Keywords
How to Cite
Abstract
The increasing integration of medical devices with communication networks and digital systems has significantly expanded the attack surface of modern healthcare infrastructures. This scenario, driven by the advancement of the Internet of Medical Things (IoMT), introduces new cybersecurity challenges that can compromise the confidentiality of sensitive data, the integrity of systems, and, most critically, patient safety. In this context, this paper presents a systematic literature review on cyberattacks targeting medical devices, guided by four research questions: (RQ1) What types of cyberattacks have been reported against connected medical devices? (RQ2) What vulnerabilities are most frequently exploited in these devices? (RQ3) Which categories of medical devices exhibit the greatest exposure to cybersecurity risks? (RQ4) What mitigation strategies and countermeasures are proposed in the literature? The review was conducted following the PRISMA protocol, with searches performed across six academic databases (IEEE Xplore, ACM Digital Library, PubMed, Scopus, ScienceDirect, and Web of Science) covering publications from 2008 to 2024. From an initial set of 1,247 records, 58 studies were selected after applying predefined inclusion and exclusion criteria through a three-stage screening process involving title review, abstract analysis, and full-text assessment. The results indicate that the most prevalent vulnerabilities are associated with weak authentication mechanisms, insecure communication protocols, outdated firmware, and the absence of encryption. Infusion pumps emerged as the most exposed device category, with 75% of units presenting known vulnerabilities, followed by nurse call systems (48%) and implantable pacemakers and defibrillators (40%). Remote attacks via wireless communication, hospital network exploitation, and embedded software manipulation appear as the most frequently reported attack vectors. Based on these findings, a three-layer IoMT attack taxonomy is proposed, organized across the perception/sensor, network/communication, and application/system layers, contributing a structured classification framework to the field. Furthermore, the review identifies six key research gaps, including the scarcity of studies conducted in real clinical environments, the insufficient validation of lightweight security solutions for resource-constrained devices, and the absence of standardized penetration testing frameworks for IoMT. The findings underscore the urgent need for adopting security-by-design practices in medical device development, strengthening regulatory policies, and fostering international collaboration to protect digital healthcare infrastructures.
References
Armis. (2023). Armis Identifies the Riskiest Medical and IoT Devices in Clinical Environments. Armis Newsroom.
Camara, C., Peris-Lopez, P., & Tapiador, J. E. (2015). Security and Privacy Issues in Implantable Medical Devices: A Comprehensive Survey. Journal of Biomedical Informatics, 55, 272–289. https://doi.org/10.1016/j.jbi.2015.04.007
Coventry, L., & Branley, D. (2018). Cybersecurity in Healthcare: A Narrative Review of Trends, Threats and Ways Forward. Maturitas, 113, 48–52. https://doi.org/10.1016/j.maturitas.2018.04.008
Federal Bureau of Investigation – FBI. (2022). Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities. Private Industry Notification, PIN-20220912-001.
Forescout Vedere Labs. (2024). Unveiling the Persistent Risks of Connected Medical Devices. Forescout Technologies.
Halperin, D., Heydt-Benjamin, T. S., Ransford, B., Clark, S. S., Defend, B., Morgan, W., Fu, K., Kohno, T., & Maisel, W. H. (2008). Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. In 2008 IEEE Symposium on Security and Privacy (pp. 129–142). IEEE. https://doi.org/10.1109/SP.2008.31
Kruse, C. S., Frederick, B., Jacobson, T., & Monticone, D. K. (2017). Cybersecurity in Healthcare: A Systematic Review of Modern Threats and Trends. Technology and Health Care, 25(1), 1–10. https://doi.org/10.3233/THC-161263
Li, C., Raghunathan, A., & Jha, N. K. (2011). Hijacking an Insulin Pump: Security Attacks and Defenses for a Diabetes Therapy System. In 2011 IEEE 13th International Conference on e-Health Networking, Applications and Services (pp. 150–156). IEEE. https://doi.org/10.1109/HEALTH.2011.6026732
Marin, E., Singelée, D., Garcia, F. D., Chothia, T., Willems, R., & Preneel, B. (2016). On the (In)security of the Latest Generation Implantable Cardiac Defibrillators and How to Secure Them. In ACSAC ‘16 (pp. 226–236). ACM. https://doi.org/10.1145/2991079.2991094
Newaz, A. I., Sikder, A. K., Rahman, M. A., & Uluagac, A. S. (2021). A Survey on Security and Privacy Issues in Modern Healthcare Systems: Attacks and Defenses. ACM Computing Surveys, 54(7s), 1–44. https://doi.org/10.1145/3453176
Palo Alto Networks – Unit 42. (2022). Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization. Unit 42 Research Report.
Rushanan, M., Rubin, A. D., Kune, D. F., & Swanson, C. M. (2014). SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks. In 2014 IEEE Symposium on Security and Privacy (pp. 524–539). https://doi.org/10.1109/SP.2014.40
Sánchez-Guerrero, R., Mendoza, F. A., Díaz-Verdejo, J., Casilari, E., & Crespo, A. (2023). Cybersecurity Vulnerability Analysis of Medical Devices Purchased by National Health Services. Scientific Reports, 13, 19548. https://doi.org/10.1038/s41598-023-45927-1
Thomasian, N. M., & Adashi, E. Y. (2021). Cybersecurity in the Internet of Medical Things. Health Policy and Technology, 10(3), 100549. https://doi.org/10.1016/j.hlpt.2021.100549
U.S. Food and Drug Administration – FDA. (2023). Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions – Final Guidance. FDA.
Williams, P. A. H., & Woodward, A. J. (2015). Cybersecurity Vulnerabilities in Medical Devices: A Complex Environment and Multifaceted Problem. Medical Devices: Evidence and Research, 8, 305–316. https://doi.org/10.2147/MDER.S50048