Security and Privacy Management in Internet of Medical Things (IoMT): A Synthesis

: The Internet of Medical Things (IoMT) has become a strategic priority for future e-healthcare because of its ability to improve patient care and its scope of providing more reliable clinical data, increasing efﬁciency, and reducing costs. It is no wonder that many healthcare institutions nowadays like to harness the beneﬁts offered by the IoMT. In fact, it is an infrastructure with connected medical devices, software applications, and care systems and services. However, the accelerated adoption of connected devices also has a serious side effect: it obscures the broader need to meet the requirements of standard security for modern converged environments (even beyond connected medical devices). Adding up different types and numbers of devices risks creating signiﬁcant security vulnerabilities. In this paper, we have undertaken a study of various security techniques dedicated to this environment during recent years. This study enables us to classify these techniques and to characterize them in order to beneﬁt from their positive aspects.


Introduction
Various types of medical devices and applications are connected with the aid of Information Technology (IT) in an Internet of Medical Things (IoMT), which is designed to provide healthcare and e-healthcare services. The infrastructure of an IoMT involves various types of communications technologies and, in general, online networks. Wi-Fi technology could enable easy communication that can take place anywhere among the medical devices in such a setting. When cloud platforms are connected to the IoMT devices (for instance, Amazon Web Services), the sensor readings or various types of medical data can be stored and then analyzed.
One of the key objectives of the IoMT is to ensure minimal human intervention during various types of healthcare procedures and routine checkups of patients. For this, the automation of sensors and machine intelligence techniques are used. When invasive (i.e., can be inserted into human body) and non-invasive (implanted or attached to the skin) devices [1] collect enough information about a patient, that reduces the time for doctors to engage with the patient's diagnosis and frequency of hospital visits. Hence, IoMT can also reduce the costs for the patients and increase the efficiency of the healthcare professionals. For instance, it is possible to help sick elderly people by providing new assistance services in smart homes in order to continuously monitor their physiological conditions at a lower cost to detect the possible deterioration in their state of health.
The COVID-19 pandemic has shown the importance of the IoMT [1,2], with quarantine and lockdown measures which often needed remote healthcare facilities. In fact, such a situation has dramatically accelerated telemedicine and telehealth trends. It is expected that, in the coming years, IoMT will have more sophisticated technologies and applications for deeper and more precise diagnosis of diseases, efficient cost savings and faster healthcare added to it.
While the positive aspects of the IoMT are well enumerated in various studies, implementing the IoMT comes with its own set of challenges, the biggest being the security and privacy of the IoMT. Indeed, the medical data are often considered too sensitive and intrusive. Patients may often not like for their medical or health-related information to be leaked. Hence, the responsibility to protect such data is huge. The issue here, however, is that when we talk about IoMT that includes and welcomes various types of devices and applications in the setting; it would also make it more vulnerable to various types of security-and privacy-related attacks. The inadvertent inclusion of a single malicious device or a device run by a rogue entity could be enough to violate the strict requirement of the privacy of patients' information. Again, compromised data can lead to incorrect diagnoses and, thus, incorrect medications and treatment. This could even be life-threatening for targeted individuals such as national leaders or other important people with high influence or value in a society. Enemies could use the IoMT environment to obtain access to sensitive healthcare information and then cause indirect assassinations. Moreover, healthcare professionals could be wrongly accused of intentionally performing wrong treatments or modifying data and so on. Hence, security and privacy are of paramount importance in the IoMT. Indeed, to enable the wider adoption of IoMT, the security of the objects and networks used must be reinforced. Thus, new lightweight and robust mechanisms must be developed to counter the threats and attacks to which IoMT infrastructures are exposed. In fact, in a study, it was shown that the healthcare security market alone is expected to reach USA $8.7 billion by 2023 [3].
If we checked the most recent trends, we would notice that the attack surface is widening every day for the IoMT environment. On one hand, more and more medical devices are being connected to networks. On the other hand, healthcare establishments are a target favored by cyber-hackers, who are very interested in information about personal health -the most sensitive data of high value. Cybercriminals particularly covet this type of data [4] because of their great value and variety (e.g., credit card number, social security number, mailing address, email address, type of disease, medications, blood group type, things that are harmful to the patient, etc.).
In this study, we explored the area of IoMT and mainly focused on security and privacy issues. Some notable works have already been conducted in this domain. We examined and analyzed them and explored the use cases, vulnerabilities and countermeasures, solutions, and recent challenges, and then commented on the future direction of studies in this area. This study is a synthesis of what has been performed in the field of IoMT in the last few years, intended for relatively new researchers in this field, as well as for those who are interested in learning about recent advances and limitations of IoMT security issues and their solutions using new technologies. On the other hand, the comparison between different solutions based on new technologies provides a general overview of the future direction of security and privacy research in the IoMT field. This paper is structured in ten sections. In Section 2, we introduce the context and architecture of IoMT systems. Section 3 defines the important communication protocols in the IoMT. In Section 4, we present IoMT-related technologies. In Section 5, we describe the security requirements to ensure reliability and robustness against various attacks. Then, in Section 6, we discuss different attacks against the IoMT system and classify them according to the presented IoMT architecture. Section 7 defines the categories of devices in the IoMT system and provides a classification of these devices based on their usage. It also presents the potential attacks against these devices. In Section 8, we review the IoMT security model. The classification and comparison between the different security schemes are shown in Section 9, before the paper is concluded in Section 10.

Architecture of IoMT
Not all applications and technologies use the same IoMT architecture. This is important to know before studying various aspects of IoMT. Each technology has its own set of guidelines and often claims to be the best [5] (for a particular case). Existing IoMT systems [6] typically have three main layers as shown in Figure 1: perception, network, and application. These layers include all the stages through which data pass, from the collection of patient information via sensors and wearable devices to the storage, analysis, and visualization stage by the patient and medical staff.

Architecture of IoMT
Not all applications and technologies use the same IoMT architecture. This is important to know before studying various aspects of IoMT. Each technology has its own set of guidelines and often claims to be the best [5] (for a particular case). Existing IoMT systems [6] typically have three main layers as shown in Figure 1: perception, network, and application. These layers include all the stages through which data pass, from the collection of patient information via sensors and wearable devices to the storage, analysis, and visualization stage by the patient and medical staff. The perception layer is the foundational layer of the IoMT architecture. This layer ensures the precise sensing of the parameters related to health issues [7]. Different types of sensors, especially those that can be implanted or attached to the body, such as a pacemaker, smart watch, etc., could be used to read and collect data about the patient(s). The collected data are transmitted as raw values, i.e., without any processing, via different communication technologies to the network layer [8]. This second layer forwards the data to the processing units (i.e., cloud) through the IoT gateway [9]. Next, the cloud basically performs the analysis. If some changes are detected for the patient's health data, this would carry important meaning [10]. The changes are then transmitted to the application layer and presented through remote monitoring, such as in a smartphone or a dedicated Access Point (AP), to the physicians for emergency response (such as, quantity, prescription or change of dosage of different medications) and to the patient(s) or for any further actions. The setting that we are discussing requires maintaining the maximum level of reliability for communications among the devices, as there could be thousands of Internetconnected devices of various types and resources. It is quite impossible to strictly regulate the types, models, and vendors of the users' and hospitals' used medical devices. Hence, there could often be critical differences among the devices. Therefore, an adaptable layered design is required. Various approaches for IoMT architectures and layers have been presented in the literature, including those that depend on the three aforementioned layers (if we project the IoMT system onto the Open Systems Interconnection, OSI reference model). We show, in Table 2, the primary protocols used in IoMT systems at the levels of each layer.

Perception Layer
The IEEE 802.15.4 standard [14] is the basis for the protocols at the perception layer. This standard is responsible for specifying the physical (PHY) and media access control (MAC) layers for many types of devices with minimal complexity, cost, and battery consumption limitations. Several IoMT-related protocols, such as 6LowPAN, ZigBee, and ISA 100.11a [15], are compatible with the IEEE 802.15.4 standard. To gather clinical data from sensors, healthcare systems employ several perception-layer protocols such as the Radio Frequency Identification (RFID) protocol, Near Field Communication (NFC) protocol, Bluetooth/BLE (Bluetooth Low Energy), Z-Wave, and Ultra-Wideband (UWB) protocol [16].

Network Layer
The majority of protocols at this layer are based on the IEEE 802.15 standard [17]. The network layer is in charge of sending and receiving medical data. As a result, this layer acts as the foundation for the healthcare platform's architecture. Network security is a huge problem in healthcare [18], since these network devices and communication lines/channels transmit sensitive data. At this layer, the most popular protocols for IoMT are WiFi and ZigBee. Bluetooth is also utilized; however, it is used less frequently since it cannot reach large areas such as hospitals. Technologies such as LoRaWAN and 6LoWPAN (IPv6 over Low-power Wireless Personal Area Networks) related to Wireless Sensor Networks [19] can also be utilized in some cases. Conventional cellular communication technologies (such as 3G/4G/5G or GPRS-General Packet Radio Service) can be utilized for data transfer over a considerable range.

Application Layer
The application layer is dedicated towards managing the smart medical platform. This includes customized interfaces and role-based control panels for diagnostic decision making. After collecting information from other layers, the application layer can transform the information into a suitable form that can be processed by the end-devices and medical servers [20]. The most commonly used application layer protocols are medicaldata-encoding protocols such as HL7 (Health Level Seven) and XML (Extensible Markup Language) encode [21], CoAP (Constrained Application Protocol), MQTT (MQ Telemetry Transport), and HTTP (Hypertext Transfer Protocol) secured with Transport Layer Security (TLS) [22].

Protocol Range and Data Transmission Rate in IoMT
Based on the technical information presented in [23], here we will make a comparison between the different protocols used in the healthcare systems, based on the range and data transmission rate.
• Short-Range protocols: ZigBee provides a mesh network structure. When it comes to setting and planning device energy use, ZigBee is easier than 6LowPAN. ZigBee also outperforms alternative protocols such as Z-Wave in terms of device hopping and energy usage [23]. In contrast to ZigBee networks, 6LoWPAN networks appear to have lower latency and packet loss rates, which make them suitable for medical services. When comparing 6LowPAN implementations in medical contexts to BLE implementations, a relevant research work [24] reveals that 6LowPAN is more efficient when employing IP-based applications, albeit there are connection concerns when barriers are present. When it comes to network communication, 6LoWPAN devices interact directly with one another, whereas LoRaWAN data is sent through gateways and routers. On the other hand, Z-Wave has a longer optimal range than ZigBee and 6LowPAN due to its sub-1 GHz band-this communication band also allows Z-Wave to have less interference. The disadvantage is its lower data-transmission rates. • Long-Range protocols: For long-range protocols with low power consumption such as LoRaWAN and LTE-M (Long Term Evolution Machine Type Communication) networks, the main LPWAN (Low Power Wide Area Networks) technologies can also provide long-range connectivity of 10 km distances using subgigahertz (GHz) radio frequencies, even on a global scale as LTE-M networks provide a robust infrastructure and built-in security mechanism that can support most applications [25]. These technologies offer the manufacturers of connected objects to communicate data over long distances with low power consumption. Despite the need for specific hardware, LTE-M offers the best compromise between throughput and autonomy, which makes it ideal for multiple domains, including healthcare.

IoMT-Related Technologies
Wireless Sensor Networks (WSN) and Radio-Frequency IDentification (RFID) systems are two key IoMT technologies. In recent years, their integration with smart objects has offered new communication capabilities. Due to their benefits and use in IoT, we present them in brief in this section.

Wireless Sensor Networks (WSN)
A WSN consists of a set of self-powered sensor nodes with wireless computing and communication capabilities. The autonomous sensors often have limited energy resources and are capable of collecting, processing, analyzing, and disseminating information via radio waves (e.g., via ZigBee technology). A sensor node is usually composed of informationcapture interfaces, a microprocessor, a memory unit, a communication interface, and a battery as a power source ( Figure 2). These sensors can be attached to objects/persons or deployed in the environment according to the needs. There are several types of sensors depending on the phenomena monitored or the type of data such as temperature, humidity, position, or light sensors [12,23,32].

IoMT-Related Technologies
Wireless Sensor Networks (WSN) and Radio-Frequency IDentification (RFID) systems are two key IoMT technologies. In recent years, their integration with smart objects has offered new communication capabilities. Due to their benefits and use in IoT, we present them in brief in this section.

Wireless Sensor Networks (WSN)
A WSN consists of a set of self-powered sensor nodes with wireless computing and communication capabilities. The autonomous sensors often have limited energy resources and are capable of collecting, processing, analyzing, and disseminating information via radio waves (e.g., via ZigBee technology). A sensor node is usually composed of information-capture interfaces, a microprocessor, a memory unit, a communication interface, and a battery as a power source ( Figure 2). These sensors can be attached to objects/persons or deployed in the environment according to the needs. There are several types of sensors depending on the phenomena monitored or the type of data such as temperature, humidity, position, or light sensors [12,23,32]. In a medical environment, sensors have become indispensable today, including in smart homes because they can be used to measure physical parameters of the monitored person (i.e., a patient) such as heartbeat, blood pressure, body temperature, and brain signals. The information collected and sent back via the network to the cloud is then processed and analyzed by the system before being transferred by the cloud via the Internet to the various actors (doctor, emergency services, etc.). This type of network, therefore, In a medical environment, sensors have become indispensable today, including in smart homes because they can be used to measure physical parameters of the monitored person (i.e., a patient) such as heartbeat, blood pressure, body temperature, and brain signals. The information collected and sent back via the network to the cloud is then processed and analyzed by the system before being transferred by the cloud via the Internet to the various actors (doctor, emergency services, etc.). This type of network, therefore, allows health professionals to remotely monitor the patient on the basis of the information received.

RFID Technology
The RFID technology allows, via radio frequencies, the automatic remote identification of objects equipped with RFID tags. An RFID system is mainly composed of two entities, which communicate between them, the reader (also called interrogator) and the label (also called "tag"). In its passive version, the reader will interrogate the tag via radio waves and the tag will then use the electromagnetic energy carried by the received signal to power itself and, at the end of the processing, to send its data in response to the reader [26,33,34].
RFID remains a promising technology for the implementation of smart health systems. Moreover, in addition to being a founding technology of the IoMT, it is an effective way to uniquely identify and manage objects. The use of RFID technology in the healthcare sector allows healthcare providers to facilitate decision-making and the accomplishment of tasks that are usually difficult in a complex clinical environment.

IoMT Security Requirements
We have already noted that security is of paramount importance for medical devices that are supposed to be used for wireless communications and remote communications for the healthcare or e-healthcare services. If there is any weakness or point of information leakage from the IoMT devices due to poor methods of authentication and access control, the entire setting can be seriously harmed both by incoming and outgoing data [35]. It is a fact that most of the IoMT devices do not have sufficient capability to detect and prevent attacks on their own. Hence, security measures must be implemented/deployed at strategic points of the entire network or system. Otherwise, the attackers who use sophisticated and often novel methods can easily evade security measures and gain unauthorized access to patient data [2]. Here, we present the security requirements for IoMT healthcare network infrastructures. We know the type of data that we would need what kind of protection is well defined within the CIANA (Confidentiality, Integrity, Availability, Non-Repudiation, and Authentication) considerations [9,36,37]. We discuss the requirements in light of CIANA and other aspects as described below.
• Confidentiality: In the context of the IoMT, confidentiality is about protecting the medical information that the patient shares with the personal physician or medical staff [19,38]. Such data must be protected from intrusion, eavesdropping, or from rogue entities that may harm the patient or use the medical information against him. While the standards give some general guidelines, the presence of network access control and data encryption is essential for guaranteeing the property of confidentiality for IoMT [9]. • Privacy: It ensures that patients' private data are protected against disclosure and attempts to exploit them illegally [15]. Currently, there are certain enacted rules in many countries for the collection and storage of patient's health data for privacy regulations. For instance, General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA) [2,39]. The IoMT system enforces these privacy regulations and allows users to access their private data. • Integrity: Data integrity is a necessity for IoMT healthcare systems. It protects patient data from being altered or deleted by unauthorized parties; this primarily ensures that the data arrives at its intended destination without being altered during wireless transmission [40] and also remains unaltered via any unauthorized means when at rest. Healthcare organizations are more conscious of the necessity of data integrity than ever before. As data represent diagnoses, treatments, and health statuses, data integrity is critical in healthcare [38]. In this context, this property can also be defined as the capacity to identify unlawful data tampering or distortion that causes permanent damage [41]. To prevent hostile attempts from modifying sent data, proper data integrity safeguards must be included. • Availability: Availability is the ability of servers and medical equipment to make services and data available to users when they need it [42]. It is an important component in healthcare systems, especially when a patient's health must be monitored on a continual basis. As a result, in order to assure availability, the system must be updated to offer suspect data storage or transmission channels in the event of DoS/DDoS (Denial-of-Service/Distributed Denial-of-Service) assaults, as well as to strengthen its permanence and capacity to promptly resolve any issues [41]. • Non-Repudiation: This is the ability to hold any authorized user responsible for his activities. Simply expressed, non-repudiation guarantees that no system activity may be rejected [9]. This criterion prevents authorized users from canceling earlier system commitments or activities [38]. This metric measures the system's capacity to confirm the existence or absence of an action. To simplify even further, an entity cannot deny completing a task after completing it and must take responsibility for any action or its consequence. The easiest approach to achieving this criterion is to use digital signature techniques [9]. • Authentication: When a user logs into the system, the user's identity should be verified. Message authentication, on the other hand, is the act of confirming that a user is the original source of the provided data from a previous time. Mutual authentication is the most secure type of security; before transferring secure keys or data, the client and server must first authenticate each other. Lightweight authentication algorithms are becoming increasingly common as a result of a shortage of memory capacity in certain IoMT devices or a lack of CPU (Central Processing Unit) strength to conduct the cryptographic operations required by classic authentication protocols [14].
• Authorization: As mentioned before, medical data must be protected from unauthorized access due to the sensitivity of such data [43]. Hence, in our context, only trusted parties (with the required skill or expertise) should be given permission to complete certain actions, such as giving commands to medical IoMT devices or updating the software or installing security patches on medical IoMT devices. • Anonymity: When unauthorized users engage with the system, this requirement guarantees that the identity of the patient or physician stays concealed, i.e., both the patient and the physician should remain anonymous. When a patient and a physician are communicating, their identities should not be revealed [35]. Passive attacks are only able to observe what a person does, not who a person is.

Classification of Attacks in IoMT
IoMT applications rely on a wide range of technologies with different types of embedded features, each of which has its own set of security vulnerabilities [31]. Hence, many widely used IoT protocols now lack fundamental security procedures. There are various types of attacks that not only compromise the patient's privacy, but can also cause irreparable financial and reputational damage [41]. As a recorded case, in October 2016, an IoT botnet conducted a DDoS attack on a DNS (Domain Name System) service provider. Mirai was the malware employed by the botnet. Large parts of the Internet, including Twitter, the Guardian, Netflix, Reddit, and CNN, were shut down as a result of the latter [44]. According to a recent Comparitech report, these attacks have cost the healthcare industry more than $160 million since 2016 [44,45]. It was also alleged that attacks on brain implants result in death [45]. The number of ransomware attacks against healthcare organizations increased by 94 percent between 2021 and 2022 according to a report from cybersecurity firm Sophos. More than two-thirds of U.S. healthcare organizations reported experiencing a ransomware attack in 2021; according to the study, this was up from 34 percent in 2020 [46]. Table 3 displays the attacks classified according to the IoMT's targeted layer and their influence on the system's security requirements. As a result of the heightened danger of a cyber-attack on the IoMT system, the creation and development of robust security solutions has become necessary. Table 3. IoMT potential attacks for each layer and their influence on the system's security requirements.

Type Layer Attack Brief Description Effects References
Perception

Side-channel attack
The information is obtained from the side channels of the encryption device.

Tampering devices
The IoMT device is physically accessed to modify the data (modification in a device using RFID or communication link).

Tag cloning
An attacker might exploit data obtained through a successful side-channel attack or replicate data from a previously used tag. The cloned tag, for example, might be used to gain access to an unlawful facility or data, such as medical data (Using simple technologies, attackers may clone RFIDs).

Rogue access
A fake gateway is placed inside the wireless network range in this attack to give genuine users access and intercept traffic. [55]

DoS/DDoS
Unlike DoS attacks, which are carried out by a single node, a DDoS attack is carried out by several sources, flooding a specified target with messages or connection requests with the purpose of rendering the service inaccessible to legitimate users.
Availability [56,57] Sinkhole A malicious node attracts traffic in this attack by offering a better connection quality. Once the attack is successful, other attacks (such as eavesdropping or selective forwarding) can be launched, in which the malicious node isolates specific nodes by discarding packets that pass through them. [35]

Sniffing
Data transferred between two nodes is passively intercepted by sniffing attacks. Due to the fact that the attacker can observe the data passed between the system's layers.

Selective Forwarding
A malicious node may simply change, drop, or selectively forward some messages to other nodes in the network. As a result, the information received by the destination is incomplete.

Brute Force
The attackers usually use automated tools to create multiple password combinations until they succeed. The dictionary attack is an example of a serious vulnerability for IoMT devices.

SQL injection
An SQL injection attack involves introducing a faulty SQL statement into the application's backend database. A successful SQL injection attack can compromise or change sensitive patient data.

Account hijacking
At the network level, many IoT devices communicate in transparent text or with insecure encryption. Intercepting the packet when an end user is authenticating allows an attacker to undertake account hijacking.
Confidentiality, Integrity [43] Ransomware Ransomware encrypts important information and demands a large fee to unlock it. In return for money, attackers can encrypt sensitive data such as health information and keep the decryption key.

IoMT Devices and Potential Attacks
IoMT systems can be useful for a wide range of medical conditions. In the IoMT, smart medical devices are classified into four categories based on where they are used on the human body [63].
• Implantable Medical Devices (IMDs): These are devices that are implanted to replace or sustain a biological structure that is absent or damaged. Furthermore, an IMD can be utilized to improve a biological structure that already exists. The primary function of such implanted devices is to monitor and transmit signals from the patient's body to other medical systems [63]. They are primarily composed of small wireless modules and health sensors that capture information such as temperature, mobility, blood glucose, and blood pressure. The pacemaker, for example, can be particularly beneficial for managing aberrant cardiac rhythms [64], and infusion pumps, such as enteral, PCA, and insulin infusion pumps, can be utilized in a range of therapies [32,65]. Infusion pumps have been linked to a number of patient-safety issues. As a result, authentication procedures need to be developed [66]. Although a wireless connection may enhance the security risks associated with these electronic devices, it is nevertheless the most preferred communication method for their installation [11]. • Internet of Wearable Devices (IoWDs): These devices are worn by people to track their biometrics, which may help them improve their overall health. This category includes a variety of IoMT systems. Examples could include EEG (electroencephalography) and ECG (electrocardiography) [67,68]. As we know, EEG can be used to monitor and record brain activities while an ECG can monitor the condition of the heart's rhythm and electrical activity. Other examples could include, for instance, smart watches that are quite popular nowadays for monitoring biometrics such as heart rate and movement; fitness trackers; activity, accelerating, and respiratory rate sensors [32,69]; and so on. However, due to battery-life limitations and sensor accuracy, these devices are unlikely to be used to replace IMDs in critical situations [12]. • Ambient Devices: Although ambient devices are not used for patient treatment and monitoring, they sense the patient's environment to monitor patterns of activity and manage environmental conditions near the patient. They include [70] patient identification devices, motion detection devices, monitoring devices, implantable device chargers, and alarm devices. • Stationary Devices: Devices that are not generally carried by the patient are classified as stationary devices. Although such devices were previously unconnected, they may now be managed remotely to enable telemedicine treatments [71]. Examples of stationary devices include imaging devices (such as, magnetic resonance imaging (MRI), computerized tomography (CT) scanners, and X-rays) and surgical devices [72].
Low-power wireless network technologies (such as Bluetooth or Bluetooth/BLE, NFC, Zigbee, Z-Wave, and RFID) are commonly used to communicate between the body network and the personal server. Bluetooth is mostly used in wearable devices, while RFID and NFC use a short-range, low-power communication topology. Therefore, they are frequently used in implanted devices [73,74]. On the other hand, long-range wireless technologies such as Wi-Fi, LoRa, and GSM are used by the IoMT system to provide the connection between the personal server gateway and the medical server. Different network attacks can compromise IoMT devices. This is due to a lack of standards and security controls in device production, as well as the nature of the devices and the IoMT network. Memory space, energy, and low power limits preclude them from supporting the calculation of typical cryptographic security methods. Furthermore, as the IoMT network is heterogeneous and uses multiple protocols at each layer, a single security solution will not work for all devices. Table 4 shows the device categories, their locations, examples for each category, and potential attacks. In the table, we have used ' ' (tick) and 'N/A' to mean whether an attack is possible to be launched or not.

IoMT Security Model
During the last decade, several researchers have concentrated on IoMT security challenges and solutions. Two of the key technologies considered for such an environment are Blockchain and Artificial Intelligence (AI). The objective was mainly to ensure secure transactions and data processing at the cloud layer [75]. As these two technologies showed promise to secure the financial sector, a similar level concern has been considered for IoMT. Blockchain technology is employed in IoMT systems as a security-management solution for sharing information between patients and other parties, such as doctors. Intrusions or unusual activity in patient data and network traffic can be detected by AI systems. This section of the paper examines the critical aspects of some of the most recent research works on IoMT systems. The selection of studies reviewed is based on the most current, relevant studies that best meet the security and privacy criteria of the IoMT system, as well as the different ways various technologies are used to meet them.

Blockchain Models
Pournaghi et al. [76] proposed a secure scheme which they named as "MedSBA". It includes the application of attribute-based encryption methods combined with blockchain technology for sharing and storing medical data among patients, hospitals, and other stakeholders. This scheme applies two types of attribute-based encryptions, KP-ABE (Key-Policy Attribute-Based Encryption) and CP-ABE (Ciphertext-Policy Attribute-Based Encryption), to control patients' access to their own medical data. It also includes two PBFT (Practical Byzantine Fault Tolerance) consensus-based private blockchains in two forms: permissionless and permissioned. The former is used to distribute public medical information and the structure for the authorized access to medical data, and the latter is to set the information of key and storage places on the cloud-storing systems. The system's functionality was proven using BAN (Burrows-Abadi-Needham) logic, while the security was proven using formal design. Simulating MedSBAs with OPNET software demonstrates the system's efficiency in terms of computing complexity and storage. However, the system did not facilitate the exchange of cryptocurrency for data sharing between data-consumer organizations and individuals.
Garg et al. [77] designed an authentication key agreement scheme termed as "BAKMP-IoMT", based on blockchain for the IoMT environment. It provides secure key management for cloud servers, personal servers, and medical implantable devices. Furthermore, the system enables secure access to critical healthcare data and guarantees that only authorized individuals have access to it. Legitimate people can also securely access healthcare data via cloud servers. This is accomplished by keeping all sensitive healthcare information in a blockchain that is managed by cloud servers. To demonstrate the system's ability to withstand many types of hypothetical attacks, a comprehensive formal security study has been performed using a widely recognized automated tool, AVISPA (automated validation of Internet security protocols and applications), as well as formal and informal security analyses. BAKMP-IoMT is compared with other existing schemes, and it also performs better in terms of security and functionality, lower communication and communication costs for authentication, and key management phases compared to other schemes. In addition, the simulation of BAKMP-IoMT is performed to demonstrate its impact on performance parameters.
Tahir et al. [78] proposed a lightweight framework for authentication and permission to complement current blockchain-based IoT networks in the healthcare sector. The authentication method, which is bound by conditional joint probability, employs random numbers. This enables the system to create a secure link between IoT devices for data collection. Extensive simulations with the AVISPA tool and the Cooja simulator are used to assess and evaluate the suggested model. The technology improves access control while also providing excellent mutual authentication. When weighed against each other, it also minimizes transmission costs and computing overheads, as seen in the testing findings. The suggested framework, on the other hand, is not assessed on hardware in a realistic context, making it less efficient (or its practicality is still questionable).
Xu et al. [79] proposed a blockchain-based privacy-preservation scheme (Healthchain) for large-scale health data. This scheme encrypts health data using fine-grained access control. In particular, the user transaction is used for key management that can allow users to add or revoke authorized physicians. In addition, it introduces two blockchains to avoid medical disputes, such as physician diagnoses. The IoT data cannot be modified or deleted once stored in the blockchain. The results of the experiment and security assessment confirmed that the system can meet the expected security requirements and can be applied to mobile health systems. However, insider attacks are neglected by the system.

Authentication Model
Deebak and Al-Turjman [80] presented the smart service authentication (SSA) framework to cross-examine the communication entities' common secret session key and improve mutual authenticity. It provides an authentic signature for conducting encrypted transfers between communication nodes and ensuring enhanced data security between the patients and physicians. Formal and informal verifications were used to investigate the security attributes. The suggested SSA framework has been implemented utilizing a Field Programmable Gate Array (FPGA) and Moteiv TMote Sky-Mote to demonstrate the system's security and performance efficiency. The importance of the SSA framework model's ability to withstand security threats such as health-report forgery, health-report reveal, serverspoofing, and so on is demonstrated by formal and informal security analysis. As a result, it is shown to be a good fit for the telecare medical information system (TMIS).
Lone et al. [13] proposed a secure communication scheme for medical applications utilizing Attribute-Based Encryption (ABE) for authentication in a Heterogeneous Network (HetNet) at the network layer. Health-related information is protected using ABE. This not only reduces transmission costs, but also protects health data from intruders [21]. It incorporates a third-party server that assists in the authentication and storage of patient data. A high-level protocol-specification language (HLPSL) is used to implement the complete security method. The AVISPA automated tool is used to validate the system codes. However, in this scenario, the users communicate through a third-party trusted authority. If this third party is hacked, all the data become subject to hostile attacks.
Yanambaka et al. [81] proposed a lightweight and robust authentication scheme based on the physical unclonable function (PUF) for IoMT. This technique does not save any data from IoMT devices in server memory. In this mechanism, the devices are completely authenticated within 1.2 to 1.5 s. A hybridized oscillator arbiter PUF is used to accomplish system validation. Based on the PUF used during system validation, the number of keys used for authentication was around 240. As the technique is lightweight, it may be used in a variety of designs to enable scalability and resilience. However, the system failed to verify that the client could authenticate the server's communications.
Xin et al. [82] proposed a multimodal biometric identification approach for IoMT. The system's effective matching technique was based on the Fishers vector's secondary calculation (FV). In addition, the system made use of three biometric techniques: finger vein, fingerprint, and face. These methods are combined at the feature level. Again, the system used a bogus feature in the feature fusion process, which often occurs in the real world. The liveness detection is added to the system, which uses DCT (Discrete Cosine Transform) to determine whether the image is genuine or false, and then removes the fake image to improve the system's robustness. The developed framework shows a relatively higher recognition rate. When compared to unimodal biometric systems, which are particularly important for an IoMT platform, it provides superior security. However, the system's accuracy ratings still remain low.

Privacy Model
Cano and Cañavate-Sanchez [83] proposed a novel method to include a dual signature in the elliptic curve digital-signature algorithm (ECDSA) for IoMT systems. Using edgecomputing servers, this system preserves the confidentiality of data transmitted from the IoMT to the cloud. In particular, the captured health data is hidden by the edge device, and the identity of the IoMT devices, namely wearable or smart devices, remains anonymous to the cloud. Since this solution is based on the elliptic-curve cryptography (ECC) approach, its implementation on IoMT devices was feasible and affordable. This technique confirms that, while the anonymity of the data source is ensured from the cloud perspective, the integrity and authentication of the origin of the collected data is also ensured. In addition, the computational requirements and complexity are minimized.
Gull et al. [84] proposed a reversible dual-frame data-hiding technique with high capacity for IoMT-based networks. Initially, the Huffman coding scheme was used to preprocess the captured secret data. A codebook of "d" bits is generated after the Huffman coding to encode the indices which are decimal values. For double steno-image acquisition, the value of the indices is divided into two parts and embedded in two images similar to each other. Although the scheme showed a very high payload, it maintained the perceptual quality at a high level. The scheme provides an average improvement in embeddability of 33.2%, with a signal-to-noise ratio (SNR) improvement of 1.32%. The average structural similarity index (SSIM) value is 0.8873. A significant improvement was offered by the system and was also computationally efficient, which allowed it to be used in the IoMT network. However, there was no effective strategy to control the underflow and overflow problems.
Huang et al. [85] proposed a practical system that reliably authenticates patients with noisy ECG signals and simultaneously provides differential privacy. With respect to the current motion status, the system can identify the motions and adapt the algorithm. By ensuring indistinguishability, the privacy of ECG patterns has been protected. This system preserves the speed of authentication by implementing lightweight online algorithms. On the other hand, it effectively disaggregates noise from ECG signals to ensure reliable authentication. It ensures indistinguishability via differential privacy to prevent adversaries from deducing patients' ECG information. This system also improves accuracy by applying soft thresholding while maintaining the claimed privacy guarantee. Online datasets were used to evaluate and validate the effectiveness of the system. In addition, a pilot study on human volunteers was conducted to validate the system. However, the system was not scalable enough for the attack.
Wang et al. [86] investigated an efficient blind-batch encryption scheme based on the Computational Diffie-Hellman hypothesis, which has been shown to be secure. For secure and privacy-preserving medical services in Smart Connected Health (SCH), the scheme used a protocol. With six classical attacks, the system analyzed the protocol and ran the prototype on the Intel Edison platform. Experiments revealed that the system was effective for "cheap" communication protocols and resource-constrained devices. For storage-limited devices, the system could require a high cost.
In a recent work, Ahamad and Pathan [2] consider the confidentiality issue for message exchange in the IoMT environment and propose SPMHF (Security and Privacy-aware Mobile Healthcare Framework). Alongside confidentiality/privacy, the mechanism ensures the integrity of the message, offers the strategy of audit control and ensures patient authentication, access control, data availability, transparency, and freshness of health data. To add more to these, the framework requires taking the patient's consent for allowing information exchange. In this work, the HIPAA standard is strictly maintained, and the authors show that several known attacks could be thwarted in that kind of environment.

Machine Learning Model
In order to predict the different patterns of attacks in deep brain stimulation (DBS), Abdaoui et al. [87] built a full prototype of an embedded system to lessen the attacks on these devices. This system does not only distinguish real alarms from fake ones, but it also classifies the different attacks using deep learning and Raspberry Pi3. Deep learning has been proved to indicate an accuracy of 97% in learning and predicting false signals. The feasibility of real-time attack-detection can be clearly demonstrated when this system is deployed on a cloud.
Ben Amor et al. [88] proposed an anomaly in terms of data detection and a separation approach designed for smartphone healthcare, called AUDIT. A pre-processing phase and a real-time processing step were used in the study. Using PCA (Principal Component Analysis) and correlation coefficient, the feature was selected and extracted. This allows the system to detect erroneous physiological measurements and to distinguish between real and false medical features.
Priya et al. [89] classified networked assaults using a hybrid PCA-GWO (Principal Component Analysis-Grey Wolf Optimization) technique for selecting features and a deep neural network (DNN) classifier. The proposed solution is suitable for IoMT devices with a single IP address. The input data was preprocessed using the One-Hop coding strategy. The two algorithms were then applied successively for data reduction, followed by prediction using well-known classifiers. The proposed model outperformed and outclassed other current learning algorithms, with a 15% gain in detection accuracy and a 32% reduction in training and classification time.
As a system to detect possible intrusions, Manimurugan et al. [90] proposed a Deep Belief Network (DBN) algorithm model. In that study, the metrics they used were F1 score, precision, recall, and detection rate, as well as accuracy. In comparison to other techniques, the proposed model obtained positive results for all variables. This model is claimed to have the possibility of being extended to detect different attack patterns against both various databases and IoT devices. For the normal class, the proposed method obtained 99.37% accuracy; for the Botnet class, it reached 97.93%; for the Dos/DDoS class, the percentage was 96.67%; as for the Port scan class, it was 97.71%; 97.71% for the Brute Force class, 96.37% for the Infiltration class; and finally, the method was able to obtain 98.37% for the Web attack.
To obtain features from the ECG signal, and thus reduce the computational cost, Barros et al. [91] used only the fiducial points detected during signal capture. For classification, a number of machine-learning approaches were applied. The results of the evaluation reveal that the suggested solution is efficient because of its accuracy of more than 98.2% in the continuous authentication and identification scenario and reduced complexity using less than 10 features. This appears to be a viable approach for improving the security of many critical services and applications.

Classification and Comparison
Throughout this study, a systematic review of literature was conducted on the privacy and security issues of IoMT as well as the different ways that various technologies are used to address them. By analyzing the results of the study, including the technologies and tools used, the benefits, evaluations and limitations of each proposed solution, Table 5 provides a classification and comparison between the security schemes discussed in the security model. This comparison provides a general overview of the future direction of privacy and security research in the field of IoMT. From this review, we can conclude that numerous schemes are published to secure IoMT devices. Most of these studies concentrated on securing the network layer of the device or the body since intrusions into devices such as IMDs can have a serious effect on the patient's health and life. Some suggested solutions to secure these devices are device authentication, sensor anomaly detection, and access control. In addition, studies which used attack and malware detection strategies observed and studied how to secure the network layer. The findings also show that the blockchain, the ECC algorithm, and light-weight authentication are the best for security in comparison to traditional algorithms. We concluded that traditional ML techniques may not be efficient enough when given metrics are not considered (such as time complexity, energy consumption, and resource complexity) [90]. We have also noticed that most studies ignore these criteria and do not take them into consideration when evaluating their proposed models. Therefore, how to use ML in an appropriate way to fit the nature of IoMT had better be the focus of future studies in this domain. Nowadays, as IoMT devices often find the authentication process computationally intensive, the present research direction is headed to apply lightweight mechanisms with the use of physiological data from sensors to decrease the computational load on the device [91]. Table 5's comparison provides a general overview of the future direction of security and privacy research in IoMT.

Conclusions and Future Directions
The use of IoMT is a reality today. Many hospital systems are adopting it or in the process of adopting it. The majority of current research activities focuses on how medical and health-monitoring technologies can help reduce healthcare costs while improving patient health. This is also an objective of many developed hospitals and medical facilities. As a result, protecting this technology has become critical, as the IoMT is vulnerable to a variety of attacks due to its reliance on wireless communications. These attacks have the potential to compromise the system and breach patient's privacy, as well as compromise the confidentiality, integrity, and availability of medical services. The major security difficulties, challenges, and drawbacks of IoMT were reported and discussed in this paper. We have also discussed how to improve IoMT services by securing IoMT domains and their related assets using various and suitable security methods, as well as how to improve patient health and experience using various strategies. We also highlighted the importance of a good security strategy for the many wireless-communication protocols used by the IoMT system to keep it secure, private, reliable, and accurate.
In a nutshell, the objective of this paper is to review the current state of security and privacy in IoMT, which has become a major concern for many security experts and researchers due to its rapid demand in recent times. Nevertheless, with respect to the current state of security and privacy, we have also reviewed and discussed a number of attack use cases, countermeasures and solutions, recent challenges, and anticipated future directions that require further attention in this area. We concluded that current techniques may fail if certain parameters, such as resource complexity, time complexity, and energy consumption, are not considered. We found that a large majority of studies have ignored these criteria in evaluating their proposed models. However, future studies should focus on how to use these new technologies appropriately to make concessions for the nature of IoMT. More work is needed to be able to address global needs, especially in the security domain.

Conflicts of Interest:
The authors declare no conflict of interest.