Review

Integral Security Pillars for Medical Devices: A Comprehensive Analysis

by Marcela Ulloa-Zamora 1,2,*, Cristian Barría-Huidobro 1, Manuel Sánchez-Rubio 2 and Lorena Galeazzi 1
1 Centro de Investigación en Ciberseguridad, Universidad Mayor de Chile, Manuel Montt 367, Providencia 7500628, Chile
2 Escuela de Doctorado, Universidad de Alcalá, calle Libreros 21 Alcalá de Henares, 28801 Madrid, Spain
* Author to whom correspondence should be addressed.
Appl. Sci. 2025, 15(12), 6634; https://doi.org/10.3390/app15126634
Submission received: 12 May 2025 / Revised: 1 June 2025 / Accepted: 4 June 2025 / Published: 12 June 2025

Abstract
Cybersecurity is an essential component for preserving the integrity of healthcare systems, particularly in the face of the increasing adoption of interconnected medical devices, which significantly expands cyber risk exposure. A critical issue in this context is the fragmentation of knowledge regarding the security of these devices. The absence of a unified framework hampers the systematic identification of vulnerabilities and the effective implementation of protective measures. This study highlights such fragmentation by requiring the integration of seven ISO standards, nine NIST controls, one HIPAA regulation, one ENISA directive, one GDPR regulation, and one HITRUST framework, along with the review of 47 scientific articles and analysis of 27 documented vulnerabilities (CVEs). The need to consult this broad range of sources reflects both the complexity of the regulatory landscape and the lack of standardization in medical device security. Based on this review, key pillars were defined to support an integral and adaptable security model. This model provides a practical tool to strengthen digital healthcare infrastructures, facilitate continuous audits, and mitigate emerging threats, all while aligning with international standards. Furthermore, it promotes the consolidation of fragmented knowledge, helping to close security gaps and enhance the resilience of healthcare systems in a globalized environment.

1. Introduction

In the current context of the digital revolution, cybersecurity has become a fundamental pillar for ensuring the security, integrity, and reliability of healthcare systems globally [1]. The widespread adoption of advanced technologies, such as interconnected medical devices, has brought numerous benefits, but it has also increased the exposure of healthcare institutions to a broader range of cyber risks and vulnerabilities. The integration of these devices into interconnected networks presents significant opportunities to improve patient care but also poses critical challenges in terms of protecting information and the underlying technological infrastructure [2].
One of the main issues facing the healthcare community is the fragmentation of information related to the security of medical devices. Relevant data sources are scattered, making it difficult to build a coherent framework that can systematically identify and address the vulnerabilities of these devices. In this context, it is necessary to have an integrated security model that not only consolidates existing knowledge but also integrates and applies effective protection measures based on international security standards [3].
The goal of this study is to establish a clear set of fundamental pillars for the security of medical devices. Through an exhaustive analysis, the main threats and most common vulnerabilities are identified, and the security approaches used in different environments and healthcare systems are compared [4,5]. This analysis is complemented by a comprehensive review of the existing literature, covering the latest studies and international regulations, allowing for the identification of security gaps and the proposal of effective solutions.
The primary purpose of this research is to develop a practical support tool for implementing security strategies in medical devices. The study aims to provide a model that not only strengthens the security infrastructure of healthcare environments but also serves as a foundation for continuous and adaptive audits in response to emerging threats. This model is based on the principles of systematic auditing and designed to integrate effectively with Information Security Management Systems (ISMS) and align with international standards, such as the HITRUST Framework [6,7].
Finally, this work aims not only to address the current security gaps in medical devices but also to offer a broader perspective that enables its implementation in various international contexts, adapting to the specificities of each healthcare system. In this way, it is expected that this model will act as a global benchmark in risk management and cybersecurity within healthcare, contributing to the strengthening of trust and reliability in interconnected healthcare systems.
Building upon this context, the present study introduces a comprehensive methodology that integrates the analysis of international regulatory frameworks, a systematic review of the scientific literature, and a comparative evaluation of security standards applicable to medical devices. The results present an integral model grounded in conceptual pillars, designed to systematically structure the critical components of protection and to enable a coherent assessment of the most significant vulnerabilities. The discussion section further examines the distinctions between this holistic approach and conventional models focused primarily on device connectivity (IoMT), underscoring the necessity of a broader perspective that addresses the entire life cycle of medical devices and their seamless integration within healthcare systems. Finally, the conclusions emphasize the practical relevance of the proposed model as a foundational tool to support the implementation of cybersecurity strategies in clinical environments, while also highlighting its potential to inform future research aimed at the standardization and continuous enhancement of security across interconnected healthcare infrastructures.

2. Materials and Methods

The literature review method employed in this research is comprehensive, with an integrated and structured approach aimed at developing a robust theoretical model for information security in medical devices. This approach allows for a thorough and detailed analysis of the most relevant aspects related to cybersecurity in medical environments, adapted to the current needs of the healthcare sector. The research is organized into four essential phases, each focused on addressing different components of the problem, from understanding the context to developing concrete solutions. These phases are designed to facilitate a systematic and coherent process, as illustrated in Figure 1.
Details of the Research Phases:
  • Phase 1: Problem Statement
This initial phase focuses on conducting an in-depth analysis of the general context of medical device security, identifying current issues and relevant historical backgrounds. Previous developments in the field of cybersecurity are reviewed, as well as the challenges faced by the medical sector due to the increasing digitization and interconnection of its devices. This analysis establishes the necessary framework to effectively address emerging threats.
  • Phase 2: Review of Regulations, Cybersecurity Studies, and Common Vulnerabilities
In this phase, a thorough review of the existing regulations and previous studies related to cybersecurity in medical devices is conducted. Applicable regulations and regulatory frameworks are addressed, as well as the best practices adopted to protect medical infrastructure. Additionally, the most common vulnerabilities affecting these devices are identified in order to better understand the risks and weak points in current protection systems.
  • Phase 3: Presentation and Analysis of Research Results
In the third phase, the results obtained throughout the research process are presented. The proposed solutions are analyzed, evaluating their feasibility and effectiveness in practice. Additionally, key findings from the research are highlighted, including the implications of applying the security pillars model in various healthcare settings. This phase also includes the overall conclusions of the study and recommendations for future research in the field of cybersecurity for medical devices.
  • Phase 4: Development of the Security Pillars Model
The final phase is crucial, as creative and critical thinking methods are used to develop a security pillars model specifically designed for medical devices. This model is adapted to the specifics of medical environments and aims to provide new perspectives and innovative approaches to information security management. The development of this model is based on the knowledge gained in the previous phases, incorporating effective measures to mitigate risks and enhance protection against cyber threats.
This comprehensive approach, divided into these four interrelated phases, enables the development of an effective and flexible security model that is capable of adapting to the changing dynamics of cybersecurity in the healthcare sector. Through this process, the goal is to provide a solid foundation for improving the protection of medical devices and, consequently, ensuring the security of sensitive data and patient privacy.

3. Results

The following section presents the results derived from the application of the comprehensive review methodology, structured in four phases. Each stage allowed for the systematic organization and analysis of the information, contributing to a clear and well-founded understanding of the topic under investigation.

3.1. Problem Statement

In the current healthcare context, one of the main challenges that hinders the effective implementation and management of cybersecurity is the fragmentation of information related to the risks and vulnerabilities associated with medical devices. Critical information is scattered across various sources, such as international regulations, incident databases, technical studies, and recommendations from regulatory bodies, and lacks a structure that facilitates its proper integration, analysis, and practical application.
The direct consequence of this fragmentation is that efforts to protect medical devices become increasingly complex, as there is no common language or structured framework to organize all relevant information. This affects the different actors within the system, from those who design and manufacture the devices to those who use and oversee them in healthcare settings, resulting in decision-making processes that are often isolated. This not only weakens the ability to respond to potential threats but also increases the margins for error and widens existing security gaps.
Although internationally recognized regulatory frameworks and technical standards do exist, including ISO/IEC, NIST, and HITRUST, their implementation in practice tends to be heterogeneous and, in many cases, partial. This situation creates a significant gap between the available technical knowledge and its effective application, thereby increasing the risk of exposure to incidents that could compromise the integrity of the healthcare system.
Considering this scenario, it becomes evident that there is a need to develop an integrated security model capable of bringing together, organizing, and interpreting the currently fragmented information, thereby facilitating its strategic use in decision-making processes. A model of this nature should be aligned with international standards, adaptable to diverse organizational contexts, and capable of guiding both the assessment and implementation of effective and sustainable protection measures.

3.2. Review of Regulations, Cybersecurity Studies, and Common Vulnerabilities

The tables below summarize the reviewed regulations (Table 1, Table 2, Table 3, Table 4, Table 5 and Table 6), the scientific literature (Table 7), and the documented vulnerabilities (Table 8); together they provide the basis for the analysis of this information.

3.2.1. Regulations

  • ISO
There are various ISO standards that focus on information security and are relevant to medical devices. Below is a list of some of the most important ISO standards applicable in the auditing of medical device infrastructures [6].
Table 1. Main ISO standards that can be applied for auditing medical device infrastructure.

| Normative | Year | Name | Description |
|---|---|---|---|
| ISO 27701 [8] | 2019 | Extension to ISO/IEC 27001 [9] and ISO/IEC 27002 [10] for information privacy management | This document provides requirements and guidelines for establishing, implementing, maintaining, and improving a privacy information management system (PIMS), which is crucial for protecting personal data on medical devices. |
| ISO/IEC 27799 [11] | 2016 | Managing health information security using ISO/IEC 27002 | Provides guidelines to support the interpretation and implementation of ISO/IEC 27002 in the healthcare sector, ensuring the protection of personal health information (PII) in health information systems. |
| ISO 13485 [12] | 2016 | Quality management systems for medical devices | Although this standard focuses primarily on quality management systems, it includes requirements for risk management and security of software and computer systems used in medical devices. |
| ISO/IEC 27001 [9] | 2013 | Information Security Management Systems (ISMSs) | It establishes the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). This standard can be applied to any organization handling sensitive information, including manufacturers and suppliers of medical devices. |
| ISO/IEC 82304-1 [13] | 2016 | Health informatics—health software | General requirements for health software products: defines quality and safety requirements for health software products, including those used in medical devices, and ensures that the software meets information security standards. |
| ISO/IEC 27002 [14] | 2013 | Code of practice for information security controls | Provides guidelines for implementing information security controls based on industry best practices, applicable to medical devices to protect the confidentiality, integrity, and availability of information. |
| ISO/IEC 80001-1 [15] | 2010 | Application of risk management for IT networks incorporating medical devices | Provides a framework for risk management related to integrating medical devices into information technology networks, ensuring that risks associated with information security and interoperability are addressed. |
  • NIST
The National Institute of Standards and Technology (NIST) of the United States has developed multiple standards, guidelines, and publications that, although not specifically aimed at medical devices, are highly relevant to information security in this field [16].
Table 2. NIST standards that can be applied for auditing medical device infrastructure.

| Normative | Year | Name | Description |
|---|---|---|---|
| NIST Cybersecurity Framework (CSF) [17] | 2024 | - | A flexible, risk-based framework for improving cybersecurity in critical infrastructure, including the healthcare sector. Medical device manufacturers and users can use this framework to develop and improve cybersecurity programs. |
| NIST SP 800-63-3 [18] | 2023 | Digital Identity Guidelines | Guides digital identity management; relevant for medical devices that require authentication and access control. |
| NIST Special Publication (SP) 800-53 Rev. 5 [19] | 2020 | Security and Privacy Controls for Information Systems and Organizations | Provides a catalog of security and privacy controls to protect information and information systems, including those used in medical devices. |
| NIST SP 800-37 Rev. 2 [20] | 2018 | Risk Management Framework for Information Systems and Organizations | Subtitled “A System Life Cycle Approach for Security and Privacy”, it describes the NIST risk management framework, which can be applied to manage security and privacy risks in medical devices throughout their life cycle. |
| NIST SP 1800-1 [21] | 2018 | Securing Electronic Health Records on Mobile Devices | Provides practical examples and reference architectures for protecting electronic health records on mobile devices, applicable to mobile and wearable medical devices. |
| NIST SP 800-82 Rev. 2 [22] | 2015 | Guide to Industrial Control Systems (ICSs) Security | This document provides guidance on the security of industrial control systems, which may apply to certain medical devices operating in industrial or manufacturing environments. |
| NIST SP 800-88 Rev. 1 [23] | 2014 | Guidelines for Media Sanitization | Provides guidelines for the secure disposal of data on storage media, applicable to medical devices that store sensitive information. |
| NIST SP 800-30 Rev. 1 [24] | 2012 | Guide for Conducting Risk Assessments | Provides guidance on performing risk assessments, which are essential for identifying and mitigating security risks in medical devices. |
| NIST SP 800-66 Rev. 1 [25] | 2008 | An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule | This document provides guidance on how to comply with the HIPAA Security Rule, which is relevant to medical devices that handle protected health data. |
  • HIPAA
HIPAA, which stands for the Health Insurance Portability and Accountability Act, is US legislation enacted in 1996. Its primary objective is to protect the privacy and security of patients’ medical information and ensure the continuity of health insurance coverage [26].
Table 3. HIPAA and its supporting regulations (Privacy, Security, National Identifiers, Transactions and Codes, and Breach Notification).

| Normative | Year | Name | Description |
|---|---|---|---|
| HIPAA | 1996 | Original HIPAA law published | The original law was enacted to enhance health insurance portability, reduce fraud and abuse in healthcare, and establish standards for the security and privacy of health information. |
| | 2000 | Publication of the Privacy Rule | It establishes national standards for protecting Protected Health Information (PHI), limiting its use and disclosure and granting patients rights regarding their information. |
| | 2003 | Publication of the Security Rule | It requires the implementation of administrative, physical, and technical security measures to protect electronic Protected Health Information (PHI) and ensure its confidentiality, integrity, and availability. |
| | 2004 | Publication of the National Identifier Rule | It requires the implementation of administrative, physical, and technical security measures to protect electronic Protected Health Information (PHI) and ensure its confidentiality, integrity, and availability. |
| | 2000 | Publication of the Transactions and Codes Rule | It establishes standards for electronic healthcare transactions and codes, promoting standardization and simplifying administrative processes. |
| | 2009 | Publication of the Breach Notification Rule | It requires covered entities and their business associates to notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media in the event of an unsecured Protected Health Information (PHI) breach. |
  • ENISA
ENISA (European Union Agency for Cybersecurity) is not a legal regulation like HIPAA, but rather an agency that provides guidelines, recommendations, and best practices in cybersecurity. Its main objective is to promote cybersecurity across Europe [27].
Table 4. ENISA good practices for the security of healthcare services.

| Normative | Year | Name | Description |
|---|---|---|---|
| ENISA Good practices for the security of healthcare services [28] | 2017 | Professional services | It includes consulting, audits, and technical support. Good practices encompass cybersecurity training, restricted access policies, and continuous risk management. |
| | | Remote care systems | It includes telemedicine systems and remote patient monitoring. It is recommended to use secure connections, robust authentication, and personal and health data protection. |
| | | Building management systems | They manage the physical infrastructure of healthcare buildings (HVAC, lighting, security). Practices include network segmentation, continuous monitoring, and regular software updates. |
| | | Clinical information systems | They handle clinical information, such as electronic health records (EHR/EMR). Implementing role-based access controls, data encryption, and audits of access and modifications is crucial. |
| | | Cloud services | Cloud services for storing and processing health data. Best practices include vendor security assessment, encryption, and disaster recovery plans. |
| | | Identification systems | Verify the identity of users and devices. Multi-factor authentication, identity management, and monitoring of authentication activities are recommended. |
| | | Industrial control systems | They control industrial processes in healthcare facilities. Practices include network segmentation, real-time monitoring, and regular system updates. |
| | | Medical devices | Connected medical devices that manage patient data. Security by design, data encryption, and threat monitoring are essential. |
| | | Mobile client devices | Healthcare professionals and patients use mobile devices. Secure applications, mobile device management policies, and malware protection are recommended. |
| | | Network equipment | Network equipment that supports healthcare IT infrastructure. Best practices include implementing firewalls, network segmentation, and updating network firmware and software. |
  • GDPR
The General Data Protection Regulation (GDPR) establishes principles and requirements for the protection of personal data within the European Union. Although there are no specific GDPR controls exclusively for medical devices, its general principles apply to any processing of personal data, including that performed by these devices [29].
Table 5. Details of the GDPR rules and principles.

| Normative | Year | Name | Description |
|---|---|---|---|
| GDPR | 2016 | Fundamental Principles | Since its adoption in 2016 and enforcement in 2018, the GDPR has established principles for processing personal data, ensuring that it is lawful, fair, transparent, and limited to specific purposes. |
| | | Informed Consent | It requires that users expressly, in an informed manner, and freely consent to the processing of personal data, especially in the sensitive context of medical data. |
| | 2018 | Rights of Interested Parties | Since 2018, it has ensured rights such as access, rectification, erasure, and data portability, allowing individuals to control their personal information. |
| | | Data Security | It requires the implementation of appropriate technical and organizational measures to protect personal data against loss or unauthorized access, which is essential for medical devices handling sensitive data. |
| | | Data Protection Impact Assessments (DPIA) | It establishes the need to conduct impact assessments when data processing involves high risks to individuals’ rights and freedoms, including situations that may arise with medical devices. |
| | | Responsibility and Compliance | Manufacturers and suppliers must demonstrate compliance with GDPR requirements, maintain records of processing activities, and cooperate with data protection authorities from the date of enforcement. |
  • HITRUST
HITRUST (Health Information Trust Alliance) is a non-profit organization that develops and maintains the HITRUST Information Security Framework (HITRUST CSF). This set of controls and best practices is specifically designed to manage information security risks in the healthcare sector and related industries [7].
Table 6. Description and features of the HITRUST framework.

| Normative | Year | Name | Description |
|---|---|---|---|
| HITRUST | 2007 | Integral Approach | It provides a comprehensive approach to information security risk management, integrating and harmonizing multiple standards and regulations, such as HIPAA, NIST, ISO, and COBIT. This makes it easier for organizations to comply with multiple regulatory requirements using a single framework. |
| | | Adaptability | It is adaptable to different sizes of organizations and types of entities, from small clinics to large health systems and health-related service providers. This allows organizations to customize the implementation of controls based on their specific needs and operating environment. |
| | | Control-Based Structure | The HITRUST CSF is structured around a set of information security controls organized into domains covering critical areas such as access control, asset management, data protection, and incident response. This facilitates the assessment and continuous improvement of an organization’s security posture. |
| | | Assessment and Certification | HITRUST offers a formal assessment and certification process where organizations can independently review their compliance with the HITRUST CSF. This provides external validation that the recommended security controls and practices have been adequately implemented. |
| | | Risk Management Orientation | The HITRUST CSF framework focuses on risk management, not just the adoption of security controls. This involves ongoing risk assessment, implementing controls proportionate to those risks, and responding effectively to security incidents. |
| | | Multi-sectoral Application | Although initially developed for the healthcare sector, the HITRUST CSF also applies to other sectors that handle sensitive and critical information, such as the financial, government, and service sectors. |
  • WHO
The World Health Organization (WHO) does not issue specific regulations on cybersecurity for medical devices. Its main focus is on promoting public health, coordinating international efforts, and providing guidelines on global health policies. However, other international organizations and specialized standards provide guidelines and recommendations related to cybersecurity applied to medical devices [28].

3.2.2. Literature Review

In the last decade, cybersecurity and information protection have emerged as critical research areas, driven by the rise of cyber threats and the growing need to safeguard sensitive data [30]. This literature review examines key scientific studies in these fields, aiming to identify emerging trends, current challenges, and significant technological advancements. Through an in-depth analysis of recent publications, the review seeks to provide a detailed overview of the current research landscape, highlighting the approaches and solutions proposed in the most relevant studies. As a result of this analysis, valuable information was extracted to develop an integral security pillars model focused on medical devices based on the scientific articles and data collected on the most common vulnerabilities identified by manufacturers.
  • Review of Scientific Articles
The following compilation of information presents scientific articles that address relevant topics for the creation of the integral security pillars model, such as cybersecurity, associated technologies, and studies on cyberattacks, as shown in Table 7.
Table 7. Compilation of scientific articles from 2017 to 2025.

| Year | Title | Variable |
|---|---|---|
| 2025 | Cybersecurity Risk Assessment Frameworks For Engineering Databases: A Systematic Literature Review [31] | Data Security, Cybersecurity Threats, Healthcare Technology, GDPR, Attacks, IoMT Devices, Framework, Threat Detection Rate, Incident Response Time, System Uptime, Cost Efficiency. |
| 2025 | Intelligent two-phase dual authentication framework for Internet of Medical Things [32] | Internet of Medical Things (IoMT), Authentication Framework, Dual Authentication, Elliptic Curve Diffie–Hellman (ECDH), Security, Efficiency, Computational Cost, Latency, Packet Delivery Ratio, Cyber Threats. |
| 2025 | A comprehensive and systematic literature review on intrusion detection systems in the internet of medical things: current status, challenges, and opportunities [33] | Internet of Medical Things (IoMT), Intrusion Detection System (IDS), Cybersecurity, Artificial Intelligence (AI), Machine Learning (ML) and Deep Learning (DL), Datasets, Security Requirements, Intrusion Detection Process, Evaluation Metrics |
| 2025 | A New Model to Evaluate Signature and Anomaly Based Intrusion Detection in Medical IoT System Using Ensemble Approach [34] | Internet of Medical Things (IoMT), Intrusion Detection System (IDS), Ensemble Learning, Machine Learning (ML), Data Traffic, Signatures and Anomalies, Cyberattacks, Signatures and Anomalies |
| 2025 | A risk and conformity assessment framework to ensure security and resilience of healthcare systems and medical supply chain [35] | Healthcare Sector, Digital Transformation, Internet of Medical Things (IoMT), Connected Medical Devices, Healthcare Information Infrastructure (HCII), Cybersecurity Challenges, Risk and Conformity Assessment (RCA) Framework, (ISMS), Artificial Intelligence (AI), Risk Management, Security Controls, Regulatory Compliance, Cyberattacks, Medical Devices |
| 2025 | Maximizing healthcare security outcomes through AI/ML multi-label classification approach on IoHT devices [36] | Cybersecurity, Internet of Health Things (IoHT), AI/ML, Multi-Label Classification, Anomaly Detection, ECU Ioht Dataset, ARP Spoofing, DoS, Nmap Port Scan, Smurf Attack, Attacks |
| 2025 | Next-Gen fortified health monitoring for cyber physical systems in internet of things using logistic maps based encryption [37] | Health Monitoring Systems, Internet of Things (IoT), Cyber-Physical Systems (CPS), Encryption, Chaotic Mapping, ASCON Algorithm, Data Integrity, Randomization, Computational Overhead, Lightweight Cryptography (LWC), Health Data |
| 2025 | An advanced data analytics approach to a cognitive cyber-physical system for the identification and mitigation of cyber threats in the medical internet of things (MIoT) [38] | Medical Internet of Things (MIoT), Cognitive Cyber-Physical System (CCPS), Cyber Threats, Anomaly Detection, Gated Recurrent Units (GRUs), Dense Neural Network (DNN), Whale Optimization Algorithm (WOA), Datasets |
| 2025 | Stacking Ensemble Deep Learning for Real-Time Intrusion Detection in IoMT Environments [39] | Internet of Medical Things (IoMT), Cyber Threats, Intrusion Detection System (IDS), Machine Learning (ML), Deep Learning (DL), Stacking Ensemble Method, Kappa Architecture, ARP Spoofing, DoS, Smurf, Port Scan, Binary Classification, Multi-Class Classification |
| 2025 | Digital Health: The Cybersecurity for AI-based healthcare communication [40] | AI-Based Healthcare, Cybersecurity, Digital Health, Proactive System, Ransomware Attacks, AI Algorithms, Healthcare, Communication, Digital Inclusion, AI-Based Healthcare, Evolving Threats, Scalability of Networks, Authorization Methods |
| 2025 | Efficient lightweight cryptographic solutions for enhancing data security in healthcare systems based on IoT [41] | Internet of Things (IoT), Health Monitoring Systems, CPS, Cryptographic Techniques, Lightweight Cryptography (LWC), Authenticated Encryption, Permutation and Substitution Techniques, Chaotic Maps, Hyper-Chaotic Systems, Fibonacci Q-Matrix, Cryptanalysis |
| 2024 | Cybersecurity and use of ICT in the health sector [42] | Cybersecurity, Risks, Threats, Health Sector, Digital Medical Records, Bioethical Implications, Vulnerabilities in Connected Medical Devices, Telemedicine. |
| 2024 | Machine learning cryptography methods for IoT in healthcare [43] | Machine Learning Cryptography Methods, IoT (Internet of Things), Healthcare |
| 2024 | Cybersecurity policy framework requirements for the establishment of highly interoperable and interconnected health data spaces [44] | Cybersecurity Policy, Interoperability of Health Data, Interconnectedness of Health Data Spaces. |
| 2024 | The need for cybersecurity self-evaluation in healthcare [45] | Cybersecurity Self-Evaluation, Healthcare. |
| 2024 | Managing cybersecurity risk in healthcare settings [46] | Managing Cybersecurity Risk, Healthcare Settings, Cybersecurity Threats, Environment. |
| 2024 | A Review on the Application of Internet of Medical Things in Wearable Personal Health Monitoring: A Cloud-Edge Artificial Intelligence Approach [47] | Internet of Medical Things (IoMT), Wearable Personal Health Monitoring, Cloud-Edge Artificial Intelligence Approach, Healthcare, IoMT System. |
| 2024 | Developing a Novel Ontology for Cybersecurity in Internet of Medical Things-Enabled Remote Patient Monitoring [48] | Cybersecurity, Internet of Medical Things (IoMT), Remote Patient Monitoring, Novel Ontology. |
| 2024 | Vulnerability to Cyberattacks and Sociotechnical Solutions for Health Care Systems: Systematic Review [49] | Vulnerability, Cyberattacks, Sociotechnical Solutions, Health Care Systems, Healthcare. |
| 2024 | Cyberattacks on health care – a growing threat [50] | Ransomware Attack, WannaCry, Healthcare Cyberattack, Phishing Scams, Health Care, Growing Threat. |
| 2024 | QUMA: Quantum Unified Medical Architecture Using Blockchain [51] | QUMA Architecture, Blockchain, Medical Sector, Security, Transparency. |
| 2023 | New cybersecurity requirements for medical devices in the EU: the forthcoming European Health Data Space, Data Act, and Artificial Intelligence Act [52] | Cybersecurity Requirements, Medical Devices, Health Data Space, Data Act, Artificial Intelligence, European Health. |
| 2023 | Insights into security and privacy issues in smart healthcare systems based on medical images [53] | Security Issues, Privacy Issues, Smart Healthcare Systems, Medical Images, Confidentiality, Unauthorized Access, Threats. |
| 2023 | Cybersecurity in Internet of Medical Vehicles: State-of-the-Art Analysis, Research Challenges and Future Perspectives [54] | Cybersecurity, Internet of Medical Vehicles (IoMV), State-of-the-Art Analysis, Research Challenges, Future Perspectives. |
| 2023 | Attack Detection for Medical Cyber-Physical Systems–A Systematic Literature Review [55] | Attack Detection, Medical Cyber-Physical Systems (MCPS), Systematic Literature Review, Synthesize. |
2023Framework for a Secure and Sustainable Internet of Medical Things, Requirements, Design Challenges, and Future Trends [56]Patient Health Data, IoMT System, IoMT System Design and Implementation, Architecture, Security Measures, Healthcare Systems, System Performance and Effectiveness, User Interaction and Acceptance, Response Time, Sensitivity, Specificity, Accuracy, and Error Rates.
2022A cybersecurity culture survey targeting healthcare critical infrastructures [57]Cybersecurity Culture Survey, Healthcare Critical Infrastructures, Awareness of Cyber Threats, Security Behaviors, Compliance With Security Policies.
2022Cyber security in health: Standard protocols for IoT and supervisory control systems [58]IoT Devices, Data Breaches, Cybersecurity Budgets, Medical Equipment, Artificial Organs, Biosensors, Information, Medical Records, Networks.
2022A review on healthcare data privacy and security [59]Cloud Computing and Healthcare, Viruses and Worms, Botnets, Ransomware, Phishing, Cloud, Cyberattacks, Identify Theft, Security, Blockchain, Legal Aspect, Remote Patient Monitoring.
2021Influence of human factors on cyber security within healthcare organisations: A systematic review [60]Systematic Review, Human Factors, Cyber Security, Healthcare, Data Extraction, Risk of Bias, Cyber Risk, Economic Impact of Data Breaches, ICT Infrastructure, Cybercrime, Cyberattacks, Cybersecurity, Governance Strategies.
2021A survey on security and privacy issues in modern healthcare systems: Attacks and defenses [61]Protect Healthcare Systems, Privacy Issues, Phishing Attack, Brute Force Attack, Keylogger Attack, Man-in-the-Middle Attack, Eavesdropping Attack, Pharming Attack, Denial of Service (DoS) Attack, Healthcare Systems, Types of Attacks, Cybersecurity Countermeasures, Cybersecurity Vulnerabilities.
2020Health Care Cybersecurity Challenges and Solutions Under the Climate of COVID-19: Scoping Review [62]Endpoint Complexity, Human Factors, Phishing, Ransomware, Distributed Denial of Service (DDoS), Malware, Published Vulnerabilities, Innumerable Wireless Connected Devices, Reliance on Perimeter Defense, Remote Working Security Assurance, VPN, RDP, Integration of New Endpoint Devices with Legacy Systems.
2020Artificial intelligence in healthcare: An essential guide for health leaders [63]Artificial Intelligence (AI), Machine Learning (ML), Natural Language Processing (NLP), AI Voice Technology and Assistants, Medical Robotics, Electronic Health Records (EHRs), Clinical Decision Support, Patient Self-Management, Drug Research, Medical Imaging, Genomics, Telehealth, Big Data, Remote Healthcare.
2020Integration of cyber security in healthcare equipment [64]Operational Technologies (OTs), Information Technologies (ITs), Cyber Security Risks, Operational Risks, Healthcare Equipment, Vulnerabilities, Cyberattacks, Safety, Security Controls and Mitigation.
2020Cybersecurity in PACS and Medical Imaging: An Overview [65]PACS, Medical Imaging, Cybersecurity, Healthcare IT, Physical Mitigation Measures, Technical Mitigation Measures, Organizational Mitigation Measures, Image De-Identification, Transport Security, DICOM, Digital Signatures, Watermarking Techniques, Authenticity, Integrity, Healthcare.
2020Medical device safety management using cybersecurity risk analysis [66]MEMPs, Medical Devices, ICT, Security Threats, Cybersecurity, Risk Management, Internet of Things (IoT), Implantable Medical Devices (IMDs), Attack Occurrence Probability (AOP), Attack Success Probability (ASP), Fennigkoh Model, Smith Model, Analytic Hierarchy Process (AHP).
2020An exhaustive survey on security and privacy issues in Healthcare 4.0 [67]Healthcare 1.0 To 4.0, Electronic Healthcare Records (EHRs), Cloud Computing (CC), Fog Computing (FC), Internet of Things (IoT), Telehealthcare, Security, Privacy, Blockchain, Wearable Devices (WDs), Biometric, Network Traffic, Machine Learning (ML).
2019Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions [68]Cybersecurity, Phishing, Phishing Simulation, Health Care Delivery, Health Care Data and Systems, Email Click Rate, Employee Awareness and Training, Phishing Attacks.
2019Health care and cybersecurity: bibliometric analysis of the literature [69]Cybersecurity, Healthcare Delivery, Healthcare Information Systems, Cyberattacks, Data Breaches, Ransomware, Phishing, Security Incidents, Mitigation Measures, Vulnerabilities, Weaknesses, Exploit, Confidentiality, Integrity, Availability.
2019Security Vulnerabilities, Attacks, Countermeasures, and Regulations of Networked Medical Devices—A Review [70]Networked Medical Devices, Medical Telemetry, Security Vulnerabilities, Cyberattacks, Countermeasures, Regulations, FDA, HIPAA, GDPR.
2019Medical device vulnerability mitigation effort gap analysis taxonomy [71]Medical Devices, Vulnerabilities, Mitigation, Cybersecurity, Associated Parties, Effort, Risk Assessment, Data Breaches, Healthcare, Standards Organizations, Academia, Device Manufacturers, Including Authorities, Sensitive Data.
2019Integrated security, safety, and privacy risk assessment framework for medical devices [72]Medical Devices, Security, Safety, Privacy, Risk Assessment, FDA (Food and Drug Administration), EU (European Union), MDR (Medical Device Regulation), CVSS (Common Vulnerability Scoring System), CWE (Common Weaknesses Enumeration), Cyber Threats, Healthcare.
2018Cybersecurity in healthcare: A narrative review of trends, threats and ways forward [73]Cybersecurity, Healthcare, Medical Devices, Electronic Health Records (EHRs), Hacking, Malware, Ransomware, Insider Threats, Vulnerabilities to Exploit, WannaCry Attack, General Data Protection Regulation (GDPR), Internet of Things (IoT).
2018Cybersecurity in Hospitals: A Systematic, Organizational Perspective [74]HITECH, HIPAA, National Institute of Standards and Technology (NIST), Internal Politics, Technology Saturated Environment, Cybersecurity, FDA, Cybercriminal, Hospital Systems, Cyberattacks.
2018Cyber Attacks Classification in IoT-Based-Healthcare Infrastructure [75]Cyberattacks in IoT-Based Healthcare Infrastructure, Independent Variables, Attack Vectors/Types, Malicious Action, Infrastructure Layers, Specific Attack Classifications, Session Medjacking, Ransomware, Denial Of Service, RFID-Related Attacks, Malware Injection Attacks, Vulnerabilities, Threats, Risks, Weaknesses in IoT Systems.
2018Cybersecurity of healthcare IoT-based systems: Regulation and case-oriented assessment [76]Cybersecurity of IoT-Based Healthcare Systems, Cybersecurity, International Regulations and Standards, ISO, IEC, HIPAA, IoT Architecture, IoT Healthcare Architecture Layers, Cybersecurity Assessment, Protected Health Information (PHI), Threats and Vulnerabilities, Sensing, Network, Service, Application Interfaces.
2017Cybersecurity in healthcare: A systematic review of modern threats and trends [77]Cybersecurity Threats, Healthcare Technology, Data Breaches, Security Measures, Government Regulations and Policies, ACA, HITECH, Security, Medical Information, HIPAA, Ransomware.

3.2.3. Vulnerability and Attack Types Analysis

CVE (Common Vulnerabilities and Exposures) identifiers are unique names assigned to publicly known vulnerabilities in software and systems [78]. The naming scheme was created so that information can be exchanged and compared across security databases and vulnerability assessment tools. Each CVE record carries a brief description of the flaw and references to advisories and other resources with technical detail and remediation guidance; severity scores (CVSS) and weakness classifications (CWE) are attached to the record by the assigning CNA or by downstream databases such as the NVD. Because CVEs provide a common standard for identifying and describing vulnerabilities, they are used in this review to highlight trends in the recorded flaws. The most recent records, from 2018 to 2024, are listed in Table 8. Note that the "Type of Attack" column combines two kinds of information: CWE weakness classes taken from the records (for example, Use of Hard-coded Password, Buffer Overflow, SQL Injection) and CVSS exploitability attributes (Exploitable Remotely, Low Attack Complexity) or exploitation-likelihood indicators (Exploitation Activity). The entries are therefore not mutually exclusive, and a single CVE can carry several of them at once.
Table 8. Common vulnerabilities exposed between 2018 and 2024.
Vendor | Model | CVE | Type of Attack
Philips (Andover, MA, USA) | SureSigns VS4 | CVE-2020-16237, CVE-2020-16239, CVE-2020-1624 | Exploitable Remotely
Philips (Andover, MA, USA) | IntelliVue MX700 and MX800 | CVE-2020-16216 | Low Attack Complexity
Philips (Andover, MA, USA) | IntelliVue MX700 and MX800 | CVE-2019-13530 | Use of Hard-coded Password, Download of Code Without Integrity Check
Philips (Andover, MA, USA) | IntelliVue MX100 | CVE-2020-16214 | Low Attack Complexity
Philips (Andover, MA, USA) | Philips HealthSuite Health Android App, all versions | CVE-2018-19001 | Inadequate Encryption Strength
Philips (Andover, MA, USA) | IntelliBridge EC 40 and 60 Hub | CVE-2021-33017 | Authentication Bypass Using an Alternate Path or Channel
GE Healthcare (Chicago, IL, USA) | GE CARESCAPE B450/B650/B850 | CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020-6965, CVE-2020-6966 | Exploitable Remotely / Low Skill Level to Exploit
GE Healthcare (Chicago, IL, USA) | EchoPAC | CVE-2024-27106 | Exploitation Activity
GE Healthcare (Chicago, IL, USA) | Ultrasound devices | CVE-2024-1628 | OS Command Injection Vulnerabilities
GE Healthcare (Chicago, IL, USA) | Imaging and Ultrasound Products | CVE-2020-25179 | Information Leak
GE Healthcare (Chicago, IL, USA) | XZ Utils | CVE-2024-3094 | Embedded Malicious Code
Welch Allyn (Skaneateles Falls, NY, USA) | Spot Vital Signs 4400 | CVE-2021-27410, CVE-2021-27408 | Exploitable Remotely
Welch Allyn (Skaneateles Falls, NY, USA) | Vital Signs Monitor | CVE-2024-1275 | Exploitable Remotely
Dräger (Lübeck, Germany) | Infinity® Delta Series | CVE-2019-6446 | Probability of Exploitation Activity
IBM (Armonk, NY, USA) | Merge Healthcare eFilm Workstation | CVE-2024-23619 | Execute Code
IBM (Armonk, NY, USA) | Merge Healthcare eFilm Workstation | CVE-2024-23622 | Buffer Overflow
IBM (Armonk, NY, USA) | Merge Healthcare eFilm Workstation | CVE-2024-23621 | Buffer Overflow
CodeProjects | Health Care hospital Management System v1.0 | CVE-2024-38348 | SQL Injection Vulnerability
CodeProjects | Health Care hospital Management System v1.0 | CVE-2024-38347 | SQL Injection Vulnerability
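The labels in the "Type of Attack" column of Table 8 come from two different fields of a CVE record: the CWE weakness class (several entries are verbatim CWE titles) and the CVSS base vector (network attack vector, low attack complexity). The following script, added here as an illustration and not code from the paper, parses a CVSS v3.x vector, derives the same kind of labels from a record, and then maps each label onto NIST SP 800-53 control families to show the many-to-many relationship between CVEs and frameworks that Section 3.3.4 describes. All sample records are constructed: the CVE identifiers, CWE ids and CVSS vectors are hypothetical and are not the real NVD data of any product in Table 8, and the label-to-control-family mapping is an assumption made for this illustration.

```python
"""Derive Table 8-style attack labels from CVE record fields (added example).

The records, CWE assignments and CVSS vectors below are CONSTRUCTED and the
label -> NIST SP 800-53 family mapping is an ASSUMPTION for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Allowed values of the eight CVSS v3.x base metrics (CVSS v3.1 specification).
_BASE_METRICS = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
                 "S": "UC", "C": "NLH", "I": "NLH", "A": "NLH"}


def parse_cvss3(vector: str) -> dict[str, str]:
    """Parse a CVSS v3.0/3.1 vector string into {metric: value}.

    Rejects a wrong prefix, a missing base metric or a value outside the
    allowed set; temporal/environmental metrics are kept but not validated.
    """
    parts = vector.strip().split("/")
    if parts[0] not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"unsupported CVSS prefix in {vector!r}")
    metrics: dict[str, str] = {}
    for part in parts[1:]:
        key, sep, val = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = val
    for key, allowed in _BASE_METRICS.items():
        if key not in metrics or metrics[key] not in allowed:
            raise ValueError(f"missing or invalid base metric {key} in {vector!r}")
    return metrics


# CWE ids whose official titles appear verbatim as "Type of Attack" entries in Table 8.
CWE_TITLES = {
    "CWE-78": "OS Command Injection",
    "CWE-89": "SQL Injection",
    "CWE-120": "Buffer Overflow",
    "CWE-121": "Buffer Overflow",
    "CWE-259": "Use of Hard-coded Password",
    "CWE-288": "Authentication Bypass Using an Alternate Path or Channel",
    "CWE-326": "Inadequate Encryption Strength",
    "CWE-494": "Download of Code Without Integrity Check",
    "CWE-506": "Embedded Malicious Code",
}

# ASSUMED mapping from a label to NIST SP 800-53 control families (illustrative only).
CONTROL_FAMILIES = {
    "Exploitable Remotely": {"SC", "AC"},       # boundary protection, network access
    "Low Attack Complexity": {"RA", "SI"},      # remediation priority, flaw remediation
    "OS Command Injection": {"SI"},             # input validation
    "SQL Injection": {"SI"},
    "Buffer Overflow": {"SI", "SA"},            # flaw remediation, secure development
    "Use of Hard-coded Password": {"IA"},       # authenticator management
    "Authentication Bypass Using an Alternate Path or Channel": {"IA", "AC"},
    "Inadequate Encryption Strength": {"SC"},   # cryptographic protection
    "Download of Code Without Integrity Check": {"SI", "CM"},  # software integrity
    "Embedded Malicious Code": {"SR", "SI"},    # supply chain, malicious code protection
}


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    vendor: str
    product: str
    cwe_ids: tuple[str, ...]
    cvss_vector: str


def classify(rec: CveRecord) -> set[str]:
    """Table 8-style labels: CVSS exploitability attributes plus CWE classes."""
    metrics = parse_cvss3(rec.cvss_vector)
    labels: set[str] = set()
    if metrics["AV"] == "N":          # network attack vector
        labels.add("Exploitable Remotely")
    if metrics["AC"] == "L":          # low attack complexity
        labels.add("Low Attack Complexity")
    for cwe in rec.cwe_ids:
        labels.add(CWE_TITLES.get(cwe, cwe))  # unknown CWE ids pass through unchanged
    return labels


def control_families(rec: CveRecord) -> set[str]:
    """Union of the control families touched by every label of one record."""
    families: set[str] = set()
    for label in classify(rec):
        families |= CONTROL_FAMILIES.get(label, set())
    return families


def label_counts(records) -> dict[str, int]:
    """Frequency of each label across the records (the trend view of Table 8)."""
    counts: Counter = Counter()
    for rec in records:
        counts.update(classify(rec))
    return dict(counts)


# Constructed sample records: hypothetical ids, CWE assignments and vectors.
SAMPLE_RECORDS = (
    CveRecord("CVE-0000-0001", "Vendor A", "Patient monitor", ("CWE-259", "CWE-494"),
              "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    CveRecord("CVE-0000-0002", "Vendor B", "Imaging workstation", ("CWE-121",),
              "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"),
    CveRecord("CVE-0000-0003", "Vendor C", "Hospital management web app", ("CWE-89",),
              "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"),
)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.cve_id, sorted(classify(rec)), sorted(control_families(rec)))
    print(label_counts(SAMPLE_RECORDS))
```

Run stand-alone, the script prints four labels for the first constructed record (two CVSS attributes and two CWE classes) and six control families for it, which is the one-CVE-to-many-controls relationship noted in Section 3.3.4; the second record, reachable only locally, keeps its low-complexity label but loses the remote one, which is the distinction a triage process should preserve instead of folding both into a single "attack type".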

3.3. Presentation of the Data and Analysis of the Results

The presentation of the data and the analysis of the results aim to offer a detailed and clear understanding of the information collected. Using tables and graphs, key variables are visualized, which allows significant patterns, relationships, and trends to be identified intuitively. The graphs give a visual representation of the data that facilitates comparison and shows the distribution and evolution of variables over time. The tables, on the other hand, provide precision and detail, allowing the numerical values themselves to be analyzed.

3.3.1. Analysis of the Data Obtained from the Regulations

Table 9, Table 10, Table 11, Table 12, Table 13 and Table 14 show the key variables according to each of the security regulations analyzed in this article.
Figure 2 presents the frequency of the most relevant keywords identified in the analysis of the regulations and of the studies related to cybersecurity in medical devices.

3.3.2. Analysis of Data Extracted from the Literature Review

The analysis of the data extracted from Table 7 reveals significant patterns and trends. To facilitate the visualization and interpretation of these findings, a series of graphs illustrating the relationships between the variables and the distribution of the values is presented below.
The following graph illustrates the annual evolution in the number of publications related to the analyzed topic, covering the period from 2017 to 2025. See Figure 3.
The following graph shows the frequency of keyword occurrences in the studies and publications analyzed, providing an overview of the main concepts associated with the topic of cybersecurity in the healthcare sector (Figure 4).

3.3.3. Analysis of Data Extracted from the Common Vulnerabilities Exposed

Table 15 cross-references each recorded vulnerability with the security regulations and frameworks whose controls address it.
Table 16 provides a classification of the attack types commonly identified in the field of cybersecurity for medical systems and devices. Each attack type is accompanied by an abbreviation to facilitate reference in the subsequent analysis; Figure 5 shows their distribution.

3.3.4. Result of the Analysis of the Information Obtained

ISO standards align with the systematization of information and focus on the management and administration of data, offering guidelines for the implementation of information security. Additionally, a gap was identified between the updating of these standards and technological advancements.
NIST controls provide a flexible and risk-oriented approach to strengthening cybersecurity in critical infrastructures, particularly in the healthcare sector. One key aspect is the existence of specific guidelines for digital identity management, which is crucial for medical devices that require robust authentication and access control.
The HIPAA Privacy Rule establishes national standards to protect Protected Health Information (PHI), ensuring its confidentiality and limiting its use and disclosure without patient authorization. The companion HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI, including access controls, audit controls, and encryption (the latter as an addressable specification: a covered entity must implement it or document an equivalent alternative). The Breach Notification Rule adds an obligation to notify affected individuals and regulators of breaches of unsecured PHI, which promotes transparency and accountability in incident management.
ENISA emphasizes the importance of cybersecurity training and the implementation of restricted access policies in the healthcare sector to prepare staff for cyber threats. It recommends security measures for remote care systems, such as telemedicine, including secure connections and robust authentication.
GDPR sets out essential principles for the processing of personal data, ensuring that it is lawful, fair, transparent, and limited to specific purposes—factors particularly relevant for medical devices. Additionally, it grants individuals rights over their personal data, such as access, rectification, deletion, and portability, promoting transparency and accountability in data handling.
The HITRUST framework offers a comprehensive approach to information security risk management by integrating standards such as HIPAA, NIST, ISO, and COBIT. This integration not only facilitates regulatory compliance but also strengthens organizational security, providing confidence that systems are well protected. It is adaptable to different types and sizes of organizations, allowing customization of controls according to specific needs.
The scientific literature review spans from 2017 to 2025, showcasing various studies focused on cybersecurity, vulnerabilities, and the detection of attacks in emerging technologies applied to infrastructures, such as blockchain and the IoT. According to the interpretation of the graphs, it is observed that in the last year, the number of scientific articles centered on key topics such as the need for clear regulatory frameworks, the security of critical infrastructure, the characterization of specific attacks, the consideration of human and organizational factors, and the adoption of rigorous analytical methodologies has doubled. This growth reflects an increasing attention towards patterns such as the intensive digitalization of the health sector, cybersecurity as a central axis, and the use of emerging technologies like artificial intelligence, advanced cryptography, and blockchain. Nevertheless, significant gaps persist related to the vulnerabilities of connected devices, the risks derived from interoperability, the challenges in the protection of new technologies, and the weaknesses linked to security culture and staff awareness, aspects that also evidence the urgency of a comprehensive socio-technical approach.
Regarding the recorded vulnerabilities, the dominant pattern is remote exploitability combined with code injection (OS command injection and SQL injection) and memory-safety flaws (buffer overflows).
Similar vulnerabilities recur across different versions or models from the same manufacturer, which may indicate structural deficiencies in the secure development lifecycle.
Vulnerabilities with low attack complexity or a network attack vector represent a high real risk, because they can be exploited without specialized tools or prior access to the device. These two attributes are CVSS exploitability metrics rather than attack types, so they should be read as amplifiers of the weakness classes listed in the same table rather than as separate categories of attack.
Furthermore, cross-referencing against frameworks and standards such as HITRUST, NIST SP 800-53, and ISO/IEC 27001 shows a lack of systematic compliance with key controls, especially in access control, secure communication, and information protection. This points to a need to strengthen the design, testing, and maintenance of security in medical devices, particularly those with active connectivity.
There is no one-to-one correspondence between CVEs and regulations: a single regulation applies to many CVEs, and a single CVE relates to several regulatory frameworks, depending on the type of control involved. The same vulnerability can therefore be tied to frameworks that address different aspects of the same problem, such as authentication, network security, monitoring, or privacy.

3.4. Development of the Security Pillars Model

As a result of this work, a simplified and abstract representation of the Integral Security Pillars for Medical Devices was created in order to select the critical elements and define their relationships.
Attributes were established for each element to visualize the structure and connections of the model derived from the review process, ensuring clarity and coherence. The representation is accompanied by information that facilitates its understanding and application.
The results were developed based on pillars and an integral approach to ensure both structural clarity and comprehensive coverage. From an engineering perspective, pillars refer to foundational components that support the integrity and functionality of a system, enabling modular analysis and targeted improvements. The term integral emphasizes the unification and concentration of information, allowing the model to aggregate and centralize critical aspects of security into a coherent framework that facilitates holistic assessment and implementation.
As a result, four essential elements that compose the Pillars of Security model were identified, as shown in Figure 6.
Description of the Elements of the Four Security Pillars
  • Regulations:
Regulations are an essential component of the security model for medical device infrastructure, as they provide a normative framework that guides the implementation of data protection measures. These standards and procedures help organizations identify, prevent, and mitigate risks derived from cyber threats, ensuring the confidentiality, integrity, and availability of information. In the context of medical devices, regulations are crucial not only for setting protection standards but also for monitoring and regulating the use and operation of the devices, which is vital for protecting them against current and emerging threats. National regulations, best practices, and internal laws play a central role in ensuring that devices operate safely and are protected from unauthorized or malicious access, fostering a reliable environment for healthcare delivery.
  • Model vs. Manufacturer:
Medical device manufacturers are tasked with innovating and solving technological challenges to improve healthcare, developing advanced technologies such as connected systems for diagnosis and monitoring (e.g., magnetic resonance imaging). However, a wide range of devices has shown vulnerabilities in their software or communication protocols, which puts information security at risk. This element of the model emphasizes the importance of periodic updates and continuous manufacturer support, a valuable complement for preventing and detecting issues in the medical device infrastructure and enhancing protection against cyber threats.
  • Vulnerability and Threat Analysis:
Proactive vulnerability and threat analysis is key to strengthening the cybersecurity posture of organizations, particularly those managing medical device infrastructures. Identifying and understanding the specific vulnerabilities of each device allows organizations to correct weaknesses before they are exploited. This analysis enables periodic and systematic protection of sensitive information, helping mitigate risks and ensuring that medical device systems operate safely in an increasingly interconnected environment. The ability to prevent security breaches is a crucial component for protecting both technological infrastructure and the confidentiality of data.
  • Trends and Emerging Technologies:
Emerging technological trends and scientific advancements can have a significant impact on the landscape of cyber threats. The research and development of new technologies can not only facilitate the identification of vulnerabilities but also influence the adoption of new attack techniques and the improvement of cybersecurity measures. Innovations in areas such as artificial intelligence, the Internet of Things (IoT), the Internet of Medical Things (IoMT), and cloud computing have the potential to create both new opportunities and new risks. It is crucial to monitor these advancements to anticipate threats and strengthen the defenses of medical device systems, ensuring that security solutions adapt to new technological realities.
Mathematical Model
The Integral Security Pillars for Medical Devices are formally represented through a mathematical model based on set theory, which serves as a rigorous conceptual framework for structuring the system's security architecture. See Figure 7.
The model defines four primary sets, each corresponding to a fundamental security pillar:
  • R: Regulations
  • M: Model vs. Manufacturer
  • V: Vulnerability and Threat Analysis
  • T: Trends and New Technologies
The universal set U encompasses the complete domain of elements pertinent to cybersecurity in medical devices and is expressed as the union of the four pillars:
$U = R \cup M \cup V \cup T$
The central intersection zone Ω represents the optimal integration state, in which all four pillars are fully aligned, and is expressed as their intersection:
$\Omega = R \cap M \cap V \cap T$
Achieving this condition ensures comprehensive and cohesive cybersecurity coverage across the medical device ecosystem, facilitating robust protection against diverse cyber threats. Conversely, any element of U that lies outside Ω is covered by some pillars but not all of them, and marks a point where integration is still incomplete.

4. Discussion

The interconnection of medical devices has improved healthcare delivery but has also increased exposure to cyber threats. Despite existing regulations such as ISO, NIST, and HIPAA, vulnerabilities persist. This study analyzes the gaps in the implementation of security measures, highlighting key findings and their relation to previous research, while also discussing the implications of these results and their impact on future research and improvements in medical device security.
The results of this study reveal the growing importance of integrating a comprehensive cybersecurity approach into medical device technology, especially in the context of system interconnection and the increasing number of common vulnerabilities and exposures (CVEs) associated with these devices. The analysis of regulations and standards such as ISO, NIST, HIPAA, ENISA, GDPR, and HITRUST highlights the need for closer alignment between security policies and the practices implemented by medical device manufacturers and suppliers. While these regulations have made significant progress in information protection, the findings indicate that the effective application of these regulations in medical devices still faces major challenges, such as a lack of consistency in the implementation of security measures and the growing sophistication of cyberattacks.
Identified vulnerabilities, such as remote exploitation in Philips devices or malicious code injections in GE Healthcare products, illustrate the severity of the threats facing medical device infrastructures. These results align with previous studies that have highlighted the insufficient protection of medical devices against cyberattacks, especially when integrated into complex healthcare information networks. The discrepancy between the existing regulations and practical implementations emphasizes the need for a more robust and adaptive approach to auditing and managing the security of these devices.
Furthermore, the findings reveal that the security of medical devices relies not only on protecting information but also on the integration of risk controls that consider interoperability and vulnerability management throughout the entire lifecycle of the devices. This supports the hypothesis that cybersecurity threats should be managed with a holistic approach, covering not only IT security but also physical security, identity management, and access control.
Future research could focus on the development of adaptive security frameworks that integrate best practices from multiple standards and enable real-time audits, especially in connected healthcare environments. It would also be valuable to explore the implementation of emerging technologies, such as artificial intelligence and machine learning, for detecting and mitigating threats in interconnected medical devices. Additionally, investigating the impact of cybersecurity training for healthcare professionals, considering the interaction between human factors and technology in healthcare settings, would be highly relevant.
This study reinforces the urgency of strengthening cybersecurity capabilities in medical devices to ensure the protection of information and the integrity of healthcare services, particularly in a context where reliance on interconnected systems continues to grow.

5. Conclusions

The findings of this study underscore the pressing need to adopt a comprehensive and systematic approach to cybersecurity in medical devices. Although international regulatory frameworks, such as ISO, NIST, HIPAA, ENISA, GDPR, and HITRUST, offer valuable guidance, substantial gaps persist in the practical implementation of critical controls, particularly in areas concerning authentication, secure communications, and data protection.
The vulnerability analysis identifies recurrent patterns and risks associated with remote exploitation and malicious code injection, thereby highlighting the limitations inherent in the secure development lifecycles of connected medical devices. Furthermore, the absence of a direct correspondence between documented vulnerabilities (CVEs) and regulatory frameworks accentuates the complexity of the current regulatory landscape and reinforces the necessity for cross-disciplinary and integrated approaches.
Within this context, the proposed Integral Security Pillars Model provides a robust conceptual framework designed to align and integrate the essential components of cybersecurity. Its formal representation through Set Theory facilitates the visualization of interdependencies among regulatory standards, manufacturer responsibilities, threat intelligence, and emerging technological trends, thereby supporting the advancement towards a coherent, adaptive, and resilient cybersecurity architecture for interconnected healthcare environments.
This study proposes an integral security model for medical devices based on conceptual pillars that systematically structure the critical protection components. Through a detailed analysis of regulatory frameworks and best practices, supported by visual representations and a preliminary mathematical model, it provides a tool that facilitates the evaluation and continuous improvement of security in digital healthcare environments. This approach contributes to the standardization of criteria within a technologically and regulatory heterogeneous context and opens new research avenues for risk quantification and the secure integration of medical devices into interconnected healthcare infrastructures.
This model is independent of network architecture and focuses on the comprehensive security of the device, taking into account technical, organizational, regulatory, and interoperability factors. In other words, although it can be applied in connected environments, it is not exclusively dependent on the IoMT paradigm; rather, it aims to protect the device in any usage context.
As part of future work, the practical implementation of an audit model for medical device infrastructure is proposed, which will be theoretically validated through logical reasoning based on fundamental security principles. This implementation will include testing the model in various clinical environments and with different types of medical devices in order to assess its effectiveness in identifying and mitigating vulnerabilities in real-world scenarios.
Additionally, comparative studies are suggested to analyze the performance of the model against other existing approaches in practice, with the goal of identifying potential areas for improvement and optimization. In parallel, the development of automated tools for the application of the model could significantly facilitate audits, enhancing the efficiency and accuracy of the process.
Finally, continuous review and updates of the model are recommended, incorporating new regulations and technological advancements into the field of medical device security. This approach will ensure that the model remains relevant and effective in a constantly evolving environment, safeguarding the continued protection of medical device infrastructure against emerging cyber threats.

Author Contributions

Conceptualization, M.U.-Z. and L.G.; methodology, M.U.-Z. and L.G.; validation, M.U.-Z. and L.G.; formal analysis, M.U.-Z. and L.G.; investigation, M.U.-Z. and L.G.; data curation, M.U.-Z.; writing—original draft preparation, M.U.-Z. and L.G.; review, C.B.-H. and M.S.-R.; visualization, C.B.-H. and M.S.-R.; supervision, C.B.-H. and M.S.-R. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflicts of interest.

Figure 1. Phases of the comprehensive review.
Figure 2. Word count by occurrence. Graph showing the common key variables in the different regulations analyzed according to Table 9, Table 10, Table 11, Table 12, Table 13 and Table 14 of this article.
Figure 3. Number of related articles per year.
Figure 4. Total words per occurrence. Top 20 words from the “Variables” column corresponding to Table 7.
Figure 5. Number of occurrences of attacks recorded in the analyzed CVEs.
Figure 6. Integral Security Pillars for Medical Devices.
Figure 7. Mathematical model based on Set Theory.
Table 9. Key variables by normative ISO.

Normative | Key Variables
ISO 27701 | Privacy Information Management, Personal Data, Medical Devices
ISO/IEC 27799 | Health Information Security, Personal Health Information (PII), Healthcare Sector
ISO 13485 | Quality Management Systems, Risk Management, Medical Devices, Software Security
ISO/IEC 27001 | Information Security Management, Sensitive Information, ISMS (Information Security Management System)
ISO/IEC 82304-1 | Health Software, Quality Requirements, Safety Requirements, Information Security Standards
ISO/IEC 27002 | Information Security Controls, Best Practices, Confidentiality, Integrity, Availability
ISO/IEC 80001-1 | Risk Management, IT Networks, Medical Devices, Interoperability, Information Security
Table 10. Key variables by normative NIST.

Normative Standard | Key Variables Identified
NIST Cybersecurity Framework (CSF) | Cybersecurity in critical infrastructure—Risk management—Security protections—Continuous improvement of cybersecurity programs—Applications in medical devices
NIST SP 800-63-3 | Digital identity—Authentication—Access control—Data privacy
NIST SP 800-53 Rev. 5 | Security controls—Information privacy—Information system protection—Risk management for medical systems—Medical device information security
NIST SP 800-37 Rev. 2 | Risk management in medical devices—Cybersecurity throughout the lifecycle—Privacy risk management—Lifecycle-based security approach
NIST SP 1800-1 | Protection of electronic health records (EHRs)—Security in mobile and wearable devices—Protection of personal health data—Security architectures for mobile devices
NIST SP 800-82 Rev. 2 | Industrial Control Systems (ICS) security—Protection of medical devices in industrial environments—ICS risk management—Compliance with industrial security standards
NIST SP 800-88 Rev. 1 | Secure data disposal—Media sanitization—Protection of sensitive data in medical devices—Data disposal policies for medical devices
NIST SP 800-30 Rev. 1 | Risk assessment—Threat and vulnerability identification—Risk mitigation methods—Medical device security assessment
NIST SP 800-66 Rev. 1 | HIPAA compliance—Protection of protected health data—Security in handling medical data—Security rules for devices handling health information
Table 11. Key variables by normative HIPAA.

Normative | Key Variables
HIPAA (1996) | Health insurance portability, fraud reduction, healthcare security, privacy standards, health info
Privacy Rule (2000) | Protected Health Information (PHI), data protection, use and disclosure limits, patients’ rights
Security Rule (2003) | Administrative security measures, physical security measures, technical security measures, PHI confidentiality, integrity, availability
National Identifier Rule (2004) | PHI security measures, identifier standards, administrative security, technical security
Transactions and Codes Rule (2000) | Electronic healthcare transactions, healthcare codes, standardization, administrative processes
Breach Notification Rule (2009) | PHI breach notification, affected individuals, HHS notification, media notification, unsecured PHI breach
Table 12. Key variables by normative ENISA.

Normative | Key Variables
Good practices for the security of healthcare services | Security in professional services, Consulting, Audits, Technical support, Cybersecurity training, Restricted access policies, Continuous risk management
Remote care systems | Telemedicine, Remote patient monitoring, Secure connections, Robust authentication, Protection of personal and health data
Building management systems | Physical infrastructure of buildings, HVAC management, Lighting, Security, Network segmentation, Continuous monitoring, Software updates
Clinical information systems | Clinical information, Electronic Health Records (EHRs/EMRs), Role-based access control, Data encryption, Audit of access and modifications
Cloud services | Cloud services, Health data storage, Vendor security assessment, Encryption, Disaster recovery plans
Identification systems | Identity verification, Multi-factor authentication, Identity management, Monitoring of authentication activities
Industrial control systems | Industrial processes in healthcare facilities, Network segmentation, Real-time monitoring, Regular system updates
Medical devices | Connected medical devices, Patient data management, Security by design, Data encryption, Threat monitoring
Mobile client devices | Mobile devices in healthcare, Secure applications, Mobile device management policies, Malware protection
Network equipment | Network equipment in healthcare IT infrastructure, Firewalls, Network segmentation, Firmware and software updates
Table 13. Key variables by normative GDPR.

Key Variables | Description
Fundamental Principles | Since its adoption in 2016 and enforcement in 2018, the GDPR has established principles for processing personal data, ensuring that it is lawful, fair, transparent, and limited to specific purposes.
Informed Consent | Requires that users expressly, in an informed manner, and freely consent to the processing of personal data, especially in the sensitive context of medical data.
Rights of Interested Parties | Ensures rights such as access, rectification, erasure, and data portability, allowing individuals to control their personal information.
Data Security | Requires the implementation of appropriate technical and organizational measures to protect personal data against loss or unauthorized access, which is essential for medical devices handling sensitive data.
Data Protection Impact Assessments (DPIA) | Establishes the need to conduct impact assessments when data processing involves high risks to individuals’ rights and freedoms, including situations that may arise with medical devices.
Responsibility and Compliance | Manufacturers and suppliers must demonstrate compliance with GDPR requirements, maintain records of processing activities, and cooperate with data protection authorities.
Table 14. Key variables by normative HITRUST.

Category | Key Variables
Adaptability and Customization | Adaptability
Compliance and Certification | Assessment and Certification
Structure and Controls | Control-Based Structure
Approach to Security | Integral Approach
Sector Application | Multi-Sectoral Application
Risk Management | Risk Management Orientation
Table 15. Comparative table of vulnerabilities and their relation to regulations.

CVE | Model | Type of Attack | Normatives
CVE-2025-2230 | Philips Intellispace Cardiovascular | Replay attacks, authentication bypass | HITRUST: AC-1, AC-4; NIST SP 800-53: AC-2; ISO 27001: A.9.1
CVE-2025-2229 | Philips Intellispace Cardiovascular | Fixed AES-128 encryption key vulnerability | HITRUST: AC-4, SC-7; GDPR: Art. 32; NIST SP 800-53: SC-12, SC-13
CVE-2020-16237 | Philips SureSigns VS4 | Exploitable remotely | HITRUST: AC-4, SC-7; ISO 27001: A.13.1
CVE-2020-16239 | Philips SureSigns VS4 | Exploitable remotely | HITRUST: AC-4, SC-7; ISO 27001: A.13.1
CVE-2020-1624 | Philips SureSigns VS4 | Exploitable remotely | HITRUST: AC-4, SC-7; ISO 27001: A.13.1
CVE-2020-16216 | Philips IntelliVue MX700 and MX800 | Low attack complexity | HITRUST: AC-2, SC-5; NIST SP 800-53: AC-2
CVE-2019-13530 | Philips IntelliVue MX700 and MX800 | Hard-coded password, code download without integrity check | HITRUST: SI-1, AC-6; NIST SP 800-53: AC-5, SC-8; ISO 27001: A.14.2.5
CVE-2020-16214 | Philips IntelliVue MX100 | Low attack complexity | HITRUST: AC-2, SC-5; NIST SP 800-53: AC-2
CVE-2018-19001 | Philips HealthSuite Health Android App, all versions | Inadequate encryption strength | HITRUST: SC-13, AC-12; NIST SP 800-53: SC-12, SC-13; GDPR: Art. 32
CVE-2021-33017 | Philips IntelliBridge EC 40 and 60 Hub | Authentication bypass using an alternate path or channel | HITRUST: AC-1, AC-4; NIST SP 800-53: AC-2
CVE-2022-0922 | Philips E-alert Firmware | No authentication for critical system functionality | HITRUST: AC-4, SC-12; NIST SP 800-53: AC-2
CVE-2018-14803 | Philips E-alert Firmware | Unauthorized disclosure of system information via HTTP headers | HITRUST: AC-5, SC-4; NIST SP 800-53: SC-12; ISO 27001: A.10.1
CVE-2020-6961 | GE Healthcare GE CARESCAPE B450/B650/B850 | Exploitable remotely, low skill level | HITRUST: AC-4, SC-7; NIST SP 800-53: AC-2; ISO 27001: A.13.1
CVE-2020-6962 | GE Healthcare GE CARESCAPE B450/B650/B850 | Exploitable remotely, low skill level | HITRUST: AC-4, SC-7; NIST SP 800-53: AC-2; ISO 27001: A.13.1
CVE-2020-6963 | GE Healthcare GE CARESCAPE B450/B650/B850 | Exploitable remotely, low skill level | HITRUST: AC-4, SC-7; NIST SP 800-53: AC-2; ISO 27001: A.13.1
CVE-2020-6964 | GE Healthcare GE CARESCAPE B450/B650/B850 | Exploitable remotely, low skill level | HITRUST: AC-4, SC-7; NIST SP 800-53: AC-2; ISO 27001: A.13.1
CVE-2020-6966 | GE Healthcare GE CARESCAPE B450/B650/B850 | Exploitable remotely, low skill level | HITRUST: AC-4, SC-7; NIST SP 800-53: AC-2; ISO 27001: A.13.1
CVE-2024-27106 | GE Healthcare EchoPAC | Exploitation activity | HITRUST: AC-5, SI-1; NIST SP 800-53: AC-5, SI-2
CVE-2024-1628 | GE Healthcare Ultrasound devices | OS command injection vulnerabilities | HITRUST: SI-2, AC-5; NIST SP 800-53: SI-3, AC-4
CVE-2020-25179 | GE Healthcare Imaging and Ultrasound Products | Information leak | HITRUST: SI-3; NIST SP 800-53: SI-3; ISO 27001: A.10.1
CVE-2024-3094 | GE Healthcare XZ Utils | Embedded malicious code | HITRUST: AC-4, SC-7; NIST SP 800-53: AC-4, SI-7
CVE-2021-27410 | Welch Allyn Spot Vital Signs 4400 | Exploitable remotely | HITRUST: AC-4, SC-7; ISO 27001: A.13.1
CVE-2021-27408 | Welch Allyn Spot Vital Signs 4400 | Exploitable remotely | HITRUST: AC-4, SC-7; ISO 27001: A.13.1
CVE-2024-1275 | Welch Allyn Vital Signs Monitor | Exploitable remotely | HITRUST: AC-4, SC-7; ISO 27001: A.13.1
CVE-2019-6446 | Dräger Infinity® Delta Series | Probability of exploitation activity | HITRUST: SI-2, SC-5; NIST SP 800-53: SI-4, SC-7
CVE-2024-23619 | IBM Merge Healthcare eFilm Workstation | Execute code | HITRUST: SI-1, AC-5; NIST SP 800-53: SI-5, AC-6
CVE-2024-23622 | IBM Merge Healthcare eFilm Workstation | Buffer overflow | HITRUST: SC-8, SI-5; NIST SP 800-53: SC-7, SI-7
CVE-2024-23621 | IBM Merge Healthcare eFilm Workstation | Buffer overflow | HITRUST: SC-8, SI-5; NIST SP 800-53: SC-7, SI-7
CVE-2024-38348 | CodeProjects Health Care hospital Management System v1.0 | SQL injection vulnerability | HITRUST: AC-6, SI-1; NIST SP 800-53: SI-3, AC-4
CVE-2024-38347 | CodeProjects Health Care hospital Management System v1.0 | SQL injection vulnerability | HITRUST: AC-6, SI-1; NIST SP 800-53: SI-3, AC-4
CVE-2025-0683 | Contec Health CMS8000 Patient Monitor | Exposure of private personal information | HITRUST: SI-1, AC-5; NIST SP 800-53: AC-2, SI-4
CVE-2025-1204 | Contec Health CMS8000 Patient Monitor | Hidden functionality | HITRUST: AC-6, SC-5; NIST SP 800-53: AC-5
CVE-2025-0626 | Contec Health CMS8000 Patient Monitor | Attempts to bypass network settings | HITRUST: SC-5, AC-4; NIST SP 800-53: AC-4, SC-7
CVE-2024-12703 | Schneider Electric SE RemoteConnect and SCADAPackTM x70 Utilities | Remote code execution via deserialization | HITRUST: AC-5, SC-7; NIST SP 800-53: SI-5, SC-8
Table 16. List of identified attacks with their respective abbreviations according to Table 15.

Types of Attacks | Abbreviation
Exploitable remotely/low skill level to exploit | ER
Remote exploit | RX
Buffer overflow | BO
SQL injection vulnerability | SQL
Low attack complexity | LAC
Authentication bypass using an alternate path or channel | ABU
Embedded malicious code | EM
Execute code | EX
Exploitation activity | EA
Exposure of private personal information to an unauthorized actor | EPP
Hidden functionality | HF
Inadequate encryption strength | IES
Information leak | IL
OS command injection vulnerabilities | OCI
Probability of exploitation activity | PIV
Replay attacks and authentication bypass | RAA
The “monitor” binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address | MB
The software does not perform any authentication for critical system functionality | SDN
The vulnerability allows for an unauthorized disclosure of system information through HTTP headers | VAF
Token reuse vulnerability | TRV
Use of hard-coded password, download of code without integrity check | UHP
Share and Cite

MDPI and ACS Style

Ulloa-Zamora, M.; Barría-Huidobro, C.; Sánchez-Rubio, M.; Galeazzi, L. Integral Security Pillars for Medical Devices: A Comprehensive Analysis. Appl. Sci. 2025, 15, 6634. https://doi.org/10.3390/app15126634