The increasing reliance on IoMT in healthcare has introduced new, complex cybersecurity challenges. Devices operate in dynamic and often untrusted environments, making them vulnerable to a wide range of attacks. Traditional measures such as firewalls and antivirus software lack the adaptability and intelligence required to protect such decentralized and heterogeneous systems [14].

There is an urgent need for a comprehensive security framework that integrates the principles of the CIA triad and authentication with the adaptive capabilities of IDPS, enhanced by ML & DL. This integration aims to deliver real-time threat detection, reduced false positives, and improved resilience of healthcare infrastructures.

How can ML & DL, when integrated with IDPS, enhance threat classification and response in complex IoMT environments?

This study aims to contribute original insights by combining the CIA triad and authentication with ML, DL, and IDPS in a robust framework tailored to IoMT. The research seeks to demonstrate how intelligent systems can be employed to secure sensitive medical data and ensure uninterrupted healthcare services.

To establish the originality of integrating the CIA triad, authentication, and advanced IDPS with ML & DL for improved IoMT security.

This research presents a novel integration of ML & DL with the CIA triad and authentication in an IDPS designed for IoMT. The proposed architecture is multi-layered: ML techniques handle initial anomaly detection, and DL models perform more complex threat verification and classification. This allows the system to maintain high detection accuracy while being computationally efficient.

The framework not only supports efficient resource use but also enhances system responsiveness, contributing to the reliability and sustainability of healthcare IT infrastructures. Additionally, its modular and scalable design makes it adaptable to other critical domains, such as industrial IoT, smart cities, and financial systems. These extensions demonstrate the broader relevance and transferability of the proposed model.

Following this Introduction, the manuscript will present a detailed Literature Review to place the protection of the CIA Triad with authentication and ML & DL based IDPS within the current landscape of IoMT security solutions. Section 3 will outline the experimental design, data collection, and analysis procedures used in this study. Then explanation of Identified Machine Learning and Deep Learning Models. Section 5 will demonstrate the effectiveness of the proposed hybrid security framework in an IoMT setting. Sections 6 and 7 will reflect on the implications of these findings for future research and practical application, advocating for the broader adoption of advanced, integrated security systems across various industries.

Traditional security frameworks struggle to keep up with the dynamic demands of IoMT due to several limitations. These include limited device capabilities, diverse hardware and software ecosystems, and the need for low-latency, real-time communication. Studies have demonstrated that these limitations impede real-time anomaly detection and data protection at both device and network layers [16,17]. Additionally, securing PGHD during transmission and processing is critical, as these data streams are vulnerable to man-in-the-middle and spoofing attacks [18]. Integrating edge computing with lightweight cryptographic algorithms and access control mechanisms has been proposed to mitigate latency and computational overhead [19].

An effective IDPS serves as the backbone of IoMT security by enabling real-time intrusion detection and system resilience. Unlike static, signature-based detection, which fails against zero-day threats, anomaly-based IDPS dynamically learns traffic patterns and user behavior by [20,21]. These systems require high adaptability, especially in healthcare where threats evolve rapidly and detection delays can result in critical failures.

ML and DL have demonstrated high potential in strengthening IDPS functionalities by learning from vast and diverse datasets to identify anomalies, classify intrusions, and adapt to evolving threats [22,23]. ML models such as Decision Trees, Naïve Bayes, and ensemble techniques have been extensively used to achieve fast and interpretable intrusion detection. DL models such as CNN, LSTM, and attention-based networks are particularly effective in identifying subtle patterns within sequential and high-dimensional data streams, significantly reducing false positives [24,25].

Yet, deploying these models in practice involves challenges such as data imbalance, explainability, and the need for efficient model execution on constrained devices [26,27]. Therefore, there is a strong need for scalable, low-latency, and accurate models that can generalize across a wide range of attack scenarios and IoMT configurations.

Various ML methods have demonstrated their effectiveness in intrusion detection. For example, the Enhanced Random Forest Classifier for Achieving the Best Execution Time (ERF-ABE) achieved 99% accuracy in detecting DDoS and delay attacks [28]. Similarly, an ensemble model combining DTs, Naïve Bayes, RF, and XGBoost reported 96.35% accuracy and 99.98% detection rate [29]. A hybrid approach of Logistic Regression and Gradient Boosted Trees achieved 95.4% accuracy while optimizing for real-time use with a lightweight feature set [30]. Meta-learning strategies have also emerged, such as the one presented by [31], which attained 99.99% accuracy and a remarkably low False Alarm Rate of 0.00004%.

In the DL domain, several models have shown promising results. A Deep Neural Network with global attention achieved an accuracy range of 89%–99% [32]. A GRU with attention mechanism also delivered near-perfect results in classification tasks [33]. To improve efficiency, one study combined PCA and Grey Wolf Optimization (GWO) with a DNN to reduce time complexity by 32% without sacrificing performance [34]. Moreover, CNN-Transformer hybrids and LSTM architectures have proven useful for detecting anomalies in time-series medical data [32].

Despite these achievements, real-world deployments remain limited. Execution time and resource usage are underreported in many studies, although some like [28,34] address performance efficiency directly.

2.6 Emerging Trends and Limitations

Emerging frameworks such as Federated Learning [35] and Meta-Learning [31] are gaining traction due to their privacy-preserving capabilities and potential to scale across distributed IoMT environments. However, issues like regulatory compliance, model interpretability, and deployment readiness continue to hinder widespread adoption.

In summary, while ML and DL techniques offer strong enhancements to IDPS in IoMT, the path forward involves addressing deployment efficiency, compliance, and model transparency. Tailored, intelligent systems are essential for safeguarding PGHD and ensuring the resilience of healthcare infrastructures. We have summarised some important methodologies, findings and limitations of the studies in Table 1 shown below:

Our innovative architecture for the IoMT, which is structured into three primary layers: the Device layer, the Fog layer, and the Cloud layer refer to Fig. 1 for a visual representation.

Device Layer: This foundational layer consists of wearables and medical sensors. These devices are crucial as they collect and transmit medical data directly from patients. Their primary function is to ensure that vital health metrics are captured in real-time and sent forward for further processing.

Fog Layer: Serving as an intermediary, the Fog layer plays a pivotal role in the IoMT architecture. It facilitates the seamless transmission of data from the Device layer to the Cloud layer [36,37]. Beyond just relaying data, this layer has critical functionalities including the initial processing of data, as well as handling aspects of security and privacy. Its position in the architecture makes it a key point for implementing robust security measures because it acts as a bridge between data collection points and the data storage and analysis centres.

Cloud Layer: As the uppermost layer in this architecture, the Cloud layer serves as the central repository for all IoMT data. It is where data is stored, analysed, and made accessible to authorized healthcare providers and researchers. This layer enables the deep analysis of collected data, supporting healthcare professionals in making informed decisions based on comprehensive data insights.

Given the essential role of the Fog layer in connecting the device-collected data with cloud-based analysis and storage, it also represents a significant point of vulnerability within the IoMT framework. To address this, it is equipped with advanced security systems, including intelligent IDPS that utilize ML & DL techniques in layered fashion. These systems are designed to detect and mitigate potential security threats in real-time, ensuring that the integrity and confidentiality of medical data are maintained as it moves through the architecture. This multi-layered approach not only enhances the functionality and efficiency of medical data processing but also fortifies the security framework necessary to protect sensitive health information in the evolving digital landscape of healthcare. Our proposed advanced IDPS, which are integral to reinforcing the security of the IoMT is designed to identify and respond to potential security threats, ensuring the integrity and confidentiality of PGHD across IoMT networks.

The implementation of both IDPS within the IoMT environment is crucial for maintaining a secure operational landscape. By integrating these systems, IoMT can benefit from a comprehensive security approach that not only detects a wide range of known and unknown threats but also actively works to prevent these threats from causing harm. This dual approach ensures that PGHD transmitted across IoMT networks remains secure from both passive and active cyber threats, safeguarding critical healthcare operations and patient information.

This methodology represents a robust security framework that adapts to the evolving challenges and complexities of the IoMT environment. By employing the proactive capabilities of IDPS, the IoMT infrastructure is equipped to handle the multifaceted nature of modern cybersecurity threats. Refer to Fig. 2 for a visual representation.

In this section, we outline the criteria used to evaluate the effectiveness of IDPS within the IoMT environment.

Detection Rate is a critical metric that measures the IDPS’s ability to correctly identify actual threats within the network. An effective IDPS should demonstrate a high detection rate, signifying its efficiency in recognizing and reacting to genuine security threats. This metric is essential for maintaining the integrity and security of the IoMT network.

False Discovery Rate measures the proportion of false alarms, where the system erroneously flags normal activities as malicious. Minimizing the FDR is crucial because a high rate of false alarms can lead to resource wastage and potentially desensitize the system administrators to alerts, increasing the risk of overlooking actual threats.

Response Time evaluates the promptness of the IDPS in detecting and responding to intrusions. It tracks the duration from when a threat is detected to when action is taken by the system. Rapid response is vital in IoMT environments to prevent the escalation of incidents and to minimize the damage caused by security breaches.

Scalability assesses the ability of the IDPS to handle growing amounts of network traffic effectively as the IoMT infrastructure expands. This metric is indicative of the system’s capability to adapt and maintain performance levels despite an increase in load, ensuring that security does not become compromised as the network evolves.

Together, these metrics provide a comprehensive assessment of an IDPS’s performance, highlighting its accuracy, reliability, responsiveness, and adaptability in the dynamic and growing field of IoMT. By continuously monitoring these metrics, stakeholders can ensure that the IDPS is effectively safeguarding the IoMT environment against current and future cybersecurity challenges.

ML & DL technologies are incorporated into IDPS to enhance the security of IoMT networks. Machine Learning algorithm in IDPS analyse network traffic initially to detect potential security threats. Then DL, a subset of ML, utilizes layers of neural networks to process data and identify complex patterns. This technology is especially effective in IDPS for several reasons especially due to in depth analysis of data and then automatic identification of normal and malicious traffic patterns as shown in Fig. 3. The integration of ML and DL within IDPS marks a pivotal advancement in cybersecurity strategies, particularly within the IoMT. The primary goal of implementing these advanced technologies in IDPS for IoMT is to bolster the protection of the CIA Triad with authentication, which is foundational to the security framework of IoMT.

Confidentiality ensures that sensitive medical data is accessible only to authorized individuals. ML & DL enhance IDPS capabilities to detect unauthorized access attempts, thereby safeguarding patient privacy and sensitive information.

Integrity guarantees that medical data and device configurations are not altered maliciously or inadvertently. By using ML & DL, IDPS can more accurately identify and thwart attempts to tamper with or corrupt data, ensuring that medical records and treatment protocols remain trustworthy and unaltered.

Availability ensures that medical data and IoMT services are available to authorized users when needed. Advanced IDPS, powered by ML … DL, can quickly detect and mitigate attacks that threaten to disrupt service availability, such as Distributed Denial of Service (DDoS) attacks.

Authentication verifies the identity of users or devices accessing IoMT networks. ML & DL techniques strengthen IDPS by detecting anomalies in login patterns, device behaviors, or access requests, ensuring that only legitimate entities can interact with sensitive systems, thus preventing unauthorized access and impersonation attacks.

By leveraging ML & DL, in IDPS can achieve a higher level of accuracy in detecting threats, significantly reduce false positives, and respond more swiftly and effectively to potential security threats. This comprehensive approach shown in Fig. 4 not only enhances the protection of PGHD and devices but also supports the overall reliability and efficiency of healthcare services that rely on IoMT technologies. In summary, the integration of these sophisticated technologies into IDPS is essential for maintaining robust cybersecurity measures that uphold the principles of the CIA Triad with authentication in IoMT environments.

Each ML and DL models’ hyperparameters as shown in Tables 2 and 3 are tailored to optimize their specific architectures and tasks. These hyperparameters are essential for tuning the models to achieve optimal performance in various applications, including the complex environments typical of IoMT systems.

The experiments were carried out on identified dataset using Lenovo Mobile Workstation equipped with Processor: 12th Generation Intel Core i9, Windows 11 operating system with Memory: 128 GB DDR4, Hard Drive: 2 TB SSD, Graphics: NVIDIA RTX A4000, and the library used Python 3.4. Scikit-learn 0.21.

For our project, we have selected the Edge-IIoTset [38], a dataset specifically designed for Internet of Things (IoT) and Industrial Internet of Things (IIoT) applications. This dataset stands out due to its comprehensive collection of data from various IoMT devices simulated in a real-world environment, which makes it highly relevant for our ML & DL based IDPS. Its utility is further enhanced by its ability to support both centralized and federated learning modes, which are crucial for the development of scalable and robust cybersecurity solutions in diverse operational environments.

The Edge-IIoTset includes data from over ten types of IoT devices such as temperature and humidity sensors, ultrasonic sensors, water level detection sensors, and heart rate monitors, among others. These diverse data sources provide a rich foundation for training our IDPS to recognize a wide range of normal operational patterns as well as potential security threats. The dataset encompasses fourteen attack types associated with IoT connectivity protocols, organized into five main threat categories: DoS/DDoS attacks, information gathering, man-in-the-middle attacks, injection attacks, and malware. This classification helps in precisely training and testing the IDPS to detect and mitigate specific types of cyber threats effectively.

The structured testbed of the dataset spans seven layers, including cloud computing, network functions virtualization, blockchain network, fog computing, software-defined networking, edge computing, and IoT and IIoT Perception layers. Each layer integrates emerging technologies that meet the specific requirements of IoT and IIoT applications, such as the ThingsBoard IoT platform, OPNFV platform, Hyperledger Sawtooth, and ONOS SDN controller. This layered approach not only mimics a real-world IoT ecosystem but also enables comprehensive security testing across all levels of an IoMT infrastructure.

The selection of the Edge-IIoTset for our project is based on its ability to provide a realistic and dynamic environment for developing and evaluating the effectiveness of our ML & DL-based IDPS. It allows us to conduct a thorough exploratory data analysis and to rigorously evaluate the performance of machine learning methods in both centralized and federated learning contexts, ensuring our IDPS can operate effectively under varied and realistic conditions.

Here is Table 4 to visualize the diversity and frequency of attacks in the IoMT environment in an interesting way using the Edge-IIoTset dataset. This representation emphasizes the variety and relative occurrence of different types of cyber threats encountered.

Effective data pre-processing is a critical step in the utilization of ML and DL models, especially in the fields of IoT and IIoT cybersecurity. This process involves preparing the raw data by converting it into a format that can be easily understood and processed by ML and DL models, thereby improving the models’ accuracy and reducing the time required to obtain results.

In the initial stage, our pre-processing involved reducing the dataset’s complexity by removing 15 of the original 63 columns that were deemed irrelevant for identifying traffic characteristics. We employed a manual relevance-based feature elimination technique, guided by domain expertise, to discard protocol-specific and metadata fields such as frame.time, ip.src host, ip.dst host, among others. This targeted reduction enhances processing efficiency by focusing analysis on the most impactful features.

Duplicate records in the dataset were identified and eliminated using a row-wise duplication detection technique, where exact matches across all feature columns were flagged. Only the first instance of each duplicate was retained. This approach ensures the uniqueness of the dataset, which is crucial for maintaining the integrity, and quality of the training process.

One-Hot Encoding was employed to convert categorical variables into a numerical format, as ML and DL models require numeric input. This technique was chosen for its rigor and simplicity, ensuring no ordinal relationships are falsely introduced and allowing the models to accurately learn from categorical distinctions, thereby enhancing overall model performance.

The dataset was examined for missing values, which were imputed using the K-Nearest Neighbours (KNN) Imputation technique. KNN was chosen due to its non-parametric approach that considers similar data patterns, ensuring originality in preserving feature relationships and enhancing the model training reliability and predictive accuracy in complex IoMT datasets.

Feature extraction is integral to refining the dataset so that models are trained on attributes that contribute most significantly to the prediction process. The study employed both Recursive Feature Elimination (RFE) to retain the most relevant features and Principal Component Analysis (PCA) to further reduce dimensionality and eliminate multicollinearity, ensuring rigorous, efficient, and performance-optimized model training.

The issue of unbalanced data distributions poses a significant challenge in machine learning, as models tend to exhibit bias toward the majority class, often at the expense of minority class accuracy. To address this with methodological rigor, the dataset was first split into two subsets: 70% for training and 30% for testing. SMOTE was then applied exclusively to the training set to balance class distributions by synthetically generating new examples for the minority classes based on linear interpolations of existing instances. This approach preserves the originality and integrity of the testing set, ensuring an unbiased evaluation of the model’s performance on unseen data. SMOTE enhances the model’s ability to generalize across diverse classes while reducing the risk of overfitting.

To further ensure robust model validation, a fivefold cross-validation technique was employed on the training data. The training set was divided into five subsets, where the model was iteratively trained on four subsets and validated on the fifth. This process was repeated five times, with each subset used once for validation. This strategy helped optimize model hyperparameters, improving overall predictive accuracy and reliability.

By applying these comprehensive pre-processing methods, the Edge-IIoTset is transformed into a refined dataset that is optimally structured for training robust cybersecurity models. These models are designed to effectively detect and prevent a broad spectrum of cyber threats in IoT and IIoT environments, thereby enhancing the security framework critical for the integrity and functionality of modern technological ecosystems.

In this section, we detail the methodology for evaluating the performance of our proposed architecture designed to protect the IoMT using ML & DL based IDPS. This architecture is focused on safeguarding the CIA Triad with authentication, while ensuring a sustainable computing environment.

To evaluate the efficacy of the ML & DL integrated with IDPS for the IoMT, we use a comprehensive set of performance metrics. Each metric provides insights into different aspects of the system’s performance, collectively ensuring that the IDPS effectively safeguards the IoMT environment against cybersecurity threats. The metrics include Loss, Accuracy, Recall, Precision, F1-Score, False Alarm Rate (FAR)/False Positive Rate (FPR), and False Discovery Rate (FDR) are explained below:

Loss can be calculated by using Eq. (1) represents the model’s error rate on the training or validation datasets. (1)Loss=−Σ(ylog⁡(p)+(1−y)log⁡(1−p))

Accuracy can be calculated by using Eq. (2) measures the overall correctness of the model in classifying data points, either as normal or as an intrusion. (2)Accuracy =(TP+TN)/(TP+TN+FP+FN)

Precision can be calculated by using Eq. (3) assesses the model’s accuracy in predicting positive identifications. It calculates the ratio of true positive results to all positive results, including those that were incorrectly identified. (3)Precision =TP/(TP+FP)

True Positive Rate or Recall or Sensitivity can be calculated by using Eq. (4) evaluates the model’s ability to correctly identify actual positives, measuring how well the IDPS detects real threats without missing any. (4)Recall =TP/(TP+FN)

F1-Score can be calculated by using Eq. (5) provides a balance between Precision and Recall, offering a single score that gauges the model’s accuracy at identifying true positives while penalizing false positives and false negatives. (5)F1−Score=2 ∗ (Precision ∗ Recall)/(Precision+Recall)

False Alarm Rate or False Positive Rate can be calculated by using Eq. (6) measures the frequency of false alarms. (6)FAR=FP/(FP+TN)

False Discovery Rate can be calculated by using Eq. (7) indicates the likelihood of false alarm, showing the percentage of false positives in the total number of detections. (7)FDR=FP/(FP+TP)

These metrics provide a robust framework for assessing the performance of IDPS in protecting the IoMT environment. To mitigate the risk of overfitting to synthetic conditions, our model was evaluated with metrics that emphasize precision, recall, and false positive rates across a range of attack categories, ensuring that the performance insights remain transferable to real-world deployments.

By analysing these metrics, we can pinpoint areas of strength and potential improvement, ensuring that the IDPS operates efficiently and effectively, thus enhancing the overall security and reliability of healthcare technology within a sustainable computing framework. The Algorithm 1 below outline the comprehensive steps involved in deploying this robust security framework:

This streamlined architecture focuses on integrating advanced ML & DL techniques within the IoMT environment to enhance the robustness of the IDPS. It ensures dynamic threat detection and adaptive responses, continuously evolving to address the latest cyber threats and protect the CIA Triad with authentication efficiently.

Extreme Gradient Boosting (XGBoost) enhances traditional gradient boosting through advanced regularization techniques and system optimizations, making it highly effective and efficient. The model’s mathematical foundation is built on the principle of boosting weak learners in the form of DTs, sequentially refined to minimize errors in previous iterations [45]. The core of XGB’s modeling involves an objective function that is minimized during training. This function is comprised of a loss function that measures prediction error, and a regularization term that controls model complexity to prevent overfitting given by Eq. (8):(8)Obj(Θ)=∑i=1nL(yi,y^i)+∑k=1KΩ(fk)where L(yi,y^i) represents the loss function comparing the predicted output y^i to the actual output yi, Ω(fk) is the regularization term associated with the k-th tree, Θ denotes the parameters of the model, n is the number of data points, K is the number of trees. XGB employs a unique learning algorithm that updates the model by adding a new tree that best reduces the objective function, using a gradient descent approach. This process can be described by the Eq. (9):(9)ft+1(x)=ft(x)+η⋅∑j=1Jtgtj⋅I(x∈Rtj)where ft(x) is the prediction at iteration t, η is the learning rate, gtj represents the gradient statistics on the loss function for region Rtj, Jt is the number of leaf regions in the t-th tree, I is an indicator function determining if instance x falls into region Rtj.

In addition to ML models, we implemented and assessed several DL architectures, including both standalone [49–51] and hybrid approaches [52–55]. Among these, the hybrid model combining a CNN with an Autoencoder demonstrated the highest performance. This model effectively captured both spatial and abstract patterns in the data, leading to superior detection accuracy and reduced false positives. Its ability to learn complex feature representations makes it particularly well-suited for the dynamic and layered nature of IoMT traffic.

Convolutional Neural Networks are well-known for their ability to extract high-level features from data through their deep architecture of convolutional layers and pooling layers. These layers efficiently capture spatial hierarchies and intricate patterns in data. Autoencoders, on the other hand, are unsupervised neural networks that learn efficient data codings by aiming to replicate the input at the output layer. This capability makes them particularly useful for anomaly detection, as they can learn to reconstruct normal data patterns and highlight deviations when reconstructing unseen or anomalous data [52]. The mathematical formulation of this hybrid model involves the convolutional feature extraction process followed by a reconstruction phase through the autoencoder. The CNN layers operate to extract spatial features using Eq. (10):(10)Sl=f(Wl∗Xl+bl)where Sl is the output of layer l, Wl and bl are the weights and biases for the convolutional layer l, Xl is the input, f represents a nonlinear activation function such as ReLU, and ∗ denotes the convolution operation. The Autoencoder consists of two main parts, encoder and decoder: Encoder part compresses the input into a lower-dimensional latent space using Eq. (11).(11)z=f(We⋅S+be)where z represents the encoded feature vector, We and be are the encoder weights and biases, and S is the feature set output by the final CNN layer. Decoder part attempts to reconstruct the input from the encoded state using Eq. (12): (12)X′=g(Wd⋅z+bd)where X′ is the reconstructed input, Wd and bd are the decoder weights and biases, and g is typically the sigmoid activation function.