JOURNAL OF MEDICINE CARE AND HEALTH REVIEW

Introduction

The Growing Cybersecurity Crisis in Smart Healthcare

The integration of Internet of Medical Things (IoMT) devices into healthcare delivery has accelerated dramatically over the past decade. From implantable cardiac monitors and continuous glucose sensors to smart infusion pumps and connected ventilators, IoMT devices now number over 500 million globally, with projections exceeding 1.5 billion by 2028 [1]. These devices generate vast streams of physiological and operational data, enabling remote patient monitoring, automated clinical alerts, and data-driven treatment optimization. However, the same connectivity that enables these benefits has transformed healthcare networks into prime targets for cyberattacks.

The consequences of IoMT security breaches extend far beyond traditional data confidentiality concerns. When an infusion pump is remotely manipulated, patient safety is directly threatened. When a hospital's IoMT network is encrypted by ransomware, critical care delivery is paralyzed. High-profile attacks illustrate the escalating risk: the 2024 attack on Change Healthcare compromised data of over 100 million patients and disrupted pharmacy services nationwide for weeks [2]; the 2020 ransomware attack on Düsseldorf University Hospital resulted in a patient's death after emergency services were diverted[3]; and in 2025, researchers demonstrated remote exploitation of vulnerabilities in commercial pacemakers, theoretically enabling fatal arrhythmia induction.

Traditional security measures, such as firewalls, antivirus software, and signature-based intrusion detection systems (IDS), have proven inadequate for IoMT environments for three fundamental reasons[4]. First, IoMT devices are typically resource-constrained (limited CPU, memory, battery), preventing the deployment of conventional security agents. Second, many devices lack update mechanisms or are no longer supported by manufacturers, leaving known vulnerabilities unpatched for years. Third, the heterogeneous nature of IoMT ecosystems devices from dozens of vendors communicating via multiple protocols (Bluetooth, Zigbee, LoRaWAN, MQTT, DICOM, HL7) creates an exponentially large attack surface that defies comprehensive signature enumeration.

Limitations of Existing Intrusion Detection Approaches

Existing intrusion detection systems for healthcare networks fall into three categories, each with distinct limitations:

Signature-based IDS maintains databases of known attack patterns and matches incoming traffic against these signatures. While accurate for known threats, these systems fail catastrophically against zero-day attacks and novel exploits for which signatures have not yet been developed [5]. Given that healthcare networks face an average of 1.5 new attack variants per week, the window of vulnerability between attack emergence and signature deployment (typically 48-72 hours) represents a critical risk period[5].

Anomaly-based IDS establishes baselines of normal network behavior and flags deviations as potential attacks. Machine learning (ML) approaches, including autoencoders, recurrent neural networks, and isolation forests, have demonstrated promise for zero-day detection[6]. However, centralized ML training requires aggregating raw network traffic data, including potentially identifiable patient information, at a central server, violating healthcare privacy regulations, including HIPAA and GDPR. Furthermore, centralization creates a single point of failure and a single point of compromise: attackers who breach the central server gain access to the complete training dataset and model.

Federated learning approaches have recently emerged as a privacy-preserving alternative[6]. In federated learning, models are trained locally on edge devices; only model updates (gradients or weights) are transmitted to a central aggregator, never raw data. While several federated IDS frameworks have been proposed for generic IoT networks, they exhibit three deficiencies when applied to IoMT environments: (1) they assume homogeneous device capabilities, whereas IoMT networks include diverse devices ranging from resource-constrained sensors to powerful edge gateways; (2) they lack mechanisms for zero-day detection, instead focusing on classification of known attack types; and (3) they do not address the non-stationary nature of healthcare network traffic, where normal patterns evolve over time due to changing patient conditions and clinical workflows.

Contributions

This paper presents FL-IDS-IoMT, a federated learning-based intrusion detection framework that addresses these gaps. Our specific contributions are:

1. A hybrid autoencoder-generative adversarial network (AE-GAN) architecture for unsupervised zero-day attack detection that learns a compact representation of benign IoMT traffic patterns and detects anomalies as deviations from this representation, achieving robust detection without labeled attack data.
2. A hierarchical federated learning protocol with adaptive aggregation weighting that accommodates device heterogeneity by assigning aggregation weights based on local dataset sizes, device computational capacity, and historical model contribution quality.
3. A lightweight on-device inference engine optimized for resource-constrained IoMT devices, achieving a memory footprint <2MB and inference latency <100ms on ARM Cortex-M class processors.
4. Comprehensive empirical evaluation using three contemporary IoMT/healthcare datasets, demonstrating zero-day detection accuracy of 94.2% with 94.7% bandwidth reduction compared to centralized approaches.
5. Clinical feasibility validation through deployment on commercial IoMT devices in a simulated 50-bed smart ward environment.

Paper Organization

Section 2 reviews related work in IoMT intrusion detection and federated learning. Section 3 presents the FL-IDS-IoMT framework architecture and algorithms. Section 4 describes experimental methodology, datasets, and evaluation metrics. Section 5 reports results. Section 6 discusses limitations, deployment considerations, and future directions. Section 7 concludes.

Related Work

Intrusion Detection for IoMT and Healthcare Networks

The application of machine learning to healthcare network intrusion detection has grown substantially. Al-Hawawreh and colleagues conducted a comprehensive review of ML-based IDS for IoMT, identifying deep learning approaches, particularly autoencoders and convolutional neural networks, as achieving the highest detection accuracy (typically 85-95%) on benchmark datasets. However, the review noted that 92% of surveyed studies assumed centralized training, explicitly disregarding privacy constraints.

Several studies have explored anomaly detection for zero-day attacks in healthcare contexts. A .5% improvement over standalone autoencoders, achieving 96.3% detection rate on previously unseen attack types in the CICIoMT2024 dataset. However, like most approaches, these were evaluated in centralized settings.

Federated Learning for Network Intrusion Detection

Federated learning, introduced by McMahan and colleagues at Google in 2017, has been extensively applied to intrusion detection in generic IoT networks. The seminal FedIDS framework demonstrated that federated training could achieve accuracy within 2-3% of centralized training while preserving data locality. Subsequent work improved communication efficiency through gradient compression and adaptive aggregation frequencies.

For healthcare-specific applications, several federated IDS frameworks have been proposed. FL-HIS implemented federated anomaly detection for hospital information systems, achieving 89.7% accuracy across three simulated hospital networks. PriFedHealth incorporated differential privacy guarantees into federated training for wearable device monitoring. However, these frameworks were evaluated on homogeneous device settings and did not address the specific challenges of IoMT environments: heterogeneous computational capabilities, non-IID data distributions across devices, and the need for real-time inference on resource-constrained sensors.

Critically, existing federated IDS frameworks assume that attack labels are available for local training, an assumption that fails for zero-day attacks where no prior examples exist. To our knowledge, no prior work has combined federated learning with unsupervised zero-day detection specifically for IoMT environments.

Research Gaps

Based on this review, we identify three specific gaps that FL-IDS-IoMT addresses:

Gap 1: No existing federated IDS framework supports unsupervised zero-day attack detection—all require labeled attack data for training.

Gap 2: Current federated aggregation methods assume homogeneous device capabilities and IID data distributions, neither of which holds in clinical IoMT networks.

Gap 3: Model optimization for resource-constrained IoMT devices has received minimal attention, with existing frameworks assuming compute capabilities (GPU, >4GB RAM) unavailable on typical medical sensors.

3. FL-IDS-IoMT Framework Architecture

3.1 Overview

FL-IDS-IoMT adopts a hierarchical architecture comprising three tiers:

Tier 1: IoMT Device Layer comprises resource-constrained sensors and actuators (wearable monitors, smart infusion pumps, pulse oximeters) that generate network traffic. These devices run a lightweight inference engine that performs local anomaly detection on their own traffic patterns. Devices have no persistent storage of training data and transmit only anomaly scores and, when participating in federated training, encrypted model update parameters.

Tier 2: Edge Gateway Layer consists of hospital room or ward-level gateways (e.g., Raspberry Pi 4-class devices or commercial medical gateways) that aggregate traffic from multiple IoMT devices. Gateways perform local model training using on-device benign traffic data, compute model updates, and communicate with the central aggregator. Edge gateways also cache recent traffic for forensic analysis.

Tier 3: Central Aggregator Layer is a trusted server (located within hospital network or secure cloud) that coordinates federated learning, aggregates model updates from edge gateways using a weighted averaging protocol, and distributes updated global models back to edge gateways. The central aggregator does not have access to raw patient data.

Hybrid AE-GAN Architecture for Unsupervised Zero-Day Detection

The core detection model combines an autoencoder (AE) for dimensionality reduction and a generative adversarial network (GAN) for robust anomaly scoring.

Autoencoder Component: The AE learns a compressed latent representation of benign IoMT traffic. Given an input feature vector x ∈ ℝ^d (derived from network packet headers and flow statistics), the encoder E maps x to latent code z ∈ ℝ^k (k << d), and decoder D reconstructs x̂ = D(E(x)). During training on benign traffic only, the AE minimizes reconstruction error L_recon = ||x - x̂||₂². For anomalous traffic (including zero-day attacks), reconstruction error is expected to be significantly higher.

GAN Discriminator Component: To improve anomaly discrimination, we train a discriminator network G that distinguishes between real benign samples and AE-reconstructed samples. The AE and discriminator are trained adversarially: the AE attempts to generate reconstructions that fool the discriminator, while the discriminator attempts to identify reconstructions. The final anomaly score combines reconstruction error and discriminator output: S(x) = α·||x - x̂||₂² + (1-α)[7]·(1 - D(x̂)), where α is a hyperparameter (set to 0.7 in our experiments).

Feature Extraction: Raw network packets are transformed into 18 features per flow: source/destination ports, protocol, packet length statistics (mean, variance, min, max), inter-arrival time statistics, flow duration, byte counts, and flag counts. For encrypted traffic (increasingly common in IoMT), we rely on packet length and timing features only, as payload content is inaccessible.

Hierarchical Federated Learning with Adaptive Aggregation

We implement Federated Averaging (FedAvg) with two extensions for IoMT heterogeneity.

Adaptive Weighting: In standard FedAvg, the central aggregator computes global model weights w_global = Σᵢ (n_i/N) w_i, where n_i is the number of training samples at edge node i, and N is the total number of samples across all nodes. This assumes all samples contribute equally to model quality—an assumption violated when devices have different data distributions or when some devices are unreliable. We implement adaptive weighting: w_global = Σᵢ (q_i / Σⱼ q_j) w_i, where q_i = n_i × c_i × h_i. Here, c_i ∈ [0,1] is a device capability score (derived from CPU benchmark), and h_i is a historical contribution quality score (based on validation accuracy contribution in previous rounds). This weighting scheme reduces the influence of low-capability or low-quality devices on the global model.

Secure Aggregation with Differential Privacy: To prevent model inversion attacks (wherein an adversary extracts training data characteristics from model updates), we add Gaussian noise to gradient updates before transmission. For each update Δw_i from edge node i, we transmit Δw_i' = Δw_i + N(0, σ²I)[8], where σ is calibrated to achieve differential privacy budget ε ≤ 2.0.

Communication Efficiency: Edge gateways transmit model updates only every τ training steps (τ=20 in our implementation) and apply gradient compression via top-k sparsification (transmitting only the largest 10% of gradient values).

Lightweight On-Device Inference Engine

For direct deployment on Tier 1 IoMT devices, we implement model quantization and pruning:

Quantization: We quantize the AE-GAN model from 32-bit floating point to 8-bit integer using post-training quantization, reducing memory footprint from 14.2MB to 1.78MB with 0.8% accuracy loss.

Pruning: We apply magnitude-based pruning to remove 60% of weights with the smallest absolute values, followed by fine-tuning on benign traffic.

Inference Optimization: The forward pass is implemented in C without operating system dependencies, enabling deployment on bare-metal microcontrollers. Inference latency on ARM Cortex-M4 (100 MHz) is 87ms per 128-packet batch.

Training Protocol

The federated training protocol proceeds as follows:

1. Initialization: The central aggregator initializes the global AE-GAN model with random weights and distributes it to all edge gateways.
2. Local Training (Edge): Each edge gateway collects local benign traffic from its connected IoMT devices for 24 hours. Using only this local data, the gateway trains its local model for E local epochs (E=5) using the hybrid AE-GAN loss.
3. Update Transmission: Edge gateways compute weight updates Δw_i = w_i_local - w_global, apply differential privacy noise, and transmit to the central aggregator.
4. Aggregation: Central aggregator computes an adaptive weighted average of updates to produce a new global model.
5. Distribution: The updated global model is distributed to edge gateways.
6. Iteration: Steps 2-5 repeat for R communication rounds (R=50 in our experiments).

Convergence Criterion: Training continues until global validation loss stabilizes (change <0.1% over 10 consecutive rounds) or maximum rounds reached.

Anomaly Detection at Inference

Once trained, each edge gateway performs real-time anomaly detection on incoming traffic:

1. Windowing: Incoming packets are aggregated into 30-second time windows (approximately 128 packets for typical IoMT device traffic rates).
2. Feature Extraction: For each window, the 18-dimensional feature vector is computed.
3. Anomaly Scoring: The local AE-GAN model computes anomaly score S(x) for each window.
4. Thresholding: If S(x) > θ (threshold calibrated to achieve 99% true positive rate on validation of benign traffic), an intrusion alert is generated and transmitted to the central aggregator.
5. Alert Handling: Alerts are logged and, for high-confidence detections (S(x) > 0.95), automated response actions (e.g., isolating the affected device) may be triggered per hospital policy.

Experimental Methodology

Datasets

We evaluate FL-IDS-IoMT using three contemporary datasets that span IoMT and healthcare network traffic:

CICIoMT2024: Released by the Canadian Institute for Cybersecurity, this dataset contains 87,434 attack instances across 8 categories (DDoS, ransomware, injection, reconnaissance, man-in-the-middle, botnet, scanning, and zero-day variants). Normal traffic includes simulated IoMT device data from patient monitors, infusion pumps, and ventilators over 7 days. Attack traffic includes both known signatures (for baseline comparison) and a withheld set of 12,000 zero-day attack samples (variants not represented in training).

WUSTL-EHMS-2024: This dataset simulates a hospital environment with 25 IoMT devices, including ransomware attacks (WannaCry variant, Ryuk) and DDoS attacks targeting medical devices. Total capture duration: 14 days; 43,000 attack instances.

Edge-IIoTset: Real IoT/IIoT traffic from 10 device types with 14 attack categories. While not healthcare-specific, we include it to evaluate generalization to non-medical IoT contexts. Total: 15,000,000+ records.

Data Partitioning: For federated learning evaluation, we partition training data across simulated edge gateways (12 gateways in our experiments) according to two distribution scenarios: (1) IID: each gateway receives random sample of benign traffic; (2) Non-IID: each gateway receives traffic from distinct device types (e.g., Gateway A: only infusion pumps; Gateway B: only patient monitors), simulating real clinical deployment.

Baselines

We compare FL-IDS-IoMT against five baselines:

1. Centralized AE-GAN: Same architecture but trained on centrally aggregated raw data (privacy violation, used only as performance upper bound).
2. Signature-based IDS (Snort): Open-source IDS with the latest community rules.
3. Centralized Isolation Forest: Classic anomaly detection algorithm trained centrally.
4. Federated Autoencoder (no GAN): FedAvg-trained autoencoder without adversarial component.
5. FedIDS: Prior federated IDS framework adapted for IoMT.

Evaluation Metrics

Primary metrics: Accuracy, Precision, Recall (Detection Rate), F1-Score, Area Under ROC Curve (AUC). For zero-day detection specifically: Zero-Day Detection Rate (percentage of withheld unseen attack variants correctly identified as anomalous). Secondary metrics: Communication cost (MB per round), Training time (hours to convergence), Inference latency (ms), Memory footprint (MB). Privacy metric: Differential privacy budget ε.

Experimental Setup

Hardware: Central aggregator: 64-core AMD EPYC, 256GB RAM. Edge gateways simulated on Raspberry Pi 4 (4GB RAM). IoMT device simulation on ARM Cortex-M4 and M7 microcontrollers.

Software: TensorFlow Federated framework, custom C inference engine, Python analysis scripts.

Statistical Testing: Five independent runs per experiment; reported as mean ± standard deviation. Significance testing using paired t-test (α=0.05)

Results

Zero-Day Attack Detection Performance

FL-IDS-IoMT achieved a zero-day detection rate of 94.2% (AUC 0.968) on CICIoMT2024 withheld zero-day samples, significantly outperforming all baselines.

The federated autoencoder (no GAN) achieved 87.3%, confirming that the adversarial discriminator component adds 6.9 percentage points of detection improvement. FedIDS, the prior federated IDS framework, achieved only 82.9% as it was not designed for unsupervised zero-day detection and assumes labeled attack data for training.

Per-Attack Type Analysis: FL-IDS-IoMT performed best on DDoS and scanning attacks (96.2% detection), worst on sophisticated low-and-slow reconnaissance attacks (88.4% detection), which intentionally mimic benign traffic patterns.

Clinical Feasibility Validation

Discussion

Comparison with Prior Work

Limitations

Future Directions