Currently accepted at: Journal of Medical Internet Research
Date Submitted: Feb 22, 2026
Date Accepted: Jun 23, 2026
This paper has been accepted and is currently in production.
It will appear shortly on 10.2196/93950
Warning: This is an author submission that is not peer-reviewed or edited. Preprints - unless they show as "accepted" - should not be relied on to guide clinical practice or health-related behavior and should not be reported in news media as established information.
Mapping Machine Learning Driven Cybersecurity Solutions in Healthcare: A Scoping Literature Review
ABSTRACT
Background:
Current cybersecurity practices in healthcare rely on conventional measures such as firewalls, antivirus software and access controls. These approaches are inadequate against sophisticated threats. Legacy systems, limited investment, and fragmented governance leave healthcare organisations vulnerable, highlighting the need for adaptive, predictive, and real-time solutions. Although Machine Learning (ML) methods exist for strengthening healthcare cyber-resilience, there is limited clarity on how these tools are applied across different cybersecurity domains, their relevance in real-world settings, and where critical gaps remain.
Objective:
This scoping review aimed to map and categorise current ML applications in healthcare cybersecurity against the National Institute of Standards and Technology Cybersecurity Framework, version 2.0 (NIST CSF), evaluate the effectiveness of existing approaches, and identify critical gaps and implementation priorities for healthcare organisations.
Methods:
A systematic search of Ovid MEDLINE, Embase, and Scopus was conducted for peer-reviewed studies published between 2019 and 2025. Search terms included “cybersecurity”, “healthcare”, “machine learning” and “artificial intelligence”. Inclusion criteria encompassed peer-reviewed studies applying PICOS criteria to organisational-level cybersecurity interventions in healthcare systems (hospitals, clinics, health networks) with outcomes related to data privacy, healthcare data protection, and cybersecurity practice strengthening. Study selection followed the Arksey and O’Malley framework and PRISMA-ScR (Preferred Reporting Items for Systematic Reviews and Meta-Analyses extension for Scoping Reviews) and was conducted independently by two reviewers. Data extraction was followed by synthesis and thematic domain mapping, with categorisation according to the NIST CSF.
Results:
Across 45 studies, 80 ML models were applied to healthcare systems cybersecurity, reflecting the broad scale and diversity of ML applications in healthcare cybersecurity. Most studies aligned with the ‘Protect’, ‘Identify’, and ‘Detect’ functions of the NIST CSF, showing a strong emphasis on security techniques for privacy preservation, intrusion detection and risk assessment. ML models based on classic machine learning, deep learning and NLP were preferred. Only one study demonstrated real-world implementation, with the remainder limited to proof-of-concept stages. Sustained research and investment are needed to validate ML in real-world healthcare environments. The included studies were limited by reliance on synthetic datasets and methodological heterogeneity. Barriers to real-world implementation include regulatory and infrastructural challenges. Future research efforts should focus on the development of explainable AI and representative datasets, alongside governance-focused applications.
Conclusions:
Current ML models in healthcare cybersecurity remain heavily skewed toward prevention, detection, and identification, with a notable paucity of research addressing response and governance functions, as categorised by the NIST CSF. Healthcare organisations should adopt a phased operational implementation approach beginning with high-accuracy detection systems (95-99% accuracy), progressing to privacy-preserving techniques, and ultimately developing governance frameworks. This requires sustained budgeting for infrastructure, training, and validation costs to ensure safe, reproducible deployment of ML cybersecurity solutions.
Copyright
© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a cc-by license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.