Security Analysis of the Internet of Medical Things (IoMT): Case Study of the Pacemaker Ecosystem.

During the pandemic, the Internet of Medical Things (IoMT) has played a key role in reducing unnecessary hospital visits and the burden on health care systems by providing home-based hospital services and ambulatory nursing services. As IoMT devices handle patient data and are connected over the Internet to the complex hospital Information and Communication Technology (ICT) infrastructure, their role in the transformation of healthcare services will introduce a range of new potential risks. Over the past years, several demonstrated attacks in the healthcare domain have indicated cyber security challenges for integrating IoMT devices. In this paper, we experimentally evaluate the potential risks that accompany the integration of a given IoMT device, here a connected pacemaker, from a hardware and network security perspective. We take a black box testing approach to the pacemaker ecosystem and find key shortcomings that enable several practical and low-cost attacks that impact a patient’s safety and privacy. In particular, we demonstrate the ability to gain control over the home monitoring device and to perform man-in-the-middle attacks. We find that it is possible to bypass hardware security protection mechanisms, to perform remote denial of service attacks, and other attacks. Lastly, we discuss the potential trade-offs in security protection choices and mitigation techniques.