Securing the Internet of Medical Things (IoMT): Real-World Attack Taxonomy and Practical Security Measures

TL;DR

This paper provides a comprehensive taxonomy of cyber threats to IoMT, analyzes real-world incidents, and offers practical security strategies and standards to enhance the safety and privacy of medical devices and networks.

Contribution

It introduces a detailed attack taxonomy for IoMT, analyzes historical cyber incidents, and proposes actionable security guidelines and compliance frameworks for practitioners.

Findings

Identified key attack surfaces and vulnerabilities in IoMT systems.

Highlighted critical security gaps from real-world cyber incidents.

Provided practical security measures and standardization guidance.

Abstract

The Internet of Medical Things (IoMT) has the potential to radically improve healthcare by enabling real-time monitoring, remote diagnostics, and AI-driven decision making. However, the connectivity, embedded intelligence, and inclusion of a wide variety of novel sensors expose medical devices to severe cybersecurity threats, compromising patient safety and data privacy. In addition, many devices also have direct capacity - individually or in conjunction with other IoMT devices - to perform actions on the patient, such as delivering an electrical stimulus, administering a drug, or activating a motor, which can potentially be life-threatening. We provide a taxonomy of potential attacks targeting IoMT, presenting attack surfaces, vulnerabilities, and mitigation strategies across all layers of the IoMT architecture. It answers key questions such as: What makes IoMT security different from traditional IT security? What are the cybersecurity threats to medical devices? How can engineers design secure IoMT systems and protect hospital networks from cyberattacks? By analyzing historical cyber incidents, we highlight critical security gaps and propose practical security guidelines for medical device engineers and security professionals. This work bridges the gap between research and implementation, equipping healthcare stakeholders with actionable insights to build resilient and privacy-preserving IoMT ecosystems. Finally, we present the latest standardization and compliance frameworks, that IoMT security designers should be aware of.