A Systematic Review of Radio Frequency Threats in IoMT

: In evolving technology, attacks on medical devices are optimized due to the driving force of AI, computer vision, mixed reality, and the internet of things (IoT). Optimizing cybersecurity on the internet of medical things (IoMT) and building cyber resiliency against crime-as-a-service (CaaS) in the healthcare ecosystem are challenging due to various attacks, including spectrum-level threats at the physical layer. Therefore, we conducted a systematic literature review to identify the research gaps and propose potential solutions to spectrum threats on IoMT devices. The purpose of this study is to provide an overview of the literature on wireless spectrum attacks. The papers we reviewed covered cyber impacts, layered attacks, attacks on protocols, snifﬁng attacks, ﬁeld experimentation with cybersecurity testbeds, radiofrequency machine learning, and data collection. In the ﬁnal section, we discuss future directions, including the snifﬁng attack mitigation framework in IoMT devices operating under a machine implantable communication system (MICS). To analyze the research papers about physical attacks against IoT in health care, we followed the Preferred Reporting Items for Systematic Reviews (PRISMA) guidelines. Scopus, PubMed, and Web of Science were searched for peer-reviewed articles, and we conducted a thorough search using these resources. The search on Scopus containing the terms “jamming attack” and “health” yielded 330 rows, and the investigation on WoS yielded 17 rows. The search terms “replay attack” and “health” yielded 372 rows in Scopus, while PubMed yielded 23 rows, and WoS yielded 50 articles. The search terms “side-channel attack” and “health” yielded 447 rows in Scopus, WoS yielded 30 articles, and the search terms “snifﬁng attack” and “health” yielded 18 rows in Scopus, while PubMed yielded 1 row, and WoS yielded 0 articles. The terms “spooﬁng attack” and “health” yielded 316 rows in Scopus, while PubMed yielded 5 rows, and WoS yielded 23 articles. Finally, the search terms “tampering attack” and “health” yielded 25 rows in Scopus, PubMed yielded 14 rows, and WoS yielded 46 rows. The search time frame was from 2003 to June 2022. The ﬁndings show a research gap in snifﬁng, tampering, and replay attacks on the IoMT. We have listed the items that were included and excluded and provided a detailed summary of SLR. A thorough analysis of potential gaps has been identiﬁed, and the results are visualized for ease of understanding. new strategies—deception against advanced persistent threats (APTs).


Introduction
Digital health is a promising platform to increase life expectancy and overcome the challenges that healthcare technologists must deal with. Among the promising research fields of today, the IoMT (internet of medical things)-based AR/VR (augmented reality/virtual reality) technologies strongly focus on the medical education and patient engagement areas of the healthcare ecosystem. However, digital transformation vulnerabilities are providing an opportunity to adversaries to explore less studied and little-known physical emanation attacks, including radio frequency, acoustic, ultrasonic, magnetic, photonic, seismic, infrared, electromagnetic, magnetic field temperature, and low-level vibration attacks on air gap and non-air gap source systems [1][2][3][4]. To protect high-and low-value assets, there is a need to provide physical security between personal medical devices, healthcare providers, education, and patient-centric approaches. Additionally, the evolving nature of IoT-based healthcare ecosystems requires sound medical and ethical policies to ensure cybersecurity is safe and attack-aware. Because of disruptive technologies' demanding nature and the need to accelerate the learning curve of the workforce, the IoMT sector is growing more rapidly than ever, bringing new risks and vulnerabilities. The present-day wireless attacks are not limited to NFC (near field communication) [5], (BLE) bluetooth low energy [6], LTE (long-term evolution) [7], RF (radio frequency) [8], Wi-Fi (wireless fidelity), GPS (global positioning satellite), or SATCOM (satellite communications) but extend to other wireless spectrum technologies vulnerable to quality attribute attacks on reliability, safety, security, and integrity. In hospital settings, IoMT devices pose greater cyber risks than ever due to innovation in IoMT devices [8]. Table 1 shows RF attacks by the internet of things (IoT) layer and attack area description, and Figure 1 shows the wireless device, system, and communication technologies used in the healthcare ecosystem and threats by software-defined radio devices.

Type of Attack IoT Layer Attack Area Description
Primary emulation Perception The primary transmitter/antenna emits information or spilling of information.
Spectrum sensing Perception Fake identification and observation of spectrum sensing process.
Control channel attack Network Untrusted system or process collecting confidential information of trusted system/process.

Cross-layer attack All layers
Parallel attack on all the layers of IoT.
SDR device attack All layers SDR device antenna/battery and other core part disruption.

Jamming attack All layers
Decreasing signal to interference noise ratio by blocking the information transfer between transmitter and receiver in the communication channel.
Replay attack All layers Interception of signal between transmitter and receiver to accomplish fake transmission.
Sniffing attack All layers Closely monitoring the sensitive or unauthorized information between transmitter and receiver in the communication channel.

Tampering attack All layers
Closely monitoring the sensitive or unauthorized information between transmitter and receiver in the communication channel and modification of process/parameters to compromise the system.

Denial attack All layers
Closely monitoring the sensitive or unauthorized information between transmitter and receiver in the communication channel, modification of process/parameters, and disrupting the availability.
Hospital settings are vulnerable to various attacks, such as simulation and clone attacks in LFID (low-frequency identification), privacy leakage attacks (PLA) on contactless cards, replay and brute force attacks on pressure systems, sniffing and jamming attacks on Wi-Fi, the transmission of fake uplink data, and clone the tracker attacks and LTE sniffing attacks on mobiles. Information security incidents caused by intruders and unethical hackers are becoming more common, as evident from various research efforts on the IoT security and wireless sensor networks security and challenges, including medical devices and personal body area networks. Information spilling, session hijacking, and phishing attacks are frequent in healthcare infrastructure. Moreover, attack types based on the layer are becoming common in the hospital sector due to the low level of the cyber security maturity model, penetration testing to identify the vulnerabilities, and lack of cyber security awareness among business users and stakeholders. Hospital settings are vulnerable to various attacks, such as simulation and clone attacks in LFID (low-frequency identification), privacy leakage attacks (PLA) on contactless cards, replay and brute force attacks on pressure systems, sniffing and jamming attacks on Wi-Fi, the transmission of fake uplink data, and clone the tracker attacks and LTE sniffing attacks on mobiles. Information security incidents caused by intruders and unethica hackers are becoming more common, as evident from various research efforts on the IoT security and wireless sensor networks security and challenges, including medical devices and personal body area networks. Information spilling, session hijacking, and phishing attacks are frequent in healthcare infrastructure. Moreover, attack types based on the layer are becoming common in the hospital sector due to the low level of the cyber security maturity model, penetration testing to identify the vulnerabilities, and lack of cyber security awareness among business users and stakeholders.

Radiofrequency Attacks
An RF attack is a type of hacking that does not require physical contact with the target. Electronic devices are disrupted, damaged, or interfered with by radio waves sent by the attacker. In addition to disrupting internet-connected devices, they can also affec computers, routers, printers, and other IoT devices. Software-defined radios (SDRs) are powerful tools for monitoring, intercepting, and manipulating digital communications Additionally, they open the door to the internet of things. As SDRs become more prevalent, the threat of IoT hacks will increase. Figure 1 shows the possibilities of physical layer attacks and system attacks by SDR devices. As shown in Figure 1, spoofing, eavesdropping, and man-in-the-middle attacks have a combined 50% coverage when compared to the other attacks. Additionally, spoofing and eavesdropping are more significant than man-in-the-middle attacks in that range.

Recommended Solutions
There are still organizational, technological, and governance barriers that prevent the adoption of cybersecurity in healthcare IoT, but the coronavirus disease (COVID-19) pandemic has brought to light the need for a secure IoT to coordinate the transfer of confidential information, for temperature control of medical supplies and vaccines, radio frequency-based machine implantable communication systems, wearable technologies for

Radiofrequency Attacks
An RF attack is a type of hacking that does not require physical contact with the target. Electronic devices are disrupted, damaged, or interfered with by radio waves sent by the attacker. In addition to disrupting internet-connected devices, they can also affect computers, routers, printers, and other IoT devices. Software-defined radios (SDRs) are powerful tools for monitoring, intercepting, and manipulating digital communications.
Additionally, they open the door to the internet of things. As SDRs become more prevalent, the threat of IoT hacks will increase. Figure 1 shows the possibilities of physical layer attacks and system attacks by SDR devices. As shown in Figure 1, spoofing, eavesdropping, and man-in-the-middle attacks have a combined 50% coverage when compared to the other attacks. Additionally, spoofing and eavesdropping are more significant than man-in-themiddle attacks in that range.

Recommended Solutions
There are still organizational, technological, and governance barriers that prevent the adoption of cybersecurity in healthcare IoT, but the coronavirus disease (COVID- 19) pandemic has brought to light the need for a secure IoT to coordinate the transfer of confidential information, for temperature control of medical supplies and vaccines, radio frequency-based machine implantable communication systems, wearable technologies for remote patient monitoring, and patient-controlled drug delivery systems. The need to drive greater adoption of IoT security policies in healthcare cybersecurity makes it imperative to remove some of these barriers in concerted efforts to drive greater adoption. Although external factors such as COVID-19 alone may push the adoption of these technologies, such factors cannot achieve lasting and sustained effects [9].
We aimed to systematically review the IoMT to understand the research gap and identify RF hackers' locations. Our goal was to provide the healthcare community with better understanding, literacy, and appropriate advancements, as well as bring together IoMT and physical layer scientists. Additionally, we hope that this work will foster a greater interest in integrating IoMT systems into future healthcare applications and beyond. The following are the main contributions.

1.
A description of the current state of research on internet of things (IoT) side-channel attacks.

2.
The aim of this study was to understand the research gap about sniffing and replaying IoMT attacks in the healthcare ecosystem.

3.
The research papers were reviewed top-down to facilitate our future research, including those on cybersecurity systems, cybersecurity frameworks, cyber-attacks on layers and protocols, radio frequency machine learning, and deep learning in a cybersecurity field experimentation. 4.
The conclusions we have reached, and our plans for future work are presented.
In Table 2, cyber spectrum attacks are analyzed across journals. There is a lack of research on sniffing and tampering attacks, according to the results. Our future research will be facilitated by reviewing research papers from the top down. Topics included systems for cybersecurity, cybersecurity frameworks, attacks on layers and protocols, radio frequency machine learning, and deep learning in the cybersecurity field. Table 3 shows the papers we reviewed. Table 3. Summary of SLR.

Type of Attack Section Data Method Conclusion/Result
This framework provides details related to incident insights. It classifies incidents based on external, internal, and partner-based threats. It also provides insights into hacking evidence, including IoT forensics), malware behavior, social engineering attacks, privilege misuse, and known and unintentional errors.

2 3
The key metrics on incidents are classified based on victims (size of the organization), actors, actions, assets, attributes, timelines, impacts, and repeated events.
The research explains various attacks on that three-layer IoT architecture, starting with physical attacks, jamming attacks, relay attacks, Sybil, selective forwarding, side-channel, replay, evil twin, sniffing, and spoofing.

1 3
The paper shows goal-based classification and the evolving spectrum-level vulnerabilities causing significant disruption to the OSI.
Their investigation claims that mobilityand QoS will be high for specific communication protocols.

1 3
The reverse engineering of the spectrum to retrieve those payloads and understand the protocols becomes a base process of attack strategies. The hardness scale depends on the main contributing factors: encryption, frequency band, modulation, spread spectrum, and protocols.
How asset mobility contributes to the continuous evaluation and monitoring of high-value assets and elevates risk mitigation strategies and guidelines.

2 3
The paper evaluates the reasoning behind new cybersecurity threats from radio channel-based adversaries such as cluster drones, mobile networks, satellites, marine, aeronautical, in-depth space communication, and IoT.

Type of Attack Section Data Method Conclusion/Result
Categorization of attack levels-operating system level, user interface level-and how the sensitive information flows across the process are captured for further analysis.

2 3
The inheritance of password authentication shows the infancy of research rigor and does not contribute to sniffing attacks.
This paper contributes to knowledge more than the practical implementation of design, artifacts, proof of concepts, experimentation, evaluation, and future direction.
3.3 1 4 The main idea will enhance the motivation to identify the research focus with potential questions. IoMT is operating under MICS or ISM frequency.
The architectural design and completion of the Version 1 CASE-V testbed. They developed a web-based UI framework using the MEAN.

2 4
To reduce the dependability of an external penetration tester, a low-cost testbed can be performed to improve the effectiveness and usability of CSM. According to the analysis, insider threats and associated toolsimpact levels 0 and 1 compared to a remote intruder. The author's findings proved that a low-cost testbed is possible in the corporate ecosystem.
Overview of publicly available data sets for intelligent cybersecurity intrusion detection system. Also, it proposed how ML and DL techniques can be used to analyze the raw network traffic data having real-time traffics from APT, malware, and botnets.

2 4
The research investigated the pros and cons between Machine Learning (ML) and Deep Learning (DL) algorithm support vector machines (SVM), deep belief network (DBN), recursive neural network (RNN), convolutional neural network (CNN), Fast-RNN and difference between ML and DL in terms of data and hardware dependencies, Feature processing, problem solving and execution time.
They investigated the publicly available database-IEEE, Science Direct, ACM, and Springer Link, between 1990 and 2019 to address the questions.1.ML algorithm used for endpoint detection and response (EDR)2. Alternative available for the EDR.

2 4
The research claims to analyze the Publication Trends in EDR and the techniques used for EDR.

Methodology
In our systematic review [10], we have focused on the healthcare field, healthcare, and IoT, and the section starts with the research questions and the data sources. A detailed keyword search has been listed, followed by an analysis. VOS viewer has been utilized for visualization and has helped us identify critical research papers.

Research Questions
In this study, the following research questions were addressed [11]: 1.
RQ1: How well has IoT been integrated into healthcare? 2.
RQ2: What is the current state of healthcare-RF cybersecurity research?

The Source of Data
Three electronic databases were included in the systematic review: The original research articles on IoT signal security in health care were identified using the Preferred Reporting Items for Systematic Reviews Meta-analysis (PRISMA) guidelines. Our search was for original research articles published exclusively in English between January 2002 and June 2022. This document contains PRISMA, as well as articles with full text and articles in English. We conducted a cross-disciplinary database search of research articles between inception and June 2022. To find articles published between 2012 and 2022, we used Boolean functions in electronic databases (PubMed, Scopus, and Web of Science).
In this section, we have reviewed the research papers related to the cybersecurity framework, the layered classification of IoT, and cybersecurity impacts. Then, we cascaded the studies on attacks on physical layer protocols and further reviewed radio frequency attacks (RFA) on the IoMT. For example, they were sniffing attacks, tampering attacks on vehicular sensors, and replay attacks. Our research studies use the PRISMA approach for the identification, screening, eligibility, and inclusion of research papers. Then, we used a systematic literature review (SLR) to identify papers contributing to our defined scope. Few studies and little-known information are available in the SLR approach on RF physical attacks on the IoMT and their analyzing trend through radio frequency machine learning (RFML) [12]. The core papers included in our research studies are directly associated with physical layer attacks. However, there are papers on IoT health care that provide industry and market acceptance from healthcare professionals [13]. We used the British Standards Institution [14] and the national initiative for cybersecurity careers and studies for our research [15]. The keywords are listed below. The rejected keywords are "health care," "physical attack," "SDR," "malicious," "intruder," and "adversaries." In the last decade, there has been a significant positive increase in wireless security awareness and spectrum attack awareness. The research articles from the web of science (WOS), PubMed, and Scopus are included in our study. However, physical layer research contributions are relatively modest compared to other security layers. An article was excluded if it falls in another category other than cybersecurity physical layer attacks and health.

Search Strategy and Selection Criteria
In June 2022, a search was conducted in the online digital libraries to locate the articles. An overview of the search and selection procedure is given in Figure 2

Data Collection and Visualization
We then collected data from the relevant publications to conduct our analy gathered basic information about the publications: title, authors, publication type cation domain, and publication year. The basic information we collected led us t on two fields of interest-side-channel attacks and healthcare. Figure 3 visual spectrum attack search between 2003 and 2022 through the Power BI Microsoft p [14] and shows that computer science and medical informatics had the most sp attack publications, followed by the engineering and telecommunication domain.

Data Collection and Visualization
We then collected data from the relevant publications to conduct our analysis. We gathered basic information about the publications: title, authors, publication type, publication domain, and publication year. The basic information we collected led us to focus on two fields of interest-side-channel attacks and healthcare. Figure 3 visualizes the spectrum attack search between 2003 and 2022 through the Power BI Microsoft platform [14] and shows that computer science and medical informatics had the most spectrum attack publications, followed by the engineering and telecommunication domain.
We then collected data from the relevant publications to conduct our analysis. We gathered basic information about the publications: title, authors, publication type, publication domain, and publication year. The basic information we collected led us to focus on two fields of interest-side-channel attacks and healthcare. Figure 3 visualizes the spectrum attack search between 2003 and 2022 through the Power BI Microsoft platform [14] and shows that computer science and medical informatics had the most spectrum attack publications, followed by the engineering and telecommunication domain.      A full counting relevance study is shown in Figure 5. The content is visualized based on the number of occurrences of a term exceeding 10 (143 terms from 5219). The Each term is given a relevance score. Based on this score, the most relevant term is selected. The default choice is 60% of the most relevant term. The small size of the red bubble with replay attack and the light blue bubble with side-channel attack indicate significant research gaps in those areas [17]. A full counting relevance study is shown in Figure 5. The content is visualized based on the number of occurrences of a term exceeding 10 (143 terms from 5219). The Each term is given a relevance score. Based on this score, the most relevant term is selected. The default choice is 60% of the most relevant term. The small size of the red bubble with replay attack and the light blue bubble with side-channel attack indicate significant research gaps in those areas [17].

Figure 5.
Relevance and occurrence study-full counting. Figure 6 shows the binary counting relevance study. A VOS viewer [18] ualization of the content based on the number of occurrences of a term gr (104 from 5219 terms). Each term is given a relevance score. Based on this sc relevant term is selected. The default choice is 60% of the most relevant term the replay attack, the relevant keyword topics are well connected with oth highly prone to spectrum attacks [18]. The red bubble illustrates a method research gap in relation to replay attack, and the light blue and green bub significant research gaps in the side-channel attack.   Figure 6 shows the binary counting relevance study. A VOS viewer [18] shows a visualization of the content based on the number of occurrences of a term greater than 10 (104 from 5219 terms). Each term is given a relevance score. Based on this score, the most relevant term is selected. The default choice is 60% of the most relevant term. Regarding the replay attack, the relevant keyword topics are well connected with other key terms highly prone to spectrum attacks [18]. The red bubble illustrates a method or attributes research gap in relation to replay attack, and the light blue and green bubbles indicate significant research gaps in the side-channel attack.
J. Sens. Actuator Netw. 2022, 11, x FOR PEER REVIEW 9 of 19 Figure 5. Relevance and occurrence study-full counting. Figure 6 shows the binary counting relevance study. A VOS viewer [18] shows a visualization of the content based on the number of occurrences of a term greater than 10 (104 from 5219 terms). Each term is given a relevance score. Based on this score, the most relevant term is selected. The default choice is 60% of the most relevant term. Regarding the replay attack, the relevant keyword topics are well connected with other key terms highly prone to spectrum attacks [18]. The red bubble illustrates a method or attributes research gap in relation to replay attack, and the light blue and green bubbles indicate significant research gaps in the side-channel attack. Figure 6. Relevance and occurrence study-binary counting. Figure 6. Relevance and occurrence study-binary counting.

Search Strategy and Selection Criteria
During the selection process, duplicate articles were removed, article titles were reviewed, and articles that did not pertain to IoT cybersecurity in healthcare were removed. We selected these articles based on information in our indexed database. Table 4 shows the attacks identified in WoS, Scopus, and PubMed. In Table 5, we list the attacks that are excluded. The articles that conceptualized specific use cases were retained, while those containing editorials, letters, reviews, and opinions not listed in Section 2.3 were excluded.

Data Generalization
We developed a standardized form using Microsoft Excel to evaluate the selected articles. The findings of heterogeneous studies were synthesized using a narrative review approach to describe IoT signal attack protocols, platforms, or functional prototypes. In the narrative review, individual and meta-analysis biases were not assessed, so missing data were eliminated.

Results and Discussion
The purpose of this section is to discuss the results retrieved from the publications and discuss two research questions.

1.
RQ1: How well has IoT been integrated into health care?
We completed a systematic analysis of research articles per year against research for jamming [19], replay [20], sniffing [21], spoofing [20,22], side-channel, and tampering attacks in the web of science PubMed and Scopus. The results clearly show that computer and wireless communication domains are dominant, and the research articles are distributed in sensing layer attacks of IoMT. Table 1 and Figure 4 show the search analysis of cyber spectrum attacks across journals as per the PRISMA checklist in Appendix A. The Scopus papers containing terms about "jamming attack" and "health" yielded 330 rows, and the investigation on WoS yielded 17 articles. Scopus papers containing terms about "replay attack" and "health" yielded 372 rows, PubMed yielded 23 rows, and WoS yielded 50 articles.
Scopus papers containing terms about "side-channel attack" and "health" yielded 447 rows, and articles on WoS yielded 30 articles. Scopus papers containing terms about "sniffing attack" and "health" yielded 18 rows, PubMed yielded 1 row, and WoS yielded 0 articles. Scopus for papers containing terms about "spoofing attack" and "health" yielded 316 rows, PubMed yielded five, and WoS yielded 23 articles. Scopus papers containing terms about "tampering attack" and "health" yielded 25 rows, and articles on PubMed yielded 14 rows, and articles on WoS delivered 46 articles. This row-level analysis result reveals no significant research contribution in sniffing attacks on IoMT devices, and that trend follows with tampering attacks, etc. Table 3 shows SLR from Sections 3.1-3.5 in tabular form. Section 3.1 reviews the cyber impacts and attacks on three-layer IoT architecture to identify the possibility of compromising adversaries' assets. Moreover, unethical hacking competencies and the corresponding core behaviors in weaponizing the SDR and radiofrequency to take over critical information such as client and clinical data repository from IoMT will significantly damage the entire healthcare user experience. We have well-established standard models and best practices with health level Seven international (HL7) [23] and fast health care interoperability resource (FHIR) [24] to meet health insurance portability accountability Act (HIPAA) compliance [25]. However, few studies on radio attack analysis on IoMT data and radio frequency machine learning framework have good wireless physical security risk mitigation strategies.
Section 3.2 studies attacks on physical layer protocol on the internet of things. The above review provides a roadmap for understanding RF physical attacks, including jamming, sniffing, spoofing, tampering, and replay attacks. In the upcoming Sections 3.3 and 3.4, we discuss the paper related to the testbed implementation for IoT field experimentation.

2.
RQ2: What is the current state of healthcare-RF cybersecurity research?

Cyber Impacts and Layered Attacks
Criminality is uprooted from cybercrime, regardless of the attacking layer. By understanding cyber impacts at the human and OSI layers, we gained insight into the causes and were able to deploy countermeasure strategies against powerful attacks. Prior to reviewing the physical layer attacks, we will examine layered attacks and cybersecurity frameworks.
The research [26] examines threats, vulnerabilities, and attacks. Literature reviews, surveys, articles, repositories, attacks, incidents, and more demonstrated how cybersecurity harnesses multiple dimensions of the corporate ecosystem. Cyber harness themes were examined from adversaries' perspectives. According to the research, the taxonomy will enable companies to distinguish between high-value and low-value assets and how they are directly and indirectly associated with cyber-related harms. To improve their cybersecurity management program, the paper analyzed the VERIS community database (VCDB) [27].
A reputational cyber-harm (leading to damage to public perception, brand damage, customer-corporate damage, and decreased business opportunities).
As a result of social cyber-harm, dynamic inconsistencies in public opinion are caused, cultural efficacy is disrupted, a negative impact is incurred on communities, and perceptions of organizational behavior are reduced.
The author proposes to extend their future work on an asset-oriented model for the corporate ecosystem and identifying high-value and low-value assets, and how the critical stakeholders involved in the interest of direct and indirect harm. However, this approach does not provide analytics or tools for advanced prediction or intelligent cybersecurity systems to help corporations understand cyber-harm. Despite not focusing on a specific theme, their approach was sufficiently flexible and highly scalable. The data were sourced from an open-source database. The Vocabulary for Event Recording and Incident Distribution System (VERIS) framework is loaded with open-source cybersecurity key performance indicators (OCKPI) to identify the security incident insights, increase the companies' risk mitigation strategies, and extend that framework for effective incident handling mechanism [28]. This framework provides details related to incident insights. It classifies incidents based on external, internal, and partner-based threats. It also provides insights into hacking evidence, including IoT forensics, malware behavior, social engineering attacks, privilege misuse, known and unintentional errors, and how confidentiality, integrity, and availability are affected through critical metrics.
The key metrics on incidents are classified based on victims (size of the organization), actors, actions, assets, attributes, timelines, impacts, and repeated events. Moreover, this framework provides facilities to understand the efficacy of a business continuity plan through the discovery and response process targeting how the discovery is processed, the root causes, and the corrective actions. How do you differentiate between targeted and opportunistic attack scenarios? This data-driven framework gives greater visibility and reasoning on the key performance indicators. However, the open-source community lacks the credibility of data and future support.

Cyber Security Framework
A security framework assessment matrix compares various cybersecurity framework implementation trends [29]. Authors performed through literature review and qualitative document analysis. The cybersecurity framework's assessment matrix helps identify how many items are covered. Besides, three frameworks from three countries are aligned to their country profile and risk management strategies. According to the investigation, their analysis benefits policymakers and executives doing business in three states by improving their framework strength and understanding of necessary improvements. In addition, country-specific cybersecurity implementation frameworks (CIFs) were implemented across regions, and business values were shared. Hence, evidence-based insights are developed for decision-makers from business regions to improve their existing cybersecurity frameworks. However, most action items are derived from the NIST framework except for risk governance, which had substantial quantitative empirical support. NIST's limitations are prioritized in this paper, but most action items are still inherited from NIST.
Moreover, the author used the old policy-2014 instead of the amended policy-2018 for the Australia protective security policy framework (PSPF) assessment. To improve cybersecurity framework implementation, the authors analyzed the assessment matrix and used pattern-matching [30]. On the other hand, there is a potential gap in enhancement to understand the effectiveness of adopting and utilizing cybersecurity implementation frameworks, though adopted by businesses having branch offices across those regions (the UK, Australia, and the USA).

Cyber-Attacks Classification
Based on the open systems interconnection (OSI) model, the author [31] develops strategies to defend against attacks across industries. The research explains the threelayer architecture: The top layer, the application layer, comprises intelligent processing, cloud computing, middleware technologies, and service platforms. Wireless local area networks (WLAN), GPS, and internet protocol (IP) make up the network layer. Lastly, the sensing layer includes all IoT technologies, including RFID, NFC, Wi-Fi, computer vision, and coordination. Despite the growing demand for contactless sensing, SOLI may lead to multilayer architectures. Furthermore, the research explains various attacks on the three-layer IoT architecture. The various attacks are physical attacks, jamming attacks [32], relay attacks [33], sybil, selective forwarding, side-channel attacks [20], replay, evil twin [34], sniffing [35], spoofing, tampering or malicious code injection, firmware attacks, and network layer attacks (sinkhole, unfairness, incorrect routing, session flooding, eavesdropping related to packets). Application layer (phishing attacks virus, worms, spyware, malicious scripts, denial-of-service (DOS), injection, buffer overflows, RFID tampering. However, they demonstrated goal-based classification of the evolving signal security threats and spectrum-level vulnerabilities, causing significant disruption to the OSI. Those attacks are not limited to frequency hopping spread spectrum attack [36], direct sequence spread spectrum [37], or chirp spread spectrum (CSS) hybrid. The research investigates criminality or attacking goal-based layered classification and still lacks the choice of methodology, validation, and future works.
The research investigates criminality or attacking goal-based layered classification and still lacks the choice of methodology, validation, and future works.

Cyber-Physical Attacks on Protocols
This paper [38] examines the effectiveness of IoT against high-power cellular networks using various low-power protocols. The author discusses the key technical differences between Sigfox, LoRa, and NB-IoT, as well as their advantages and disadvantages. According to their investigation, specific protocols will deliver high mobility and QoS. However, downlink data are possible with wearables with the same spectrum threat of the uplink process.
In other words, the danger is not different for each process since both work under an unlicensed frequency band under the range of Industrial, scientific, and medical (ISM) 900 MHZ [39]. Medical sensors in the ISM band are vulnerable to physical layer attacks. Examples include tampering/malicious code injection, firmware attacks, jamming, replay, and evil twin attacks. During the reconnaissance phase of attack strategies, adversaries thoroughly investigate those devices. OSINT toolsets are suited to their motivations and guided by attack vector maturity. The newly identified markers employ a variety of attack surfaces, including iron oxide fillings and traces. In our scope, we focus on attacks at the spectrum level before reaching the IP network gateway. A few common attacks on those spaces are sniffing, eavesdropping, jamming, network state disruption or transmitting noise, and conflicting the traffic within the target RF channel having the same frequency.
Re-transmitting the symbol or captured frames to the receiver to implement a replay attack includes re-transmitting mutated information. The threat or aggression process will be the same regardless of the spectrum of attacks. The base of any attack strategy is to understand the protocols and reverse engineer the spectrum for payload injection. Several factors contribute to the identification and localization, including modulation, frequency, bandwidth, data rate, half duplex or full duplex system, maximum payload size, range between source-target, interference immunity, adaptive data rate, authentication, handover to fault-tolerant node, localization, and energy awareness. Additionally, the localization of the transmitting rogue SDR is detectable using the angle of arrival (AOA), time difference of arrival (TDOA), frequency difference of arrival (FDOA), and received signal strength indicator (RSSI) techniques.

Cyber-Physical Attacks on Low-Power Protocols
In paper [39], the author examines the effectiveness of the Internet of Things using lowpower protocols. Furthermore, their investigation claims that mobility and QoS will be high for specific protocols because of asset mobility and continuous evaluation and monitoring. The IoT, drones, radio channels, satellite communications, and marine, aeronautical, and deep space communication create new cybersecurity threats. Anything emitting RF energy is vulnerable. Due to IoT, including the internet of medical things, battle things, and the internet of everything, and high-level adversary motivation, the attack surface is growing. New threats will increase the urgency for innovation in frameworks, cybersecurity maturity models, standards, and guidelines. Therefore, cybersecurity policies and controls must move into the extended maturity group.

Sniffing Attack
This section discusses physical attacks-sniffing and tampering. However, little is known about how the Internet of Medical Things matures and how Radio Frequency spectrum attacks have grown in recent years. There is a niche gap in the research's demonstration evaluation depth and rigor [40] on side-channel attacks on wearables. The categorization of attack levels-operating system level, user interface level, shows how the sensitive information across the process flows. However, there are no concrete details on contribution. Finally, the inheritance of old password authentication strategies shows the infancy of research rigor and does not contribute to sniffing attacks. An analysis compared solutions against IoT attacks, dividing them into three layers, focusing on perception layer attacks and further dividing perception layer attacks by technology. The contribution of this paper [41] goes beyond the practice of designing, making artifacts, proving concepts, doing experiments, evaluating them, and making suggestions for the future. Motivating research focus with possible questions is the main idea.

Cybersecurity Experimentation with AI-Enabled CS
The paper [42] explores artificial intelligence (AI) cybersecurity systems. A platform is needed to test big data and fog computing, cyber situational awareness, innovative simulations, and cyber decision support systems (CDSS). For example, safety-critical systems include production and industrial control systems (ICS), and mission-critical includes communication, access management, interfaces, and business system (HRM, financial, procurement, product, innovation, sales, marketing, etc.). The corporate system cannot depend only on the external penetration testing strategies but develop an internal red team-to attack the system-and a blue team-to defend the system-providing a competitive advantage in attaining cyber maturity. To achieve and reduce the dependability on external penetration tester, the low-cost testbed can be performed to improve the effectiveness and usability of continuous security monitoring (CSM), facilitate attack and defense awareness among employees, and thus reduce KT cost between IT and operational departments. The testbed can also be scaled to accommodate upcoming threats from similar market segments and innovate new strategies-deception against advanced persistent threats (APTs).
Researchers state that the inability to experiment with cybersecurity threats on the lowcost testbed is an excellent threat to the ICS. The research claims that open-source hardware and software can develop a testbed within 500 euros for ethical industrial control system hacking, education, competency development, and research. However, it lacks rationality in the choice of hardware and software concerning functional and non-functional attributes such as performance, security, scalability, maintainability, interoperability, usability, and availability. Additionally, this approach will improve the real-world simulation of attack and defense strategies discussed in the previous paper. This approach motivates us to identify a cost-effective way to conduct field experiments as we implement our framework. Using interoperable data-driven systems, the research examines the industry 4.0 problem.
Additionally, they investigated the four levels of cybersecurity in ICS and how intruder threats, including insider threats, can experiment against them. Based on the analysis, insider threats and associated tools impact 0 and 1 compared to a remote intruder. The author demonstrated that a low-cost testbed could address the growing demand for attack vectors and surfaces in the corporate ecosystem. Expert assessments and other studies are recommended for fog computing and AI-enabled systems [43].
Using low-cost SDR hardware and universal radio hacker (URH), we have developed a framework and validated attack and defense scenarios in the hospital ecosystem [42].

Radiofrequency Machine Learning and Data Set Creation
ML and DL techniques are analyzed in a paper [44] on network-centric intrusion detection systems (IDS). This paper provides an overview of publicly available cyberse-curity intrusion detection data sets. Due to inconsistent support categories, there may be insufficient data volume to address research objectives.
In this paper [45], the author examines endpoint detection and response (EDR). They then demonstrated how data-driven technologies are replacing traditional approaches. Between 1990 and 2019, they studied IEEE, Science Direct, ACM, and Springer Link databases. Alternative methodologies are available for endpoint detection and response (EDR). The research aims to analyze the publication trends in EDR and techniques used for EDR. However, they do not address how ML and DL can be used for intelligent systems. Each of the four categories of machine learning algorithms is represented in cybersecurity management systems (supervised learning, unsupervised learning, semi-supervised learning, reinforcement learning). Using design science principles, each category represents a unique set of machine learning algorithms. EDR technologies such as fire eye endpoint security [46], carbon black response [47], Symantec endpoint protection, Webroot endpoint protection, etc., can be improved through optimized data-driven cybersecurity processes.
Future research will need to examine how these ML techniques are used with analytics and tools for advanced prediction or intelligent sniffing systems. No evidence or reason was provided for their choice of four databases. The cybersecurity core systems (governance, risk management, information security control, compliance, audit, security program management, operation, information security core module, strategic planning, finance, procurement, innovation, and vendor ecosystem) are a top hierarchy. Additionally, their associated subsystems (compliance management, guidelines, program management, operation management, access control, physical security, network security, endpoint protection, application security, encryption technologies, virtualization, cloud computing, transformative technologies, strategic planning, designing, developing, and maintaining information security program, awareness, education) are categorized as middle-level categories.
Dimensions and facts include security metrics and measurable quantities. The dimensions against those facts are viewed by region, time, incidents, threats, vulnerabilities, assets, and attacks. Frameworks are developed with multilayer architectures (database, business, presentation, and innovation). Cardinalities from the azure cloud synapse and data brick [48] connect dimensions and facts in the database layer. The business layer implements business logic and security logic, including embedded and available filters. The presentation layer, query items (columns), and query subjects (table) are reflected as functional requirements, non-functional requirements, policies, and data governance. Dimensions such as time, date, and asset are critical, as well as malware infection facts, threats, vulnerabilities, configurations, mitigations, protocol, transmission power, and reception power.
Our research identifies gaps, develops frameworks and prototypes, and validates them through experiments and analysis. RFML provides insight into how deep learning technologies could be used for identifying modulation and spectrum information and their signal classification.

Conclusions and Future Works
The PRISMA-based search and systematic literature review identify the research gap in radio frequency spectrum threats in the hospital ecosystem. The potential gap is well analyzed, and the results are visualized. This research paper will be relevant to the IoT, IoMT, and medical readers, as this will open a new dimension for physicians and healthcare researchers in spectrum-level threats in machine implantable communication systems. Examples: deep brain stimulators, implantable cardioverter-defibrillator, cardiac stents, implantable insulin pumps, interocular lenses, and pacemakers.
Time difference of arrival (TDOA)-based IoMT field experimentation will be used in our future research to validate the defensive framework. The framework will guide healthcare stakeholders while implementing corporate cybersecurity strategies.
Eventually, further analysis will answer why and how sniffing attacks occur and how they can be identified and mitigated. We will use the design science research methodology to validate the entire process. A core research problem is identified as part of the first agile process, motivating the researcher and customer toward solutions. An overview of the issue and the importance of finding solutions are provided. As part of the second agile process, solutions are evaluated qualitatively, quantitatively, or using a combination of methods. An artifact's core behavior and structure are deduced by analyzing the created solutions during the third agile process. The fourth, the agile methodology, shows how well you can create artifacts that solve problems through design and development. We planned to perform extensive experiments, simulations, and proofs-of-concept to understand how the artifacts address the core issues. As part of the fifth agile process, the success criteria are compared with the findings or results.
We are measuring and observing how artifacts support solutions to problems. The proposed solutions' objectives are well matched with the experimental findings through demonstration processes. As a result of this process, researchers can improve artifacts and communicate results for further development. At the end of the agile process, findings will be communicated in relation to the published objectives for peer review. Our proposed future research investigates sniffing attacks on IoMT under the medical implantable communication system (MICS) frequency band ranging from 402 to 406 MHZ using the design science method.
We planned to use radio frequency machine learning (RFML) utilizing radio frequency machine learning [49], physical emanation security [50], and the internet of medical things. We will develop an open-source testbed for collecting signal intelligence data. We develop a proposed framework for countering or mitigating RF spectrum-based sniffing attacks on IoMT in the healthcare ecosystem. The results and analysis will be evaluated in the testbed. Research issues in spectrum-level physical attacks on IoMT devices will be discussed, including future directions and commercialization.

Conflicts of Interest:
The authors declare no conflict of interest. Table A1. SLR Protocol.

The Objective
A Systematic Review of Radio Frequency Threats in IoMT.

Research Questions
RQ1: How well has IoT been integrated into healthcare? RQ2: What is the current state of healthcare-RF cybersecurity research? Table A1. Cont.

The Objective
A Systematic Review of Radio Frequency Threats in IoMT. Exclusion Criteria (E) E1: Reviews of the literature, secondary research, and other publications that are not related to the topic. E2: Publications that contain only ideas, such as magazines, interviews, and discussion papers. E3: Non-English publications.

Report
A spreadsheet is used to record and analyze findings.