Medical Gaslighting in IoMT Attacks
- Medical gaslighting is defined as a cyber-physical attack where adversaries manipulate IoMT device parameters and falsify logs to mask dangerous physiological events.
- The methodology involves hazard-integrated CIA threat models that map attack trees and quantify clinical risks through probability and severity metrics.
- Forensic readiness strategies recommend BLE scanning, evidence preservation, and clinical log cross-referencing to detect tampered telemetry and mitigate harm.
Medical gaslighting, in the context of the Internet of Medical Things (IoMT) and Interpersonal Violence (IPV), denotes a distinct class of integrity-based cyber-physical system (CPS) attacks. Here, an adversary leverages remote or coerced access to a victim’s connected medical devices to surreptitiously induce physiological symptoms, while simultaneously falsifying telemetry or suppressing device logs such that clinical record review yields no evidence of the experienced disturbances. The resultant mismatch between a patient’s symptomatology and purported device data systematically erodes the victim’s confidence in their own bodily perceptions—constituting digital “crazymaking” or medical gaslighting (Straw et al., 18 Jan 2026).
1. Definition and Phenomenology of Medical Gaslighting
Medical gaslighting is operationalized as an integrity attack pathway wherein abusers manipulate medical device parameters (e.g., insulin dose scheduling, pacemaker pacing thresholds) to provoke acute or chronic pathophysiological events, such as hypoglycaemia or bradycardia. Concomitantly, adversaries suppress, forge, or sanitize device logs—typically via manufacturer APIs or telemetry exploits—ensuring clinical review reflects physiologically normal data. Victims, faced with discordant device records and personal symptoms, internalize doubt or self-blame, reinforcing the abuser’s psychological leverage [(Straw et al., 18 Jan 2026), Table 1].
2. Formal Structure: Hazard-Integrated CIA Threat Modeling
The investigative framework leverages an augmented Confidentiality–Integrity–Availability (CIA) threat model that integrates medical hazard data from adverse-event taxonomies. The model is formalized thus:
Let denote threat classes (Confidentiality, Integrity, Availability). For each , construct an attack tree:
Each leaf represents an adversarial step (e.g., UI-bound access, protocol exploit). Hazards map attack paths to clinical harm (retinal damage, seizure, syncope). Risk per path is defined as:
Here, is the adversarial likelihood, and the clinical severity aggregated across hazards. This structure enables direct mapping of IoMT exploits to short- and long-term biological consequences within clinical safety frameworks [(Straw et al., 18 Jan 2026), Section 3].
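As an added illustration of the hazard-integrated attack-tree model (not code from the paper), the following Python builds the insulin-pump integrity tree from Section 3 and ranks its paths by risk; the leaf likelihoods, the hazard severity scale and the product-of-likelihoods / sum-of-severities aggregation are all assumptions made here for illustration, since the paper's exact formula and scales are not reproduced on this page.

```python
from dataclasses import dataclass, field
from itertools import product

# Hazard-to-severity mapping (constructed, 1 = minor .. 5 = life-threatening);
# the paper's own adverse-event taxonomy and scale are not reproduced on this page.
SEVERITY = {"hypoglycaemia": 4, "seizure": 5, "retinopathy": 3}

@dataclass
class Node:
    name: str
    gate: str = "LEAF"              # "AND", "OR" or "LEAF"
    likelihood: float = 1.0         # adversarial likelihood of a leaf step (assumed value)
    hazards: tuple = ()             # clinical hazards reached when this node succeeds
    children: list = field(default_factory=list)

def attack_paths(node):
    """Enumerate complete attack paths as (step names, likelihood, hazards)."""
    if node.gate == "LEAF":
        return [([node.name], node.likelihood, set(node.hazards))]
    sub = [attack_paths(c) for c in node.children]
    if node.gate == "OR":                      # any one child suffices
        paths = [p for branch in sub for p in branch]
    else:                                      # AND: every child must succeed
        paths = []
        for combo in product(*sub):
            names, lik, hz = [], 1.0, set()
            for n, l, h in combo:
                names += n; lik *= l; hz |= h
            paths.append((names, lik, hz))
    return [(n, l, h | set(node.hazards)) for n, l, h in paths]

def path_risk(path):
    """Risk = likelihood x severity summed over distinct hazards (assumed aggregation)."""
    _, lik, hz = path
    return lik * sum(SEVERITY[h] for h in hz)

def ranked_risks(root):
    return sorted(((round(path_risk(p), 4), p[0]) for p in attack_paths(root)), reverse=True)

# Integrity attack tree for the insulin-pump scenario (illustrative likelihoods).
INSULIN_TREE = Node("Unrecorded hypoglycaemic episode", "AND",
    hazards=("hypoglycaemia", "seizure"), children=[
    Node("Gain therapy control", "OR", children=[
        Node("Shared credentials to programmer app", likelihood=0.6),
        Node("Telemetry protocol exploit", likelihood=0.1)]),
    Node("Conceal evidence", "OR", children=[
        Node("Delete CGM logs via manufacturer API", likelihood=0.4),
        Node("Forge normal readings", likelihood=0.3)]),
])
```

The ranked output shows which leaf combinations dominate the risk, which is where defensive controls (credential hygiene, tamper-evident logging) should be prioritised.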
3. Integrity Attack Orchestration Scenarios
The integrity attack tree details principal adversarial routes through device compromise. Prominent scenarios include:
A. Insulin Pump Gaslighting
- Adversary acquires UI or programmer app access via shared credentials.
- Manufacturer API is used to overwrite or delete CGM logs proximate to planned hypoglycaemic events.
- Insulin bolus is remotely scheduled (target 3 mmol/L glucose).
- Symptoms (dizziness, sweating, confusion) ensue.
- Clinical review of CGM cloud portal reveals normal readings.
- Victim experiences self-doubt due to discordant symptom–data reports.
B. Pacemaker Gaslighting
- Remote telemetry channel exploited for firmware updates.
- Pacing threshold raised, allowing intermittent bradycardia.
- Synthetic pacing logs are injected into cloud telemetry, concealing arrhythmic events.
- Symptoms (near-syncope, light-headedness) are documented.
- Physician review yields “normal” heart-rate histograms; complaints dismissed as psychological.
These scenarios typify device-augmented digital gaslighting mechanisms within the IoMT/IPV landscape [(Straw et al., 18 Jan 2026), Section 3.2].
4. Biological Consequences of Integrity Manipulations
Medical gaslighting produces both acute and chronic patient harms, mapped in the hazard-integrated model:
| Gaslighting Mechanism | Acute Effect | Chronic Effect |
|---|---|---|
| Insulin pump log/dose tamper | Hypoglycaemia: seizure, loss of consciousness (LOC) | Retinopathy, nephropathy, neuropathy |
| Pacemaker log/threshold tamper | Bradycardia: syncope, cardiac arrest risk | Arrhythmogenic remodeling, heart failure |
Acute manifestations follow single attack instances (e.g., hypoglycaemia leading to loss of consciousness), while chronic sequelae arise from repeated integrity attacks, potentially degrading cognition, mood, and organ function over time [(Straw et al., 18 Jan 2026), Figure 1; Malouf & Brust 1985; Hippisley-Cox & Coupland 2016].
5. Forensic Readiness and Evidence Detection
The paper’s immersive simulation delineates critical gaps in forensic readiness for detecting gaslighting-based integrity abuse. Recommendations include:
Scene-Level Triage:
- Deploy portable BLE sniffers to enumerate device advertisements (e.g., CGM sensors, programming modules).
- Maintain “ID sheets” for implant and assistive device cataloging.
Evidence Preservation:
- Archive device pairing logs (via smartphone/cloud backups).
- Apply Faraday containment or disable wireless features to prevent remote tampering.
- Photograph device identifiers and screen traces.
Forensic Analysis:
- Cross-reference device timestamps with victim-reported symptoms to detect temporal discrepancies.
- Utilize vendor forensic tools to recover deleted therapy logs from device storage.
- Involve clinical experts to interpret anomalous patterns in device data.
Legal and Procedural Integration:
- Standardize protocols for subpoenaing cloud-based device telemetry.
- Train safeguarding personnel to treat medical gaslighting as a digital crime within forensic paradigms, not merely a psychological phenomenon.
These recommendations target key failure points in current MedTech incident response and evidence workflows, highlighting the necessity for IoMT-aware triage, device cataloging, and clinical forensic collaboration [(Straw et al., 18 Jan 2026), Section 5.3].
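One way to implement the timestamp cross-referencing recommended above, as an added example that is not from the paper: the CGM log lines, the symptom diary, the 5-minute sampling interval and the 3.9 mmol/L "normal" threshold are all constructed here for illustration.

```python
from datetime import datetime, timedelta

# Constructed CGM telemetry export at a nominal 5-minute sampling interval; samples
# between 08:00 and 08:40 are absent, simulating log deletion around an episode.
CGM_LOG = """\
2026-01-18T07:55:00Z glucose=5.4
2026-01-18T08:00:00Z glucose=5.3
2026-01-18T08:40:00Z glucose=5.2
2026-01-18T08:45:00Z glucose=5.4
2026-01-18T11:55:00Z glucose=6.1
2026-01-18T12:00:00Z glucose=6.1
2026-01-18T12:05:00Z glucose=6.0
"""
# Constructed victim-reported symptom diary: (timestamp, reported symptoms).
SYMPTOMS = [
    ("2026-01-18T08:20:00Z", "dizziness, sweating, confusion"),
    ("2026-01-18T12:03:00Z", "dizziness"),
]
SAMPLE_INTERVAL = timedelta(minutes=5)
WINDOW = timedelta(minutes=30)   # search this far either side of a symptom report
HYPO_THRESHOLD = 3.9             # mmol/L; readings at or above this look "normal"

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    """Parse 'ISO-timestamp glucose=<mmol/L>' lines into sorted (datetime, float) pairs."""
    readings = []
    for line in text.splitlines():
        ts, kv = line.split()
        readings.append((parse_ts(ts), float(kv.split("=", 1)[1])))
    return sorted(readings)

def cross_reference(log_text, symptoms, interval=SAMPLE_INTERVAL, window=WINDOW):
    """Return (symptom_ts, finding, detail) for reports whose telemetry is missing or discordant."""
    readings = parse_log(log_text)
    findings = []
    for ts_str, desc in symptoms:
        t = parse_ts(ts_str)
        nearby = [(rt, g) for rt, g in readings if abs(rt - t) <= window]
        if not nearby:
            findings.append((ts_str, "no telemetry", "no samples within window"))
            continue
        # Gap check: consecutive samples more than twice the nominal interval apart.
        for (a, _), (b, _) in zip(nearby, nearby[1:]):
            if b - a > 2 * interval:
                findings.append((ts_str, "telemetry gap", f"{int((b - a).total_seconds() // 60)} min without samples"))
        # Discordance check: every retained sample looks normal despite reported symptoms.
        if all(g >= HYPO_THRESHOLD for _, g in nearby):
            findings.append((ts_str, "normal readings despite symptoms", f"min glucose {min(g for _, g in nearby)} ({desc})"))
    return findings
```

A gap finding coinciding with a symptom report is the pattern an investigator would escalate for vendor log recovery, while "normal despite symptoms" alone warrants clinical review of whether the retained readings are plausible.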
6. Implications for Device Security and IPV Safeguarding
The identification of medical gaslighting as a modality of integrity attack within IoMT/IPV contexts demands enhanced device defenses—such as robust authentication, tamper-evident logging, and audit trail integrity. Improved forensic capabilities, encompassing BLE scanning, clinical-forensic integration, and multi-vector threat awareness, are requisite for successful detection and adjudication. A plausible implication is the need to address both technical and sociomedical factors in the design of patient–technology ecosystems to preempt and remediate gaslighting attacks (Straw et al., 18 Jan 2026).
7. Clinical and Research Significance
Medical gaslighting, as mapped in hazard-integrated threat models, reframes a previously under-recognized cyber-physical abuse pathway and demonstrates the necessity of merging CPS security, clinical hazard mapping, and digital forensics. The distinctive threat environment for IPV survivors using therapeutic devices underscores the urgency for coordinated action by device vendors, healthcare providers, and forensic specialists. This suggests broader applications of hazard-integrated CIA modeling in emerging MedTech domains and calls for empirical validation via further immersive simulations and cross-disciplinary research.