Content uploaded by Sangeeta Mittal
Author content
All content in this area was uploaded by Sangeeta Mittal on Oct 27, 2022
Content may be subject to copyright.
Internet of Medical Things (IoMT) Security and Privacy: A Survey
of Recent Advances and Enabling Technologies
Arpna Saxena
Research Scholar, Jaypee Institute of Information and
Technology
saxenaarpna@gmail.com
Dr. Sangeeta Mittal
Associate Professor, CSE Department, Jaypee Institute of
Information and Technology
sangeeta.mittal@jiit.ac.in
ABSTRACT
Healthcare has undergone a rapid shift from traditional to smart
health care system in recent times. The new paradigm takes a
patient-centered approach and oers a variety of benets to pa-
tients. Rapid technological developments have allowed for such a
quick shift. The Internet of medical things (IoMT) is a key com-
ponent of the development of smart health care systems. The cur-
rent pandemic situation has demonstrated that IoMT systems can
provide a quick patient diagnosis by continually monitoring their
health and perhaps saving lives in the event of an emergency. But
most IoMT devices were not built with security in mind, making
them vulnerable to cyber-attacks. Furthermore, many gadgets such
as smart sensors, wearable devices, handheld devices, and a variety
of other heterogeneous devices being connected in a network for
the smooth running of communication in healthcare make this
system more vulnerable to security and privacy attacks. Security
of IoMT devices and data is of paramount importance and critical
to protecting the lives of patients. This survey attempts to explore
applications of various recent technologies, particularly blockchain,
PUFs, and AI/ML, in terms of security, privacy, protection, integrity,
and authentication in IoMT ecosystem. In addition, insights into the
benets and limitations of existing security and privacy solutions
have been provided.
CCS CONCEPTS
•Security and privacy
→
Formal methods and theory of secu-
rity; Security requirements; Security services; Privacy-preserving
protocols; Systems security; Distributed systems security; Software
and application security; Domain-specic security and privacy ar-
chitectures.
KEYWORDS
IoMT related vulnerabilities, healthcare, privacy, security, IoMT
infrastructure
ACM Reference Format:
Arpna Saxena and Dr. Sangeeta Mittal. 2022. Internet of Medical Things
(IoMT) Security and Privacy: A Survey of Recent Advances and Enabling
Technologies. In 2022 Fourteenth International Conference on Contemporary
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for prot or commercial advantage and that copies bear this notice and the full citation
on the rst page. Copyrights for components of this work owned by others than ACM
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,
to post on servers or to redistribute to lists, requires prior specic permission and/or a
fee. Request permissions from permissions@acm.org.
IC3-2022, August 04–06, 2022, Noida, India
©2022 Association for Computing Machinery.
ACM ISBN 978-1-4503-9675-2/22/08. . . $15.00
https://doi.org/10.1145/3549206.3549301
Computing (IC3) (IC3-2022), August 04–06, 2022, Noida, India. ACM, New
York, NY, USA, 10 pages. https://doi.org/10.1145/3549206.3549301
1INTRODUCTION
The Internet of Things (IoT) is a rapidly evolving technology that
allows infrastructure, computerized machines, physical things, ap-
plications, and individuals to connect, communicate capture, and
exchange data via networking [
1
] [
2
]. The Internet of Medical
Things (IoMT) is the application of IoT in medicine and healthcare
[3] [4].
IoMT allows for machine-to-machine communication as well
as real-time data streaming between data sources(medical devices)
and data users. These devices, which include everything from blood
pressure cus for at-home usage to stretchers for hospital use have
to be equipped with sensors and Internet connectivity to be part of
IoMT. WHO predicts an 18 million health sta decit by 2030 [
5
].
IoMT has the potential to ll this gap and revolutionize healthcare.
It will also enhance the quality of medical services by enabling
ubiquitous healthcare.
Connected medical IoT devices may track patients’ health even
when they are not hospitalized. People can be enrolled for checkups
according to their vitals, and can even be remotely controlled for
how they take their drugs. This remote monitoring with immediate
feedback will be very ecient in providing proactive healthcare
to all. Medical devices and biosensors are in charge of capturing
the body’s vital signs and transferring massive amounts of raw
biological data in real-time, such as heart rate, brain signal, body
temperature, and glucose level in blood [
6
]. Data emanating from
these devices are transmitted to nearby computing devices like
the user’s mobile phone followed by some onboard processing
and sharing over medical servers in cloud. In addition, personal
servers typically include a computing analysis facility that is linked
to a local archiving database to store the patient’s initial records.
In addition, its warning system noties the patient whenever an
abnormality is detected [7]
IoMT promises a smart hospital infrastructure with all medical
facilities networked. The new facility replaces the hassle of paper
registries with an automated, centralized database and a single
management system that allows hospitals to share information,
resources, and insights quickly and optimally.
Bluetooth is primarily used in connecting wearable devices to
nearby computing devices. However, nowadays, RFID and NFC are
also available to support an ultra-low-energy short-range communi-
cation topology. As a result, they are also applicable in implantable
devices [
7
]. The aggregated data at the personal computing de-
vices is periodically directed to the medical server using Wi-Fi /
wired Internet connectivity. Typically, medium- and long-term data
IC3-2022, August 04–06, 2022, Noida, India Arpna Saxena and Sangeeta Mial
analytics are performed in the cloud. However, cloud computing ex-
periences diculties with latency and privacy. As a result, in 2017,
the term fog computing at gateways (fog devices) was coined [
8
].
This approach is used to move some cloud computing tasks closer
to smart devices in order to achieve faster computation while main-
taining privacy. It is impossible to deny that using smart medical
devices has made life easier and healthier. However, these devices
have numerous safety and security aws that endanger not only
the devices but also the patient’s life [9].
In order to deal with attacks, threats, and vulnerabilities while
data is in transit, IoMT requires an ecient and robust security
system. For several years, IoMT security has been a source of con-
cern. The purpose of this survey paper is to highlight cutting-edge
security and privacy research in the eld of IoMT. The proposed
survey is a comprehensive survey that attempts to cover all aspects
of IoMT security. It examines current security and attack techniques
for IoMT systems.
The main contributions are as follows:
1) We look at the security requirements for IoMT systems as well
as various techniques for secure data collection, transmission, and
storage.
2) We go over the various security techniques and their resistance
to various types of attacks. We contend that no single technique
can provide complete protection against the majority of known
attacks on these systems.
3) We investigate the IoMT attack surface and demonstrate the
resistance of these security techniques to such attacks. This includes
recent attacks on IoMT systems.
The remainder of the paper is structured as follows: Section 2
explains the IoMT ecosystem in detail. Section 3 discusses various
enabling technologies specically for IoMT. Section 4 goes over
IoMT Security in depth. It also describes dierent security solutions
oered by researchers. Section 5 discusses IoMT privacy issues,
challenges, and solutions. Section 6 wraps up this survey study by
discussing research gaps.
2IOMT BASED HEALTHCARE SYSTEM
Legacy healthcare system involves patients, healthcare practition-
ers, testing laboratories, medical providers, and caregivers. In IoMT
based healthcare system, apart from these some more entities are
added for automated patient monitoring and continuous health
analysis. These entities include wearable devices, and mobile apps
to rst capture and relay data to cloud-based medical servers in a
secure manner [10].
2.1 Types of IoMT devices
There are currently numerous types of IoMT devices. They are
classied into ve categories:
a) Consumer health-monitoring gadgets: Devices like smart
bands, connected weighing machines and pedometers, connect to
mobile devices via Bluetooth technology. These devices are concern-
ing because they "walk" into an environment, are not "sanctioned"
by healthcare organizations, and are unreachable on the network.
b) Internally embedded medical devices: Consider pacemakers or
other medical devices that are physically implanted in the patient
but communicate wirelessly (either with proprietary protocols or
Bluetooth). As these IoMT mobile devices are temporarily used, thus
the security of data is normally the least concern of manufacturers
and thus can be attacked by perpetrators.
c) Wearable external medical devices: This category includes
items such as portable insulin pumps, BP machines, diabetes check-
ing devices, etc. These devices are also nowadays mobile-app based
for logging and recording and thus data may be insecurely shared.
d) Stationary medical devices: These are the traditional medical
equipment like X-Ray machines, MRI scanners, and ultrasound
machines that wirelessly transmit data to various stakeholders
using low-range connection technology.
e) Medical systems and equipment from the past: Legacy sys-
tems and technology like PACs, x-ray systems, and CAT scan equip-
ment that are currently in use by the majority of hospitals and
health systems. Many of these devices are now connected to IoMT.
2.2 IoMT System Infrastructure
The Open Web Application Security Project (OWASP) denes the
following typical components in IoMT solutions [11].
a) Endpoints: According to the FDA, connected medical devices
(IoMT endpoints) are medical devices that are linked to hospital
networks, the Internet, or other medical devices. It may also include
non-medical devices such as environmental sensors that can be
used in IoMT environments.
b) Gateways: These are networking devices that help to connect
weak endpoints. They are used as a backend bridge network.
c) Back-end: Current IoT systems rely on back-end servers to run
the IoMT solution, as well as process and store data.
d) Mobile devices/applications: Mobile devices/applications are
commonly used in IoT systems to provide remote control of end-
points and back-end management, as well as instant alerts.
Fig 1. shows that the required components in an IoMT solution
may vary depending on the solution
2.3 Motivation for this study
IoT network and its connected cloud servers handle a large amount
of data, data security and privacy for users and devices are top
priorities. Hackers are actively investigating the industry, consid-
ering IoMT data to be "easy prey." When medical records are sold,
they can fetch a fortune. It’s worth noting that cybercriminals are
now targeting small private clinics as well as large public hospitals
with extensive networks of connected devices. IoMT specically
demands improved security because, unlike in other industries, a
security breach in a healthcare network can result in loss of human
lives.
3ENABLING TECHNOLOGIES FOR IOMT
SECURITY
Various technologies have been proposed to be used to address
security challenges in IoMT. These technologies namely Physically
Unclonable Function (PUF) devices, Software Dened Networks,
Articial Intelligence and blockchain can be used for security at
dierent stages of data sensing and communication.
Internet of Medical Things (IoMT) Security and Privacy: A Survey of Recent Advances and Enabling Technologies IC3-2022, August 04–06, 2022, Noida, India
Figure 1: IoMT Infrastructure
Figure 2: PUF enabled IoMT
3.1 Physically Unclonable Function (PUF)
Devices
PUF devices create a unique ngerprint for the IoMT ecosystem’s
vulnerable elements. The variations in the fabrication of these de-
vices result in unique ngerprints/signatures [
12
]. These unique
patterns can be used to generate cryptographic keys for encrypted
communication in devices making them resistant to hardware tam-
pering. Figure 2 depicts the mapping of PUF devices. In this map-
ping, the PUF devices are located in the thing layer. When it comes
to the authentication of IoMT devices in the ecosystem, these de-
vices play a critical role.
3.2 Blockchain Technology
Blockchain is a decentralized ledger that records network com-
puting node transactions. The blockchain is made up of blocks or
nodes that are linked together via a network, and the information
exchanged between any of the nodes in the network is recorded and
can be used for cross-referencing. As a blockchain is a distributed
public ledger, data shared is transparent and immutable by attackers
[
13
]. Smart contract on consortium block chain can be used to man-
age and control patient’s health records by the healthcare industry
to a patient-centric application. These contracts are designed to
be self-executing and thus do not require supervision. Ethereum
is a popular "smart contract" company that facilitates their service
on blockchain platforms [
14
]. Using such systems, patients are in
IC3-2022, August 04–06, 2022, Noida, India Arpna Saxena and Sangeeta Mial
Figure 3: Components of Blockchain based healthcare system
control of their health data. Figure 3 shows the communication
among various stakeholders via blockchain based ecosystem.
With the benet of implementing blockchain systems comes
an element of reliability as the ow of data into the healthcare
ecosystem continues to grow. Blockchain promises to meet the
growing need for healthcare infrastructure data exchange. Many
major healthcare providers have already started disseminating their
data on blockchains.
3.3 Software Dened Network (SDN)
A Software Dened Network (SDN) is a virtual network that can be
eciently managed by a software application namely “Controller”.
The controller is a middleware that connects to application logic
via Northbound APIs and health devices via Southbound API. As
the controller is the central device, it is easier to install security in
them.
In IoMTs, the network communication is divided into two parts:
(1) the data plane and (2) the control plane. The Data plane is
responsible for carrying actual trac while the control plane can
manage all the devices like sharing topological information, security
parameters, and making routing decisions. SDN (Software-Dened
Networking) is a standard method of communicating between the
data plane and the control plane. OpenFlow, Open Switch Database
Management protocol, and OpenFlow Conguration protocol (OF-
CONFIG) are examples of standard SDN protocols [
15
]. Because
the interface between the data plane and the control plane can be
made standard using a standard SDN protocol, a variety of data
from the data plane can be collected from an external server (which
could be in the cloud) using the standard OpenFlow protocol. This
allows for the development of various e-healthcare applications
that can reside on the cloud layer. One of the main goals of the SDN
- IOT framework is to address the authentication vulnerabilities
in HTTP protocol. The combination of IoMT with SDN improves
IoT operations and security by allowing full and remote control of
network setup without requiring direct contact with IoT devices.
3.4 Articial Intelligence (AI) and Machine
Learning (ML) Concepts
Precision medicine necessitate advanced diagnostics and tailored
regimens with short turnaround times. AI makes a strong case for
this by providing real-time solutions for determining new pathways
for treating specic conditions based on historical and real-time
data. AI-based solutions can be used to modify various aspects
of the healthcare ecosystem. An automated intelligent ecosystem
that spans tasks such as analyzing patient demographics, auto-
appointment scheduler, lab test scheduler, medication reminders,
etc. would go a long way in revolutionizing healthcare.
These classiers could be trained further and used to aid decision-
making processes. Natural Language Processing (NLP) is being used
to extract useful and tangible information from semi-structured
data sources like electronic health records (EHRs) [
16
]. Furthermore,
machine learning forecasts future conditions based on past data.
It predicts future conditions using supervised, unsupervised, or
reinforced learning. Also, AI/machine learning-based methods can
be used to detect DDoS and some privacy attacks.
3.5 Many-to-one Encryption Techniques
Data generated by IoMT devices should be dierentially and se-
curely accessible to various stakeholders without creating multiple
encryptions. Many-to-one encryption methods like Ciphertext Pol-
icy – Attribute-Based Encryption (CP-ABE) will be an enabling
technology for secure data sharing in the IoMT domain as various
users like doctors, lab sta, and pharmacists have dierent levels
of access to patient data. Traditional CP-ABE has been enhanced to
make the encryption, decryption, and key setup processes compu-
tationally ecient [17].
4SECURITY ISSUES IN IOMT
Various devices such as smart sensors, wearable devices, handhelds,
and many other devices are linked in a network to ensure that
communication in healthcare runs smoothly. Thus IoMT network
is heterogeneous, with dierent protocols at each layer, making
a single security solution inapplicable to all devices. Furthermore,
as the number of internet-connected devices grows, so will the
amount of data produced. It is well known that not only are IoMT
devices vulnerable to cyber-attacks but so are their data. In fact,
the most pressing issues in IoMT infrastructure today are privacy
and data disclosure [18] [19].
4.1 IoMT vulnerabilities
There are numerous aws that can compromise the security of
IoMT devices. These are some examples.
Internet of Medical Things (IoMT) Security and Privacy: A Survey of Recent Advances and Enabling Technologies IC3-2022, August 04–06, 2022, Noida, India
a) Inadequate standardization. Numerous vendors oer a wide range
of dierent devices and applications. Many of these apps and devices
do not adhere to the same set of standards.
b) Several service/product providers. When discussing the IoT in-
dustry, it is critical to remember that security issues can arise not
only in software but also in hardware. That means there are more
potential weak points, due in part to the spread of responsibility,
which may have a negative impact on product quality.
c) Inadequate testing. Devices and apps are frequently tested sepa-
rately, which can lead to serious security gaps when they launch.
d) Inadequate medical sta abilities. People who work directly with
IoMT devices are unlikely to be aware of all the peculiarities of their
operation, capacities, and settings. Healthcare professionals may
fail to notice unusual device behaviors, allowing serious threats to
go undetected.
e) A lack of necessary solutions. There aren’t many IoMT device
security solutions that involve connecting a device to a patient. The
majority of these solutions are aimed at enterprise IoT use cases.
However, the IoMT necessitates more complex specic tools to
ensure cybercriminal protection.
f) Inadequate regulation. Currently, there are no rigorous guide-
lines for protecting IoMT devices from cyberattacks. For example,
in the United States, the Food and Drug Administration (FDA) is
responsible for protecting public health by controlling the safety
of many products, including medical devices. For IoMT devices,
agencies analyze the benets and risks of their use for patients. If
the benets outweigh the risks, the device will be approved by law.
These agencies look into ethical and policy aspects and not on the
technological failure aspects.
4.2 IoMT Risks
The introduction of IoMT systems into the healthcare domain brings
with it a number of risks, which are as follows:
a. The disclosure of Personal Information can have serious conse-
quences for patients’ medical conditions as well as the hospital’s
reputation.
b. Data falsication can cause the transmitted data from any medical
device to be altered and modied, resulting in higher drug dosage
or incorrect medical description, which can lead to further medical
complications.
c. Whistleblowers are unsatised or rogue medical employees who
leak medical details and information about the hospital or patients
in exchange for bribes or as part of an organized crime activity,
endangering patients’ privacy and lives.
d. A lack of training among nurses and doctors can endanger pa-
tients’ lives, resulting in permanent disabilities or death.
e. Accuracy is still a contentious issue, and it is to blame for in-
accuracies in medical operations performed by specialized robots.
This can also have a serious impact on patients’ lives, resulting in
disabilities or fatalities.
4.3 IoMT Security Requirements
IoMT devices rely on open wireless communications, they are vul-
nerable to a variety of wireless/network attacks. Typically, such
devices allow for unauthorized access without being detected. IoMT
devices are easily hijacked, and criminals can begin manipulating
the treatment process. Some of the major security issues are as
follows:
Condentiality -The ability to keep data private while gathering,
transmitting, or storing it. Furthermore, they must be accessible
only to authorized users. Data encryption and access control lists
are the most commonly used techniques to meet this requirement.
Honesty - This refers to the ability to safeguard data against
unauthorized tampering during the collection, transmission, and
storage stages.
Accessibility - The ability to keep the IoMT systems operational
at all times. This can be accomplished by keeping the system up to
date, monitoring any changes in performance, providing redundant
data storage or transmission routes in the event of DoS attacks, and
resolving any issues as soon as possible.
Non-Repudiation- The ability to hold each authorized user ac-
countable for their actions. In other words, this criterion ensures
that no interaction in the system can be denied. This is possible
with digital signature techniques, which will be discussed later in
the paper.
Authentication - The ability to validate a user’s identity when
they access the system. Authentication validation needs to be two-
way as not only the user but serv also may be compromised in some
cases.
Permission -The ability to restrict authenticated users to only
executing commands that they are authorized to execute. Autho-
rization, like condentiality, can be achieved through the use of
proper data encryption and access control techniques.
Anonymity/ Privacy - The capability to keep the pa-
tients’/physicians’ identities hidden from unauthorized users when
they interact with the system. Privacy is a fundamental right of
each individual and patients will not appreciate it if their personal
health data is made public
4.4 Current Threats and Possible Attacks on
IoMT System
Cyber-attacks on a system aim to compromise the condential-
ity, integrity, availability, and/or authentication of a system or its
components. The intensity of attacks and damage caused by them
depends upon the skills and outreach of attackers.
1. Packet capturing attacks, also known as packet sning attacks,
involve the capture of unencrypted medical data packets and the
disclosure of their content, which includes patients’ medical condi-
tions and passwords. Wireshark is an excellent example of network
monitoring software.
2. Wiretapping is a type of attack on physical communication
medium. The actual communication lines from one site to another
site can be wiretapped for leaked electro-magnetic radiations and
information leakage.
3. Dumpster diving attacks entail searching dumpsters for any
medical information, including papers and les thrown in the bin,
such as patient records, medical prescriptions, sta names, and so
on.
4.In Message tampering / alteration attacks the attacker attempts
to compromise the data integrity of the messages exchanged. This
occurs when the attacker manipulates the received messages to
achieve his or her own objectives. As a result, doctors may make
IC3-2022, August 04–06, 2022, Noida, India Arpna Saxena and Sangeeta Mial
incorrect decisions that endanger patients’ health. To ensure data
integrity and source authentication, one of these security methods is
to use a message authentication algorithm such as a cryptographic
keyed hash function as HMAC.
5. Cloning and spoong attacks can be combined to launch a
more sophisticated attack on a medical system or device. Spoong
attacks use the cloned data to gain unauthorized access, whereas
cloning attacks duplicate the spoofed data.
6. Distributed Denial of Service (DDoS) attacks can also be carried
out concurrently from dierent geographical locations and coun-
tries. Denial of service is an attack on availability of systems which
is very critical in healthcare domain as in a matter of seconds lives
can be lost.
7. Wireless Jamming is another type of Denial of Service attack
where any attacker who is even not able to access any system can
deploy jammers to disrupt data transmission in some frequency
ranges.
8. Flooding attacks are based on overwhelming and exhausting
the medical system’s resources by injecting false information and
data into the system in order to ood it with false data and infor-
mation requests.
9. Delay Attacks cause signicant delays in the transmission of
high-priority messages. This can cause delay in decision making in
critical situations.
10. Man-in-the-Middle Attacks are the attacks on condentiality
and integrity security requirements. This attack can be both passive
and active. When the attacker is only able to intercept and reads the
contents of messages, it is considered an attack on condentiality
and as no changes are being done by attackers so termed as passive
attack too. An active attack, on the other hand, occurs when the
attacker is able to alter, manipulate, or/and modify the transmitted
data or information without the knowledge of any of the devices.
11. Masquerading Attacks occur when a wireless network relay
node is used for malicious purposes by a specic attacker. Such an
attack can constantly send false alarms about a medical emergency
and disrupt the availability of medical services.
12. Replay Attacks alter the control signal being transmitted to
another medical device, particularly when an attacker gains a high
level of system privilege and the ability to control the system’s
signals. The adversary may steal or intercept transmitted data by
redirecting it to another location.
13. Ransomware: In a ransomware attack, fraudsters can encrypt
sensitive data, such as medical records, and hold it hostage in ex-
change for money.
14. Side-Channel attacks are possible because IoMT embedded
systems have very limited physical properties. Furthermore, they
are used to recover the secret key through power consumption,
dierential power consumption, or electromagnetic analysis. In
fact, IoMT devices with Physical Non-cloneable Functions (PUF)
can protect against various implementation attacks.
Table 1 shows types of security attacks in IoMT system, as well
as their solutions and possible vulnerabilities exploited to launch
these attacks.
4.5 Recent Security Solutions in IoMT
In IoMT, medical information is typically transferred over a wireless
medium, allowing an adversary to eavesdrop on the communica-
tion channel and obtain health-related information, resulting in a
breach of the patient’s privacy. As a case study of CI, Slight[20]
proposed a lightweight authentication and key agreement model
for IoMT smart healthcare applications. Slight can mitigate some
known attacks and provide perfect forward secrecy and known-key
secrecy.
PUFs are regarded as a dependable and prominent physical se-
curity technology for developing lightweight IoT authentication
protocols. T2T(Thing To Thing) mutual authentication protocol
(T2T-MAP) [
21
] based on PUFs (Physical Unclonable Functions).
Using the physical randomness of its circuitry, the protocol em-
ploys PUFs technology to allow each Thing to uniquely identify
and authenticate itself in an IoT infrastructure. Mutual Authentica-
tion, Scalability, Key Establishment, Availability, Forward Security,
and Non-Repudiation are its primary security features. PMsec [
22
]
proposes a model based on PUFs to authenticate network devices
while also attempting to maintain system integrity. This paper fo-
cuses on cloud authentication for end devices and edge devices.
It permits no key to be stored on any server and provides a valid
scheme for authenticating CE on the IoMT network. BEdgeHealth
[
23
] combines MEC and blockchain to facilitate data ooading and
sharing in distributed hospital networks. The authors created a new
decentralized smart contract associated with IPFS that runs on top
of the MEC network and provides two major benets. For starters,
the smart contract can provide authentication and traceability in
data sharing. Second, the combination of smart contracts and IPFS
speeds up data retrieval. To address the associated security con-
cerns, Abhay Kumar Agrahari et al. [
23
] proposed an authentication
protocol for wireless body area networks that uses certicate-less
cryptography. A new two-factor authentication scheme is being
developed for Wireless Body Area Network (WBAN), where the
doctor will access patient data remotely. According to the security
analysis, it satises mutual authentication, user anonymity, and
perfect forward secrecy. As the public Internet becomes increas-
ingly vulnerable to security threats, remote user authenticated key
exchange (AKE) has emerged as a critical requirement for the secure
and dependable use of these services. REAS-TMIS [
25
] employed
authenticated encryption with associative data (AEAD) as well as
a hash function. AEAD schemes are designed specically for en-
crypted communication between IoT devices with limited resources.
Because of these AEAD features, REAS-TMIS is resource-ecient.
Furthermore, REAS-TMIS eliminates the computationally expen-
sive operations elliptic curve point multiplication and chaotic map.
Furthermore, after validating the user’s identity, REAS-TMIS pro-
vides the functionality of session key (SK) establishment for future
encrypted communication between MS and users. The framework
put forward by Ali Ghubaish et al. [
26
] covers all phases of data
and device security, from data collection to data storage and data
sharing. Abdullah Al Hayajneh et al. [
27
] provided combination of
SDN with IoT. They upgraded proxy due to which integrity and
authenticity is provided with the use of SSL/TLS layer. The results
show that MITM attack on their proposed system model is miti-
gated. Xiaoyu Li et al. in [
28
] proposed a solution to access control
Internet of Medical Things (IoMT) Security and Privacy: A Survey of Recent Advances and Enabling Technologies IC3-2022, August 04–06, 2022, Noida, India
Table 1: Attack Types in IoMT System
Type of Attacks Security Concern Solutions Possible Vulnerability(s)
Packet capturing Condentiality Encryption •Use of Open Vulnerable Protocols
•Un-encrypted public medium usage
Wiretapping Condentiality •Secure Communications •Closed
Communications
•Open Wireless Communication
•Non-Secure Channels
Dumpster diving Condentiality •Enhanced Employee Training
•Paperless Process
•Lack of Employee Training •Lack of
Awareness
Message
Tampering-Alteration
Integrity Keyed Hash Function (HMAC);
•Message Authentication
Algorithms
Absence of Message Integrity Checkers
(MICs)
Cloning & Spoong Integrity Keyed Hash Function (HMAC);
•Message Authentication
Algorithms
Absence of Message Authentication
Codes (MACs)
Distributed Denial of
Service (DDOS)
Availability
DDoS detection solutions. Anti-bot
enablers in end devices
Exploiting devices turning them into bots
Packet capturing Condentiality Encryption •Use of Open Vulnerable Protocols
•Un-encrypted public medium usage
Wiretapping Condentiality •Secure Communications •Closed
Communications
•Open Wireless Communication
•Non-Secure Channels
Dumpster diving Condentiality •Enhanced Employee Training
•Paperless Process
•Lack of Employee Training •Lack of
Awareness
Flooding Availability Timestamps, Certicate Authority,
Intrusion Detection System (IDS),
Accepting u
=
large number of connection
requests from unknown Sources
Deliberately Induced
Delay
Availability Firewalls, Timestamps, IDS Possibility of man-in-the-middle attack,
capturing proxy
Man-in-the-Middle Authentication, Integrity,
Condentiality and
Availability.
Multi-Factor authentication
scheme
Poor authentication scheme (one factor)
Masquerading Condentiality,
Authentication
Multi-Factor authentication
scheme
Poor authentication scheme (one factor)
Replay Availability, Authentication •Use of Nonces, session expiry
times, session keys
Weakness in the authentication protocol
Ransomware
Condentiality, Integrity and
Availability
Up-to-date
Anti-Virus/Anti-Malware, Avoid
Using Personal Information,
Enhanced System’s Security,
Higher Awareness
Weak Passwords, Weak Multi-Factor,
Paying Ransoms
Side channel attacks
Unintended/ un-noticed data
leakage
Hardware countermeasure (PUF)
and software randomization
processes
Trac analysis/ electromagnetic
emanations
problems by maintaining multilinear map of current authorized
accesses. Proposed scheme not only resist the potential attacks, but
also guarantee the forward and backward security.
Various research works discussed dierent technologies to au-
thenticate IoMT devices, data and applications. There is no single
solution for securing IoMT devices and applications. All these pa-
pers deployed dierent mechanism to fulll the requirement of
proposed study. Following table shows the comparison between
these studies in a glance. Table 2 shows the comparison between
dierent protocol properties discussed in these research studies.
5IOMT PRIVACY
User privacy and privacy rights are fundamental requirements for
developing user trust and condence in IoMT, connected devices,
and associated services. At the same time, IoT developments are
primarily focused on addressing privacy concerns in novel ways.
One of the most important concerns in understanding privacy
issues in IoMT would be to focus on the reasons for privacy con-
cerns. The IoMT ecosystem contains intelligent artifacts almost
everywhere, with the ability to sample and distribute information
from any location. Furthermore, the ubiquitous connectivity of
IoT via the internet plays a critical role in amplifying privacy con-
cerns. Without a unique mechanism for privacy protection, IoT’s
IC3-2022, August 04–06, 2022, Noida, India Arpna Saxena and Sangeeta Mial
Table 2: Security Requirements Addressed by Existing Techniques
Reference Solution Approach
CondentialityAuthentication Integrity
Non-
Repudiation
Availability
SLIGHT [20] Lightweight key
agreement model
✓ ✓ ✓ ✓
T2T-MAP[21] PUF ✓ ✓ ✓ ✓ ✓
PMsec[22] PUF ✓ ✓
BEdgeHealth[23] Blockchain ✓ ✓ ✓ ✓ ✓
Agrahari et al. [24] Two-factor
authentication scheme
✓ ✓ ✓
REAS-TMIS [25] AKE ✓ ✓ ✓
Ghubaish et al [26] Hierarchical access
technique with ECC
✓ ✓ ✓ ✓ ✓
Hayajneh et al. [27] SDN ✓ ✓ ✓ ✓
Table 3: Privacy Attacks and Solutions in IoMT system
Type of Attacks Solutions Possible reason(s)
Trac analysis •VPNs & Proxies •Non-Linkability
•Pseudonyms
Un-noticed side channels, semantic information leakage
Identity/Location
tracking
•Anonymity •Non-Linkability
•Pseudonyms
Unencrypted location parameter sharing, Default permissions to
access location
ubiquitous connectivity could allow for exible access to personal
information from any location on the planet.
5.1 IoMT Privacy Issues
One of the most dicult challenges in IoMT is ensuring patients’
privacy. Protecting patients’ privacy entails preventing the disclo-
sure of their true identities, as well as their location and information.
Patients must protect their private information, such as their iden-
tity, behavior, and past and present location. Furthermore, the main
privacy attacks are listed and described in Table 3 below.
1. Trac Analysis Attacks: This primarily aects patients’ privacy
as well as data condentiality. This extremely dangerous attack
involves intercepting and analyzing network trac patterns in
order to infer useful information. This is because the activities of
IoMT devices can potentially reveal enough information for an
adversary to cause malicious harm to the medical devices. More
specically, trac analysis can target specic information that can
be used to launch or support new social engineering attacks.
2. Identity/Location Tracking Attacks: An attacker may be able to
track the movements of the IoMT devices. Studying this trace can
reveal the patient’s true identity as well as personal information. As
a result, obtaining a patient’s identity can jeopardize their privacy
and possibly their life. Solutions to prevent identity disclosure and
location-based DoS are required to thwart these types of attacks.
As a result, each patient should be given a selection of certied
pseudonyms obtained from a certicate authority. The Sybil attack
is the most common. The pool of pseudonyms can be used to send
false messages to a data center while pretending to be for dierent
patients. This includes fake trac jams and false alerts that force
hospitals to respond to a fake event. The primary goal of the au-
thorities is to ensure that identities and sensitive data are protected
and veried during any communication attempt. In the event of an
issue, the system operators must intervene; however, knowing the
identity of the user is required (digital forensics).
5.2 Recent Privacy Solutions in IoMT
Ashok Kumar Das et al. proposed CSVDTF-IoMTCOVID-19 [
29
],
a new framework based on block chain technology that provides
immutability, transparency, and decentralization. The CSVDTF-
IoMTCOVID-19 framework is proposed for Covid-19 vaccine distri-
bution and tracking. The authors have successfully demonstrated
that prominent attacks against the proposed framework (CSVDTF-
IoMTCOVID-19) such as replay attacks, man-in-the-middle (MITM)
attacks, and privileged-insider attacks can be avoided. The authen-
tication performed during the registration phase safeguards the sys-
tem against these attacks. Additionally, to avoid ephemeral secret
leakage (ESL) attacks, session keys rely on both short- (temporal)
and long-term secrets. As a result, a CK-compromise adversary’s
of session keys is dicult because the adversary must compromise
both temporal and long-term secrets.
Swatee S. Nikam et al. [
30
] proposed a system in which data
from IoMT sensors is encrypted and then encrypted again while
storing and transmitting PHRs to the cloud. In this manner, it pro-
vided double security to the PHRs and authorized only authorized
individuals to control various parts of the PHRs based on the access
granted by the patients.
Internet of Medical Things (IoMT) Security and Privacy: A Survey of Recent Advances and Enabling Technologies IC3-2022, August 04–06, 2022, Noida, India
6DISCUSSION AND RESEARCH GAPS
In this paper, an overview of the security requirements, state-of-the-
art security techniques, and new types of attacks were discussed.
Side-channel attacks are vulnerable to delay-based PUF implemen-
tations [
33
], and it is recommended that countermeasures be im-
plemented in the design to prevent this type of attack. In addition,
improper PUF implementation could introduce "backdoors" into an
otherwise secure system [
34
]. PUFs introduce more entry points
for hacking into a cryptographic system, and more research into
PUF vulnerabilities is required before PUFs can be used in practical
security-related applications.
Many AI and ML-based security schemes have an obvious aw
in that machines require a ood of training data to deduce a fea-
sible model to address practical issues, and the feature-extraction
[
35
] process is also very complicated. Worse, its computation and
communication costs are extremely high. As a result, it is critical
that we develop a new ML-based security scheme with low com-
putation and communication costs. The use of blockchain in IoT
can eectively ensure the safety of IoMT service data, but as IoMT
services expand, the demand for computing resources will easily
exceed the resources that the Internet can provide, reducing the
eciency of IoT services [36].
All the proposed schemes show that since IoMT devices have
hardware constraints, therefore all authentication schemes should
be lightweight. Lightweight authentication protocol can be imple-
mented with the help of either using PUF methods or AEAD based
schemes or using edge computing concept as seen in BedgeHealth.
To make system more secure perfect forward secrecy is the de-
sired important attribute. Slight is architecture specic and authors
have proposed to implement it on hardware microcontrollers such
as AT91SAM3X8E or Cortex-M series microcontrollers as future
scope. In PMsec only device authentication has been done therefore
client-side authentication scheme is suggested for future work to
authenticate the messages from client side which are received from
server. Framework proposed by Ali Ghubaish et al. proposed no se-
cure method on loss of second factor. Also, the framework proposed
by Ashok Kumar Das et al. have discussed no AI based big data
analytics scheme specically and only few attacks are considered
for addressing security issues.
T2T-MAP protocol is designed in such a way so that each device,
i.e., Thing, stores only one eCRP about any other device. Further-
more, along with all related work protocols, it is vulnerable to race
condition-based attacks. For security purpose the proposed method
REAS-TMIS requires updating of password frequently which might
lead to increase of overhead in terms of communication on method.
7CONCLUSIONS
This paper provides a comprehensive overview of IoMT in terms of
technology development and highlights security issues. In general,
the same security constraints that apply to IoT systems apply to
IoMT systems, but because IoMT devices aect human lives, the
concern is more pronounced. As a result, ongoing developments
in the realm of IoMT security have been extensively presented in
this paper, including studies based on newer technologies such as
blockchain, PUF, AI and ML to reduce security threats to humans
and systems. Nowadays edge computing is also gaining popularity
to make IoMT protocols lightweight. So, in near future this work can
be extended primarily focusing on studying various researcher’s
works done extensively on lightweight protocols.
REFERENCES
[1]
Farahani B, Firouzi F, Chang V, Badaroglu M, Constant N, Mankodiya K.
2018. Towards fog-driven IoT eHealth: promises and challenges of IoT in
medicine and healthcare.Future Generation Computer Systems 78(7):659–676
DOI 10.1016/j.future.2017.04.036
[2]
Noor MM, Hassan WH. 2019. Current research on Internet of Things
(IoT) security: a survey. Computer Networks 148(5):283–294 DOI
10.1016/j.comnet.2018.11.025.
[3]
He D, Ye R, Chan S, Guizani M, Xu Y. 2018. Privacy in the internet of
things for smart healthcare. IEEE Communications Magazine 56(4):38–44 DOI
10.1109/MCOM.2018.1700809
[4]
Alsubaei F, Abuhussein A, Shiva S. 2019a. A framework for ranking IoMT so-
lutions based on measuring security and privacy. In: Arai K, Bhatia R, Kapoor
S, eds. Proceedings of the Future Technologies Conference. Cham: Springer
International Publishing Ag, 205–224.
[5] https://www.who.int/health-topics/health-workforce#tab=tab_1
[6]
Dang LM, Piran M, Han D, Min K, Moon H. 2019. A survey on internet of things
and cloud computing for healthcare. Electronics 8(7):768 DOI 10.3390/electron-
ics8070768.
[7]
Newaz A, Sikder AK, Rahman MA, Uluagac AS. 2020. A survey on security and
privacy issues in modern healthcare systems: attacks and defenses. Available at
https://arxiv.org/abs/2005.07359.
[8]
Rahmani AM, Gia TN, Negash B, Anzanpour A, Azimi I, Jiang M, Liljeberg P. 2018.
Exploiting smart e-Health gateways at the edge of healthcare internet-of-things:
a fog computing approach. Future Generation Computer Systems 78(7):641–658
DOI 10.1016/j.future.2017.02.014.
[9] Yaacoub J-PA, Noura M, Noura HN, Salman O, Yaacoub E, Couturier R, Chehab
A. 2020. Securing internet of medical things systems: limitations, issues and
recommendations. Future Generation Computer Systems 105(10):581–606 DOI
10.1016/j.future.2019.12.028.
[10]
T. Yaqoob, H. Abbas and M. Atiquzzaman, "Security Vulnerabilities, Attacks,
Countermeasures, and Regulations of Networked Medical Devices—A Review," in
IEEE Communications Surveys & Tutorials, vol. 21, no. 4, pp. 3723-3768, Fourth
quarter 2019, doi: 10.1109/COMST.2019.2914094.
[11]
IoT Framework Assessment - OWASP, (n.d.). https://www.owasp.org/index.php/
IoT_Framework_Assessment(accessed July 8, 2017).
[12]
Shamsoshoara A., Korenda A., Afghah F. and Zeadally S., “A survey on physical
unclonable function (PUF)-based security solutions for internet of things,” 183, p.
107593,2020.
[13]
Wang Q., Zhu X., Ni Y., Gu L. and Zhu H., “Blockchain for the IoT and industrial
IoT: A review,” Internet Things, Vol. 10, pp. 100081, 2020. Special Issue of the
Elsevier IoT Journal on Blockchain Applications in IoT Environments.
[14]
Singh A., Parizi R. M., Zhang Q., Choo K.-K. R. and Dehghantanha A., “Blockchain
smart contracts formalization: Approaches and challenges to address vulnerabili-
ties,” Comput. Security, Vol. 88, p. 101654, 2020.
[15]
Sharma S., “Towards articial intelligence assisted software dened networking
for internet of vehicles,” in Intelligent Technologies for Internet of Vehicles,
Internet of Things, N. Magaia et al., Eds. Springer Nature Switzerland AG, 2021.
[16]
Ahmed Z., Mohamed K., Zeeshan S. and Dong X., “Articial intelligence with
multi-functional machine learning platform development for better healthcare
and precision medicine,” Database, Vol. 2020, , 2020.
[17]
Shardha Porwal, Sangeeta Mittal, HE3: A hierarchical attribute based secure and
ecient things-to-fog content sharing protocol, Journal of King Saud University
- Computer and Information Sciences, Volume 34, Issue 4, 2022, Pages 1312-1325,
ISSN 1319-1578, https://doi.org/10.1016/j.jksuci.2019.08.014.-6
[18]
Xu J, Wei L, Wu W, Wang A, Zhang Y, Zhou F. 2020. Privacy-preserving data
integrity verication by using lightweight streaming authenticated data struc-
tures for healthcare cyber-physical system. Future Generation Computer Systems
108(1):1287–1296. DOI 10.1016/j.future.2018.04.018
[19]
Gupta S, Venugopal V, Mahajan V, Gaur S, Barnwal M, Mahajan H. 2020. HIPAA,
GDPR and Best Practice Guidelines for preserving data security and privacy-What
Radiologists should know. ECR 2020. Vienna: European Congress of Radiology-
ECR 2020, C-13220.
[20]
Amintoosi, Haleh, et al. "Slight: A lightweight authentication scheme for smart
healthcare services." Computers & electrical engineering 99 (2022): 107803.
[21]
Lounis, Karim, and Mohammad Zulkernine. "T2T-MAP: A PUF-Based Thing-to-
Thing Mutual Authentication Protocol for IoT." IEEE Access 9 (2021): 137384-
137405.
[22]
V. P. Yanambaka, S. P. Mohanty, E. Kougianos and D. Puthal, "PMsec: Physical
Unclonable Function-Based Robust and Lightweight Authentication in the Inter-
net of Medical Things," in IEEE Transactions on Consumer Electronics, vol. 65, no.
3, pp. 388-397, Aug. 2019, doi: 10.1109/TCE.2019.2926192.
IC3-2022, August 04–06, 2022, Noida, India Arpna Saxena and Sangeeta Mial
[23]
Nguyen, Dinh C., et al. "Bedgehealth: A decentralized architecture for edge-based
iomt networks using blockchain." IEEE Internet of Things Journal 8.14 (2021):
11743-11757.
[24]
Agrahari, Abhay Kumar, Shirshu Varma, and S. Venkatesan. "Two factor authenti-
cation protocol for IoT based healthcare monitoring system." Journal of Ambient
Intelligence and Humanized Computing (2022): 1-18.
[25]
Tanveer, Muhammad, et al. "REAS-TMIS: Resource-Ecient Authentication
Scheme for Telecare Medical Information System." IEEE Access 10 (2022): 23008-
23021.
[26]
Ghubaish, Ali, et al. "Recent advances in the internet-of-medical-things (IoMT)
systems security." IEEE Internet of Things Journal 8.11 (2020): 8707-8718.
[27]
Al Hayajneh, Abdullah, Md Zakirul Alam Bhuiyan, and Ian McAndrew. "Improv-
ing internet of things (IoT) security with software-dened networking (SDN)."
Computers 9.1 (2020): 8.
[28]
Xiaoyu Li, Min Ye, Jiahui Chen, Jianhui Chen, Yeh-Cheng Chen, "A Novel Hi-
erarchical Key Assignment Scheme for Data Access Control in IoT", Security
and Communication Networks, vol. 2021, Article ID 6174506, 12 pages, 2021.
https://doi.org/10.1155/2021/6174506
[29]
Das, Ashok Kumar, Basudeb Bera, and Debasis Giri. "AI and Blockchain-based
Cloud-assisted Secure Vaccine Distribution and Tracking in IoMT-enabled Covid-
19 Environment." IEEE Internet of Things Magazine 4.2 (2021): 26-32.
[30]
Swatee S. Nikam, Jyoti P. Kshirsagar. "Implementation of Secure Sharing of
PHR’s with IoMT Cloud" International Journal of Recent Technology and
Engineering(2019):599-602
[31]
C. for D. and R. Health, Digital Health - Cybersecurity, (n.d.).https://www.fda.
gov/MedicalDevices/DigitalHealth/ucm373213.htm (accessed October 19, 2017)
[32]
O’Dea S. 2020. Data volume of IoT connected devices worldwide 2018 and 2025.
Statistica. Available at https://www.statista.com/statistics/1017863/worldwide-
iot-connected- devices-datasize/.
[33]
Merli, Dominik; Schuster, Dieter; Stumpf, Frederic; Sigl, Georg (2011), "Side Chan-
nel Analysis of PUFs and Fuzzy Extractors", Trust and Trustworthy Computing.
4th International Conference, TRUST 2011, Pittsburgh, PA, USA, June 22–24,
2011. Proceedings, Lecture Notes in Computer Science, vol. 6740, Springer Berlin
Heidelberg, pp. 33–47, doi:10.1007/978-3-642-21599-5_3, ISBN 978-3-642-21598-8
[34]
Rührmair, Ulrich; van Dijk, Marten (2013).” PUFs in Security Protocols: Attack
Models and Security Evaluations”. 2013 IEEE Symposium on Security and Privacy
. May 19–22, 2013 San Francisco, CA, USA.
[35]
L. Xiao, X. Wan, X. Lu, Y. Zhang, and D. Wu, “IoT security techniques based on
machine learning: how do IoT devices use AI to enhance security?” IEEE Signal
Processing Magazine, vol. 35, no. 5, pp. 41–49, 2018.
[36]
Zhanyang Xu, Wentao Liu, Jingwang Huang, Chenyi Yang, Jiawei Lu, Haozhe
Tan, "Articial Intelligence for Securing IoT Services in Edge Computing: A
Survey", Security and Communication Networks, vol. 2020, Article ID 8872586,
13 pages, 2020. https://doi.org/10.1155/2020/8872586
