Munchausen-by-IoMT Integrity Attacks

Updated 25 January 2026
  • Munchausen-by-IoMT is an integrity attack where IoMT data is falsely manipulated to simulate or hide physiological conditions, impacting clinical decisions.
  • It exploits compromised credentials and UI modifications to alter telemetry and therapy logs, directly mapping digital exploits to biological risks.
  • The threat highlights the urgent need for integrated cybersecurity and forensic protocols in MedTech, especially to support IPV survivors.

Munchausen-by-IoMT is an integrity-based cyber-physical attack pathway in which Internet of Medical Things (IoMT) devices or their associated ecosystems are manipulated to falsify physiological data or therapy logs, creating or fabricating medical harm through remote digital means. Such attacks parallel classic “Munchausen by proxy” abuse but exploit highly connected MedTech environments to orchestrate deception, mislead clinicians, and induce actual or apparent patient harm. The phenomenon is critically salient in contexts involving interpersonal violence (IPV), where a perpetrator may compromise therapeutic devices and records, producing acute or chronic clinical effects while concealing their actions from both the victim and their healthcare providers (Straw et al., 18 Jan 2026).

1. Threat Definition and Mechanisms

Munchausen-by-IoMT refers to integrity attacks in which IoMT platforms, such as connected insulin pumps or implantable cardiac devices, become vectors for falsifying biometric data, therapy settings, or event logs. This manipulation can be designed to simulate, exaggerate, or mask health anomalies, impacting symptom perception and clinical decision-making. A closely related mechanism is “medical gaslighting,” where compromised telemetry or edited device logs deny or discount a patient’s lived symptoms, with adversarial actors directly undermining patient-provider trust.

The attack typically exploits:

  • Account or device credential compromise (e.g., passwords obtained under coercion)
  • Local or remote access to device interfaces (through physical controllers or telehealth portals)
  • Transmission-layer manipulation of telemetry data (intercepting or substituting wireless reports)
  • UI-level modifications to device logs/treatment records

These vectors are rarely addressed by conventional MedTech security frameworks, which often prioritize defense against external, technically proficient adversaries rather than abusers operating with social access and contextual knowledge (Straw et al., 18 Jan 2026).

2. Hazard-Integrated CIA Threat Modeling

The primary modeling approach for Munchausen-by-IoMT is the hazard-integrated CIA (Confidentiality, Integrity, Availability) threat model. Each arm of the CIA triad is developed as a parallel attack tree, incorporating safety hazards identified in medical literature. For the integrity dimension, the formal definition is:

Let $T_I = (N_I, E_I, r_I, L_I)$, where:

  • $N$: nodes corresponding to attack steps
  • $E \subseteq N \times N$: parent-child edges (OR/AND decompositions)
  • $r$: root node, representing a goal to compromise integrity
  • $L: N \rightarrow H \cup \{\top\}$: labeling function assigning hazards $H_j$ (e.g., hypoglycemic seizure) or $\top$ (no direct hazard)

Subtrees under the integrity branch ($I_1$, $I_2$, $I_3$) model:

  • $I_1$: Attacks on patient portals and clinician communications
  • $I_2$: UI-bound access to local device logs for manipulation (medical gaslighting, Munchausen-by-IoMT)
  • $I_3$: Remote manipulation of telemetry streams

Each attack tree leaf is linked to a biological hazard, enabling mapping of digital exploits directly to potential harm.
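
The tuple definition above as a small data structure, with a check for the property that every leaf carries a hazard label. This is an added example, not code from Straw et al.: `AttackTree` and its methods are hypothetical names, the leaf steps and their hazard labels are constructed from the page's scenarios, and OR/AND gate types are not modeled.

```python
from typing import NamedTuple

TOP = "⊤"  # label for a node with no direct hazard

class AttackTree(NamedTuple):
    nodes: set    # N: attack steps
    edges: set    # E ⊆ N × N, stored as (parent, child)
    root: str     # r: the integrity-compromise goal
    label: dict   # L: N -> H ∪ {⊤}

    def children(self, n):
        return sorted(c for p, c in self.edges if p == n)

    def reachable(self, n):
        seen, stack = set(), [n]
        while stack:
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(self.children(cur))
        return seen

    def validate(self):
        """Raise ValueError unless (N, E, r, L) is a fully labeled rooted tree."""
        kids = [c for _, c in self.edges]
        if set(self.label) != self.nodes or any(
                not {p, c} <= self.nodes for p, c in self.edges):
            raise ValueError("L must cover N and E must stay inside N")
        if (self.root in kids or len(kids) != len(set(kids))
                or self.reachable(self.root) != self.nodes):
            raise ValueError("nodes must form one tree rooted at r")
        return self

    def hazards(self, n):  # hazards from H attached to n or any step beneath it
        return {self.label[m] for m in self.reachable(n)} - {TOP}

    def unmapped_leaves(self):  # leaves still labeled ⊤: no hazard recorded yet
        return sorted(n for n in self.nodes
                      if not self.children(n) and self.label[n] == TOP)

def build_integrity_tree():  # leaf steps and hazard labels are constructed
    label = {"r_I": TOP, "I1": TOP, "I2": TOP, "I3": TOP,
             "edit glucose log": "hypoglycemic seizure",
             "delete arrhythmia log": "syncopal episode",
             "substitute telemetry": "undetected hyperglycemia"}
    edges = {("r_I", "I1"), ("r_I", "I2"), ("r_I", "I3"), ("I3", "substitute telemetry"),
             ("I2", "edit glucose log"), ("I2", "delete arrhythmia log")}
    return AttackTree(set(label), edges, "r_I", label).validate()
```

In this constructed tree `unmapped_leaves()` reports `I1`, the subtree that has not yet been decomposed into hazard-bearing steps.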

3. Attack Scenarios and Process Flow

Munchausen-by-IoMT is exemplified by specific device scenarios:

| Scenario | Attack Vector | Manipulation Target |
|---|---|---|
| Connected Insulin Pump | Smartphone/app compromise; patient-programmer app | Glucose sensor history, insulin delivery logs |
| Implantable Pacemaker | Physical patient controller, unsecured UI | Arrhythmia event logs, session timestamps |

Scenario 1: Insulin Pump

  1. Attacker obtains access (credential theft or physical device control).
  2. Edits historical glucose logs to reflect normoglycemic trends during actual hypoglycemic events.
  3. Denies reality of acute symptoms to the victim using falsified device readings.
  4. Submits altered telemetry or cancels clinical follow-ups, deepening deception.

Scenario 2: Pacemaker

  1. Gains access via shared patient controller.
  2. Deletes or shifts arrhythmia event logs.
  3. Victim’s symptoms are dismissed as psychological due to “clean” device records.

These exploit chains are orchestrated to both create medical risk and undermine symptom reporting, leveraging trusted device outputs against the patient.

4. Biological and Clinical Consequences

The integrity-driven manipulation in Munchausen-by-IoMT produces immediate and delayed physiological harm:

Acute biological hazards:

  • Hypoglycemic seizures, confusion, or loss of consciousness (due to insulin management attack; true lows are hidden).
  • Syncopal episodes, near-fainting (arrhythmia erased from pacemaker logs).

Chronic effects:

  • Repeated undetected hyperglycemia leading to diabetic retinopathy or nephropathy.

These harms are compounded by misdiagnosis, unnecessary clinical escalation or de-escalation, and erosion of patient-clinician trust as device-generated data is assumed to be authoritative (Straw et al., 18 Jan 2026).

5. Forensic and Detection Challenges

Munchausen-by-IoMT attacks demonstrate a marked gap in forensic readiness. Practitioner simulations reveal that current forensic protocols frequently overlook IoMT device ecosystems:

  • MedTech devices are neglected as evidence sources.
  • Assistive and reproductive devices are routinely misclassified.
  • BLE broadcast artifacts (from advertisements) are not recognized or interpreted.

These detection failures render integrity attacks largely invisible in routine investigations. The mapping of digital manipulations to clinical hazards is rarely preserved, impairing attribution, harm quantification, and victim support. This suggests a significant need for development in digital evidence preservation and interpretation specifically targeting patient-technology ecosystems compromised via social-engineering or abuse-based vectors (Straw et al., 18 Jan 2026).
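
One way to surface the edits, deletions and timestamp shifts from Scenarios 1 and 2 during evidence review, assuming an independently retained copy of the records exists. This is an added example, not from the page or from Straw et al.; the record fields, ids, timestamps and values are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records; the field names are assumptions, not a device format.
REFERENCE = [  # copy retained outside the device/app, e.g. a clinic-side archive
    {"id": 101, "ts": "2026-01-10T02:14:00", "type": "glucose_mgdl", "value": 52},
    {"id": 102, "ts": "2026-01-10T02:19:00", "type": "glucose_mgdl", "value": 49},
    {"id": 103, "ts": "2026-01-10T03:05:00", "type": "arrhythmia_event", "value": 1},
    {"id": 104, "ts": "2026-01-10T04:30:00", "type": "arrhythmia_event", "value": 1},
]
DEVICE_EXPORT = [  # log as presented by the device UI after possible tampering
    {"id": 101, "ts": "2026-01-10T02:14:00", "type": "glucose_mgdl", "value": 98},
    {"id": 102, "ts": "2026-01-10T02:19:00", "type": "glucose_mgdl", "value": 49},
    {"id": 104, "ts": "2026-01-10T09:30:00", "type": "arrhythmia_event", "value": 1},
]

def reconcile(reference, export, max_skew=timedelta(seconds=60)):
    """Return (kind, id, detail) findings where the export departs from the reference."""
    findings, remaining = [], {r["id"]: r for r in export}
    for ref in reference:
        rec = remaining.pop(ref["id"], None)
        if rec is None:
            findings.append(("deleted", ref["id"], ref["type"]))
            continue
        skew = abs(datetime.fromisoformat(rec["ts"]) - datetime.fromisoformat(ref["ts"]))
        if skew > max_skew:
            findings.append(("shifted", ref["id"], f"{ref['ts']} -> {rec['ts']}"))
        if (rec["type"], rec["value"]) != (ref["type"], ref["value"]):
            findings.append(("edited", ref["id"], f"{ref['value']} -> {rec['value']}"))
    # Records present only in the export were never seen by the reference source.
    findings += [("inserted", r["id"], r["type"]) for r in remaining.values()]
    return findings
```

Each finding keeps the original and presented values side by side, so the digital manipulation can be recorded against the clinical event it concealed.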

6. Relationship to Other IoMT Threats

While Munchausen-by-IoMT is formally situated within integrity attack pathways, the hazard-integrated CIA model contextualizes it among a spectrum of IoMT vulnerabilities:

  • Confidentiality attacks: Compromise confidentiality (e.g., geolocation tracking from BLE broadcasts).
  • Availability attacks: Induce acute or sub-acute medical harms such as glycaemic emergencies, blindness, or mood destabilization by denying access to care or altering device operation.
  • Integrity attacks: Encompass both Munchausen-by-IoMT and medical gaslighting—distinguished by their focus on deceptive data manipulation—leading to erroneous treatment or symptom denial.

This integrated framework supports comprehensive threat analysis and motivates cross-disciplinary approaches combining cybersecurity, clinical safety, and abuse-aware red teaming (Straw et al., 18 Jan 2026).

7. Implications for MedTech Cybersecurity in IPV Contexts

Munchausen-by-IoMT illustrates the necessity for MedTech cybersecurity frameworks that recognize insider abuse, coercion, and contextual adversaries. The current focus on external, technically skilled attackers does not account for the multi-vector, socially mediated threat environment faced by IPV survivors reliant on digital therapeutic devices. Integrated threat modeling, forensic enhancement, and clinical awareness are essential for effective risk mitigation and patient safeguarding in the evolving IoMT landscape (Straw et al., 18 Jan 2026).
