Security and Privacy for mHealth and uHealth Systems: a Systematic Mapping Study

The increased adoption of mobile health (mHealth) and ubiquitous health (uHealth) systems empowers users with handheld devices and embedded sensors for a broad range of healthcare services. However, m/uHealth systems face significant challenges related to data security and privacy that must be addressed to increase the pervasiveness of such systems. This study aims to systematically identify, classify, compare, and evaluate the state-of-the-art on security and privacy of m/uHealth systems. We conducted a systematic mapping study (SMS) based on 365 qualitatively selected studies to (i) classify the types, frequency, and demography of published research, and to synthesize and categorize (ii) research themes, (iii) recurring challenges, (iv) prominent solutions (i.e., research outcomes) and (v) their reported evaluations (i.e., practical validations). Results suggest that the existing research on security and privacy of m/uHealth systems primarily focuses on a select group of control families (compliant with NIST 800-53): protection of systems and information, access control, authentication, individual participation, and privacy authorisation. In contrast, the areas of data governance, security and privacy policies, and program management are under-represented, although these are critical to most of the organizations that employ m/uHealth systems. Most research proposes new solutions with limited validation, reflecting a lack of evaluation of security and privacy of m/uHealth in the real world. Empirical research, development, and validation of m/uHealth security and privacy is still incipient, which may discourage practitioners from readily adopting solutions from the literature. This SMS facilitates knowledge transfer, enabling researchers and practitioners to engineer security and privacy for the emerging and next generation of m/uHealth systems.


I. INTRODUCTION
Smart systems and infrastructures rely on mobile and pervasive technologies to offer end-users portable and context-sensitive services that range from social networking and mobile commerce to smart and connected health care [1], [2]. Considering service-driven computing for smart systems, the future of smart healthcare is hyper-connected, highly pervasive, and personalized [3]. Mobile and pervasive technologies for mobile health (mHealth) and ubiquitous health (uHealth) systems provide a wide range of wellness and fitness applications as well as clinical and medical systems [4], [5]. m/uHealth fitness applications (apps for short) and medical systems impact the activities and practices of individuals, patients, medical professionals, and health service providers [6]. Central to this technological revolution for m/uHealth systems (providing smart and connected health care) is context-sensitive information and health critical data. A typical example of this is an individual's diet and exercise routine (i.e., context-sensitive information) and its impact on the person's health, such as blood pressure, body weight and any disease (i.e., health critical data). It has been widely recognized that healthcare data is one of the most valuable assets to health service providers and medical/health technologies (MedTech) companies [7].

VOLUME X, 2020 1 arXiv:2006.12069v1 [cs.CR] 22 Jun 2020

m/uHealth apps and systems have proven to be critically important for collecting, processing, and analyzing health data to generate actionable insights for all the stakeholders. However, there are increasing concerns and challenges for the security and privacy of the data gathered, processed and stored by m/uHealth apps and systems [8], [9]. A recent study by Gartner highlights the importance of the human and technological aspects of security and risk management for the privacy and security practices of healthcare service providers [10].
Security and privacy breaches in healthcare information systems have serious negative impacts on their data subjects. Such impacts can range from embarrassment and reputation damage to various forms of discrimination that adversely affect the rights and freedoms as well as the physical and mental health of individuals [11]-[13].
Given that security and privacy concerns have emerged as the most challenging aspects of healthcare information systems, there is an urgent need to fully understand and address the security and privacy issues of m/uHealth apps from a software system lifecycle perspective [14]. The lifecycle includes, but is not limited to, requirement analysis, design, implementation, testing, and deployment of m/uHealth systems. With an increasing trend to provide health services through mobile/ubiquitous technologies, there is a growing body of research on identifying challenges, proposing solutions, and highlighting open issues related to the security and privacy aspects of m/uHealth systems [15]. For example, researchers have proposed architectures [16], implemented algorithms [17] and mechanisms to establish infrastructures [17] for addressing the security and privacy of healthcare systems. An ever-increasing number of healthcare systems are being developed by adopting security engineering practices and recommendations provided by the relevant agencies, such as [18].
Given the growing body of published research on security and privacy of m/uHealth systems, there are increasing needs and opportunities to carry out secondary studies that consolidate the knowledge and evidence being produced, for ease of access by practitioners and researchers. That is why a number of researchers have surveyed the literature on security and privacy for mHealth (e.g., [15], [19], [20]). However, the existing reviews tend to limit their scope to mHealth systems (using smartphones, tablets and wearable sensors) and do not explicitly include the more pervasive and context-sensitive uHealth systems. Moreover, the existing reviews have focused on very specific security controls used in m/uHealth systems, such as biometrics, authentication, and key exchange schemes [21], [22]. Hence, the existing research, and specifically the survey-based studies (detailed in a dedicated section), lacks a broader view on the topic, i.e., one that explicitly comprises both mHealth and uHealth and deals with issues related to both security and privacy controls for the class of m/uHealth systems. To support the engineering of m/uHealth systems with security and privacy aspects embedded right from the beginning [16], [17], there is a need to systematically select, review, and synthesize the published research on security and privacy of m/uHealth systems. Review and synthesis of published research helps to classify, compare, and evaluate the strengths and limitations of the state-of-the-art in the area under investigation.
To address the above goals, we have carried out a Systematic Mapping Study (SMS) [23] of the peer-reviewed literature on security and privacy for m/uHealth systems. To complement the SMS, we also performed an in-depth thematic analysis of the studies that have been evaluated in practice, discussing the reported solutions, their evaluation strategies and their impacts on industry-scale systems. We are not aware of any other effort that has carried out an SMS for identifying, classifying, comparing, and communicating the existing research and its implications to the relevant stakeholders (i.e., researchers, practitioners, policy-makers, healthcare providers, and broader society). Hence, this SMS provides an overview of the topic in terms of: 1) research and contribution types; 2) research trends and taxonomy; 3) challenges and solutions for security and privacy controls; 5) m/uHealth application categories; and, 6) the role of various devices and technologies in m/uHealth systems. Bibliographical information and research trends also pinpoint the predominant areas of research, under-researched areas and gaps, as well as future research directions.
The core results of this SMS highlight that the existing research on m/uHealth systems frequently emphasises the use of security and privacy controls from a small group of families, considering the NIST 800-53 control families. The predominant research trends reflect: 1) system and communication protection, 2) identification and authentication, 3) system and information integrity, 4) access control, 5) individual participation and 6) privacy authorisation. Researchers mostly focus on investigating the most traditional families of security and privacy controls; however, other areas such as data governance, security and privacy policies and program management remain under-investigated, even though they are crucial for dealing with security and privacy at an organizational level. The primary contributions of this SMS are:
• Classification and comparison of the existing and emerging solutions for security and privacy for m/uHealth in the form of systematic maps, a classification taxonomy, and illustrative trends.
• Evaluation-focused analysis of the solutions implemented in practice, to identify common themes and appraise the quality of these evaluation studies.
Empirical evidence along with research and development of security and privacy solutions is lacking, and research studies need to be carefully evaluated before academic solutions can be adopted or extended in an industrial context. The results of this SMS can be beneficial for:
• Researchers who are interested in quickly identifying the existing research that can help to formulate new hypotheses to be tested and propose innovative solutions for the emerging challenges of security and privacy of m/uHealth systems.
• Practitioners who want to understand the solutions reported in the academic literature to provide architectural models, implementation strategies and evaluation frameworks that can be evaluated for industrial adoption.
This paper is structured as follows. Section II discusses the context and background details for security and privacy of m/uHealth systems. Section III reviews related surveys to justify the scope and contribution of the proposed SMS. Section IV presents the research methodology. Section V, Section VI, and Section VII discuss the core results of the SMS. Section VIII reviews the results to present the critical findings of the SMS. Section IX presents validity threats to the SMS. Section X concludes the paper.

II. BACKGROUND
In this section, we contextualize the security and privacy issues of m/uHealth systems, as illustrated in Figure 1. First, we discuss mHealth and uHealth in the context of electronic healthcare (eHealth) systems (Section II-A). Second, we conceptualize security and privacy, their interrelations, standards and legal frameworks (Section II-B). The concepts and terminologies introduced in this section are used throughout the paper.

A. EHEALTH, MHEALTH AND UHEALTH
Since the late 90's, the term electronic health (eHealth) has been used to refer to healthcare processes and practices supported by Information and Communication Technologies (ICT) [24]. There are various forms of eHealth systems, such as telemedicine, Electronic Health Records (EHR) and Healthcare Information Systems. mHealth is the practice of eHealth assisted by smartphones and other mobile devices, used to collect, analyze, process, transmit and store health-service-related information from sensors and other biomedical systems [24], as in Figure 1. The paradigm of uHealth, driven by ubiquitous computing, is an advancement of mHealth systems that exploits ubiquitous devices and sensors to enable on-the-go health monitoring and care [5]. uHealth is fast emerging as a pervasive technology that uses a large range of sensors and actuators deployed in an environment (e.g., homes, hospitals or workplaces) or used by individuals (e.g., worn/implanted on-body sensors) to support the delivery of healthcare, monitoring, and improving individuals' physical and mental health [26]. As in Figure 1, m/uHealth systems empower their users with anytime/anywhere sensors, applications and networks that collect context-sensitive health critical data, such as blood pressure, heart rate and body temperature, to diagnose health related problems [26]. As illustrated in Figure 1, users/citizens/patients can exploit their on-body sensors to monitor their health related information (a.k.a. medical profiles), which can be shared with medical professionals at distributed locations. Medical professionals can use their mobile devices for medical consultation, and data stored on health care servers can be shared with other professionals or health care units. Despite the benefits offered by m/uHealth systems, one of the most critical challenges for this class of systems relates to the security and privacy of an individual's personal data and health critical information [14].

B. SECURITY AND PRIVACY
In a healthcare environment, the security and privacy of information systems is critical for achieving trust and high-quality services [14]. Although the terms security and privacy tend to be used interchangeably across research, the concepts have fundamental differences that should be taken into account when dealing with m/uHealth systems. In general, the security of computing systems targets the protection and safeguarding of hardware, software and information, and typically boils down to three core concepts [27]: (1) confidentiality, the concealment of information or resources; (2) integrity, the trustworthiness of data resources and the prevention of improper or unauthorized change; and (3) availability, the ability to use the information or resource desired. Privacy, in turn, is not simply a technical concept. It is a fundamental human right, both in terms of physical privacy and information privacy [28]. Here we are particularly interested in the latter, i.e., privacy in the context of health critical data being produced and consumed by m/uHealth systems. Although there is no absolute agreement on the definition of privacy, in this paper we consider the proposition of Westin [29]: "Privacy is the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others." Informational privacy overlaps with the concept of confidentiality, such as the authorized access or disclosure of information and the notions of secrecy, access control, sharing and protection of information [14], [30]. However, in order to create privacy-aware systems, other aspects such as openness and transparency, purpose specification and limitation, and informed consent also need to be put in place. Although computer security is an essential pillar for achieving privacy, it should be clear that privacy cannot be satisfied solely on the basis of managing security [31].
In Figure 1, per the model and guidelines for secure mobile and ubiquitous systems from [32], we highlight that the security and privacy issues for health critical data can be categorized into four main categories. These include the security and privacy of (1) data produced and consumed by mobile and ubiquitous devices, (2) data transmitted over wireless networks, (3) information residing on healthcare servers, and (4) policies and regulations for m/uHealth systems (detailed later). For example, as Figure 1 shows, a user can exploit his/her body sensors to collect health critical data such as heartbeat, body temperature, and blood pressure, referred to as a Health Profile. The Health Profile is composed of personal information (e.g., age, gender or location) and health critical data (e.g., blood pressure, body temperature or pulse rate). Considering Figure 1, a typical scenario is a compromised device or sensor used for unauthorized access to a user's health profile with the intent of delivering personalized advertisements, or the leakage of personal information for social profiling. Such scenarios, which breach the security and privacy protocols of m/uHealth systems, can limit users' trust in and adoption of such systems [19], [20].

D. POLICIES AND REGULATIONS FOR SECURITY AND PRIVACY
In recent years, some regulations have been enacted, such as the European General Data Protection Regulation (EU GDPR) [33] and the California Consumer Privacy Act (CCPA) [34], giving individuals more power over their data and putting more limitations on the ways data is collected, analyzed and used by organisations. At the same time, standardisation bodies have been providing guidance to systems architects in terms of engineering secure and privacy-preserving systems. Examples are NIST's revised list of security and privacy controls (NIST 800-53, https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft), NIST's Privacy Engineering Program (PEP, https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering), and ISO's standard on privacy engineering for system life cycle processes (ISO/IEC TR 27550:2019). Achieving compliance and implementing standards is particularly interesting in the context of mHealth and uHealth systems, because they are relatively new technologies and their security and privacy challenges have not been fully understood yet [35], [36]. This discussion is also elaborated in this paper, putting in perspective the current advances of m/uHealth and recent changes in the context of policies and regulations for security and privacy of m/uHealth systems.

III. THE EXISTING SURVEYS AND SYSTEMATIC REVIEWS ON SECURITY AND PRIVACY OF M/UHEALTH
In this section, we review the most relevant survey-based (secondary research) studies that focus on privacy and usability, security, and other relevant aspects of health critical software systems, with a particular focus on m/uHealth. We justify the scope and contributions of the proposed SMS based on a systematic comparison of the existing survey-based studies in Table 1.

A. PRIVACY AND USABILITY ISSUES IN MHEALTH SYSTEMS
Security and privacy of mHealth "apps" is among the most studied research domains in the context of secure and private mobile and ubiquitous systems. Researchers usually investigate the existing legal frameworks and academic literature in the area of mHealth in order to provide guidelines and recommendations to users (e.g., patients, clinicians or administrative people) and developers of mHealth apps [19], [20], [37], [39]. Some researchers have also defined criteria for assessing and comparing mHealth apps, providing a security and privacy "score" in order to better communicate the potential risks of such systems to their end-users [38]. Some systematic reviews have focused on privacy and usability issues in mHealth systems [40] or networking issues for security and privacy of mHealth apps [41]. However, these studies are restricted to the investigation of mHealth apps developed for tablets and smartphones and Body Sensor Networks (BSNs). That is, the existing literature explicitly focuses on mHealth systems but falls short of addressing security and privacy issues for uHealth systems, which are being increasingly adopted in smart healthcare driven by IoT and sensor-driven technologies [16].

B. SECURITY IN TELEMEDICINE AND MHEALTH SYSTEMS
Considering telemedicine as an essential component of eHealth systems, some systematic reviews have focused on security controls for such systems [4]. A typical example of this is multi-layer systematic reviews for user authentication in telemedicine and mHealth systems, using body sensor information and finger vein biometric verification [21] and sensor-based smartphones [22]. In such reviews, the prime focus of the investigation is authentication and key exchange protocols for secure telemedicine. These surveys review the myriad of schemes that have been proposed for mHealth systems, typically addressing mutual authentication of users and application providers as well as device authentication (e.g., mobile devices and sensors).

C. SECURITY AND PRIVACY OF HEALTH CRITICAL SYSTEMS
In recent years, a number of systematic reviews and surveys have targeted security and privacy for health critical systems. For instance, the work of [42] focuses on security and privacy issues of implantable medical devices. Also, a great deal of attention has been given to Wireless Body Area Networks (WBANs) in the context of mHealth [45], [46]. Such surveys have primarily focused on WBANs in terms of wireless medical sensor networks [43], Distributed Denial of Service (DDoS) attacks [44] and body-to-body sensor networks [47].
There are some reviews that have investigated Internet of Things (IoT) for medical applications [48]-[50], as well as cloud-based EHRs [51] and Mobile Cloud Computing [52]. These reviews represent a concentrated body of knowledge about the challenges and solutions for security on resource-constrained devices and cloud services, so as to ensure the confidentiality of data in transit (over the network) and at rest (residing in devices or servers). It is also worth mentioning that some systematic reviews go beyond the scope of security and privacy, addressing ethics altogether in the context of mHealth apps [53] and passive data collection in healthcare [54].
Conclusive summary: We have discussed the progression and limitations of the existing research in terms of survey-based secondary studies that enable or enhance the security and privacy of m/uHealth systems. In order to justify the scope and contributions of the proposed SMS, an objective comparison is presented in Table 1. Table 1 acts as a structured catalogue to classify and compare the existing research and the needs for future research and development of security- and privacy-enabled m/uHealth. Unlike the existing surveys, the proposed SMS explicitly considers privacy controls in addition to the traditional security controls. This greater demand for privacy-by-design is in part a consequence of the recent privacy laws enacted in the European Union and the United States (i.e., GDPR and CCPA). This SMS aims to address both security and privacy and explicitly includes uHealth as part of mHealth systems.

IV. RESEARCH METHOD FOR SMS
In order to plan, conduct, and document this SMS, we followed the evidence-based software engineering approach and specifically adhered to the guidelines for conducting systematic reviews and mapping studies from [23]. We developed a research protocol to be followed at each step of this SMS. The details of the research protocol for this study are provided in [55]; hence, the full details of the research protocol are not repeated in this paper. An illustrative view of the adopted research method is presented in Figure 2, which highlights three phases of research, each comprising two tasks. Each phase has an outcome. For example, the initial phase, named Planning the Mapping Study, comprises two tasks that relate to (i) identification of the needs and (ii) specification of the research questions for the mapping study. The outcome of this phase is the scope and objectives of the SMS in terms of the research questions that need to be investigated. SMS planning is the precondition for the later phases of the methodology. By adopting the well-known methodology from [23], as in Figure 2, we aim to strengthen the findings, support objective interpretation of results, minimize any bias, and enable reproducible results. In the remainder of this section, we discuss the three phases of the research methodology.

A. PHASE I - PLANNING A MAPPING STUDY

1) Identify the needs for SMS
Despite a lot of attention and published research, there has been no effort to systematically identify and investigate the collective impact of the existing research on secure and private m/uHealth systems. A systematic investigation of the state-of-the-art on secure and private m/uHealth systems can highlight the research progression, maturation, emerging trends and future challenges that are currently lacking in the literature. In order to ensure that no prior survey, mapping study, or systematic review (i.e., secondary study) has been conducted, we searched the most prominent digital libraries, including IEEE, ACM, Springer, Science Direct and Scopus, along with the indexing engine Google Scholar (search date 02/10/2019). The search string that we executed on these digital libraries and indexing engines to locate any secondary studies on security and privacy of m/uHealth systems is shown in Listing 1. Based on Listing 1, none of the retrieved literature (Section II, Table 1) was related to the research questions outlined in Section IV-A2 that motivated the need for this SMS.

2) Specifying the research questions
To conduct the mapping study and present its results, we specify a number of Research Questions (RQs) for this SMS. The scope of this SMS is limited to finding and discussing the answers to the RQs that have motivated this study. The RQs and their respective objective(s) are described below:
A various research themes (reflecting the body of knowledge) that help us to investigate the strengths and limitations of the existing research.
RQ-4 What is the state of existing evaluation studies on security and privacy for m/uHealth systems?
Objective(s): Provide a clear picture of the existing research that has been properly evaluated. Evaluation of the existing research reflects the strength of the solutions in terms of their practical applicability and validation.

B. PHASE II -CONDUCTING A MAPPING STUDY
As per Figure 2, this phase involves searching for and qualitatively assessing the relevant literature that is included for review to conduct the SMS, as detailed below.

1) Search the relevant literature
In order to search the relevant literature, we selected the Scopus digital library, which indexes more than five thousand publishers, including highly relevant sources such as Elsevier, Springer, MEDLINE, EMBASE, IEEE Xplore and ACM. In order to search for the relevant studies in Scopus, we considered the outlined RQs (from Section IV-A1) to compose the search string based on the key terms presented in Table 2. We decided to limit the time period of our searches to a 5-year period (i.e., from 2015 to 2019). A pilot search based on the search string in Listing 2 suggested there were few or no relevant publications on the topic under investigation before 2015. Therefore, in order to avoid an exhaustive search and minimize the risk of identifying a large number of irrelevant studies, we set the search criteria to only cover the literature from 2015 to 2019, which helped us to retrieve a total of 1249 potentially relevant publications. We also limited the search to peer-reviewed scientific publications and book chapters, excluding any white papers, technical reports or unpublished work.

2) Study inclusion -screening and qualitative assessment
We followed a two-step process of screening and qualitative assessment for selecting the most relevant publications for review out of the initial set of 1249 potentially relevant papers. We developed The details of the selection process can be found in the study's research protocol available at [55].

3) Synthesize qualitatively the selected literature
The last task of Phase II is the classification of the studies using systematic maps. We also conducted an evaluation-focused analysis of the papers that have been implemented in practice. The construction of the SMS's classification facets as well as the detailed explanation of the qualitative assessment of the evaluation studies can be found in the research protocol [55].

C. PHASE III -DOCUMENTING A MAPPING STUDY
As per Figure 2, the last phase of the SMS, i.e., Documenting the Mapping Study, is detailed in the remainder of this paper. The results documentation is based on investigating the RQs (in Section IV-A) and presenting their findings. The results documentation is classified as (a) Research Demography and Mapping (as the First Stage in Section V) and (b) Research Solutions and their Evaluations (as the Second Stage in Sections VI and VII). As part of the documentation, the critical findings of the SMS are reviewed and validity threats to the SMS results are also presented (in Section VIII and Section IX, respectively). The artefacts used and created in this study are publicly available in a replication package, which can be found at [56]. The replication package includes the database search queries, the answer sets of these queries and the maps of the categorised papers and patterns.

V. DEMOGRAPHY ANALYSIS BASED ON TYPES, FREQUENCY AND VENUES OF THE PUBLICATIONS
In this section, we answer RQ-1 and RQ-2, which focus on the demography analysis of published research on security and privacy of m/uHealth systems. In the demography analysis we aim to investigate the types of published research and the frequency of publications during a specific year or a range of years (Section V-A). We also identify prominent venues of publication (Section V-B). As per the research method (in Figure 2), demography analysis relates to the first-stage analysis and documentation of the topic under investigation. Specifically, the Stage 1 mapping highlights the progression of research over the years in terms of the number of publications, diversity in terms of the types of publications, and publication venues as sources of research emergence.

A. ANALYZING FREQUENCY AND THE TYPES OF THE PUBLISHED RESEARCH
To answer RQ-1, we analysed the types and the frequencies of the published research from 2015 to 2019, as shown in Figure 3. As discussed earlier (Section IV-B), through our pilot searches we could not identify any relevant publication before 2015 on the topic, whereas 2019 (02/10/2019) represents the cut-off point of our literature search, as shown in Figure 3. For fine-grained analysis and interpretation of Figure 3, we provide complementary information in terms of: (a) types of research publications in Figure 4, (b) types of research contributions in Figure 5, (c) number of publications per family of security and privacy controls in Figure 6, (d) number of publications on common types of m/uHealth applications in Figure 7, and (e) number of publications on technologies being used to enable m/uHealth applications in Figure 8. All of the above-mentioned quantitative analyses are detailed later in this section to highlight the progression and diversity of the published research on secure and private m/uHealth systems. Figure 3 has two main dimensions. The first dimension is the frequency of the publications in terms of the total number of studies published during the respective years (projected along the y-axis). The second dimension presents the diversity of the published research in terms of the different types of publications, such as conference proceedings or journal articles, during each year (projected along the y-axis). In this second dimension, the papers are classified as Review, Conference Paper, Book Chapter and Article (as provided by Scopus). The unified view of Figure 3 highlights the total number and the types of the published research. [P286, P289, P322] addresses privacy (vis-a-vis GDPR), "cyber"-security, blockchain and IoT to enable secure and private m/uHealth systems.
Another observation in Figure 3 is the more-than-doubled number of journal articles, which theoretically represent a detailed presentation of the research challenges, the proposed solutions and rigorous evaluations. For example, the study [P346], published in the Journal of Medical Internet Research, provides a fine-grained presentation of an open-source platform for processing mHealth data using sensors, wearables and mobile devices.
Notation: in [Pn], P stands for Primary studies and n (n = 1, 2, ..., 365) refers to one of the 365 primary studies that have been selected for review in this mapping study, presented in [55] (Appendix A). The notation also maintains a distinction between the bibliography ('References'), the primary studies for this review (Appendix A, [55]), and the Evaluation Research (ER) (Appendix B, [55]).

1) Types of the research publications
Figure 4 highlights the types of research publications across 6 different well-established categories that have been adopted from [57]. For example, Figure 4 shows that the largest number of publications are Solution Proposals (i.e., 301 studies) and the smallest number are Experience Papers (i.e., 7 studies only). Solution Proposals represent novel ideas that formulate an innovative solution to already established or emerging problems for security and privacy of m/uHealth systems. For example, the studies [P58, P135, P337] represent solution proposals for security and privacy frameworks for ubiquitous IoT systems, sensor-based remote monitoring, and mHealth apps, respectively. Further details about each type of research publication shown in Figure 4 can be found in [57]. The primary intent of Figure 4 is to represent the diversity of the published research in the context of the well-established categories of research publication types.
2) Types of the research contributions
Figure 5 shows the different types of research contributions across 7 distinct categories adopted from [58], [59]. Specifically, Figure 5 shows that the most common type of research contribution is the Model (i.e., 175 studies) and the least common is Theory (i.e., 1 study). Research contributions categorised as Model focus on representing the observed reality through concepts; for example, the studies [P30, P73] present mathematical models in the form of cryptographic schemes for authentication and key agreement. Further details about each type of research contribution shown in Figure 5 can be found in [58], [59]. The aim of presenting the data in Figure 5 is to provide a high-level view of the different research contributions as the constituent elements of the published literature, which range from tools (enabling automation), to lessons learned (recommendations and guidelines), to frameworks (integrated development environments) that enable or enhance the security and privacy of m/uHealth systems.
3) Number of the publications on the families of the privacy and security controls
Figure 6 shows the studies distributed across a total of twenty security and privacy control families according to the NIST SP 800-53 control catalogue [31]. The vast majority of existing solutions implement controls from the families of system and communications protection (SC, n = 273) and identification and authentication (IA, n = 228), which are the typical security controls for confidential communication (i.e., encryption) and for user or device authentication. Organisational aspects addressed by families such as planning (PL, n = 1) and personnel security (PS, n = 0) are under-represented in the existing research.

4) Number of the publications on common types of m/uHealth applications
Figure 7 presents the different types of health applications reported in the reviewed studies. This classification is based on the World Health Organization (WHO) reports on eHealth and mHealth technologies reported by all affiliated countries [4]. Applications for remote patient monitoring (n = 241) (e.g., using mobile devices or sensors to track vital signs) and for patient records (n = 138) (e.g., personal health records or electronic health records) remain the most traditional mHealth systems. On the other hand, the mHealth application categories of health call centres and helplines (n = 4), as well as public health emergencies (n = 4), have not been the usual targets of security and privacy research.

5) Number of the publications on technologies being used to enable m/uHealth applications
Figure 8 shows the types of technologies used to enable the various m/uHealth systems. This classification was created by the authors using the keywording method, i.e., forming groups of closely related keywords. Not surprisingly, the mobile phone (or smartphone) is by far the most used type of technology (n = 306), followed by sensors and IoT devices (n = 157). Technologies such as RFID (n = 17), Blockchain (n = 11), Smartcard (n = 7) and NFC (n = 5) have not yet been extensively addressed.

B. PROMINENT VENUES OF THE PUBLISHED RESEARCH
We now answer RQ-2, which is aimed at identifying and discussing the venues of the publications. Table 3 provides a structured catalogue of all the relevant information about the prominent venues of the reviewed publications. Prominent venues are any journals, conference proceedings, etc. with a specified minimum number of publications (i.e., at least 6 published studies). The results from our pool of selected publications indicate that an increasing number of papers are being published every year (see Figure 3). A vast majority of the publications fall into the categories of journal articles (n = 197) and conference papers (n = 164). There are dozens of publication venues in which the reviewed papers have appeared, which means that the published research on security and privacy of m/uHealth is sparsely distributed across different journals, conference proceedings and books. Nine venues cover nearly 20% of the total number of reviewed papers, as shown in Table 3. All other venues have a lower number of publications, ranging from 1 to 4 papers only. Table 3 also shows that the venues are mostly journals positioned in the top quartiles (i.e., Q1 and Q2) according to the Scientific Journal Rankings (JCR). High accumulated citations are concentrated in journals, namely Future Generation Computer Systems, IEEE Access and the Journal of Medical Systems. Comparatively, journal venues have a much higher accumulated number of citations than the conference venues. Publishers are concentrated in Europe (i.e., Germany, Switzerland and the Netherlands) and North America (i.e., USA and Canada). Table 3 shows a diversity of publication venues that include, but are not limited to, computer science and systems, embedded systems, and medical and intelligent systems.
For example, the publication venue named Future Generation Computer Systems (FGCS) categorized as computer science and systems journal has a total of 7 publications [P215, P242, P249, P261, P282, P344, P355] that specifically focus on security of advanced technologies, such as mHealth social networks, cyber-physical networks, edge computing, IoT and big data systems.

VI. RESEARCH MAPPING BASED ON THE EXISTING SOLUTIONS FOR THE SECURITY AND PRIVACY OF M/UHEALTH SYSTEMS
In this section, we answer RQ-3, driven by the mapping of the existing research as illustrated in Figure 9 and Figure 10, corresponding to our second-stage analysis and documentation (as in Figure 2). We provide the research mapping that identifies the state of the art in terms of the existing solutions and their prime contribution(s) to supporting security and privacy of m/uHealth systems (Section VI-A).

A. MAPPING OF THE EXISTING SOLUTION FOR THE SECURE AND PRIVATE M/UHEALTH
This section answers RQ-3 by presenting a systematic map of the existing solutions. First we present the mapping between the types of research contributions and the types of security and privacy control families (Section VI-A1). We then present the mapping between the types of applications and the types of technologies used to support the security and privacy of m/uHealth systems (Section VI-A2).

1) Mapping between the Research Contributions and the Security and Privacy Control Families
The first systematic map produced in this SMS is shown in Figure 9. The systematic map works as a matrix (based on x/y-axis) that unifies (a) three distinct facets to their (b) corresponding evidence as detailed below.
Facets of systematic mapping - According to Figure 9, these are presented as:
• Research type facet, adopted from Figure 4, is central to mapping research contributions and control families, and is drawn on the y-axis of Figure 9.
• Contribution type facet, presented on the x-axis at the left of Figure 9, draws the different types of research contributions adopted from Figure 5.
• Security and privacy control families facet, presented on the x-axis at the right of Figure 9, draws the different security and privacy control families from Figure 6.
Evidence for systematic mapping - The published evidence for the systematic mapping refers to the reviewed studies (Appendix A [55]) that are relevant to a particular map, presented as bubbles plotted in Figure 9.
• Evidence for Contributions is presented on the y-axis at the left of Figure 9 and provides a mapping between the research types and their particular contributions. For example, based on this mapping we can interpret that a total of 42 published papers (e.g., [P1, P22, P28]) focus on the validation of tools developed to enable or enhance the security and privacy of m/uHealth systems. The study reported in [P22], for instance, presents an mHealth system for securely transmitting personal bio data; to validate the proposed tool, the authors implemented it and carried out a controlled experiment in which the communication channel was spoofed, to demonstrate confidentiality. Conversely, we can see that there are no opinion or philosophical papers about tool support for the security and privacy of m/uHealth systems.
• Evidence for security and privacy control families is presented on the y-axis at the right of Figure 9 and provides a mapping between the research types and the security and privacy control families. For example, this mapping shows that in our mapping study a total of 141 solutions have been proposed (e.g., [P44, P51, P56]) that exploit Access Control as a mechanism to enable or enhance the security and privacy of m/uHealth. The study [P51], for instance, presents a security framework for mHealth systems that implements role-based access control mechanisms to achieve authorised access to health data. Based on the mapping, we can also see that there is no validation research on Awareness and Training to support security and privacy.
Based on Figure 9, there can be multiple and diverse interpretations of the existing research. An exhaustive account of each possible interpretation is not feasible; however, we provide some examples and guidelines below that can help a reader identify and interpret the available information as per their needs. For example, the validation research reported in [P279, P306] demonstrates that it is feasible to perform privacy-preserving search/querying over mHealth data, even though further studies are warranted to evaluate the proposed solutions in practice.

2) Mapping between the types of applications and the types of technologies
The second systematic map produced in this SMS is shown in Figure 10.
Facets of systematic mapping - According to Figure 10, these are presented as:
• Research type facet, as aforementioned, is drawn on the y-axis of Figure 10 and is central to mapping application types and used technologies.
• Application type facet, presented on the x-axis at the left of Figure 10, draws the different types of m/uHealth applications adopted from Figure 7.
• Used technology facet, presented on the x-axis at the right of Figure 10, draws the different types of used technologies from Figure 8.
Evidence for systematic mapping - The published evidence relevant to this map is presented as bubbles plotted in Figure 10.
• Evidence for Applications is presented on the y-axis at the left of Figure 10, providing a mapping between the research types and their application categories. For instance, a total of 200 studies (e.g., [P4, P13, P14]) are solution proposals for patient monitoring systems. The paper [P13], for example, provides a solution in the form of an mHealth patient monitoring emergency alert system.
• Evidence for the used technologies is presented on the y-axis at the right of Figure 10, providing a mapping between the research types and the used technologies. This mapping shows, for example, that 47 studies (e.g., [P23, P62]) that use mobile phones as their enabling technology have also been evaluated. The work reported in [P62] is an example of a privacy-aware telemonitoring system for patients with chronic heart failure that has been evaluated in practice.

VII. EVALUATION STUDIES ON THE SECURITY AND PRIVACY OF M/UHEALTH SYSTEMS
In this section we answer RQ-4 by presenting the existing evaluation studies on security and privacy of m/uHealth systems. Answering this question helps us investigate the evaluation research (i.e., the Research Type facet in Figure 9 and Figure 10). Investigating the evaluation research pinpoints the existing or innovative methods and techniques adopted or developed to validate the proposed solutions (presented in Section VI). Moreover, an explicit discussion of solution evaluation and of the evaluation studies clarifies the rigor of the published research and its validation. All studies in the Evaluation Research facet intersect the topics of (1) security, (2) privacy and (3) m/uHealth. However, these studies usually put more emphasis on one of the topics. For instance, a study that reports an mHealth intervention mainly emphasises the health outcomes (e.g., use of a weight-loss app [ER02]). Although the authors also claim to have implemented security and privacy controls, these controls are not the focus of the study or of its evaluation. A summary of the Evaluation Research with respect to its main emphasis is shown in Table 4. As per the methodology, in this second-stage analysis we are especially interested in the evaluation process for the security and privacy technologies (as per Table 4, the studies with the emphasis on 'privacy', 'security', and 'security and privacy', i.e., n = 13 + 12 + 3 = 28) and in the extent to which they have been evaluated in the current state of the research. That is not to say that the evaluation of healthcare and health outcomes is of less importance; rather, there has already been extensive research on the evaluation and maturity of m/uHealth systems [6], [60], as opposed to their security and privacy technologies.
In the remainder of this section, we first provide some general comments on the very few studies that put emphasis on healthcare and at the same time show a significant amount of evidence of evaluation of their security and privacy components. Next, an in-depth presentation of the themes is provided, organising the thematic analysis into five broad groups: (1) security and privacy evaluation strategies (Tables 5 and 6); (2) identified problems in industry (Table 7); (3) solutions as security and privacy models and frameworks (Table 8); (4) solutions as security and privacy assessment methodologies (Table 9); and (5) solutions as security and privacy systems and applications (Table 10). Lastly, a detailed score card for the quality assessment of the studies with the emphasis on security and privacy is provided in Table 11.

A. OVERVIEW OF THE EVALUATION RESEARCH
As per the SMS results, it is often the case that authors are more focused on evaluating health outcomes for a given solution instead of evaluating "non-functional requirements" related to security and privacy (see Table 4). Other studies are more focused on the performance, feasibility, usability and acceptability of systems. In such studies, security and privacy features do exist in the systems, but they are not targeted in the evaluation process. However, a few exceptions were found in which the studies do perform a significant evaluation of the implemented security and privacy technologies, even though the main emphasis is on healthcare.
We identified some studies that describe overall issues such as a lack of compliance with privacy laws, insufficient or missing privacy policies, and app vulnerabilities (i.e., [ER02, ER07, ER24, ER43]). A few studies also go as far as proposing or using methods for privacy policy assessment (i.e., [ER07, ER24]) and privacy models (i.e., [ER05]). Sometimes the privacy analysis is part of a broader system specification assessment (i.e., [ER09]) or of app assessment criteria (i.e., [ER24]). Other studies address security-related issues to a greater extent, by performing a security analysis (i.e., [ER43]) or implementing a security framework (i.e., [ER41]). Given that, these studies are further discussed in the thematic analysis, together with the studies that emphasise security and privacy.
As a general trend, it is also worth noting that half of the evaluation studies (n = 26, 50%) performed a third-party evaluation of existing solutions in the market, e.g., mHealth apps, privacy policies, mobile devices and wearables, communication protocols or standards. This is important because many researchers are acting as third-party evaluators, performing privacy and security analyses and providing an unbiased evaluation of existing solutions. As a result, they help identify problems in the industry and provide recommendations to m/uHealth developers and practitioners.
In the following subsections, the studies are categorised in themes, as explained in Section IV. We have closely clustered the themes in the provided tables to facilitate the analysis. A sentence that captures an emblematic example is provided for each theme as well as the studies that fall into it.

B. EVALUATION STRATEGIES FOR SECURITY AND PRIVACY
Many strategies have been used to evaluate the security- and privacy-related models and solutions in the selected studies. This first group of themes summarises the evaluation strategies evidenced in the selected studies (see Tables 5 and 6), making it the most important group in this thematic analysis. These evaluation strategies consist of the explicit use of methods or methodologies for evaluation purposes. Some studies propose a more general assessment of apps, represented in the themes App Critical Content Analysis and App General Assessments. These studies assess the quality of apps, considering privacy as just one sub-component of the assessment (i.e., [ER37, ER24, ER42]). In the theme App Privacy Assessment, by contrast, the studies go further and assess privacy extensively, checking the app's required permissions, consent strategies, privacy policies, transparency and purpose specification (i.e., [ER19, ER29, ER36]).
Authors sometimes create and use their own ad-hoc evaluation methodology for security and privacy. However, as detailed in the next sections, many studies either propose a new methodology for the assessments or adopt an existing approach from the literature. In either case, they typically contribute by evaluating solutions already available in the market. Also standing out among the themes in Table 5, many studies carried out Privacy Policy Assessments or calculated a Privacy Policy Transparency Score for a given set of mHealth apps.
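As an added illustration of the permission check that the App Privacy Assessment theme describes (this is example code written for this page, not code from any of the reviewed studies), the following Python script parses an AndroidManifest.xml, flags the permissions Android classifies at the "dangerous" (runtime) protection level, compares them against the permissions the app's stated purpose justifies (the purpose specification check), and sums an illustrative weight per permission. The "FitLog" manifest is constructed for the example, and the weights and resulting score are assumptions of this example, not the Information Privacy Risk Score of any reviewed study. As a bonus transport check it also reports whether the manifest explicitly opts in to cleartext HTTP traffic.

```python
"""Static privacy check of an Android manifest (added example, not from a reviewed study)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of permissions that Android classifies at protection level "dangerous",
# i.e. runtime permissions the user must grant. The weights are this example's
# own assumption: body-sensor and location data are weighted higher because they
# are health data, or reveal health-related behaviour (visits to a clinic, etc.).
DANGEROUS_WEIGHTS = {
    "android.permission.BODY_SENSORS": 3,
    "android.permission.ACCESS_BACKGROUND_LOCATION": 3,
    "android.permission.ACTIVITY_RECOGNITION": 2,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.ACCESS_COARSE_LOCATION": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.WRITE_CONTACTS": 1,
    "android.permission.CAMERA": 1,
    "android.permission.RECORD_AUDIO": 1,
    "android.permission.READ_CALENDAR": 1,
    "android.permission.READ_SMS": 1,
    "android.permission.READ_CALL_LOG": 1,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
}

# Constructed manifest for a hypothetical fitness-tracking app "FitLog".
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fitlog">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BODY_SENSORS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="FitLog" android:usesCleartextTraffic="true"/>
</manifest>
"""

# Permissions a fitness tracker's stated purpose justifies (assumed for the example).
FITLOG_PURPOSE = {
    "android.permission.BODY_SENSORS",
    "android.permission.ACCESS_FINE_LOCATION",
}


def requested_permissions(manifest_xml):
    """Return the sorted android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return sorted(el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr))


def allows_cleartext_traffic(manifest_xml):
    """True only when android:usesCleartextTraffic is explicitly set to true.

    The platform default depends on targetSdkVersion (cleartext allowed below
    API 28), so an absent attribute is reported as False here, not as 'safe'.
    """
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    return app.get("{%s}usesCleartextTraffic" % ANDROID_NS, "false").lower() == "true"


def assess_manifest(manifest_xml, permissions_needed_for_purpose):
    """Flag dangerous permissions, those not justified by the purpose, and a weighted score."""
    perms = requested_permissions(manifest_xml)
    dangerous = [p for p in perms if p in DANGEROUS_WEIGHTS]
    excess = sorted(set(dangerous) - set(permissions_needed_for_purpose))
    return {
        "requested": perms,
        "dangerous": dangerous,
        "excess_for_purpose": excess,
        "risk_score": sum(DANGEROUS_WEIGHTS[p] for p in dangerous),
        "cleartext_traffic": allows_cleartext_traffic(manifest_xml),
    }


if __name__ == "__main__":
    report = assess_manifest(SAMPLE_MANIFEST, FITLOG_PURPOSE)
    for key, value in report.items():
        print("%-20s %s" % (key, value))
```

For the constructed FitLog manifest the script flags READ_CONTACTS and CAMERA as dangerous permissions the stated purpose does not justify, reports a weighted score of 7, and notes the explicit opt-in to cleartext traffic. A real assessment would combine this with the other checks the reviewed studies apply (consent flow, privacy policy text, transparency), which a manifest alone cannot answer.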

C. EVALUATING RESEARCH IN THE INDUSTRIAL CONTEXT
The industry can benefit from several of the reviewed studies that have evaluated m/uHealth solutions in the market (see Table 7). As a result of the evaluation process, such studies are able to Identify App Attacks (i.e., [ER11]) and Identify App Vulnerabilities (i.e., [ER01, ER11, ER20, ER27, ER43]). Another group of studies evaluated wearables and wireless connectivity to Identify Flawed Protocols (i.e., [ER16, ER23, ER26]) and Remote Attacks on HeartBeat-Based Security (i.e., [ER44]). Most remarkably, several studies (n = 9) reported that the available apps show a Lack of Privacy Policies (e.g., non-existent, insufficient, unclear or unreadable policies). Compliance was also a recurring theme (n = 13): whether with respect to current privacy laws or to security standards, many m/uHealth solutions were found to be non-compliant.

D. EVALUATION RESEARCH -SOLUTIONS AS MODELS AND FRAMEWORKS
Beyond the evaluation processes per se, we also provide a panorama of the security and privacy solutions that have been proposed and evaluated in the context of m/uHealth. Solutions essentially fall into three groups: (1) security and privacy models and frameworks (theoretical); (2) security and privacy assessment methods (risk-driven analysis); and (3) security and privacy systems and applications (technologies). Models and frameworks (see Table 8) start from a theoretical solution to a problem that is later implemented and evaluated in practice. Some propose Security Frameworks that use a wide array of cryptographic mechanisms to achieve confidentiality, integrity and availability (CIA) (i.e., [ER12, ER41]). A couple of the reviewed papers developed specific cryptographic mechanisms for Key Distribution Schemes (i.e., [ER18]) or Privacy Data Release (i.e., [ER15]). There is also a study describing a Privacy Model for mHealth apps (i.e., [ER05]) and another defining a Security Testing Environment to analyse an app's communication and data handling (i.e., [ER01]).

E. EVALUATION RESEARCH -SOLUTIONS AS SECURITY AND PRIVACY ASSESSMENTS METHODS
A major part of the solutions in the evaluation studies is devoted to various approaches for assessing security and privacy in m/uHealth systems. These solutions tend to be risk-driven, proposing new methodologies for identifying threats, calculating risks and selecting controls. As mentioned, some methodologies take a broader perspective, yet address security and privacy as part of their App Assessment Criteria and System Specification Assessment (i.e., [ER24, ER42, ER09]). Only one study proposes an App Security and Privacy Assessment Methodology that reviews both the security and the privacy aspects of various apps (i.e., [ER36]). Geared toward privacy, some studies specialise in Information Privacy Risk Scores and Privacy Heuristic Eval-

F. EVALUATION RESEARCH -SOLUTIONS AS SECURITY AND PRIVACY TECHNOLOGIES
The last group of themes refers to two particular studies that describe the implementation of security and privacy controls. The first is a Graphical User Interface for Communicating Privacy Risks, a transparency-enhancing tool that allows users to analyse and compare apps with respect to privacy risks (i.e., [ER10]). The other is a Trust-Based Intrusion Detection System for Medical Smartphone Networks that establishes a level of trust among devices used in healthcare environments (i.e., [ER28]).

Rows of Table 8 (models and frameworks) recovered from the flattened text, as theme, emblematic quote, n and studies:
• (theme not recovered) "We also describe the conceptual framework adopted to address the hospital security requirements for implementation." [ER12]; n = 1; [ER12]
• Security Framework: "A data security framework was designed to ensure the security of data, which was stored locally and transmitted over public networks." [ER41]; n = 1; [ER41]
• Key Distribution Scheme: "A key distribution scheme based on a group send-receive model (GSRM" (quote truncated in the source)

G. QUALITY ASSESSMENT
Apart from the thematic analysis, we also assessed the quality of the evaluation studies using eleven research dimensions and the quality of the reported evidence (see Table 11). As explained in Section IV, for this quality assessment we followed the approach introduced in [61]. Overall, the studies received an average score of 8.57 (out of 11) on the quality assessment. A vast majority of the evaluation studies offer a sound research paper, with clearly defined aims and contributions. The main points of concern are the research design and sampling items, which consequently also negatively affect other factors. For example, one study [ER04] has a cumulative score of 9.5 (see Table 11), which indicates that the study is indeed a research paper (Res), i.e., not only a viewpoint or opinion, with clear aims (Aim) and context (Con), and that it details its research design (RDs). In this study, however, the sample (Sam) was rather small and there is no control group (Ctr), which affects the data collection (DCo) and data analysis (DAn). Lastly, in this study the authors also explicitly stated the possible biases (Bia), the main findings (Fin) and the value (Val) to other areas.
For the studies that achieved a cumulative score of 10 (e.g., [ER19, ER34]), the authors have done an excellent job of detailing all aspects of the reported research. However, in the studies with a low cumulative score (e.g., [ER11, ER14]), we found that important explanations were missing, particularly on the research design as well as details on data collection and analysis, which negatively impacted the overall research findings and value. Besides, it is also worth noting that none of the evaluation studies reported using a control group in their research. We found that 15 (out of 28) studies presented a clear and detailed description of the research design and methodology. The authors of these studies have carefully created or adopted assessment artefacts as part of their methodology, making it clear what is going to be evaluated and how, and enabling a high level of research reproducibility. Most of the studies evaluated existing apps, their privacy policies or wearable devices, and their authors would typically select a sample from a category of applications for this evaluation. In 13 of the evaluation studies the samples were small, which limits the extent of the evaluation of a new method for security or privacy assessment, and thus also limits the generalisability of the findings and the overall research value.

Rows of Table 9 (assessment methods) recovered from the flattened text, as theme, emblematic quote, n and studies:
• (theme not recovered) "Applying to the source code techniques of reverse engineering, we will try to perform an analysis that allows us to carry out the security check of the Android application HeartKeeper. [...] It can be applied to audit security on any other Android application." [ER11]; n = 1; [ER11]
• Security Testing Method: "we propose a testing method for Android mHealth apps which is designed using a threat analysis, considering possible attack scenarios and vulnerabilities specific to the domain" [ER20]; n not recovered; [ER20]
• Security Vulnerability Assessment Method: "Specific configuration of our evaluation testbed and then covers the methodology used for our testing procedures." [ER26]; n = 2; [ER23], [ER26]
• System Specification Assessment: "We describe a "system specification assessment" of several SMS text messaging applications [...]" [ER09]; n = 1; [ER09]

Rows of Table 10 (systems and applications) recovered from the flattened text:
• (theme not recovered) "The information privacy risk score and the graphical user interface are designed to enable users to better comprehend information privacy risks across multiple apps" [ER10]; n not recovered; [ER10]
• Trust-Based IDS for MSNs: "In this work, we focus on the detection of malicious devices in MSNs [Medical Smartphone Networks] and design a trust-based intrusion detection approach based on behavioral profiling." [ER28]; n = 1; [ER28]
Regarding data collection and analysis, 18 studies in each category provided a sufficient description in their methodologies. Other studies mentioned their data collection and analysis procedures, but the descriptions were too brief (e.g., lacking information about sources, surveys, or interview processes) or did not provide enough explanation and justification. Most of the studies (n = 24) defined an evaluation strategy to assess, test or scan for security and privacy issues, so that the authors could fairly evaluate the solutions in an unbiased manner. Lastly, 17 and 15 studies, respectively, scored positively on research findings and research value, where we mainly looked at whether the authors clearly stated the research findings and the value of the research to the broader community. However, we found that the findings and value scores were also negatively influenced by the quality of the research design and other processes.

VIII. REVIEW AND DISCUSSION OF THE SMS RESULTS
After answering all the RQs individually, in this section we review and discuss the core findings of the mapping study on the security and privacy of m/uHealth systems. This discussion aims to demonstrate the collective impact of the existing research in terms of its strengths and limitations, by highlighting the under- and over-researched areas, perceived trends and potential gaps based on the evidence from the literature. In the remainder of this section, we refer to the respective figures (Figure 3 to Figure 10) as illustrations and to the tables (Table 7 to Table 11) as structured information that complements the review provided here.

A. STAGE I ANALYSIS: TYPES, FREQUENCY, AND VENUES OF THE RESEARCH PUBLICATIONS
The Stage I analysis primarily focuses on the demographics of the published research, specifically the types, frequency and prominent venues of the research publications, which are reviewed below.

1) Types and frequency of the published research (RQ-1)
The results in Figure 3 show a steady increase in the number of publications on the topic. Over the years since the first published study on the topic in 2015, 90% of the publications have appeared in scientific journals and conference proceedings. Most of the contributions, as shown in Figure 4, are solution proposals, usually applying some kind of validation through prototyping, performance analysis or user studies. However, only about 60/365 (i.e., 16.5%) of the publications report a proper evaluation of the systems, i.e., a real-life deployment with medium- to large-scale testing with end users, such as [ER40, ER41]. Although validation is the first step before any evaluation stage, it is important that researchers take such initiatives further and deploy the proposed solutions in real systems with real users. Validation of prototypes tends to be of rather limited scope, with simplified assumptions that often do not represent the level of complexity that exists in the environment of m/uHealth technologies, as in [P279, P306]. Validation methods also tend to focus on benchmarking a set of variables for performance analysis (e.g., time consumption, memory requirements or usability), instead of fully engaging with all users, stakeholders and the real problems that need to be solved. Specifically, the reported solutions tend to compete on performance benchmarks or argue for higher levels of security and privacy, but the question remains whether they really address an existing problem in people's lives, and what the impact of the improved performance is. Essentially, rigorous evaluation brings to the surface the tangible relevance of the research, so as to avoid creating solutions to artificial problems, or even starting with a solution and only then trying to find a problem to apply it to.

2) Prominent venues of the publications (RQ-2)
Another important finding relates to the publication venues (Table 3). The area of m/uHealth has seen much growth during the past decade, but the contributions are rather sparsely distributed across a large number of scientific journals and conferences. In fact, this SMS does not reveal any major leading venue in the field. Even the top nine venues listed in Table 3 represent only 20% of the mapped studies (such as [P114, P134]), leaving the large majority, almost 80%, of the studies thinly distributed among dozens of other publication venues. These top venues do, however, include prominent journals with significant impact factors as well as proceedings from well-known conferences. It is also worth noticing that more than half of these top venues have a rather general research scope, and four of them are in the broad field of health informatics. The topic of security and privacy for m/uHealth is actually highly specialised, and the existing research frequently falls into sub-tracks of existing journals and conferences. For instance, the Journal of Medical Internet Research has the sister journal JMIR mHealth and uHealth, which has security and privacy as one of its tracks.

B. STAGE II ANALYSIS: THE EXISTING SOLUTIONS AND VALIDATION RESEARCH
The Stage II analysis presents the mapping of the existing solutions and their evaluations for engineering secure and private m/uHealth systems, which are reviewed below.

C. EXISTING SOLUTIONS OF THE SECURITY AND PRIVACY OF M/UHEALTH (RQ-3)
The systematic map presented in Figure 9 allows us to observe an interesting phenomenon: most publications (≈ 85%) match only six out of the twenty control families. Across these twenty families, NIST Special Publication 800-53 provides a total of 276 security and privacy controls. The top six families with the most matches (see Figure 6) account for a total of 105 controls (i.e., SC = 41, AC = 23, SI = 19, IA = 12, IP = 6, PA = 4). A closer look at these six families reveals that they cover the most fundamental security and privacy controls, such as confidential communication (encryption) (e.g., [P160, P161]), authentication and key exchange (e.g., [P29, P30]), information integrity (e.g., [P139, P140]), authorisation and access control (e.g., [P146, P159]), individual participation and sharing of personal data (e.g., [P185]), and audit and accountability (e.g., [P182]). These controls are mostly technical, i.e., they use technology to reduce vulnerabilities and can be installed and configured to provide protection automatically. On the one hand, the research focus on such controls reflects an emphasis in the community on getting the basics of security and privacy right, given that their correct implementation can indeed address the vast majority of threats faced by m/uHealth systems. On the other hand, less focus is given to organisational and managerial controls (e.g., [P81, P358]). Such under-represented control families are, however, critical to the operation of organisations using m/uHealth systems. There are a few hypotheses that could explain this observation: a) these areas are not viewed as critical as the others; b) researchers in security and privacy as well as m/uHealth practitioners may lack expertise in such areas; c) researchers may have a technical bias, and prefer to limit the scope to specific requirements of m/uHealth systems rather than organisational ones.
Nonetheless, implementing organisational controls such as data governance strategies and establishing security and privacy policies are indeed critical to the successful operation of any organisation, and even more so when processing personal health data. More emphasis on such control families is in fact warranted, especially for m/uHealth initiatives being deployed in low- and middle-income countries, which usually cover highly vulnerable populations.
Future research could focus on the under-represented control families. Many of these control families tend to address vulnerabilities related to broader aspects of an organisation (e.g., risk assessment, incident response, awareness and training, and program management), instead of purely technical controls that can be implemented in a particular m/uHealth system.
It is important to stress that strategies of security and privacy by design are technical approaches to a social problem [62], i.e., the fundamental human right to privacy. Security mechanisms and privacy-enhancing technologies cannot fix a broken business model. Organisational change is therefore indispensable for establishing a culture of security and privacy across all departments and divisions in a company.

D. EVALUATION STUDIES ON THE SECURITY AND PRIVACY OF M/UHEALTH SYSTEMS (RQ-4)
As described in Tables 5 and 6, most of the studies either evaluate a set of mHealth apps or their privacy policies (e.g., [ER04, ER06, ER34]). Empirical evidence on evaluation concentrates mainly on mHealth systems instead of uHealth systems (e.g., involving wearables, sensor networks or IoT in general). The reviewed studies used various approaches to evaluate the existing solutions, which we organised into a number of groups and themes. The first group of evaluation strategies (Table 5) comprises the themes of App Critical Content Analysis and App General Assessments, with a total of 3 studies [ER37, ER24, ER42]. These studies prescribe a general assessment geared towards quality and safety, considering privacy only to a limited extent, which is not sufficient for security and privacy compliance.
On the other hand, two other groups concentrate on such specialised assessments (Table 5), specifically for mHealth apps. For privacy, the theme of App Privacy Assessments contains 3 studies [ER19, ER29, ER36], and for security the group of themes on App Security Analysis, App Security Audit and App Vulnerability Scanning contains 6 studies in total [ER01, ER20, ER36, ER43, ER11, ER27]. These studies offer more suitable approaches for evaluating the security and privacy of mHealth apps. Nonetheless, the assessment strategies vary greatly, and future research could integrate these security/privacy assessments into a unified framework for mHealth apps. Such an integrated framework can also include the work on the theme of Server-Side Security Analysis (Table 6), i.e., jointly considering apps, servers, and third-party servers. This would be useful as a recommendation system built in line with the existing security and privacy standards and regulations in the health sector.
The privacy policies for mHealth apps were the most commonly evaluated artefacts (e.g., [ER34]). These assessments focus on the transparency and openness of mHealth apps, i.e., clearly defining what personal data is collected and processed and for which purposes, in easy and understandable language. This study has also revealed that there is a diverse set of privacy evaluation approaches that tend to rely on manual inspection as well as automatic measurement of text complexity. We see an opportunity for further research on comparing and integrating these evaluation approaches. Making privacy policies more understandable is critical for achieving users' informed consent under different privacy regulations (e.g., the EU GDPR).
Lastly, among the evaluation approaches, the themes of Wearable Security Assessment and Wireless Communication Security comprise 3 and 1 studies respectively (Table 6). These studies essentially evaluate the security of pairing wearable devices and the (lack of) security in the communication channels, e.g., due to misconfiguration or transmission of health data in plain text. Such studies help evaluate widely used devices on the market and wireless technologies (e.g., Fitbit, Bluetooth and NFC), demonstrating security attacks and potential data breaches. Here we also see that an integrated framework could be developed for the security and privacy of wearables and IoT devices.

1) Quality of Evaluation Studies
Overall, the quality of the reported evaluations for the existing solutions achieved a good mark of 8.57 (out of 11), as shown in Table 11. In fact, six evaluation studies achieved 10 marks, qualifying them among the top-ranked studies (i.e., [ER19, ER34, ER39, ER47, ER33, ER44]). These studies share a clear presentation addressing all the quality criteria: they clearly establish the research aims and context, detail the methodology and carry out the evaluation, describing all steps from the study design to the data collection and analysis.
To put things into perspective, four of these studies focused on evaluating privacy policies of mHealth apps ([ER19, ER34, ER39, ER47]). They carefully describe their research plan and gather a significant number of mHealth apps and their privacy policies for evaluation (ranging from 64 apps [ER19] up to 600 apps [ER47]). The evaluation follows a very structured and replicable review process, usually checking whether the privacy policies are available, their readability, the quality of the content and compliance with the existing regulations. Likewise, [ER33] describes a server-focused security analysis comprising 60 apps that were observed to communicate with 823 servers. The servers were then analysed using a set of security tools (i.e., BProxy, the testssl script and Qualys SSL Labs), also enabling a replicable collection and analysis of data. The last study, [ER44], evaluates the security of heartbeat-based mechanisms (biometric authentication) against a specific attack (i.e., remote photoplethysmography). Six subjects participated in the study, enabling the collection of video sequences from which individual heartbeats were detected correctly and accurately from a distance, proving the feasibility of the attack.

2) State of the Evaluation Studies
In this systematic review we found that, out of the 350+ papers that proposed new solutions in the area, a vast majority, 173 papers, are limited to a validation study. Only 52 studies performed an evaluation in practice, and of these only 28 studies focused on security and privacy solutions for m/uHealth (e.g., [ER04, ER11, ER18]). This suggests that the empirical evidence is rather limited and that most of the proposed solutions, which have only been validated, still need to be properly evaluated.
Almost all evaluation studies concentrate on the area of mHealth apps. A small portion of the evaluation studies addressed security and privacy for more advanced uHealth systems, such as: (a) wearables, the Internet of Things (IoT) and the Internet of Medical Things (IoMT) [ER26, ER23, ER35]; (b) the use of devices and standards in medical sensor networks [ER48, ER18, ER16]; and (c) biometric sensors for authentication [ER44].
In the field of mHealth systems there has been a greater emphasis on two specific areas, i.e., (a) security and privacy for mHealth apps (e.g., [ER19, ER20, ER27]), and (b) assessments of mHealth apps' privacy policies (e.g., [ER01, ER34]). It is imperative to further develop the proposals in these areas. Both groups of studies can be additionally analysed and compared, so as to account for multiple dimensions of security and privacy, towards an integrated framework for assessing mHealth systems.

IX. THREATS TO VALIDITY OF THE SMS
We now present some threats to the validity of this mapping study. As shown in Figure 2 (Section IV), we followed the guidelines and recommendations for conducting a mapping study from [23], which provide a systematic and objective manner to plan, conduct and document the SMS. However, customisations to the pre-defined methodological steps may lead to some bias and limitations that represent threats to the validity of this SMS, as detailed below.

A. THREAT I - LIMITATIONS OF THE SMS PLAN
The first threat relates to the planning of the SMS in terms of identifying the needs and justifications for such a mapping study. Considering the number of existing secondary studies (as in Table 1), during the planning phase there is a need to outline a scope for the mapping study that does not overlap with the existing research contributions. In order to avoid the risk of overlapping scope, we executed the search string (Listing 1) to ensure that no secondary studies exist on a similar topic. The results of the search string (Section IV-A1) did not return any relevant secondary study that focuses on the security and privacy of m/uHealth systems. Another important aspect of planning an SMS is to outline the research questions that provide the basis for an objective investigation of the studies being reviewed in the SMS. If the RQs are not explicitly stated or omit the key topics, the results of a mapping study can be flawed, overlooking key information. In order to avoid this threat, we outlined a number of RQs and an objective for each RQ (Section IV-A2) that aim to find answers about the frequency, progression, existing challenges, solutions and emerging research. We tried our best to minimise any bias or limitations during the planning phase in defining the scope and objectives of the SMS. Once the SMS plan was created, it was cross-checked (e.g., review of existing secondary studies, refinement of RQs) independently in an effort to minimise the limitations of the SMS plan before proceeding to the next phases.

B. THREAT II - CREDIBILITY OF THE LITERATURE SEARCH PROCESS
After SMS planning, the next threat relates to the identification and selection of the literature to be reviewed in the SMS. The process of selecting the papers to be reviewed is a critical step, as if relevant papers are missed, the results of an SMS may be flawed. We followed a two-step process (Section IV-B2), referred to as literature screening and qualitative assessment, to minimise the threats to the selection process of the reviewed papers in this SMS. Also, this SMS restricts the selection of publications to one scientific database, i.e., Scopus. This decision was made due to the sheer volume of publications retrieved from just one source. Scopus was nonetheless chosen since previous systematic reviews have shown that searches in this platform alone return a far-reaching set of papers that would otherwise largely be duplicated if other databases such as IEEE Xplore, ACM and PubMed were searched independently [63]-[65]. Furthermore, mapping studies are extendable, and other scientific databases could be considered provided that other researchers have enough resources to do so. In this SMS, we also narrowed the search to a five-year period (i.e., 2015-2019) in order to concentrate on the state of the art as well as to keep the study viable. Based on a step-wise search process, we are confident that we have minimised the limitations related to (i) excluding or overlooking any relevant study or (ii) including irrelevant or low-quality studies that could impact the results and their documentation in an SMS.

C. THREAT III - POTENTIAL BIAS IN SMS DOCUMENTATION
The last threat relates to potential bias in synthesising the data from the review and documenting the results. This means that any limitations in the data synthesis have a direct impact on the results of this SMS. Typical examples of such limitations could be a flawed research taxonomy, incorrect identification of research themes (identified challenges and proposed solutions) and a mismatch of emerging research trends. In order to minimise bias in synthesising and documenting the results, we created the taxonomies and the research facets in advance (detailed in our research protocol [55]). Two researchers were involved in synthesising the results, and the extracted data and synthesis were cross-checked by an independent researcher in order to ensure consistency. Apart from that, this SMS also offers a complete replication package that conveniently enables other researchers to reproduce and/or extend this review (described in Section IV-C).

X. CONCLUSION
The seminal work on ubiquitous computing by Mark Weiser [25] proposed that: "The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it." Today, m/uHealth technologies carry Weiser's vision towards pervasive and ubiquitous healthcare, promising access to health services anywhere and anytime. In the past decade, countless m/uHealth initiatives have been reported across nations of all income levels. The provision of health services through mobile and ubiquitous devices has started revolutionising health care systems across the globe. For example, high-income countries are leveraging sophisticated remote patient monitoring systems, with real-time analytics and emergency response facilities, while low- and middle-income countries are empowering front-line workers with mHealth systems for treatment adherence and public health surveillance in unserved and under-served communities.
However, the increasing number of security attacks and data privacy compromises are proving to be barriers to the full adoption of m/uHealth systems. Researchers have been producing a significant number of solutions, practices, tools and guidelines to address the security and privacy challenges of m/uHealth systems. This study has systematically selected, analysed and synthesised the relevant literature on the security and privacy of m/uHealth systems using an evidence-based software engineering methodology, the systematic mapping study. The results of this study are expected to be beneficial and insightful for the research community, developers and practitioners, helping them to quickly identify and understand the security and privacy challenges of m/uHealth systems and to determine the areas of future research.
Contributions and implications of the SMS: This SMS has identified and mapped most of the research on security and privacy of m/uHealth systems using technical controls for safeguarding health data. Far less attention is given to other, non-technical and organisational controls, even though they are critical for every organisation. Most of the research papers also propose new solutions that are only validated, instead of evaluated in practice. This indicates that more rigorous evaluation processes need to be adopted by researchers in order to strengthen the scientific evidence, and thus foster widespread adoption of security and privacy solutions in the context of m/uHealth systems.
The key contributions of this SMS are:
• Classify and compare the existing and emerging solutions, challenges and trends for security and privacy of m/uHealth.
• Provide an evaluation-focused analysis of the solutions implemented in practice, to identify common themes and appraise the quality of these evaluation studies.
The findings of this SMS can help:
• Researchers who are interested in a quick identification of the existing research.
• Practitioners who want to understand academic solutions that could be adopted in an industrial context.
Need for future systematic reviews: For future work, additional systematic reviews in the field would be beneficial, whether in the form of systematic literature reviews or mapping studies. For instance, literature reviews could focus on specific control families (e.g., solely on individual participation), types of application or technologies. Literature reviews or mapping studies can also be conducted for over-represented areas, since they can be narrowed down and further analysed (e.g., if feasible, perhaps at a control level instead of a family level).

M. ALI BABAR is currently a Professor with the School of Computer Science, The University of Adelaide. He is an Honorary Visiting Professor with the Software Institute, Nanjing University, China. He is the Director of Cyber Security Adelaide (CSA), which incorporates a node of the recently approved Cyber Security Cooperative Research Centre (CSCRC), whose estimated budget is around A$140 million over seven years, with A$50 million provided by the Australian Government. In the area of Software Engineering education, he led the University's effort to redevelop a Bachelor of Engineering (Software) degree that has been accredited by the Australian Computer Society and Engineers Australia (ACS/EA). Prior to joining The University of Adelaide, he spent almost seven years in Europe (Ireland, Denmark, and the U.K.) working as a Senior Researcher and an Academic. Before returning to Australia, he was a Reader in software engineering with Lancaster University. He has established an interdisciplinary research centre, the Centre for Research on Engineering Software Technologies (CREST), where he leads the research and research training of more than 20 members (12 of them Ph.D. students).
Apart from his work having industrial relevance, as evidenced by several R&D projects and a number of collaborations with industry and government agencies in Australia and Europe, his publications have been highly cited within the discipline of Software Engineering, as evidenced by his H-index of 48 with 8855 citations according to Google Scholar on June 20, 2020. He leads the theme on Platform and Architecture for Cyber Security as a Service with the Cyber Security Cooperative Research Centre. He has authored/co-authored more than 220 peer-reviewed publications in premier Software Technology journals and conferences.