Every NHS Trust in Britain manages hundreds of connected medical devices – from insulin pumps transmitting patient glucose levels to MRI scanners sharing diagnostic images across hospital networks. These Internet of Medical Things (IoMT) devices enable life-saving remote monitoring and real-time clinical decisions.
However, medical devices were designed for patient care, not cyber threats. A compromised infusion pump could alter medication dosages. A breached patient monitor could expose confidential health records. The WannaCry ransomware attack in 2017 demonstrated this vulnerability when 81 NHS Trusts faced disrupted services, with MRI scanners rendered inoperable and 19,000 cancelled appointments.
This guide provides UK healthcare providers with practical IoMT security strategies aligned with the NHS Data Security and Protection Toolkit requirements, the ICO’s enforcement expectations, and the MHRA’s medical device regulations. You’ll learn how to classify and inventory IoMT devices, implement UK-specific compliance requirements, deploy Zero Trust architecture for clinical environments and secure legacy medical equipment that cannot be patched.
What is IoMT? Understanding the Internet of Medical Things
The Internet of Medical Things refers to the network of connected medical devices, healthcare applications and IT systems that collect, analyse and transmit patient health data across clinical networks. These devices range from wearable fitness trackers to life-critical implanted pacemakers, all sharing the common characteristic of network connectivity that enables remote monitoring and data exchange.
IoMT vs IoT: Critical Differences in Healthcare
Whilst IoMT evolved from broader Internet of Things principles, five distinctions separate consumer IoT from medical-grade IoMT devices.
- Risk Consequence: A compromised smart thermostat creates inconvenience. A compromised pacemaker creates a life-safety emergency. Consumer IoT failures typically result in financial loss or privacy breaches, whilst IoMT device compromise can cause patient injury or death.
- Regulatory Burden: Standard IoT products must meet the basic product safety standards outlined in the Consumer Rights Act 2015. IoMT devices require MHRA registration, Medical Device Regulations compliance, CE marking and ongoing post-market surveillance. The regulatory framework governing medical devices is substantially more stringent due to patient safety implications.
- Patching Cycle: Consumer IoT devices receive frequent automated updates with rapid iteration cycles. IoMT devices require extensive testing before software updates. An MRI scanner cannot receive overnight patches like a mobile phone. Updates may require equipment recalibration, clinical validation trials and scheduled downtime during non-critical hours. Many medical devices remain unpatchable throughout their operational lifespan.
- Network Requirements: Consumer IoT tolerates latency and occasional packet loss. IoMT demands real-time data transmission with zero tolerance for connectivity failures. A ventilator that transmits patient oxygen levels cannot afford the 3-5 second delays typically acceptable in smart home devices. Network reliability becomes a clinical safety requirement.
- Device Lifespan: Consumer IoT typically operates for 2-5 years before replacement. IoMT devices function for 10-20 years or longer. NHS Trusts have operated MRI scanners since the 1990s and CT equipment running Windows XP. This extended operational lifespan creates security challenges unknown in consumer environments where devices cycle through frequent upgrades.
How IoMT Evolved from Connected Devices to Clinical Systems
Early medical device connectivity focused on point-to-point links between individual devices and dedicated monitoring stations. A cardiac monitor connected directly to a bedside display unit with no broader network integration. This isolated approach limited data sharing but provided natural security through physical separation.
Modern IoMT represents full network integration. Devices connect to hospital WiFi, transmit data to cloud platforms and integrate with Electronic Patient Record systems. This connectivity enables remote patient monitoring programmes, allowing patients to receive care at home whilst clinicians monitor vital signs in real-time. The National Health Service Long Term Plan prioritises IoMT deployment for chronic disease management, aiming to reduce hospital admissions through early intervention.
However, this network integration introduces cybersecurity challenges. Devices designed initially for isolated operation now sit on networks accessible from the internet. Legacy equipment lacks security features expected in modern connected systems. The convergence of Information Technology (hospital computers and servers), Operational Technology (building management systems), and IoMT devices creates complex security requirements, where a compromise in one domain can spread to others.
IoMT Devices: Examples and Classifications
IoMT devices are divided into four primary categories, each with distinct security requirements and regulatory considerations under UK healthcare standards.
Wearable IoMT Devices
Wearable medical technology enables continuous patient monitoring outside clinical settings, supporting both consumer health tracking and clinical-grade diagnostics.
Consumer health wearables include continuous glucose monitors such as FreeStyle Libre, which track blood sugar levels in real time; smart fitness trackers that monitor heart rate variability; and blood pressure monitoring smartwatches that support GP-prescribed hypertension management. Clinical-grade wearables include Holter monitors that record 24-48 hours of ECG data, ambulatory blood pressure monitors that collect readings throughout daily activities, and wearable defibrillators that deliver automatic shocks to at-risk cardiac patients.
NHS Trusts are increasingly deploying wearable IoMT devices for remote patient monitoring programmes, particularly for the management of chronic diseases. However, these devices often connect to consumer-grade networks and personal smartphones, raising security concerns regarding data transmission.
Implantable Medical Devices
Life-critical implantable devices require the highest security standards due to their direct impact on patient safety.
Pacemakers with remote monitoring transmit heart rhythm data to cardiology clinics, enabling early intervention. Implantable cardioverter defibrillators detect and correct dangerous heart rhythms. Left ventricular assist devices support heart function in patients awaiting heart transplantation. Insulin pumps with continuous glucose monitoring integration automate insulin delivery, reducing hypoglycemic events for people with Type 1 diabetes. Neurostimulators deliver targeted electrical impulses for the management of chronic pain and neurological conditions.
The Medicines and Healthcare products Regulatory Agency maintains specific cybersecurity guidance for implantable IoMT devices. Security vulnerabilities could enable unauthorised parties to alter device programming, directly threatening patient safety. Several high-profile recalls have addressed firmware vulnerabilities in pacemakers and insulin pumps.
Stationary IoMT Equipment
High-value diagnostic and treatment systems that anchor UK hospital infrastructure represent a substantial investment and pose complex security challenges.
MRI scanners connect to hospital networks for Picture Archiving and Communication System integration, transmitting diagnostic images. CT scanners network with Electronic Patient Record systems. Digital X-ray equipment stores images on centralised servers. Radiotherapy linear accelerators require precise calibration data from treatment planning systems. Dialysis machines with remote monitoring alert clinical teams to treatment complications.
NHS Digital’s 2023 audit revealed that 67% of hospital imaging equipment relies on legacy Windows operating systems that reached end-of-life years ago. These systems cannot be updated without voiding manufacturer warranties or requiring full equipment recalibration, costing hundreds of thousands of pounds.
Mobile Clinical Devices
Devices used across multiple patients and departments present unique security challenges related to authentication and data segregation.
Smart infusion pumps deliver precise medication dosing whilst logging administration records. Portable ventilators with telemetry support patient transfer between departments. Mobile vital signs monitors connect wirelessly to centralised patient records. Portable ultrasound scanners enable bedside diagnostics. Mobile devices moving between network segments can potentially carry malware between isolated zones.
NHS England’s Digital Health Technology Standards require that all new IoMT device procurements meet the DCB0129 Clinical Risk Management standards. Manufacturers must demonstrate security controls throughout the device lifecycle.
IoMT Device Asset Management: UK Healthcare Strategies
Effective IoMT security begins with comprehensive visibility into every connected medical device across healthcare networks. NHS Trusts typically manage hundreds to thousands of IoMT endpoints, many remaining untracked or improperly inventoried in asset databases.
Discovering and Inventorying IoMT Devices
Medical departments frequently procure connected devices without the IT security team’s awareness, creating shadow IT challenges.
A 2023 NHS Digital survey found that 43% of medical devices on hospital networks were unknown to IT teams. Clinical departments purchase equipment through capital budgets without triggering IT asset management processes. Active vulnerability scans can crash sensitive medical equipment, so NHS Trusts should deploy passive discovery tools that analyse network traffic without sending probes.
Modern IoMT asset management platforms create behavioural fingerprints of device activity. Deviations from established patterns trigger security alerts. An infusion pump suddenly transmitting 100 times the normal data volume suggests either a malfunction or a compromise.
Lifecycle Management for Medical Equipment
IoMT security considerations extend across the entire device lifecycle.
NHS Supply Chain’s framework agreements increasingly mandate cybersecurity requirements, including manufacturer commitments to security patch delivery throughout the device’s expected lifespan. Before connecting IoMT devices to production networks, NHS Trusts should change all default passwords, disable unnecessary services, configure devices for VLAN assignment based on risk classification and conduct baseline security assessments.
Ongoing operational security includes quarterly vulnerability assessments, continuous monitoring for anomalous behaviour, regular penetration testing and incident response procedures specific to medical device compromise. Proper device retirement prevents data breaches from discarded equipment by securely wiping data using NCSC-approved sanitisation standards.
NHS Asset Management Requirements
The NHS Data Security and Protection Toolkit Assertion 6.1 requires that all IT assets be tracked and have assigned owners.
Gloucestershire Hospitals NHS Foundation Trust received a £270,000 fine from the ICO in 2022, which included specific criticism of asset management failures. The Trust couldn’t identify which systems held copies of compromised patient data because device inventories were incomplete. Norfolk and Suffolk NHS Foundation Trust’s £200,000 fine in 2021 followed a ransomware incident where the Trust was unable to identify all affected systems for prioritisation of recovery.
NHS organisations should categorise IoMT devices by clinical impact. Category A life-critical devices, including pacemakers and ventilators, require a maximum 15-minute recovery time objective and the highest security investment. Category B clinical operations devices, including diagnostic imaging, require a 4-hour recovery time objective. Category C administrative support devices accept a 24-hour recovery time objective.
IoMT Security Threats and Vulnerabilities
Connected medical devices face multiple threat vectors that can compromise patient data, disrupt clinical services and directly threaten patient safety through manipulation of life-critical equipment.
Cyber-Physical Risks to Patient Safety
Traditional cybersecurity focuses on data confidentiality, integrity and availability. IoMT security must also consider cyber-physical risks, where digital compromise can cause physical harm.
Researchers demonstrated vulnerabilities in insulin pumps, allowing remote manipulation of dosing commands, potentially causing life-threatening hypoglycaemia. Pacemaker firmware vulnerabilities enabled unauthorised parties to deplete batteries or alter pacing parameters. The MHRA issues Medical Device Alerts when security vulnerabilities are discovered in widely deployed devices.
UK Hospital Cyberattack Case Studies
British healthcare has experienced several major cyberattacks that have impacted IoMT infrastructure.
WannaCry ransomware struck 81 NHS Trusts in May 2017. MRI scanners remained inoperable for 3 to 5 days. Digital X-ray systems went offline. The attack resulted in 19,000 cancelled appointments, including cancer treatments, with total costs exceeding £92 million. The root cause involved unpatched Windows systems controlling medical imaging equipment.
University Hospitals Birmingham suffered a targeted attack on radiology systems in 2019. The Picture Archiving and Communication System went offline. CT and MRI scanners could not transmit images. Recovery required 9 days. The investigation revealed inadequate network segmentation between the radiology systems and the general IT network.
Cambridge University Hospitals experienced ransomware in 2023. Electronic patient record system access was interrupted. Connected diagnostic equipment operated in standalone mode. NHS England’s 2024 Digital Health Report noted a 47% increase in ransomware attacks specifically targeting medical device networks.
Legacy Medical Device Vulnerabilities
The extended operational lifespan of medical equipment presents security challenges not typically encountered in standard IT environments.
NHS Trusts operate diagnostic imaging equipment purchased 15-20 years ago, running Windows XP or Windows 7. Microsoft ended support for these platforms years ago. Manufacturers often cannot provide operating system upgrades because medical device software is tightly integrated with specific versions of Windows.
Many medical devices use embedded operating systems with no upgrade path. Some use unencrypted communications protocols. Others use hard-coded credentials that cannot be changed. These fundamental design weaknesses cannot be remedied through software updates.
A modern MRI scanner costs between £1 million and £3 million. CT scanners range from £500,000 to £2 million. NHS Trusts cannot simply replace all legacy equipment. Security strategies must accommodate unpatchable devices that will remain in service for years.
UK NHS IoMT Security Compliance Framework
Healthcare providers operating IoMT devices in the UK must navigate multiple regulatory frameworks that intersect cybersecurity, medical device safety and data protection requirements.
NHS Data Security and Protection Toolkit Requirements
The DSPT provides the standards for data security in health and care organisations.
Assertion 4 requires that staff using IoMT devices complete annual cybersecurity training. Assertion 6 mandates technical security measures, including network firewalls that separate medical device segments, antivirus protection where compatible, and patch management processes with documented exceptions for legacy equipment. Assertion 8 requires business continuity plans specifically addressing IoMT device compromise scenarios.
NHS Trusts must submit annual DSPT assessments demonstrating compliance. Organisations failing to meet DSPT standards face contract suspension and potential investigation by the ICO.
ICO Enforcement and Medical Data Breaches
The Information Commissioner’s Office actively enforces GDPR within healthcare contexts.
The ICO fined Gloucestershire Hospitals NHS Foundation Trust £270,000 in 2022 for medical records accessible through inadequately secured networks. The enforcement specifically criticised the failure to segment medical device networks from general IT systems. Norfolk and Suffolk NHS Foundation Trust received a £200,000 fine in 2021 for inadequate access controls on networked medical equipment.
The ICO expects healthcare providers to conduct Data Protection Impact Assessments for new IoMT device deployments, encrypt patient data both in transit and at rest, implement access logging, and establish clear vendor contracts that define data processing responsibilities.
NCSC Guidance for Healthcare IoMT Security
The National Cyber Security Centre provides specific guidance for medical device security.
NCSC guidance on legacy IT addresses unpatchable medical devices. Recommendations include implementing virtual patching through network-based intrusion prevention systems, application whitelisting where feasible and network segmentation to contain potential compromise.
The Cyber Assessment Framework includes specific outcomes for medical device security. Outcome C4 on Secure Configuration requires documenting security baselines for each IoMT device type. Outcome C5 on Vulnerability Management mandates maintaining vulnerability registers, including unpatchable devices. Outcome D2 on Security Monitoring requires implementing anomaly detection for medical device networks.
Medical Device Regulations and MHRA Standards
The MHRA enforces the Medical Devices Regulations 2002 as amended, which now includes cybersecurity requirements.
Manufacturers must provide software bills of materials that document all software components, commit to delivering security patches throughout the product lifecycle, and document known vulnerabilities. Healthcare providers must register devices with the MHRA as required, report cybersecurity incidents through the Yellow Card scheme, and maintain up-to-date manufacturer contact information.
The MHRA issues Medical Device Alerts when security vulnerabilities are discovered in widely deployed devices. Recent examples include pacemaker firmware vulnerabilities and flaws in insulin pump communication protocols.
Zero Trust Architecture for IoMT Security
Zero Trust principles assume that no user, device or network segment can be implicitly trusted. Every access request must be verified regardless of origin, providing defence-in-depth protection for sensitive medical environments.
Network Segmentation for Medical Devices
Network segmentation divides hospital networks into isolated zones, allowing for controlled communication between segments.
Medical devices should operate on dedicated VLANs separated from general IT networks. Firewalls between segments enforce strict access control rules. Micro-segmentation isolates individual device categories. MRI scanners communicate only with PACS servers. Infusion pumps connect exclusively to electronic prescribing systems. This granular segmentation limits lateral movement if attackers compromise one device.
Implementation requires careful planning to prevent disruptions to clinical workflows. Role-based access controls grant clinicians appropriate permissions based on job functions. Mobile devices moving between departments require dynamic VLAN assignment based on device authentication.
Identity and Access Management for Clinical Staff
Clinical environments require frictionless authentication that maintains security appropriate for sensitive medical data.
Proximity-based authentication using RFID badges enables login when clinicians approach workstations, and automatically logs them out when they step away. Biometric authentication using fingerprint or facial recognition provides strong identity verification without password entry. Multi-factor authentication for remote access requires both a password and a time-based code before granting access.
Role-based access controls limit data visibility according to clinical needs. Emergency department staff access current vital signs for patients under their care, but cannot browse historical records for patients treated by other departments.
Continuous Monitoring and Threat Detection
Security monitoring for IoMT devices must detect anomalies without generating excessive false alarms.
Security Information and Event Management systems aggregate logs from medical devices and network equipment. Machine learning algorithms establish baseline behaviour for each device category. Deviations from established baselines trigger alerts for investigation. An MRI scanner suddenly communicating with external IP addresses suggests compromise. Infusion pumps attempting to access the internet indicate a potential malware infection.
Intrusion detection systems monitor network traffic for known attack patterns. Healthcare security operations centres provide 24/7 monitoring for critical alerts, with Category A life-critical devices receiving continuous monitoring.
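The behavioural baselining and deviation alerting described above (and in the asset management section, where an infusion pump sending 100 times its normal data volume is the worked case) can be expressed as a small passive-flow analyser. This is an added example, not code from the article or any NHS tool; the device names, address ranges and flow records are constructed, and the thresholds are assumptions a Trust would tune against its own traffic.

```python
"""Behavioural baselining for IoMT network flows (constructed example).

Builds a per-device baseline from passively collected flow records, then
raises an alert for the two deviations the article describes: a device
moving far more data than its baseline, and a device talking to an address
outside the hospital's internal ranges. No probes are sent to any device.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed: address ranges this Trust treats as internal.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]


@dataclass(frozen=True)
class Flow:
    device: str      # inventory name of the medical device (source)
    dst: str         # destination IPv4 address
    bytes_sent: int  # bytes the device sent in this flow


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def build_baseline(history: list[Flow]) -> dict[str, tuple[float, float]]:
    """Per-device mean and population std-dev of bytes sent, from past flows."""
    per_device: dict[str, list[int]] = {}
    for f in history:
        per_device.setdefault(f.device, []).append(f.bytes_sent)
    return {d: (mean(v), pstdev(v)) for d, v in per_device.items()}


def detect(baseline: dict[str, tuple[float, float]], flows: list[Flow],
           z_threshold: float = 3.0, volume_ratio: float = 10.0) -> list[str]:
    """Return one alert string per deviation found in the new flows."""
    alerts: list[str] = []
    for f in flows:
        # An MRI scanner or pump should never reach outside the hospital.
        if not is_internal(f.dst):
            alerts.append(f"{f.device}: external destination {f.dst}")
        # A device with no baseline is not in the inventory: an asset gap.
        if f.device not in baseline:
            alerts.append(f"{f.device}: no baseline (unknown device)")
            continue
        avg, sd = baseline[f.device]
        spike = f.bytes_sent > avg * volume_ratio
        outlier = sd > 0 and (f.bytes_sent - avg) / sd > z_threshold
        if spike or outlier:
            alerts.append(f"{f.device}: volume {f.bytes_sent} vs baseline {avg:.0f}")
    return alerts


# Constructed history: a pump sends ~2 kB per report, an MRI ~5 MB per study.
HISTORY = [
    Flow("infusion-pump-07", "10.20.4.2", 2000),
    Flow("infusion-pump-07", "10.20.4.2", 2200),
    Flow("infusion-pump-07", "10.20.4.2", 1800),
    Flow("infusion-pump-07", "10.20.4.2", 2000),
    Flow("mri-01", "10.20.1.10", 5_000_000),
    Flow("mri-01", "10.20.1.10", 5_200_000),
    Flow("mri-01", "10.20.1.10", 4_800_000),
]

# Constructed new flows: MRI reaching the internet, pump exfiltrating
# 100x its usual volume, and a device nobody inventoried.
NEW_FLOWS = [
    Flow("mri-01", "203.0.113.5", 5_100_000),
    Flow("infusion-pump-07", "10.20.4.2", 200_000),
    Flow("ct-99", "10.20.1.10", 4_900_000),
]


def run_demo() -> list[str]:
    return detect(build_baseline(HISTORY), NEW_FLOWS)


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT", line)
```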
Securing Legacy IoMT Devices: Practical Solutions
The reality of unpatchable medical equipment requires alternative security approaches beyond traditional patch management strategies.
Virtual Patching for Unpatchable Equipment
Virtual patching deploys network-based controls that detect and block exploit attempts without requiring changes to vulnerable devices.
Intrusion prevention systems analyse network traffic destined for legacy medical devices, comparing packets against known exploit signatures. When attack patterns are detected, the IPS blocks the malicious traffic before it reaches the vulnerable device. Virtual patches can be deployed within hours of vulnerability disclosure, providing rapid protection during the extended period between vulnerability announcement and availability of vendor-supplied patches.
Network-based application firewalls provide protocol-level protection for medical devices, permitting legitimate clinical data exchange whilst blocking malformed packets that may represent exploit attempts.
VLAN Micro-Segmentation Strategies
Micro-segmentation isolates vulnerable legacy devices in network cells that permit only necessary clinical communication.
Legacy MRI scanners operating on Windows XP should reside in VLANs allowing communication exclusively with PACS servers and time synchronisation servers. Firewall rules block all other network access. CT scanners in isolated VLANs communicate only with radiology information systems, PACS and Electronic Patient Record systems. Laboratory analysers transmit test results to laboratory information systems through dedicated network segments.
Implementation requires documenting legitimate communication patterns for each device category. Clinical engineering and IT security teams must identify necessary network dependencies whilst eliminating unnecessary access.
Shielding Windows XP and Windows 7 Based Medical Scanners
Medical imaging equipment frequently runs on Windows operating systems that reached end-of-life years ago.
Microsoft ended support for Windows XP in 2014 and Windows 7 in 2020. NHS Trusts continue operating thousands of imaging devices on these platforms because manufacturers have not provided upgrade paths, and replacement costs are prohibitive.
Physical network isolation provides strong protection. Air-gapped devices have no network connectivity, with images transferred via USB media. Network diodes enable one-way data transmission, allowing medical devices to send images to PACS servers while preventing inbound network traffic. Dedicated jump servers provide controlled access for remote support whilst eliminating direct internet exposure of vulnerable devices.
IoMT Security Best Practices for UK Healthcare Providers
Comprehensive IoMT security requires coordinated technical controls, organisational processes, and staff awareness that extend across entire healthcare organisations.
Procurement Security Requirements
Security considerations must influence medical device purchasing decisions.
Tender documentation should require manufacturers to commit to a minimum of 5-year security patch support, extending to 10-15 years for major capital equipment. Vendors must disclose security patch delivery timelines. Software bills of materials enable healthcare organisations to assess supply chain risks. Manufacturers should provide penetration testing reports conducted by CHECK-accredited testers. Contractual commitments for vulnerability disclosure establish clear processes for reporting security issues.
Encryption and Authentication Protocols
Strong cryptographic controls protect patient data during transmission and storage.
Transport Layer Security version 1.2 or higher should encrypt all network communication between IoMT devices and healthcare information systems. Certificate-based authentication verifies device identity before permitting network access. Each IoMT device receives a unique digital certificate issued by the healthcare organisation’s certificate authority. AES-256 encryption protects data at rest on medical device storage systems. Multi-factor authentication for administrative access prevents unauthorised configuration changes.
Regular Risk Assessments and Penetration Testing
Ongoing security validation identifies vulnerabilities before attackers discover them.
Quarterly vulnerability scanning assesses IoMT devices for known security weaknesses using passive assessment techniques. Annual penetration testing by independent security assessors provides a realistic assessment of the effectiveness of security controls. Risk assessments should be performed before deploying new IoMT device categories. Clinical Risk Management standards under DCB0129 require a formal assessment of patient safety risks.
Staff Training and Clinical Resilience
Technical controls require an informed staff that understands security responsibilities.
Annual mandatory cybersecurity training for clinical and administrative staff should include IoMT security modules that cover phishing recognition, password security, and incident reporting. Clinical engineering teams require specialised training on medical device security, including understanding manufacturer security bulletins and safely applying firmware updates.
Incident response drills should include scenarios involving IoMT compromises. Tabletop exercises simulate ransomware affecting medical device networks. Clinical departments need defined manual operation procedures for situations when IoMT devices become unavailable.
IoMT devices deliver substantial clinical benefits through remote monitoring, real-time data analysis and improved care coordination. However, these benefits come with significant security responsibilities. The interconnected nature of modern healthcare IT environments means that medical device security affects not just data privacy but patient safety directly.
UK healthcare providers must implement multi-layered security strategies addressing the unique challenges of medical environments. Network segmentation contains potential compromises. Virtual patching protects unpatchable legacy equipment. Continuous monitoring detects anomalous behaviour requiring investigation. Staff training ensures that human factors support, rather than undermine, technical controls.
Compliance with NHS DSPT requirements, ICO expectations and MHRA standards is not optional. Recent enforcement actions demonstrate that regulators hold healthcare organisations accountable for inadequate medical device security. The financial penalties for non-compliance pale in comparison to the reputational damage and patient safety consequences of security incidents.
The threat landscape continues to evolve as attackers recognise that healthcare organisations face unique operational pressures. Ransomware attacks increasingly target medical device networks specifically, knowing that patient safety concerns may pressure organisations into making ransom payments. Defence requires proactive security postures that anticipate threats rather than reacting to incidents.
Healthcare organisations should conduct comprehensive IoMT security assessments, identifying current vulnerabilities, gaps in compliance and opportunities for security improvement. These assessments provide roadmaps for systematic security enhancement aligned with available resources and organisational priorities. Patient safety depends on healthcare providers taking IoMT security seriously and investing appropriately in protective measures.
For immediate security concerns or suspected IoMT device compromise, healthcare organisations should contact NHS Digital CareCERT at 0300 303 5222 for technical assistance. Criminal incidents should be reported to Action Fraud at 0300 123 2040. The ICO should be notified within 72 hours of discovering data breaches involving patient information at 0303 123 1113.