the general context, accounting for approx. 77% of studies. The general IoMT (G-IoMT) context refers to a generic application of IoMT devices in an RPM environment but not focussing on any specific use case or care pathway. For example, the authors in ref. [24] based their proposed risk assessment methodology on low-power, low-compute, resource-constrained IoMT devices, which when exposed to the internet can be the target of adversarial cyber-attacks. The authors in ref. [55] described their context as the broad area of e-health and telemedicine, where IoMT devices are deployed. They described the remote monitoring of patients with mild to moderate COVID-19 in their own homes as being representative of their target scenario and proposed a risk-management framework structured around the four pillars of Data Security, Regulatory Compliance, Patient Safety, and Risk Prevention. The researchers in ref. [30] defined specific use cases in the general RPM context: tracking of medicines for patients (timing, dosage, diet plans, prescribed exercises); personalised healthcare (using AI in conjunction with IoMT monitoring to provide personalised diagnosis and treatments); and Remote Patient Monitoring of infectious disease similar to COVID-19. Through a review of cyber-attacks on IoMT device types and consequent security and privacy requirements of the generic IoMT infrastructure, they concluded that any security and privacy-enforcement techniques should be incorporated into the whole life cycle of the IoMT—from design through to implementation.

4.1.2. Chronic Respiratory Context (Ch-R)

Although many authors made passing references to the COVID-19 context, approximately 7% of the articles in the survey investigated cyber risk management in chronic respiratory (Ch-R) situations, which included the COVID-19 context of RPM. The authors in ref. [56] considered specifically a National Early Warning System (NEWS) for remote COVID-19 patients with mild to moderate symptoms, living in their own homes, based on monitoring patients’ respiratory rate, oxygen saturation, systolic blood pressure, heart rate, level of consciousness, and temperature through deployed IoMT devices. In ref. [57], the authors described a proposed pilot study involving remote monitoring through IoMT devices of patients suffering from Chronic Obstructive Pulmonary Disease (COPD) or COVID-19 and the use of a personal health gateway at each patient residence which securely collects data from the IoMT sensors and transmits it to back-end cloud sensors.

4.1.3. Chronic Diabetes Context (Ch-D)

The chronic diabetes (Ch-D) context is also considered in the literature and, similar to Ch-R, it was examined in 7% of studies. For example, the authors in ref. [58], investigating data security and privacy risk in the smart city paradigm, focus specifically on smart healthcare, providing an illustrative example of how their proposed framework could be tested on remote diabetes monitoring.

4.1.4. Medical Device Context (MD)

A definition of a medical device, provided in Article 2 of the EU Medical Device Regulation (MDR) 2017/745, includes, inter alia, “any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the following specific medical purposes: diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease” [59] (Article 2). Approximately 3% of studies considered cyber risk management specifically focussed on medical devices in the RPM smart home context. For example, Kim et al. in ref. [60] focussed on what they term critical medical devices, particularly Implantable Medical Devices (IMDs) (cardiac defibrillators, insulin pumps, and deep brain stimulators) which fall under the EU Class III definition, and Rao et al. in ref. [61] considered the heart pacemaker in the RPM context.

4.1.5. Smart Ageing Context (S-Age)

Almost 5% of the papers in the study considered “Smart Ageing” in the Remote Patient Monitoring context. In ref. [62], Ianculescu et al. explore security and privacy risk management in an environment where health, motion, ambient, and lifestyle parameters are collected in relation to elderly persons via a diverse set of IoT/IoMT sensors. The authors in ref. [7] consider a blockchain Proof of Authority (PoA) consensus mechanism and smart contracts to ensure the transparency of the data collection process in remote monitoring devices in a smart home context and, moreover, to ensure the subject’s privacy is preserved in the subsequent use of that data. The proposed framework is theoretically tested in a scenario of the smart home of an elderly resident. It captures data particular to the activities of the individual (those which a smartwatch might collect, e.g., accelerometer and gyroscope data) and data in relation to daily routines: sleeping, eating, etc., in addition to health and ambient data around humidity, air quality, lighting, etc.

4.1.6. Healthy Living (HL)

An IoT-based personal health information system is considered in ref. [63] supporting healthy living through the collection of health-related data from wearables and air quality data from ambient sensors. The information can be viewed by healthcare professionals to detect early onset of conditions or diseases. The authors propose a qualitative risk management approach based initially on a Data Flow Diagram (DFD) to evaluate the personal health data collection system use case and subsequently on the Microsoft STRIDE and DREAD threat modelling tools to estimate risk. The Healthy Living context only accounts for approximately 1% of studies.

4.1.7. Contexts—Summary

A wider sample of the literature where cyber risk management was studied in the above contexts, along with the challenges and limitations of these studies, is provided in Table 4.

4.2. Risk Management Intervention (I)

In this section, we examine the risk management interventions (I) adopted across the various contexts in the studies. As described in Table 2, “I” includes the macro risk management components: risk assessment, which is defined as “quantitative” or “qualitative”; and risk treatment/mitigation attempts to reduce risk. Both risk assessment and risk treatment were further considered with supporting AI/ML, Blockchain, Software-Defined Networking, and Security Processes, as shown in Table 3.

4.2.1. Risk Assessment Approaches

Cyber risk assessment can be accomplished using qualitative approaches, quantitative approaches, or a combination of these techniques [24,63]. Qualitative risk assessment is described in ref. [24] as an approach based on the intersection of qualifying attributes of probability of occurrence and severity of impact, and it is represented visually on a heat map as being Low, Moderate, or High. Risk is then evaluated from an overall organisational point of view and mitigated if it is above some threshold level. The authors in refs. [63,67] refer to qualitative cyber risk assessment as requiring expert opinion and the judgement, intuition, and experience of managers, indicating that there is an element of subjectivity in this approach. This could lead to variability in the risk assessment outcome, depending on the level of expertise of those conducting the assessment.
Quantitative cyber risk assessment, according to the authors in ref. [63], requires historical data to calculate exact probabilities of cyber event occurrence and exact impacts of loss events. In ref. [24], the researchers suggest that this is a non-consensus, deterministic approach, removing subjectivity from the eventual calculation of cyber risk. A quantitative approach has the advantage of allowing prioritisation of risk events when many risks could be considered within the same qualitative classification of “high” or “critical”. However, a major disadvantage is the complexity of implementing the approach, given the data logging and analysis required in the overall risk calculation. Moreover, in the IoMT environment, a high loss magnitude event is anything which results in injury or death to a patient; this might be difficult to quantify but could be related to court-awarded monetary settlements or insurance payouts.
Authors also refer to a combined qualitative/quantitative approach. In ref. [24], the authors suggest that a qualitative analysis is often used initially to identify the main risks, followed by a quantitative assessment to prioritise these risks. Other approaches to risk assessment include those which involve Machine Learning (ML) and those based on Regulatory Mechanisms (RMs). For example, in ref. [55], the researchers consider the regulatory requirements of the NIST and ISO frameworks, but with the addition of ML. The overall analysis of the cyber risk management approaches is provided in Figure 6.
Our analysis shows that the qualitative (QL) approach was most commonly adopted across all the studies in the review, both in terms of an individual approach (65%), and in conjunction with other approaches (14%). A purely quantitative approach was identified in 14% of the studies, with a combined qualitative/quantitative approach adopted in approximately 3% of studies overall.

4.2.2. Risk Mitigation Approaches

Our results in Table 5 show that most researchers proposed the use of Regulatory Mechanisms (RMs) (recognised standards: NIST, ISO) in cyber risk mitigation (12 studies). The next most common approaches were Security Mechanisms (SMs) (encryption, authentication mechanisms) on their own and SMs in combination with RMs (eight studies). Blockchain (BC) mitigations accounted for the next largest group (six studies). To a lesser extent, Machine Learning (ML) and Software-Defined Networking (SDN) were used in combination with the above to mitigate risk.

4.2.3. IoMT Architecture Layers Where Cyber Risk Is Studied

Figure 7 shows how the studies of cyber risk management in the review focussed on the various layers of the IoMT architecture: Perception (P), Network (N), Cloud (C), and Application (A). The results indicate that all studies addressed the Perception layer, which is understandable, as the P layer is a key feature of the IoMT architecture. The Perception layer was also the most individually addressed layer at 18%. The vast majority (70%) examined cyber risk at all four layers.

4.3. Outcome (O)

In terms of the outcome variable (O), we attempted to determine two elements across the studies: (i) how cyber risk management proposals were tested; and (ii) were HCP, PP, and Pt roles in the risk management process identified. We considered these as outcomes from the point of view of implementation. A tested proposal, either in a live or simulated environment, highlights possible implementation and efficiency issues which are pointers as to how a proposal might scale. A purely theoretical proposal, on the other hand, does not provide any implementation indicators, reducing knowledge of its scalability potential. In addition, the recognition that the major stakeholders should have roles in the overall risk management approach aligns with the NASSS framework’s Element 4, the Adopter System (staff, patient, carers). Our research methodology in Figure 4 shows the mapping from the Outcome element to the Adopter System and Technology elements of the NASSS framework.

4.3.1. Testing of Research Proposals

Approaches to testing the proposals in the literature were categorised under three codes: a purely Theoretical Proposal which was untested in the research was coded as TP; a proposal which was tested in either a live or simulated environment was coded as TS (TeSted); and a proposal which researchers indicated might respond in a particular way given theoretical data was coded as TI (Theoretical Implementation). The relative percentages of the studies which were categorised under these codes are shown in Figure 8. The data show that 55% of studies were purely theoretical and provided no evidence of testing, while only 12% underwent some live or simulated testing. A further 33% suggested how theoretical values applied at an input might affect the output, but falling short of an actual simulation.

4.3.2. Stakeholder Roles and Responsibilities

HCP staff, PP staff, patient, and caregiver stakeholders are considered the Adopter System (Element 4) of the NASSS framework. In this element, Greenhalgh et al., in ref. [20] (p. 12), identify three issues which should be addressed by a proposed innovation: (i) staff roles and identities; (ii) what is expected of the patient and immediate caregiver, and is this achievable and acceptable to them; and (iii) what is assumed about the extended network of lay care-givers. According to the authors, if a proposal answers these questions it contributes to the value proposition of the proposal and increases its scalability potential. In terms of issue (i), we consider that the roles and responsibilities of both HCP and PP staff are addressed within this context, as both groups contribute to cyber risk management, HCPs from a governance perspective and PPs from an operational management perspective. This is supported by the authors in ref. [68], who suggest that each of HCP, PP, and Pt uses, manages, and maintains different technology components within the RPM and is responsible for safeguarding their piece against the risks associated with the RPM ecosystem [68] (p. (ii–iv)). The stakeholder outcome codes and related percentages are provided in Figure 9.
The data show that 17% of studies considered all three major stakeholders, whereas a sizeable 37% did not reference any of the major participants in cyber risk management in the RPM ecosystem. It is interesting to note that the HCP was referenced in 63% of studies, whereas the patient as a contributor to cyber risk management was referenced in only 24% of the studies. The PP role was mentioned in 40% of the studies, which is also interesting, given that the PP has responsibility for operational management of the RPM ecosystem overall. These data therefore indicate that only 17% of studies understand the importance of stakeholder roles and responsibilities in scaling their risk management proposals.

4.4. Summary of Cyber Risk Management Approaches

In answering Research Objective 1 (RO1), we categorised approaches to cyber risk management in the RPM context of the patient smart home in terms of Context, Risk Assessment Approach, Risk Mitigation Approach, Testing, and Stakeholder Identification. The following is a summary of these categorisations.
Firstly, in terms of context, researchers do not appear to be focusing on a specific patient condition or care pathway, rather they assess the application of IoMT in a general Remote Patient Monitoring sense. When specific applications are considered, they tend to be respiratory (COVID-19 and COPD) and diabetes-related. There is also a small focus on age-related application of IoMT in the remote monitoring of elderly patients in independent living scenarios. Not recognising that the patient condition determines the care pathway, care process, associated RPM technologies used, and the interaction with these technologies means that cyber risks linked to this pathway may have been overlooked. The patient context maps directly to the NASSS framework Element 1 (Condition), which has a direct impact on the scalability value proposition of a proposed innovation.
Secondly, in terms of assessing risk, most researchers adopt a qualitative measure based on subjective assessments. Some researchers use regulatory mechanisms such as the NIST and ISO frameworks as the basis for their risk assessment, while others use threat modelling framework tools such as STRIDE and DREAD. Overall, these measures of cyber risk, based on a combination of likelihood and impact, are classified as “Severe” (a significant urgent risk exists and requires immediate remediation); “Elevated” (the risk should be mitigated within a reasonable period of time); and “Low” (risk is normal and generally acceptable, but needs continuous monitoring and may require future remediation). These approaches require skilled individuals to make subjective assessments of cyber risk in each scenario and do not support scalability where thousands of patients are monitored simultaneously. However, some authors, recognising the subjectivity in these classifications, propose a risk ranking based on numeric weightings applied to both likelihood and impact criteria. This provides a methodology for organisations to rank and prioritise qualitative risk assessments, as opposed to absolute quantification of risk.
Risk assessment using a purely quantitative approach was evident in 14% of studies, with an additional 2% using ML to support the quantified risk measure. Risk quantification is defined by Lee in ref. [67] as requiring knowledge of the frequencies of cyber-attack types, calculating the magnitude of consequences of cyber breaches arising from the attacks, in monetary terms, and by the number of individuals affected. The authors quantify the impact of security breaches in terms of statutory fines, the cost of legal and cyber expertise to resolve the breach, the value of data released, and the cost of additional cyber mitigations. Moreover, for healthcare providers, they identify additional costs in terms of accommodating patients in other healthcare facilities, ransomware payments, large potential fines due to the release of private health data, and equipment replacement. As RPM is implemented as a medical care pathway, we should also consider adverse patient safety event risk due to cyber security incidents along that pathway.
Similar to the quantitative approach, risk assessment using a qualitative approach carried out by individuals at each patient site does not lend itself to scalability in terms of thousands of patients in an RPM ecosystem. The skills or resources would not be available to the HCP or PP to scale to these levels. Approximately 18% of studies adopted elements of AI/ML into their cyber risk assessment processes. This has potential from a scalability perspective in that AI/ML would support the automation of risk management processes to deal with large numbers of patients efficiently in an RPM ecosystem.
Thirdly, in terms of risk mitigation controls, Regulatory Mechanisms (RMs), Security Mechanisms (SMs), Blockchain (BC), and Machine Learning (ML), both individually and in various combinations, were the most common approaches adopted by researchers. RMs were the single most used approach; however, as this requires the input of an individual to implement these controls, it does not scale well. RMs in combination with ML were proposed in two studies, enabling automation of elements of risk mitigation and thus allowing it to scale better. Blockchain on its own and in combination with other mitigations was proposed in 16 (28%) studies. However, there is a performance issue with BC in the constrained IoMT environment, which does not lend itself to the high computing requirements of Blockchain. There are also issues in ensuring that BC, ML, and even certain levels of encryption are present on devices within the RPM ecosystem. In most instances, the solution provider (PP) implemented monitoring devices from third-party manufacturers without a full test of the devices. Ascertaining the provenance of monitoring devices should form part of the overall risk management approach.
Risk assessment and risk mitigation processes map directly to the “Technology” element (2) of the NASSS framework, which again directly impacts the value proposition of the proposal from the point of view of scalability.
Finally, in terms of outcomes, our review shows that the majority of studies (55%) were untested and therefore purely theoretical proposals. The small proportion of studies (12%) that were tested, in either a live or a simulated environment, would have produced indicators of scalability in their implementations, which is beneficial from the HCP/PP point of view.
Identification of stakeholder roles and responsibilities maps to Element 4 (Adopter System) of the NASSS framework. All three major stakeholders (HCP, PP, Pt) were considered in only 17% of studies, and 37% did not recognise a role for any of them. The Adopter System directly impacts the value proposition, and hence the scalability, of a cyber risk management proposal in the RPM context.

4.5. Quantifying the Value Proposition; Scalability Index (SI)

We quantify the value proposition (Element 3) in the NASSS framework (Figure 2) as a Scalability Index (SI) of a cyber security risk management proposal. The value proposition depends directly on the Adopter System (the organisation of stakeholders’ roles and responsibilities), the patient context (the patient condition and the environment in which it is managed), and the technology (the processes of risk assessment and risk mitigation), as shown in our research methodology diagram in Figure 4. The diagram also shows that three elements from RO1 map to the NASSS “Technology” element in RO2, whereas the “Condition” and “Adopter System” elements of NASSS each have only one mapping from RO1. This points to the Technology element having a higher impact on the value proposition than the Condition or Adopter System elements. Greenhalgh et al. [20] did not attribute a weighting to any of the elements in the original NASSS framework, other than to state that Patient Condition, Technology, and Adopter System all impact the value proposition of scalability. In this research, we argue that because the core components of a cyber risk management approach are risk assessment, risk mitigation, and continuous testing/implementation, the impact of the “Technology” element on the value proposition should outweigh that of the “Condition” or “Adopter System” elements, and we develop the weighting system for our proposed Scalability Index (SI) on this basis. The “Technology” element contributes 0.5 of the overall Scalability Index, with the “Condition” and “Adopter System” elements contributing 0.25 each. The five data points captured for each study through the CIO protocol are described in items (a) to (e):
(a)
Assess the scope of the cyber risk scenario to determine whether the proposed solution is aligned with a particular healthcare condition (COPD, diabetes, COVID-19, etc.). Aligning an approach to a condition/care pathway reduces the diversity of components involved, making the approach to risk assessment more scalable.
(b)
Assess whether stakeholder (HCP, PP, and Pt) roles and responsibilities in relation to cyber risk management are considered as part of the solution.
(c)
Assess whether solutions include elements of AI/ML in the risk assessment approach (elements of AI in the solution would reduce or remove the need for human intervention and hence improve scalability).
(d)
Assess whether solutions include elements of AI/ML in risk mitigations. This would also lend itself to automation and improve scalability.
(e)
Assess whether solutions were tested in real or simulated RPM scenarios, yielding results around the dependability of the risk management approach.
Elements (a) to (e), mapped to the NASSS framework (Figure 4), allow us to provide an evaluation of the scalability potential of the proposed solutions. Scoring metrics related to the above elements are described in Table 6.
The metrics and weightings were systematically applied across the 57 studies in the review and a Scalability Index (SI) calculated for each using Equation (1). The five weights sum to 1.0 and each element is scored out of 5, so the SI has a maximum possible score of 5.

$SI = 0.25\,a + 0.25\,b + 0.15\,c + 0.15\,d + 0.20\,e$ (1)
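To make Equation (1) concrete, the following is an added Python example (not code from the paper): it computes the SI of a study from its five element scores, splits the index into its NASSS contributions (Condition, Adopter System, Technology), and summarises a distribution of SI values with the same statistics used in Section 4.5.1. The 0 to 5 integer scale per element and the six-study sample are assumptions constructed for the example; they are not the Table 6 scoring rubric or the Table 7 data.

```python
"""Scalability Index (SI) calculator: an added example, not the paper's code.
Weights follow Equation (1). The 0..5 integer scale per element and the
six-study SAMPLE are assumptions constructed for the example (not Table 6/7)."""
from dataclasses import dataclass
from statistics import mean, median, multimode

# Element weights from Equation (1): Technology (c, d, e) sums to 0.5,
# Condition (a) and Adopter System (b) contribute 0.25 each.
WEIGHTS = {"a": 0.25, "b": 0.25, "c": 0.15, "d": 0.15, "e": 0.20}
NASSS_GROUPS = {
    "Condition": ("a",),
    "Adopter System": ("b",),
    "Technology": ("c", "d", "e"),
}
MAX_ELEMENT_SCORE = 5  # assumed per-element ceiling, giving a maximum SI of 5


@dataclass(frozen=True)
class StudyScores:
    """Scores for data points (a) to (e) of one study, each 0..MAX_ELEMENT_SCORE."""
    a: int  # (a) alignment with a patient condition / care pathway
    b: int  # (b) HCP, PP and Pt roles and responsibilities defined
    c: int  # (c) AI/ML or automation in risk assessment
    d: int  # (d) AI/ML or automation in risk mitigation
    e: int  # (e) evidence of live or simulated testing

    def __post_init__(self):
        for name in WEIGHTS:
            value = getattr(self, name)
            if not 0 <= value <= MAX_ELEMENT_SCORE:
                raise ValueError(f"element ({name}) out of range: {value}")


def scalability_index(s: StudyScores) -> float:
    """SI = 0.25a + 0.25b + 0.15c + 0.15d + 0.20e, rounded to two decimals."""
    return round(sum(w * getattr(s, k) for k, w in WEIGHTS.items()), 2)


def nasss_contributions(s: StudyScores) -> dict:
    """Split a study's SI into its Condition, Adopter System and Technology parts."""
    return {
        group: round(sum(WEIGHTS[k] * getattr(s, k) for k in keys), 2)
        for group, keys in NASSS_GROUPS.items()
    }


def summarise(sis, low_cutoff: float = 2.3) -> dict:
    """Mode, median, mean and the share of studies scoring at or below a cutoff."""
    return {
        "mode": multimode(sis),
        "median": median(sis),
        "mean": round(mean(sis), 2),
        "share_low": round(sum(x <= low_cutoff for x in sis) / len(sis), 3),
    }


# Constructed sample of six hypothetical studies (not entries from Table 7).
SAMPLE = [
    StudyScores(a=0, b=5, c=3, d=0, e=0),  # roles defined, partly automated assessment
    StudyScores(a=5, b=5, c=0, d=0, e=0),  # condition and roles only, manual, untested
    StudyScores(a=0, b=0, c=0, d=3, e=0),  # some automated mitigation, nothing else
    StudyScores(a=5, b=5, c=5, d=5, e=3),  # strong on every element, partly tested
    StudyScores(a=0, b=0, c=3, d=0, e=0),  # some automated assessment, nothing else
    StudyScores(a=0, b=0, c=0, d=3, e=3),  # automated mitigation with simulated test
]


def sample_summary() -> dict:
    """Summary statistics of the SI distribution over SAMPLE."""
    return summarise([scalability_index(s) for s in SAMPLE])


if __name__ == "__main__":
    for s in SAMPLE:
        print(s, "SI =", scalability_index(s), nasss_contributions(s))
    print(sample_summary())
```

Running the block prints each constructed study with its SI and NASSS breakdown, then the mode, median, mean and the fraction of the sample at or below the 2.3 cutoff used in Section 4.5.1; the range check in `__post_init__` rejects any element score outside the assumed 0 to 5 scale.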

4.5.1. Scalability Index: Results

Each study was scored across elements (a) through (e) in Table 6, and the SI was evaluated using Equation (1). Scalability Index scores for each study are presented in Table 7.
The results in the SI column of Table 7 indicate a distribution of scores ranging from 0.15 to an upper value of 3.8. A frequency distribution across six SI ranges is provided in Figure 10. The mode, median, and mean of the SI distribution are calculated as 1.2, 1.5, and 1.43, respectively.
In a skewed distribution the mean is pulled toward the long tail, with the median lying between the mode and the mean [99]. However, von Hippel et al., in ref. [99], also conclude that for discrete datasets such as the SI scores in Table 7 and Figure 10 this rule is not always consistent and is often violated, particularly where one tail is long and the other side is heavy with data. Taken literally, the textbook rule gives a mixed signal here: the mode (1.2) lies below the median (1.5), as expected for a right skew, yet the mean (1.43) falls slightly below the median rather than above it. The near coincidence of the mean and median, the lower mode, and the long right tail together indicate a right-hand skew, with most of the studies scoring quite low in terms of scalability potential. In fact, 51 out of 57 studies score 2.3 or less, with one study (an outlier) extending the right tail of the distribution with a score of 3.8.

5. Discussion

The RPM care pathway, strongly supported by information technology, stretches from the largely unregulated patient smart home environment, through the somewhat regulated platform provider (PP) organisation, to the highly regulated healthcare provider (HCP) organisation. Cyber risk can manifest itself at many points along this pathway and can cascade both internally along the pathway and outward from it. The NIS 2 directive mandates that HCPs have overall responsibility for the management of this risk, as they are ultimately responsible for the patient data, staff data, and other third-party data which might be impacted by the RPM pathway.
The patient smart home context, where IoMT platforms exist near smart home technology platforms, is an environment with little cyber risk management due to the low levels of technical knowledge and technical ability of patients and carers. An earlier case study described in Section 2.4, carried out as a pilot for this research, identified that HCPs and PPs have limited access to carry out a cyber risk assessment in the patient home environment. In addition, even if the PP stakeholder did have access to the patient home, they do not have the resources in terms of time or personnel to risk assess each patient home individually, particularly for large-scale RPM deployments as identified in Section 2.2. From a healthcare provider’s point of view, the question arises: How can they ensure that their cyber risk management processes are scalable, within their limited resources, and continue to provide cyber resilience and meet regulatory requirements, particularly in relation to NIS 2? The focus of this research is on the scalability of cyber risk management approaches in the patient smart home area of this pathway, given current and planned scale up of RPM initiatives by HCPs.

5.1. Justification for the Methodology

Our Research Question (RQ) examined this topic, actioned through two research objectives (RO1 and RO2). RO1 categorises the current approaches to cyber risk management in the RPM context of the patient smart home, and RO2 assesses the scalability potential of these approaches. Our methodology initially follows an inductive enquiry, a Systematic Literature Review (SLR), which produced a dataset of 57 studies. To address RO1, we classified five cyber risk management elements (Context, Risk Assessment, Risk Mitigation/Treatment, Stakeholder Identification, and Implementation/Testing) in these studies through an adaptation of the commonly used CIMO protocol [53,100]. We then mapped these five elements to the NASSS framework, in a novel deductive step, to develop our Scalability Index (SI) and thus address RO2. The overall research methodology diagram is provided in Section 3.3 (Figure 4). The mapping is justified by the fact that the NASSS framework, originally developed from RPM case studies [20], is used to assess the scalability of patient-facing technology implementations. As cyber risk manifests itself along the same care pathway as the functional side of RPM, we argue that the scalability of cyber risk management should be assessed using a similar methodology. The NASSS framework asserts that the three central elements which impact the scalability of patient-facing technologies are (i) that the technology aligns with the patient condition, (ii) that the innovation recognises the roles of the major stakeholders, in this instance the HCP, PP, and Pt, and (iii) that the technology is dependable, interoperable, and does not require complex configuration or interaction from stakeholders. High complexity in any of these elements negatively impacts the value proposition of the innovation and therefore its scalability.
Mapping the cyber risk management elements identified through RO1 to the NASSS framework shows how this impacts cyber risk management scalability. Examples of these impacts are detailed in the next section.

5.2. Mapping RO1 Elements to NASSS

Studies which did not propose a cyber risk management strategy in line with a specific patient condition or care pathway were deemed more complex, and to require more bedding down, than studies which identified a specific condition. Studies which proposed the use of AI, ML, or automation in risk assessment and risk mitigation processes were deemed less complex than those which proposed individual human interaction at each patient site. Studies in which proposals underwent some level of testing were deemed less complex than those which were untested. Greenhalgh et al., in ref. [20], describe the most dependable and least complex systems as free-standing and off-the-shelf (and thereby tested to some level), whereas an untested system requires what they term “close embedding in complex technical systems with significant dependability issues” [20] (p. 12). Clear definitions of stakeholder roles and responsibilities in relation to a cyber risk management proposal also contribute to a less complex implementation of the proposal; therefore, studies which identified specific stakeholder roles or responsibilities were scored as less complex than those which did not. Lower complexity across the five data points in a study resulted in a higher scalability score.

5.3. Other Models of Scalability

In developing our scalability model, we compare it to other models which consider user adoption rates of consumer level technologies and therefore the upscaling of these innovations. The “Diffusion of Innovation Theory” (also called Innovation Diffusion Theory (IDT)) proposed by Rogers [101] identifies the three major innovation adoption components as Adopter Characteristics, Innovation Characteristics, and the Innovation Decision path (ranging from initial knowledge to persuasion to making the decision, and final implementation). These elements have relevance in the RPM context, particularly the innovation decision path, in persuading a patient to use RPM in their situation. However, the model aligns more with the commercial world of consumer technology acceptance and does not consider the voluntariness of use of technology within the context of a patient’s condition.
The Technology Acceptance Model (TAM), originally proposed by Davis [102], aims to explain the acceptance of consumer technology based on users’ “perceived usefulness” and “perceived ease of use” of the technology. Criticisms of the original TAM included that it ignored the context in which the technology is adopted and did not consider social influences on the individual user’s decision to adopt. Both are important considerations for the adoption of a cyber security policy in an RPM context. Social influence was subsequently included in the updated TAM 2 as the “Subjective Norm”, “Image”, and “Voluntariness” determinants of Perceived Usefulness [103]. The social influence of a support group for a particular patient condition would help individual patients adhere to a cyber policy and therefore support the scalability of that policy. However, the social influence captured by the three determinants above does not stem from the ideals of a support network; rather, it refers to one’s standing in a social group and keeping up with the actions of particular peers in that group. In the patient home environment and other such voluntary settings, compliance with cyber security policy is difficult to measure, irrespective of social influence. From the HCP and PP perspectives, identifying the RPM context is important, as the policy may vary slightly depending on the RPM care pathway. From the patient perspective, there is the additional influence of “fear” of not adopting the policy, in which case the HCP may decide against including them in the RPM initiative, again reducing the scalability potential. These factors are not accounted for in TAM/TAM 2, which reduces their effectiveness in modelling this cyber security aspect of the RPM context.
TAM and TAM 2 have evolved over time and have been combined with several other motivational models in an overarching model of user acceptance, the Unified Theory of Acceptance and Use of Technology (UTAUT), proposed in ref. [19]. UTAUT considers the workplace environment and purports to address both mandatory and non-mandatory technologies within this setting; in today’s cyber-sensitive environment, however, workers have little choice but to adopt mandatory organisational technologies. The model does explain cohorts of users who may need additional support in using technology, which is also relevant in the RPM context. However, the RPM context differs from an organisational workplace: it consists of a cyber-managed workplace and a cyber-unmanaged patient home. The “facilitating conditions” determinant may partially address this complex organisational setting and align with the “Adopter System”, “Healthcare Organisation”, and “Technology” elements of NASSS, but this UTAUT determinant fails to capture the specifics of these NASSS elements and their contribution to the overall value proposition of a cyber security policy and its ultimate scalability potential.
A key element of each of the previous models is that adopters have a choice in adopting or not adopting the innovation, and the technology in question is consumer technology which consumers pay for. Applying these models to cyber security policy in the RPM context is not as clear cut. In RPM, the security policy is driven by regulation, in this case NIS 2, and unlike, for example, adopting the latest smartphone, the adopters of cyber risk management (HCP, PP, patients) cannot choose not to adopt. HCP and PP organisations cannot ignore NIS 2 and the need for scaled-up cyber risk management in RPM without exposing themselves to severe penalties and possible patient safety issues for non-compliance. Patients who do not accept the cyber policy risk being removed from an RPM program and returned to a local monitoring health centre or acute hospital unit. The NASSS framework, in considering complexity in the Adopter System, Condition, and Technology, is unique in assessing scalability on the basis of complexity in these elements. The framework does not suggest that fulfilment of the value proposition implies immediate scalability. On the contrary, NASSS treats the value proposition as a precursor of scalability; realising scalability requires tinkering by the HCP/PP, rolling out to a wider community, and ongoing adaptation and embedding over time.

5.4. The Scalability Index (SI)

Research Objective 2 (RO2) focussed on assessing the scalability potential of current approaches to cyber risk management in the RPM context. Our novel Scalability Index, developed around the NASSS value proposition, indicates whether the elements are present in a risk management proposal that would allow adaptation and embedding over time to lead to a scalable cyber risk management solution. The framework identifies the barriers to adoption and scale-up as a lack of understanding of the patient context/condition, the Adopter System (the stakeholders and the interactions between them), and the complexity of the technology itself. The authors of ref. [41], using the NASSS framework to study complexity in the RPM environment, concluded that complexity at every level (the patient condition, the technology of the solution, the organisation implementing the solution, and the regulatory environment) has a negative impact on the value proposition and hence on the scalability of a solution. Complexity exists in many forms across the RPM ecosystem: in the relationships between the HCP, PP, and Pt stakeholders; in the technology (updates, configurations, locations); and in the patient condition, where multiple co-morbidities must be monitored remotely, leading to a complex care pathway. Building on the work of Greenhalgh et al. [20] and Hellstrand Tang et al. [41], we argue that cyber risk management adds another layer of complexity to the RPM context. The mappings in Figure 4 and Table 6, with the associated weightings, describe the relative impacts of this complexity on the scalability value proposition. In answering RO2, therefore, those aspects of a cyber risk management proposal which reduce complexity are awarded a higher score and hence indicate increased scalability potential.
In the scoring mechanism summarised in Table 6, the weightings are a best-guess estimate chosen so that the contributions of the five elements of the cyber risk management proposal are balanced around a mean = median = 0.2 (standard deviation = 0.05). As described in Table 6, some of these weights aggregate to reflect the higher contribution of the NASSS “Technology” element to the overall Scalability Index. An alternative weighting strategy might distribute equal weightings across the three NASSS elements. This would mean that a cyber risk management approach which focussed entirely on the patient condition and the Adopter System (stakeholder roles), irrespective of the risk assessment and risk mitigation technologies, could conceivably be considered scalable in the RPM context. This would not make sense, as it neglects the core elements of cyber risk management. Similarly, a weighting strategy which allocated a much higher value to the Adopter System than to “Condition” and “Technology” might rule out perfectly viable automated risk management approaches as not being potentially scalable. Our balanced weighting strategy, although not definitive, accommodates such automated approaches, which would be further enhanced by reasonable acknowledgement of the patient condition and the Adopter System.
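The argument above, that an equal weighting across the three NASSS elements (or an Adopter-System-heavy one) would let a proposal with no automation and no testing outrank a fully automated and tested one, can be checked numerically. The following is an added Python example, not the paper’s own code: the three stylised proposals and the two alternative weight vectors are constructed for illustration (the paper names the alternative strategies but gives no figures for them), and the 0 to 5 per-element scale is assumed.

```python
"""Weighting sensitivity of the Scalability Index: an added example, not the
paper's code. Compares Equation (1) with two alternative schemes discussed in
Section 5.4; the proposals and alternative weight vectors are constructed."""

ELEMENTS = ("a", "b", "c", "d", "e")

# Each scheme maps data points (a)..(e) to weights summing to 1.
SCHEMES = {
    # Equation (1): Technology (c, d, e) carries 0.5; Condition and Adopter 0.25 each.
    "paper": {"a": 0.25, "b": 0.25, "c": 0.15, "d": 0.15, "e": 0.20},
    # Equal weight per NASSS element (1/3 each), spread evenly over its data points.
    "equal_nasss": {"a": 1 / 3, "b": 1 / 3, "c": 1 / 9, "d": 1 / 9, "e": 1 / 9},
    # Adopter-System-heavy split (assumed figures, for illustration only).
    "adopter_heavy": {"a": 0.20, "b": 0.50, "c": 0.10, "d": 0.10, "e": 0.10},
}

# Constructed stylised proposals, scored 0..5 per element (assumed scale).
PROPOSALS = {
    "context_and_roles_only": dict(a=5, b=5, c=0, d=0, e=0),  # manual, untested
    "automated_and_tested": dict(a=0, b=0, c=5, d=5, e=5),    # ignores context, roles
    "balanced": dict(a=3, b=3, c=3, d=3, e=3),
}


def weighted_si(scores: dict, weights: dict) -> float:
    """Weighted SI of one proposal under a given scheme (weights must sum to 1)."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return round(sum(weights[k] * scores[k] for k in ELEMENTS), 2)


def si_table() -> dict:
    """SI of every proposal under every scheme."""
    return {
        scheme: {name: weighted_si(scores, w) for name, scores in PROPOSALS.items()}
        for scheme, w in SCHEMES.items()
    }


def ranking(scheme: str) -> list:
    """Proposals ordered from highest to lowest SI under a scheme. Ties keep
    insertion order, so equal scores appear as adjacent entries."""
    table = si_table()[scheme]
    return sorted(table, key=table.__getitem__, reverse=True)


if __name__ == "__main__":
    for scheme, row in si_table().items():
        print(f"{scheme:14s}", row, "ranking:", ranking(scheme))
```

Under Equation (1) the context-and-roles-only and the automated-and-tested proposals tie at 2.5, with the balanced proposal ahead at 3.0; under the equal-NASSS and Adopter-heavy schemes the manual, untested proposal comes first and the fully automated, tested one comes last, which is the outcome the text argues a cyber risk management index should not produce.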
The overall SI calculation is provided by Equation (1), which is systematically applied to each study as shown in Table 7. The distribution of the SI results across the studies is provided in Figure 10.
Most of the study proposals in the review have a low SI: approximately 89.5% (51 of 57) score ≤ 2.3 out of 5.0. This is accounted for by the high number of studies which did not consider the context in which cyber risk was being assessed (77%); the high number which did not fully identify roles and responsibilities for the HCP, PP, and Pt stakeholders, with only 17.5% achieving a score of 5 in category (b) in Table 7; and the low number which considered AI/ML or automation in risk assessment (17.5% scoring 3 or more) or in risk treatment (31.6% scoring 3 or more). In addition, only a small proportion of proposals provided any data on testing carried out (10.5% scoring 3 or more), which is an important consideration in relation to scaling up. A single outlier in the SI data in Table 7 causes the positive skew indicated in Figure 10. The outlier is the proposal in ref. [68], the NIST guidance document dealing with risk management in the RPM ecosystem. Although this study scores highly on context, implementation, and stakeholder roles and responsibilities, it outlines a qualitative risk assessment and a complex risk mitigation approach referencing specific controls, which would be difficult to follow through in a scaled-up implementation.

5.5. Using the Scalability Index (SI)

Even before validation at scale, the research has immediate value from the HCP perspective in increasing cyber resilience in the RPM context in line with the NIS 2 directive. Using the elements identified in RO1 (Section 4.5), the HCP/PP could assess the potential scalability of cyber risk management proposals against elements (a) to (e). At a minimum, scalable proposals should acknowledge that different care pathways through the RPM ecosystem exist, depending on the patient condition. These pathways involve different monitoring devices sourced from different vendors, with various levels of inbuilt cyber protection. In addition, because the RPM pathway traverses regulated, partially regulated, and unregulated environments, proposals should acknowledge that all stakeholders (HCP, PP, Pt) have a responsibility for cyber risk management, and their roles and responsibilities should be clearly outlined. On the patient side, this could mean ensuring, as part of the RPM onboarding process, that patients have a minimum level of knowledge around cyber security: password usage, home router configuration, up-to-date patches on smartphones, etc. Proposals should also include aspects of AI/ML which would facilitate automated risk assessment and risk mitigation; highly intricate, labour-intensive risk assessment processes are fine in one or two patient settings but are not feasible in scaled-up environments. Finally, proposals should show some evidence of testing, which reduces complexity from the point of view of implementation and embedding into the RPM ecosystem.
In terms of NIS 2, we think that the research supports the idea of a context-specific cyber risk management approach for RPM. The patient care pathway is the primary route for patients’ data and hence the focus of cyber risk management. HCPs should identify the specific patient conditions for which RPM is relevant and set minimum guidelines for cyber risk management along the care pathway based on scalability elements (a) to (e) above. This would mean, for example, sourcing only specific pre-identified pulse oximeters and other sensors, smartphone apps, etc., for a particular condition. Moreover, all stakeholders along the pathway would understand their responsibilities around cyber risk. The Scalability Index (SI) could be used as a metric for continuously evaluating the cyber risk management approach along the pathway and as a pointer toward increasing or reducing scale, hence maintaining cyber resilience.

5.6. Limitations

The Scalability Index (SI) developed as part of this research is a proposal in light of the NIS 2 mandates on HCPs to improve their cyber resilience. As a conceptual proposal, therefore, it needs to be validated in a live environment to assess its usability and accuracy. This is discussed further in Section 5.7, Future Research.
In assessing the potential scalability of solutions, we did not attempt to determine the upper limits to which cyber risk management solutions could scale. For example, the research cannot predict whether a cyber risk management proposal would support the 5500 RPM initiative highlighted in Section 2.2. Our SI provides a relative metric by which the potential scalability of proposals can be compared, and it is therefore useful to the HCP and PP stakeholders from this point of view.
This research did not consider cyber risk management approaches specifically in terms of either horizontal scaling (addition of more patients) or vertical scaling (addition of more monitoring devices on individual patients). Cyber risk may scale non-linearly depending on the cascading effects in each of these scenarios. As the RPM technologies increase, with associated additional cascading of cyber risk, this increased complexity may require the cyber risk management approach to scale non-linearly, perhaps exponentially.

5.7. Future Research

Testing at scale in a real-world setting is difficult: one must decide what constitutes a reasonable scale, and even then consider what happens if one more is added. To address this, the authors of ref. [104] (p. 20), looking specifically at healthcare technology innovations, advance the idea of pilot testing a small scalable unit before moving to full scale. They argue for open stakeholder communication and considerable experimentation as part of the data collection process around the scalable unit. Zacharioudakis et al., in ref. [105] (p. 262), assert that scalability should be evaluated across the technical dimensions of the pilot to ensure that the proposal can adapt to diverse operational needs. Future research could therefore examine the five key scalability characteristics developed in RO1 (a–e) as part of a scalable unit pilot study. The scalable unit would ideally focus on an RPM context involving a single care pathway (all patients being monitored for the same condition in exactly the same way). The unit size could be set as a fraction of actual RPM deployments in use or envisaged. Data collection could focus on the sensitivity of the scalability characteristics to changes in stakeholder engagement, levels of automation, new regulations, new threats, etc., and on how these, through adjusted weightings, impact the Scalability Index for the scalable unit.
Future research also could examine scaling with a view to determining a cyber risk management scale factor for a particular RPM context/condition and consider maximum levels above which it would be unsafe, from a cyber security point of view, to continue to expand the RPM initiative. The scalable limit needs to consider vertical and horizontal scaling and address the cyber governance levels within these limits.
Future research could also address the application of AI/ML to automating risk assessment and risk mitigation processes. Current manual and, for the most part, qualitative approaches do not lend themselves to scaling, particularly where the RPM context extends into the private domain of the patient smart home. Such automation is very important from the HCP perspective in maintaining cyber security governance in line with NIS 2 requirements.

6. Conclusions

This research is motivated by the NIS 2, EU, and UK mandates requiring HCPs, as critical infrastructure providers, to increase their cyber resilience in the face of an expanding cyber threat landscape while simultaneously scaling up RPM operations in patient smart homes to meet increasing demand. In Section 1, we provide evidence of large-scale IoMT implementations (thousands of patients, and multiples of this) where RPM provides recognised benefits to cohorts of patients along specific care pathways. One of the major elements of cyber resilience is cyber risk management, and in this research we consider the scalability of cyber risk management approaches as RPM initiatives scale up. We develop a Research Question (RQ), actioned through two research objectives: RO1, to classify the elements of current approaches to cyber risk management in the RPM context; and RO2, to assess the potential scalability of those approaches from the perspectives of healthcare providers (HCPs) and their third-party platform providers (PPs). Through a systematic literature review guided by the PRISMA methodology, we identified 57 studies, from both academic and grey literature, which describe current approaches. We used a variant of the widely adopted CIMO data extraction protocol in the analysis of each study to investigate the RPM Context (C), the Risk Management Interventions (I), and Stakeholder Roles and tested implementations as Outcomes (O).
Our results indicate that most of the current literature does not consider the patient context as part of its cyber risk management approach, opting instead to manage cyber risk in a general IoMT context and ignoring the particular care pathway allied to a specific patient condition. In addition, the number of studies which considered the roles and responsibilities of the major stakeholders (HCP, PP, and Pt) is low, pointing to a lack of appreciation of the patient smart home context in which cyber risk is being assessed and of the potential for cascading risk effects from smart home technology. Most studies opted for a qualitative risk assessment approach, introducing an element of subjectivity into the risk assessment results which can have a knock-on effect on risk mitigations. Most risk mitigations attempted to align with NIST or ISO regulatory frameworks, with a minority implementing some level of AI or automation which would assist in scaling up the solution. Many of the studies were theoretical proposals with no implementation evidence, either simulated or live.
To answer RO2, we mapped the C, I, and O elements from RO1 to the NASSS framework to develop a novel Scalability Index (SI). Applying the SI to the studies in the review yielded the results in Table 7 and Figure 10. These point to a relatively low scalability potential across most studies, with 89.5% rated at ≤ 2.3 out of a maximum score of 5. The current demand for large RPM solutions, as indicated in Section 1, points to an increased need for scalable cyber risk management in this context. Moreover, scalable cyber risk management is becoming ever more important for the HCP in the context of NIS 2, given the severe penalties for non-compliance; poor scalability of solutions reduces overall cyber resilience from the HCP perspective. The research indicates that recognising the patient condition, and the RPM environment specific to that condition, has a direct impact on the scalability of cyber risk management in that context. Moreover, identifying stakeholder roles and responsibilities and increasing the levels of AI and automation in risk assessment and risk mitigation would improve the scalability of risk management approaches. HCPs and PPs could use the SI to compare cyber risk management proposals, or to evaluate their current RPM cyber risk management implementations, based on the categorisations highlighted in RO1 (Context, Risk Assessment approach, Risk Mitigation approach, Stakeholders, Testing). However, the SI metric does not define the upper limits of a scalable solution. Research gaps remain in validating the SI metric in a live environment, applying AI/ML to improve scalability, and defining the upper limits of cyber risk management scalability in the RPM context.
The research contributes to a greater understanding of cyber risk management in the RPM context and will be beneficial to the academic community in terms of considerations for scalability of cyber risk management approaches. Moreover, it will act as a reference for HCP practitioners in identifying scalability elements of cyber risk management solutions in the RPM context.

Supplementary Materials

The following supporting information can be downloaded at: https://www.mdpi.com/article/10.3390/iot7010014/s1, The PRISMA 2020 checklist, and the PRISMA 2020 for Abstracts Checklist are included with this submission. Ref. [106] is cited in the Supplementary Materials.

Author Contributions

Conceptualization, B.M., C.B., and J.C.; methodology, B.M., C.B. and J.C.; validation, C.B. and J.C.; formal analysis, B.M.; investigation, B.M.; writing—original draft preparation, B.M.; writing—review and editing, C.B. and J.C.; supervision, C.B. and J.C. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The original contributions presented in this study are included in the article/Supplementary Material. Further inquiries can be directed to the corresponding author(s).

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
AES: Advanced Encryption Standard
AI: Artificial Intelligence
ANASTACIA: Advanced Networked Agents for Security and Trust Assessment in CPS/IOT Architectures
CAPEC: Common Attack Pattern Enumeration and Classification
Ch-D: Chronic Diabetes
Ch-R: Chronic Respiratory Condition
COPD: Chronic Obstructive Pulmonary Disease
CRAM: Cyber Risk Assessment and Mitigation
CSCL: Computer Supported Collaborative Learning
CSF: Cyber Security Framework
CUREX: Secure and Private Health Data Exchange
CVE: Common Vulnerabilities and Exposures
DREAD: Damage, Reproducibility, Exploitability, Affected users, Discoverability
ENISA: European Union Agency for Cybersecurity
ETSI: European Telecommunications Standards Institute
EU: European Union
EV: Expected Value
GDPR: General Data Protection Regulation
G-IoMT: General IoMT
GPS: Global Positioning System
HCP: Healthcare Provider
HL: Healthy Living
HSE: Health Services Executive
ICT: Information and Communications Technology
IEC: International Electro-Technical Commission
IoMT: Internet of Medical Things
IoT: Internet of Things
ISMS: Information Security Management System
ISO: International Organisation for Standardisation
MDPI: Multidisciplinary Digital Publishing Institute
MDR: Medical Device Regulation
MFA: Multi Factor Authentication
MITRE ATT&CK: MITRE Corporation—Adversarial Tactics, Techniques, and Common Knowledge—Framework
ML: Machine Learning
NASSS: Non-adoption, Abandonment, Scale-up, Spread and Sustainability (framework)
NFV: Network Function Virtualisation
NHS: National Health Service (UK)
NIS 2: EU Network and Information Security directive, 2nd Iteration
NIST: National Institute for Standards and Technology
NVD: National Vulnerability Database
PII: Personally Identifiable Information
PP: Platform Provider
PRISMA: Preferred Reporting Items for Systematic Reviews and Meta-Analysis
Pt: Patient
RM: Regulatory Mechanism
RoB: Reduction of Bias
RPM: Remote Patient Monitoring
S-Age: Smart Ageing
SDN: Software Defined Networking
SI: Scalability Index
SLR: Systematic Literature Review
SM: Security Mechanism
STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege
TMA: Threat Modelling and Analysis
WBAN: Wireless Body Area Network

References

  1. NHS England. Science in Healthcare: Delivering the NHS Long Term Plan. NHS England and NHS Improvement. 2020. Available online: https://www.england.nhs.uk/wp-content/uploads/2020/03/science-in-healthcare-delivering-the-nhs-long-term-plan.pdf (accessed on 24 January 2023).
  2. NHS England. Supporting Care with Remote Monitoring. NHS England/Transformation Directorate. 2024. Available online: https://transform.england.nhs.uk/covid-19-response/technology-nhs/supporting-the-innovation-collaboratives-to-expand-their-remote-monitoring-plans/ (accessed on 11 February 2025).
  3. Arbabi, M.S.; Lal, C.; Veeraragavan, N.; Marijan, D.; Nygard, J.F.; Vitenberg, R. A Survey on Blockchain for Healthcare: Challenges, Benefits, and Future Directions. IEEE Commun. Surv. Tutor. 2023, 25, 386–424.
  4. Kandasamy, K.; Srinivas, S.; Achuthan, K.; Rangan, P. IoT cyber risk: A holistic analysis of cyber risk assessment frameworks, risk vectors, and risk ranking process. EURASIP J. Inf. Secur. 2020, 2020, 8.
  5. ENISA. ENISA Threat Landscape 2023; Report; European Union Agency for Cybersecurity: Athens, Greece, 2023.
  6. Thomasian, N.M.; Adashi, E.Y. Cybersecurity in the Internet of Medical Things. Health Policy Technol. 2021, 10, 100549.
  7. Popoola, O.; Rodrigues, M.; Marchang, J.; Shenfield, A.; Ikpehai, A.; Popoola, J. A critical literature review of security and privacy in smart home healthcare schemes adopting IoT & blockchain: Problems, challenges and solutions. Blockchain Res. Appl. 2024, 5, 100178.
  8. Statista. Smart Home Outlook Europe. 2025. Available online: https://www.statista.com/outlook/cmo/smart-home/Europe (accessed on 23 September 2025).
  9. European Union. Directive (EU) 2022/2555. 2022. Available online: https://eur-lex.europa.eu/eli/dir/2022/2555 (accessed on 12 March 2025).
  10. Gov.uk. Cyber Security and Resilience Bill. 2024. Available online: https://www.gov.uk/government/collections/cyber-security-and-resilience-bill (accessed on 13 March 2025).
  11. Clark, A.; Zonouz, S. Cyber-Physical Resilience: Definition and Assessment Metric. IEEE Trans. Smart Grid 2019, 10, 1671–1684.
  12. AlHidaifi, S.M.; Asghar, M.R.; Ansari, I.S. Towards a Cyber Resilience Quantification Framework (CRQF) for IT infrastructure. Comput. Netw. 2024, 247, 110446.
  13. Segovia-Ferreira, M.; Rubio-Hernan, J.; Cavalli, A.; Garcia-Alfaro, J. A Survey on Cyber-Resilience Approaches for Cyber-Physical Systems. ACM Comput. Surv. 2024, 56, 202.
  14. Scala, N.M.; Reilly, A.C.; Goethals, P.L.; Cukier, M. Risk and the Five Hard Problems of Cybersecurity. Risk Anal. 2019, 30, 2119–2126.
  15. Shanmugam, B.; Azam, S. Risk Assessment of Heterogeneous IoMT Devices: A Review. Technologies 2023, 11, 31.
  16. Nuguri, S.S.; Karthik, K.; Pusapati, V.; Kambhampati, A.; Bhamidipati, S.C.; Calyam, A.; Alarcon, M.L.; Calyam, P. Zeus: IoT-based Healthcare Data Management Security Framework for Remote Patient Monitoring. In Proceedings of the 2024 Workshop on Cybersecurity in Healthcare 2024 (HealthSec ’24), Salt Lake City, UT, USA, 14–18 October 2024; pp. 93–100.
  17. National Institute for Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity, (v1.1), (NIST CSF). 2018. Available online: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (accessed on 8 December 2025).
  18. ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements. ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission): Geneva, Switzerland; CEN-CENELEC Management Centre: Brussels, Belgium, 2023. Available online: https://www.iso.org/obp/ui#iso:std:iso-iec:27001:ed-3:v1:en (accessed on 8 December 2025).
  19. Venkatesh, V.; Morris, M.G.; Davis, G.B.; Davis, F.D. User acceptance of information technology: Toward a unified view. MIS Q. 2003, 27, 425–478.
  20. Greenhalgh, T.; Wherton, J.; Papoutsi, C.; Lynch, J.; Hughes, G.; A’Court, C.; Hinder, S.; Fahy, N.; Procter, R.; Shaw, S. Beyond Adoption: A New Framework for Theorizing and Evaluating Nonadoption, Abandonment, and Challenges to the Scale-Up, Spread, and Sustainability of Health and Care Technologies. J. Med. Internet Res. 2017, 19, e367.
  21. Khatiwada, P.; Fauzi, M.A.; Yang, B.; Yeng, P.; Lin, J.C.; Sun, L. Threats and Risk on Using Digital Technologies for Remote Health Care Process. In Proceedings of the 8th International Conference on Sustainable Information Engineering and Technology 2023 (SIET ’23), Badung, Indonesia, 24–25 October 2023; pp. 506–522.
  22. Affia, A.A.; Finch, H.; Jung, W.; Samori, I.A.; Potter, L.; Palmer, X.L. IoT Health Devices: Exploring Security Risks in the Connected Landscape. IoT 2023, 4, 150–182.
  23. Messinis, S.; Temenos, N.; Protonotarios, N.E.; Rallis, I.; Kalogeras, D.; Doulamis, N. Enhancing Internet of Medical Things security with artificial intelligence: A comprehensive review. Comput. Biol. Med. 2024, 170, 108036.
  24. Ksibi, S.; Jaidi, F.; Bouhoula, A. Cyber-risk management within IOMT: A context-aware agent-based framework for a reliable e-health system. In Proceedings of the 23rd International Conference on Information Integration and Web Intelligence 2021 (iiWAS2021), Linz, Austria, 29 November–1 December 2021; pp. 547–552.
  25. Alegría, B.; Wong, L.; Bedriñiana, D. Model for Implementing a IoMT Architecture with ISO/IEC 27001 Security Controls for Remote Patient Monitoring. In Proceedings of the 32nd Conference of Open Innovations Association (FRUCT), Tampere, Finland, 9–11 November 2022; pp. 38–48.
  26. Talal, M.; Zaidan, A.A.; Zaidan, B.B.; Albahri, A.S.; Alamoodi, A.H. Smart Home-based IoT for Realtime and Secure Remote Health Monitoring of Triage and Priority System using Body Sensors: Multi-driven Systematic Review. J. Med. Syst. 2019, 43, 42.
  27. Sovacool, B.K.; Furszyfer Del Rio, D.D. Smart home technologies in Europe: A critical review of concepts, benefits, risks and policies. Renew. Sustain. Energy Rev. 2020, 120, 1–20.
  28. Mbunge, E.; Muchemwa, B.; Jiyane, S.; Batani, J. Sensors and healthcare 5.0: Transformative shift in virtual care through emerging digital health technologies. Glob. Health J. 2021, 5, 169–177.
  29. Tarikere, S.; Donner, I.; Woods, D. Diagnosing a healthcare cybersecurity crisis: The impact of IoMT advancements and 5G. Bus. Horiz. 2021, 64, 799–807.
  30. Rasool, R.U.; Ahmad, H.F.; Rafique, W.; Qayyum, A.; Qadir, J. Security and privacy of internet of medical things: A contemporary review in the age of surveillance, botnets, and adversarial ML. J. Netw. Comput. Appl. 2022, 201, 103332.
  31. Alsubaei, F.; Abuhussein, A.; Shiva, S. Ontology-Based Security Recommendation for the Internet of Medical Things. IEEE Access 2019, 7, 48948–48960.
  32. Hatzivasilis, G.; Soultatos, O.; Ioannidis, S.; Demetriou, G. Review of Security and Privacy for the Internet of Medical Things (IoMT). In Proceedings of the 15th International Conference on Distributed Computing in Sensor Systems (DCOSS), IEEE Computer Society, Santorini Island, Greece, 29–31 May 2019; pp. 457–464.
  33. Bernard, R.; Bowsher, G.; Sullivan, R. Cyber security and the unexplored threat to global health: A call for global norms. Glob. Secur. Health Sci. Policy 2020, 5, 134–141.
  34. US Dept. of Homeland Security. Cybersecurity & Infrastructure Security Agency. 12 May 2017. Available online: https://www.cisa.gov/uscert/ncas/alerts/TA17-132A (accessed on 9 May 2022).
  35. PricewaterhouseCoopers. Conti cyber attack on the HSE: Independent Post Incident Review—Executive Summary and Learnings for other organisations, HSE. 2021. Available online: https://cyberireland.ie/wp-content/uploads/2022/02/conti-cyber-attack-on-the-hse-full-report.pdf (accessed on 8 December 2025).
  36. Ashok, K.; Gopikrishnan, S. Statistical Analysis of Remote Health Monitoring Based IoT Security Models & Deployments from a Pragmatic Perspective. IEEE Access 2023, 11, 2621–2651.
  37. Claverie, T.; Esteves, J.; Kasmi, C. Smart TVs: Security of DVB-T. In Proceedings of the Symposium on Information and Communications Security, Rennes, France, 13–15 June 2018; pp. 13–15. Available online: https://www.researchgate.net/profile/Chaouki-Kasmi/publication/325846812_Smart_TVs_Security_of_DVB-T/links/5b28c90845851509895d02af/Smart-TVs-Security-of-DVB-T.pdf (accessed on 31 March 2023).
  38. Wan, F.; Xu, K.; Xue, G.; Wang, F. IoTArgos: A Multi-Layer Security Monitoring System for Internet-of-Things in Smart Homes. In Proceedings of the IEEE INFOCOM 2020—IEEE Conference on Computer Communications, Toronto, ON, Canada, 4 August 2020; pp. 847–883.
  39. Turner, S.; Pattnaik, N.; Nurse, J.R.C.; Li, S. “You Just Assume It Is In There, I Guess”: Understanding UK Families’ Application and Knowledge of Smart Home Cyber Security. In Proceedings of the ACM on Human-Computer Interaction, CSCW2, New York, NY, USA, 12 November 2022; Volume 6, p. 269.
  40. Ellison, J. National Cyber Security Centre—Blog Page. 24 July 2024. Available online: https://www.ncsc.gov.uk/blog-post/legislation-help-counter-cyber-threat-cni (accessed on 12 September 2024).
  41. Hellstrand Tang, U.; Smith, F.; Karilampi, U.L.; Gremyr, A. Exploring the Role of Complexity in Health Care Technology Bottom-Up Innovations: Multiple-Case Study Using the Nonadoption, Abandonment, Scale-Up, Spread, and Sustainability Complexity Assessment Tool. JMIR Hum. Factors 2024, 11, e50889.
  42. Hailu, R.; Sousa, J.; Tang, M.; Mehrotra, A.; Uscher-Pines, L. Challenges and facilitators in implementing remote patient monitoring programs in primary care. J. Gen. Intern. Med. 2024, 39, 2471–2477.
  43. Hamann, P.; Knitza, J.; Kuhn, S.; Knevel, R. Recommendation to implementation of remote patient monitoring in rheumatology: Lessons learned and barriers to take. RMD Open 2023, 9, e003363.
  44. James, H.M.; Papoutsi, C.; Wherton, J.; Greenhalgh, T.; Shaw, S.E. Spread, scale-up, and sustainability of video consulting in health care: Systematic review and synthesis guided by the NASSS framework. J. Med. Internet Res. 2021, 23, e23775.
  45. Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Chou, R.; et al. PRISMA 2020 explanation and elaboration: Updated guidance and exemplars for reporting systematic reviews. BMJ 2021, 372, 160.
  46. Chung, S.; Moon, S.; Kim, J.; Kim, J.; Lim, S.; Chi, S. Comparing natural language processing (NLP) applications in construction and computer science using preferred reporting items for systematic reviews (PRISMA). Autom. Constr. 2023, 154, 105020.
  47. Sokouti, M.; Sokouti, B. A PRISMA-compliant systematic review and analysis on color image encryption using DNA properties. Comput. Sci. Rev. 2018, 29, 14–20.
  48. Zafar, R.O.; Rybarczyk, Y.; Borg, J. A Systematic Review of Digital Twin Technology for Home Care. ACM Trans. Comput. Healthc. 2024, 5, 20.
  49. Kitchenham, B.; Brereton, P. A systematic review of systematic review process research in software engineering. Inf. Softw. Technol. 2013, 55, 2049–2075.
  50. Sale, J.E.; Brazil, K. A Strategy to Identify Critical Appraisal Criteria for Primary Mixed-Method Studies. Qual. Quant. 2004, 38, 351–365.
  51. McHugh, M.L. Interrater reliability: The kappa statistic. Biochem. Medica 2012, 22, 276–282.
  52. Denyer, D.; Tranfield, D.; van Aken, J.E. Developing Design Propositions through Research Synthesis. Organ. Stud. 2008, 29, 393–413.
  53. vom Brocke, J.; Hevner, A.; Maedche, A. Introduction to Design Science Research. In Design Science Research, Cases; Springer: Cham, Switzerland, 2020; pp. 1–13.
  54. Malamas, V.; Chantzis, F.; Dasaklis, T.K.; Stergiopoulos, G.; Kotzanikolaou, P.; Douligeris, C. Risk Assessment Methodologies for the Internet of Medical Things: A Survey and Comparative Appraisal. IEEE Access 2021, 9, 40049–40075.
  55. Moonsamy, A.; Ahmed, M. Developing a Comprehensive Risk Management Framework for E-Health Care Delivery. In Health Information Science, Proceedings of the International Conference on Health Information Science, Melbourne, Australia, 23–24 October 2023; Li, Y., Huang, Z., Sharma, M., Chen, L., Zhou, R., Eds.; Springer: Singapore, 2023.
  56. Burke, G.; Saxena, N. Cyber risks prediction and analysis in medical emergency equipment for situational awareness. Sensors 2021, 21, 5325.
  57. Loupos, K.; Niavis, H.; Michalopoulos, F.; Misiakoulis, G.; Skarmeta, A.; Garcia, J.; Palomares, A.; Song, H.; Dautov, R.; Vavilis, S.; et al. An inclusive lifecycle approach for IoT devices trust and identity management. In Proceedings of the 18th International Conference on Availability, Reliability and Security (ARES ’23), Benevento, Italy, 29 August–1 September 2023; pp. 1–6.
  58. Witti, M.; Konstantas, D. A Secure and Privacy-preserving Internet of Things Framework for Smart City. In Proceedings of the 6th International Conference on Information Technology: IoT and Smart City (ICIT ’18), Hong Kong, China, 29–31 December 2018; pp. 145–150.
  59. European Parliament. Medical Device Regulation. 2017. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0745 (accessed on 30 March 2025).
  60. Kim, D.W.; Choi, J.Y.; Han, K.H. Medical Device Safety Management Using Cybersecurity Risk Analysis. IEEE Access 2020, 8, 115370–115382.
  61. Rao, A.; Carreon, N.; Lysecky, R.; Rozenblit, J. Probabilistic threat detection for risk management in cyber-physical medical systems. IEEE Softw. 2018, 35, 38–43.
  62. Ianculescu, M.; Coardos, D.; Bica, O.; Vevera, V. Security and privacy risks for remote healthcare monitoring systems. In Proceedings of the 2020 International Conference on e-Health and Bioengineering (EHB), Iasi, Romania, 29–30 October 2020; pp. 1–4.
  63. Tseng, T.W.; Wu, C.T.; Lai, F. Threat Analysis for Wearable Health Devices and Environment Monitoring Internet of Things Integration System. IEEE Access 2019, 7, 144983–144994.
  64. Sadhu, P.K.; Yanambaka, V.P.; Abdelgawad, A.; Yelamarthi, K. Prospect of internet of medical things: A review on security requirements and solutions. Sensors 2022, 22, 5517.
  65. von Solms, B.; du Toit, J. Guidelines for Cybersecurity Governance in the Internet of Medical Things. In Intelligent Computing, Proceedings of the Science and Information Conference (SAI 2023), London, UK, 13–14 July 2023; Springer: Cham, Switzerland, 2023; Volume 711, pp. 1139–1148.
  66. Paganelli, A.I.; Velmovitsky, P.E.; Miranda, P.; Branco, A.; Alencar, P.; Cowan, D.; Endler, M.; Morita, P.P. A conceptual IoT-based early-warning architecture for remote monitoring of COVID-19 patients in wards and at home. Internet Things 2022, 18, 100399.
  67. Lee, I. Cybersecurity: Risk management framework and investment cost analysis. Bus. Horiz. 2021, 64, 659–671.
  68. NIST SP 1800–30; Securing Telehealth Remote Patient Monitoring Ecosystem. National Institute for Standards and Technology (NIST): McLean, VA, USA, 2020. Available online: https://www.nccoe.nist.gov/healthcare/securing-telehealth-remote-patient-monitoring-ecosystem (accessed on 10 January 2023).
  69. Lopatina, K.; Dokuchaev, V.A.; Maklachkova, V.V. Data Risks Identification in Healthcare Sensor Networks. In Proceedings of the 2021 International Conference on Engineering Management of Communication and Technology 2021 (EMCTECH), Vienna, Austria, 20–22 October 2021; pp. 1–7.
  70. Khan, M.F.; Abaoud, M. Blockchain-Integrated Security for Real-Time Patient Monitoring in the Internet of Medical Things Using Federated Learning. IEEE Access 2023, 11, 117826–117850.
  71. Kavianpour, S.; Shanmugam, B.; Zolait, A.; Razaq, A. A Framework to Detect Cyber-attacks against Networked Medical Devices (Internet of Medical Things): An Attack-Surface-Reduction by Design Approach. Int. J. Comput. Digit. Syst. 2022, 11, 1289–1298.
  72. Khatun, M.A.; Memon, S.F.; Eising, C.; Dhirani, L.L. Machine Learning for Healthcare-IoT Security: A Review and Risk Mitigation. IEEE Access 2023, 11, 145869–145896.
  73. Karunarathne, S.M.; Saxena, N.; Khan, M.K. Security and privacy in IoT smart healthcare. IEEE Internet Comput. 2021, 25, 37–48.
  74. Sharma, A.; Kaur, S.; Singh, M. A comprehensive review on blockchain and Internet of Things in healthcare. Trans. Emerg. Telecommun. Technol. 2021, 32, e4333.
  75. Nasiri, S.; Sadoughi, F.; Tadayon, M.H.; Dehnad, A. Security requirements of internet of things-based healthcare system: A survey study. Acta Inform. Medica 2019, 27, 253–258.
  76. Ali, K.A.; Alyounis, S. CyberSecurity in Healthcare Industry. In Proceedings of the 2021 International Conference on Information Technology 2021 (ICIT), Amman, Jordan, 14–15 July 2021; pp. 695–701.
  77. Strielkina, A.; Illiashenko, O.; Zhydenko, M.; Uzun, D. Cybersecurity of healthcare IoT-based systems: Regulation and case-oriented assessment. In Proceedings of the IEEE 9th International Conference on Dependable Systems, Services and Technologies 2018 (DESSERT), Kyiv, Ukraine, 24–27 May 2018; pp. 67–73.
  78. Spanakis, E.G.; Bonomi, B.; Sfakianakis, S.; Santucci, G.; Lenti, S.; Sorella, M.; Tanasache, F.D.; Palleschi, A.; Ciccotelli, C.; Magalini, S.; et al. Cyber-attacks and threats for healthcare—A multi-layer thread analysis. In Proceedings of the 42nd Annual International Conference of the IEEE Engineering in Medicine Biology Society (EMBC), Montreal, QC, Canada, 20–24 July 2020.
  79. George-Bogdan, M.; Meşniţă, G. Healthcare under siege: The need to improve cybersecurity in the near future. In Proceedings of the E-Health and Bioengineering Conference 2022 (EHB), Iasi, Romania, 17–18 November 2022; pp. 1–4.
  80. Pirbhulal, S.; Abie, H.; Shukla, A. Towards a Novel Framework for Reinforcing Cybersecurity using Digital Twins in IoT-based Healthcare Applications. In Proceedings of the IEEE 95th Vehicular Technology Conference 2022 (VTC2022-Spring), Helsinki, Finland, 19–22 June 2022; pp. 1–5.
  81. Sulis, E.; Cordero, A.; Donetti, S.; Ferrero, P.; Violato, A. A Framework for Project Risk Assessment in Telehealth. In Proceedings of the IEEE/ACM Conference on Connected Health: Applications, Systems and Engineering Technologies 2021 (CHASE), Washington, DC, USA, 16–17 December 2021; pp. 216–221.
  82. Waqdan, M.; Louafi, H.; Mouhoub, M. An IoT Security Risk Assessment Framework for Healthcare Environment. In Proceedings of the International Symposium on Networks, Computers and Communications 2023 (ISNCC), Doha, Qatar, 23–26 October 2023; pp. 1–8.
  83. Nakamura, E.T.; Ribeiro, S.L. SenStick: A Privacy, Security, Safety, Resilience and Reliability Focused Risk Assessment Methodology for IIoT Systems Steps to Build and Use Secure IIoT Systems. In Proceedings of the Global Internet of Things Summit 2018 (GIoTS), Bilbao, Spain, 4–7 June 2018; pp. 1–6.
  84. Diaz-Honrubia, A.J.; Gonzales, A.R.; Zamorano, J.M.; Jiménez, J.R.; Gonzalez-Granadillo, G.; Diaz, R. An Overview of the CUREX Platform. In Proceedings of the IEEE 32nd International Symposium on Computer-Based Medical Systems 2019 (CBMS), Cordoba, Spain, 5–7 June 2019; pp. 162–167.
  85. Skierka, I.M. The governance of safety and security risks in connected healthcare. In Proceedings of the Living in the Internet of Things: Cybersecurity of the IoT 2018, London, UK, 28–29 March 2018; pp. 1–12.
  86. Caballero, M.; Kavallieros, D.; Spyros, A.; Tavernarakisv, A.; Tziouvaras, A.; Bonacina, S.; Chandrarmouli, K.; Coroiu, M.; Chen, L.; Xydias, D.; et al. ICT in Healthcare: The role of IoT and the SECANT solution. In Proceedings of the 2022 IEEE International Conference on Cyber Security and Resilience 2022 (CSR), Rhodes, Greece, 27–29 July 2022; pp. 104–111.
  87. Jaigirdar, F.T.; Rudolph, C.; Bain, C. Risk and Compliance in IoT-Health Data Propagation: A Security-Aware Provenance based Approach. In Proceedings of the 2021 IEEE International Conference on Digital Health 2021 (ICDH), Chicago, IL, USA, 5–10 September 2021; pp. 27–37.
  88. Ahmed Alhaj, T.; Abdulla, S.M.; Iderss, M.A.; Ali, A.A.; Elhaj, F.A.; Remli, M.A.; Gabralla, L.A. A Survey: To Govern, Protect, and Detect Security Principles on Internet of Medical Things (IoMT). IEEE Access 2022, 10, 124777–124791.
  89. Kioskli, K.; Fotis, T.; Mouratidis, H. The landscape of cybersecurity vulnerabilities and challenges in healthcare: Security standards and paradigm shift recommendations. In Proceedings of the ARES 2021: The 16th International Conference on Availability, Reliability and Security, Vienna, Austria, 17–20 August 2021; pp. 1–9.
  90. Rathee, G.; Maheswar, R.; Sehar, S.; Bavirisetti, D.P. Towards reliable IoT communication and robust security: Investigating trusted schemes in the internet of medical things using blockchain. Sci. Rep. 2023, 13, 20671.
  91. Aijaz, M.; Nazir, M.; Mohammad, M.N. Threat Modeling and Assessment Methods in the Healthcare-IT System: A Critical Review and Systematic Evaluation. SN Comput. Sci. 2023, 4, 714.
  92. Al Barghuthi, N.B.; Said, H.E.; Badi, S.M.; Girija, S. Security Risk Assessment of Blockchain-Based Patient Health Record Systems. In Information Systems, Proceedings of the European, Mediterranean, and Middle Eastern Conference on Information Systems EMCIS 2022, Virtual, 21–22 December 2022; Lecture Notes in Business Information Processing; Papadaki, M., Rupino da Cunha, P., Themistocleous, M., Christodoulou, K., Eds.; Springer: Cham, Switzerland, 2022; Volume 464.
  93. Ondiege, B.; Clarke, M.; Mapp, G. Exploring a new security framework for remote patient monitoring devices. Computers 2017, 6, 11.
  94. Deebak, B.D.; Hwang, S.O. Federated learning-based lightweight two-factor authentication framework with privacy preservation for mobile sink in the social IOMT. Electronics 2023, 12, 1250.
  95. Majeed, A.; Lee, S. Towards Privacy Paradigm Shift Due to the Pandemic: A Brief Perspective. Inventions 2022, 7, 24.
  96. Mansouri, S.; Raggad, B.G. Evidential modeling for telemedicine continual security. Int. J. Comput. Sci. Netw. 2017, 6, 560–564.
  97. Mahadik, S.S.; Pawar, P.P.; Muthalagu, R.; Prasad, N.R.; Hawkins, S.-K.; Stripelis, D. Digital Privacy in Healthcare: State-of-the-Art and Future Vision. IEEE Access 2024, 12, 84273–84291.
  98. Szczepaniuk, H.; Szczepaniuk, E.K. Cryptographic evidence-based cyber-security for smart healthcare systems. Inf. Sci. 2023, 649, 119633.
  99. von Hippel, P.T. Mean, Median, and Skew: Correcting a Textbook Rule. J. Stat. Educ. 2005, 13, 1–13.
  100. Crisan, E.L.; Covaliu, B.F.; Chis, D.M. A Systematic Literature Review of Quality Management Initiatives in Dental Clinics. Int. J. Environ. Res. Public Health 2021, 18, 11084.
  101. Rogers, E.M. Diffusion of Innovations, 5th ed.; Simon and Schuster: New York, NY, USA, 2003.
  102. Davis, F.D. Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q. 1989, 13, 319–340.
  103. Venkatesh, V.; Davis, F.D. A theoretical extension of the technology acceptance model: Four longitudinal field studies. Manag. Sci. 2000, 46, 186–204.
  104. Kechagioglou, P. What we know from existing Theories of Innovation. In Healthcare Innovation Success: Learning from Organisational Experience; Springer Nature: Cham, Switzerland, 2023; pp. 10–22.
  105. Zacharioudakis, E.; Kakoulli, E. A scalable cybersecurity model for shared SOCs in SMEs. In Proceedings of the International Conference on Innovations in Computing Research 2025, London, UK, 24–26 August 2025; pp. 257–269.
  106. Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. The PRISMA 2020 statement: An updated guideline for reporting systematic reviews. BMJ 2021, 372, n71.
Figure 1. Typical Remote Patient Monitoring scenario for a chronic disease condition.
Figure 2. The NASSS framework, reproduced from [20] (p. 11).
Figure 3. PRISMA Workflow for paper selection (PRISMA 2020 statement). * Consider, if feasible to do so, reporting the number of records identified from each database or register searched (rather than the total number across all databases/registers).
Figure 4. Research Methodology supporting the Research Question.
Figure 5. RPM Contexts identified in the Systematic Literature Review.
Figure 6. How cyber risk is assessed.
Figure 7. IoMT Architecture Layers where Cyber Risk was considered.
Figure 8. Testing of Cyber Risk Management Proposals.
Figure 9. Stakeholder Responsibilities Considered.
Figure 10. Scalability Index (SI)—distribution across the studies in the review.
Table 1. Numbers of articles identified through Search Engine and Database retrieval.
Database: No. of papers identified through search string
Google Scholar: 1840
IEEE: 731
Web of Science: 6
ACM Digital Library: 72
ScienceDirect: 21
Springer: 9
Scopus: 110
MDPI: 18
ENISA: 2
Total: 2809
Table 2. Data Extraction Approach (C, I, O).
RPM Context (C): (i) Scenario/Patient Condition
Intervention (I): (ii) Qualitative or Quantitative Risk Assessment; (iii) Risk Treatment/Mitigation Technique
Outcome (O): (iv) Tested (simulation, practical implementation); (v) Stakeholders (HCP, PP, Pt) identified
Table 3. Codes for Context, Intervention, and Outcome elements.
Context (C) codes:
G-IoMT: General IoMT context—includes hospital and smart home
Ch-D: Chronic Condition—Diabetes
Ch-R: Chronic Condition—Respiratory
MD: Medical Device Specific
HL: Healthy Living
Intervention (I) codes:
QL: Qualitative Risk Assessment
QN: Quantitative Risk Assessment
SM: Security Mitigation (e.g., encryption)
RM: Regulatory Mitigation (e.g., Standard/Control)
ML: Machine Learning Intervention
DL: Deep Learning
BC: Blockchain
SDN: Software Defined Networking
NM: No Mitigation Proposed
P: Perception
N: Network
C: Cloud
A: Application
Outcome (O) codes:
TS: Tested Proposal
TP: Theoretical Proposal
TI: Theoretical Implementation
HCP: HCP Role
PP: PP Role
Pt: Patient Role
Table 4. Summary of RPM contexts in which studies (sample) took place.

| Study | Research Objective/s | Context | Challenges and Limitations |
|---|---|---|---|
| [24] | Define a cyber risk framework to improve trust and security in eHealth delivery | G-IoMT | Difficulty in accessing the data acquisition area in the patient home |
| [55] | Extend current cyber security risk approaches to include ethics, legal, and patient safety through AI | G-IoMT | This theoretical approach did not suggest how or which AI techniques would be incorporated into current risk models |
| [30] | Identify security and privacy challenges for IoMT device types: wearable, implantable, ingestible, stationary; identify the mitigations required for the IoMT infrastructure to counter these attacks | G-IoMT | Did not address cyber resilience at a granular level from the point of view of the healthcare provider |
| [64] | Present an overview of the IoMT ecosystem, challenges, standards and security mechanisms | G-IoMT | Risk management addressed through various ISO standards. No implementation guidelines provided |
| [65] | Provide practical guidance for HCP Executives and Boards of Governors around IoMT cyber security; highlight aspects of IoMT cyber security governance which are additional to traditional cyber governance requirements | G-IoMT | Pointers to IoMT risk management are provided, but no clear implementation plan |
| [56] | Investigate what cyber security considerations are implemented in a remote ventilator used for a chronic respiratory condition | Ch-R | In a simulated environment, the STRIDE model for qualitative risk assessment is presented. Difficulty in implementing this model in a large RPM context |
| [66] | Develop an architecture that addresses scalability, interoperability, network dynamics, context discovery, reliability, and privacy in the context of remote health monitoring of COVID-19 patients in hospitals and at home | Ch-R | Conceptual architecture proposed which mitigates cyber risk through data encryption, secure comms channels, and a privacy consent platform based on Blockchain. Difficult to implement in a resource-constrained IoMT environment |
| [57] | The EU-funded Eratosthenes project aims to develop a Trust and Identity Management Framework for IoT/IoMT devices. This framework will be distributed, automated, auditable, and privacy-respectful, effectively managing the lifecycle of IoT devices | Ch-R | Although the proposed framework purports to support the EU NIS directive, device authentication and privacy components are PUF and Blockchain-based, requiring manufacturing redesign |
| [58] | Develop a framework to ensure citizens’ security and privacy in the smart city environment | Ch-D | Framework developed based on a Service Level Agreement (SLA) for the healthcare service. Does not consider that a low-level SLA may incur high risk |
| [36] | Develop a ranking of various IoT models across security, performance, QoS, scalability, and computational delay | Ch-D | The researchers do not fully justify the use of “Low”, “Med”, “High”, and “Very High” rank attributes in their evaluation of approx. 60 security frameworks |
| [60] | Extend the Fennigkoh and Smith model for Medical Equipment Management Programmes (MEMP) to include cyber security threats to medical devices | MD | Different HCPs use different classifications for medical devices (fixed assets or consumables), which impacts the overall risk calculation based on Attack Occurrence Probability (AOP) and Attack Success Probability (ASP) |
| [61] | Develop a system for run-time cyber threat detection, adaptive risk-based assessment, and automated mitigation response in medical device deployment | MD | The risk assessment and management unit needs to be designed into each monitoring device and be unique to each device, making it difficult for HCPs to scale |
| [62] | Develop a smart-ageing Remote Healthcare Management System (RHMS) architecture for ambient assisted living (AAL) which considers cyber security and privacy risks | S-Age | Although a list of countermeasures is specified at each layer of the proposed architecture, there are gaps in how the risk is assessed at each layer and how the mitigations would be implemented |
| [7] | Develop a blockchain Proof-of-Authority (PoA) consensus mechanism and smart contracts to ensure the transparency of the data collection process in remote monitoring devices | S-Age | Tracks activity and medication usage by an elderly patient. PoA consensus is less compute-intensive than Proof of Work (PoW) or Proof of Stake (PoS), hence more suitable for constrained environments. However, the use of a Primary Node in PoA could lead to security breaches if the node is compromised |
| [63] | Develop a strategy to achieve information security verification and risk assessment for an IoT-based personal health information system | HL | Healthy living context presented through both health-related data collected through wearables and air quality data through ambient sensors. A complex qualitative risk assessment approach followed (DFD, STRIDE, DREAD) for a very specific case. Difficult to scale to the wider RPM context |
Table 5. Risk Mitigation Approaches.

| Mitigation Approach | No. of Studies |
|---|---|
| Security Mechanism (SM) | 8 |
| Regulatory Mechanism (RM) | 12 |
| Blockchain (BC) | 6 |
| Machine Learning (ML) | 2 |
| No Mitigation (NM) | 8 |
| BC, SDN | 1 |
| SM, RM | 8 |
| ML, RM | 2 |
| RM, BC | 1 |
| SM, BC | 2 |
| ML, SDN | 1 |
| SM, ML, BC | 3 |
| SM, RM, ML, BC | 3 |
Table 6. Scalability elements, metrics, and weightings.

| Scalability Element | Value | Description | Weighting | NASSS Element |
|---|---|---|---|---|
| (a) Patient context | 0 | No Context Considered | 0.25 | Condition |
| | 5 | Specific Context Identified | | |
| (b) Stakeholders’ considerations | 0 | None Considered | 0.25 | Adopter System |
| | 1 | One Stakeholder | | |
| | 3 | Two Stakeholders | | |
| | 5 | Three Stakeholders | | |
| (c) Risk Assessment with AI/ML | 0 | AI/ML not considered | 0.15 | Technology |
| | 3 | AI/ML Considered across 1 or 2 Layers | | |
| | 5 | AI/ML Considered across 3 or more Layers | | |
| (d) Risk Mitigation with AI/ML | 0 | No Mitigation | 0.15 | Technology |
| | 1 | Security/BC/SDN | | |
| | 2 | Regulatory Approach | | |
| | 2 | AI/ML Supported | | |
| (e) Proposal tested | 0 | Not Tested | 0.2 | Technology |
| | 2 | Hypothetically Tested | | |
| | 5 | Tested in a Live or Simulated Environment | | |
Table 7. Scoring of Scalability elements and resulting SI for each study.

| Study Ref. | Context (a) | Stakeholders Considered (b) | Risk Assessment (c) | Risk Mitigation (d) | Implementation/Testing (e) | Scalability Index (SI) |
|---|---|---|---|---|---|---|
| [24] | 0 | 1 | 0 | 0 | 2 | 0.65 |
| [68] | 5 | 5 | 0 | 2 | 5 | 3.8 |
| [55] | 0 | 0 | 5 | 2 | 0 | 1.05 |
| [36] | 5 | 0 | 5 | 1 | 0 | 2.15 |
| [4] | 0 | 0 | 0 | 2 | 2 | 0.7 |
| [15] | 0 | 0 | 0 | 2 | 2 | 0.7 |
| [25] | 0 | 3 | 0 | 2 | 5 | 2.05 |
| [21] | 0 | 5 | 0 | 1 | 2 | 1.8 |
| [26] | 0 | 0 | 0 | 1 | 0 | 0.15 |
| [69] | 0 | 5 | 0 | 2 | 2 | 1.95 |
| [30] | 0 | 0 | 0 | 1 | 0 | 0.15 |
| [29] | 0 | 5 | 0 | 3 | 0 | 1.7 |
| [64] | 0 | 3 | 3 | 5 | 0 | 1.95 |
| [70] | 0 | 1 | 0 | 3 | 2 | 1.1 |
| [71] | 0 | 5 | 5 | 4 | 2 | 3.0 |
| [65] | 0 | 3 | 0 | 3 | 0 | 1.2 |
| [66] | 5 | 3 | 0 | 1 | 0 | 2.15 |
| [72] | 0 | 0 | 5 | 3 | 0 | 1.2 |
| [56] | 5 | 1 | 0 | 2 | 5 | 2.8 |
| [67] | 0 | 1 | 0 | 3 | 0 | 0.7 |
| [22] | 0 | 3 | 0 | 3 | 0 | 1.2 |
| [73] | 0 | 5 | 0 | 5 | 0 | 2.0 |
| [74] | 0 | 0 | 0 | 1 | 0 | 0.15 |
| [75] | 0 | 3 | 0 | 1 | 0 | 0.9 |
| [76] | 0 | 1 | 0 | 5 | 0 | 1.0 |
| [77] | 5 | 3 | 0 | 2 | 2 | 2.7 |
| [78] | 0 | 1 | 0 | 3 | 0 | 0.7 |
| [62] | 5 | 0 | 0 | 1 | 2 | 1.8 |
| [60] | 5 | 0 | 0 | 0 | 2 | 1.65 |
| [79] | 0 | 1 | 0 | 2 | 0 | 0.55 |
| [54] | 0 | 1 | 0 | 3 | 0 | 0.7 |
| [80] | 0 | 3 | 5 | 2 | 0 | 1.8 |
| [81] | 0 | 5 | 0 | 4 | 0 | 1.85 |
| [82] | 0 | 0 | 0 | 0 | 5 | 1.0 |
| [83] | 0 | 3 | 0 | 3 | 2 | 1.6 |
| [31] | 0 | 0 | 0 | 0 | 2 | 0.4 |
| [63] | 5 | 0 | 0 | 0 | 2 | 1.65 |
| [84] | 0 | 5 | 5 | 1 | 2 | 2.55 |
| [85] | 0 | 3 | 0 | 2 | 0 | 1.05 |
| [86] | 0 | 5 | 5 | 0 | 0 | 2.0 |
| [87] | 0 | 0 | 0 | 3 | 2 | 0.85 |
| [88] | 0 | 0 | 0 | 1 | 0 | 0.15 |
| [7] | 5 | 0 | 0 | 1 | 2 | 1.8 |
| [89] | 0 | 5 | 0 | 2 | 0 | 1.55 |
| [57] | 5 | 3 | 0 | 1 | 0 | 2.15 |
| [58] | 5 | 0 | 0 | 1 | 2 | 1.8 |
| [90] | 0 | 0 | 0 | 1 | 2 | 0.55 |
| [91] | 0 | 3 | 5 | 0 | 0 | 1.5 |
| [92] | 0 | 1 | 0 | 1 | 0 | 0.4 |
| [93] | 5 | 3 | 0 | 1 | 0 | 2.15 |
| [94] | 0 | 0 | 3 | 1 | 5 | 1.6 |
| [95] | 0 | 3 | 0 | 3 | 0 | 1.2 |
| [6] | 0 | 3 | 0 | 3 | 0 | 1.2 |
| [96] | 0 | 0 | 0 | 0 | 2 | 0.4 |
| [61] | 5 | 0 | 0 | 2 | 5 | 2.55 |
| [97] | 0 | 5 | 0 | 2 | 3 | 2.15 |
| [98] | 0 | 3 | 0 | 3 | 0 | 1.2 |
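The SI in Table 7 is the weighted sum of the five element scores using the weightings of Table 6 (for [24]: 0 × 0.25 + 1 × 0.25 + 0 × 0.15 + 0 × 0.15 + 2 × 0.2 = 0.65). The script below is an added worked example, not code from the paper: it encodes the Table 6 weightings, recomputes the SI for a sample of Table 7 rows and reports any row whose recomputed value disagrees with the reported one, so that a reader reusing the index on new studies can check their scoring the same way. The score vectors are copied from Table 7; the element names, the integer-hundredths representation of the weights, and the 0..5 bound on every element (Table 7 shows element (d) reaching 5, e.g. for [64], so the bound is taken from the table rather than from the largest single Table 6 entry) are this example's own choices.

```python
"""Scalability Index (SI) recomputed from the Table 6 weightings.

Added worked example (not the paper's code).  Scores are copied from
Table 7; element names and the hundredths representation are assumptions
made here for the sake of exact integer arithmetic.
"""
from __future__ import annotations

# Weightings from Table 6, in hundredths so that the weighted sum is exact.
WEIGHTS_PCT = {
    "a_context": 25,       # (a) Patient context            -> NASSS Condition
    "b_stakeholders": 25,  # (b) Stakeholders considered    -> NASSS Adopter System
    "c_assessment": 15,    # (c) Risk assessment with AI/ML -> NASSS Technology
    "d_mitigation": 15,    # (d) Risk mitigation            -> NASSS Technology
    "e_tested": 20,        # (e) Proposal tested            -> NASSS Technology
}
ELEMENTS = tuple(WEIGHTS_PCT)

# Every element in Tables 6 and 7 lies in 0..5, so the largest attainable
# SI is 5 * (0.25 + 0.25 + 0.15 + 0.15 + 0.2) = 5.0.
MAX_SCORE = 5
MAX_SI = 5.0


def weights_sum_to_one() -> bool:
    """Sanity check on the weighting vector: the five weights total 1.0."""
    return sum(WEIGHTS_PCT.values()) == 100


def compute_si(scores: dict[str, int]) -> float:
    """Weighted sum of the five element scores (the SI of Table 7)."""
    for name in ELEMENTS:
        s = scores[name]
        if not 0 <= s <= MAX_SCORE:
            raise ValueError(f"{name}={s} outside 0..{MAX_SCORE}")
    hundredths = sum(WEIGHTS_PCT[n] * scores[n] for n in ELEMENTS)
    return hundredths / 100


def si_fraction_of_max(scores: dict[str, int]) -> float:
    """SI expressed as a fraction of the maximum attainable value."""
    return compute_si(scores) / MAX_SI


# Sample rows copied from Table 7: (study ref., a, b, c, d, e, reported SI).
TABLE7_SAMPLE = [
    ("[24]", 0, 1, 0, 0, 2, 0.65),
    ("[68]", 5, 5, 0, 2, 5, 3.8),
    ("[55]", 0, 0, 5, 2, 0, 1.05),
    ("[36]", 5, 0, 5, 1, 0, 2.15),
    ("[64]", 0, 3, 3, 5, 0, 1.95),
    ("[71]", 0, 5, 5, 4, 2, 3.0),
    ("[56]", 5, 1, 0, 2, 5, 2.8),
    ("[82]", 0, 0, 0, 0, 5, 1.0),
    ("[94]", 0, 0, 3, 1, 5, 1.6),
    ("[61]", 5, 0, 0, 2, 5, 2.55),
]


def row_scores(row: tuple) -> dict[str, int]:
    """Map the five numeric columns of a Table 7 row onto the element names."""
    return dict(zip(ELEMENTS, row[1:6]))


def check_table7(rows=TABLE7_SAMPLE) -> list[tuple[str, float, float]]:
    """Return (study, recomputed SI, reported SI) for rows that disagree.

    An empty list means every sampled row reproduces the SI the paper reports.
    """
    mismatches = []
    for row in rows:
        si = compute_si(row_scores(row))
        if abs(si - row[6]) > 1e-9:
            mismatches.append((row[0], si, row[6]))
    return mismatches


if __name__ == "__main__":
    for row in TABLE7_SAMPLE:
        print(row[0], compute_si(row_scores(row)))
    print("mismatches:", check_table7())
```

Scoring a new proposal is then a matter of filling the five element values from Table 6 and calling compute_si; the bound check rejects a score outside the range the tables use, and check_table7 is the regression test that the weighting vector has not drifted from the published one.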
Mulhern, B.; Balakrishna, C.; Collie, J. The Network and Information Systems 2 Directive: Toward Scalable Cyber Risk Management in the Remote Patient Monitoring Domain: A Systematic Review. IoT 2026, 7, 14. https://doi.org/10.3390/iot7010014