survey
Open access

A Comprehensive Review of the State-of-the-Art on Security and Privacy Issues in Healthcare

Published: 28 March 2023

Abstract

Currently, healthcare is a critical environment in our society, which attracts malicious activity and has suffered a significant number of damaging attacks. In parallel, recent advancements in technologies, computing systems, and wireless communications are changing the healthcare environment by adding both improvements and complexity to it. This article reviews the current state of the literature and provides a holistic view of cybersecurity in healthcare. With this purpose in mind, the article enumerates the main stakeholders and the architecture implemented in the healthcare environment, as well as the main security issues (threats, attacks, etc.) arising in healthcare. In this context, this work maps the collected threats to a widely used knowledge-based framework, MITRE ATT&CK, a contribution not seen so far. This article also enumerates the security mechanisms created to protect healthcare, identifies the principal research lines addressed in the literature, and lists the available public security-focused datasets used in machine learning to provide security in the medical domain. To conclude, the research challenges that need to be addressed by future research in this area are presented.

1 Introduction

Lately, the healthcare environment has been undergoing an evolution driven by the new technologies and advances incorporated into this field, mainly through the adoption of Internet of Things (IoT) [115], Big Data [135], and Blockchain [91] technologies. The introduction of these technologies is allowing healthcare to improve all its processes and achieve goals not addressed so far; e.g., a new technology called “Tactile Internet”, combined with 5G technology, can enable surgeons to perform surgeries on patients in remote locations [47]. At the same time, different types of sensors and technologies are being incorporated into this environment, such as implantable and wearable medical devices (IWMDs), the Internet of Medical Things (IoMT), wireless medical sensor networks (WMSNs), and body area networks (BANs), among others. Their growing penetration has improved the functionality and the capacity to supervise patient health, but at the same time it has greatly increased the complexity of this environment.
Because of this diversity, technological requirements become more complex in this scenario, and two dimensions become more important than ever: security and privacy. The requirements of these dimensions are increasingly complex and hamper the management and control of the new scenarios appearing in healthcare, owing to the information and technologies that coordinate these systems. Healthcare is one of the sectors most affected by security and privacy issues, with attacks such as electromagnetic interference against medical devices and sensor spoofing [108]. Indeed, news is published every day about cyber-attacks against hospitals [43, 122]: in the Southern California Hospital, the functioning of the hospital system was interrupted for days [122], and in an attack on two French hospitals, the “Ryuk” ransomware [110] forced the transfer of some patients to other facilities [43]. However, the medical sector tends to be reticent about reporting the types of attacks suffered (and their details).
If we focus on medical devices, IoT is the most widely adopted technology in this field. However, the IoT definition encompasses many families/types of devices, and it is not an appropriate term to identify the devices deployed in the healthcare environment. For this reason, IWMD and IoMT, deployed mainly in WMSN and BAN networks, are the subfamilies created to refer to the devices belonging to the medical field. In general, the adoption of IoT in the medical domain has produced new use cases, such as implanted glucose sensors with automatic insulin injection, and sensors that track how the symptoms of patients with Parkinson’s change throughout the day. Besides, IWMD/IoMT has incorporated new characteristics, such as remote monitoring and medical data accessibility. However, the use of IoT introduces some deficiencies in healthcare, such as integration issues with the ecosystem, risk of failure, and security/privacy issues [69]. The latter coincides with the characteristics discussed above: security and privacy in this scenario rely heavily on the technology used, which complicates the relations between devices, data, and operations. In the privacy domain specifically, the United States and the European Union have proposed the Healthcare Insurance Portability and Accountability Act (HIPAA) [55] and the General Data Protection Regulation (GDPR) [37], respectively, to manage and store personal data with privacy-preserving methods.
On the other hand, healthcare has another characteristic that further increases the difficulty of meeting the current requirements of this scenario: patient safety. This concern has gained importance over the years because of certain attacks, such as those against IWMDs (infusion pumps, pacemakers, etc.), which have the potential to cause negative effects and adverse outcomes for patients [26]. In this sense, several official regulations by different countries and continents, such as the Federal Drug Administration [150], the Medical Device Directive [39], the Medical Device Regulation [146], and the European Medicines Agency [38], have created a legal framework to categorize medical devices and operations into risk levels, allowing their classification. Therefore, protecting the healthcare environment is a top priority. To conclude this introduction, the purpose, contributions, and structure of this work are presented below.

1.1 Scope and Motivation

Our research work complements and improves on the work already performed in healthcare (presented in the many surveys discussed below), paying special attention to security and privacy issues, with the intention of providing a comprehensive knowledge base on security and privacy in healthcare for the researchers and professionals who are working, or will work, in this field.
Besides, there are other motivations for this review. First, the healthcare environment, which is key to people’s well-being, is one of the sectors most affected by malicious attacks. Therefore, research efforts are needed to improve and protect this critical scenario. Second, the existing literature mainly discusses the different threats and security mechanisms. However, the security and privacy requirements, together with the importance of patient safety, need to be enumerated and explained thoroughly. Third, there is a lack of research on the overall healthcare architecture that identifies the main stakeholders and the main components/technologies involved in the scenario. Fourth, the enumeration of datasets for artificial intelligence-based mechanisms has not been properly covered in the literature. Therefore, we decided to address it in this survey. Fifth, some research works present threat taxonomies identified in the healthcare environment, but we identify a lack of discussion of the formal alignment of such threats with a widely used threat framework, an alignment that promotes compatibility and interoperability with other related projects.

1.2 Contributions

Our contribution aims to provide a comprehensive review of the state of the art on security and privacy issues in healthcare, in terms of the technologies and stakeholders involved, the enumeration of threats and attacks, and the existing security mechanisms in this environment. To this end, we describe the overall healthcare architecture, its main stakeholders, and the components and technologies involved. We present the security, privacy, and safety requirements to be considered in the following steps of the research work, so that they can be correctly incorporated into future implementations in this scenario. We also identify the threats to this field and the possible security mechanisms that can be implemented in it. In this regard, we study the related work to find the strengths and limitations of the existing research, and we create a threat taxonomy aligned with a reference framework to provide scalability and compatibility with other related projects. Moreover, we discuss the existing security mechanisms, focusing on possible artificial intelligence techniques, and we enumerate and introduce the datasets available for working in this environment.

1.3 Methodology

To conduct this survey, a qualitative methodology is used to analyze and synthesize the existing reviews in the literature. We identified the main requirements, threats, attacks, objectives, challenges, and limitations belonging to the healthcare environment. The methodology was as follows: first, to collect the different works, the main scientific databases and publishers (Web of Science, Google Scholar, Scopus, PubMed, Elsevier, IEEE, ACM, arXiv, and Springer) were searched starting from 2010 (to get the latest information), using different keywords relevant to healthcare in each database and publisher; second, the articles of interest (works with relevant content, such as threats or security mechanisms in healthcare) were filtered; third, works with limited information were inspected and eliminated; and finally, all articles were classified into the different topics and sections included in this survey. The search is performed by forming groups of keywords and creating combinations between them. The first group contains Threats, Security, IoT/IoMT/IWMD, Attacks, Privacy, Protection, and Safety. The second group has the Healthcare, Medical, and Health keywords, and the third group is composed of Domain/Field, Devices, Architecture, Survey, Mechanisms, and Environment. Each search is composed of one keyword from each group, applying an OR function.

1.4 Organization and Reading Map

This article is organized as follows. Section 2 presents the healthcare ecosystem, stakeholders, and technologies used in this environment. Section 3 analyzes the related work. Section 4 shows the security, privacy, and safety requirements collected for the medical domain. Section 5 includes the threat classification, mapping the identified threats to a widely accepted framework, and the attack enumeration. Section 6 covers the existing security mechanisms and the collection of datasets for artificial intelligence methods. Section 7 provides a discussion of the challenges and future work, and finally, we conclude in Section 8.

2 Healthcare Ecosystem and Main Stakeholders

In this section, we present the overall healthcare scenario, providing a clear view of this environment. Given the increase in cyber-attacks focused on the healthcare environment, as well as the importance of this scenario to society, we highlight the need to improve the security of the technologies, communications, configurations, and so on, operating in such a scenario. In this regard, Fig. 1 presents the overall architecture, showing the different elements, technologies, and stakeholders that compose the healthcare ecosystem.
Fig. 1. Healthcare overall scenario.
Starting with stakeholders, Beinke et al. [15] proposed that the stakeholders in healthcare can be divided into three groups: Primary, Secondary, and Tertiary stakeholders. This classification stems from each stakeholder’s relation to the use and processing of Electronic Health Records (EHR), the patients’ complete treatment history. The primary group comprises the people, devices, and assets that are direct processors of EHRs, such as physicians, nurses, pharmacists, laboratories, and patients. In the second group, indirect factors are taken into account; for instance, if EHRs are corrupted or lost, legal elements such as insurances have an important role. Here, stakeholders like insurances, families, and healthcare employees (cleaners, maintenance staff, etc.) appear. Finally, the third group includes organizations and people that may have an impact on the healthcare environment, such as research institutes, public authorities, and the healthcare industry.
All these stakeholders interact in the healthcare ecosystem (Fig. 1) at different locations: patient body, IoMT edge network, and central healthcare infrastructure. Each location is defined by different characteristics, technologies, and stakeholders involved. Next, we describe, for each stakeholder, its role in the ecosystem.

2.1 Patient Body

The patient body incorporates Implanted and Wearable Medical Devices (IWMD), i.e., the implanted and wearable devices used to track physical wellness and monitor the patient’s health status. Here, the main stakeholder is the patient, since all available sensors are placed on the patient. These implanted and non-implanted devices have been classified by different official organizations, among them the Federal Drug Administration (FDA) as the US representative and the European Medicines Agency (EMA) as the EU one. The FDA groups devices into 19 specified medical specialties (Haematology, Chemistry, Dental, Radiology, etc.), registered in the FDA’s database of Manufacturer and User Facility Device Experiences (MAUDE) [12]. The EU, on the other hand, classifies devices by several characteristics, such as duration of use, implanted use, and the system where the device is installed. Aronson et al. [12] use these characteristics to create a device classification with three main categories: Site of application, Time scale to use, and Power source, which are related to the risk of harm that devices can cause. In Fig. 1, we enumerate some of the existing medical devices, implanted and non-implanted in the human body, such as the Blood Pressure sensor, Body Temperature sensor, and Accelerometer [112]. These devices provide telemetry on the patient (monitoring the patient’s health) by communicating with an external device, called a “Programmer” or “Reader”. Different standards regulate telemetry for medical devices [8]:
Wireless Medical Telemetry Services (WMTS) specification: standard defined by the Federal Communications Commission (FCC) in the US. This is a spectrum allocation and it is used only in US territory.
Medical Implant Communication System (MICS) specification: standard created for radio communications between implanted devices and programmers. Devices using MICS have a communication range of 2 meters and low bandwidth.
Medical Device Radiocommunications Service (MedRadio): standard approved by the FCC in 2009 and used for implanted and wearable devices. This specification can be used internationally and allows devices to transmit signals easily through the human body.
On the other hand, communication between wearable and implanted medical devices and the programmer/smartphone is performed with different technologies (wireless short-range and wired), mainly Zigbee, Bluetooth, Bluetooth Low Energy (BLE), IEEE 802.11, IEEE 802.11ah, and IEEE 802.3 [157].

2.2 IoMT Edge Network

The IoMT edge network (Fig. 1) comprises the technologies and devices located outside the patient body, in a nearby location. In this location, the patient is the main stakeholder, but other primary stakeholders appear, such as nurses and doctors, who can monitor and access patient data remotely or on-site. At device level, we find devices with programmer or reader capabilities (smartphones, edge servers, and smart home devices). The IWMD/programmer communication uses the technologies/protocols already discussed, and the main difference between the patient body and the IoMT edge network locations is the ability to collect and process patient information and the end results achieved. Thanks to this processing capability, different applications and functions can be created.
As an example, consider a cardiac health monitoring application, which may use an electrocardiograph sensor and a photoplethysmography sensor. This application needs a real-time response because an anomaly detected in the cardiograph can be fatal for the patient’s health. Therefore, the sensors must be connected to a gateway such as a smartphone, where the data are interpreted, processed, and transmitted in real time to the entities responsible for acting on the information produced by the sensors. Taking this example as a reference, data processing can follow two different approaches [127]:
Data fusion. Smart sensors read the raw sensory data and transmit this information to the gateway, where the decision is taken. In this case, the sensors act as data transmitters without intelligence.
Decision fusion. Smart sensors obtain the raw sensory data (voltage, light absorption, etc.) and process this information locally according to a criterion, such as abnormal heartbeat rate and glucose level.
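The two approaches above, as an added Python illustration that is not part of the original article. The R-R interval windows, the 40/120 bpm criterion, the JSON message shape and the gateway's plausibility bounds are all assumptions made for this example.

```python
import json
from statistics import mean

# Constructed sample input: windows of R-R intervals (ms) from a hypothetical
# ECG sensor. The last window is a constructed fast-heart-rate episode.
RR_WINDOWS_MS = [
    [810, 795, 805, 820, 800],
    [790, 800, 815, 805, 795],
    [410, 400, 395, 405, 390],
]

# Assumed criterion: the article only says "abnormal heartbeat rate".
LOW_BPM, HIGH_BPM = 40, 120
# Assumed plausibility bounds the gateway applies to raw samples.
RR_MIN_MS, RR_MAX_MS = 250, 2000


def heart_rate_bpm(rr_ms):
    """Mean heart rate over one window of R-R intervals."""
    return 60000 / mean(rr_ms)


def is_abnormal(bpm):
    return bpm < LOW_BPM or bpm > HIGH_BPM


def sensor_data_fusion(window):
    """Data fusion: the sensor is a plain transmitter and ships raw samples."""
    return json.dumps({"type": "raw", "rr_ms": window}).encode()


def sensor_decision_fusion(window):
    """Decision fusion: the sensor applies the criterion locally and ships
    only the resulting decision."""
    verdict = is_abnormal(heart_rate_bpm(window))
    return json.dumps({"type": "decision", "abnormal": verdict}).encode()


def gateway(message):
    """Gateway side: validate the message, then return True if an alert
    must be raised. Malformed or implausible input is rejected."""
    msg = json.loads(message)
    if not isinstance(msg, dict):
        raise ValueError("message must be a JSON object")
    kind = msg.get("type")
    if kind == "raw":
        samples = msg.get("rr_ms")
        if not isinstance(samples, list) or not samples:
            raise ValueError("raw message without samples")
        for s in samples:
            if isinstance(s, bool) or not isinstance(s, (int, float)):
                raise ValueError("non-numeric sample")
            if not RR_MIN_MS <= s <= RR_MAX_MS:
                raise ValueError("implausible R-R interval: %r" % s)
        # With raw data, the decision is taken here, at the gateway.
        return is_abnormal(heart_rate_bpm(samples))
    if kind == "decision":
        verdict = msg.get("abnormal")
        if not isinstance(verdict, bool):
            raise ValueError("decision message without boolean verdict")
        # The decision was already taken on the sensor; the gateway relays it.
        return verdict
    raise ValueError("unknown message type")


def run(sensor):
    """Send every window through the given sensor mode; return the alerts
    raised and the number of bytes that crossed the sensor-gateway link."""
    alerts, bytes_on_link = [], 0
    for window in RR_WINDOWS_MS:
        message = sensor(window)
        bytes_on_link += len(message)
        alerts.append(gateway(message))
    return alerts, bytes_on_link


if __name__ == "__main__":
    for name, sensor in (("data fusion", sensor_data_fusion),
                         ("decision fusion", sensor_decision_fusion)):
        alerts, size = run(sensor)
        print(name, "alerts:", alerts, "bytes on link:", size)
```

Both modes raise the same alert on the third window; what differs is where the criterion runs and whether raw physiological samples or only a verdict travel over the link to the gateway.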

2.3 Central Healthcare Infrastructure (CHI)

After data processing, the information is shared with the other location identified above: the central healthcare infrastructure. This communication is performed through wireless or wired communication (LTE, Fiber Optic).
In this CHI, we identify stakeholders belonging to all three groups, from primary to tertiary stakeholders. Primary stakeholders have complete access to the data obtained from the lower locations, and to much more information created in places like hospitals, the central facilities of the healthcare ecosystem. On the other hand, secondary and tertiary stakeholders produce changes, directly and indirectly, in the stored data, processes, and procedures inside healthcare. With all data available in the central healthcare infrastructure, primary stakeholders are responsible for processing it and acting accordingly, so as to provide optimal treatment and monitoring for patients.
The central healthcare domain includes the different technologies, regulations, and characteristics shown at the top left of Fig. 1, such as EHR [32], Cloud Computing, Policies (HIPAA, MDR, etc.) [55, 157], Healthcare Applications, Machine-Learning, Software Defined Networks (SDN), Telemedicine [115], Big Data, and Blockchain. These technologies provide intelligence or new characteristics to the healthcare scenario by managing and processing all patient-related information.

3 Related Work

The literature has covered the healthcare environment for years, especially in recent ones. Within this field, we analyse the main results and contributions of works covering security and privacy issues, aiming to identify the strengths of this research and to point out the limitations and the key aspects not contemplated so far.
In Table 1, we show these reviews and, for each work, we indicate: its publication year, the approach followed (MD-focused or Infrastructure-focused), whether it covers different key security aspects in healthcare (requirements, architecture, attacks, and mechanisms), whether it presents a threat taxonomy or uses a threat modelling framework (STRIDE [98] or MITRE ATT&CK [147]), and whether it deals with safety and privacy issues. We made this classification to present, in the best possible way, the aspects relevant to our survey. In Table 1, the symbol “\(\checkmark\)” denotes that the issue is covered and “-” that the issue is not covered by the article.
Table 1.
Ref.YearApproachSecurityThreatsSafetyPrivacy
MDInfrastructureReq.Arch.Att.Mech.Tax.Align.
[111]2010\(\checkmark\)--\(\checkmark\)-\(\checkmark\)----
[10]2010-\(\checkmark\)--\(\checkmark\)\(\checkmark\)--\(\checkmark\)\(\checkmark\)
[2]2012\(\checkmark\)-\(\checkmark\)\(\checkmark\)\(\checkmark\)\(\checkmark\)---\(\checkmark\)
[35]2014\(\checkmark\)--\(\checkmark\)\(\checkmark\)\(\checkmark\)----
[124]2014\(\checkmark\)-\(\checkmark\)-\(\checkmark\)\(\checkmark\)\(\checkmark\)-\(\checkmark\)\(\checkmark\)
[159]2014\(\checkmark\)-\(\checkmark\)-\(\checkmark\)\(\checkmark\)\(\checkmark\)-\(\checkmark\)\(\checkmark\)
[19]2015\(\checkmark\)-\(\checkmark\)-\(\checkmark\)\(\checkmark\)-\(\checkmark\)-\(\checkmark\)
[73]2015\(\checkmark\)-\(\checkmark\)-\(\checkmark\)\(\checkmark\)\(\checkmark\)-\(\checkmark\)-
[129]2015\(\checkmark\)-\(\checkmark\)-----\(\checkmark\)-
[63]2015\(\checkmark\)-\(\checkmark\)\(\checkmark\)--\(\checkmark\)---
[8]2016\(\checkmark\)-\(\checkmark\)-\(\checkmark\)-\(\checkmark\)-\(\checkmark\)-
[29]2016-\(\checkmark\)---\(\checkmark\)----
[118]2017\(\checkmark\)-\(\checkmark\)-\(\checkmark\)\(\checkmark\)----
[76]2017\(\checkmark\)\(\checkmark\)--\(\checkmark\)-----
[28]2017\(\checkmark\)-\(\checkmark\)\(\checkmark\)\(\checkmark\)-\(\checkmark\)--\(\checkmark\)
[87]2017-\(\checkmark\)\(\checkmark\)\(\checkmark\)\(\checkmark\)\(\checkmark\)---\(\checkmark\)
[114]2018\(\checkmark\)---\(\checkmark\)\(\checkmark\)----
[40]2018-\(\checkmark\)--\(\checkmark\)\(\checkmark\)----
[22]2018\(\checkmark\)---\(\checkmark\)\(\checkmark\)--\(\checkmark\)\(\checkmark\)
[34]2018\(\checkmark\)---\(\checkmark\)-\(\checkmark\)---
[106]2019\(\checkmark\)---\(\checkmark\)\(\checkmark\)----
[48]2019\(\checkmark\)\(\checkmark\)\(\checkmark\)-\(\checkmark\)\(\checkmark\)---\(\checkmark\)
[119]2019-\(\checkmark\)\(\checkmark\)-\(\checkmark\)\(\checkmark\)\(\checkmark\)-\(\checkmark\)\(\checkmark\)
[157]2019\(\checkmark\)--\(\checkmark\)\(\checkmark\)\(\checkmark\)--\(\checkmark\)\(\checkmark\)
[3]2019-\(\checkmark\)\(\checkmark\)-\(\checkmark\)\(\checkmark\)---\(\checkmark\)
[9]2019\(\checkmark\)-\(\checkmark\)-\(\checkmark\)----\(\checkmark\)
[107]2019\(\checkmark\)-\(\checkmark\)-------
[17]2020-\(\checkmark\)--\(\checkmark\)\(\checkmark\)----
[158]2020\(\checkmark\)---\(\checkmark\)-----
[52]2020-\(\checkmark\)\(\checkmark\)\(\checkmark\)-\(\checkmark\)---\(\checkmark\)
[128]2020\(\checkmark\)-\(\checkmark\)\(\checkmark\)\(\checkmark\)\(\checkmark\)---\(\checkmark\)
[108]2021\(\checkmark\)\(\checkmark\)\(\checkmark\)-\(\checkmark\)\(\checkmark\)\(\checkmark\)-\(\checkmark\)\(\checkmark\)
[93]2021\(\checkmark\)---\(\checkmark\)-----
[139]2021-\(\checkmark\)---\(\checkmark\)---\(\checkmark\)
[84]2021-\(\checkmark\)---\(\checkmark\)---\(\checkmark\)
[112]2022\(\checkmark\)-\(\checkmark\)-\(\checkmark\)\(\checkmark\)\(\checkmark\)--\(\checkmark\)
[71]2022\(\checkmark\)-\(\checkmark\)--\(\checkmark\)--\(\checkmark\)\(\checkmark\)
[42]2022-\(\checkmark\)---\(\checkmark\)--\(\checkmark\)\(\checkmark\)
Total out of 38271421928281011222
Table 1. Features Compared with Different Reviews
Where MD = Medical Devices, Req. = Requirements, Arch. = Architecture, Att. = Attacks, Mech. = Mechanisms, Tax. = Taxonomy, and Align. = Alignment.
From the data in Table 1, Fig. 2 shows that the number of surveys has grown in recent years, as healthcare awareness has increased. Besides, Fig. 2 depicts separate lines for the privacy, threat taxonomy, and security mechanisms columns of Table 1. As shown, research has grown since 2010. This is due to the innovations and advances produced each year in healthcare, which bring important changes to the ecosystem [115]. We can also observe that the majority of surveys are MD-focused, since the healthcare ecosystem relies heavily on the devices appearing in it. The last row of Table 1 gives the count of “\(\checkmark\)” per column, showing the issues (attacks, privacy, safety, etc.) most discussed in the literature so far.
Fig. 2. Number of publications focused on surveys, privacy, threat taxonomy, and security mechanisms by year.
First, we can conclude that threats/attacks and protection mechanisms are the issues most addressed in the literature. On the other hand, we would expect more effort on the creation of threat taxonomies (focused on healthcare), since only one review [19] performs this threat modeling. Besides, we identify a lack of research on the safety topic (see Section 4.3) and on the definition of the healthcare architecture/ecosystem (see Section 2). Finally, we find that no survey addresses with scientific rigour all the columns indicated in Table 1, while our work develops all topics. Next, we present the main results of the most interesting reviews listed in Table 1.

3.1 Literature Review

This review of related work concentrates mainly on the security and privacy issues discovered in the literature and on the most common security mechanisms chosen for protecting the healthcare domain. After analysing the literature, we classify the research works into two families: IMD/IWMD/IoMT-focused and infrastructure-focused, with most of the works falling into the first family.
To begin with, Nasiri et al. [107] studied the importance of the cyber resilience concept, deriving multiple security requirements (Reliability, Reparability, etc.) that arise from applying this property to IoMT. Besides, Sametinger et al. [129] classified medical devices into four security levels (Low, Medium, High, and Very high) according to the risk associated with the sensitive information processed by the device or the critical task performed by it. In privacy terms, Saleh et al.’s work [128] presents a complete view of privacy for WMSNs in healthcare, showing requirements, applications, privacy and security services implemented in WMSNs (SATIRE [44], MeDiSN [74]), attacks, countermeasures, and so on. Regarding WMSNs, Al Ameen et al. [2] compared BANs and WMSNs and highlighted the security and privacy issues of these networks in healthcare.
With respect to security attacks, the majority of works [22, 34, 35, 106, 118, 124, 159] referred to attacks against medical devices (IMD, IWMD, and IoMT), mainly classifying them into three types according to the layer attacked: application layer (malware attack, software attacks), network layer (man-in-the-middle attack, eavesdropping, denial of service (DoS) attack, spoofing attack), and perception layer (physical attack, RFID sniffing/spoofing). Kumar [76] performed a review of cyber-attacks in the healthcare industry and emphasised the importance of protecting this environment, giving real examples of vulnerabilities found in medical devices.
Islam et al. [63] enumerated different IoT healthcare networks as well as a collaborative security model for IoT-based healthcare, which was composed of three security services: protection services, detection services, and reaction services. In this context, Altawy and Youssef [8] introduced Cyber Physical Systems (physical systems whose operation requires advanced connectivity and computation), identifying threats and security properties and explaining IMDs as a use case in this scenario. Rathore et al. [118] proposed different security mechanisms to prevent and react to these attacks and divided them into categories, such as biometric-based approaches, distance-based approaches, key management protocols, audit mechanisms, anomaly detection, and external device methodologies. On the other hand, Nanayakkara et al. [106] performed a statistical study of the different security mechanisms named in the literature and found that identification, authentication, and authorization mechanisms are the ones that appear most often in the published works.
Kagita et al. [71] and Flowerday and Christos [42] addressed recent studies focused on security and privacy problems, trends, and mechanisms to protect medical devices and the environment itself. Camara et al. [19] presented different operation modes, security properties, an adversarial approach, limitations, and security mechanisms for them. Furthermore, this work categorizes threats against the IMD using the STRIDE [98] methodology, comparing the six categories provided by STRIDE with the threats presented for IMD. Appari and Johnson [10] performed a complete review of security and privacy in healthcare, showing many different research lines and trends of those years, which have been developed in later works up to the present day. We can also highlight the surveys of Yaqoob et al. [157] and Papaioannou et al. [112]. Yaqoob et al. [157] reviewed networked medical devices, covering regulations, attack vectors, protocols, classification, architecture, and so on. This work also offered safety and privacy knowledge and examples where the official regulations have not been enforced. Papaioannou et al. [112] created a complete threat taxonomy (given the number of threats presented) not seen so far, taking as main categories the security requirements extracted in this survey, and showing examples of attacks in the final parts of the taxonomy.
Manogaran et al.’s work [87] concentrated on Big Data for the Smart Healthcare Industry, describing architecture, communications, security and privacy requirements, threats, challenges, and open research issues. In this case, the authors also proposed an architecture that uses Big Data in conjunction with Industry 4.0 characteristics to protect the healthcare environment. Fatima and Colomo-Palacios [40] studied the Healthcare Information System (HIS), conducting a complete study of the literature and obtaining answers such as the most cited guidelines/regulations for data security in HIS and the most reported security incidents/threats/security measures. Razaque et al. [119] conducted their study taking as reference the information flow inside the medical domain, and extracted the main attacks (Password Intrusion, Denial of Service, Dropbear SSH Server, etc.) produced in healthcare, with an excellent analysis of possible security mechanisms to protect against them, as well as a presentation of the different security architectures addressed in the literature.
Bhuyan et al. [17] incorporated, as new content not seen so far, the enumeration of the main stakeholders involved in the cyber-attacks produced on healthcare: cyber-attackers, cyber-defenders, end users, and developers. Hathaliya and Tanwar [52] created an exhaustive survey on security and privacy issues in Healthcare 4.0, which is considered the new era of healthcare with the incorporation of technologies such as IoT and telehealthcare. This work covered several security and privacy requirements, a taxonomy with security and privacy solutions, and presented different state-of-the-art security schemes based on mechanisms such as processing-based, machine learning based, wearable devices, IoT and telehealthcare, policies and standards, authentication, and network or traffic. Singh et al. [139] conducted a survey on healthcare data, first explaining Smart Healthcare and listing its main applications and characteristics. After this, the review focused on the issues and the existing security techniques for healthcare data, dividing them into cryptography-based, biometrics-based, and watermarking-based (offering copyright protection and content authentication) types.
To conclude, Newaz et al. [108] is one of the best research works performed in the literature about healthcare, due to the amount of information collected and the topics addressed. This article presented security and privacy requirements and an attack model with the attacker goals, attacker capabilities, and attack types, and divided the main attacks focused on healthcare into five categories (Software, Hardware, System-level, Side-channel, and Communication channel). Newaz et al. also evaluated the attacks with different vulnerability metrics (attack approach, attack complexity, privilege requirement, and user cooperation), and extracted the target medical devices (invasive devices, therapeutic devices, etc.) and specific components (sensor, device, data, healthcare provider, etc.). The authors explain all attacks in depth and provide an extensive review of the existing security and privacy solutions for healthcare devices and applications. Finally, Pantelopoulos and Bourbakis [111] presented a review of a wearable health-monitoring system that was used ten years later by Newaz et al. This relation highlights the importance of Pantelopoulos’ work conducted in 2010.

3.2 Limitations and Differences from Previous Surveys

The main surveys performed about the healthcare sector have been analysed. Thanks to this analysis, we have obtained a holistic view of the previous literature. Next, we present below the limitations observed and the main differences with our proposal to enhance the current situation of this scenario. First, we note that the overall vision of healthcare ecosystem with the main stakeholders has not been addressed, only special and concrete scenarios have been explained, such as the one explored in [17]. For this reason, we presented the holistic scenario in Section 2 where all stakeholders and technologies implied in the healthcare environment are presented.
Second, we detect a lack of threat modelling [144], which consists of identifying threats in healthcare in a targeted manner, using frameworks or knowledge bases of threats and attacks, such as STRIDE [98] or MITRE ATT&CK [147]. Camara et al.’s [19] work is the only one that performs threat modelling with the STRIDE methodology. In our work, we incorporate threat modelling through MITRE ATT&CK, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. We add this mechanism to healthcare in order to provide compatibility and a reference framework to compare different related works, as well as possible automation of the threat modelling with the tools available in the framework.
Third, Newaz et al. [108] and Hathaliya and Tanwar [52] show the existing security mechanisms with considerable detail and enumerating different types of mechanisms, but we have detected an issue not yet covered: the search, enumeration and categorisation of existing datasets encompassed in the healthcare environment. Resolving this issue, new applications and solutions can be created with less effort since we will have a knowledge base about the existing tools to work with machine and deep learning on healthcare. For this reason, we address this issue in Section 6. Finally, our work provides the necessary knowledge base, in terms of security and privacy, to continue with the research in the medical environment.

4 Security, Privacy, and Safety On Healthcare Environment

The security, privacy, and safety properties in a healthcare context are changing, and new requirements have appeared in recent years. These properties and requirements are analyzed in detail in Section 4.1. Next, we review the current privacy requirements identified in terms of data criticality in Section 4.2. Finally, we discuss safety in Section 4.3, since the security issues produced in this environment can directly affect people's wellness.

4.1 Security Requirements on Healthcare

In the literature, the security requirements in healthcare have been extensively discussed. However, usually these requirements are the Confidentiality-Integrity-Availability (CIA) triad [28, 48, 63, 108, 112, 124, 159], a traditional approach that defines the basic principles of the information security. These principles can be described as follows, when the healthcare environment is concerned:
Confidentiality. In the healthcare context, we can highlight patient confidentiality, since the data managed and stored are very sensitive and can directly affect patient security and health [14]. Apart from this, confidentiality should apply to all processes and systems in the healthcare environment. This requirement can be compromised by different attacks, such as eavesdropping and man-in-the-middle (shown in Section 5), which can intercept medical device communications [108].
Integrity. This property is especially relevant in the healthcare environment due to the criticality of the data managed. For instance, a patient's medical record with altered information can pose a major threat to human health, for example by making the person undergo an operation that is not necessary. Two examples of threats that can affect the integrity requirement are hardware trojans and impersonation, which can compromise medical devices [108].
Availability. In the healthcare environment, having access to specific data or systems can be a determining factor for patient health at given times. Such a need arises, for example, when the patient must be immediately medicated with a specific treatment and the personal information or specific medical process (allergies, physical problems, etc.) is needed for such a task. In this sense, ransomware is a widely used attack against this requirement, which demands a payment to recover the systems [108].
Apart from these, others can be identified in the literature. These requirements define the properties that medical devices and systems, defined by the type of devices and information processed, must meet to provide a correct behaviour and avoid misconduct or associated threats:
Identification. It defends the need of assigning a value in terms of identifying the entities that require the data [48, 107]. To implement this requirement, mechanisms like fingerprinting [99, 131] can be used to tackle the problem of identifying heterogeneous devices used in healthcare.
Authentication. This requirement, related to identification, verifies that entities with an identifier are valid users inside healthcare [63, 107, 108, 112]. In this sense, Newaz et al. [108] presented different considerations to address this requirement: environment considerations, single vs multi-factor authentication, continuous authentication, and emergency considerations. All of them aim at improving authentication in this context, where authentication schemes become more complex due to the increasing heterogeneity in devices, protocols and data [120, 155].
Authorization. When an authentication process is successful, each user receives different rights or permissions that determine what that user can do in the healthcare environment [48, 63, 107, 112]. For instance, a user can access a specific IoT device while the rest of the users have their access denied.
Accountability. It is a strong requirement for medical devices [107, 118]. Its purpose consists of keeping devices answerable and responsible for their actions. They must store logs to track device activity and link the data to the devices. This requirement also applies to the entire healthcare environment, where it is important to have records of all activities performed by individual or organizational entities.
Non-repudiation. This security requirement prevents an entity from denying previous commitments or actions in an interaction [63, 107, 108, 112]. For instance, it allows us to demonstrate that given footprints were left by an attacker. This requirement is a consequence of correctly applying the accountability requirement, since the logs are managed in a secure and immutable way. To achieve this, different technologies like Blockchain can be used [81].
Reliability. It is defined in [159] as the medical device’s property of functioning correctly even under extreme environmental conditions. This requirement is deeply addressed in [73], which enumerates different reliability issues for medical devices, such as hardware failures, software reliability, radio frequency reliability, and human reliability.
Resiliency. Islam et al. [63] defined resiliency as “If some interconnected health devices are compromised, then a security scheme should still protect the network/device/information from any attack.” In a complex scenario as healthcare, the correct implementation of this requirement can determine the protection of the entire infrastructure against a critical failure.
Fault tolerance. In [63], it is defined as the offering of security services (provided by a security scheme) even in the presence of a fault. Resiliency and fault tolerance can be selected as important characteristics that a protection system in the medical domain should implement.
Robustness. It is a consequence of the three previous requirements. Robustness is defined in [118] as the property of handling different situations, such as emergency circumstances or other abnormal situations. In the literature, robustness is addressed, for instance, in [130], where a new biometrics-based key establishment protocol is created in Wireless Body Area Networks (WBAN) to improve robustness.

4.2 Privacy Requirements on Healthcare

Personal data are created and managed all the time due to the use of the Internet and human interaction with smart devices. Therefore, the correct treatment of this information is key to preventing potential privacy issues for the individual who owns the information. Thus, data privacy protection should be considered as a measure to be applied by default (privacy by default) and from the design of the solutions (privacy by design). In terms of data privacy, the treatment of personal data is particularly important in healthcare. This concern drives the correct management of the data held in this environment, since medical records are considered sensitive data (e.g., in the European GDPR regulation explained above [140]). For this reason, different government/regulatory entities address data privacy by creating regulations that aim to ensure the secure use, control and management of personal data, and to protect citizens’ rights. In the US context, HIPAA regulates the privacy and security of Protected Health Information (PHI) [55]. It comprises different rules, such as security rules, privacy rules, breach notification rules, omnibus rules, and enforcement rules, to provide a complete view of data privacy management for medical information.
On the other hand, the GDPR, which is the European regulation for processing personal data [37], is composed of different articles that regulate management and storage of personal data. Seven principles are given in GDPR, but one of them takes importance in healthcare, the privacy by design [104]. This principle has been addressed in the literature in recent years, highlighting the research performed in [134]. This work analyses the current situation of privacy by design in the healthcare sector, and defines it as “a process based on proactively embedding good privacy practices into the design and operation of IT systems, physical infrastructure, and business practices.” This work presents the seven principles of privacy by design that are Proactive not Reactive, Preventive not Remedial; Privacy as the Default; Privacy Embedded into Design; Full Functionality - Positive-Sum not Zero-Sum; End to End Security—Lifecycle Protection; Visibility and Transparency; and Respect for User Privacy. These principles are defined by Semantha et al. [134] as assumptions, which need tools to apply the eight established strategies: minimise, hide, separate, aggregate, inform, control, enforce, and demonstrate. The correct incorporation of these principles allows IT systems to be privacy friendly, and at last instance, the deployment of a privacy impact assessment and security incident management produces a complete privacy by design implementation lifecycle.
Following the international regulations, as for privacy terms, there are two approaches to manage healthcare data: data-centric and user-centric. The data-centric approach usually selects service providers as stakeholders in charge of managing the data lifecycle, transmission, and so on, while the user-centric approach offers the right and ownership to the user who generated the data. This second approach allows users to manage access control to data by preventing unauthorised access [67], as well as to comply with the HIPAA and GDPR principles explained above in a more user-friendly way.
To conclude the privacy overview in healthcare, the privacy topic has been addressed in the literature [9, 28, 48, 52, 108, 124, 128, 159] for years and various privacy requirements have been identified inside of medical scope:
Device privacy. The work of Rushanan et al. [124] was one of the first (2014) to address privacy requirements. Rushanan et al. [124] divided the requirements into device characteristics that should not be discovered and modified by attackers. They proposed device existence, type, ID, logs, bearer information, and tracking. Given the date of the research, this work represented an advance in the field.
Anonymity. It can be defined as the property of masquerading the information to hide the identity of the author, owner or creator of the data, as well as the data belonging to certain user who could be tracked. Newaz et al. [108] explained the need of providing anonymity in data, communication, and devices.
Unlinkability. This requirement is also identified by Newaz et al. [108]. They defended that the unlinkability (hide sender and receiver of the message) between doctors and patients in healthcare supposes an essential requirement due to the sensitive information transmitted.
Untraceability. Hathaliya and Tanwar [52] defined this requirement as the ability to prevent the tracing of messages by an attacker to know user’s identity.
Pseudonymity. This property was identified by Saleh et al. [128], who defined it as the usage of a user’s pseudonym in an authentication process as well as in the location privacy to protect user’s identity.

4.3 Safety on Healthcare

Patient safety is a critical need, which adds a further level of complexity to this scenario. As an introduction to this concept, a safety classification is presented in the literature [8, 73, 129, 157].
All research works show the classification created by the Federal Drug Administration (FDA) of US, which divides medical devices into three classes, Class I (Low to Medium Risk), Class II (Medium to High Risk), and Class III (High to Very High Risk). The classes are based on the level of control that is necessary to apply for assuring the safety and effectiveness of a device; the higher the risk, the higher the class [129]. In this sense, this latter work proposed four security levels taking into account the safety concern to classify the devices allocated in healthcare environment: low (e.g., administrative computer in hospital), medium (e.g., sensors measuring glucose levels), high (e.g., sensors controlling insulin pumps) and very high (e.g., implanted devices with medication).
There are international regulations created for preserving safety in the medical domain. Yaqoob et al. [157] enumerated the main regulations: the FDA regulation, the Medical Device Directive (MDD), and Conformite Europe (CE) drawn up by the EU. The MDD shares with the FDA the classification criteria by level but differs from the FDA in the number of levels, since the MDD proposes four classes (Class I, IIa, IIb, III) as a function of the risk level, while the FDA provides three classes (Class 1, 2, 3). The MDD divides class II of the FDA into two classes to provide more granularity in the classification. On the other hand, the CE is a mark used for marketing in Europe, in charge of ensuring that devices fulfil the established safety criteria. Yaqoob et al. also comment in [157] on the new MDR (implemented in 2020), with the special case of in vitro diagnostic devices, where the MDR will be implemented in 2022. Finally, this work points out different limitations that these regulations present, such as standard tools, minimum security control criteria, and medical device reporting.
Beyond the main regulations, Kim et al. [73] show various examples of the real problem of incorrect safety protection in medical devices, such as a person who died from a cardiac arrest due to a failure in his/her Implantable Cardioverter Defibrillator (ICD), or attacks on ICDs through their wireless interface. Going further, Altawy and Youssef [8] covered Cyber Physical Systems (CPS) and, with a case study on implantable medical devices (IMDs), revealed the real importance of the safety property and argued for the protection of the individuals involved in its operations. Altawy and Youssef [8] highlighted the critical operation that IMDs perform for patient health and the fatal consequences produced by the misbehaviour of these devices. From our literature review, we conclude that safety is important in healthcare and that secure mechanisms and safety-oriented measures need to be implemented to protect patient health.

5 A State-of-the-art-based Classification of Threats and Attacks in Healthcare

This section presents a classification of threats and attacks in healthcare, which is based on the analysis of healthcare environment, the related state-of-the-art with the most important reviews performed about medical domain, and the enumeration of security, privacy, and safety requirements in this topic. For that, we categorize these security issues aligned with a knowledge base standardized in this scope, the MITRE ATT&CK [147]. First, we present the threat taxonomy created with this work as well as the formal mapping with MITRE ATT&CK, explaining the categories identified affecting healthcare. Second, we present the attacks collected from the literature mapped to MITRE ATT&CK, creating a classification and risk evaluation for each one.

5.1 Threat Taxonomy with Framework Mapping

The reviews analyzed in Section 3 broadly cover the security topic, identifying different threats for medical devices and healthcare infrastructure. Our article aims to offer a complete threat taxonomy (unifying the healthcare ecosystem) with all threats (IMD/IWMD/IoMT-focused and infrastructure-focused) found in the literature, enumerated and classified.
For classifying threats, we decided to align them with a globally accessible knowledge base like MITRE ATT&CK, because tools of this type have gained importance in recent years in threat modeling work [56, 78]. This alignment may be useful for the compatibility of this work with other related projects, as well as for providing a reference framework against which to compare this threat classification. Apart from MITRE ATT&CK, other alternatives can be considered, such as Cyber Kill Chain [89] and Diamond Model [18]. However, MITRE ATT&CK is the most adopted by the industry and community because it offers different advantages: it maps and covers everything regarding an intrusion from both the attack and defense sides, and provides examples and references including data on threat groups. This knowledge base is composed of 12 categories mapped to the steps executed in an attack: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. MITRE ATT&CK also has three different matrices for modelling different scenarios: Enterprise, which contains threats associated with Windows, Linux, Cloud, and so on; Mobile, which covers both Android and iOS threats; and Industrial Control Systems (ICS), focusing on industry-specific devices and operations.
To perform this alignment, we select the Enterprise and ICS matrices because the majority of threats found in healthcare infrastructure are more related to the Enterprise matrix, and some medical devices suffer from attacks similar to those found in industry. In Fig. 3, we show the complete threat taxonomy aligned with MITRE ATT&CK. For clarity, the threat taxonomy is divided into twelve categories: nine of them are shared between the Enterprise and ICS matrices, two are Enterprise-specific (Resource Development and Credential Access), and the last one is ICS-specific (Impair Process Control).
Fig. 3. Threat taxonomy with MITRE ATT&CK alignment.
MITRE ATT&CK includes more threats and techniques, but only the categories and threats related to the specific vulnerabilities and attacks present in healthcare have been mapped. Starting with Resource Development, as shown in Fig. 3, this category covers the techniques used by adversaries to put in place the mechanisms needed to execute future operations. In this category, we select from ATT&CK Develop, Obtain and Stage Capabilities, and Compromise Accounts and Infrastructure as the most important threats for healthcare. Regarding Capabilities, the adversary can first develop or obtain the capabilities and later stage them in the target. On the other hand, Compromise Accounts and Infrastructure are other gateways that attackers can use to enter the victim environment.
The second category presented, Initial Access, involves all techniques that gain access to the network through entry points or vectors available on it. Here, we enumerate Rogue Master, Hardware Trojans, and Phishing to cover the attacks that have appeared in healthcare. Rogue Master is ICS-specific and consists of impersonating a master, allowing the attacker to disrupt network communications by capturing and receiving traffic, to affect processes in unintended ways, to hide his/her attack in the organisation, and so on. Another way to enter the network is with Hardware Trojans, which introduce hardware components into the environment and distribute the attack. Finally, Phishing is the technique used to mislead users with the intention of obtaining their user credentials, sensitive information, and so on.
The third category is Execution, which includes the techniques where the attacker compromises the local or remote system by running malicious code. The threat highlighted in this category is Modify Controller Tasking, an ICS-specific technique that alters the tasking of the controller to modify the operations and the behaviour of the device. Next, we present Persistence, which incorporates techniques to keep access to the system after restarts, shutdowns, software modifications, etc. Here, we enumerate System Firmware, Valid Accounts, and Server Software Component. Belonging to the ICS group, System Firmware exploits the firmware update feature available in devices to introduce malicious firmware that allows the attacker to take control of the device. Valid Accounts is the result of a successful intrusion performed with techniques belonging to other categories, like Initial Access or Resource Development. At this point, the adversary acts as a valid account inside the environment. Server Software Component is another technique that exploits server development features to gain persistent access to the system. Then, we show Privilege Escalation as the group of techniques that try to obtain elevated permissions in the system or device. In this case, the main threat selected is Exploitation for Privilege Escalation, where vulnerabilities are used to carry out the attack and elevate privileges.
Defense Evasion encompasses techniques that aim to avoid the defenses included in the system in order to perform an attack. Here, we include the Modify Cloud Computing Infrastructure and Weaken Encryption techniques. The former tries to leverage the different options that Cloud Computing offers for instances (create, remove or modify instances to avoid the defenses deployed in the system). Weaken Encryption exploits a problem in the encryption to intercept and capture communications. This technique can also attack the devices in charge of encrypting the messages in order to obtain the information. The Credential Access category includes techniques to obtain the necessary information (generally users and passwords) to enter the system as an authenticated user. For this group, we indicate Brute Force, Unsecured Credentials, Steal Authentication Token, and Man-in-the-Middle. Firstly, Brute Force is the common technique to obtain user passwords by inserting text strings until a valid result is obtained. Unsecured Credentials leverages weak credential policies or the use of default credentials to gain access to the system. Steal Authentication Token gets access to the system through the action of a legitimate user that grants the access to the adversary. Finally, Man-in-the-Middle consists of intercepting the communication between two entities, sniffing or modifying the communication.
The Discovery category enumerates techniques used to learn about and detect the victim’s environment. Here, we present Wireless Sniffing and Network Sniffing, both of which try to collect information about the organisation by deploying mechanisms that capture the communications produced in it. Wireless Sniffing places the mechanisms in the wireless environment, while Network Sniffing uses the interface of a computer to gain knowledge about the internal network. Next, the Lateral Movement category comprises the mechanisms used for pivoting through the environment, moving from one system of the internal network to another. As a technique for this category, we only highlight Valid Accounts, which is able to traverse the network thanks to the valid user credentials obtained. The next category is Collection, which contains the techniques that allow attackers to gather data and knowledge for their purpose. Here, different mechanisms are listed: Wireless Sniffing, Data from Information Repositories, Monitor Process State, and Man-in-the-Middle. On one hand, Wireless Sniffing and Man-in-the-Middle have already been explained because they can be found in other categories. On the other hand, Data from Information Repositories collects information from repositories installed in the organization, while Monitor Process State searches for relevant information in the physical state, such as the number of CPUs, the RAM installed, and so forth.
The Impair Process Control category is ICS-specific and incorporates techniques that seek malicious effects in the physical control processes. Here, two important mechanisms appear, Modify Parameter and Spoof Reporting Message. Both cover all techniques able to change the packets and messages sent between devices and systems inside the network, as well as process configurations, producing different behaviours in the organisation’s operations. Finally, the Impact category encompasses the techniques that affect the functioning of the system, such as manipulation, disruption, damaging, and so on. Here, two different Denial of Service attacks appear, Network and Endpoint, together with the traditionally known Data Encryption for Impact.

5.2 Attack Classification

All categories and techniques presented above are used here to map and create the association between the attacks produced in healthcare and the categories enumerated. For evaluating the impact of vulnerabilities, different frameworks provide a scoring per vulnerability in function of different established metrics. In this sense, the most adopted framework is the Common Vulnerability Scoring System (CVSS) v3 [61]. The CVSS is composed of three metrics groups: base, temporal, and experimental metrics. These metrics give a specific vulnerability scoring.
Although CVSS is widely used, it is neither healthcare-focused nor designed to cover the security issues present in the medical domain. Delving into the literature and official standardization organizations, we find other alternatives such as the Risk Scoring System for Medical Devices (RSS-MD) [116] and the work performed by Carreon et al. [20], which try to incorporate health and privacy concerns of medical devices into the CVSS. This latter work adds two new metrics to CVSS, i.e., Health Impact and Sensitivity, and then compares the accuracy of RSS-MD, CVSS and their approach. This comparison states that Carreon et al.’s work shows better results. On the other hand, the Federal Risk and Authorization Management Program (FedRAMP) contracted MITRE in 2020 to adapt the current CVSSv3 to medical devices and create the “Rubric for applying CVSS to medical devices” [23]. This rubric improves the initial CVSSv3 with the healthcare characteristics so that it can be used in this environment. This framework is the one finally selected for our work due to its compatibility with CVSS and the adoption that CVSS has in threat classification, as well as the entity behind this work, which is also the creator of MITRE ATT&CK.
The purpose of our work is to classify the threats collected in healthcare with a commonly adopted method, i.e., CVSS, building on the work already performed through this mechanism. In Tables 2 and 3, we present all attacks discovered in healthcare. For each attack, the tables present the target of the attack, with IWMD or Healthcare infrastructure as the available options, and the MITRE Category and its concrete technique as introduced in Fig. 3. The attacks are sorted by the category they belong to. In the following column group, the CVSS is developed for each attack, presenting the metric vector and the resulting score. In this regard, the work at hand has been performed taking into account the review presented by Newaz et al. [108], where some metrics of CVSSv3 are used for some of the attacks presented here; the NVD Database [62], searching for vulnerabilities exploiting these attacks and checking the most repeated values; and the results achieved with the MITRE rubric to obtain the best score per attack. Finally, we show the works (their reference) from which the attacks have been collected.
| Attack | Target | MITRE Category | MITRE Technique | CVSS for Healthcare: Vector | Score | References |
|---|---|---|---|---|---|---|
| Malware | IWMD/Healthcare | Resource Development | De/Ob/StCa | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L | 5.4 | [7, 73, 108, 112, 118] |
| Outdated OSs | Healthcare | Resource Development | ObCa | AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8 | [34, 108] |
| Dropbear SSH Server | Healthcare | Resource Development | CoIn | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.1 | [119] |
| Social Engineering | Healthcare | Resource Development | CoAc | AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | 4.6 | [3, 112] |
| Sybil | IWMD | Initial Access | RoMa | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 | [27, 112, 113] |
| Hardware Trojan | IWMD | Initial Access | HaTr | AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 4.2 | [73, 108] |
| Phishing | Healthcare | Initial Access | Ph | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N | 7.1 | [106] |
| Routing Attacks | IWMD | Execution | MoCoTa | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 | [3, 113] |
| Wormhole | IWMD | Execution | MoCoTa | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7 | [27, 113] |
| Blackhole | IWMD | Execution | MoCoTa | AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H | 4.7 | [3, 27, 113] |
| Grayhole | IWMD | Execution | MoCoTa | AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H | 6.3 | [3, 27, 113] |
| Firmware Modification | IWMD/Healthcare | Persistence | SyFi | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.1 | [108, 157] |
| Compromised Node | IWMD | Persistence | VaAc | AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 6.5 | [3] |
| SQL Injection | Healthcare | Persistence | SeSoCo | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | [34] |
| Priv. Escalation | Healthcare | Privilege Escalation | ExPrEs | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | 7.3 | [108] |
| IaaS Cloud Attack | Healthcare | Defense Evasion | MoCCIn | AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H | 6.8 | [34] |
| Device Cloning | IWMD | Defense Evasion | WeEn | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H | 6.8 | [112] |
| Password Intrusion | IWMD/Healthcare | Credential Access | BrFo | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N | 2.3 | [119] |
| Weak Auth. Schemes Exploitation | IWMD/Healthcare | Credential Access | UnCr | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 8.1 | [108] |
| Unauthorised Access | IWMD/Healthcare | Credential Access | UnCr | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.3 | [3, 157] |
| Forgery | IWMD/Healthcare | Credential Access | StAuTo | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 8.1 | [112] |
| Man-in-the-Middle | IWMD | Credential Access | MitM | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L | 7 | [108, 112, 157] |
| Eavesdropping | IWMD | Discovery | WiSn | AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L | 7.6 | [3, 7, 73, 108, 112, 118, 124, 157] |
| Traffic Analysis | IWMD | Discovery | NeSn | AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L | 6.4 | [112] |

Table 2. Attacks on Healthcare with CVSS to Medical Devices (MITRE) Classification (1)
| Attack | Target | MITRE Category | MITRE Technique | CVSS for Healthcare: Vector | Score | References |
|---|---|---|---|---|---|---|
| Impersonation | IWMD | Lateral Movement | VaAc | AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L | 6.5 | [108, 112] |
| Sniffing | IWMD | Collection | WiSn | AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 6.5 | [27, 157] |
| Data Breach | Healthcare | Collection | DaInRe | AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N | 4.4 | [7] |
| Message Disclosure | IWMD/Healthcare | Collection | DaInRe | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 7.5 | [3, 157] |
| Side Channel | IWMD | Collection | MoPrSt | AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L | 4 | [27, 73, 108, 124, 157] |
| Sinkhole | IWMD | Collection | MitM | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H | 7.7 | [27] |
| ARP Tab. Poisoning | Healthcare | Collection | MitM | AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H | 6.4 | [34] |
| Tampering | IWMD | Impair Proc. Control | MoPa | AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N | 7.5 | [7, 112, 157] |
| Sensor Spoofing | IWMD | Impair Proc. Control | MoPa | AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 5.1 | [7, 108, 157] |
| Replying Attack | IWMD/Healthcare | Impair Proc. Control | MoPa | AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 8.1 | [3, 157] |
| Message Modif. | IWMD/Healthcare | Impair Proc. Control | SpReMe | AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 6.2 | [3] |
| Flooding | IWMD | Impact | NDoS | AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 6.2 | [3, 7, 27, 113] |
| Denial of Service | IWMD/Healthcare | Impact | NDoS/EDoS | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 | [7, 27, 112, 113, 118, 119, 124, 157] |
| Ransomware | Healthcare | Impact | DaEnIm | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 7.5 | [108, 157] |
| Battery Depletion | IWMD | Impact | EDoS | AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 6.2 | [108, 124, 157] |
| MIMO Attack | IWMD | Impact | NDoS | AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 4 | [108] |
| Bluetooth Attack | IWMD | Impact, Collection, Lateral movement | EDoS, DaInRe, MitM, VaAc | AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 7.4 | [162] |

Table 3. Attacks on Healthcare with CVSS to Medical Devices (MITRE) Classification (2)
Looking more closely at the metric vector, the main difference between the rubric proposed by MITRE and CVSSv3 is that the questions and options used to evaluate each metric are reformulated to incorporate the processes and data managed in healthcare. Although the options available for each metric keep the same values, the description of each value and the reason for selecting it change according to the environment, processes, information, and assets of the medical domain. For example, to evaluate the Confidentiality impact of an attack, the impact on Protected Health Information (PHI) and Personally Identifiable Information (PII) data must be checked. The metrics analyzed, shown in the Vector column of Tables 2 and 3, are as follows:
Attack Vector (AV) represents the way the attacker carries out the attack. CVSS proposes four values: Network (N), Adjacent Network (A), Local (L), and Physical (P).
Attack Complexity (AC) refers to the effort the attacker must make for the attack to succeed. The values available for this metric are Low (L) and High (H).
Privileges Required (PR) describes the credentials the attacker needs to carry out the attack. The options are None (N), Low (L), and High (H).
User Interaction (UI) indicates whether the attack needs the cooperation of the user to succeed. This metric takes the values None (N) and Required (R).
Scope (S) defines whether an attack on a device/system has an effect outside its security scope. The possible values are Unchanged (U) and Changed (C).
Confidentiality (C), Integrity (I), and Availability (A) Impact refer to the consequences produced by an attack in CIA properties. The consequences can be None (N), Low (L), and High (H).
After presenting Tables 2 and 3, we turn to the explanation of the attacks. First, we list Malware, Outdated Operating Systems (OSs), Dropbear SSH Server, and Social Engineering as the healthcare threats placed in the Resource Development (RD) category. Malware encompasses all code installed on healthcare assets with malicious intent. Several reviews present this attack [7, 73, 108, 112, 118] and highlight the problem it poses in healthcare. For example, Newaz et al. [108] presented different malware, such as “Conficker”, which allowed attackers to execute arbitrary code on vulnerable systems (X-ray machine, mammography, and a gamma camera), and “Kwampirs”, which lets attackers trigger equipment malfunction or delay access to information. Outdated Operating Systems is also a very common threat in healthcare devices, allowing attackers to exploit bugs that have been fixed in newer versions. This threat is described in [34, 108], where Newaz et al. [108] affirmed that many devices in the medical environment are out of date. Dropbear SSH Server, analyzed in [119], is a small Linux distribution that allows some medical devices to have an SSH connection, and incorrect protection of this server can provide an entry point into the healthcare infrastructure. Social Engineering is a traditional technique that leverages publicly available information about medical workers, as well as other sources, in order to compromise their accounts [3, 112].
Next, we find Sybil, Hardware Trojan, and Phishing as threats belonging to the Initial Access (IA) category. Sybil, listed in [27, 112, 113], is an IWMD-specific threat that consists of creating fake identities in the internal environment (to gain the trust of the network) in order to perform other attacks, such as Denial of Service or Flooding. Papaioannou et al. [112] explained that a Sybil attack can lead legitimate entities to draw incorrect conclusions. Hardware Trojan is a technical threat presented in [73, 108], whose objective is to insert a trojan into integrated circuits and hardware devices. Newaz et al. [108] commented that the FDA has released numerous reports on this type of threat. Phishing is a widely used method for entering private environments through the interaction of a valid user, leveraging inattention or lack of knowledge [106].
The Execution (Ex) category covers Routing Attack, Wormhole, Blackhole, and Grayhole as healthcare threats. A Routing Attack alters the route of packets to change their destination. This attack is presented in [3, 113]. Algarni [3] showed this attack against a medical device in Smart Healthcare Systems (which incorporate smart technology into healthcare), whose routing table was changed. Wormhole alters routing tables so that traffic is forwarded to one adversary node. Blackhole and Grayhole are variations of Wormhole. The former consists of dropping each packet when it is received by the adversary node, while the latter implements a dropping algorithm to make the attack harder to detect. These attacks are presented in [3, 27, 113] and have IWMDs as their main targets in healthcare.
The next attacks are Firmware Modification, Compromised Node, and SQL Injection, which fall into the Persistence (Pe) category. Firmware Modification is a very common attack on medical devices and consists of modifying the firmware, which changes the behaviour of the device. Newaz et al. [108] highlighted the importance of this attack and explained some cases where it served as an entry point to the healthcare system. In addition, Yaqoob et al. [157] listed different devices vulnerable to this attack, together with the attack methodology followed and the vulnerability exploited in each case. Compromised Node is the infection of a valid node of the network. Algarni [3] showcased this attack by taking control of sensor nodes so that they provide false information. Finally, SQL Injection is an attack carried out against a healthcare website by injecting malicious code to exploit the SQL database [34].
The Privilege Escalation (PE) category contains only the Privilege Escalation attack. This attack is the common procedure used to obtain increased system permissions through exploits and discovered vulnerabilities. Next, the Defense Evasion (DE) category includes two attacks, IaaS Cloud Attack and Device Cloning. Both attacks are collected by [34]. IaaS Cloud Attack is the alteration of cloud infrastructure, a technology adopted in healthcare in recent years to improve processes and operations. Device Cloning is the impersonation of a device to perform malicious activities in the environment.
The Credential Access (CA) category comprises Password Intrusion, Weak Authentication Schemes Exploitation, Unauthorised Access, Forgery, and Man-in-the-Middle attacks. Password Intrusion is an attack used to gain access to the system with a user’s credentials, with brute force being one of the most common techniques. Weak Authentication Schemes Exploitation is defined by Newaz et al. [108] as the lack of strength of authentication mechanisms, mainly in medical devices. This attack can occur at the moment of reading and writing data from these devices; Newaz et al. commented on different studies that obtained data from devices with a CD or USB portable medium. Unauthorised Access leverages weak protection in order to enter the system. Both [3] and [157] present this entry vector, and Yaqoob et al. [157] enumerate multiple medical devices where this attack has occurred, such as the cardioverter defibrillator and the insulin pump. Forgery is an attack collected only in [112], defined as the construction of a counterfeit identity that is authenticated in order to transmit fake data to other entities. Papaioannou et al. [112] highlight the problem this attack poses for the authentication requirement. Man-in-the-Middle is widely used in communications to access sensitive information. This attack is addressed in [108, 112, 157]; Newaz et al. [108] highlight different entry points, such as Bluetooth and reverse engineering, and Yaqoob et al. [157] enumerated some medical devices vulnerable to this attack.
In the Discovery (Di) category, two extensively used attacks are classified: Eavesdropping and Traffic Analysis. Eavesdropping is the most discussed attack in the literature, appearing in [3, 7, 73, 108, 112, 118, 124, 157]. This attack aims to obtain sensitive information through unsecured communication channels. Newaz et al. [108] commented that different medical and wearable devices, such as blood pressure monitors and smartwatches, suffered from vulnerabilities that allowed attackers to obtain sensitive information. On the other hand, Yaqoob et al. [157] enumerated different medical devices suffering this attack, such as the accelerometer and the cardiac monitor, caused by a lack of encryption and protection in communication protocols. Finally, Traffic Analysis is listed in [112] and consists of passively observing transmitted traffic and inferring knowledge from characteristics of the data flow.
Lateral Movement (LM) contains only the Impersonation attack. The purpose of this threat is to pose as a valid user in the network. Two works address it [108, 112]. In [108], the researchers collected an example that leverages the lack of protection in the communication between a glucose monitoring device and the insulin delivery system to obtain the authentication PIN. With this PIN, the attacker impersonated the patient.
Collection (Co) is the category with the most attacks: Sniffing, Data Breach, Message Disclosure, Side Channel, Sinkhole, and ARP Table Poisoning. Sniffing is similar to eavesdropping; hardware and software sniffers are used to collect traffic. This attack is presented in [27, 157], which discuss the difficulty medical devices have in protecting their communications and data. Data Breach is a generic threat involving the loss of sensitive data, with a significant impact in healthcare. Almohri et al. [7] link this attack to the confidentiality requirement because of this exposure of information. Message Disclosure can be understood as an example of Data Breach, because unauthorised entities expose information by leveraging weaknesses in the device or communication medium. This attack is analysed in [3, 157], especially for capturing patient log files with sensitive information. Side Channel is a widely discussed attack in the literature [27, 73, 108, 124, 157]; it collects physical parameters from medical devices, such as power consumption and electromagnetic (EM) radiation, resulting in leakage of sensitive information. Newaz et al. [108] present three types of Side Channel attacks on medical devices according to the parameters read: electromagnetic interference, sensor spoofing, and differential power analysis. Sinkhole is an attack found only in [27]; it obtains all traffic because the malicious node is advertised in the network as the fastest path to the base station. Finally, ARP Table Poisoning is an implementation of the Man-in-the-Middle attack presented earlier [34]. The attacker sends false ARP messages to nodes in the network announcing the best route for reaching the base station, which coincides with his/her node.
The Impair Process Control (IPC) category contains Tampering, Sensor Spoofing, Replying Attack, and Message Modification. First, Tampering and Message Modification are two variations of attacks whose purpose is to alter messages between medical devices and the healthcare provider. Different works [3, 7, 112, 157] discuss these attacks; Yaqoob et al. [157] presented different targets where they occurred, such as wearable devices (Fitbit) and medical devices (pacemaker or prosthetic limb). Sensor Spoofing was presented above as a type of Side Channel attack. When the attack is successful, the attacker takes control of the sensor, changing the operation of the medical device. Specifically, [7, 108, 157] present different techniques to perform this attack, such as static and dynamic analysis, reverse engineering, and communication channel exploitation [157]. Finally, Replying Attack is defined as obtaining valid transmitted packets in order to corrupt or impersonate them [3, 157]. The attack vectors here are shared with the Sensor Spoofing threat.
To conclude, we present the Impact (Im) category with Flooding, Denial of Service, Ransomware, Battery Depletion, Multiple-Input-Multiple-Output (MIMO), and Bluetooth attacks. Flooding can be seen as a concrete type of Denial of Service attack, which affects the healthcare environment by blocking and overloading assets. Denial of Service is a widely discussed threat in the literature [7, 27, 112, 113, 118, 119, 124, 157], which describes different ways of performing it, such as battery drainage, botnets, and so on. Ransomware is a type of Malware, listed separately because of its importance and impact in healthcare. In Section 1, we presented some Ransomware-based attacks on hospitals. The works in [108, 157] addressed this threat and reported figures in economic terms, such as $17000 paid by a hospital to recover its systems. The Battery Depletion attack damages the charge of the device to render it unavailable. This attack is covered in [108, 124, 157]; notably, Newaz et al. [108] described its execution through a forced authentication attack, where the adversary performs multiple authentication processes to drain the battery. The MIMO Attack, presented in [108], consists of collecting data transmitted in a wireless environment to damage confidentiality in healthcare. Finally, Bluetooth attacks are explained. These can be included in several MITRE categories because Bluetooth implements its own layer architecture. In [162], some of these attacks are discussed, such as Blue smacking (DoS), Blue snarfing and Blue bugging (Data Breach), Bluejacking (Impersonation), Blue printing (Sniffing), and MAC spoofing.
Summarising the content presented in this section, we have aligned the healthcare threats found in the literature with MITRE ATT&CK in order to achieve compatibility and provide a reference framework for comparing related works. In addition, we have classified all attacks with the “Rubric for applying CVSS to Medical Devices” [23] by MITRE to properly understand the scope and impact of each threat in the healthcare environment. Fig. 4 presents several charts that highlight the results obtained by applying the rubric to the classified attacks. Fig. 4 shows six charts; the first three illustrate the CIA impact, showing for each requirement the percentage of High, Low, or None impact. In all three cases, High impact is the most frequent. The fourth chart shows the number of attacks, out of the total (41 attacks), classified by Attack Complexity, User Interaction, and Scope. In Attack Complexity, the attacks are divided between the two possible values, Low and High. For User Interaction, the majority require no user action (None). Finally, Scope presents only three attacks that can act in a Changed environment. The fifth chart shows the total number of attacks affecting each CIA requirement, with a similar percentage for the three properties. Finally, the Privileges Required value is mostly covered by the None option, showing that many attacks can be executed without specific user privileges.
Fig. 4. Classifying attacks based on (1) Confidentiality impact, (2) Integrity impact, (3) Availability impact, (4) Attack complexity, User interaction and Scope, (5) Impact by CIA approach, and (6) Privilege required.

6 Security and Privacy Mechanisms and Attacks Detection in Healthcare

This section provides different contributions on the protection against and detection of attacks in healthcare, divided into two major parts: the current research lines available in the literature, identifying the security mechanisms on which research is concentrating most effort; and the collection and classification of the main public datasets in healthcare, work not seen previously and which may be of interest for future work in this area.
Before starting with the research lines, note that the effort made in Section 5.1 to categorise threats with the groups and techniques offered by MITRE ATT&CK allows different countermeasures to be identified directly. For example, the Password Intrusion attack, mapped to the Brute Force technique in the Credential Access category, can be countered with mitigation mechanisms collected by MITRE: Account Use Policies, Multi-factor Authentication, Password Policies, and User Account Management. Thanks to this mapping between the threats found in healthcare and the categories/techniques listed in MITRE ATT&CK, we could deploy and implement the different mitigation mechanisms to protect the medical environment by default.

6.1 Research Lines for Security Mechanisms in Healthcare

Our work identifies the main categories of security mechanisms found in the healthcare literature. Unlike the threat collection, where we used only the reviews analysed in Section 3, here we divide the work into two parts. First, we identify the main tendencies in the detection and protection of healthcare, thanks to the reviews listed in Section 3. Second, we perform a further search of the literature to obtain more specific works that cover each research line identified. This provides detailed characteristics of each category not seen in a review, as well as the possibility of finding public datasets or other interesting information. Table 4 shows, per category, the covered attacks, a summary description, the possible limitations and future work (mainly discussed in Section 7), and the works discovered. Finally, we present the most recent research works in each category, giving the current state of the field through the most interesting ones.
| Mechanisms | Covered Attacks | Description | Limitations and Future Work | References |
| --- | --- | --- | --- | --- |
| Key Management Schemes | Routing Attack, Eavesdropping, Traffic Analysis, DoS, Sniffing, Unauthorised Access, Impersonation | Used to protect the information exchanges produced in the healthcare environment | • Traditional approaches have high power consumption and complexity; • Need to adapt to newly emerged scenarios and technologies (5G, Smart Home) | [65, 79, 94, 141] |
| Physical Layer Security Schemes | Eavesdropping, Traffic Analysis, Sniffing, Data Breach, Compromised Node, Device Cloning | Relies on protecting the edge network by exploiting characteristics of the communication channels | • Improve security performance of IoMT systems; • Incorporate intelligent reflective surfaces (IRS) schemes | [13, 80, 153] |
| Routing Mechanisms (SDN, congestion, etc.) | Routing Attack, DoS, Battery Depletion, Flooding, Wormhole, Grayhole | Deployment of secure gathering and routing strategies to incur the least communication overheads and transmission costs | • The application of these routing mechanisms to mobile healthcare scenarios; • Improvement of energy efficiency and security | [95, 109, 121, 125] |
| Data Aggregation | Eavesdropping, Message Disclosure, Sniffing | Intended to implement secure and private data aggregation from different distributed medical devices to protect sensitive patient information | • Especially in Federated Learning, data quality, incentive mechanisms, model precision, etc., are open questions that need further work within healthcare | [24, 117, 142] |
| Proxy-based | Eavesdropping, Tampering, Replying Attack | Mechanism (entity, layer, process) placed above medical devices to secure data and devices | • The need to improve performance and reduce costs; • Adding more mechanisms to provide more security and privacy | [50, 75, 90, 154] |
| Blockchain-based | Data Breach, Sniffing, DoS, MitM, Tampering | Incorporation of blockchain technology in healthcare, providing characteristics such as distributed recording and sharing with any third party | • Because of its novelty, Blockchain needs to be improved in some aspects, such as Storage, Data Sharing, Interoperability, Scalability, etc. | [5, 25, 36, 59, 82, 143] |
| Anomaly Detection | Malware, Sensor Spoofing, Compromised Node, Ransomware, Sybil, MitM | Use of different Machine Learning techniques such as Random Forest (RF) and Support Vector Machines (SVM) to detect anomalous behaviours | • Continuous improvement of and research into real-time and autonomic detection of anomalous activities in the healthcare environment | [21, 41, 49, 86, 133, 145] |
| Authentication Schemes (Biometric-based, Mutual authentication) | MitM, Impersonation, Password Intrusion, Replying Attack, Weak Authentication Schemes Exploitation, Side Channel | Aims to authenticate patients and medical experts in a secure way | • Improve performance and costs as well as provide lightweight implementation; • Adaptation to mobile healthcare environments | [6, 11, 30, 53, 136, 156] |
Table 4. Research Lines for Security and Privacy Mechanisms in Healthcare
In Table 4, the Key Management Schemes (KMS) research line is the only one where we list work prior to 2017. The reason is that KMS have been used in healthcare for years. This solution was created to protect communications by encrypting messages and avoiding malicious interception. To achieve this, the messages are protected with a key, which allows the packets to be encrypted. Two approaches are widespread in key management: symmetric and asymmetric keys. There are remarkable works in [65, 79, 94, 141], which provide interesting findings. Traditionally, the tendency in KMS was to design algorithms based on Elliptic Curve Cryptography (public key cryptography) [79], later evolving towards more disruptive methods, such as Merkle Hash Tree (trees based on a one-way hash function) [94], Chinese remainder theorem (central entity broadcasting messages to different patient groups) [141], and Group Key Management protocols [141]. On the other hand, WBANs are the main targets of the research works on KMS [65, 94, 141], due to their special characteristics, such as power and processing constraints. Finally, we list the work performed by Jabeen et al. [65], since they offer a recent systematic literature review that gives a complete view of this category so far. They present many different methods and protocols to implement KMS, such as AES symmetric key-based schemes, hashing algorithm-based schemes, the Kerberos protocol, and other solutions.
The Physical Layer Security Schemes category covers the techniques used to incorporate security in the physical environment. Here, we present three works [13, 80, 153], which use physical layer methods to protect the healthcare environment against wireless attacks. Atat et al. [13] proposed a three-tier hierarchical m-Health system where the first tier is occupied by the medical sensors, the second tier by the smart devices (smartphones), and the third tier by the central healthcare system. Atat et al.’s purpose was to develop a security scheme in the second tier based on Stochastic Geometry, which allowed an accurate model of participants’ spatial locations to be created to protect the defined use case. Li et al. [80] implemented another scheme called Friendly-Jamming. This security model was based on adding friendly jammers to the wireless network to confuse the eavesdropper and protect the legitimate network information. Finally, Wei and Liu [153] designed a model named Sparse Learning based Encryption and Recovery (SLER). This method improved the spectral efficiency and reduced the power consumption thanks to the theory of compressed sensing (CS), which leverages the characteristics of Sparse Learning in the compression of the IMD signal.
The Routing mechanisms category is created to protect the healthcare environment (mainly medical sensors and devices) against attacks such as Wormhole, Routing Attacks, DoS, etc. Due to different constraints that arise in WBANs, such as power consumption, low processing capabilities, or lack of memory (storage), the transmission mechanisms must be optimised and security-focused for this environment. We can point out three different mechanisms that develop this research line in [95, 109, 125]. Namely, Mehta and Parmar [95] presented certain problems that the Routing Protocol for Low Power and Lossy Network (RPL), standardised for IoT networks, had in security terms. They proposed a Lightweight Trust mechanism to secure RPL, where the nodes monitor their neighbours to check whether they are complying with RPL. Nidhya et al. [109] implemented an Energy-Aware Routing Mechanism also based on the Trust concept. In this case, they used Fog Computing to improve the quality of service, reduce the latency, etc., obtaining results where the latency was reduced by 19% and the communication overhead by 23%. Saba et al. [125] designed a secure and energy-efficient framework for IoMT, which was divided into the network structure of the medical sensors and sink node, the intelligent routing (modelling a graph with a cost function), and the secure data transmission (using Cipher Block Chaining and digital signatures). To conclude, we can highlight SDN technology as the main alternative for implementing a secure routing system, as it offers characteristics such as high-level security, intelligent network management, and optimal resource scheduling [121].
Data Aggregation is closely related to privacy in healthcare, since it is used for collecting data from different sources (medical sensors) and applying an aggregation technique to secure the information and keep it private. To better understand the current status of this technique in healthcare, we have analysed the works in [24, 117, 142]. Tang et al. [142] created a secure data aggregation scheme for the process of transmitting information from medical centers to the cloud server. They applied different characteristics to implement the technique: differential privacy preservation, where each healthcare center incorporates noise in its aggregated data; obliviousness security, in which the aggregated data generated in one healthcare center is not known by other centers due to the use of distinct secret keys; fair incentives, where patients providing data are rewarded; and healthcare center fault tolerance, where the cloud server can know the source of aggregated data thanks to Shamir’s Secret Sharing. Chen et al. [24] defended the use of the Federated Learning paradigm (a global model trained with local models where the data are generated) to implement secure data aggregation. Hence, Chen et al. combined Federated Learning with Transfer Learning to implement the data aggregation technique. Initially, they have a global model trained with public datasets, which is sent to users, who train the model with their local data; finally, the local models are transmitted to the cloud center. Finally, Ranjani NY et al. [117] proposed a cluster-based secure and private data aggregation model, using the Glowworm swarm optimization algorithm for the clustering process, the selection of a cluster head as the aggregator, and the cloud server for access to and maintenance of the aggregated data.
Proxy-based includes the mechanisms able to add intelligence between medical devices and the healthcare platform. The proxy approach consists of adding an entity, layer, or process to secure the data generated in medical devices. Different works address this topic [50, 75, 90, 154]. First, Wu et al. [154] created a proxy-based approach and adopted ciphertext-policy attribute-based encryption (CP-ABE) to protect the communications and provide fine-grained access control in IMD and WBAN environments. Kulac [75] created a jacket with multiple sensors. These sensors were implemented with the ability to communicate with the IMDs in the body of the patient. To implement security, the sensors were able to transmit wirelessly in different modes, such as jamming and spoofing modes. Han et al. [50] detected that different medical devices running healthcare applications contain a particular context. This produced crosscutting application code that increased the costs of development and maintenance, so they designed an encapsulation mechanism based on the context-oriented programming (COP) paradigm in IoMT to solve this problem. To conclude, Marwan et al. [90] proposed a cloud framework intended for data sharing and processing, built with two cryptosystems (AES and Paillier) for data encryption and key management. They incorporated a third-party entity called CloudSec to enforce security.
The Blockchain-based mechanisms are based on a decentralised ledger that records data in a database made up of different users hosted in different locations. The information is stored in blocks which cannot be modified or altered. The integration of Blockchain technology in healthcare has been addressed for years, and we can highlight the works published in [5, 25, 36, 59, 82, 143]. These works include some reviews that offer a complete view of the contributions achieved in the literature, and we select the most interesting information below. First, Esposito et al. [36] analysed the current problems of healthcare (access control, cloud-based solutions, etc.) and highlighted Blockchain as a possible alternative to improve the current context of healthcare, also exploring challenges belonging to Blockchain (storage, regulations compliance, etc.). The works of Liu et al. [82] and Chukwu and Garg [25] integrated Blockchain technology into EHR management. Liu et al. explained the main principles/challenges of this technology, and selected the Ethereum network and the Interplanetary File System peer-to-peer protocol to solve the scalability issue that healthcare had in the processing and storing of EHR. Chukwu and Garg proposed a Blockchain and Distributed Ledger Based Improved Bio-Medical Security system, characterised by the creation of a Trust model based on Linear Decision Making, and tested with an adversary model where man-in-the-middle and data tampering attacks are executed. In security terms, Tariq et al. [143] analysed different issues addressed with Blockchain, such as privacy leakage, data integrity, and DoS attack, as well as the advantages provided by this technology, such as confidentiality, non-repudiation, and immutability. Finally, Hussein et al. [59] gave a holistic view of Blockchain technology in healthcare, presenting the trends and opportunities mainly in the Telecare Medical Information System, a technology that connects patients and physicians to send and receive healthcare services and records from remote sites.
The Anomaly Detection research line encompasses intrusion detection techniques for discovering attacks or malicious actions in the network or system. The literature has addressed this topic in depth, and the works we selected are [21, 41, 49, 86, 133, 145]. For clinical scenarios, Fernández Maimó et al. [41] developed a ransomware detection and mitigation method focused on the spreading phase of this attack (exploiting a vulnerability available in the network/system). This work was designed taking into account a future hospital room with different sensors and medical equipment. They proposed a complete framework with different modules (Monitoring, Offline Model Generation, Analyser, and Detection & Reaction Modules) implemented with Machine Learning technology. Turning to IoMT/IMD-related work, Sehatbakhsh et al. [133], Manimurugan et al. [86], and Thamilarasu et al. [145] proposed different anomaly detection solutions. Sehatbakhsh et al. studied the involuntary electromagnetic emanations of embedded devices to detect possible anomalous actions through two phases: a training phase and a monitoring phase. Manimurugan et al. presented a method based on a Deep Belief Neural Network (training achieved layer by layer using the previous one) for effective attack detection. On the other hand, Thamilarasu et al. implemented a polynomial model (to predict sensor data) for detecting device-level anomalies using statistical regression (deviation). Among healthcare-focused works, Carvalho et al. [21] and Hady et al. [49] developed two anomaly detection methods, the first implementing a provider-consumer solution composed of hospitals (providers) and patients (consumers), and the second addressing a man-in-the-middle attack with a machine learning algorithm built from different techniques (Random Forest, Support Vector Machines, etc.).
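As an added illustration (not code from this survey or from the cited works), the following Python applies the polynomial-prediction approach described above for device-level anomalies: it fits a polynomial to a sliding window of sensor readings, forecasts the next one, and flags a reading whose deviation from the forecast exceeds a threshold. The window size, degree, threshold, and the heart-rate samples are assumptions constructed for the example.

```python
"""Device-level anomaly check: polynomial forecast plus deviation threshold.

Added illustration, not the model of any cited work. Window size, degree,
threshold and the sample readings are assumptions.
"""
from statistics import pstdev


def polyfit(xs, ys, degree):
    """Least-squares polynomial fit; returns coefficients, lowest power first."""
    n = degree + 1
    # Normal equations A c = b, with A[i][j] = sum(x^(i+j)), b[i] = sum(y * x^i).
    a = [[float(sum(x ** (i + j) for x in xs)) for j in range(n)] for i in range(n)]
    b = [float(sum(y * x ** i for x, y in zip(xs, ys))) for i in range(n)]
    # Gaussian elimination with partial pivoting.
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        b[col], b[pivot] = b[pivot], b[col]
        for row in range(col + 1, n):
            factor = a[row][col] / a[col][col]
            for k in range(col, n):
                a[row][k] -= factor * a[col][k]
            b[row] -= factor * b[col]
    # Back substitution.
    coeffs = [0.0] * n
    for i in reversed(range(n)):
        tail = sum(a[i][j] * coeffs[j] for j in range(i + 1, n))
        coeffs[i] = (b[i] - tail) / a[i][i]
    return coeffs


def evalpoly(coeffs, x):
    """Evaluate the fitted polynomial at x."""
    return sum(c * x ** i for i, c in enumerate(coeffs))


def detect(readings, window=8, degree=2, k=4.0, min_sigma=1.0):
    """Return (index, observed, predicted) for readings that break the forecast.

    The first `window` readings are treated as a trusted warm-up period.
    min_sigma is a floor (assumed sensor resolution) so that a very smooth
    window does not produce a near-zero threshold.
    """
    if len(readings) <= window or window <= degree:
        return []
    xs = list(range(window))
    history = list(readings[:window])
    alerts = []
    for idx in range(window, len(readings)):
        coeffs = polyfit(xs, history, degree)
        residuals = [y - evalpoly(coeffs, x) for x, y in zip(xs, history)]
        sigma = max(pstdev(residuals), min_sigma)
        predicted = evalpoly(coeffs, window)
        observed = readings[idx]
        if abs(observed - predicted) > k * sigma:
            alerts.append((idx, observed, round(predicted, 2)))
            # Keep the forecast, not the outlier, so one bad value
            # cannot drag the model towards the injected data.
            history = history[1:] + [predicted]
        else:
            history = history[1:] + [observed]
    return alerts


# Constructed heart-rate samples (bpm); index 11 is an injected value.
READINGS = [72, 73, 72, 74, 73, 75, 74, 76, 75, 77, 76, 140, 78, 77, 79, 78]
# Same series with a plausible value in place of the injected one.
CLEAN = READINGS[:11] + [77] + READINGS[12:]

if __name__ == "__main__":
    for idx, observed, predicted in detect(READINGS):
        print(f"sample {idx}: observed {observed} bpm, forecast {predicted} bpm")
```

Substituting the forecast for a flagged reading keeps a single injected value out of the model, but a sustained run of flagged readings would leave the window extrapolating from its own forecasts, so a deployment would need a re-baselining rule for that case.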
Finally, the Authentication Schemes research line includes the different techniques implemented to protect the authentication phase in healthcare. Several articles address this point [6, 11, 30, 53, 136, 137, 156], and they are divided into two approaches: biometric-based and mutual authentication. In the former, we highlight the works by Hathaliya et al. [53], Shakil et al. [136], Weitao et al. [156], and Patricia et al. [11], who defined the biometric approach as the inherent factors that users have, such as fingerprint and retina/iris. Hathaliya et al. created a hybrid approach with four phases: sensor registration, patient device registration with biometric data collected, patient registration, and login/authentication phase. Shakil et al. proposed a cloud-based secure biometric authentication (BAMHealthCloud) composed of two components, health data store and security manager. Besides, they incorporated a priority-based parallel algorithm called ALGOHealthSecurityCheck for data access. They used elliptic curve scalar multiplication to perform this change. Weitao et al. implemented a gait recognition mechanism based on a kinetic energy harvester (KEH), with great results. Finally, Patricia et al. proposed a novel authentication method through brainwaves, demonstrating the applicability of this biometric factor. In contrast to the biometric approach, mutual authentication was described by Deebak and Al-Turjman [30] and Alladi et al. [6] as the need to authenticate both sides of the communication. Deebak and Al-Turjman presented a smart mutual authentication framework constituted by three stages: initialization by service-authority center, registration by a medical sensor, and smart authentication. Alladi et al. explained a Healthcare Authentication Protocol using Resource-constrained IoT devices (HARCI) with key establishment features.

6.2 Main Datasets Implemented to Use in Healthcare

After showing the different research lines of security and privacy mechanisms extracted from the literature, we present the works and datasets developed in the healthcare environment. We show the healthcare security-focused datasets and the IoT security-focused datasets in two tables. The reason for creating two different tables is the lack of public healthcare security-focused datasets, which has forced us to extract information from other areas that can also be used in the medical environment. One of the causes of the lack of public data may be the degree of sensitivity of healthcare information (commented in Section 4.2). To find the datasets, we used specific search engines, such as Google Dataset [46], IEEEDataPort [60], and Kaggle [70]. Besides, we have used advanced searches (such as discarding statistical datasets and those focused on other environments, e.g., economic sectors) to obtain better results.
We have only found eight security-focused datasets, highlighting that five of them were created in 2021. In Table 5, we list these healthcare security-focused datasets. As an initial detail, we can highlight the year of creation of these datasets. This aspect may indicate a change of tendency: datasets that used to be private are now being published for this environment, due to the prominence healthcare has taken. The data of these datasets encompass different healthcare components, from IoMT devices to EEG brainwaves. First, IoT Healthcare Security Dataset [58] and ECU-IoHT [1] contain normal and malicious traffic collected from a simulated environment. In the case of IoT Healthcare Security Dataset, the data correspond to a hospital room, where sensors and control units were deployed. Bluetack [149] gathers Bluetooth traffic belonging to IoMT devices, where different attacks are applied, such as DoS and DDoS. Meanwhile, EEG Brainwave Dataset [4] was created for industrial insider threat detection. The dataset contains data from 17 volunteer subjects. Another interesting dataset that has not been collected from a medical environment is SOREL-20M [51]. We list this dataset here because it can be very useful for malware detection inside healthcare, since it contains twenty million malware samples and can help to train a Machine-Learning solution. The Received Signal Strength Based Gait Authentication dataset [101] includes a different type of data. It collects the received signal strength indicator (RSSI) emitted by wireless devices in WBANs to authenticate the patient. The last two datasets, which contain patient information, are Cyber Incident Detection for EMR [92] and MIMIC Dataset for Anomaly Detection [66]; both were created for incident detection in Electronic Medical Records (EMR) systems. In the case of MIMIC Dataset for Anomaly Detection, it extracts data from the MIMIC database [68], composed of public EMRs, to create a database that serves for anomaly detection.

Table 5. Healthcare Security-focused Datasets

| Dataset | Year | Device Type | Data Source | Data | Size | Details |
|---|---|---|---|---|---|---|
| Cyber Incident Detection for EMR [92] | 2017 | Patient information | Electronic Medical Records (EMR) | | 105MB | Complete framework created for detecting threats in EMRs |
| Received Signal Strength Based Gait Authentication [101] | 2018 | Waist device | 1/2 on-body radio channel | RSSI signal | 4.46MB (Zip file) | Study of RSSI signal to authenticate medical devices in WBANs |
| SOREL-20M [51] | 2020 | Network devices | Malware samples | Malware samples & processed features | 8TB | 20 million malware samples, which 10 million are disarmed malware samples |
| IoT Healthcare Security Dataset [58] | 2021 | Sensors, central unit | Network | PCAP captures and processed features | 15.46MB | Simulation of healthcare scenario with two patient beds with sensors and one central unit |
| Bluetack [149] | 2021 | Medical devices | Bluetooth | Meta-information of traffic flow and processed features | 2.72MB | Collected benign and malicious traffic for 52 hours. DDoS and Bluesmack on the L2CAP layer attacks performed |
| ECU-IoHT [1] | 2021 | Healthcare | Network | Raw captures | 5MB | Network packets classified with the attack performed |
| EEG Brainwave Dataset [4] | 2021 | Emotiv Insight | Device channels | EEG traffic | 406KB | EEG traffic collected to be used in insider threat detection |
| MIMIC Dataset for Anomaly Detection [66] | 2021 | Patient information | Electronic Medical Records (EMR) | | 91.30kB | Dataset created to perform anomaly detection |

Given the lack of datasets on healthcare security, we analysed other alternatives and present several IoT security-focused datasets in Table 6. IoT technology is widely used in the medical environment. We can leverage this adoption to complement the initial information that Machine Learning-based solutions need in the training phase to implement security and protection in the healthcare context. We have selected the most recent datasets available and the most significant and realistic projects in this process.

Table 6. IoT Security-focused Datasets

| Dataset | Year | Environment | Data | Size | Details |
|---|---|---|---|---|---|
| CICIDS2017 [138] | 2017 | Simulated | PCAP captures and processed features | 884.65MB | Network traffic collected for five days with benign and anomalous traffic |
| N-BaIoT Dataset [96] | 2018 | Simulated | PCAP captures and processed features | 8GB | Collection of benign traffic as well as malicious traffic carried by 2 botnets |
| Kitsune Network Attack Dataset [100] | 2018 | Simulated | PCAP captures and processed features | 64.18GB | Collection of benign traffic as well as malicious traffic of IoT network |
| IoT Security Dataset [16] | 2018 | Simulated | Network, resource usage | 132MB | Raspberry Pi with three profiles of IoT devices |
| IoT Network Intrusion Dataset [72] | 2019 | Simulated | PCAP captures and processed features | 823.69MB | Simulated network where attacks like scans, MitM and DoS are executed |
| Bot-IoT Dataset [102] | 2019 | Simulated | Processed features | 259.72MB | Realistic network where attacks like Data exfiltration and Keylogging are executed |
| IoT-23 Dataset [45] | 2020 | Simulated | PCAP captures and processed features | 21GB | Network traffic with infected and non-infected devices in smart home scenario |
| IoT DoS and DDoS Attack Dataset [57] | 2020 | Simulated | PCAP captures and processed features | 487MB (Zip file) | Transform network traffic into images with a CNN model to obtain better results |
| MQTT-IoT-IDS2020 Dataset [54] | 2020 | Simulated | PCAP captures and processed features | 1.65GB approx. | Simulated MQTT network architecture where different attacks are executed |
| MQTTset [151] | 2021 | Simulated | PCAP captures and processed features | 10GB | Simulated MQTT network architecture where different attacks are executed |
| IoT-BDA Botnet Analysis Dataset [148] | 2022 | Real | PCAP captures and processed features | 10GB | Dataset with data collected from IoT botnets samples by honeypots |

In this second category, we have only found eleven IoT security-focused datasets. IoT is a widely studied environment, and the years in which these datasets were released demonstrate this fact, being homogeneously distributed over time. Firstly, CICIDS2017 [138] was produced in a project where a simulated network was deployed. The traffic was collected for five days and different attacks (i.e., brute force and web attack) were executed. Kitsune Network Attack Dataset [100] presented the largest amount of data related to IoT traffic, including malicious attacks in the collection. N-BaIoT Dataset [96], IoT Security Dataset [16], and IoT-BDA Botnet Analysis Dataset [148] provided data from attacks created with botnets. This last dataset [148] was created with real traffic collected by different honeypots. For N-BaIoT Dataset, the attacks were produced with two botnets (Mirai and BASHLITE) having nine IoT devices as main targets. In contrast, IoT Security Dataset simulated three IoT profiles (Multimedia Center, Surveillance Camera, and Surveillance Camera with Additional Traffic profiles) with a Raspberry Pi and executed the attacks on it. Then, IoT Network Intrusion Dataset [72] is a smart home-focused dataset, where IoT devices deployed in this scenario were targets of different attacks. IoT-23 Dataset [45] consists of twenty malware captures and three benign captures. This dataset was created by Avast Software, creator of a well-known antivirus. To continue, IoT DoS and DDoS Attack Dataset [57] was produced to address DoS and DDoS attacks. The work that encompassed this dataset implemented a Convolutional Neural Network (CNN) model to detect such attacks. Finally, two specific datasets are presented, MQTT-IoT-IDS2020 Dataset [54] and MQTTset [151]. The Message Queuing Telemetry Transport (MQTT) protocol is one of the most used in industry and in IoT Machine to Machine communication. Besides, this protocol is starting to be used in the healthcare environment [132]. For this reason, we present these two datasets simulating an MQTT network architecture, where different attacks are produced, such as brute force and scan attack.

7 Discussion and Challenges

In this survey, different contributions are shown, namely, a healthcare ecosystem definition, the security, privacy and safety requirements, the threat modelling of attacks targeted to healthcare with MITRE ATT&CK, the research lines available in the literature regarding protection mechanisms, and the datasets created in this environment. The identification of threats and protection mechanisms is already available in the literature [108, 119]. However, our survey offers a threat modelling with a widely used framework, providing interoperability, compatibility, a reference framework to compare different related works, and the definition of the main research lines that can serve as a starting point to classify the security mechanisms implemented in healthcare. Hereafter, we discuss the limitations and future work of the research lines presented in Section 6, as well as the challenges identified in cybersecurity terms in the healthcare environment. Different challenges or research areas are discussed below:
Security and privacy mechanisms. Several research lines have been discovered and some challenges or future work have been identified, as shown in Table 4. Blockchain technology offers diverse advantages to the healthcare environment, but also different challenges to address, such as scalability, mining incentives, and security [91]. Besides, authentication schemes play an important role in communications, which also need more secure and advanced key management schemes to improve protection mechanisms [103]. The data aggregation technique can help privacy in healthcare, but some aspects of data aggregation have not been covered so far, such as the computation cost or the standardization of interfaces or protocols for this field [77]. Finally, the anomaly detection mechanisms need the collection of the context (real-time information) to provide better results in the medical domain [41].
Communication protocols. In Section 2, different standards were presented for telemetry in medical devices. However, works identified a lack of standardization in this area, mainly security-focused [3, 108]. Algarni [3] indicated that there is a large number of manufacturers and sensor types, each one functioning with a different protocol. On the other hand, Newaz et al. [108] presented different standards, such as IEC 82304-1:2016, ISO/IEC 8001, and IEC/TR 80002 (1-2009, 2-2017, 3-2014), which offer good practices to apply in medical devices. However, they highlighted that these standards do not cover the cybersecurity and privacy protection required for medical devices. In addition, Loncar-Turucalo et al. [83] commented on the use of IEEE802.15.6 in WBAN scenarios to provide communication between medical sensors. Hence, different works provided improvements to this protocol in healthcare [33, 152]. As a concept not covered within this challenge, we detect that the reviews analysed do not mention the use of secure protocols, such as Transport Layer Security (TLS), Datagram TLS (DTLS), etc., to protect the communications between medical devices. However, these secure protocols protect the packet content, but personal data could be inferred from the packet headers, affecting the user privacy. Regarding this, privacy-focused protocols could be used (Tor, Virtual Private Network, etc.). Therefore, we conclude that specific work is required to create and propose standards that provide more security and privacy in medical communications.
Computing paradigms. The healthcare environment comprises many different technologies and data collectors from multiple places. Securing the data sources to masquerade the information and avoid data leakages/breaches is a real need in this context. Cloud Computing is widely used in the medical domain to aggregate and publish the information collected from all entities. However, this paradigm presents some issues in terms of mobility support and low latency [85]. Fog Computing (bringing processing closer to the source of information) is designed to cover these issues, providing some advantages, such as distributed processing, privacy, security, scalability, and fault tolerance, which can be incorporated into healthcare knowing the requirements of this environment (context awareness, real-time processing, etc.) [105]. However, this paradigm also presents challenges in healthcare in terms of shared resources [105].
Access control. In healthcare, access control is an essential aspect due to the heterogeneity characterising this field. Currently, different works have addressed fine-grained access control to provide security and privacy in this process [31, 123, 161]. Regarding technologies used, Blockchain (presented in Table 4) has also been used to improve the access control mechanism [160]. Furthermore, Sahi et al. [126] showed the importance of privacy-focused access control, which was patient-centric with a graduated access level to the EHRs. In addition, a standard policy creation in the access control could help to improve and manage this distributed scenario which is composed of many different users, sensors, devices, and servers [108].
Trust management. For WBANs and healthcare networks, trust between nodes and sensors should be established. In many cases, incorrect trust management generates different attacks, such as impersonation, sinkhole, device cloning, etc. To this end, Meng et al. [97] included trust as one of the primary mechanisms to prevent and detect intrusion attacks. They incorporated trust mechanisms to a healthcare SDN, but they explained different challenges such as the security policy enforcement and additional security mechanisms. A limited number of works addresses this issue. However, we can highlight Jabeen et al.’s work [64] because they provide a complete view of trust in healthcare systems. They divide trust into hard (created with technical solutions) and soft (non-cryptographic) relations. Finally, Jabeen et al. listed different areas needing more effort with trust mechanisms, such as WBANs (ensuring the trustworthiness between stakeholders), ubiquitous healthcare systems (more research to provide interoperability and portability), and healthcare services availability (cloud reputation evaluation model for healthcare).
Telehealthcare. This approach was created to cover the new needs that healthcare has regarding remote monitoring and disease management. Telehealthcare consists of uploading the information collected by the sensors in WBANs to the centralised platform available for doctors and healthcare practitioners [52]. However, this technology presents different issues/limitations that should be improved, such as the high availability of telehealth services, since many attacks target this requirement, which is critical for patient safety [88]. Besides, the number of connected devices is also a challenge for properly managing and processing the information provided and assuring the security and privacy of devices and data.
Open data sources (datasets). In Section 6.2, the lack of public security-focused datasets was identified. This fact is detrimental to creating security mechanisms based on artificial intelligence techniques. For this reason, we point out the need to create simulated scenarios where data can be collected and datasets may be designed. Furthermore, our work selects this challenge as one of the most interesting ones to continue with because we understand the lack of public datasets as an opportunity to produce important contributions to healthcare. In our view, an interesting scenario could be composed of a patient with different sensors connected to an application (smartphone), whose data are sent to a central management software able to process and store the information. Moreover, specific attacks (presented in this work) could be executed targeting the sensors/application/central software to create a real use case scenario. This could be beneficial in the research of new approaches and mechanisms to protect healthcare.

8 Conclusion

In this work, a complete holistic view of cybersecurity in healthcare has been presented. We have analysed the architecture and the main stakeholders in this scenario, as well as the security, privacy, and safety requirements affecting the medical domain. As a more significant contribution, we have listed the primary threats identified in the literature, formalising them with a widely used framework, MITRE ATT&CK, to provide interoperability, compatibility, and a reference framework to compare different related works. This effort has also given us the possibility of identifying direct countermeasures defined for each technique classified in the framework. Moreover, we showed the main research lines that appear in the literature regarding security mechanisms in healthcare, as well as the enumeration of the public security-focused datasets available to be used in this field. In addition, different challenges highlighted the need to continue the efforts in this area, such as security mechanisms, access control, trust management, and telehealthcare, among others. Finally, we point out that this review provides helpful information about cybersecurity in healthcare that can be used in future works centered on this field.

References

[1]
Mohiuddin Ahmed, Surender Byreddy, Anush Nutakki, Leslie F. Sikos, and Paul Haskell-Dowland. 2021. ECU-IoHT: A dataset for analyzing cyberattacks in internet of health things. Ad Hoc Network 122 (2021), 9 pages.
[2]
Moshaddique Al Ameen, Jingwei Liu, and Kyungsup Kwak. 2012. Security and privacy issues in wireless sensor networks for healthcare applications. Journal of Medical Systems 36, 1 (2012), 93–101.
[3]
Abdullah Algarni. 2019. A survey and classification of security and privacy research in smart healthcare systems. IEEE Access 7 (2019), 101879–101894.
[4]
Ahmed Alhammadi et al. 2021. EEG Brainwave Dataset. (2021). DOI:
[5]
Aitizaz Ali et al. 2021. Security, privacy, and reliability in digital healthcare systems using blockchain. Electronics 10, 16 (2021), 27 pages.
[6]
Tejasvi Alladi, Vinay Chamola, and Naren. 2021. HARCI: A two-way authentication protocol for three entity healthcare IoT networks. IEEE Journal on Selected Areas in Communications 39, 2 (2021), 361–369.
[7]
Hussain Almohri, Long Cheng, Danfeng Yao, and Homa Alemzadeh. 2017. On threat modeling and mitigation of medical cyber-physical systems. In Proceedings of the 2017 IEEE/ACM International Conference on Connected Health: Applications, Systems, and Engineering Technologies. IEEE, 114–119.
[8]
Riham Altawy and Amr M. Youssef. 2016. Security tradeoffs in cyber physical systems: A case study survey on implantable medical devices. IEEE Access 4 (2016), 959–979.
[9]
Suvini P. Amaraweera and Malka N. Halgamuge. 2019. Internet of things in the healthcare sector: Overview of security and privacy issues. Security, Privacy, and Trust in the IoT Environment. 153–179.
[10]
Ajit Appari and M. Eric Johnson. 2010. Information security and privacy in healthcare: Current state of research. International Journal of Internet and Enterprise Management 6, 4 (2010), 279–314.
[11]
Patricia Arias-Cabarcos, Thilo Habrich, Karen Becker, Christian Becker, and Thorsten Strufe. 2021. Inexpensive brainwave authentication: New techniques and insights on user acceptance. In Proceedings of the 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 55–72.
[12]
Jeffrey K. Aronson, Carl Heneghan, and Robin E. Ferner. 2020. Medical devices: Definition, classification, and regulatory implications. Drug Safety 43 (2020), 83–93.
[13]
Rachad Atat et al. 2018. A physical layer security scheme for mobile health cyber-physical systems. IEEE Internet of Things Journal 5, 1 (2018), 295–309.
[14]
Bachelor’s in Healthcare Practice Management. 2022. Patient Confidentiality in Healthcare. (2022). Retrieved from https://online.maryville.edu/blog/patient-confidentiality.
[15]
Jan H. Beinke, Christian Fitte, and Frank Teuteberg. 2019. Towards a stakeholder-oriented blockchain-based architecture for electronic health records: Design science research study. Journal of Medical Internet Research 21, 10 (2019), 14 pages.
[16]
Vitor H. Bezerra et al. 2018. Providing IoT host-based datasets for intrusion detection research. In Proceedings of the 18th Brazilian Symposium on Information and System Security. SBC, 15–28.
[17]
Soumitra S. Bhuyan et al. 2020. Transforming healthcare cybersecurity from reactive to proactive: Current status and future recommendations. Journal of Medical Systems 44 (2020), 9 pages.
[18]
Sergio Caltagirone, Andrew Pendergast, and Christopher Betz. 2013. The Diamond Model of Intrusion Analysis. (2013). Retrieved from https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf.
[19]
Carmen Camara, Pedro Peris-Lopez, and Juan E. Tapiador. 2015. Security and privacy issues in implantable medical devices: A comprehensive survey. Journal of Biomedical Informatics 55 (2015), 272–289.
[20]
Nadir A. Carreón, Christa Sonderer, Aakarsh Rao, and Roman Lysecky. 2021. A medical vulnerability scoring system incorporating health and data sensitivity metrics. International Journal of Computer and Information Technology 15, 8 (2021), 458–466.
[21]
Luiz F. M. Carvalho et al. 2017. Provider-consumer anomaly detection for healthcare systems. In Proceedings of the 2017 IEEE International Conference on Healthcare Informatics. IEEE, 229–238.
[22]
Anil Chacko and Thaier Hayajneh. 2018. Security and privacy issues with IoT in healthcare. EAI Endorsed Transactions on Pervasive Health and Technology 4, 14 (2018), 7 pages.
[23]
Melissa Chase and Steven C. Coley. 2020. Rubric for Applying CVSS to Medical Devices. (2020). Retrieved from https://www.mitre.org/publications/technical-papers/rubric-for-applying-cvss-to-medical-devices.
[24]
Yiqiang Chen, Xin Qin, Jindong Wang, Chaohui Yu, and Wen Gao. 2020. FedHealth: A federated transfer learning framework for wearable healthcare. IEEE Intelligent Systems 35, 4 (2020), 83–93.
[25]
Emeka Chukwu and Lalit Garg. 2020. A systematic review of blockchain in healthcare: Frameworks, prototypes, and implementations. IEEE Access 8 (2020), 21196–21214.
[26]
Lisa Croke. 2020. Cyberattacks in health care can threaten patient safety. AORN Journal 112, 4 (2020), P5–P5.
[27]
L. Minh Dang, Md. Jalil Piran, Dongil Han, Kyungbok Min, and Hyeonjoon Moon. 2019. A survey on internet of things and cloud computing for healthcare. Electron 8, 7 (2019), 49 pages.
[28]
Salaheddin Darwish, Ilia Nouretdinov, and Stephen D. Wolthusen. 2017. Towards composable threat assessment for medical IoT (MIoT). In Procedia Computer Science, Vol. 113. Elsevier B.V., 627–632.
[29]
D. Stalin David and A. Jeyachandran. 2016. A comprehensive survey of security mechanisms in healthcare applications. In Proceedings of the 2016 International Conference on Communication and Electronics Systems (ICCES). IEEE, 1–6.
[30]
B. D. Deebak and Fadi Al-Turjman. 2021. Smart mutual authentication protocol for cloud based medical healthcare systems using internet of medical things. IEEE Journal on Selected Areas in Communications 39, 2 (2021), 346–360.
[31]
Steven A. Demurjian, Eugene Sanzi, Thomas P. Agresta, and William A. Yasnoff. 2018. Multi-level security in healthcare using a lattice-based access control model. International Journal of Privacy and Health Information Management 7, 1 (2018), 80–102.
[32]
Pradeep Deshmukh. 2017. Design of cloud security in the EHR for Indian healthcare services. Journal of King Saud University - Computer and Information Sciences 29, 3 (2017), 281–287.
[33]
S. Dharshini and M. Monica Subashini. 2020. DMASK-BAN: Improving the security of body area networks. Computer Fraud & Security 2020, 5 (2020), 13–19.
[34]
Amir Djenna and Diamel E. Saïdouni. 2018. Cyber attacks classification in IoT-based-healthcare infrastructure. In Proceedings of the 2nd Cyber Security in Networking Conference (CSNet). IEEE, 1–4.
[35]
Nourhene Ellouze, Mohamed Allouche, Habib B. Ahmed, Slim Rekhis, and Noureddine Boudriga. 2014. Security of implantable medical devices: Limits, requirements, and proposals. Security and Communication Networks 7, 12 (2014), 2475–2491.
[36]
Christian Esposito, Alfredo De Santis, Genny Tortora, Henry Chang, and Kim-Kwang Raymond Choo. 2018. Blockchain: A panacea for healthcare cloud-based data security and privacy? IEEE Cloud Computing 5, 1 (2018), 31–37.
[37]
EU GDPR. 2016. Regulation (EU) 2016/679 (General Data Protection Regulation). (2016). Retrieved from http://data.europa.eu/eli/reg/2016/679/2016-05-04.
[38]
European Medicines Agency. 2022. Science Medicines Health. (2022). Retrieved from https://www.ema.europa.eu.
[39]
European Parliament. 2017. Regulation (EU) 2017/745 on Medical Devices. (2017). Retrieved from https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices_en.
[40]
Aqsa Fatima and Ricardo Colomo-Palacios. 2018. Security aspects in healthcare information systems: A systematic mapping. Procedia Computer Science. 138, 12–19.
[41]
Lorenzo Fernández Maimó et al. 2019. Intelligent and dynamic ransomware spread detection and mitigation in integrated clinical environments. Sensors 19, 5 (2019), 1114.
[42]
Stephen Flowerday and Christos Xenakis. 2022. Security and privacy in distributed healthcare environments. Methods of Information in Medicine. (2022).
[43]
France 24. 2021. Cyber Attacks Hit Two French Hospitals in One Week. (2021). Retrieved from https://www.france24.com/en/europe/20210216-cyber-attacks-hit-two-french-hospitals-in-one-week.
[44]
Raghu K. Ganti, Praveen Jayachandran, Tarek F. Abdelzaher, and John A. Stankovic. 2006. SATIRE: A software architecture for Smart AtTIRE. In Proceedings of the 4th International Conference on Mobile Systems, Applications and Services. ACM, 110–123.
[45]
Sebastian Garcia, Agustin Parmisano, Maria J. Erquiaga, Veronica Valeros, and Maria Rigaki. 2020. IoT-23: A Labeled Dataset with Malicious and Benign IoT Network Traffic. (2020). DOI:
[46]
Google. 2022. Dataset Search. (2022). Retrieved from https://datasetsearch.research.google.com.
[47]
Rajesh Gupta, Sudeep Tanwar, Sudhanshu Tyagi, and Neeraj Kumar. 2019. Tactile-internet-based telesurgery system for Healthcare 4.0: An architecture, research challenges, and future directions. IEEE Network 33, 6 (2019), 22–29.
[48]
Hadi Habibzadeh and Tolga Soyata. 2019. Connected Health in Smart Cities. Springer, Cham, Chapter Toward uniform smart healthcare ecosystems: A survey on prospects, security, and privacy considerations, 75–112.
[49]
Anar A. Hady, Ali Ghubaish, Tara Salman, Devrim Unal, and Raj Jain. 2020. Intrusion detection system for healthcare systems using medical and network data: A comparison study. IEEE Access 8 (2020), 106576–106584.
[50]
Bo Han, Zhao Yin-Liang, and Zhu Chang-Peng. 2019. An object proxy-based dynamic layer replacement to protect IoMT applications. Security and Communication Networks 2019, Article 2798571 (2019), 9 pages.
[51]
Richard Harang and Ethan M. Rudd. 2020. SOREL-20M: A large scale benchmark dataset for malicious PE detection. arXiv:2012.07634. Retrieved from https://arxiv.org/abs/2012.07634.
[52]
Jigna J. Hathaliya and Sudeep Tanwar. 2020. An exhaustive survey on security and privacy issues in Healthcare 4.0. Computer Communications 153 (2020), 311–335.
[53]
Jigna J. Hathaliya, Sudeep Tanwar, Sudhanshu Tyagi, and Neeraj Kumar. 2019. Securing electronics healthcare records in Healthcare 4.0: A biometric-based approach. Computers & Electrical Engineering 76 (2019), 398–410.
[54]
Hanan Hindy, Christos Tachtatzis, Robert Atkinson, Ethan Bayne, and Xavier Bellekens. 2020. MQTT-IoT-IDS2020: MQTT Internet of Things Intrusion Detection Dataset. (2020). DOI:
[55]
HIPAA Journal. 2022. HIPAA Compliance Checklist 2022. (2022). https://www.hipaajournal.com/hipaa-compliance-checklist.
[56]
Suyoun Hong, Kwangsoo Kim, and Taekyu Kim. 2019. The design and implementation of simulated threat generator based on MITRE ATT&CK for cyber warfare training. Journal of the Korea Institute of Military Science and Technology 22, 6 (2019), 797–805.
[57]
Faisal Hussain et al. 2021. IoT DoS and DDoS Attack Dataset. DOI:
[58]
Faisal Hussain et al. 2021. IoT Healthcare Security Dataset. DOI:
[59]
Hassan M. Hussien, Sharifah Md Yasin, Nur I. Udzir, Mohd I. H. Ninggal, and Sadeq Salman. 2021. Blockchain technology in the healthcare industry: Trends and opportunities. Journal of Industrial Information Integration 22 (2021), 100217.
[60]
IEEE. 2022. IEEEDataPort. Retrieved from https://ieee-dataport.org.
[61]
Information Technology Laboratory. 2019. Common Vulnerability Scoring System (CVSS) v3. https://nvd.nist.gov/vuln-metrics/cvss.
[62]
Information Technology Laboratory. 2022. National Vulnerability Database. Retrieved from https://nvd.nist.gov.
[63]
S. M. Riazul Islam, Daehan Kwak, MD. Humaun Kabir, Mahmud Hossain, and Kyung-Sup Kwak. 2015. The internet of things for health care: A comprehensive survey. IEEE Access 3 (2015), 678–708.
[64]
Farhana Jabeen, Zara Hamid, Adnan Akhunzada, Wadood Abdul, and Sanaa Ghouzali. 2018. Trust and reputation management in healthcare systems: Taxonomy, requirements and open issues. IEEE Access 6 (2018), 17246–17263.
[65]
Tallat Jabeen, Humaira Ashraf, and Ata Ullah. 2021. A survey on healthcare data security in wireless body area networks. Journal of Ambient Intelligence and Humanized Computing 12 (2021), 9841–9854.
[66]
Seemandhar Jain. 2021. MIMIC Dataset for Anomaly Detection. DOI:
[67]
Khlood Jastaniah, Ning Zhang, and Mustafa A. Mustafa. 2022. Efficient privacy-friendly and flexible IoT data aggregation with user-centric access control. arXiv:2203.00465. Retrieved from https://arxiv.org/abs/2203.00465.
[68]
Alistair E. W. Johnson et al. 2016. MIMIC-III, a freely accessible critical care database. Scientific Data 3, Article 160035 (2016), 9 pages.
[69]
Gulraiz J. Joyia, Rao M. Liaqat, Aftab Farooq, and Saad Rehman. 2017. Internet of medical things (IoMT): Applications, benefits and future challenges in healthcare domain. Journal of Communications 12, 4 (2017), 240–247.
[70]
Kaggle Inc. 2022. Kaggle. https://www.kaggle.com.
[71]
Mohan K. Kagita, Navod Thilakarathne, Thippa R. Gadekallu, and Praveen K. R. Maddikunta. 2022. Intelligent Internet of Things for Healthcare and Industry. Springer, Cham, Chapter A review on security and privacy of internet of medical things, 171–187.
[72]
Hyunjae Kang et al. 2019. IoT Network Intrusion Dataset. DOI:
[73]
Younghyun Kim et al. 2015. Implantable Biomedical Microsystems: Design Principles and Applications. William Andrew Publishing, Oxford, Chapter Reliability and security of implantable and wearable medical devices, 167–199.
[74]
Jeonggil Ko et al. 2010. MEDiSN: Medical emergency detection in sensor networks. ACM Transactions on Embedded Computing Systems 10, 1, Article 11 (2010), 29 pages.
[75]
S. Kulaç. 2019. A new externally worn proxy-based protector for non-secure wireless implantable medical devices: Security jacket. IEEE Access 7 (2019), 55358–55366.
[76]
Caleb Kumar. 2017. New dangers in the new world: Cyber attacks in the healthcare industry. Int. J. Sci. Technol. Soc 10, 3 (2017), 1–15.
[77]
Aparna Kumari, Sudeep Tanwar, Sudhanshu Tyagi, and Neeraj Kumar. 2018. Fog computing for Healthcare 4.0 environment: Opportunities and challenges. Computers & Electrical Engineering 72 (2018), 1–13.
[78]
Roger Kwon, Travis Ashley, Jerry Castleberry, Penny Mckenzie, and Sri Nikhil G. Gourisetti. 2020. Cyber threat dictionary using MITRE ATT&CK matrix and NIST cybersecurity framework mapping. In Proceedings of the 2020 Resilience Week (RWS). IEEE, 106–112.
[79]
Young S. Lee, Esko Alasaarela, and HoonJae Lee. 2014. Secure key management scheme based on ECC algorithm for patient’s medical information in healthcare system. In Proceedings of the International Conference on Information Networking. IEEE, 453–457.
[80]
Xuran Li et al. 2020. Securing internet of medical things with friendly-jamming schemes. Computer Communications 160 (2020), 431–442.
[81]
Xueping Liang et al. 2017. Towards decentralized accountability and self-sovereignty in healthcare systems. In Proceedings of the 19th International Conference on Information and Communications Security. Springer, Cham, 387–398.
[82]
Haibing Liu, Rubén González Crespo, and Oscar Sanjuán Martínez. 2020. Enhancing privacy and data security across healthcare applications using blockchain and distributed ledger concepts. Healthcare 8, 3, Article 243 (2020), 17 pages.
[83]
Tatjana Loncar-Turukalo et al. 2019. Literature on wearable technology for connected health: Scoping review of research trends, advances, and barriers. Journal of Medical Internet Research 21, 9, Article e14017 (2019), 23 pages.
[84]
Sabina Magalini et al. 2021. Cyberthreats to hospitals: Panacea, a toolkit for people-centric cybersecurity. Journal of Strategic Innovation and Sustainability 16, 3 (2021), 185–191.
[85]
Mukhtar M. E. Mahmoud et al. 2018. Enabling technologies on cloud of things for smart healthcare. IEEE Access 6 (2018), 31950–31967.
[86]
S. Manimurugan et al. 2020. Effective attack detection in internet of medical things smart environment using a deep belief neural network. IEEE Access 8 (2020), 77396–77404.
[87]
Gunasekaran Manogaran, Chandu Thota, Daphne Lopez, and Revathi Sundarasekar. 2017. Cybersecurity for Industry 4.0: Analysis for Design and Manufacturing. Springer, Cham, Chapter Big data security intelligence for healthcare Industry 4.0, 103–126.
[88]
Gastón Márquez, Hernán Astudillo, and Carla Taramasco. 2019. Exploring security issues in telehealth systems. In Proceedings of the IEEE/ACM 1st International Workshop on Software Engineering for Healthcare (SEH). IEEE, 65–72.
[89]
Lockheed Martin. 2011. The Cyber Kill Chain. (2011). Retrieved from https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html.
[90]
Mbarek Marwan, Ali Karti, and Hassan Ouahmane. 2021. Proposal for a secure data sharing and processing in cloud applications for healthcare domain. International Journal of Information Technology and Applied Sciences 3, 1 (2021), 10–17.
[91]
Thomas McGhin, Kim-Kwang R. Choo, Charles Z. Liu, and Debiao He. 2019. Blockchain in healthcare applications: Research challenges and opportunities. Journal of Network and Computer Applications 135 (2019), 62–75.
[92]
David McGlade and Sandra Scott-Hayward. 2019. ML-based cyber incident detection for electronic medical record (EMR) systems. Smart Health 12 (2019), 3–23.
[93]
Aleise Mcgowan, Scott Sittig, and Todd Andel. 2021. Medical internet of things: A survey of the current threat and vulnerability landscape. In Proceedings of the 54th Hawaii International Conference on System Sciences (HICSS). ScholarSpace, 3850–3858.
[94]
Pallavi Meharia and Dharma P. Agrawal. 2016. A hybrid key management scheme for healthcare sensor networks. In Proceedings of the 2016 IEEE International Conference on Communications (ICC). IEEE, 1–6.
[95]
Ruchi Mehta and M. M. Parmar. 2018. Trust based mechanism for securing IoT routing protocol RPL against wormhole & grayhole attacks. In Proceedings of the 3rd International Conference for Convergence of Technology (I2CT). IEEE, 1–6.
[96]
Yair Meidan et al. 2018. N-BaIoT–Network-based detection of IoT botnet attacks using deep autoencoders. IEEE Pervasive Computing 17, 3 (2018), 12–22.
[97]
Weizhi Meng, Kim-Kwang R. Choo, Steven Furnell, Athanasios V. Vasilakos, and Christian W. Probst. 2018. Towards bayesian-based trust management for insider attacks in healthcare software-defined networks. IEEE Transactions on Network and Service Management 15, 2 (2018), 761–773.
[98]
Microsoft Corporation. 2009. The STRIDE Threat Model. (2009). Retrieved from https://msdn.microsoft.com/library/ee823878.
[99]
Markus Miettinen et al. 2017. IoT SENTINEL: Automated device-type identification for security enforcement in IoT. In Proceedings of the IEEE 37th International Conference on Distributed Computing Systems. IEEE, 2177–2184.
[100]
Yisroel Mirsky, Tomer Doitshman, Yuval Elovici, and Asaf Shabtai. 2018. Kitsune: An ensemble of autoencoders for online network intrusion detection. arXiv:1802.09089. Retrieved from https://arxiv.org/abs/1802.09089.
[101]
Marshed Mohamed and Michael Cheffena. 2018. Received signal strength based gait authentication. IEEE Sensors Journal 18, 16 (2018), 6727–6734.
[102]
Nour Moustafa. 2019. The Bot-IoT Dataset. DOI:
[103]
Lorenzo Mucchi, Sara Jayousi, Alessio Martinelli, Stefano Caputo, and Patrizio Marcocci. 2019. An overview of security threats, solutions and challenges in WBANs for healthcare. In Proceedings of the 13th International Symposium on Medical Information and Communication Technology (ISMICT). IEEE, 1–6.
[104]
Uzma Mustafa, Eckhard Pflugel, and Nada Philip. 2019. A novel privacy framework for secure m-health applications: The case of the GDPR. In Proceedings of the IEEE 12th International Conference on Global Security, Safety and Sustainability (ICGS3). IEEE, 1–9.
[105]
Ammar A. Mutlag, Mohd K. A. Ghani, N. Arunkumar, Mazin A. Mohammed, and Othman Mohd. 2019. Enabling technologies for fog computing in healthcare IoT systems. Future Generation Computer Systems 90 (2019), 62–78.
[106]
Nipuni Nanayakkara, Malka Halgamuge, and Ali Syed. 2019. Security and privacy of internet of medical things (IoMT) based healthcare applications: A review. In Proc. 262nd IIER Int. Conf. Institute for Technology and Research, 1–18.
[107]
Somayeh Nasiri, Farahnaz Sadoughi, Mohammad H. Tadayon, and Afsaneh Dehnad. 2019. Security requirements of internet of things-based healthcare system: A survey study. Acta Informatica Medica 27, 4 (2019), 253–258.
[108]
Akm I. Newaz, Amit K. Sikder, Mohammad A. Rahman, and A. Selcuk Uluagac. 2021. A survey on security and privacy issues in modern healthcare systems: Attacks and defenses. ACM Transactions on Computing for Healthcare 2, 3, Article 27 (2021), 44 pages.
[109]
R. Nidhya, S. Karthik, and G. Smilarubavathy. 2018. An end-to-end secure and energy-aware routing mechanism for IoT-based modern health care system. In Proceedings of the 2018 International Conference on Soft Computing and Signal Processing. Springer, Singapore, 379–388.
[110]
Harun Oz, Ahmet Aris, Albert Levi, and A. Selcuk Uluagac. 2022. A survey on ransomware: Evolution, taxonomy, and defense solutions. ACM Computing Surveys (2022), 36. Just Accepted.
[111]
Alexandros Pantelopoulos and Nikolaos G. Bourbakis. 2010. A survey on wearable sensor-based systems for health monitoring and prognosis. IEEE Transactions on Systems, Man, and Cybernetics, Part C (Applications and Reviews) 40, 1 (2010), 1–12.
[112]
Maria Papaioannou et al. 2022. A survey on security threats and countermeasures in internet of medical things (IoMT). Transactions on Emerging Telecommunications Technologies 33, 6, Article e4049 (2022), 15 pages.
[113]
Juha Partala et al. 2013. Security threats against the transmission chain of a medical health monitoring system. In Proceedings of the 2013 IEEE 15th International Conference on e-Health Networking, Applications and Services (Healthcom 2013). IEEE, 243–248.
[114]
Laurie Pycroft and Tipu Z. Aziz. 2018. Security of implantable medical devices with wireless connections: The dangers of cyber-attacks. Expert. Rev. Med. Devices 15, 6 (2018), 403–406.
[115]
Yazdan A. Qadri, Ali Nauman, Yousaf B. Zikria, Athanasios V. Vasilakos, and Sung W. Kim. 2020. The future of healthcare internet of things: A survey of emerging technologies. IEEE Communications Surveys & Tutorials 22, 2 (2020), 1121–1167.
[116]
QED Secure Solutions. 2018. Risk Scoring System for Medical Devices. (2018). Retrieved from https://www.riskscoringsystem.com/medical.
[117]
Sree Ranjani NY, A. G. Ananth, and L. Sudershan Reddy. 2021. Optimal cluster-based data aggregation in WSN for healthcare application. Advances in Dynamical Systems and Applications (ADSA) 16, 2 (2021), 683–701.
[118]
Heena Rathore, Amr Mohamed, Abdulla Al-Ali, Xiaojiang Du, and Mohsen Guizani. 2017. A review of security challenges, attacks and resolutions for wireless medical devices. In 13th International Wireless Communications and Mobile Computing Conference. IEEE, 1495–1501.
[119]
Abdul Razaque et al. 2019. Survey: Cybersecurity vulnerabilities, attacks and solutions in the medical domain. IEEE Access 7 (2019), 168774–168797.
[120]
Zia ur Rehman, Saud Altaf, and Saleem Iqbal. 2019. Survey of authentication schemes for health monitoring: A subset of cyber physical system. In Proceedings of the International Bhurban Conference on Applied Sciences and Technology. IEEE, 653–660.
[121]
Junyu Ren, Jinze Li, Huaxing Liu, and Tuanfa Qin. 2022. Task offloading strategy with emergency handling and blockchain security in SDN-empowered and fog-assisted healthcare IoT. Tsinghua Sci. Technol 27, 4 (2022), 760–776.
[122]
Meghan Roos. 2021. Cyberattack Throws Southern California Hospital System Offline for Days. (2021). Retrieved from https://www.newsweek.com/cyberattack-throws-southern-california-hospital-system-offline-days-1588355.
[123]
Sandip Roy et al. 2019. Provably secure fine-grained data access control over multiple cloud servers in mobile cloud computing based healthcare applications. IEEE Transactions on Industrial Informatics 15, 1 (2019), 457–468.
[124]
Michael Rushanan, Aviel D. Rubin, Denis F. Kune, and Colleen M. Swanson. 2014. SoK: Security and privacy in implantable medical devices and body area networks. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 524–539.
[125]
Tanzila Saba, Khalid Haseeb, Imran Ahmed, and Amjad Rehman. 2020. Secure and energy-efficient framework using internet of medical things for e-healthcare. Journal of Infection and Public Health 13, 10 (2020), 1567–1575.
[126]
Muneeb A. Sahi et al. 2018. Privacy preservation in e-healthcare environments: State of the art and future directions. IEEE Access 6 (2018), 464–478.
[127]
Mohammad A. Salahuddin, Ala Al-Fuqaha, Mohsen Guizani, Khaled Shuaib, and Farag Sallabi. 2017. Softwarization of internet of things infrastructure for secure and smart healthcare. IEEE Computer 50, 7 (2017), 74–79.
[128]
Yasmine N. M. Saleh, Claude C. Chibelushi, Ayman A. Abdel-Hamid, and Abdel-Hamid Soliman. 2020. Privacy preservation for wireless sensor networks in healthcare: State of the art, and open research challenges. arXiv:2012.12958. Retrieved from https://arxiv.org/abs/2012.12958.
[129]
Johannes Sametinger, Jerzy Rozenblit, Roman Lysecky, and Peter Ott. 2015. Security challenges for medical devices. Communications of the ACM 58, 4 (2015), 74–82.
[130]
Amal Sammoud, Mohamed Chalouf, Omessaad Hamdi, Nicolas Montavont, and Ammar Bouallegue. 2020. A new biometrics-based key establishment protocol in WBAN: Energy efficiency & security robustness analysis. Computers & Security 96, Article 101838 (2020), 15 pages.
[131]
Pedro M. Sánchez Sánchez et al. 2021. A survey on device behavior fingerprinting: Data sources, techniques, application scenarios, and datasets. IEEE Communications Surveys & Tutorials 23, 2 (2021), 1048–1077.
[132]
Borade S. Sarierao and Amara Prakasarao. 2018. Smart healthcare monitoring system using MQTT protocol. In Proceedings of the 2018 3rd International Conference for Convergence in Technology. IEEE, 1–5.
[133]
Nader Sehatbakhsh, Monjur Alam, Alireza Nazari, Alenka Zajic, and Milos Prvulovic. 2018. Syndrome: Spectral analysis for anomaly detection on medical IoT and embedded devices. In 2018 IEEE International Symposium on Hardware Oriented Security and Trust. IEEE, 1–8.
[134]
Farida H. Semantha, Sami Azam, Kheng C. Yeo, and Bharanidharan Shanmugam. 2020. A systematic literature review on privacy by design in the healthcare sector. Electron 9, 3, Article 452 (2020), 29 pages.
[135]
S. A. Senthilkumar, Bharatendara K. Rai, Amruta A. Meshram, Angappa Gunasekaran, and S. Chandrakumarmangalam. 2018. Big data in healthcare management: A review of literature. American Journal of Theoretical and Applied Business 4, 2 (2018), 57–69.
[136]
Kashish A. Shakil, Farhana J. Zareen, Mansaf Alam, and Suraiya Jabin. 2020. BAMHealthCloud: A biometric authentication and data management system for healthcare data in cloud. Journal of King Saud University-Computer and Information Sciences 32, 1 (2020), 57–64.
[137]
Salman Shamshad et al. 2022. An enhanced scheme for mutual authentication for healthcare services. Digital Communications and Networks 8, 2 (2022), 150–161.
[138]
Iman Sharafaldin, Arash H. Lashkari, and Ali A. Ghorbani. 2018. Toward generating a new intrusion detection dataset and intrusion traffic characterization. In Proceedings of the International Conference on Information Systems Security and Privacy. Springer, Cham, 108–116.
[139]
A. K. Singh, A. Anand, Z. Lv, H. Ko, and A. Mohan. 2021. A survey on healthcare data: A security perspective. ACM Transactions on Multimedia Computing Communications and Applications 17, 2s, Article 59 (2021), 26 pages.
[140]
Harman Singh. 2021. The GDPR: Sensitive Personal Data, Differences, Examples and Data Protection. (2021). Retrieved from https://thecyphere.com/blog/sensitive-data.
[141]
Haowen Tan and Ilyong Chung. 2018. A secure and efficient group key management protocol with cooperative sensor association in WBANs. Sens 18, 11, Article 3930 (2018), 25 pages.
[142]
Wenjuan Tang, Ju Ren, Kun Deng, and Yaoxue Zhang. 2019. Secure data aggregation of lightweight e-healthcare IoT devices with fair incentives. IEEE Internet of Things Journal 6, 5 (2019), 8714–8726.
[143]
Noshina Tariq, Ayesha Qamar, Muhammad Asim, and Farrukh A. Khan. 2020. Blockchain and smart healthcare security: A survey. Procedia Computer Science 175 (2020), 615–620.
[144]
Matt Tatam, Bharanidharan Shanmugam, Sami Azam, and Krishnan Kannoorpatti. 2021. A review of threat modelling approaches for APT-style attacks. Heliyon 7, 1, Article e05969 (2021), 19 pages.
[145]
Geethapriya Thamilarasu, Adedayo Odesile, and Andrew Hoang. 2020. An intrusion detection system for internet of medical things. IEEE Access 8 (2020), 181560–181576.
[146]
The EU MDR. 2021. Medical Device Regulation (EU) 2017/745 (EU MDR). Retrieved from https://eumdr.com.
[147]
The MITRE Corporation. 2021. MITRE ATT&CK v9.0. https://attack.mitre.org/versions/v9.
[148]
Tolijan Trajanovski and Ning Zhang. 2022. IoT-BDA Botnet Analysis Dataset. DOI:
[149]
Devrim Unal. 2021. BlueTack. DOI:
[150]
U.S. Food & Drug Administration. 2022. Medical Device Safety. Retrieved from https://www.fda.gov/medical-devices/medical-device-safety.
[151]
Ivan Vaccari, Giovanni Chiola, Maurizio Aiello, Maurizio Mongelli, and Enrico Cambiaso. 2020. MQTTset, a new dataset for machine learning techniques on MQTT. Sens 20, 22, Article 6578 (2020), 17 pages.
[152]
Junchao Wang et al. 2018. An ASIC implementation of security scheme for body area networks. In Proceedings of the 2018 IEEE International Symposium on Circuits and Systems. IEEE, 1–5.
[153]
Tiankuo Wei and Sicong Liu. 2021. Sparse learning based implantable medical device transmission against eavesdropping. In Proceedings of the 2021 15th International Symposium on Medical Information and Communication Technology (ISMICT). IEEE, 70–75.
[154]
Longfei Wu, Haotian Chi, and Xiaojiang Du. 2018. A secure proxy-based access control scheme for implantable medical devices. arXiv:1803.07751. Retrieved from https://arxiv.org/abs/1803.07751.
[155]
Fan Wu et al. 2018. A lightweight and robust two-factor authentication scheme for personalized healthcare systems using wireless medical sensor networks. Future Generation Computer Systems 82 (2018), 727–737.
[156]
Weitao Xu et al. 2017. KEH-Gait: Towards a mobile healthcare user authentication system by kinetic energy harvesting. In Proc. 2017 Netw. Dist. Syst. Sec. Symp. Internet Society, 1–15.
[157]
Tahreem Yaqoob, Haider Abbas, and Mohammed Atiquzzaman. 2019. Security vulnerabilities, attacks, countermeasures, and regulations of networked medical devices–A review. IEEE Communications Surveys and Tutorials 21, 4 (2019), 3723–3768.
[158]
David Zaldivar, Lo’ai A. Tawalbeh, and Fadi Muheidat. 2020. Investigating the security threats on networked medical devices. In Proceedings of the 2020 10th Annual Computing and Communication Workshop and Conference. IEEE, 0488–0493.
[159]
Meng Zhang, Anand Raghunathan, and Niraj K. Jha. 2014. Trustworthiness of medical devices and body area networks. Proceedings of the IEEE 102, 8 (2014), 1174–1188.
[160]
Xiaoshuai Zhang and Stefan Poslad. 2018. Blockchain support for flexible queries with granular access control to electronic medical records (EMR). In Proceedings of the 2018 IEEE International Conference on Communications. IEEE, 1–6.
[161]
Yinghui Zhang, Dong Zheng, and Robert H. Deng. 2018. Security and privacy in smart health: Efficient policy-hiding attribute-based access control. IEEE Internet of Things Journal 5, 3 (2018), 2130–2145.
[162]
Mohammed Zubair, Devrim Unal, Abdulla Al-Ali, and Abdullatif Shikfa. 2019. Exploiting bluetooth vulnerabilities in e-health IoT devices. In Proc. 3rd Int. Conf. Future Netw. Dist. Syst. ACM, Article 10, 7 pages.

Published In

ACM Computing Surveys  Volume 55, Issue 12
December 2023
825 pages
ISSN:0360-0300
EISSN:1557-7341
DOI:10.1145/3582891

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 March 2023
Online AM: 18 November 2022
Accepted: 08 November 2022
Revised: 30 September 2022
Received: 23 December 2021
Published in CSUR Volume 55, Issue 12

Author Tags

  1. Healthcare datasets
  2. threat taxonomy
  3. safety
  4. framework alignment
  5. review

Qualifiers

  • Survey

Funding Sources

  • European Commission Horizon 2020 Programme
