IoMT Security: Protecting Medical IoT Devices
- IoMT systems are networks of interconnected medical devices and sensors that require patient safety, privacy, and real-time data protection.
- Layered security architectures, including secure boot, encryption, and network segmentation, are essential to mitigate vulnerabilities and lateral attacks.
- Advanced methods such as AI-driven intrusion detection and lightweight cryptography enable efficient security for resource-constrained medical devices.
Internet of Medical Things (IoMT) systems security concerns the protection of network-connected medical devices, supporting infrastructure, and associated data flows in modern healthcare environments. IoMT security encompasses a heterogeneous landscape including infusion pumps, wearables, implantables, imaging equipment, network gateways, edge/cloud resources, and interfaces with Electronic Health Records (EHR). The security goals align with traditional cybersecurity (confidentiality, integrity, availability) but are extended with strict patient-safety, privacy, and real-time assurance requirements, imposing severe constraints due to device resource limitations, legacy components, and complex trust boundaries.
1. Vulnerability Taxonomy in IoMT Devices and Ecosystems
Analysis of contemporary IoMT infrastructures reveals a multi-domain attack surface, as systematically categorized for infusion pumps but generalizable across medical IoT (Yener et al., 18 Sep 2025):
- Device-Level Flaws: Buffer overflows, memory corruption, sensor-manipulation attacks (e.g., adversarial inputs to closed-loop controllers), and hardware tampering. Notable are unsigned firmware artifacts and absent secure-boot mechanisms.
- Authentication & Access Control Weaknesses: Hardcoded/default credentials, unvalidated update channels, poor privilege segregation, and paths for credential exhaustion/lockout DoS.
- Network & Communication Issues: Use of plaintext protocols (HTTP, FTP), lack of end-to-end encryption, flat network topologies (unsegmented), and persistently open/misconfigured ports.
- Data Security & Privacy Risks: PHI leakage, incomplete access and audit logging, unencrypted storage media, and static cryptographic keys with no lifecycle management.
- Operational/Organizational Challenges: Outdated OSes (legacy Windows or embedded Linux), ad hoc patch management, insufficient network segmentation, and a lack of formal staff security training or third-party audits.
These vulnerabilities are routinely exploited in multi-stage attacks, with adversaries leveraging network-level entry points, propagating laterally across clinical networks, manipulating device state (e.g., infusion rates), and establishing persistence for PHI exfiltration or ransomware deployment.
2. Threat Modeling, Risk Assessment, and Metrics
IoMT threat models expand on traditional STRIDE and incorporate medical-specific considerations including patient-harm vectors, real-time requirements, and the amplification effects of lateral traversal in poorly segmented networks (Yener et al., 18 Sep 2025, Allouzi et al., 2021).
- Attack Progression: Sophisticated attackers may chain network attacks with device-level exploits and operational compromise—e.g., initial foothold via FTP/HTTP, credential capture through MITM, privilege escalation, and misuse of firmware interfaces for backdoor installation.
- Risk Quantification: Simple models compute risk as , with empirically derived from exploit presence/prevalence and as a patient safety/classification severity. More detailed approaches apply CVSS metrics, e.g.,
with and , using standard CVSS parameters.
Markov-chain modeling quantifies progression from benign to attack states according to transition probabilities set by discovered vulnerabilities’ CVSS scores, providing time-dependent probabilities of compromise and guiding prioritization of mitigation investments (Allouzi et al., 2021).
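A minimal worked version of the Markov-chain idea above, added here as an illustration and not code from the cited work: attack states form a chain (benign, network foothold, device control, persistence), and each step's transition probability is taken from the CVSS score of the vulnerability that enables it. The mapping CVSS/10 to probability, the state names and the sample scores are all assumptions for the example.

```python
"""Markov-chain compromise model driven by CVSS scores (added illustration).

Assumptions (not from the page): each discovered vulnerability's CVSS base
score, divided by 10, is the per-step probability of advancing from the
current state to the next, deeper state; the final state is absorbing.
"""
from typing import Dict, List, Tuple

# Attack chain states, in order. CVSS values are constructed samples.
STATES = ["benign", "foothold", "device_control", "persistence"]
SAMPLE_CVSS = {"foothold": 7.5, "device_control": 8.8, "persistence": 6.1}


def transition_matrix(cvss_by_state: Dict[str, float],
                      states: List[str] = STATES) -> List[List[float]]:
    """Row-stochastic matrix: from state i advance to i+1 with probability
    cvss/10 (assumed mapping), otherwise stay; the last state absorbs."""
    n = len(states)
    P = [[0.0] * n for _ in range(n)]
    for i in range(n):
        if i == n - 1:
            P[i][i] = 1.0
            continue
        p = cvss_by_state[states[i + 1]] / 10.0
        P[i][i + 1] = p
        P[i][i] = 1.0 - p
    return P


def step(dist: List[float], P: List[List[float]]) -> List[float]:
    """One time step: new distribution = dist * P."""
    return [sum(dist[i] * P[i][j] for i in range(len(dist)))
            for j in range(len(P))]


def compromise_probabilities(P: List[List[float]], steps: int) -> List[float]:
    """P(absorbing 'persistence' state reached) for t = 0..steps, starting
    from a fully benign device."""
    dist = [1.0] + [0.0] * (len(P) - 1)
    out = [dist[-1]]
    for _ in range(steps):
        dist = step(dist, P)
        out.append(dist[-1])
    return out


def mitigation_gain(cvss_by_state: Dict[str, float], state: str,
                    new_cvss: float, steps: int) -> Tuple[float, float]:
    """Compare P(persistence by t=steps) before and after lowering one
    state's exposure (e.g. patching), to rank where mitigation pays most."""
    before = compromise_probabilities(transition_matrix(cvss_by_state), steps)[-1]
    patched = dict(cvss_by_state, **{state: new_cvss})
    after = compromise_probabilities(transition_matrix(patched), steps)[-1]
    return before, after


if __name__ == "__main__":
    P = transition_matrix(SAMPLE_CVSS)
    for t, p in enumerate(compromise_probabilities(P, 6)):
        print(f"t={t}: P(persistence)={p:.3f}")
    for s in ("foothold", "device_control", "persistence"):
        b, a = mitigation_gain(SAMPLE_CVSS, s, 2.0, 6)
        print(f"reduce {s} to CVSS 2.0: {b:.3f} -> {a:.3f}")
```

Running the comparison loop shows which link in the chain, when hardened, lowers the time-dependent compromise probability most; that ranking is the prioritization signal the text refers to.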
Critical risk patterns include the confluence of default credentials and unsecured channels, legacy firmware, flat networks, and lax governance, underscoring the feasibility of undetected manipulation of device operation and PHI breaches.
3. Layered Security Architectures and Defense Strategies
Effective IoMT security integrates device, network, data, and organizational controls in a defense-in-depth posture (Yener et al., 18 Sep 2025, Ghubaish et al., 2023, Deb et al., 25 Jul 2025). Technical control recommendations include:
- Hardware Root of Trust: Secure boot and signed firmware prevent unauthorized code execution.
- End-to-End Encryption: All pump/gateway, device/cloud, and intra-hospital communication employs strong encryption (e.g., TLS 1.3, AES-128-CCM).
- Mutual Authentication: PKI-enabled mutual auth between devices, gateways, and backend systems.
- Network Segmentation: Micro-segmentation using VLANs and firewalls restricts lateral movement.
- Access Control and Zero Trust: Dynamic, context-sensitive authorization systems employing credential-based trust negotiation (e.g., Soter zero-trust framework) with trust metrics, policies over attributes (location, device health), and negotiation protocols resilient to replay and privilege escalation (Allouzi et al., 2024).
Organizational controls involve mandatory credential rotation, formal incident response playbooks, staff training, periodic red-team exercises, and vendor contractual SLAs enforcing security updates and vulnerability disclosures. Manufacturer guidance includes shipping devices with minimized attack surface, dynamic credential provisioning, and open APIs for SIEM/SOAR platform integration.
Generalized risk frameworks (e.g., Beyrouti et al.'s Vulnerability-Oriented Risk Identification) involve asset inventory, trust boundary definition, combined technical/organizational control selection, and continuous monitoring/reassessment tailored across wearables, imaging modalities, and automation robotics (Yener et al., 18 Sep 2025).
4. Intrusion Detection and Machine Learning for IoMT Security
Anomaly and threat detection in IoMT leverages machine learning at multiple points in the architecture, addressing both classic and zero-day threats (Mohamadi et al., 2024, Si-ahmed et al., 2022, Uddin et al., 14 Aug 2025, Jaiswal et al., 3 Apr 2026, Si-ahmed et al., 2024).
- Deep Learning Approaches: 1D-CNNs trained on temporally-encoded network traffic (e.g., CICIoMT2024 dataset) achieve high performance, e.g., ≥99% accuracy for binary, multi-class, and fine-grained (19-class) attack classification. Models automate feature discovery, infer temporal/structural anomalies, and display scalability advantages for multi-device, multi-protocol environments (Mohamadi et al., 2024).
- Tsetlin Machine IDS: Rule-based, propositional logic models (TM-based IDS) derive human-readable, low-latency detection with high accuracy (99.5% binary, 90.7% multi-class) and robust interpretability (class-wise vote scores, activation heatmaps) (Jaiswal et al., 3 Apr 2026).
- Hierarchical, Federated, and Split-Learning IDS: Multi-level frameworks deploy root anomaly classifiers (meta-learning or OCC for zero-day recognition) at edge or hub nodes (e.g., smartphones), passing only anomalies upward for attack-type disambiguation and analyst review, minimizing raw data flow and single-point-of-failure (Uddin et al., 14 Aug 2025, Si-ahmed et al., 2024, Sai et al., 1 Nov 2025). Federated and split learning support privacy-preserving, scalable model updates, overcoming communication and non-IID data challenges.
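The two-tier arrangement described in the last bullet, as an added example rather than code from the cited papers: an edge node runs a one-class anomaly screen trained only on benign flows and forwards just the anomalous records (with a deviation summary) to a hub, which disambiguates the attack type and queues anything it cannot label for analyst review. The statistical bounds model stands in for the meta-learning/OCC models in the literature; the flow features, training rows and hub rules are constructed for the example.

```python
"""Two-tier IDS: edge one-class screen, hub attack-type triage (added example).

The edge model learns per-feature bounds (mean +/- k*stdev) from benign
flow summaries only, so it needs no attack samples and can flag behaviour
it has never seen. Only anomalies travel upward, which is the data-flow
minimization property the hierarchical designs aim for.
"""
from statistics import mean, stdev
from typing import Dict, List, Tuple

FEATURES = ("packets_per_s", "bytes_per_pkt", "distinct_dst_ports", "failed_auth")

# Constructed benign flow summaries for one device (not real traffic).
BENIGN_TRAINING = [
    (12, 180, 2, 0), (15, 175, 2, 0), (10, 190, 3, 0),
    (14, 182, 2, 1), (11, 178, 3, 0), (13, 185, 2, 0),
]


class EdgeAnomalyScreen:
    """One-class model: per-feature [lo, hi] bounds learned from benign data."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.bounds: Dict[str, Tuple[float, float]] = {}

    def fit(self, rows):
        for i, name in enumerate(FEATURES):
            col = [r[i] for r in rows]
            # Floor on stdev avoids zero-width bounds for constant features.
            m, s = mean(col), max(stdev(col), 1e-6)
            self.bounds[name] = (m - self.k * s, m + self.k * s)
        return self

    def deviations(self, row) -> Dict[str, str]:
        """Map each out-of-bounds feature to 'high' or 'low'; empty = benign."""
        out = {}
        for i, name in enumerate(FEATURES):
            lo, hi = self.bounds[name]
            if row[i] > hi:
                out[name] = "high"
            elif row[i] < lo:
                out[name] = "low"
        return out


def hub_triage(dev: Dict[str, str]) -> str:
    """Attack-type disambiguation from the forwarded deviation summary.
    Unmatched patterns are a zero-day candidate and go to an analyst."""
    if dev.get("failed_auth") == "high":
        return "credential_bruteforce"
    if dev.get("distinct_dst_ports") == "high":
        return "port_scan"
    if dev.get("packets_per_s") == "high" and dev.get("bytes_per_pkt") == "low":
        return "flood"
    return "unknown_analyst_review"


def run_pipeline(screen: EdgeAnomalyScreen, rows) -> Tuple[List[Tuple[tuple, str]], int]:
    """Edge forwards only anomalous rows to the hub for labelling.
    Returns (labelled anomalies, number of rows that never left the edge)."""
    forwarded, kept_local = [], 0
    for r in rows:
        dev = screen.deviations(r)
        if dev:
            forwarded.append((r, hub_triage(dev)))
        else:
            kept_local += 1
    return forwarded, kept_local


if __name__ == "__main__":
    screen = EdgeAnomalyScreen().fit(BENIGN_TRAINING)
    # Constructed live records: one benign, then scan, brute force, flood, unknown.
    live = [(13, 180, 2, 0), (14, 60, 200, 0), (20, 120, 1, 40),
            (900, 64, 1, 0), (12, 400, 2, 0)]
    anomalies, local = run_pipeline(screen, live)
    print(f"{local} record(s) stayed at the edge")
    for row, label in anomalies:
        print(row, "->", label)
```

The "unknown" label is deliberate: a one-class screen detects departure from normal, and the hub's rules only name the patterns it already knows, so the leftover category is where new attack types surface for review.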
Explainable AI (e.g., SHAP) and post hoc interpretability are increasingly incorporated to support regulatory compliance, incident response, and multidisciplinary security team workflows (Si-ahmed et al., 2024).
5. Lightweight Cryptography and Practical Implementation Considerations
Resource constraints necessitate lightweight cryptographic protocols, adaptive authentication, and minimal overhead (Auwal, 26 Sep 2025, Vaseghi et al., 2023, Vaseghi et al., 2024, Ghubaish et al., 2023).
- Lightweight Encryption: AES-128 in CBC or CCM mode with per-message IVs secures data on resource-limited devices (e.g., NodeMCU and ESP32 platforms). Experiments demonstrate modest tradeoffs: a 56.25% latency increase (+45 ms), a CPU-utilization increase from 30% to 45%, and a power increment that remains compatible with battery or solar operation (Auwal, 26 Sep 2025). Implementing with static buffers and hardware RNGs further improves stability.
- Token-Based Authentication: One-time, time-expiring HMAC-bound tokens, anchored to device MACs, underpin efficient, replay-resilient authentication without public-key cryptography burden on-device (Vaseghi et al., 2023, Vaseghi et al., 2024).
- Usability and Usability-Security Trade-offs: Practical challenges include user credential entry on small form factors, network outage handling (offline grace modes), and regulatory alignment (HIPAA/GDPR) (Vaseghi et al., 2024).
- Cost Feasibility: Minimal component overhead (≤$12/device) supports deployment in under-resourced environments, with strategies for shared procurement and firmware retrofitting (Auwal, 26 Sep 2025).
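A concrete form of the token scheme in the Token-Based Authentication bullet, added as an example and not the cited papers' exact protocol: the device and gateway share a per-device secret, a token is an HMAC-SHA256 tag over the device MAC, a timestamp and a fresh nonce, and the gateway rejects expired or future-dated tokens, bad tags, and any nonce it has already accepted within the validity window. The TTL, clock-skew allowance and sample MAC/secret are assumptions.

```python
"""One-time, time-expiring HMAC tokens bound to a device MAC (added example).

Assumed design: token = {mac, ts, nonce, HMAC-SHA256(secret, mac|ts|nonce)}.
No public-key operations are needed on the device; the gateway holds the
per-device secrets and a bounded replay cache.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_S = 30    # validity window (assumed value)
CLOCK_SKEW_S = 5    # tolerated device/gateway clock drift (assumed value)


def _message(mac: str, ts: int, nonce: str) -> bytes:
    return f"{mac}|{ts}|{nonce}".encode()


def issue_token(secret: bytes, mac: str, now: Optional[float] = None) -> dict:
    """Device side: bind a fresh nonce and the current time to the MAC."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    tag = hmac.new(secret, _message(mac, ts, nonce), hashlib.sha256).hexdigest()
    return {"mac": mac, "ts": ts, "nonce": nonce, "tag": tag}


class TokenVerifier:
    """Gateway side: per-device secrets plus a replay cache keyed by (mac, nonce)."""

    def __init__(self, secrets_by_mac: Dict[str, bytes],
                 ttl: int = TOKEN_TTL_S, skew: int = CLOCK_SKEW_S):
        self._secrets = secrets_by_mac
        self._ttl = ttl
        self._skew = skew
        self._seen: Dict[Tuple[str, str], int] = {}  # (mac, nonce) -> forget-after time

    def _purge(self, now: int) -> None:
        # A nonce older than the window can never validate again, so it can be
        # dropped; this keeps the cache proportional to the request rate.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}

    def verify(self, token: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now_i = int(time.time() if now is None else now)
        self._purge(now_i)
        mac = token.get("mac", "")
        secret = self._secrets.get(mac)
        if secret is None:
            return False, "unknown device"
        ts = int(token.get("ts", 0))
        nonce = token.get("nonce", "")
        if now_i - ts > self._ttl:
            return False, "expired"
        if ts - now_i > self._skew:
            return False, "timestamp in the future"
        expected = hmac.new(secret, _message(mac, ts, nonce), hashlib.sha256).hexdigest()
        # Constant-time comparison so tag bytes do not leak through timing.
        if not hmac.compare_digest(expected, token.get("tag", "")):
            return False, "bad tag"
        if (mac, nonce) in self._seen:
            return False, "replayed nonce"
        self._seen[(mac, nonce)] = ts + self._ttl + self._skew
        return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-per-device-secret"   # constructed sample
    mac = "AA:BB:CC:DD:EE:01"                    # constructed sample
    gw = TokenVerifier({mac: secret})
    tok = issue_token(secret, mac)
    print("first use:", gw.verify(tok))
    print("replay:   ", gw.verify(tok))
```

Checks run cheapest-first (device lookup, window, then tag, then nonce), and the nonce is recorded only after the tag verifies, so a forged token cannot be used to burn a legitimate nonce.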
6. Trust Management, Identity, and Adaptive Security
5G-enabled IoMT, clustering, and device-to-device paradigms demand dynamic trust management, reputation exchange, and adaptive response (Yang et al., 2022, Allouzi et al., 2024).
- Intelligent Trust Cloud Management (ITCM): Uses interval type-2 fuzzy inference across multiple behavioral attributes (timely and successful forwarding), dynamically adapting 'trust clouds' through periodic training, recommendation, and similarity checks, reducing risk of malicious leadership in D2D clusters (Yang et al., 2022).
- Zero Trust and Credential Negotiation: Soter implements a policy-driven negotiation of trust, leveraging weighted credential sets, dynamic context attributes (e.g., device health, location), and formal risk scoring, all conducted over DTLS/COSE to ensure negotiation integrity and confidentiality (Allouzi et al., 2024).
Reputation systems, trust propagation, and periodic re-evaluation support robust clustering even under time-varying wireless conditions and benign/malicious population churn.
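An illustrative policy engine in the spirit of the credential-weighted, context-aware authorization described in the Zero Trust bullets of sections 3 and 6, added here as an example; it is not the Soter framework's own code, and the credential kinds, weights, context attributes, thresholds and risk formula are all assumptions. It shows how a weighted credential set and dynamic attributes (location, device health, firmware state) combine into a per-action allow/deny decision that defaults to deny.

```python
"""Attribute- and credential-weighted zero-trust authorization (added example).

Assumed model: each presented credential carries a trust weight; context
attributes produce a risk score in 0..1; every action has a policy with a
minimum trust, a maximum risk, permitted locations and required credential
kinds. Unknown actions and any failed check deny.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Credential:
    issuer: str     # e.g. hospital PKI, badge service, attestation service (assumed)
    kind: str       # device_cert | clinician_badge | attestation
    weight: float   # trust contributed (assumed, issuer-assigned values)


@dataclass(frozen=True)
class Context:
    location: str           # "icu" | "ward" | "remote"
    device_health: float    # 0..1 from the health/attestation check
    firmware_current: bool


# Per-action policy (assumed values for the example).
POLICIES = {
    "read_telemetry": dict(min_trust=1.0, max_risk=0.6,
                           locations={"icu", "ward", "remote"}, required=set()),
    "set_infusion_rate": dict(min_trust=2.5, max_risk=0.3,
                              locations={"icu", "ward"},
                              required={"clinician_badge", "attestation"}),
}


def trust_score(creds: Iterable[Credential]) -> float:
    """Sum weights, counting only the strongest credential of each kind so
    that presenting the same kind twice does not inflate trust."""
    best = {}
    for c in creds:
        best[c.kind] = max(best.get(c.kind, 0.0), c.weight)
    return sum(best.values())


def risk_score(ctx: Context) -> float:
    """Context risk in 0..1: degraded health, stale firmware and remote
    access each add to the score (weights are assumed)."""
    r = (1.0 - ctx.device_health) * 0.5
    if not ctx.firmware_current:
        r += 0.3
    if ctx.location == "remote":
        r += 0.2
    return min(r, 1.0)


def authorize(action: str, creds, ctx: Context) -> Tuple[bool, str]:
    """Policy decision; the reason string supports audit logging."""
    pol = POLICIES.get(action)
    if pol is None:
        return False, "unknown action (default deny)"
    if ctx.location not in pol["locations"]:
        return False, f"location {ctx.location} not permitted"
    missing = pol["required"] - {c.kind for c in creds}
    if missing:
        return False, "missing credential: " + ",".join(sorted(missing))
    t, r = trust_score(creds), risk_score(ctx)
    if t < pol["min_trust"]:
        return False, f"trust {t:.2f} below {pol['min_trust']}"
    if r > pol["max_risk"]:
        return False, f"risk {r:.2f} above {pol['max_risk']}"
    return True, f"allowed (trust {t:.2f}, risk {r:.2f})"


if __name__ == "__main__":
    creds = [Credential("hospital-pki", "device_cert", 1.0),
             Credential("badge-svc", "clinician_badge", 1.0),
             Credential("attest-svc", "attestation", 1.0)]
    for ctx in (Context("icu", 0.9, True), Context("icu", 0.9, False),
                Context("remote", 0.9, True)):
        print(ctx, "->", authorize("set_infusion_rate", creds, ctx))
```

The same credential set is enough to read telemetry from a device with stale firmware but not to change its infusion rate; that asymmetry is the point of tying the risk ceiling to the patient-harm potential of the action.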
7. Emerging Trends, Standards, and Regulatory Alignment
IoMT security frameworks increasingly incorporate blockchain for data integrity, auditability, and decentralized access control (e.g., EHR anchoring, permissioned PBFT overlays), with minimal on-chain storage to preserve scalability (Dai et al., 2020, Nkenyereye et al., 2020, Ghubaish et al., 2023). Advanced extensions (homomorphic encryption, ZKPs) are in research development for analytics and privacy.
Regulatory requirements—HIPAA (US), GDPR (EU), IEC 62304/ISO 14971 (device lifecycle/risk), IEC 80001 (networked device management), and emerging cybersecurity labeling (Singapore CSA, FDA)—mandate explicit controls for encryption, audit, access, patch management, and vulnerability disclosure (Deb et al., 25 Jul 2025).
Best-practice technical and organizational controls are summarized:
| Layer | Control | Example/Standard |
|---|---|---|
| Device/Sensor | Secure boot, code signing, ECC | IEC 62304, hardware root-trust |
| Gateway | Network segmentation, IDS/IPS | ISO 27001, NIST 800-53 |
| Network/Comms | TLS/DTLS, key management, microseg | HIPAA, GDPR |
| Cloud/Analytics | Audit logs, anomaly detection, blockchain | ISO 14971, FDA guidance |
| Org/Process | Incident response, red-team, vendor SLA | EU MDR, IEC 80001 |
Continuous monitoring, layered security, and a "secure-by-design" posture are essential for resilience against evolving attack capabilities and regulatory scrutiny.
The multi-layered, interdisciplinary challenge of IoMT systems security necessitates holistic integration of robust cryptographic protocols, adaptive trust management, layered IDS/AI, organizational controls, and alignment with evolving standards and threat models. Recent research synthesizes attacks, threat models, risk metrics, and mitigations into actionable frameworks for practitioners and device manufacturers (Yener et al., 18 Sep 2025, Deb et al., 25 Jul 2025, Allouzi et al., 2024, Mohamadi et al., 2024, Sai et al., 1 Nov 2025).