AR and VR devices in the healthcare business: legal and ethical challenges

Thursday 6 July 2023

Evangelia Manika

Michalopoulou & Associates Lawgroup, Athens


Ioanna Michalopoulou

Michalopoulou & Associates Lawgroup, Athens


Aineias Spiliotis

Michalopoulou & Associates Lawgroup, Athens


The impact of AR and VR devices in the healthcare sector

Augmented reality (AR) encompasses the enrichment of the physical world by integrating computer-generated imagery through devices such as cameras, screens (eg, mobile devices), head-mounted displays (HMDs) or heads-up displays (HUDs). By effectively interacting with the physical environment, digital imagery allows for user manipulation and immersion.

Virtual reality (VR), on the other hand, involves a fully immersive experience within a virtual environment, usually requiring the use of a headset to replace the user’s visual surroundings with a simulated and interactive virtual realm. The term ‘extended reality’ is commonly used to encompass both augmented reality and virtual reality.

The healthcare sector is at the forefront of innovation, constantly driving significant advancements to improve human wellbeing. Between 2018 and 2025, a substantial growth surge is expected in the global market for AR and VR in the healthcare sector. The emergence of such technologies, exemplified by devices such as Oculus Quest 2 and Microsoft HoloLens, presents new opportunities for healthcare. VR enables individuals to engage fully in simulated environments, while AR overlays virtual objects or environments onto the physical world, enhancing contextual significance. The integration of AR and VR in the healthcare sector is anticipated to have a transformative and long-lasting impact, enhancing the safety of both patients and healthcare providers, and promoting innovation.

The healthcare sector has witnessed a significant rise in the adoption of AR/VR technology to enhance medical education for students, providing them with valuable practical experience before performing actual surgical procedures. Moreover, healthcare practitioners have been able to refine their expertise by practicing complex procedures on anatomical models in a simulated environment. Augmented reality applications have the potential to assist medical professionals in generating simulations of complex scenarios or addressing physician shortages by synchronising and interconnecting multiple sensors. Additionally, the use of AR applications in surgical procedures can improve patient safety by providing surgeons with real-time data on vital signs, procedural details, equipment positioning and other relevant information. Medical practitioners use virtual interfaces of AR to visualise patients’ organs, diseases, tumours or other abnormalities, expediting procedures while ensuring patient safety and enhancing healthcare professionals’ cognitive perception.

Furthermore, the implementation of AR applications holds significant potential in assisting medical practitioners in detecting, mitigating and treating a wide range of medical conditions, ultimately leading to improved prognostic outcomes. This system demonstrates the capability to integrate data gathered from diverse sensors and present it in a cohesive interface, facilitating the identification of precise factors contributing to a patient’s medical condition. Non-invasive techniques enable healthcare professionals to monitor various structures, including veins, lesions and organs.

In the healthcare sector, VR technology has been incorporated to evaluate sensory functions in patients with motor disabilities, such as muscle weakness resulting from a stroke. AR and VR technologies can also provide patients with the benefits of comprehending medical conditions, treatment specifics, and various procedures. As a result, the significance of telemedicine has grown in recent years as patients increasingly rely on virtual consultations. The integration of VR technology has enhanced the effectiveness of this approach.

Privacy and security risks

The use of AR/VR devices introduces new privacy concerns due to the diverse technologies involved and the extensive and sensitive data collected. These devices rely on the collection of comprehensive biometric data to create immersive experiences, making it a fundamental aspect of their operation. Consequently, VR and AR present distinct security challenges, encompassing typical vulnerabilities associated with electronic devices, as well as potential risks of physical harm and leakage of highly sensitive data. Similar to computers, tablets, smartphones and other internet of things devices, any VR system is susceptible to standard cybersecurity concerns and various types of cyberthreats, necessitating proactive anticipation.

Regarding privacy considerations, it is important to highlight that AR/VR devices collect a substantial amount of personal data from users to deliver highly personalised and realistic experiences in digital environments. This includes, but is not limited to: usernames, biometric identification, location data, demographic information, personal preferences and IP addresses. Additionally, the user’s avatar, which represents their physical appearance, may disclose information such as race, gender, age, gestures and behaviour. AR/VR devices also gather data on users’ social interactions and affiliations within the virtual world or application, such as videos, images, or screenshots.

The widespread collection of biometric data by AR/VR devices gives rise to unique privacy concerns not encountered with other technologies. Furthermore, in the context of physical appearance and location data, this information is essential for the proper functioning of AR applications, which rely on knowing the user’s position relative to geographical locations and physical objects to display appropriate digital overlays. Additionally, for user safety, VR devices and applications require knowledge of the user’s location and physical surroundings to provide alerts when approaching objects or crossing predefined boundaries.

These types of data can present significant privacy risks to users if not appropriately limited or protected. Privacy concerns regarding the collected data primarily revolve around anonymity and personal autonomy, referring to individuals’ ability to control the extent to which others can identify and observe them. Unauthorised acquisition, recording, dissemination or reproduction of this data by third parties can pose privacy risks if it reveals personal information. Furthermore, the data collected by AR/VR devices may disclose information about a user’s health, resulting in the processing of special categories of personal data. According to the General Data Protection Regulation (GDPR), the processing of such special categories of personal data is generally prohibited.

In this context, it is crucial for AR/VR device companies to safeguard the collected data from unauthorised access by establishing transparent personal data protection policies. These policies should encompass all categories of collected data, outline the methods of collection, specify how the data will be used, and delineate the rights of users. To the extent possible, data collection should be limited, and legal bases for processing users’ data should always be relied on. It is vital for these companies, as providers of AR/VR equipment, to implement technical and organisational measures to protect the data from breaches. However, it should be noted that existing data protection legislation, including the GDPR, may have certain legal gaps when addressing the various data protection risks posed by AR and VR devices, given the unpredictable and ever-evolving nature of these technologies. It is likely that new approaches to privacy and security will be necessary in the near future. Policymakers and legislators should be prepared to regulate based on the actual harms caused by emerging technologies. In this regard, specific guidelines from the European Data Protection Board on privacy issues arising from the use of AR and VR would be highly beneficial.

Lastly, the use of AR/VR devices introduces additional cybersecurity risks, including hacking, social engineering, malware, ransomware and more. There are also tangible risks to the physical safety of users. For instance, during VR gaming, users can easily lose their sense of position in the real world, resulting in injuries like collisions with walls. At the very least, individuals using AR/VR devices should adhere to basic cybersecurity principles. This includes keeping the devices up to date, utilising virtual private networks (VPNs) whenever possible to enhance overall security, and adopting measures that improve the identification of other users with whom data may be shared and interactions take place.

Ethical concerns

When using AR/VR technology in healthcare, it is essential to ensure that healthcare professionals are well-versed in the three fundamental principles which underlie various contemporary ethical guidelines. These principles include respect for individuals, beneficence, and justice. In this context, it is common to reference the four ethical principles formulated by Beauchamp and Childress. These principles are:

  • Autonomy – this principle emphasises the patient’s right to make decisions regarding their treatment through informed consent.
  • Beneficence – highlighting the clinician’s responsibility to act in the best interests of the patient.
  • Non-maleficence – this principle underlines the clinician’s duty to avoid causing harm by minimising risks.
  • Justice – pertaining to the fair and equitable distribution of benefits and burdens by the clinician.

Greece’s Code of Medical Ethics outlines five principles which are based on the above ethical principles. These are:

  1. Beneficence and non-maleficence – minimising costs and maximising benefits while ensuring protection from harm.
  2. Fidelity and responsibility – encompasses professionalism and societal obligations.
  3. Integrity
  4. Justice
  5. Respect for patients’ rights and dignity – includes upholding privacy, confidentiality, and respecting patient autonomy.

Both sets of guidelines provide criteria for the ethical use of technologies in the context of clinical care. Additionally, they emphasise the importance of acquiring and implementing the necessary technical skills to safeguard patient interests, such as configuring privacy settings and employing encryption.

It is worth considering the ethical implications of a scenario where a smartphone sends prompts to a patient when passing an advertisement for discounted food supplements and subsequently alerts them when the aisle with the special offer is nearby. The ethical concern lies in the algorithms having access to the patient’s preferences and attempting to influence their behaviour. This raises questions about the extent to which technology exerts influence on patients, potentially causing discomfort and altering their plans, such as shopping. While the impact of undue influence in this particular case may be deemed insignificant, it still represents a violation of autonomy. Additionally, if the algorithm responsible for enhancing the patient’s cognitive abilities was developed by a commercial entity that may receive remuneration from health and wellness vendors in grocery stores for directing the patient toward them, potential conflicts of interest must be carefully considered. Evaluating the algorithm’s potential to encroach on a patient’s autonomy requires diligent attention to such factors.


AR/VR devices and applications provide a glimpse into a future of healthcare that is more connected, adaptive, and enriched with immersive experiences. However, they also introduce unique challenges related to user data collection, privacy, and ethics that differ from other technologies. To harness the potential benefits while mitigating privacy risks, developers and legislators must carefully consider the potential harms associated with extensive data collection. It is crucial to approach AR/VR not as a single, monolithic technology but as a collection of diverse information-gathering technologies that provide a unified experience, particularly in the healthcare sector where the boundaries of autonomy in treatment may not be entirely clear.


Ellysse Dick, ‘Balancing User Privacy and Innovation in Augmented and Virtual Reality’, ITIF, March 2021, https://itif.org/publications/2021/03/04/balancing-user-privacy-and-innovation-augmented-and-virtual-reality accessed 26 June 2023.

US FDA, ‘Augmented Reality and Virtual Reality in Medical Devices’, 7 December 2022, https://www.fda.gov/medical-devices/digital-health-center-excellence/augmented-reality-and-virtual-reality-medical-devices accessed 26 June 2023.

‘Ethical Challenges of Virtual and Augmented Reality’, Insights success Media and Technology Pvt Ltd, 31 August 2018, https://insightssuccess.com/ethical-challenges-of-virtual-and-augmented-reality accessed 26 June 2023.

Law 3418/2005, Lawspot, 23 September 2014, https://www.lawspot.gr/node/27620 accessed 26 June 2023.

Tom L Beauchamp and James F Childress, Principles of Biomedical Ethics (Oxford University Press, 2001).

Virtual Reality Security, 2022 IEEE 2nd International Conference on Intelligent Reality (ICIR), https://digitalreality.ieee.org/publications/virtual-reality-security accessed 26 June 2023.

Apple Glass, Apple Insider, June 2023, https://appleinsider.com/inside/apple-glass accessed 26 June 2023.