Developer Driven Framework for Security and Privacy in the IoMT

Ceara Treacy, John Loane, Fergal McCaffery


The Internet of Medical Things (IoMT), is a fast growing domain as healthcare moves out of structured health services into care in the community. As a result, the sensitive personal and health data associated with the IoMT can potentially flow through a diversity of apps, systems, devices and technologies, public and open networks. This exposes data in the IoMT to additional attack surfaces, which requires the hardening of the security and privacy of the data. Accordingly, the data is bound by regulatory safety, security and privacy requirements. Applying the regulatory compliant requirements is a struggle for developers in small to medium enterprises due to lack of knowledge, experience and understanding. This paper proposes a framework to assist in meeting regulatory compliance for security and privacy of data in flow in the IoMT, directed at developers in small to medium enterprises. The framework considers both security and privacy properties for data in flow protection in the IoMT. This framework expands on the established threat modeling steps to consider both security and privacy. To mitigate the identified security and privacy threats, the framework includes a set of categorised technical security and privacy controls developed through medical device security standards. The originality of this framework is the inclusion of security and privacy requirements in the extension of the traditional threat modeling process, as well as the security and privacy controls embedded in the medical security standards.


Paper Citation