This document reviews artificial intelligence techniques for internet of medical things (IoMT) security, specifically intrusion detection systems, attacks, datasets, and cloud-fog-edge architectures. It provides a taxonomy of intrusion detection schemes for IoMT and analyzes detection methods and datasets. It discusses cybersecurity threats to IoMT architecture and security requirements. It examines tasks in cloud-fog-edge architectures and classifies recent literature based on AI methods. Finally, it discusses challenges and perspectives requiring further investigation.


Internet of Things 23 (2023) 100887

Contents lists available at ScienceDirect

Internet of Things
journal homepage: www.elsevier.com/locate/iot

Review article

Artificial intelligence for IoMT security: A review of intrusion detection systems, attacks, datasets and Cloud–Fog–Edge architectures

Mireya Lucia Hernandez-Jaimes a, Alfonso Martinez-Cruz a,b,∗, Kelsey Alejandra Ramírez-Gutiérrez a,b, Claudia Feregrino-Uribe a
a Computer Sciences Department, Instituto Nacional de Astrofísica, Óptica y Electrónica (INAOE), Luis Enrique Erro No. 1, Sta. Ma. Tonantzintla, 72840, Puebla, Mexico
b Consejo Nacional de Humanidades, Ciencia y Tecnología (CONAHCYT), Av. Insurgentes Sur 1582, Col. Crédito Constructor, Alcaldía Benito Juárez, Ciudad de Mexico, 03940, Mexico

ARTICLE INFO

MSC: 0000, 1111

Keywords: Smart Healthcare; Intrusion Detection System; Security; Artificial Intelligence; Machine Learning; Deep Learning; Internet of Medical Things; Datasets

ABSTRACT

Recent advances in the Internet of Medical Things (IoMT) have impacted traditional medical treatment and have evolved data communications in the Smart Healthcare scenario. Unfortunately, this also has resulted in a fertile field for attackers. As a result, traditional intrusion detection models and new detection schemes for IoMT applications have been applied. Along with it, there has been a rising trend of employing different types of artificial intelligence algorithms to improve the detection performance of attacks in medical systems communications. This paper provides a novel taxonomy of intrusion detection schemes for IoMT, which includes a comparative analysis of intrusion detection methods and a unique classification of current datasets for insights into detection performance. Additionally, we discuss the cybersecurity threats regarding the IoMT architecture and the security requirements of IoMT. Moreover, an examination of the tasks carried out in Cloud–Fog–Edge architectures, and a classification of recent literature based on the AI methods, are presented. We also discuss the legal and ethical security aspects of IoMT. Finally, we provide the challenges and novel perspectives requiring further investigation.

1. Introduction

The number of connected devices has been constantly increasing due to the arrival of new paradigms like the Internet of Things
(IoT) and the evolution of communications systems. Different IoT applications and environments have impacted our daily activities.
Despite the challenges posed by the chip shortage and the COVID-19 pandemic, the IoT market managed to sustain its growth. Also,
organizations such as IoT Analytics have reported that global spending on enterprise IoT technologies (involving IoT security, IoT
hardware, IoT services, and IoT software) will increase, showing resilience despite economic problems.
On the other hand, according to the IEEE technologies predictions, remote healthcare and advanced wearables are among the
technologies that will have the most significant impact on humanity and success in their development this year [1].
An area derived from this paradigm is the Internet of Medical Things, also called Smart Healthcare, which has dramatically
impacted health treatments and new devices to improve health monitoring. There is no generic definition of Smart Healthcare.

∗ Corresponding author at: Computer Sciences Department, Instituto Nacional de Astrofísica, Óptica y Electrónica (INAOE), Luis Enrique Erro No. 1, Sta. Ma.
Tonantzintla, 72840, Puebla, Mexico.
E-mail address: [email protected] (A. Martinez-Cruz).

https://doi.org/10.1016/j.iot.2023.100887
Received 23 March 2023; Received in revised form 14 June 2023; Accepted 21 July 2023
Available online 1 August 2023
2542-6605/© 2023 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license
(http://creativecommons.org/licenses/by-nc-nd/4.0/).
M.L. Hernandez-Jaimes et al. Internet of Things 23 (2023) 100887

Fig. 1. Overview of Smart Healthcare.

Therefore, several alternative terms in the literature for IoMT are used, such as Smart Healthcare, Internet of Health Things (IoHT),
Medical Internet of Things (MIoT), IoT-Healthcare, and Healthcare 4.0. Consequently, various definitions in the literature are as
follows:

• “A subset of the Internet of Things, the Internet of Healthcare Things is the convergence and integration of sensor data collected by
medical devices and mobile technologies, as applied to healthcare. Devices linked to cloud platforms on which captured data is stored
and analyzed have become known as the Internet of Medical Things.” [2]

According to Caldwell et al. [3], Smart Healthcare can be classified into ecosystems based on the IoMT devices, as shown
in Fig. 1(a). The On-Body ecosystem includes wearables and implantable devices. In contrast, the In-Home ecosystem comprises
transportable medical devices and telemedicine. The In-Clinic ecosystem refers to ambulatory care, while the In-Hospital ecosystem
involves patients, caregivers, and various medical equipment such as defibrillators, surgical tables, and electrocardiogram machines.
In addition, there are four primary categories of medical devices/sensors: patient monitoring, implantable, environmental
monitoring, and In-Hospital connected devices, as depicted in Fig. 1(b) [4,5].
Finally, various healthcare applications have been distinguished by some researchers, as demonstrated in Fig. 1(c), including
patient and environment monitoring, therapeutics, medical diagnosis, and workflow, which involves patients’ surveillance, personal
assistant platforms, patient and personal identification, and other activities [6–8].
As shown in Fig. 2, IoMT has already been adopted by roughly 60% of healthcare organizations [9]. Meanwhile, integrating innovative
technologies, such as artificial pancreas and pacemakers, has resulted in over 300,000 interconnected medical devices [10]. As
a result, by 2025, it is projected that the medical device market in the US will reach a value of $208 billion [9]. In the same way, the
estimated cost of cybercrimes will grow to US $10.5 trillion by 2025 [11]. Unfortunately, in 2022, healthcare was the highest-cost
industry for twelve years running, and the average breach in healthcare reached US $10.10 million. Consequently, data breaches
in healthcare are costly compared to those in the financial, pharmaceutical, technology, and energy industries, among others [12]. Also, medical records and
personal healthcare data hold a higher value compared to credit cards and bank account numbers. Some malicious uses include
applying for credit cards or a loan, opening a new bank account, seeking medical treatment, and getting prescriptions [10,13].
Furthermore, the healthcare industry is at greater risk from present-day cybersecurity threats due to insufficient investment in
modern technology. The lack of current cybersecurity technology is highlighted by the fact that, despite anticipating cyberattacks
in the coming year, 83% of medical device manufacturers and 85% of healthcare organizations require further planning to mitigate
such attacks [10]. On the other hand, the Artificial Intelligence (AI) market will attain a value of USD 190.6 billion by 2025 [9].
Also, Cyber Artificial Intelligence (AI) can enable organizations to respond faster than attackers, anticipate malicious moves, and
react to them in advance [11]. As a result, fully deployed security AI and automation increased from 21% to 31% between 2020
and 2022 [12].


Fig. 2. Data reports of Internet of Medical Things.

1.1. Motivation

The Smart Healthcare industry is rapidly changing, with advanced technology for patient-focused services. Unfortunately, this
growing field also has created a favorable environment for attackers. As a result, different security strategies have been developed
to protect IoMT environments, including authentication, access control, key management, encryption, and intrusion detection.
However, this study focuses only on Intrusion Detection Systems (IDSs) and the integration of AI techniques into these systems.
The intrusion detection systems are designed to detect malicious activities occurring on host or network levels. Malicious activities
pose a significant threat to the security of Smart Healthcare, as they can result in data breaches, unauthorized access, health-based
data alterations, and life-threatening consequences for patients.
In recent times, researchers have directed their attention towards IDSs based on Artificial Intelligence, such as Machine Learning
(ML) and Deep Learning (DL) algorithms, because of their capacity to detect zero-day attacks, overcome security threats to
confidentiality, integrity, and availability, and recognize the dynamic changes in IoMT environments. Moreover,
IDSs based on AI algorithms have shown promising results in addressing the challenges associated with IoMT, including
resource constraints, heterogeneity, scalability, and latency. Therefore, a new IoMT security-related review is necessary to identify
the strategies for the development of intrusion detection in IoMT systems, trends related to AI-based methods, datasets available
for training and testing, new research problems, and possible future research directions in AI-based intrusion detection models for
IoMT.

2. Related work and contributions

There are many articles addressing different aspects of cybersecurity in IoMT environments. However, to the best of our
knowledge, only a few papers focus on IDSs based on AI techniques to secure Smart Healthcare organizations. This section provides
an overview of recent related notable works and presents a comparison with our survey. Table 1 highlights specific aspects of our
contributions described at the end of the related-work overview.
In work conducted by Yaacoub et al. [7], existing cryptographic and non-cryptographic solutions to overcome security and
privacy issues were discussed, emphasizing the need to design lightweight and hybrid cooperative IDSs to enhance the resilience of
IoMT networks against various cyberattacks. Additionally, the researchers classified each attack based on its impact, scope, nature,
security aspect threatened, and capacity. The authors also presented the main communication types used in IoMT and highlighted
the benefits provided by the IoMT industry.
Elhoseny et al. in [14] described the fundamentals of the MIoT architecture, classifying different device categories based on IoMT-
layer location. The study also discussed the security and privacy requirements of MIoT and classified different attacks based on the
IoMT-layer threatened. In addition, this study suggested countermeasures and solutions based on the reviewed literature, including
IDSs, data encryption, access control mechanisms, and data auditing.
Malamas et al. [5] conducted a study encompassing risk assessment and mitigation methodologies for IoMT. For the former, the
researchers structured a taxonomy based on three categories: impact assessment, vulnerability, and threat. They examined various
solutions, including IDSs, authentication algorithms, and data encryption. Additionally, they summarized some of the most common
security issues facing IoMT. They categorized them using the spoofing, tampering, repudiation, information disclosure, denial of
service, and elevation of privilege (STRIDE) model. They also identified the target IoMT-based layers of each cyberattack. Finally,
regarding the mitigation methodologies, the researchers provided a list of security controls against cyberattacks.
In the study conducted by Rbah et al. [15], ML-based IDSs and DL-based IDSs for IoMT environments were discussed, providing
fundamental concepts of IDSs and a classification of the algorithms used in the IDSs based on the type of ML or DL techniques
implemented. Moreover, they provided some characteristics of each reviewed solution, including accuracy measures, attacks
detected, dataset, and the employment of resources.


Table 1
Comparison of related reviews with our proposed study.
Study: [7] [14] [5] [15] [16] [17] Ours
Year: 2020 2021 2021 2022 2022 2022 –
Classification of AI algorithms used for anomaly detection: ✓ ✓
Classification of datasets for IDS evaluation: ✓
Classification of cyberattacks based on the target IoMT layer: ✓ ✓ ✓
Classification of attacks based on the threatened CIA security aspects: ✓ ✓ ✓ ✓
Analysis of pre-processing steps for improved anomaly detection: ✓
Discussion of IDS architectures based on Cloud–Fog–Edge computing: ✓

Si-Ahmed et al. in [16] reviewed studies that integrated ML into intrusion detection methods to secure various IoMT applications.
These methods aimed to detect malicious activity, fake glucose measurements, and abnormal insulin dosage in insulin pumps. The
review highlighted each proposed ML solution’s methods, advantages, limitations, and datasets. Additionally, this study described
the generic three-layer architecture of IoMT and identified the threats that affect the security requirements of IoMT systems at the
data collection, transmission, and storage levels. Finally, the study briefly discussed ML-based IDS and described the ML techniques
used in the reviewed literature.
The work of Rasool et al. [17] reviews the security issues in communication networks of connected medical devices. Additionally,
this study presents a comprehensive attack taxonomy based on several privacy and security requirements of the IoMT. The study
also describes the advantages and limitations of security protocols and countermeasures to mitigate threats against devices such
as wearable IoMT, implantable medical, and environmental IoMT. Moreover, this work highlights different security algorithms,
including ML, DL, blockchain, and authentication algorithms.
This paper takes a different approach from the works previously discussed in several ways. Firstly, it presents a novel taxonomy
of intrusion detection schemes, which includes a classification of the algorithms used for anomaly detection in IoMT based on the
type of artificial intelligence algorithms, including supervised and unsupervised ML/DL, ensemble learning, online learning, and
adaptive incremental algorithms. This approach distinguishes this paper from previous works that only classified algorithms into
ML and DL methods.
Secondly, this paper categorizes datasets based on the nature of network communications and data generation used to evaluate
the anomaly detection methods proposed in the literature, providing additional insights into the detection performance and detected
cyberattacks in IoMT environments.
Third, this paper is the first to classify and relate cyberattacks based on the target IoMT layer and the threatened CIA
security aspects. This approach distinguishes this paper from previous works that may have employed different criteria for attack
classification.
Fourth, this paper analyzes the steps of data cleaning and feature selection techniques to enhance the input data for modeling AI
algorithms integrated into IoMT-based intrusion detection systems. These pre-processing steps are essential to ensure the efficiency
of the detection techniques.
Finally, this paper contributes to the field by discussing the integration of cloud–fog–edge paradigms into intrusion detection
systems. It highlights the importance of considering these paradigms to carry out different tasks for developing effective intrusion
detection systems and solving problems related to resource constraints, latency, and scalability, among others, in IoMT environments.

2.1. Contributions of this review

For researchers interested in exploring the field of IoMT security, our study provides a comprehensive review of intrusion
detection systems using artificial intelligence-based methods. In particular, our review offers the following contributions:

• We provide a new taxonomy of intrusion detection models for IoMT, covering the IDSs based on the response strategy, data
source, architecture, and AI algorithms. This taxonomy also delves into the datasets used in the development of IDSs for IoMT.
• We identify and classify the cybersecurity threats to IoMT, highlighting the threatened security aspect, the target IoMT layer,
and the impact on both IoMT environments and IDS performance.
• We provide insights into IDS architectures based on Cloud–Fog–Edge computing for anomaly detection in IoMT.
• We discuss and classify methods based on AI algorithms, such as Machine Learning, Deep Learning, Online Learning, and
Adaptive Incremental Classifiers.
• We examine feature selection techniques, such as bio-inspired algorithms and meta-heuristics used in the development of the
intrusion detection methods.
• We discuss the nature of datasets used to evaluate the effectiveness of the detection methods in IoMT.


Fig. 3. The frequency of selected articles published by different types of publishers from 2019 to 2022.

2.2. Organization of this review

The rest of this study is structured as follows. Section 3 presents the research strategy followed to accomplish this study. Section 4
introduces the IoMT architecture, security requirements, security threats, and emerging technologies for IoMT security. Section 5
describes a novel taxonomy of intrusion detection schemes based on different characteristics. Section 6 discusses different types of
attacks considered in the datasets for training and testing AI algorithms integrated into the anomaly detection systems. Section 7
introduces the concept, characteristics, and functionality of Intrusion Detection Systems for IoMT. In Section 8, we discuss the type
of Intrusion Detection Systems based on their response strategy. In Section 9, we focus on the different methods based on the
data source of intrusion in IoMT environments. Section 10 discusses the different IDS architectures for anomaly detection in IoMT
based on Cloud–Fog–Edge paradigms. The detection models based on AI for IDS development are discussed in Section 11. Section 12
analyzes, describes, and classifies the nature of the generated data to construct the dataset for IDS evaluation. In Section 13, the legal
and ethical concerns of IoMT are provided. Sections 14 and 15 present the challenges, future research directions, and conclusions,
respectively.

3. Methodology

This review followed a structured research methodology involving a comprehensive database search, including IEEE Xplore,
Springer, Elsevier, MDPI, and ScienceDirect. The search strategy included using several keywords, such as ‘intrusion detection’,
‘anomaly detection’, ‘attack detection’, ‘artificial intelligence’, ‘machine learning’, ‘deep learning’, ‘smart healthcare’, ‘Internet of
Medical things’, ‘IoMT’, ‘Internet of Health Things’, ‘IoHT’, ‘Medical Internet of Things’, and ‘MIoT’. We selected 40 publications [18–57]
from 2019 to 2022 that met the inclusion criteria. In addition, the inclusion criteria incorporated relevant articles published in
the past four years that focused on intrusion detection systems using methods based on artificial intelligence algorithms for IoMT
environments. Surveys, books, and reports were included for broader coverage. Finally, in Fig. 3, we illustrate the publishers
of the selected papers, indicating that IEEE and Elsevier are responsible for 70 percent of the total publications.

4. IoMT security

In Smart Healthcare ecosystems, securing IoMT communications is crucial due to the sensitive data exchanged and the potential
risks associated with interconnected IoMT-based devices [32]. A secure IoMT network enhances response and decision-making,
prevents unauthorized data tampering, safeguards medical devices and patient safety, ensures critical medical services’ availability
and functionality, and avoids legal repercussions associated with non-compliance [16,18,22,32].
In order to comprehend the general and specific principles of the Internet of Medical Things, this section provides a brief overview
of the overall IoMT architecture, security requirements, security threats, and emerging technologies in the field.


Fig. 4. IoMT architecture.

4.0.1. IoMT architecture


As this work aims to review the security attacks targeting the IoMT environments, it is essential to have an understanding of
its architecture. As proposed in the literature [14,16,33,51,58], we specified a four-layer architecture suitable for IoMT. As shown
in Fig. 4, the IoMT architecture consists of perception, network, transport, and application layers. The perception layer consists of
medical devices, such as scanners, monitors, wearables, and sensors for measuring glucose levels, oxygen levels, and temperature,
among others. These devices play a crucial role in gathering vital medical information. Moreover, they serve as the interface
connecting users to the virtual world of healthcare. The network layer consists of wireless, wired, and middleware systems, which
allow communication between medical devices, representing how all IoMT environment elements are connected to the network.
Next, the transport layer facilitates end-to-end communication to transfer the collected physiological data to medical servers for
processing, storage, and data analysis. Finally, the application layer provides an interface between the transport layer and patients,
enabling patient control, hospital monitoring, and medical treatments.
IoMT architecture can transmit a high volume of data and enables remote monitoring of different health parameters of patients.
New network technologies such as Wi-Fi, 5G, LPWA, NB-IoT, and LTE are now used to transmit data generated by the different
devices in IoMT ecosystems, requiring new security schemes to ensure CIA aspects.

4.1. Security requirements of IoMT

According to several studies [5,14,16–18,33,35,58], the principal security requirements of IoMT include confidentiality, integrity
and availability, namely the CIA triad, which are described as follows:

• Confidentiality protects the patient’s health status, treatment details, and personal information from unauthorized
users during the storage or transmission of IoMT-based data.
• Integrity guarantees that medical information is not corrupted or deleted during the storage or transmission of IoMT-based data.
• Availability ensures the continuous operation of medical devices, services, and clinical records of patients. Additionally, it plays
a critical role in promptly responding to health emergencies.

4.2. Security threats to IoMT

With the rapid proliferation of the Internet of Medical Things industry, attackers are attracted to this network because of the resource-
constrained IoMT devices, IoMT data heterogeneity, and dynamic nature of the IoMT network. Consequently, IoMT network security
concerns about confidentiality, integrity, and availability (CIA) emerge, as sensitive medical data is directly related to the safety of
the users [21,22,26,28,41,43,45,46,53,54]. Unfortunately, IoMT devices lack security solutions, such as encryption, authorization,
and authentication measures, due to their computationally intensive and complex implementation [22,26,29,33,35]. However,
novel Intrusion Detection Systems based on AI have been proposed to solve zero-day vulnerabilities and maintain the security of
IoMT networks. Fig. 5 presents the most commonly mentioned types of IoMT attacks in the reviewed works, such as Denial of
Service (DoS) and Distributed Denial of Service (DDoS), Man in the Middle (MitM) and Ransomware. DoS and DDoS can impact
the availability of medical services and devices, resulting in the inability to respond to critical scenarios on time. MitM can affect
medical data integrity by altering packet information traveling across IoMT systems, leading to data breaches and alteration. Finally,
Ransomware can impact the CIA triad and cause catastrophic consequences for the health of the users by locking the functionalities of
advanced IoMT technology, such as pacemakers and infusion pumps [14]. This review is mainly concerned with cyber threats used
to model AI algorithms integrated into the intrusion detection systems to secure IoMT environments, as discussed in Section 6.

4.3. Emerging technologies in IoMT security

This subsection offers a brief overview of the emerging technologies employed in the anomaly detection systems for IoMT,
including Artificial Intelligence, Software Defined Networking (SDN), Network Function Virtualization (NFV), Cloud–Fog–Edge
computing, and 5G, LPWA, NB-IoT, and LTE technologies.


Fig. 5. Examples of security threats to IoMT.

4.3.1. AI technologies
AI algorithms have significantly impacted the general performance of Intrusion Detection methods by enhancing security and
preserving privacy, because of their capability to effectively adapt to dynamic network environments, handle large volumes of data,
and provide reliable outcomes [34,56,58].
Machine Learning and Deep Learning are means of providing solutions for anomaly detection systems. ML is a subfield
of AI that automatically seeks to learn meaningful patterns or relationships from observations. On the other hand, DL is a subdomain
of ML and is inspired by the functioning of the human brain to process and learn data with several levels of abstraction [16,39,46].

4.3.2. SDN and NFV technologies


With technologies such as Software Defined Networking (SDN) and Network Function Virtualization (NFV), Intrusion Detection
Systems can actively protect IoMT-based networks by detecting and mitigating malicious activities. SDN is a networking
architecture to manage heterogeneous IoMT infrastructure, making traditional network structures more precise, flexible, and
programmable. NFV enables the efficient allocation of network resources to virtual networks and ensures the exhibition of virtual
organization activities, minimizing latency and failure rates. Moreover, it allows for easier managing, adding, removing, or updating
functions for all or a subset of end-users [8,17,30].

4.3.3. Cloud–fog–edge technologies


Cloud computing is an internet-based computing infrastructure that offers extensive resources, ample storage space, and high-
performance servers. It can be used to integrate AI, Machine Learning, and Deep Learning algorithms into IoMT systems for predicting
security threats [58]. Fog computing is a distributed computing architecture with limited capabilities, such as storage and computing.
Its decentralized nature allows lower latency and more efficient data processing [8]. Edge computing brings the computation facilities
closer to IoMT devices, enabling data processing at the edge network. It is often used when minimal latency is required [32].

4.3.4. Networking technologies


Network connectivity is critical for the successful deployment and optimal utilization of IoMT applications. However, for several
reasons, traditional connectivity methods, such as CAT cabling, Wi-Fi, and public cellular networks, have ceased to be suitable
solutions in the IoMT industry. Cabling connectivity is expensive and irrelevant for mobile assets, such as ventilators and connected
devices used in ambulances. Wi-Fi connectivity needs to improve when it comes to supporting a high density of connected medical
devices, ensuring the quality of service, securing sensitive medical data, and meeting the demands of large outdoor sites and mobile
assets. Public cellular networks are susceptible to hacking and challenging to manage and scale globally [59,60]. Consequently, 5G,
3GPP Low-Power Wide-Area (LPWA), narrowband (NB)-IoT, and Long-Term Evolution (LTE) have been proposed to address IoMT
connectivity challenges.
5G will significantly contribute to expanding telemedicine applications, such as patient monitoring, virtual consultations,
and mobile medicine. It will achieve this by offering ultra-reliable, low-latency communications and massive machine-type
communications [61]. The primary vision behind 5G is to improve the user experience and to enable various machine-related use
cases. As a result, 3GPP LPWA technologies like NB-IoT and LTE were incorporated into the 5G family [62].
3GPP LPWA technologies are based on existing cellular standards, resulting in reliable and low latency connectivity. Moreover,
they offer low power consumption features, minimizing the need for frequent battery replacements or recharging medical devices.
LPWA cellular standards can handle the transmission of complex data from IoMT devices, whether conveying comprehensive patient
health indicators or transmitting medical images and videos [59]. Thus, NB-IoT and LTE can be widely applied in IoMT environments


Fig. 6. Taxonomy of intrusion detection models for the Internet of Medical Things.

as they allow minimal latency, provide extensive area coverage, minimize battery consumption, reduce the device cost, enable
a high volume of connected medical devices with good quality connectivity, and verify the proper functioning of these IoMT
devices [60,63].

5. Taxonomy

This section presents a novel taxonomy for research in intrusion detection systems based on artificial intelligence strategies for
IoMT environments. We consider six essential categories, namely attacks on IoMT, type of IDS based on the response strategy, type
of IDS based on the data source, type of IDS architecture for anomaly detection, Artificial Intelligence algorithms for IDS, and nature
of IDS datasets, as shown in Fig. 6.
The attacks on IoMT category identifies and classifies the attacks found in the literature. Examining the attacks used to train
AI algorithms integrated into IDS aims to enhance understanding of the real-world applicability of the proposed detection methods
based on AI for IoMT environments.
The type of IDS based on the response strategy category provides a comprehensive and general structure of the IDSs based on
AI for IoMT environments, as explored in the reviewed works. Moreover, we analyze the works based on the active or passive
strategy response taken upon detecting an intrusion. Additionally, this section offers insights into the principal research objectives,
contributing to understanding the research landscape.
The type of IDS based on the data source category discusses the implementation of IDSs based on the location of malicious
activity detection, encompassing network-based, host-based IDS, and hybrid IDS. This module explores how these types of IDSs are
designed to detect malicious behavior from various sources within a system or network, providing characteristics of the diverse
strategies employed to identify security threats in IoMT.
The type of IDS architecture for anomaly detection category focuses on utilizing Cloud–Fog–Edge computing for Intrusion
Detection in IoMT. By exploring the functionalities of each paradigm, we aim to provide insights into the development of secure
and reliable healthcare systems relying on these paradigms.
The Artificial Intelligence algorithms for IDS category presents the data pre-processing steps that prepare the input data for
effective anomaly detection, including data cleaning and feature selection techniques. By examining the integration of AI algorithms
into IDSs, this section presents a comprehensive classification of different methods based on their AI foundations. Furthermore, it
distinguishes between binary and multi-class classification approaches employed for anomaly detection in IoMT. This section also
offers a comprehensive overview of the reviewed works’ description, the dataset used, and detection performance.
The nature of IDS datasets category identifies and classifies the datasets employed in the literature based on the nature of the
generated data, focusing on their characteristics, such as environment, type of attacks considered, and type of devices, among others.

6. Attacks on IoMT

This subsection classifies the cyberattacks found in the reviewed literature as Denial of Service (DoS) attacks, Distributed Denial
of Service (DDoS) attacks, Man in the Middle (MitM) attacks, Ransomware attacks, Information Gathering attacks, Password attacks,
Malware attacks, Injection attacks, and Other-type attacks, highlighting the security aspect threatened and the target IoMT layer.
Fig. 7 shows the attacks impacting different CIA security aspects at different levels of IoMT architecture.

Fig. 7. Main attacks targeting different levels of IoMT architecture.

6.1. DoS attacks

DoS attacks aim to interrupt services, over-saturate the capacity of a machine, exhaust servers, or render a device unavailable,
and they are the most common threat to the availability of IoMT data and health services [50,53]. In IoMT environments, this security threat
disrupts critical patient devices, such as ventilators and oxygen supply [44]. In Table 2, we present the DoS attacks targeting the application
layer protocols MQTT and COAP, called MQTT Packet Crafting and COAP Replay-SlowITE, respectively; DoS attacks targeting the application
layer HTTP simulated by tools, such as GoldenEye, Hulk, SlowhttpTest, and Slowloris; and DoS based on TCP, UDP and ICMP protocols
to deplete CPU and memory resources. Most DoS attacks focus on the application and network layers. Also, several datasets do not
specify details about the DoS attack targeting the network layer.

Table 2
Denial of Service attacks detected in the reviewed literature.

| Attack | CIA | Target layer | Datasets |
|---|---|---|---|
| MQTT Packet crafting | Availability | Application | IoT Healthcare Security |
| COAP Replay-SlowITE | Availability | Application | IoT Healthcare Security |
| DoS-GoldenEye | Availability | Application | CIC-IDS-2017 and BoT-IoT |
| DoS-Hulk | Availability | Application | CIC-IDS-2017 and CIC-IDS-2018 |
| DoS-SlowhttpTest | Availability | Application | CIC-IDS-2017 and CIC-IDS-2018 |
| DoS-Slowloris | Availability | Application | CIC-IDS-2017 and CIC-IDS-2018 |
| TCP-DoS | Availability | Transport | BoT-IoT and Edge-IIoT |
| UDP-DoS | Availability | Transport | BoT-IoT, All powertrace and Edge-IIoT |
| ICMP DoS | Availability | Network | Edge-IIoT |
| DoS | Availability | Network | KDDCup99, NSL-KDD, UNSW-NB15, Universal Kaggle, ToN-IoT, Netflow ToN-IoT and Ecu-IoHT |
| Bluetooth-DoS | Availability | Network | BlueTack |

The MQTT and COAP application layer protocols are widely used in IoT applications, including Smart Healthcare. The MQTT packet
crafting attack aims to crash an application by establishing a connection with the MQTT broker. The COAP Replay-SlowITE attack
modifies the payload information to send it to the COAP server with a spoofed IP address. Both attacks result in DoS [18].
The HTTP protocol is commonly used by IoMT systems, especially e-healthcare applications, such as Electronic Health Record
applications [31]. Attacks against the HTTP protocol can be simulated by several tools. The GoldenEye tool uses various machines working
together to attack one machine. The Hulk tool attacks web servers by flooding them with a large amount of diverse network
traffic. The SlowhttpTest tool sends HTTP GET requests to bypass the server’s connection limit, inhibiting access to the servers by
legitimate users. Finally, the Slowloris tool sends many HTTP requests to the victim server but intentionally keeps them open and
incomplete to consume server resources [27].
DoS and DDoS attacks targeting Bluetooth protocols, specifically Bluetooth Low Energy (BLE) and Bluetooth Basic Rate/Enhanced
Data Rate (BR/EDR), are also considered to secure IoMT communications as medical sensors widely utilize this version of Bluetooth.
Moreover, the SweynTooth vulnerability could impact implantable medical devices, including insulin pumps, pacemakers, blood
glucose monitors, and hospital equipment, such as patient monitors and ultrasound machines [57].

6.2. DDoS attacks

A DDoS attack is a DoS attack where multiple sources attack the same target, making IoMT devices interrupt their health-related
services [22,38]. The Centre for Internet Security (CIS) states that the healthcare sector is vulnerable to DoS and DDoS attacks,
which can be particularly concerning in hospitals since access to sensitive and critical patient information can be compromised [64].
One instance of IoMT devices’ susceptibility to DDoS attacks was demonstrated recently, where the hacktivist group “Kill-Net” was
responsible for DDoS attacks on the official websites of US hospitals [65]. Moreover, in 2014, the Boston Children’s Hospital spent
over a week fighting against a massive DDoS attack from the hacktivist group “Anonymous” [66].
Table 3 includes all DDoS attacks of the reviewed datasets; some are based on the protocols MQTT, TCP, UDP, and ICMP. Even
though different datasets are used in the literature, most of these contain attacks targeting the network layer.
The MQTT publish flood attack is caused by sending messages at a high rate, which causes a delay in data transmission that can
be very harmful to patients in smart hospitals [18].
A Smurf attack floods the host by continuously sending a massive amount of ICMP echo request packets and exploiting the
characteristics of broadcast networks to magnify the volume of attack traffic significantly. Moreover, this type of DDoS attack can
be performed with the Ettercap tool [22].

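Table 3
Distributed Denial of Service attacks detected in the reviewed literature.

| Attack | CIA | Target layer | Datasets |
|---|---|---|---|
| MQTT Publish flood | Availability | Application | IoT Healthcare Security |
| TCP-DDoS | Availability | Transport | BoT-IoT and Edge-IIoT |
| UDP-DDoS | Availability | Transport | BoT-IoT and Edge-IIoT |
| ICMP DDoS | Availability | Network | |
| DDoS | Availability | Network | CIC-IDS-2017, ToN-IoT and Netflow ToN-IoT |
| Smurf | Availability | Network | Ecu-IoHT |
| Bluetooth-DDoS | Availability | Network | BlueTack |

Table 4
Man in the Middle attacks detected in the reviewed literature.

| Attack | CIA | Target layer | Datasets |
|---|---|---|---|
| MitM | Confidentiality and integrity | Network and Transport | ToN-IoT and Netflow ToN-IoT |
| MitM-Ettercap | Confidentiality and integrity | Network and Transport | Ecu-IoHT |
| Spoofing | Confidentiality and integrity | Network and Transport | Wustl-EHMS, Ecu-IoHT and Edge-IIoT |
| Data alteration | Confidentiality and integrity | Network and Transport | Wustl-EHMS |
| Bluetooth-MitM | Confidentiality and integrity | Network and Transport | BlueTack |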

6.3. MitM attacks

This form of threat occurs between two parties to eavesdrop on their communication. Often in healthcare organizations, MitM
incidents can result in the exposure of confidential patient data or the modification of sensitive medical information, which may be
subsequently sold, misused for other types of cybercrime, or employed to extort affected patients [22,46].
In Table 4, it is visible that there are different ways to produce this type of attack. It shows MitM-Ettercap, an open-source network
security tool that can simulate MitM attacks on LANs [22]. The most frequent type of MitM attack observed in these datasets is
spoofing, which can compromise the integrity and confidentiality of the network and transport layers. This attack manipulates and
modifies a medical device by intercepting an external signal to gain unauthorized access to IoMT data and other system components.
For example, a research paper conducted an experiment in which they altered the information of a health monitoring device, Fitbit,
using a cheap speaker [67]. In another work, researchers used low-cost infrared lasers to spoof a sensor of an infusion
pump [68]. In the case of a blood pressure monitor connected to a mobile app, a MitM attack can capture and extract
the data measured by the medical devices, including device model, MAC address, firmware version and information about the
patient’s pressure, among others. This information can then be exploited to intercept communication and launch attacks like data
injection [49].
Spoofing attacks deceive the source into thinking it is communicating with a genuine destination by impersonating an IoMT device, for example
through spoofed IP and MAC addresses. This attack can interfere with the communication of IoMT devices to eavesdrop, modify data, or
delete information. One instance of this type of MitM attack is the phishing attack capable of targeting healthcare systems [44,55].
Data alteration or tampering attacks can alter medical data randomly or according to a set of rules. This alteration in the values of
the metainformation or patient biomarkers can harm the patients as they may receive incorrect treatment due to the false diagnostics
resulting from this type of MitM attack [19,44]. For instance, a MitM attacker can cause incorrect administration of insulin by altering
the measured value of a smart insulin pump [49].

6.4. Ransomware attacks

The objective of ransomware attacks is to deny users access to files on their machines by encrypting them and demanding
payment. This type of attack is a growing concern in hospitals because of the financial burden and the disruption to healthcare
services [44]. Even Interpol sent an alert about this threat targeting healthcare systems to block access to the patient records and
critical medical information [22].
For instance, in the last year, the charting software used by doctors to monitor patients in Jackson Hospital’s emergency room was
infected with ransomware, which hindered the connection to the charting system [69]. In 2020, a ransomware attack affected the
University of Vermont Medical Center, causing 5000 computers on its IT network to shut down. The attack disrupted several critical
operations, including the hospital’s sleep studies, radiology services, and financial systems. As a result, patient care was significantly
impacted, and the hospital experienced a prolonged outage for several weeks [70]. In the same year, the University Hospital of
Düsseldorf in Germany experienced a ransomware attack that resulted in a complete failure of system and data access. As a result,
the emergency room became unavailable [42]. In 2019, the DCH Health System in West Alabama was infected with ransomware.
Despite this, the hospitals within the network were still able to offer essential medical services to existing patients, but the incident
did interrupt their ability to admit new patients [71]. In 2018, the Indiana hospital system was attacked by ransomware, resulting in
a financial loss of $55,000 [28]. In 2017, the National Health Service (NHS) of Britain was targeted by a ransomware called
WannaCry (also referred to as WannaCrypt), which led to an obstruction in patient care across the healthcare network, affecting
2000,000 machines and 300,000 patients in 150 countries [22,28,31,40,42,72].

Table 5
Ransomware attacks detected in the reviewed literature.

| Attack | CIA | Target layer | Datasets |
|---|---|---|---|
| Ransomware | Integrity and Availability | Application | ToN-IoT, Netflow ToN-IoT and Edge-IIoT |
| Wannacry | Integrity and Availability | Application | ICE |
| Petya | Integrity and Availability | Application | ICE |
| BadRabbit | Integrity and Availability | Application | ICE |
| PowerGhost | Integrity and Availability | Application | ICE |

Table 6
Information Gathering attacks detected in the reviewed literature.

| Attack | CIA | Target layer | Datasets |
|---|---|---|---|
| Scanning | Confidentiality | Network | CIC-IDS-2017, ToN-IoT, Netflow ToN-IoT, BoT-IoT and Edge-IIoT |
| Probing | Confidentiality | Network | KDDCup99, NSL-KDD and Universal Kaggle |
| OS Fingerprinting | Confidentiality | Network | BoT-IoT and Edge-IIoT |
| Reconnaissance | Confidentiality | Network | UNSW-NB15 and Ecu-IoHT |

Table 5 shows the datasets containing different types of ransomware attacks discussed in the reviewed literature. Wannacry,
Petya, BadRabbit, and PowerGhost are well-known ransomware attacks capable of affecting IoMT environments and causing
health-threatening scenarios [23].

6.5. Information gathering attacks

The information-gathering attacks collect different kinds of information about the targeted victim by exploiting the vulnerabilities
of IoMT devices [50]. The vulnerabilities and information that can be compromised include systems details, host information, ports,
and services, along with their respective versions. Additionally, sensitive data transmitted through a network and the confidential
information we provide through emails or text messages on our devices can also be at risk. One instance of the susceptibility of IoMT
environments to this type of attacks was demonstrated last year when the Louisiana healthcare system experienced an attempted
ransomware attack that resulted in hackers gaining access to the personal information of nearly 270,000 patients [73]. Another
occurrence happened when attackers exploited a vulnerability in a drug pump to infiltrate the hospital network and steal the users’
medical records and private information [22].
The security issues related to this attack in the reviewed datasets are presented in Table 6. As shown in these datasets, scanning
and probing attacks are the attacks most commonly found in the available IoMT datasets. Scanning attacks aim to gather information about the
victim IoMT systems, such as the type of operating systems (OS) and running services [27]. Probing attacks seek to gather network
information and scan IoMT device’s information by sending probe packets [50]. OS fingerprinting attacks determine the operating
system running on a targeted device or network. Finally, Reconnaissance attacks also involve gathering information about a target
IoMT system [44].

6.6. Malware attacks

When the attackers have gained access to a system, they can act against the targeted user by performing different malware
(malicious software) attacks. This malicious software, or malware, encompasses a range of programs intended to damage, alter, spy on, or
delete information without the user’s consent. Recently, device protocol and system vulnerabilities have been commonly exploited
to implant malware [51]. The spread of worms, fuzzers or exploits typically relies on weaknesses in the targeted IoMT. However,
this process can disrupt medical services, rendering them inoperable for users [50]. IoMT devices are vulnerable to malware attacks
such as the Mirai botnet, which can take complete control of the entire IoMT system [30,45]. For example, as previously mentioned, the WannaCry
ransomware that impacted the NHS of Britain was intentionally created as a worm [72]. Another malware incident occurred to a
blood gas analyzer [22].

Table 7
Malware attacks detected in the reviewed literature.

| Attack | CIA | Target layer | Datasets |
|---|---|---|---|
| Malware | Integrity and Availability | Application | IoT malware |
| Botnet | Integrity and Availability | Application | CIC-IDS-2017/2018 |
| Worms | Integrity and Availability | Application | UNSW-NB15 |

Table 8
Injection attacks detected in the reviewed literature.

| Attack | CIA | Target layer | Datasets |
|---|---|---|---|
| Data injection | All | Application | ToN-IoT and Netflow ToN-IoT |
| XSS | All | Application | CIC-IDS-201, ToN-IoT, Netflow ToN-IoT and Edge-IIoT |
| SQL injection | All | Application | CIC-IDS-2017 and Edge-IIoT |

Table 9
Password attacks detected in the reviewed literature.

| Attack | CIA | Target layer | Datasets |
|---|---|---|---|
| MQTT Authentication Bypass | All | Application | IoT Healthcare Security |
| FTP-Patator | All | Application | CIC-IDS-2017 and CIC-IDS-2018 |
| SSH-Patator | All | Application | CIC-IDS-2017 and CIC-IDS-2018 |
| Brute force | All | Application | CIC-IDS-2017 and CIC-IDS-2018 |
| Password cracking | All | Application | ToN-IoT, Netflow ToN-IoT and Edge-IIoT |

Table 7 presents the malware attacks mentioned in the reviewed literature, including botnet and worm attacks.

6.7. Injection attacks

Injection attacks allow attackers to inject malicious code into a program or malware onto a machine to reveal sensitive
information, give permissions, modify data, and damage devices. Although there have been a few reported incidents of injection
exploit attacks on hospitals, cybersecurity researchers are apprehensive about the potential risks involved [74]. Launching an
injection attack can alter patients’ biometric data, leading to life-threatening treatments [20].
Table 8 presents the prevalent injection attacks in the reviewed datasets. As shown, Cross-site scripting (XSS) is the injection attack most often found
in the reviewed datasets. This attack injects random code, often in JavaScript, into a legitimate IoMT-based web application. This
malicious injected code is designed to establish communication between the compromised IoMT devices and the attacker’s
server [46]. SQL injection attacks target data-driven applications where malicious SQL statements are inserted into input fields for
execution [27].

6.8. Password attacks

The National Cyber Security Center and the Cybersecurity and Infrastructure Security Agency have observed extensive password
attacks targeting medical research organizations and healthcare institutions [75]. This attack aims to control a system by guessing
the user’s password. Additionally, password attacks are hazardous due to their low frequency and localized distribution, which make
them difficult to detect [50].
The password attacks found in the reviewed literature are shown in Table 9. Additionally, several datasets contain password-
cracking attacks where confidentiality, integrity, and authentication are compromised. The MQTT Authentication Bypass attack targets
the MQTT broker, which requires legitimate username and password information. By excluding the password field from the MQTT
packet and providing only a valid username, it is possible to bypass this authentication process [18].
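
A defender-side check for the MQTT Authentication Bypass pattern described above, as an added example that is not code from the reviewed works or their datasets: it parses a CONNECT packet and reports a username sent without a password. It assumes MQTT 3.1.1 framing; the function names, verdict strings, and sample packets (client ID, user, password) are constructed for illustration.

```python
"""Added example: audit MQTT 3.1.1 CONNECT packets for a username sent without a password."""
from dataclasses import dataclass
from typing import Optional, Tuple

USERNAME_FLAG, PASSWORD_FLAG, WILL_FLAG, RESERVED_FLAG = 0x80, 0x40, 0x04, 0x01


class MalformedPacket(ValueError):
    """The bytes do not parse as a single MQTT 3.1.1 CONNECT packet."""


@dataclass
class ConnectInfo:
    client_id: str
    username: Optional[str]
    has_password: bool


def _remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the 1-4 byte variable-length 'remaining length' field."""
    value = 0
    for i in range(4):
        if pos + i >= len(buf):
            raise MalformedPacket("truncated remaining length")
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise MalformedPacket("remaining length exceeds 4 bytes")


def _field(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one field prefixed by a big-endian 16-bit length."""
    if pos + 2 > len(buf):
        raise MalformedPacket("truncated length prefix")
    end = pos + 2 + int.from_bytes(buf[pos:pos + 2], "big")
    if end > len(buf):
        raise MalformedPacket("field runs past the end of the packet")
    return buf[pos + 2:end], end


def parse_connect(packet: bytes) -> ConnectInfo:
    """Parse the variable header and payload of one CONNECT packet."""
    if not packet or packet[0] != 0x10:
        raise MalformedPacket("not a CONNECT packet")
    remaining, pos = _remaining_length(packet, 1)
    body = packet[pos:]
    if len(body) != remaining:
        raise MalformedPacket("remaining length does not match the buffer")
    name, pos = _field(body, 0)
    if name != b"MQTT" or pos + 4 > len(body) or body[pos] != 4:
        raise MalformedPacket("not protocol MQTT level 4 (3.1.1)")
    flags = body[pos + 1]
    if flags & RESERVED_FLAG:
        raise MalformedPacket("reserved connect flag is set")
    if flags & PASSWORD_FLAG and not flags & USERNAME_FLAG:
        raise MalformedPacket("password flag without username flag")
    pos += 4  # skip protocol level, connect flags and the 2-byte keep-alive
    client_id, pos = _field(body, pos)
    if flags & WILL_FLAG:  # will topic and will message precede the credentials
        _, pos = _field(body, pos)
        _, pos = _field(body, pos)
    username = None
    if flags & USERNAME_FLAG:
        raw, pos = _field(body, pos)
        username = raw.decode("utf-8", "replace")
    if flags & PASSWORD_FLAG:
        _, pos = _field(body, pos)  # the password value is never kept or logged
    if pos != len(body):
        raise MalformedPacket("unexpected bytes after the declared fields")
    return ConnectInfo(client_id.decode("utf-8", "replace"), username,
                       bool(flags & PASSWORD_FLAG))


def classify(packet: bytes) -> str:
    """Return a verdict string an IDS rule or broker plugin could alert on."""
    try:
        info = parse_connect(packet)
    except MalformedPacket:
        return "malformed"
    if info.username is None:
        return "anonymous"
    return "credentials-present" if info.has_password else "username-without-password"


# Constructed sample packets (client ID "pump-01", user "nurse"); not captured traffic.
HEADER = b"\x00\x04MQTT\x04"  # protocol name and level 4
WITH_PASSWORD = b"\x10\x22" + HEADER + b"\xc2\x00\x3c\x00\x07pump-01\x00\x05nurse\x00\x06s3cret"
USERNAME_ONLY = b"\x10\x1a" + HEADER + b"\x82\x00\x3c\x00\x07pump-01\x00\x05nurse"
ANONYMOUS = b"\x10\x13" + HEADER + b"\x02\x00\x3c\x00\x07pump-01"
TRUNCATED = WITH_PASSWORD[:-3]

if __name__ == "__main__":
    for label, pkt in [("with password", WITH_PASSWORD), ("username only", USERNAME_ONLY),
                       ("anonymous", ANONYMOUS), ("truncated", TRUNCATED)]:
        print(f"{label:14s} -> {classify(pkt)}")
```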
Attackers use the FTP-Patator and SSH-Patator tools to execute brute force attacks with the aim of discovering FTP login passwords
and SSH login passwords, respectively [27,38].
A brute force attack attempts to guess passwords by using telnet. This attack aims to gain access to the victim’s IoMT machine [38].
As a result, sensitive patient information can be compromised and destroyed, causing damage in IoMT environments [50].

Fig. 8. Construction phases of the IDS based on AI.

6.9. Other-type attacks

Some authors have been interested in other types of attacks. For instance, Kamel et al. in [48] designed a system to detect RPL-
based attacks, including sinkhole attacks, version attacks, selective forward attacks, wormhole attacks, and hello flooding attacks,
to protect medical devices from excessive power consumption. In work by Grammatikis et al. in [31], attacks based on HTTP and
Modbus/TCP protocols were considered as they are commonly used in conventional Information and Communication Technologies
(ICT) for health and by the IoMT industry, respectively. In addition to cyberattack detection, Sait et al. [32] focused on detecting
anomalies in the health state and patient environment, such as heart attack and ambient temperature.

6.10. The impact of IoMT attacks on IDS

The performance of intrusion detection systems based on AI can be affected by the different types of attacks and their variants.
Understanding the appearance of these attacks and the susceptibility to them is crucial for improved detection performance and the success
of IoMT network security [46]. Regarding FN and FP outcomes, essential health-related treatments may not be administered [20].
As a result, an IDS may consider the behavior characteristics of a considerable number of attacks that can threaten IoMT environments
to gain better knowledge and create more robust AI models, such as Machine Learning and Deep Learning algorithms [21,
22,27,42,49,57]. From the analysis of the attacks on IoMT, it is evident that several sophisticated tools exist to execute a range of
security threats. Unfortunately, as we mentioned in previous subsections, several of these attacks are low-rate, meaning that they consist of
small amounts of malicious network traffic, which makes it challenging to achieve good detection performance [37]. Moreover, we notice that
typical IoMT protocols like MQTT and COAP are only considered by one dataset. Therefore, in most anomaly detection methods,
AI algorithms do not consider the specific characteristics of these protocols, making it difficult to detect zero-day vulnerabilities
related to these IoMT protocols [18].

7. Introduction to intrusion detection systems

An Intrusion Detection System (IDS) can be a software or hardware component designed to detect anomalous activities occurring
on computer systems or networks. The IDSs based on AI are also known as anomaly-based IDSs [29], which work on the premise that
malicious activities differ from typical user behavior by modeling the behavior of a computer system through artificial intelligence
algorithms. Thus, any notable deviation from the observed behavior is considered a potential intrusion. An intrusion attempts to
compromise the CIA triad of sensitive medical data [16]. In addition, the IDS can also be categorized as Active (IDS) and Passive,
also called Intrusion Detection and Prevention System (IDPS). Both monitor the computer systems network passively to identify
anomalous activities and traffic patterns. The difference is that the IDPS responds automatically to potential threats [7,76].
The reviewed works [18–57] summarize the anomaly detection process in IoMT systems in two phases: AI-model generation and
intelligent detection, as shown in Fig. 8.
The first phase involves developing an AI-based model for anomaly detection. This phase typically consists of four critical steps
for generating a classifier to detect malicious activities in IoMT-based networks. The dataset step consists of selecting a suitable
collection of network traffic data for training and evaluating the performance of the AI models. The data pre-processing step involves
applying mechanisms to clean and enhance the data for improved anomaly detection. Next, the feature selection step identifies the
most relevant and valuable features for the AI algorithm’s modeling.
In the intelligent detection phase, the IDS monitors the network flow of medical devices based on the AI-model trained in the
previous phase. Finally, the IDS responds to detected intrusions by generating alerts or implementing mitigation mechanisms, which
are then relayed to the supervisor of the Smart Healthcare Ecosystem.
The performance evaluation of AI-based IDS commonly relies on standard measures based on True Positives (TP), False Positives
(FP), True Negatives (TN), and False Negatives (FN), including accuracy, precision, recall, f1-score, detection rate (DR) or True
Positive Rate (TPR), false positive rate (FPR), training time, and detection time, described as follows [29,35,39,42,43,45,46,48,53,
55].

• TP measures the amount of malicious data in IoMT-based data correctly identified as anomalous.
• FP refers to the benign or normal samples in the IoMT-based data that are incorrectly classified as malicious activity.
• TN represents the amount of benign samples in the IoMT-based data that is correctly identified as benign.
• FN corresponds to malicious IoMT-based data that are incorrectly classified as benign samples.
• Accuracy describes the proportion of correctly predicted samples out of all the instances.

  $$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \tag{1}$$

• Precision identifies the ratio of the number of correctly predicted positive samples to all observations predicted as positives.

  $$\text{Precision} = \frac{TP}{TP + FP} \tag{2}$$

• Recall calculates the ratio of the total number of true positives to all actual positive samples.

  $$\text{Recall} = \frac{TP}{TP + FN} \tag{3}$$

• F1-Score is the harmonic average of the recall and precision metrics. The harmonic mean is used
instead of a simple arithmetic mean to give more weight to lower values, which helps to penalize imbalances between precision
and recall.

  $$\text{F1-Score} = 2 \times \frac{\text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} \tag{4}$$

• TPR corresponds to the ratio of the number of correctly identified positive samples to the total number of actual positive
samples.

  $$TPR = \frac{TP}{TP + FN} \tag{5}$$

• FPR is the number of negative samples incorrectly predicted as positive, relative to the total number of negative instances.

  $$FPR = \frac{FP}{FP + TN} \tag{6}$$
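
The metrics of Eqs. (1) to (6) computed one-vs-rest for each attack class, as an added example that is not taken from the reviewed works: it shows how a rarely occurring attack class can be almost entirely missed while accuracy stays high. The flow labels and counts are constructed, and the function names are hypothetical.

```python
"""Added example: Eqs. (1)-(6) computed one-vs-rest for each attack class."""
from typing import Dict, List, Tuple


def confusion_counts(y_true: List[str], y_pred: List[str], attack: str) -> Dict[str, int]:
    """Count TP, FP, TN and FN with `attack` as the positive class and all other labels negative."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for truth, guess in zip(y_true, y_pred):
        if guess == attack:
            counts["TP" if truth == attack else "FP"] += 1
        else:
            counts["FN" if truth == attack else "TN"] += 1
    return counts


def _ratio(numerator: float, denominator: float) -> float:
    """Return 0.0 instead of dividing by zero, e.g. when a class is never predicted."""
    return numerator / denominator if denominator else 0.0


def ids_metrics(c: Dict[str, int]) -> Dict[str, float]:
    """Apply Eqs. (1)-(6) to one set of confusion counts."""
    precision = _ratio(c["TP"], c["TP"] + c["FP"])                  # Eq. (2)
    recall = _ratio(c["TP"], c["TP"] + c["FN"])                     # Eq. (3); same value as TPR, Eq. (5)
    return {
        "accuracy": _ratio(c["TP"] + c["TN"], sum(c.values())),     # Eq. (1)
        "precision": precision,
        "recall": recall,
        "f1": _ratio(2 * precision * recall, precision + recall),   # Eq. (4)
        "fpr": _ratio(c["FP"], c["FP"] + c["TN"]),                  # Eq. (6)
    }


def per_attack_report(y_true: List[str], y_pred: List[str],
                      benign: str = "benign") -> Dict[str, Dict[str, float]]:
    """Metrics for every attack label present in the ground truth."""
    attacks = sorted(set(y_true) - {benign})
    return {a: ids_metrics(confusion_counts(y_true, y_pred, a)) for a in attacks}


def overall_accuracy(y_true: List[str], y_pred: List[str]) -> float:
    """Multi-class accuracy: share of flows whose predicted label equals the true label."""
    return _ratio(sum(t == p for t, p in zip(y_true, y_pred)), len(y_true))


def constructed_flows() -> Tuple[List[str], List[str]]:
    """Constructed labels: 950 benign, 40 DoS and 10 low-rate password-attack flows."""
    y_true = ["benign"] * 950 + ["dos"] * 40 + ["password"] * 10
    y_pred = (["benign"] * 945 + ["dos"] * 5         # 5 benign flows raise false DoS alerts
              + ["dos"] * 38 + ["benign"] * 2        # 2 DoS flows are missed
              + ["password"] * 1 + ["benign"] * 9)   # 9 of 10 password attacks are missed
    return y_true, y_pred


if __name__ == "__main__":
    truth, predicted = constructed_flows()
    print(f"overall accuracy: {overall_accuracy(truth, predicted):.3f}")
    for attack, metrics in per_attack_report(truth, predicted).items():
        print(attack, {name: round(value, 3) for name, value in metrics.items()})
```

On the constructed flows the overall accuracy is 0.984, yet the password class has a recall of 0.1, which is the gap that per-class recall and F1-score expose and accuracy hides.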

8. Type of IDS based on the response strategy

In [18,19,22,57], generating a new dataset was the study’s principal objective, while implementing an IDS was a secondary
task to test the generated dataset. Salman et al. in [20] proposed a new evaluation metric, and an IDS was applied to compare
the proposed metric with standard metrics employed to evaluate the performance of intrusion detection systems. Most of the
works in the reviewed literature focus on designing a novel intrusion detection model for IoMT networks [21,25–30,32–39,41–56],
and only the following four studies proposed an IDPS [23,24,31,40].
Fernandez Maimo et al. [23] designed a real-time system that can identify, categorize, and mitigate ransomware attacks that aim to
compromise Integrated Clinical Environments (ICE). The system uses ML techniques to find unusual patterns in the communication
network and combines the paradigms of Software Defined Networks (SDN), Network Function Virtualization (NFV), and Mobile
Edge Computing (MEC) to isolate and replace infected devices.
In the work conducted by Thapa et al. [24], the authors focused on developing a collaborative healthcare framework called
FedDICE by integrating federated learning with SDN in distributed ICE (DICE) to detect and mitigate ransomware attacks.
Radoglou-Grammatikis et al. in [31] proposed an IDPS that applies active learning to secure Healthcare communications that rely
on Modbus/Transmission Control Protocol (TCP) and Hypertext Transfer Protocol (HTTP). This system selects the most relevant data
samples using an Uncertainty Sampling Strategy to feed the ML models. Then, the detection performance is improved by updating
and re-training the classifiers. Its mitigation module consists of generating and applying automated Linux firewall rules to overcome
cyberattacks.
In [40], the authors introduced an IDPS comprising a detection process based on ML, an automatic mitigation process modeled
as a multi-armed bandit (MAB) task, and a decision-making process based on a reinforcement learning technique called the Thompson
Sampling method. Moreover, SDN technology is employed to mitigate attacks based on the IEC 60870-5-104 protocol. The proposed
IDPS outperformed a widely known IDPS that uses a signature-based detection technique, namely Suricata.
The reviewed literature mainly focuses on developing novel anomaly-based intrusion detection models for IoMT networks, with
only a few studies proposing an IDPS. These solutions utilize machine learning techniques and SDN and NFV paradigms to secure
healthcare communications. The proposed IDS and IDPS solutions have demonstrated greater suitability for IoMT environments.

9. Type of IDS based on the data source

The IDSs can be categorized based on the data sources to detect anomalous activities. There are usually three types of IDSs
concerning the location of intrusion activity detection: Host-based IDS, Network-based IDS, and Hybrid-based IDS [38].
In the reviewed literature, none of the works proposed a host-based IDS; instead, most were identified as network-based IDS,
except for the following hybrid-based IDS [26,28,30,42].

Table 10
Works using Cloud–Fog–Edge architectures.

| Year | Study | Solution Proposal | Architecture | Dataset |
|---|---|---|---|---|
| 2019 | Alrashdi et al. [55] | Attack detection framework based on Fog Computing and Ensemble of Online Sequential Extreme Learning Machine. | Cloud–Fog | NSL-KDD |
| 2021 | Kumar et al. [29] | Collaborative anomaly detection system based on XGBoost. | Cloud–Fog | ToN-IoT |
| 2021 | Said et al. [32] | A One-Class Support Vector Machine-based system for abnormal health conditions detection and network intrusion detection. | Cloud-Edge | Own dataset |
| 2021 | Hameed et al. [36] | Host-Network based intrusion detection system using online incremental learning methods. | Fog-Edge | ToN-IoT and Netflow ToN-IoT |
| 2021 | Nandy et al. [41] | A unique Swarm-Neural Network-based Empirical Intelligent Agent is employed in an Edge-centric attack detection framework. | Edge | ToN-IoT |
| 2021 | Yao et al. [50] | Edge-based anomaly detection scheme based on wrapper feature selection method and ensemble learning. | Edge | UNSW-NB15 and NSL-KDD |
| 2021 | Otoum et al. [56] | IDS based on Federated Transfer Learning for healthcare connected devices. | Cloud-Edge | CIC-IDS-2017 |
| 2022 | Gupta et al. [44] | MUSE: a malicious activity detection system based on deep hierarchical stacked neural networks. | Cloud-Edge | BoT-IoT, UNSW-NB15 and own dataset |
| 2022 | Zubair et al. [57] | IDS based on DL to autonomously detect and mitigate malicious network traffic. | Cloud-Edge | BlueTack |

Thamilarasu et al. [26] proposed a device-network intrusion detection system to secure two wireless body area networks (WBAN)
groups. The first group consists of wireless wearables and implantable medical devices, and the second WBAN group includes
more advanced and connected devices, such as scanners and smart beds. The hybrid IDS employs a decentralized and hierarchical
architecture, utilizing mobile agents to detect attacks by employing ML models and regression algorithms at various network layers.
A novel host-network-based intrusion detection system relying on ML algorithms for anomaly detection was presented in [28].
It was designed to monitor the IoMT edge network and gather log files from IoMT devices to secure both the IoMT edge network
and IoMT devices from internal and external cyberattacks.
In [36], a fog computing-based IDS that operates on a host-network basis was proposed. This lightweight hybrid system utilizes
adaptive incremental learning to detect attacks at early stages in both network data and fog layer devices. It achieves this without
imposing additional overhead on the fog devices, as the model can adapt and update itself based on incoming data.
Ghourab et al. in [42] designed a hybrid detection model based on an optimized Light Gradient Boosting model (LightGBM)
and a Transformer-based model to detect intrusions in medical device networks and malware for medical staff computers using
Windows as an operating system.
Most of the proposed solutions were identified as network-based IDS among the different types of IDSs based on data sources.
However, the hybrid-based IDS solutions presented showed promising results in detecting attacks at different network layers and
securing IoMT devices from internal and external cyber-attacks without imposing significant resource consumption overhead on the
IoMT devices. Therefore, hybrid detection systems can be a potential solution to enhance the security of IoMT networks.

10. Type of IDS architecture for anomaly detection

The distributed topology, storage, and network services near the users in Fog and Edge Computing architectures allow for solving
major issues in the Smart Healthcare industry, including immediate action in emergency cases, minimum latency time, scalability,
and security of sensitive data [10]. Thus, intrusion detection can be improved by leveraging the benefits of cloud–fog–edge
computing.
This section aims to analyze the tasks carried out by these architectures to achieve anomaly detection. Table 10 presents the
works that proposed an intrusion detection framework on one or a combination of these architectures.
Also, Table 11 presents different tasks carried out by these architectures, according to the works discussed above. For instance, in
works conducted in [29,55], Fog nodes are used for network traffic pre-processing, as well as Edge nodes in [36], along with Cloud
computing in [57]. Moreover, Edge and Fog nodes can collect network traffic data for further computing, as reported in [36,55].
In [29,33,55], Cloud computing enables complex processing, data analysis, data visualization, data storage, long-term data storage,
and handling requested services unavailable in Fog or Edge layer. In the study presented in [57], Cloud computing is also responsible
for the feature selection. Besides, the ML models can be trained in this architecture according to the works presented in [44,56,57].
Alternatively, Fog and Edge nodes can perform lower complexity ML algorithm training by using data collected from their respective
coverage area, as demonstrated in [36,44], respectively. Finally, the attack detection module can be performed in all architectures:
Cloud computing in [29,44], Fog computing in [29,36,55], and Edge computing in [32,41,44,50,56,57].
Table 11
Tasks of Cloud–Fog–Edge architectures.
Task Cloud Fog Edge
Network traffic pre-processing ✓ ✓ ✓
Complex data processing ✓
Network traffic collection ✓ ✓
Data Storage ✓ ✓
Long-Term Data Storage ✓
Services ✓
Data analysis ✓
Data visualization ✓
Feature selection Engineering ✓
Model training ✓ ✓ ✓
Complex model training ✓
Attack detection ✓ ✓ ✓

The discussed works using these technologies show relevant advantages, including enhancing the response time of anomaly
detection [36,55], identifying cyberattacks during data transmission through IoMT networks [41], addressing the security challenges
of using only cloud computing [29,55,56], reducing decision latency and network bandwidth [32], adapting to the hierarchical
structure of IoMT networks [44], and providing a scalable and secure IoMT architecture [57]. As a result, intrusion detection systems
built on cloud–fog–edge architectures can be a potential alternative to address the security challenges of IoMT.

11. Artificial intelligence algorithms for IDS

This section discusses how different AI algorithms have been integrated into attack detection systems of the reviewed literature.
First of all, it is worth mentioning that some works performed data pre-processing before training the AI-based classifiers
to eliminate redundancy, reduce inaccurate outcomes, ease further processing, and improve the performance of the detection
model [18,25,28,29]. The data cleaning steps include transforming categorical values to numeric values [18,25,28,29,33,38,39,53,
57], replacing insignificant values (missing values, duplicated values, Null values, inconsistencies) [23,29,37,54,57] and data
normalization using the min–max method [21,26,28,29,37,43,45,46,50] or Z-score normalization [39,57].
Secondly, a few papers have implemented techniques to handle the imbalanced dataset problem to improve model performance,
avoid unfair results, reduce the computational complexity of AI algorithms, and increase the size of the dataset for training and
testing DL-based models [19,21,39,48]. The most common technique was the Synthetic Minority Over-sampling Technique (SMOTE)
[19,21,45,48] compared to the Random Sampling technique [39].
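The pre-processing and balancing steps named in the two paragraphs above (categorical-to-numeric encoding, min–max normalization, SMOTE), sketched as an added example that is not code from any of the reviewed works. The flow records, feature names and function names are constructed for illustration, and copying categorical columns from the base sample is a simplification chosen here.

```python
import math
import random

# Constructed flow records (not taken from any dataset named in the review):
# (protocol, duration_s, bytes_sent, label), label 1 = attack, 0 = benign.
FLOWS = [
    ("mqtt", 0.20, 310, 0), ("mqtt", 0.25, 290, 0), ("http", 1.10, 5200, 0),
    ("http", 0.90, 4800, 0), ("mqtt", 0.22, 305, 0), ("ble", 0.05, 64, 0),
    ("ble", 0.06, 70, 0), ("http", 1.30, 6100, 0), ("mqtt", 0.21, 300, 0),
    ("http", 4.00, 90000, 1), ("http", 4.50, 98000, 1), ("mqtt", 3.80, 87000, 1),
]


def label_encode(values):
    """Map each distinct categorical value to an integer (sorted for determinism)."""
    codes = {v: i for i, v in enumerate(sorted(set(values)))}
    return [codes[v] for v in values], codes


def min_max_fit(rows):
    """Learn per-column minima and maxima. Fit on the training split only,
    otherwise test-set statistics leak into the model."""
    cols = list(zip(*rows))
    return [min(c) for c in cols], [max(c) for c in cols]


def min_max_apply(rows, mins, maxs):
    """Scale to [0, 1]; a constant column maps to 0.0 instead of dividing by zero."""
    return [[(v - lo) / (hi - lo) if hi > lo else 0.0
             for v, lo, hi in zip(row, mins, maxs)] for row in rows]


def smote(minority, n_new, k=2, categorical=(), seed=0):
    """Create n_new synthetic minority rows by interpolating between a random
    minority row and one of its k nearest minority neighbours. Columns listed
    in `categorical` are copied from the base row, because interpolating
    between category codes has no meaning."""
    if len(minority) < 2:
        raise ValueError("SMOTE needs at least two minority samples")
    rng = random.Random(seed)
    k = min(k, len(minority) - 1)
    numeric = [i for i in range(len(minority[0])) if i not in categorical]

    def distance(a, b):
        return math.dist([a[i] for i in numeric], [b[i] for i in numeric])

    synthetic = []
    for _ in range(n_new):
        base = rng.choice(minority)
        neighbours = sorted((m for m in minority if m is not base),
                            key=lambda m: distance(base, m))[:k]
        other = rng.choice(neighbours)
        gap = rng.random()  # position on the segment base -> neighbour
        synthetic.append([b if i in categorical else b + gap * (o - b)
                          for i, (b, o) in enumerate(zip(base, other))])
    return synthetic


def preprocess_and_balance(flows, seed=0):
    """Encode, normalize, then oversample attacks until both classes are equal."""
    protocols, _ = label_encode([f[0] for f in flows])
    rows = [[p, f[1], f[2]] for p, f in zip(protocols, flows)]
    labels = [f[3] for f in flows]
    mins, maxs = min_max_fit(rows)
    rows = min_max_apply(rows, mins, maxs)
    minority = [r for r, y in zip(rows, labels) if y == 1]
    deficit = labels.count(0) - labels.count(1)
    extra = smote(minority, deficit, categorical={0}, seed=seed)
    return rows + extra, labels + [1] * len(extra)
```

Oversampling belongs after the train/test split and only on the training part, so that synthetic points derived from test records never reach the classifier.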
Thirdly, as shown in Fig. 9, feature selection algorithms have been used in the literature to reduce the complexity of IoMT-data,
increase the model’s efficiency, decrease computational cost, and improve storage capacity [18,21,25,29,33,34,43,46].
For the training of AI models, some works [21,23,39] tuned the values that govern the learning process of AI algorithms, known
as hyperparameters. This model tuning process demonstrated improved detection performance by finding optimal hyperparameter
values to construct the best classifier for anomaly detection in IoMT networks.
Furthermore, Fig. 10 illustrates the different types of Artificial Intelligence algorithms used in the reviewed literature, including
supervised ML/DL, semi-supervised ML/DL, unsupervised ML/DL, ensemble learning of ML classifiers, online learning, and adaptive
incremental classifiers. However, some authors proposed new algorithms for attack detection systems; for example, Manimurugan
et al. [27] introduced a novel deep learning-based DBN algorithm to improve the detection performance in terms of detection
rate, precision, accuracy, recall, and F1-score; Fang et al. [51] proposed the R-FCVM model based on the Fuzzy Core Vector Machine
(FCVM) and Rough Set (RS) theory to enhance the performance of illegal behavior detection in terms of accuracy; Nandy et al. [41]
presented the Swarm-Neural Network (Swarm-NN) approach, which involves generating and training a group of neural networks to
identify anomalies in IoMT data to reduce the error rate; Yao et al. [50] introduced a novel ensemble based on random subspace
(RSS) and bagging methods to improve the robustness of attack detection; and Khan et al. [30] constructed a hybrid model based on
CNN and LSTM algorithms to enhance the detection performance regarding false positive rates.
On the other hand, Naveed et al. in [55] and Hameed et al. in [36] explored other types of AI models for attack identification. The
first used online learning for fast learning and proposed an Ensemble of Online Sequential Extreme Learning Machine to outperform
both Extreme Learning Machine (ELM) and Online Sequential Extreme Learning Machine (OS-ELM) in terms of detection rate, false
alarm rate, and accuracy. The latter implemented six different adaptive incremental classifiers in their host-network-based attack
detection system so that it can be updated with new incoming data with a high average accuracy: Incremental Naïve
Bayes (INB), Weighted Hoeffding Tree Ensemble (WHTE), Hoeffding Tree Naïve Bayes Adaptive (HTNBA), Incremental K-Nearest
Neighbors (IKNN), Hoeffding Tree Majority Class (HTMC) and Hoeffding Tree Naïve Bayes (HTNB).
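What "adaptive incremental" means in practice, shown with the simplest classifier in the list above: a Naïve Bayes model whose statistics are updated one record at a time, so a new traffic class can be added to a running detector without retraining or stored history. This is an added example, not the implementation from [36]; the Gaussian likelihood, the class and function names, the two features and all records are assumptions constructed for illustration.

```python
import math


class IncrementalGaussianNB:
    """Gaussian Naive Bayes with per-class running statistics (Welford's
    algorithm), updated per record so past traffic never has to be kept."""

    def __init__(self, n_features, var_floor=1e-6):
        self.n_features = n_features
        self.var_floor = var_floor  # keeps the variance positive for constant features
        self.stats = {}             # label -> [count, running means, running M2 sums]

    def learn_one(self, x, label):
        if len(x) != self.n_features:
            raise ValueError("unexpected feature count")
        entry = self.stats.setdefault(
            label, [0, [0.0] * self.n_features, [0.0] * self.n_features])
        entry[0] += 1
        count, mean, m2 = entry
        for i, v in enumerate(x):
            delta = v - mean[i]
            mean[i] += delta / count
            m2[i] += delta * (v - mean[i])

    def log_scores(self, x):
        total = sum(entry[0] for entry in self.stats.values())
        scores = {}
        for label, (count, mean, m2) in self.stats.items():
            score = math.log(count / total)  # class prior from the counts seen so far
            for v, mu, s in zip(x, mean, m2):
                var = max(s / count, self.var_floor)
                score += -0.5 * math.log(2 * math.pi * var) - (v - mu) ** 2 / (2 * var)
            scores[label] = score
        return scores

    def predict_one(self, x):
        if not self.stats:
            raise RuntimeError("model has not seen any labelled record yet")
        scores = self.log_scores(x)
        return max(scores, key=scores.get)


# Constructed records: (packets_per_second, mean_payload_bytes), label.
INITIAL_STREAM = [
    ((2.0, 60.0), "benign"), ((2.2, 64.0), "benign"), ((1.8, 58.0), "benign"),
    ((2.1, 61.0), "benign"), ((1.9, 62.0), "benign"),
    ((400.0, 20.0), "flood"), ((420.0, 22.0), "flood"),
    ((380.0, 18.0), "flood"), ((410.0, 21.0), "flood"),
]
# Records labelled later, e.g. after an analyst confirms a pattern the model never saw.
LATER_STREAM = [
    ((3.0, 1400.0), "new_attack"), ((2.5, 1350.0), "new_attack"),
    ((3.5, 1450.0), "new_attack"),
]


def train_stream(model, records):
    """Feed labelled records to the model in arrival order."""
    for features, label in records:
        model.learn_one(features, label)
    return model
```

Before `LATER_STREAM` is learned the model can only answer with a class it already knows, which is the gap incremental updates are meant to close.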
In Table 12, we present solutions from the reviewed literature that only use ML algorithms for attack detection, such as
Naive Bayes (NB), Reduced Error Pruning (REP) Tree, Extra Tree (ET), Ridge Classifier (RC), Gaussian Naive Bayes (GNB),
Stochastic Gradient Descent (SGD), Connectivity-based Outlier Factor (COF), Local Outlier Factor (LOF), Local Outlier Probability
(LoOP), approximate Local Correlation Integral (aLOCI), Influenced Outlierness (INFLO), Local Density Cluster-Based Outlier
Factor (LDCOF), Histogram-based Outlier Score (HBOS), Cluster-based Local Outlier Factor (CBLOF), Clustering-based Multivariate
Gaussian Outlier Score (CMGOS), Isolation Forest (IF), One class Support Vector Machine (OC-SVM/LIBSVM), Ensemble Crossover
XGBoost (C-XGBoost), Light Gradient Boosting Model (LightGBM), among others.

Fig. 9. Feature selection algorithms used in IoMT-based IDS.

Fig. 10. AI algorithms used in the reviewed literature.

Table 12
Works using only ML algorithms for attack detection.

| Year | Study | Solution Proposal | Dataset | Algorithms of ML |
|---|---|---|---|---|
| 2020 | Salman et al. [20] | A novel attack detection performance evaluation metric called Safety Score. | Wustl-EHMS | KNN, LogR and RF |
| 2020 | Newaz et al. [49] | HEKA: an IDS for personal medical devices. | Own dataset | KNN, RF, DT and SVM |
| 2020 | Fang et al. [51] | R-FCVM model for illegal behavior detection in medical IoT environment. | Own dataset | One-Class SVM, Isolation Forest, SVM and FCVM |
| 2020 | Saba et al. [53] | Integration of PCA as feature selection mechanism to improve the attack detection of IoMT networks. | KDDCup99 | Bagging, Boosting and Voting Ensembles |
| 2020 | Thamilarasu et al. [26] | Device-centric and Network-centric intrusion detection system to secure medical devices. | Own dataset | KNN, RF, DT, SVM and NB |
| 2021 | Hussain et al. [18] | A novel IoMT dataset generated by IoT-Flock for malicious traffic detection. | IoT Healthcare Security | KNN, LogR, RF, DT and NB |
| 2021 | Zachos et al. [28] | Network-based and Host-based intrusion detection system for IoMT devices. | All powertrace and ToN-IoT | KNN, LogR, RF, DT, SVM and NB |
| 2021 | Kumar et al. [29] | Anomaly detection system based on ensemble learning and Cloud–Fog computing. | ToN-IoT | RF, DT, NB and XGBoost |
| 2021 | Said et al. [32] | A novel detection system designed to identify network anomalies and unusual health conditions. | Own dataset | SVM |
| 2021 | Iwendi et al. [37] | Anomaly detection system based on genetic algorithm to optimize and reduce system resource consumption for IoMT. | NSL-KDD and CIC-IDS-2018 | LogR, RF and NB |
| 2021 | Ahmed et al. [22] | New IoMT dataset for anomaly detection. | Ecu-IoHT | KNN, CBLOF, LOF, aLOCI, COF, INFLO, LoOP, CMGOS, LDCOF, RPCA, HBOS and LIBSVM |
| 2022 | Saif et al. [38] | HIIDS: Hybrid Intelligent Intrusion Detection System based on the combination of different feature selection algorithms and ML models. | NSL-KDD | KNN and DT |
| 2022 | Basharat et al. [43] | Comparative assessment of various ML models for intrusion detection in Smart Healthcare systems. | UNSW-NB15 | RF, SVM, Bagging and Adaboost |
| 2022 | Kumar et al. [47] | Real-time healthcare system for attack detection based on wise greedy routing technique, multi-heuristic optimization process and ensemble classifier. | Own dataset | RF, DT, NB and ensemble crossover XGboost classifier |
| 2022 | Naveed et al. [54] | Intrusion detection system based on Pearson correlation coefficient and ML models to secure smart IoT devices for people with disabilities. | KDDCup99 | SVM |
| 2022 | Gupta et al. [21] | A lightweight intrusion detection model based on a novel tree classifier utilizing Random Forest, as well as feature selection and dimension reduction techniques. | Wustl-EHMS | RF, LogR, DT, and ET |

The DL models used in the reviewed literature are Recurrent Neural Network (RNN), Convolutional Neural Network (CNN),
Multi-layer Perceptron (MLP), Spiking neural networks (SNN), Artificial Neural Network (ANN), Long Short Term Memory Network
(LSTM), Feedforward Neural Network (FNN), Gated Recurrent Unit Network (GRU), Bidirectional long-short term memory (Bi-LSTM)
and bidirectional Simple Recurrent Units (Bid-SRU), Deep Neural Network (DNN), Deep Belief Network (DBN), Sparse Stacked
Autoencoder (SSAE), and BERT-based Transformer. The studies which used only DL models for anomaly detection are described in
Table 13, and the works which compared both ML and DL algorithms are presented in Table 14. We highlighted the IoMT datasets
to identify those works that evaluated their proposals with IoMT-based data.
Finally, we categorize all works based on type-classification and present the studies that classified IoMT data into benign and
malicious behavior in Table 15. We highlight the significant metrics for IDS performance, such as precision, accuracy, F1-Score,
recall, Detection rate (DR), false positive rate (FPR), classifier training time, and detection time.
Many reviewed works integrated ML algorithms into their solutions, with the RF classifier being the most widely used. In most
cases, combining the RF classifier with feature selection mechanisms, such as the Wrapper-based PSO algorithm, Standard Deviation
algorithm, and Genetic algorithm resulted in the best training time, detection time, and detection rate. However, DL-based models
were explored less frequently than ML-based models. It is worth noting that DL algorithms, such as ANN and DNN, were found to
have longer training times than ML classifiers. Nonetheless, hybrid-DL models based on CNN and LSTM displayed the best training
time and detection performance compared to the XGBoost ensemble. However, the latter proved to have the best detection time
compared to this hybrid-DL algorithm. In addition, the DL-based model named SSAE showcased the best false positive rate compared
to various ML classifiers, such as RF, DT, XGBoost, and the proposed ensemble based on RSS and Bagging methods. Conversely, the
adaptive incremental classifier, WHTE, and BERT-based Transformer demonstrated the highest performance compared to all other
works in the reviewed literature.
Furthermore, Table 16 presents the works that classify the type of attack and highlights their important metrics. However, none
of these works included an analysis of the training time, detection time, and false positive rate. The NB and DBN-based models
obtained a performance of over 95% for all detected types of attacks. However, other studies obtained poor results for some attacks,
with a detection performance below 50%. It is notable that for this multi-class task, tests were done with fewer types of algorithms.
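How a high overall accuracy can coexist with the very low per-class results noted above for the multi-class task, as an added example that is not code from any reviewed study. The class names are borrowed from the NSL-KDD rows of Table 16; the label counts and the function names are constructed for illustration.

```python
from collections import Counter


def per_class_metrics(y_true, y_pred):
    """One-vs-rest precision, recall, F1 and false positive rate per class,
    plus overall accuracy and macro-averaged recall. Undefined ratios (0/0),
    e.g. precision of a class that is never predicted, are reported as 0.0."""
    if len(y_true) != len(y_pred) or not y_true:
        raise ValueError("need two non-empty label lists of equal length")
    labels = sorted(set(y_true) | set(y_pred))
    pairs = Counter(zip(y_true, y_pred))  # (true label, predicted label) -> count
    total = len(y_true)

    def ratio(num, den):
        return num / den if den else 0.0

    report = {}
    for c in labels:
        tp = pairs[(c, c)]
        fp = sum(n for (t, p), n in pairs.items() if p == c and t != c)
        fn = sum(n for (t, p), n in pairs.items() if t == c and p != c)
        tn = total - tp - fp - fn
        precision, recall = ratio(tp, tp + fp), ratio(tp, tp + fn)
        report[c] = {
            "precision": precision,
            "recall": recall,
            "f1": ratio(2 * precision * recall, precision + recall),
            "fpr": ratio(fp, fp + tn),
            "support": tp + fn,
        }
    accuracy = ratio(sum(pairs[(c, c)] for c in labels), total)
    macro_recall = sum(r["recall"] for r in report.values()) / len(labels)
    return accuracy, macro_recall, report


def constructed_predictions():
    """Constructed labels: 90 Normal, 8 DoS and 2 U2R records. The classifier
    misses both U2R records and raises one false DoS alarm on normal traffic."""
    y_true = ["Normal"] * 90 + ["DoS"] * 8 + ["U2R"] * 2
    y_pred = ["Normal"] * 89 + ["DoS"] * 1 + ["DoS"] * 8 + ["Normal"] * 2
    return y_true, y_pred
```

On this constructed input the accuracy is 97% while the rare class is never detected, which is why per-class recall and a macro average are worth reporting next to accuracy.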

Table 13
Works using only DL algorithms for attack detection.

| Year | Study | Solution Proposal | Dataset | Algorithms of DL |
|---|---|---|---|---|
| 2020 | Kamel et al. [48] | IoT Routing attacks detection model based on CNN to protect IoMT environments from power consumption and destruction of the entire network. | Own dataset | CNN |
| 2021 | Khan et al. [30] | Deep learning-driven SDN enabled framework based on CNN and LSTM for IoMT malware detection systems. | IoT malware | CNN+LSTM, CNN+GRU, GRU+LSTM |
| 2022 | Gupta et al. [44] | MUSE: malicious activity system between the core clouds, edge and IoT gateway, based on a deep hierarchical stacked neural networks. | BoT-IoT, UNSW-NB15 and own dataset | Proposed model |
| 2022 | Wagan et al. [45] | A multi-modal approach to distinguish between benign and malicious IoMT network traffic, as well as predict heart attacks based on the combination of dynamic Fuzzy C-Means clustering and a customized Bi-LSTM algorithm. | Wustl-EHMS | BiLSTM |
| 2022 | Khan et al. [46] | XSRU-IoMT model for identifying complex attacks in IoMT networks using a novel bidirectional SRU-driven deep learning algorithm and eXplainable Artificial Intelligence (XAI) to enhance human trust management. | ToN-IoT | Proposed bid-SRU, LSTM and GRU |
| 2022 | Ghourabi et al. [42] | Hybrid IDS for intrusions detection in IoMT networks and malware in Windows environments. | Ecu-IoHT, ToN-IoT, Edge-IIoT and Ember | LightGBM, DNN, BERT-based Transformer and LSTM |

Since IoMT networks generate a large amount of data, including real-time data, and IoMT devices often have limited
computational resources, AI algorithms have become necessary for IDS because they can be designed to learn and adapt to new attack
patterns, making them more effective in detecting zero-day attacks without compromising their performance.

12. Nature of IDS datasets

In this subsection, we describe and classify the datasets used in the reviewed literature based on the nature of the generated
network traffic data. As shown in Fig. 11, we identified three main types of datasets for traditional network traffic, IoT-specific
networks, and IoMT-specific networks called Traditional Networks datasets, IoT datasets, and IoMT datasets, respectively. Identifying
the type of dataset used to evaluate an IDS is critical since different datasets have distinct characteristics and patterns of normal
and malicious behavior. Thus, selecting a dataset is crucial to ensuring effective attack detection and classification in real-world
IoMT-based scenarios. Furthermore, an IDS may experience poor detection performance when the training of its model is based on
one specific dataset that may not generalize well to different IoMT scenarios.

12.1. Traditional networks datasets

The datasets included in the category of traditional network datasets are considered traditional because they have been widely
used for benchmarking purposes in network security since the early days of detection system approaches. This category comprises
several commonly used datasets created for evaluating intrusion detection systems and other network security mechanisms, such as
the CIC-IDS-2017 dataset, UNSW-NB15 dataset, and NSL-KDD dataset, among others, which are described in more detail below.
The Universal benchmarked intrusion detection dataset from Kaggle or Universal Kaggle dataset comprises benign and common
attacks in pcap format for validating IDSs and IDPSs.
Endgame Malware Benchmark for Research (EMBER) dataset includes malicious Windows portable executable files used in
Machine Learning Static Evasion Competition 2018.
The CIC-IDS-2017 dataset comprises typical network flows and abnormal data from 50 and 420 machines, respectively. It
was designed to simulate real-world data for the performance evaluation of intrusion detection and prevention models. Afterwards, the
CIC-IDS-2018 dataset was built to enhance its previous version.
The UNSW-NB15 dataset was created by a tool of IXIA, and it was configured with three virtual servers; two were configured
for regular traffic, while the third server simulated the malicious scenario considering nine different attacks.
Finally, the NSL-KDD dataset comprises traffic from multiple computers, servers, and multiple IP addresses, and it was constructed
to address some of the limitations of KDDCup99 dataset, which was initially developed for the Third International Competition on
Knowledge Discovery and Data Mining Tools in 1999.
The popularity of traditional datasets for IDSs is due to their inclusion of various attack types and typical traffic patterns, making
them suitable for testing the effectiveness of different detection methods. Furthermore, using these datasets can offer valuable
insights into how to adapt traditional IDS techniques to the particular characteristics of IoMT networks. However, these datasets
do not entirely reflect the complexity and diversity of network traffic in IoMT-based environments and may not contain some novel
and complex attacks.

Table 14
Works using ML and DL algorithms for attack detection.

| Year | Study | Solution Proposal | Dataset | Algorithms of ML/DL |
|---|---|---|---|---|
| 2019 | Newaz et al. [52] | HealthGuard: a novel security framework that employs ML techniques to detect malicious activity within Smart Healthcare Systems. | Own dataset | KNN, DT, RF and ANN |
| 2019 | Fernandez Maimo et al. [23] | An intelligent real-time system for ransomware detection, classification and mitigation in integrated clinical environments based on ML, NFV and SDN technologies. Moreover, this study claims to detect zero-day attacks by training the system with some types of ransomware attacks and testing it with other different types of ransomware. | ICE | RF, NB, LOF, OC-SVM, IF and ANN |
| 2020 | Manimurugan et al. [27] | A novel DBN algorithm for intrusion detection schemes in IoMT. | CIC-IDS-2017 | SVM, RNN, DBN, SNN and proposed DBN |
| 2020 | Hady et al. [19] | Novel IoMT dataset that comprises network and biometric metrics features for MitM attacks detection. | Wustl-EHMS | KNN, SVM, RF and ANN |
| 2020 | Maddikunta et al. [25] | An IDS based on PCA-GWO and DNN to identify, classify and predict attacks in IoMT. | Universal Kaggle | KNN, SVM, NB, RF and DNN |
| 2021 | Li et al. [34] | Abnormal behavior detection model in a medical IoT system based on butterfly optimization algorithm and ANN. | NSL-KDD | ANN, DT, RF and LogR |
| 2021 | Yao et al. [50] | Anomaly detection scheme based on Edge computing, a novel ensemble and BPSO-based wrapper feature selection method. | UNSW-NB15 and NSL-KDD | Proposed Ensemble Learning Method, KNN, GNB, RF, SVM, MLP and AdaBoost |
| 2021 | Otoum et al. [56] | An IDS based on federated transfer learning using DNN to protect the medical devices that are connected to a patient’s healthcare system. | CIC-IDS-2017 | DT, SVM, DBN, SGD and DNN |
| 2021 | Radoglou-Grammatikis et al. [31] | An IDPS based on active learning approach to protect healthcare communications that rely on HTTP and Modbus/TCP. | CIC-IDS-2017 and own dataset | DT, SVM, NB, RF, MLP and DNN |
| 2021 | Saheed et al. [33] | An IDS based on Wrapper-based PSO and ML algorithms for threats identification and prevention in IoMT. | NSL-KDD | KNN, DT, RC, RF and RNN |
| 2021 | Subasi et al. [35] | An intrusion detection framework based on Bagging ensemble classifier for Smart Healthcare. | NSL-KDD | KNN, SVM, Random Tree, c4.5, REP Tree, RF, Bagging and ANN |
| 2021 | Radoglou-Grammatikis et al. [40] | An IDPS based on ML algorithms and SDN paradigm to protect and mitigate cyberattacks utilizing the IEC 60870-5-104 protocol. | Own dataset | LogR, NB, CART, RF, SVM, Adaboost and MLP |
| 2021 | Nandy et al. [41] | A new edge-centric IoMT framework based on a unique Swarm-NN for health data protection. | ToN-IoT | KNN, LogR, DT, SVM, and Swarm-NN |
| 2021 | Thapa et al. [24] | FedDICE: a Federate Distributed Integrated Clinical Environment for ransomware attacks detection and mitigation. | ICE | LogR, SVM and FNN |
| 2022 | Binbusayyis et al. [39] | Investigation and comparison of applying several ML models for anomaly-based intrusion detection systems in IoMT networks. | BoT-IoT | KNN, DT, SVM, NB and ANN |
| 2022 | Zubair et al. [57] | A novel dataset for IoT attacks based on Bluetooth, and a secure attack detection framework lying on the edge nodes of a smart healthcare system. | BlueTack | LogR, DT, SVM, NB, LOF, K-means, IF and MLP |

12.2. IoT datasets

The category of IoT datasets comprises datasets designed to reflect the unique characteristics of IoT environments, such as large
number of devices, data heterogeneity, diversity of communication networks and protocols, and limited computing resources of IoT
devices. Therefore, evaluating IDSs on these datasets can be helpful in developing effective security solutions for IoT environments.
The following datasets are considered IoT datasets, described in detail below.
The BoT-IoT dataset comprises simulated and legitimate IoT network traffic from 5 MQTT-IoT-based devices, along with several
attacks commonly used by botnets, to evaluate security countermeasures for IoT environments.
The ToN-IoT dataset is a compilation of heterogeneous datasets obtained from telemetry IoT-based and Industrial IoT (IIoT)
based data intended to assess AI-based security models.

Table 15
Comparison of the solution proposals performance handling binary classification.
Year Study Best classifier Accuracy Precision Recall F1-Score DR FPR Training time (s) Detection time (s) Dataset
2019 Newaz et al. [52] DT 90.9% 91% 91% 90% – – – – Own dataset
2019 Fernandez Maimo et al. [23] OC-SVM – 92.32% 99.97% 95.96% – 4.6% – 10.022 s ICE
2019 Naveed et al. [55] Ensemble of OS-ELM 98.19% – – – 97.09% 2.04% 0.4362 s – NSL-KDD
2020 Hady et al. [19] ANN 90.04% – – 300 s 0.5 s Wustl-EHMS
2020 Salman et al. [20] RF 93% – – 71.7% – – – – Wustl-EHMS
2020 Maddikunta et al. [25] DNN 99.90% – – 580 s – Universal Kaggle
2020 Newaz et al. [49] RF 94-98% 94-98% 94-98% 94-98% – – – – Own dataset
2020 Fang et al. [51] R-FCVM 96-98% – – – – Own dataset
2020 Saba et al. [53] Bagging 93.2% 99% 92% 96.1% – – – – KDDCup99
2020 Thamilarasu et al. [26] RF 97-99% – – – – – 6 s – Own dataset
2020 Kamel et al. [48] CNN 90-98% 94-99% 80-99% 88-97% – – – – Own dataset
2021 Hameed et al. [36] WHTE – – – ToN-IoT
  100% 100% 100% – – – 12.89 s Netflow ToN-IoT
2021 Radoglou-Grammatikis et al. [31] DT for HTTP-attacks 96.44% – – 91.11% – 2.22% – – CIC-IDS-2017
  RF for Modbus/TCP-attacks 94.54% – – 94.25% – 10.1669% – – Own dataset
2021 Saheed et al. [33] RF 99.76% 99.75% 96.45% 96.45% – – 0.1181 s – NSL-KDD
2021 Subasi et al. [35] Bagging 97.67% – – 97.7% – – – – NSL-KDD
2021 Radoglou-Grammatikis et al. [40] CART 81.73% – – 79.21% – 2.03% – – Own dataset
2021 Nandy et al. [41] Swarm-NN 99.5% – – – – – – – ToN-IoT
2021 Thapa et al. [24] LogR 99% 99% 99% 99% – – – ICE
2021 Otoum et al. [56] DNN 95.14% – – – – – 227.1 s 10.3 s UNSW-NB15
2021 Yao et al. [50] Proposed ensemble 90.06% – – 90.01% 85.42% 3.8% 3.47 s 0.27 s UNSW-NB15
  90.59% – – 90.63% 96.43% 18.70% 3.87 s 0.36 s NSL-KDD
2021 Hussain et al. [18] RF 99.51% 99.70% 99.79% 99.65% – – – – IoT Healthcare Security
2021 Zachos et al. [28] KNN 99.98% 99.95% 99.97% 99.96% – – – – ToN-IoT
  RF 99% 97.18% 96.84% 97.01% – – – – All powertrace
2021 Kumar et al. [29] XGBoost 96.35% 90.54% – 95.03% 99.98% 5.59% 80 s 0.6991 s ToN-IoT
2021 Iwendi et al. [37] GA-RF 99.10% 99% 99% 99% 98.81% 0.8% – – NSL-KDD
2021 Ahmed et al. [22] INFLO – – – over 95% – – – – Ecu-IoHT
2021 Khan et al. [30] CNN+LSTM 99.83% 99.43% 99.71% 99.77% – – 20.5 s 1.2 s IoT malware
2021 Li et al. [34] ANN 93.27% – – – – – – NSL-KDD
2022 Binbusayyis et al. [39] DT 100% – – – 100% 12% – – BoT-IoT
2022 Ghourabi et al. [42] BERT-based Transformer 100% 100% 100% 100% – – – – ECU-IoHT
  99.99% 99.98% 99.99% 99.99% – – – – ToN-IoT
  LightGBM 100% 100% 100% 100% – – – – Edge-IIoT
  97.96% 98.39% 97.52% 97.95% – – – – Ember
2022 Zubair et al. [57] MLP 99.8% 99.7% 99.06% 99.38% – – – – BlueTack
2022 Kumar et al. [47] Ensemble crossover XGboost classifier 99.64% 95% – 98.5% – – – – Own dataset
2022 Naveed et al. [54] SVM 99.3% 99.1% – 99.25% – – – – KDDCup99
2022 Gupta et al. [21] RF 94.23% – – 93.8% 93.72% 6% – 3.5 μs wustl-EHMS
2022 Gupta et al. [44] SSAE 99.20% 96.55% 98.59% 97.55% – 0.64% – – Combination of BoT-IoT, UNSW-NB15 and own dataset
2022 Wagan et al. [45] BiLSTM 92.95% 91.61% 95.64% 95.64% – – – – Wustl-EHMS
2022 Khan et al. [46] Bid-SRU 99.38% 99.39% 98.99% 99.37% – – – – ToN-IoT

The Netflow-ToN-IoT dataset is built from the raw packet capture files of the ToN-IoT dataset, which were converted into a
common format called NetFlow for evaluating detection systems based on ML.
The Edge-IIoT dataset was generated from various IoT devices to create a suitable testing environment arranged into seven
interconnected layers, including Edge computing layer, Fog computing layer, Cloud computing layer, IoT perception, SDN layer,
NFV layer, and Blockchain layer.
The All powertrace dataset includes both malicious and benign behavior of IoT-based devices, created by the Cooja Simulator to
train and test ML models used in attack detection approaches.
Finally, the IoT malware dataset provides Executable and Linkable Format files of benign IoT samples and sequences of opcodes as
malware IoT samples.
The IoT datasets lead to the development of more accurate IDS for real IoT-based scenarios. However, IoT has a wide range of
applications across various fields, including smart home, smart healthcare, and smart cities. Consequently, the IoT datasets discussed
previously may partially capture the characteristics and requirements of IoMT applications. As a result, it has become essential to
use datasets that reflect typical and malicious IoMT-based scenarios to secure IoMT networks.

12.3. IoMT datasets

The category of IoMT datasets includes datasets that provide a realistic representation of IoMT environments. Evaluating IDSs
for Smart Healthcare organizations requires datasets covering various medical devices, including the diversity of IoMT-based data
and sensors, security and privacy concerns, and the characteristics of IoMT systems and architectures. The following paragraphs
describe the IoMT datasets used in the proposed solutions.
The BlueTack dataset proposed by Zubair et al. in [57] consists of data related to Bluetooth Low Energy (BLE) and Basic
rate/Enhanced data rate (BR/EDR) technology. This dataset also includes various attacks against this Bluetooth technology, intending
to evaluate security mechanisms that seek to protect users who use wireless medical devices.
Hussain et al. in [18] developed a utility called IoT-Flock on Linux to generate an IoT Healthcare Security dataset, which simulates
an IoT-based Intensive Care Unit with a capacity of two beds equipped with seven environment monitoring devices and nine patient
monitoring sensors each.
The Ecu-IoHT dataset presented in [22] was created with the Libelium MySignals Healthcare kit. It includes several sensors capable
of monitoring various biometric parameters and simulating an Internet of Health Things environment.
Hady et al. in [19] utilized the PM4100 Six Pe Multi-Sensor Board, a product from the Medical expo, to simulate a real-time
Enhanced Healthcare Monitoring System (EHMS) and generate the Wustl-EHMS dataset. This medical board is equipped with a set of
sensors that are attached to a patient’s body to collect their biometric data.
The Integrated Clinical Environment (ICE) dataset introduced in [23] was generated from five medical devices with different
operating systems and one clinical database distributed across the machines with MS Windows to detect five types of ransomware
attacks.
Fig. 12 shows an overview of the testbeds used to generate these IoMT datasets, and Table 17 shows the type of ecosystem,
healthcare application, and type of medical devices for each IoMT dataset presented previously.
These IoMT datasets were generated using different medical devices and simulated various healthcare scenarios to evaluate
the IDS effectiveness against different types of attacks. It is essential to use IoMT datasets that accurately represent the IoMT
environment’s complexity. Thus, an IoMT dataset should include various medical devices, sensors, and IoMT system and architecture
characteristics.

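Table 16
Comparison of the solution proposals performance handling multi-classification.

| Year | Study | Best classifier | Class | Accuracy | Precision | Recall | F1-Score | DR | Dataset |
|---|---|---|---|---|---|---|---|---|---|
| 2019 | Fernandez et al. [23] | NB | Clean | 99% | – | – | – | – | ICE |
| | | | WannaCry | 100% | – | – | – | – | |
| | | | Petya | 100% | – | – | – | – | |
| | | | BadRabbit | 100% | – | – | – | – | |
| | | | PowerGhost | 99% | – | – | – | – | |
| 2020 | Manimurugan et al. [27] | DBN-based model | Normal | 99.37% | 96.21% | 98.34% | 97% | 98.31% | CIC-IDS-2017 |
| | | | Botnet | 97.93% | 96.21% | 98.54% | 97% | 98.51% | |
| | | | Brute Force | 97.71% | 96.21% | 98.17% | 97% | 98.01% | |
| | | | DoS/DDoS | 96.67% | 95.21% | 97.34% | 97% | 97.31% | |
| | | | Infiltration | 96.37% | 95.21% | 96.74% | 97% | 96.30% | |
| | | | Scanning | 97.71% | 96.12% | 96.24% | 97% | 96.30% | |
| | | | Web attack | 98.37% | 97.21% | 98.34% | 97% | 98.31% | |
| 2021 | Said et al. [32] | SVM | Rank attack | – | – | – | – | 93.4% | Own dataset |
| | | | Flooding attack | – | – | – | – | 60.8% | |
| | | | Version number modification attack | – | – | – | – | 91.6% | |
| 2022 | Saif et al. [38] | GA-DT | Normal | 100% | – | – | – | – | NSL-KDD |
| | | | DoS | 99.8% | – | – | – | – | |
| | | | U2R | 86.40% | – | – | – | – | |
| | | | R2L | 95.38% | – | – | – | – | |
| | | | Probing | 96.96% | – | – | – | – | |
| 2021 | Iwendi et al. [37] | GA-RF | Normal | – | 98.80% | 98.90% | 98.80% | – | NSL-KDD |
| | | | DoS | – | 99.60% | 99.60% | 99.60% | – | |
| | | | Probing | – | 98.70% | 98.90% | 98.80% | – | |
| | | | R2L | – | 86.50% | 85.30% | 85.90% | – | |
| | | | U2R | – | 64.30% | 32.10% | 42.90% | – | |
| 2022 | Basharat et al. [43] | Adaboost | Normal | 95.32% (average) | 100% | 100% | 100% | – | UNSW-NB15 |
| | | | Reconnaissance | | 56.7% | 42.4% | 48.5% | – | |
| | | | Backdoor | | 0% | 0% | 0% | – | |
| | | | DoS | | 43.8% | 53.8% | 48.3% | – | |
| | | | Exploits | | 65.4% | 65.1% | 65.3% | – | |
| | | | Analysis | | 0% | 50% | 0% | – | |
| | | | Fuzzers | | 51.8% | 71.1% | 59.9% | – | |
| | | | Worms | | 0% | 0% | 0% | – | |
| | | | Shellcode | | 0% | 30% | 0% | – | |
| | | | Generic | | 99.2% | 96.3% | 97.7% | – | |
| 2022 | Zubair et al. [57] | MLP | BLE-based Normal | 96.8% | 95.8% | 88.32% | 91.7% | – | BlueTack |
| | | | BLE-based DoS | 96.86% | 95% | 98% | 92% | – | |
| | | | BLE-based MitM | 88.23% | 87.23% | 65.78% | 75% | – | |
| 2022 | Ghourabi et al. [42] | LightGBM | Normal | – | 81% | 100% | 89% | – | Edge-IIoT |
| | | | DDoS-UDP | – | 100% | 100% | 100% | – | |
| | | | DDoS-ICMP | – | 100% | 100% | 100% | – | |
| | | | DDoS-HTTP | – | 82% | 73% | 77% | – | |
| | | | DDoS-TCP | – | 100% | 100% | 100% | – | |
| | | | Ransomware | – | 90% | 90% | 90% | – | |
| | | | SQL Injection | – | 83% | 76% | 80% | – | |
| | | | Uploading | – | 90% | 71% | 80% | – | |
| | | | Backdoor | – | 96% | 91% | 94% | – | |
| | | | Vulnerability | – | 99% | 98% | 98% | – | |
| | | | Scanning | – | 91% | 92% | 91% | – | |
| | | | XSS | – | 98% | 99% | 98% | – | |
| | | | Password | – | 86% | 78% | 82% | – | |
| | | | MitM | – | 100% | 100% | 100% | – | |
| | | | Fingerprinting | – | 87% | 58% | 70% | – | |
| | | | Average | – | 92% | 88% | 89% | – | |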

12.3.1. Customized IoMT datasets


Fig. 13 shows the frequency of use of each dataset employed in the reviewed literature. This analysis revealed that the NSL-KDD
and ToN-IoT datasets were the most commonly used, while only ten articles conducted experiments on IoMT datasets. A brief
overview of these studies [26,31,32,40,44,47–49,51,52] will be provided, including the custom data they developed, the testbed
they simulated, and their rationale for generating their own data.
Newaz et al. [52] gathered data from various smart medical devices in a specific Smart Healthcare System. They aimed to identify
malicious activities by considering the interconnectivity of body functions. This interconnectivity scenario involved monitoring the
activities of both typical users and medical devices affected by diseases.


Fig. 11. Classification of datasets according to the nature of the generated data.

Fang et al. [51] focused on identifying illegal activities in medical IoT devices using Bluetooth Low Energy (BLE) and WiFi
protocols. They used twenty-one medical IoT devices and a programmed Raspberry Pi3 as a WiFi access point to simulate benign
network traffic and abnormal behavior, including replay attacks, shoulder-surfing attacks, and malware attacks.
Thamilarasu et al. [26] considered securing implantable and wireless wearable devices commonly used in WBAN. Using the
Castalia-3.2 tool, they created a simulated hospital network testbed. The simulation emulated wireless sensing devices that employed
either the 802.15.6 WBAN standard or Zigbee protocol, and also emulated connected medical devices using the DICOM network
protocol, such as ultrasound scanners.
Newaz et al. [49] focused on personal medical device protection for Modern Smart Health Systems. They performed their
evaluations with data collected from eight Personal Medical Devices (PMDs) in a lab environment. They also simulated malicious
activities by performing MitM attacks, replay attacks, false data injection attacks, and DoS attacks.
Said et al. [32] implemented a prototype to test their proposed architecture for event-based and network-based anomaly detection
in Smart Hospitals. For event-based anomaly detection, the prototype used a TI SensorTag CC2650 to detect physical parameters,
including humidity and body pressure. For network-based anomalies, they used a programming tool called Node-RED to simulate
rank attacks, Version Number Modification attacks, and flooding attacks.


Fig. 12. Overview of the testbed design for each IoMT dataset.

Fig. 13. Frequency of use of datasets in the reviewed literature.

Kumar et al. [47] performed the entire experiment in a Matlab environment to simulate a configuration of nodes. This
configuration emulated an advanced healthcare system comprising medical sensor devices, including wireless, implantables, and
wearables.
Gupta et al. [44] employed the BoT-IoT and UNSW-NB15 datasets along with data collected from various IoMT devices, such as
pulse oximeters, body temperature, and galvanic skin response sensors. They evaluated the proposed detection model for advanced
Smart Healthcare architectures, which is divided into four interconnected domains: the visualization domain, the core cloud domain,
the Edge-Cloud domain, and the sensor-actuator domain.
Other studies collected their data to detect specific attacks. For instance, one work simulated IoT-routing protocol-based attacks
using the open-source Contiki-Cooja simulator [48]; another study simulated IEC 60870-5-104 protocol-based attacks using virtual
machines (VMs) with IEC-TestServer and Qtester104 to represent the field devices and human-machine interface, respectively.


Table 17
IoMT datasets.
| Dataset | Ecosystem | Application | Type of devices |
|---|---|---|---|
| ICE | In-Clinic | Workflow | Not available. |
| Wustl-EHMS | On-body | Patient monitoring and medical diagnosis. | Patient monitoring sensors: Electrocardiogram, Oxygen saturation, Temperature and Blood pressure. |
| IoT Healthcare Security | In-Hospital and In-Clinic | Patient monitoring, patient environment monitoring and medical diagnosis. | Patient monitoring sensors: Remote ECG, Infusion Pump, Pulsoximeter, Nasal or Mouth airflow, Blood pressure monitor, Glucometer, Body Temperature, Electromyography sensor, and Galvanic Skin Response sensor. Environment monitoring sensors: Humidity, Temperature, Carbon monoxide, Fire, Smoke, Barometer, and Solar radiation sensor. |
| Ecu-IoHT | On-body | Patient monitoring and medical diagnosis. | Patient monitoring sensors: Temperature, Blood pressure and Heart Rate. |
| BlueTack | On-body |  | Patient monitoring sensors: Electrocardiogram, Heart rate and Oxygen saturation sensor. |

They also used three VMs equipped with Ettercap, OpenMUC j60870, and Metasploit to simulate the cyberattacks [40]. Finally,
Modbus/TCP protocol-based attacks were detected in [31].
Several studies contribute to enhancing the security of Smart Healthcare systems by collecting IoMT-based data in different
scenarios, including advanced healthcare systems, different types of IoMT architecture, smart medical devices using specific network
protocols and connectivity, among others.

13. Legal and ethical matters of IoMT

With the advancement of new IoMT technologies, more efficient and complete healthcare resources are available to patients
and users. Different variables and measures can be automatically monitored, and more efficient treatments can be applied. So far,
disease diagnostics, medical treatments, and the utilization of medical data are commonly based on human decisions. However, new
challenges and threats have arisen with the emergence of Artificial Intelligence.
Using AI in Smart Healthcare has brought advantages. However, new legal and ethical risks in these environments are imminent
due to the importance of the privacy of patients’ medical data. Therefore, new laws and specifications for IoMT are required. There
should be more literature on the legal and ethical matters of IoMT. However, some works analyze and describe different proposals
related to these aspects [77–79].
Legal elements are needed to increase security levels and involve all IoMT devices. For example, in the case of privacy and security
violation, security laws should be proposed to include wearables and medical devices to meet different security standards and
requirements [77]. Also, laws to ensure the correct use of information for health companies and manufacturers could be established.
Different organizations in the USA, such as the National Institute of Standards and Technology (NIST), the Federal Drug
Administration (FDA), and the Health Insurance Portability and Accountability Act (HIPAA), have proposed some standards and
requirements for different IoMT devices. However, different sectors, including government, industry, institutions, and organizations,
should establish governance mechanisms, standards, recommendations, and laws to regulate the security of IoMT devices.
Regarding ethical aspects, some works show that culture can impact this area [80]. Moreover, some works have proposed methods
to implement moral, legal, and ethical policies related to the IoMT. For example, in [81], authors proposed a method based on a
set of variables and related tables to express the relationship between ethical requirements, context, and manners. Based on the
literature, it has been found that there are some challenges, such as reducing the lack of provider responsibility, since, unlike


large companies, small companies need to invest more resources to increase the security of IoMT devices. Also, new standards and
laws are needed to avoid cybercrime and attacks on IoMT devices and networks. Other challenges are security recommendations,
transparency, solidarity, and human dignity [82].

14. Discussion, challenges, and future research directions

The findings have significant implications for developing and implementing effective security solutions for IoMT systems. To
enhance the performance of intrusion detection approaches in these environments, several challenges and future directions should
be explored. These include:

• Lightweight intrusion detection models. Typically, traditional intrusion detection systems require a large number of resources
to operate effectively. As a result, there is a need for lightweight intrusion detection models that can run efficiently on resource-
constrained IoMT devices. Despite the presence of various proposed solutions, there is still a need to confront the following
challenges:

– To develop lightweight, computationally efficient ML/DL algorithms that require minimal resources to operate in real time
in critical IoMT applications.
– To consider the security and privacy concerns that stem from the vulnerability of ML/DL models themselves, such as
adversarial attacks. Securing the ML/DL models for protecting sensitive healthcare data is essential.
– To consider the network heterogeneity from the use of different communication protocols, hardware, and software
configurations across different IoMT devices for the development of compatible and effective intrusion detection solutions
with all IoMT-based complex devices.

• Alternative algorithms. Researchers can identify more effective algorithms for detecting advanced cyberattacks in IoMT
environments by exploring alternative algorithms based on artificial intelligence. The continuous exploration and evaluation
of new algorithms for IDS leads in the following directions:

– To improve detection performance, exploring unsupervised ML/DL algorithms that identify and analyze patterns based
on the inherent properties of the IoMT data without prior knowledge of normal and malicious activities is essential. In
addition, unsupervised models can reduce label dependency and, as a result, reduce the computational complexity of
IDS systems in IoMT.
– To incorporate self-learning into the IDS so that it continuously learns and adapts to new and sophisticated attacks and
variations in the IoMT data. This enhances detection efficiency and reduces false positive rates by decreasing the need for
manual updates and human maintenance of the system. Moreover, self-learning algorithms can prioritize and identify relevant
medical data, reducing the computational requirements of the IoMT systems.
– Hybrid-IDS models can help address the limitations of individual techniques. They can improve the detection performance
and efficiency, detect different types of attacks, secure different levels of the IoMT architecture, and leverage the
advantages of novel paradigms, such as SDN, NFV, and Cloud–Fog–Edge computing.

• Model performance. The IDS models proposed for IoMT environments have shown promising results, but these solutions
must also address the following challenges to improve the security of sensitive and critical
medical information:

– Exploring more complex and evolving cyberattacks is essential for ensuring the security of patients and medical data in
an increasingly interconnected world of medical devices. Ubiquitous IoMT-based devices are vulnerable to cyberattacks
that can cause significant health harm and data breaches.
– It is important to detect different types of attacks to improve the robustness of detection models and ensure that all
possible threats to Smart Healthcare organizations are detected. In addition, early detection of attacks targeting multiple
layers of the IoMT architecture is essential for taking appropriate action and preventing further damage.
– To incorporate suitable hyperparameter tuning mechanisms into IDS to improve model performance by optimizing its
parameters, enhance the adaptability of IDS to different environments, and increase the efficiency of ML/DL classifiers
by reducing false alarm rates.
– To support multi-class classification for accurately detecting and mitigating cyberattacks to protect sensitive data from
cyber-criminals. Hence, the IoMT industry will be capable of responding more effectively to security incidents.
– To include pre-processing steps to improve the efficiency of the IoMT-based detection systems, such as data cleaning
to remove irrelevant data or noise; data normalization for ensuring data consistency across different IoMT sensors and
environments; feature extraction and selection techniques to extract essential features and reduce the complexity of the
IoMT data.
– To consider the characteristics of novel IoMT networking technologies, including 5G, LPWA, NB-IoT, and LTE for the
development of compatible intrusion detection methods.

• IoMT datasets. Evaluating IDS performance using relevant datasets is crucial because it provides insight into the system’s
effectiveness in real IoMT environments. According to current research, possible directions are as follows:


Fig. 14. IoMT-based IDS challenges.

– To test the proposed methods with diverse datasets. These datasets should encompass different IoMT scenarios that
incorporate various types of medical devices, several security threats, heterogeneous communication networks and
protocols, and emerging networking technologies.
– To improve the quality of IoMT datasets by proposing new IoMT datasets that are well-balanced and representative of
different IoMT-based scenarios for a more accurate evaluation of IDS performance.
– To enhance the quantity of IoMT datasets by applying techniques that can address the problem of imbalanced datasets,
such as data augmentation. A balanced dataset can help reduce the negative impact of biased results from ML/DL models
of the IoMT-based IDS.

Figs. 14 and 15 illustrate the challenges and potential future research directions for improving the security of IoMT-based IDS,
respectively. Overall, IDS in IoMT will continue to be a fundamental security aspect to protect users of medical devices and sensitive
medical information.
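
The class-imbalance concern raised under "IoMT datasets", and the per-class results in the comparison table where some attack classes score 0% on every metric, both come down to how a multi-class IDS is scored. The following Python routine is an added example, not code from the article or the reviewed studies: it derives per-class precision, recall and F1, plus the false-alarm and missed-attack rates, from a confusion matrix. The class labels, the counts and all function names are constructed for illustration.

```python
"""Score a multi-class IDS from its confusion matrix (constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class ClassScore:
    label: str
    support: int                # true samples of this class
    precision: Optional[float]  # None if the class was never predicted
    recall: Optional[float]     # None if the class has no true samples
    f1: Optional[float]         # None only if TP = FP = FN = 0


def ratio(num: float, den: float) -> Optional[float]:
    """num/den, or None where the metric is undefined (zero denominator)."""
    return num / den if den else None


def score_classes(labels: Sequence[str],
                  matrix: Sequence[Sequence[int]]) -> List[ClassScore]:
    """matrix[i][j] counts samples of true class i predicted as class j."""
    n = len(labels)
    if len(matrix) != n or any(len(row) != n for row in matrix):
        raise ValueError("confusion matrix must be square and match labels")
    scores = []
    for k, label in enumerate(labels):
        tp = matrix[k][k]
        fn = sum(matrix[k]) - tp                        # missed samples of k
        fp = sum(matrix[i][k] for i in range(n)) - tp   # others labelled k
        scores.append(ClassScore(
            label=label,
            support=tp + fn,
            precision=ratio(tp, tp + fp),
            recall=ratio(tp, tp + fn),
            # F1 written as 2TP/(2TP+FP+FN) stays defined (0.0) for a class
            # that is never predicted, where precision itself is undefined.
            f1=ratio(2 * tp, 2 * tp + fp + fn),
        ))
    return scores


def summarize(labels: Sequence[str], matrix: Sequence[Sequence[int]],
              benign: str = "Normal",
              min_recall: float = 0.5) -> Dict[str, object]:
    """Overall and IDS-specific figures next to the per-class scores."""
    scores = score_classes(labels, matrix)
    n = len(labels)
    total = sum(sum(row) for row in matrix)
    b = list(labels).index(benign)
    benign_total = sum(matrix[b])
    attacks_as_benign = sum(matrix[i][b] for i in range(n) if i != b)
    f1_values = [s.f1 for s in scores if s.f1 is not None]
    return {
        "accuracy": ratio(sum(matrix[i][i] for i in range(n)), total),
        "macro_f1": ratio(sum(f1_values), len(f1_values)),
        # benign traffic flagged as any attack class
        "false_alarm_rate": ratio(benign_total - matrix[b][b], benign_total),
        # attack traffic of any class labelled benign
        "missed_attack_rate": ratio(attacks_as_benign, total - benign_total),
        # classes the model effectively does not detect
        "weak_classes": [s.label for s in scores
                         if s.recall is not None and s.recall < min_recall],
        "per_class": scores,
    }


# Constructed example: 10,000 flows, heavily skewed towards benign traffic.
# Rows are true classes, columns are predicted classes, in LABELS order.
LABELS = ["Normal", "DoS", "Backdoor", "Worms"]
MATRIX = [
    [8950, 50, 0, 0],   # Normal
    [60, 840, 0, 0],    # DoS
    [70, 10, 0, 0],     # Backdoor: never predicted
    [20, 0, 0, 0],      # Worms: never predicted
]


def pct(value: Optional[float]) -> str:
    return "n/a" if value is None else f"{value:.1%}"


if __name__ == "__main__":
    report = summarize(LABELS, MATRIX)
    for key in ("accuracy", "macro_f1", "false_alarm_rate",
                "missed_attack_rate"):
        print(f"{key:>20}: {pct(report[key])}")
    print(f"{'weak_classes':>20}: {report['weak_classes']}")
    for s in report["per_class"]:
        print(f"{s.label:>10} n={s.support:<5} P={pct(s.precision):>6} "
              f"R={pct(s.recall):>6} F1={pct(s.f1):>6}")
```

On the constructed matrix the overall accuracy is 97.9%, while Backdoor and Worms are never detected and 15% of attack samples are labelled Normal.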

15. Conclusion

This survey provides a comprehensive overview of the current state of intrusion detection models in Smart Healthcare. Anomaly-
based methods were found to be the most common approach due to their ability to detect unknown suspicious behavior with the
help of ML/DL algorithms. However, only some works integrated mitigation mechanisms into their systems, such as SDN and NFV
technologies. The reviewed literature revealed that the IDS that exclusively monitors network traffic is the most attractive due to the
resource-constrained IoMT devices. However, only some proposals considered hybrid-based models to secure IoMT-based devices
and networks from internal and external threats. Also, some of them took advantage of Cloud–Fog–Edge architectures. Additionally,
several authors generated their data to study the security of specific types of attacks, groups of medical devices, communication
protocols, and architecture of medical systems.
Moreover, we detected that the principal security threats of IoMT applications are DoS attacks, DDoS attacks, Ransomware
attacks and MitM attacks. Consequently, there is a need to ensure the availability, integrity, and confidentiality of IoMT systems.
Most attacks target the transport and network layer of IoMT architecture, and most datasets comprise attacks targeting a single
type of layer. However, there are a few exceptions, such as the CIC-IDS-2017, CIC-IDS-2018, and BoT-IoT datasets, which include
attacks aimed at the application, transport, and network layers. Furthermore, the IoT Healthcare Security dataset stands out as
the only one that considers attacks that utilize two of the most prevalent protocols in IoT, CoAP and MQTT. Along with this,
collaborative detection models based on Cloud–Fog–Edge architectures were effective in detecting the early stages of attacks and
achieving improvements in detection time, accuracy, and robustness.


Fig. 15. Future research directions for IoMT-based IDS.

Furthermore, the different types of Artificial Intelligence algorithms used in the reviewed literature include ML, DL, online
learning, and adaptive incremental classifiers. Most of these algorithms showed comparable performance in detecting anomalies
and integrating pre-processing techniques and feature selection mechanisms into the proposed models, resulting in enhanced attack
detection systems.
Finally, only a few studies have approached the problem of attack detection as a multi-class task, achieving comparable
performance in most cases to those that have treated the problem as a binary classification task. However, these studies did not
provide further analysis regarding false positive rates, training time, and detection times.
Overall, these findings suggest that integrating AI algorithms, Cloud–Fog–Edge paradigms, and novel technologies, such as SDN,
into IDS for IoMT devices is essential to secure the IoMT industry from novel and advanced cyberattacks.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared
to influence the work reported in this paper.

Data availability

No data was used for the research described in the article.

Acknowledgments

This work has been partially supported by grant under agreements Consejo Nacional de Humanidades Ciencia y Tecnología
(CONAHCYT) with CVU 1116589, and the CONAHCYT project 2017-01-7092.

References

[1] IEEE, Technology Predictions Report, Tech. Rep., IEEE Computer Society, 2023, URL https://www.computer.org/2023-top-technology-predictions.
[2] IBM, Medical Devices are Vital, but Vulnerable: Treat Infrastructure Risks to Safeguard Patient Care, Tech. Rep., International Business Machines Corporation, 2020, URL https://www.ibm.com/thought-leadership/institute-business-value/report/medical-device-security#.
[3] Z.B. Caldwell, The case for a security metric framework to rate cyber security effectiveness for Internet of Medical Things (IoMT), in: Women Securing the Future with TIPPSS for Connected Healthcare: Trust, Identity, Privacy, Protection, Safety, Security, Springer, 2022, pp. 63–81, URL https://link.springer.com/chapter/10.1007/978-3-030-93592-4_4.
[4] E. Kwarteng, M. Cebe, A survey on security issues in modern implantable Devices: Solutions and future issues, Smart Health 25 (2022) 100295, http://dx.doi.org/10.1016/j.smhl.2022.100295, URL https://www.sciencedirect.com/science/article/abs/pii/S2352648322000307.
[5] V. Malamas, F. Chantzis, T.K. Dasaklis, G. Stergiopoulos, P. Kotzanikolaou, C. Douligeris, Risk assessment methodologies for the Internet of Medical Things: A survey and comparative appraisal, IEEE Access 9 (2021) 40049–40075, http://dx.doi.org/10.1109/ACCESS.2021.3064682, URL https://ieeexplore.ieee.org/document/9373445.
[6] N.M. Thomasian, E.Y. Adashi, Cybersecurity in the Internet of Medical Things, Health Policy Technol. 10 (3) (2021) 100549, http://dx.doi.org/10.1016/j.hlpt.2021.100549, URL https://www.sciencedirect.com/science/article/abs/pii/S2211883721000721.
[7] J.-P.A. Yaacoub, M. Noura, H.N. Noura, O. Salman, E. Yaacoub, R. Couturier, A. Chehab, Securing Internet of Medical Things systems: Limitations, issues and recommendations, Future Gener. Comput. Syst. 105 (2020) 581–606, http://dx.doi.org/10.1016/j.future.2019.12.028, URL https://www.sciencedirect.com/science/article/abs/pii/S0167739X19305680.
[8] M.A. Tunc, E. Gures, I. Shayea, A survey on IoT smart healthcare: Emerging technologies, applications, challenges, and future trends, 2021, http://dx.doi.org/10.48550/arXiv.2109.02042, arXiv preprint arXiv:2109.02042.


[9] A.-W.S.D. Firm, The Ultimate List of Healthcare It Statistics, Tech. Rep., Arkenea Inc, 2023, URL https://arkenea.com/healthcare-statistics/.
[10] S. Tanwar, Fog Computing for Healthcare 4.0 Environments, Springer, 2021, http://dx.doi.org/10.1007/978-3-030-46197-3.
[11] Deloitte, Tech Trends 2022, Tech. Rep., Deloitte Touche Tohmatsu Limited, 2022, URL https://www2.deloitte.com/mx/es/pages/technology/articles/tech-trends-2022.html.
[12] IBM-Security, Cost of a Data Breach Report, Tech. Rep., International Business Machines Corporation, 2022, URL https://www.ibm.com/reports/data-breach.
[13] W. Maddox, Why medical data is 50 times more valuable than a credit card, 2019, URL https://www.dmagazine.com/healthcare-business/2019/10/why-medical-data-is-50-times-more-valuable-than-a-credit-card/.
[14] M. Elhoseny, N.N. Thilakarathne, M.I. Alghamdi, R.K. Mahendran, A.A. Gardezi, H. Weerasinghe, A. Welhenge, Security and privacy issues in Medical Internet of Things: Overview, countermeasures, challenges and future directions, Sustainability 13 (21) (2021) 11645, http://dx.doi.org/10.3390/su132111645, URL https://www.mdpi.com/2071-1050/13/21/11645.
[15] Y. Rbah, M. Mahfoudi, Y. Balboul, M. Fattah, S. Mazer, M. Elbekkali, B. Bernoussi, Machine learning and deep learning methods for intrusion detection systems in IoMT: A survey, in: 2022 2nd International Conference on Innovative Research in Applied Science, Engineering and Technology, IRASET, IEEE, 2022, pp. 1–9, http://dx.doi.org/10.1109/IRASET52964.2022.9738218, URL https://ieeexplore.ieee.org/document/9738218.
[16] A. Si-Ahmed, M.A. Al-Garadi, N. Boustia, Survey of machine learning based intrusion detection methods for Internet of Medical Things, 2022, http://dx.doi.org/10.48550/arXiv.2202.09657, arXiv preprint arXiv:2202.09657.
[17] R.U. Rasool, H.F. Ahmad, W. Rafique, A. Qayyum, J. Qadir, Security and privacy of Internet of Medical Things: A contemporary review in the age of surveillance, botnets, and adversarial ML, J. Netw. Comput. Appl. 201 (2022) 103332, http://dx.doi.org/10.1016/j.jnca.2022.103332, URL https://www.sciencedirect.com/science/article/abs/pii/S1084804522000017.
[18] F. Hussain, S.G. Abbas, G.A. Shah, I.M. Pires, U.U. Fayyaz, F. Shahzad, N.M. Garcia, E. Zdravevski, A framework for malicious traffic detection in IoT healthcare environment, Sensors 21 (9) (2021) 3025, http://dx.doi.org/10.3390/s21093025, URL https://www.mdpi.com/1424-8220/21/9/3025.
[19] A.A. Hady, A. Ghubaish, T. Salman, D. Unal, R. Jain, Intrusion detection system for healthcare systems using medical and network data: A comparison study, IEEE Access 8 (2020) 106576–106584, http://dx.doi.org/10.1109/ACCESS.2020.3000421, URL https://ieeexplore.ieee.org/document/9109651.
[20] T. Salman, A. Ghubaish, D. Unal, R. Jain, Safety score as an evaluation metric for machine learning models of security applications, IEEE Netw. Lett. 2 (4) (2020) 207–211, http://dx.doi.org/10.1109/LNET.2020.3016583, URL https://ieeexplore.ieee.org/document/9167254.
[21] K. Gupta, D.K. Sharma, K.D. Gupta, A. Kumar, A tree classifier based network intrusion detection model for Internet of Medical Things, Comput. Electr. Eng. 102 (2022) 108158, http://dx.doi.org/10.1016/j.compelenceg.2022.108158, URL https://www.sciencedirect.com/science/article/abs/pii/S0045790622004049.
[22] M. Ahmed, S. Byreddy, A. Nutakki, L.F. Sikos, P. Haskell-Dowland, ECU-IoHT: A dataset for analyzing cyberattacks in Internet of Health Things, Ad Hoc Netw. 122 (2021) 102621, doi:10.106/j.adhoc.2021.102621, URL https://www.sciencedirect.com/science/article/abs/pii/S1570870521001475.
[23] L. Fernandez Maimo, A. Huertas Celdran, A.L. Perales Gomez, F.J. Garcia Clemente, J. Weimer, I. Lee, Intelligent and dynamic ransomware spread detection and mitigation in integrated clinical environments, Sensors 19 (5) (2019) 1114, http://dx.doi.org/10.3390/s19051114, URL https://www.mdpi.com/1424-8220/19/5/1114.
[24] C. Thapa, K.K. Karmakar, A.H. Celdran, S. Camtepe, V. Varadharajan, S. Nepal, FedDICE: A ransomware spread detection in a distributed integrated clinical environment using federated learning and SDN based mitigation, in: International Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness, Springer, 2021, pp. 3–24, http://dx.doi.org/10.1007/978-3-030-91424-0_1, URL https://link.springer.com/chapter/10.1007/978-3-030-91424-0_1.
[25] S.P. RM, P.K.R. Maddikunta, M. Parimala, S. Koppu, T.R. Gadekallu, C.L. Chowdhary, M. Alazab, An effective feature engineering for DNN using hybrid PCA-GWO for intrusion detection in IoMT architecture, Comput. Commun. 160 (2020) 139–149, http://dx.doi.org/10.1016/j.comcom.2020.05048, URL https://www.sciencedirect.com/science/article/abs/pii/S014036642030298X.
[26] G. Thamilarasu, A. Odesile, A. Hoang, An intrusion detection system for Internet of Medical Things, IEEE Access 8 (2020) 181560–181576, http://dx.doi.org/10.1109/ACCESS.2020.3026260, URL https://ieeexplore.ieee.org/document/9204697.
[27] S. Manimurugan, S. Al-Mutairi, M.M. Aborokbah, N. Chilamkurti, S. Ganesan, R. Patan, Effective attack detection in Internet of Medical Things smart environment using a deep belief neural network, IEEE Access 8 (2020) 77396–77404, http://dx.doi.org/10.1109/ACCESS.2020.2986013, URL https://ieeexplore.ieee.org/document/9057709.
[28] G. Zachos, I. Essop, G. Mantas, K. Porfyrakis, J.C. Ribeiro, J. Rodriguez, An anomaly-based intrusion detection system for Internet of Medical Things networks, Electronics 10 (21) (2021) 2562, http://dx.doi.org/10.3390/electronics10212562, URL https://www.mdpi.com/2079-9292/10/21/2562.
[29] P. Kumar, G.P. Gupta, R. Tripathi, An ensemble learning and fog-cloud architecture-driven cyber-attack detection framework for IoMT networks, Comput. Commun. 166 (2021) 110–124, http://dx.doi.org/10.1016/j.comcom.2020.12.003, URL https://www.sciencedirect.com/science/article/abs/pii/S0140366420320090.
[30] S. Khan, A. Akhunzada, A hybrid DL-driven intelligent SDN-enabled malware detection framework for Internet of Medical Things (IoMT), Comput. Commun. 170 (2021) 209–216, http://dx.doi.org/10.1016/j.comcom.2021.01.013, URL https://www.sciencedirect.com/science/article/abs/pii/S0140366421000347.
[31] P. Radoglou-Grammatikis, P. Sarigiannidis, G. Efstathopoulos, T. Lagkas, G. Fragulis, A. Sarigiannidis, A self-learning approach for detecting intrusions in healthcare systems, in: ICC 2021-IEEE International Conference on Communications, IEEE, 2021, pp. 1–6, http://dx.doi.org/10.1109/ICC42927.2021.9500354, URL https://ieeexplore.ieee.org/document/9500354.
[32] A.M. Said, A. Yahyaoui, T. Abdellatif, Efficient anomaly detection for smart hospital IoT systems, Sensors 21 (4) (2021) 1026, http://dx.doi.org/10.3390/s21041026, URL https://www.mdpi.com/1424-8220/21/4/1026.
[33] Y.K. Saheed, M.O. Arowolo, Efficient cyber attack detection on the Internet of Medical Things-smart environment based on deep recurrent neural network and machine learning algorithms, IEEE Access 9 (2021) 161546–161554, http://dx.doi.org/10.1109/ACCESS.2021.3128837, URL https://ieeexplore.ieee.org/document/9617609.
[34] Y. Li, S.-m. Ghoreishi, A. Issakhov, Improving the accuracy of network intrusion detection system in Medical IoT Systems through butterfly optimization algorithm, Wirel. Pers. Commun. 126 (3) (2022) 1999–2017, http://dx.doi.org/10.1007/s11277-021-08756-x, URL https://link.springer.com/article/10.1007/s11277-021-08756-x.
[35] A. Subasi, S. Algebsani, W. Alghamdi, E. Kremic, J. Almaasrani, N. Abdulaziz, Intrusion detection in smart healthcare using bagging ensemble classifier, in: International Conference on Medical and Biological Engineering, Springer, 2021, pp. 164–171, http://dx.doi.org/10.1007/978-3-030-73909-6_18, URL https://link.springer.com/chapter/10.1007/978-3-030-73909-6_18.
[36] S.S. Hameed, A. Selamat, L. Abdul Latiff, S.A. Razak, O. Krejcar, H. Fujita, M.N. Ahmad Sharif, S. Omatu, A hybrid lightweight system for early attack detection in the IoMT fog, Sensors 21 (24) (2021) 8289, http://dx.doi.org/10.3390/s21248289, URL https://www.mdpi.com/1424-8220/21/24/8289.
[37] C. Iwendi, J.H. Anajemba, C. Biamba, D. Ngabo, Security of things intrusion detection system for smart healthcare, Electronics 10 (12) (2021) 1375, http://dx.doi.org/10.3390/electronics10121375, URL https://www.mdpi.com/2079-9292/10/12/1375.
[38] S. Saif, P. Das, S. Biswas, M. Khari, V. Shanmuganathan, HIIDS: Hybrid intelligent intrusion detection system empowered with machine learning and metaheuristic algorithms for application in IoT based healthcare, Microprocess. Microsyst. (2022) 104622, http://dx.doi.org/10.1016/j.micpro.2022.104622, URL https://www.sciencedirect.com/science/article/abs/pii/S0141933122001594.
[39] A. Binbusayyis, H. Alaskar, T. Vaiyapuri, M. Dinesh, An investigation and comparison of machine learning approaches for intrusion detection in IoMT network, J. Supercomput. 78 (15) (2022) 17403–17422, http://dx.doi.org/10.1007/s11227-022-04568-3, URL https://link.springer.com/article/10.1007/s11227-022-04568-3.


[40] P. Radoglou-Grammatikis, K. Rompolos, P. Sarigiannidis, V. Argyriou, T. Lagkas, A. Sarigiannidis, S. Goudos, S. Wan, Modeling, detecting, and mitigating threats against industrial healthcare systems: A combined software defined networking and reinforcement learning approach, IEEE Trans. Ind. Inform. 18 (3) (2021) 2041–2052, http://dx.doi.org/10.1109/TII.2021.3093905, URL https://ieeexplore.ieee.org/document/9470933.
[41] S. Nandy, M. Adhikari, M.A. Khan, V.G. Menon, S. Verma, An intrusion detection mechanism for secured IoMT framework based on swarm-neural network, IEEE J. Biomed. Health Inf. 26 (5) (2021) 1969–1976, http://dx.doi.org/10.1109/JBHI.2021.3101686, URL https://ieeexplore.ieee.org/document/9508880.
[42] A. Ghourabi, A security model based on LightGBM and transformer to protect healthcare systems from cyberattacks, IEEE Access 10 (2022) 48890–48903, http://dx.doi.org/10.1109/ACCESS.2022.3172432, URL https://ieeexplore.ieee.org/document/9767819.
[43] A. Basharat, M.M.B. Mohamad, A. Khan, Machine learning techniques for intrusion detection in smart healthcare systems: A comparative analysis, in: 2022 4th International Conference on Smart Sensors and Application, ICSSA, IEEE, 2022, pp. 29–33, http://dx.doi.org/10.1109/ICSSA54161.2022.9870973, URL https://ieeexplore.ieee.org/document/9870973.
[44] L. Gupta, T. Salman, A. Ghubaish, D. Unal, A.K. Al-Ali, R. Jain, Cybersecurity of multi-cloud healthcare systems: A hierarchical deep learning approach, Appl. Soft Comput. 118 (2022) 108439, http://dx.doi.org/10.1016/j.asoc.2022.108439, URL https://www.sciencedirect.com/science/article/abs/pii/S1568494622000175.
[45] S.A. Wagan, J. Koo, I.F. Siddiqui, N.M.F. Qureshi, M. Attique, D.R. Shin, A fuzzy-based duo-secure multi-modal framework for IoMT anomaly detection, J. King Saud Univ.-Comput. Inf. Sci. 35 (1) 131–144.
[46] I.A. Khan, N. Moustafa, I. Razzak, M. Tanveer, D. Pi, Y. Pan, B.S. Ali, XSRU-IoMT: Explainable simple recurrent units for threat detection in Internet of Medical Things networks, Future Gener. Comput. Syst. 127 (2022) 181–193, http://dx.doi.org/10.1016/j.future.2021.09010, URL https://www.sciencedirect.com/science/article/abs/pii/S0167739X21003563.
[47] C.V. Kumar, et al., A real time health care cyber attack detection using ensemble classifier, Comput. Electr. Eng. 101 (2022) 108043, doi:j.compeleceng.2022.108043, URL https://www.sciencedirect.com/science/article/abs/pii/S0045790622003044.
[48] S.O.M. Kamel, S.A. Elhamayed, Mitigating the impact of IoT routing attacks on power consumption in IoT healthcare environment using convolutional neural network, Int. J. Comput. Netw. Inf. Secur. 12 (4) (2020) 11–29, http://dx.doi.org/10.5815/ijcnis.2020.04.02.
[49] A.I. Newaz, A.K. Sikder, L. Babun, A.S. Uluagac, Heka: A novel intrusion detection system for attacks to personal medical devices, in: 2020 IEEE Conference on Communications and Network Security, CNS, IEEE, 2020, pp. 1–9, http://dx.doi.org/10.1109/CNS48642.2020.9162311, URL https:
//ieeexplore.ieee.org/document/9162311.
[50] W. Yao, K. Zhang, C. Yu, H. Zhao, Exploiting ensemble learning for edge-assisted anomaly detection scheme in e-healthcare system, in: 2021 IEEE Global
Communications Conference, GLOBECOM, IEEE, 2021, pp. 1–7, http://dx.doi.org/10.1109/GLOBECOM46510.2021.9685745, URL https://ieeexplore.ieee.
org/document/9685745.
[51] L. Fang, Y. Li, Z. Liu, C. Yin, M. Li, Z.J. Cao, A practical model based on anomaly detection for protecting medical IoT control services against external
attacks, IEEE Trans. Ind. Inform. 17 (6) (2020) 4260–4269, http://dx.doi.org/10.1109/TII.2020.3011444, URL https://ieeexplore.ieee.org/document/
9146676.
[52] A.I. Newaz, A.K. Sikder, M.A. Rahman, A.S. Uluagac, Healthguard: A machine learning-based security framework for smart healthcare systems, in: 2019
Sixth International Conference on Social Networks Analysis, Management and Security, SNAMS, IEEE, 2019, pp. 389–396, http://dx.doi.org/10.1109/
SNAMS.2019.8931716, URL https://ieeexplore.ieee.org/document/8931716.
[53] T. Saba, Intrusion detection in smart city hospitals using ensemble classifiers, in: 2020 13th International Conference on Developments in ESystems
Engineering, DeSE, IEEE, 2020, pp. 418–422, http://dx.doi.org/10.1109/DeSE51703.2020.9450247, URL https://ieeexplore.ieee.org/document/9450247.
[54] M. Naveed, S.M. Usman, M.I. Satti, S. Aleshaiker, A. Anwar, Intrusion detection in smart IoT devices for people with disabilities, in: 2022 IEEE
International Smart Cities Conference, ISC2, IEEE, 2022, pp. 1–5, http://dx.doi.org/10.1109/ISC255366.2022.9921991, URL https://ieeexplore.ieee.org/
document/9921991.
[55] I. Alrashdi, A. Alqazzaz, R. Alharthi, E. Aloufi, M.A. Zohdy, H. Ming, FBAD: Fog-based attack detection for IoT healthcare in smart cities, in: 2019 IEEE
10th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference, UEMCON, IEEE, 2019, pp. 0515–0522, http://dx.doi.org/10.1109/
UEMCON47517.2019.8992963, URL https://ieeexplore.ieee.org/document/8992963.
[56] Y. Otoum, Y. Wan, A. Nayak, Federated transfer learning-based IDS for the Internet of Medical Things (IoMT), in: 2021 IEEE Globecom Workshops, GC
Wkshps, IEEE, 2021, pp. 1–6, http://dx.doi.org/10.1109/GCWkshps52748.2021.9682118, URL https://ieeexplore.ieee.org/document/9682118.
[57] M. Zubair, A. Ghubaish, D. Unal, A. Al-Ali, T. Reimann, G. Alinier, M. Hammoudeh, J. Qadir, Secure bluetooth communication in smart healthcare
systems: A novel community dataset and intrusion detection system, Sensors 22 (21) (2022) 8280, http://dx.doi.org/10.3390/s22218280, URL https:
//www.mdpi.com/1424-8220/22/21/8280.
[58] M. Mamdouh, A.I. Awad, A.A. Khalaf, H.F. Hamed, Authentication and identity management of IoHT devices: Achievements, challenges, and future
directions, Comput. Secur. 111 (2021) 102491, http://dx.doi.org/10.1016/j.cose.2021.102491, URL https://www.sciencedirect.com/science/article/pii/
S0167404821003151.
[59] S. Wireless, How to get IoT Connectivity Right in Medical Devices, Tech. Rep., Sierra Wireless: A Semtech Company, 2020, URL https://www.sierrawireless.
com/resources/white-paper/medical-device-connectivity/.
[60] P. Group, The ’Private’ in Private LTE: IoT Healthcare Networks and Data Security, Tech. Rep., Podsystem Limited, 2020, URL https://www.podgroup.
com/private-lte/.
[61] S. Wireless, 5G Unlocking the Potential of Telemedicine With the IoT, Tech. Rep., Sierra Wireless: A Semtech Company, 2020, URL https://www.
sierrawireless.com/resources/ebook/5g-telemedicine-iot/.
[62] GSMA, Mobile IoT in the 5G future, Tech. Rep., Global System for Mobile Communications Association, 2018, URL https://www.gsma.com/iot/resources/
mobile-iot-5g-future/.
[63] E.M. Ar-Reyouchi, K. Ghoumid, D. Ar-Reyouchi, S. Rattal, R. Yahiaoui, O. Elmazria, Protocol wireless medical sensor networks in IoT for the efficiency of
healthcare, IEEE Internet Things J. 9 (13) (2021) 10693–10704, http://dx.doi.org/10.1109/JIOT.2021.3125886, URL https://ieeexplore.ieee.org/document/
9606206.
[64] Medical Device Network, Cybersecurity in medical: Changing Threats, 2021, URL https://www.medicaldevice-network.com/comment/cybersecurity-
medical-changing-threats/.
[65] HealthcareInnovation, Hacktivist group responsible for attacks on U.S. hospitals, 2023, URL https://www.hcinnovationgroup.com/cybersecurity/news/
21294198/hacktivist-group-responsible-for-attacks-on-us-hospitals.
[66] HealthcareITNews, Boston Children’s Hospital was target of cyberattack thwarted by FBI, 2022, URL https://www.healthcareitnews.com/news/boston-
childrens-hospital-was-target-cyberattack-thwarted-fbi.
[67] T. Trippel, O. Weisse, W. Xu, P. Honeyman, K. Fu, WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection
attacks, in: 2017 IEEE European Symposium on Security and Privacy, EuroS&P, IEEE, 2017, pp. 3–18, http://dx.doi.org/10.1109/EuroSP.2017.42, URL
https://ieeexplore.ieee.org/document/7961948.
[68] Y. Park, Y. Son, H. Shin, D. Kim, Y. Kim, This ain’t your dose: Sensor spoofing attack on medical infusion pump, in: 10th USENIX Workshop on Offensive
Technologies, USENIX, 2016, URL https://www.usenix.org/conference/woot16/workshop-program/presentation/park.
[69] CNN, ‘Lock it down and piss people off’: How quick thinking stopped a ransomware attack from crippling a Florida hospital, 2022, URL https:
//edition.cnn.com/2022/01/16/politics/florida-hospital-ransomware/index.html.

32
M.L. Hernandez-Jaimes et al. Internet of Things 23 (2023) 100887

[70] CNN, Hundreds of health care facilities were hit by ransomware last year amid pandemic, 2020, URL https://edition.cnn.com/2021/01/19/tech/
ransomware-2020-review/index.html.
[71] CNN, In the last 10 months, 140 local governments, police stations and hospitals have been held hostage by ransomware attacks, 2019, URL
https://edition.cnn.com/2019/10/08/business/ransomware-attacks-trnd/index.html.
[72] J.M. Ehrenfeld, Wannacry, cybersecurity and health information technology: A time to act, J. Med. Syst. 41 (2017) 1, http://dx.doi.org/10.1007/s10916-
017-0752-1, URL https://link.springer.com/article/10.1007/s10916-017-0752-1.
[73] CNN, Hackers accessed data on 270,000 patients from Louisiana hospital system in attempted ransomware attack, 2022, URL https://edition.cnn.com/
2022/12/28/politics/hackers-access-data-louisiana-hospital-system-ransomware/index.html.
[74] S.S. Bhuyan, U.Y. Kabir, J.M. Escareno, K. Ector, S. Palakodeti, D. Wyant, S. Kumar, M. Levy, S. Kedia, D. Dasgupta, A. Dobalian, Transforming healthcare
cybersecurity from reactive to proactive: Current status and future recommendations, J. Med. Syst. 44 (2020) 1–9, http://dx.doi.org/10.1007/s10916-019-
1507-y.
[75] National Cyber Security Center, Cyber warning issued for key healthcare organisations in UK and USA, 2020, URL https://www.ncsc.gov.uk/news/warning-
issued-uk-usa-healthcare-organisations.
[76] Y. Rbah, M. Mahfoudi, Y. Balboul, M. Fattah, S. Mazer, M. Elbekkali, B. Bernoussi, Machine learning and deep learning methods for intrusion detection
systems in IoMT: A survey, in: 2022 2nd International Conference on Innovative Research in Applied Science, Engineering and Technology, IRASET, IEEE,
2022, pp. 1–9, http://dx.doi.org/10.1109/IRASET52964.2022.9738218, URL https://ieeexplore.ieee.org/document/9738218.
[77] W. Osei-Bonsu, A. Stein, M. Boswell, The current ethical and regulatory status of the Internet of Medical Things (IoMT) and the need of a new IoMT law,
J. Healthc. Ethics Administration 4 (2) (2018) 32–38, http://dx.doi.org/10.22461/jhea.6.7162.
[78] B. Mittelstadt, Ethics of the health-related Internet of Things: A narrative review, Ethics Inf. Technol. 19 (3) (2017) 157–175, http://dx.doi.org/10.1007/
s10676-017-9426-4, URL https://link.springer.com/article/10.1007/s10676-017-9426-4.
[79] N. Naik, B. Hameed, D.K. Shetty, D. Swain, M. Shah, R. Paul, K. Aggarwal, S. Ibrahim, V. Patil, K. Smriti, S. Shetty, B.P. Rai, P. Chlosta, B.K. Somani,
Legal and ethical consideration in artificial intelligence in healthcare: Who takes responsibility? Front. Surg. 9 (2022) 266, http://dx.doi.org/10.3389/
fsurg.2022.862322.
[80] W.Z. Khan, M. Zahid, M.Y. Aalsalem, H.M. Zangoti, Q. Arshad, Ethical aspects of Internet of Things from Islamic perspective, in: 2017 9th IEEE-GCC
Conference and Exhibition, GCCCE, IEEE, 2017, pp. 1–4, http://dx.doi.org/10.1109/IEEEGCC.2017.8448105, URL https://ieeexplore.ieee.org/document/
8448105.
[81] S. Sholla, R. Naaz, M.A. Chishti, Incorporating ethics in Internet of Things (IoT) enabled connected smart healthcare, in: 2017 IEEE/ACM International
Conference on Connected Health: Applications, Systems and Engineering Technologies, CHASE, IEEE, 2017, pp. 262–263, http://dx.doi.org/10.1109/CHASE.
2017.93, URL https://ieeexplore.ieee.org/document/8010648.
[82] E. Mbunge, S.G. Fashoto, B. Akinnuwesi, A. Metfula, S. Simelane, N. Ndumiso, Ethics for integrating emerging technologies to contain COVID-19 in
Zimbabwe, Hum. Behav. Emerg. Technol. 3 (5) (2021) 876–890, http://dx.doi.org/10.1002/hbe2.277, URL https://onlinelibrary.wiley.com/doi/pdf/10.
1002/hbe2.277.

33

You might also like