Respiratory health IoT devices—such as smart inhalers—and implantable medical devices face significant privacy leakage and data security risks arising from insecure human-device interactions. Method: We propose the first usability-driven privacy threat elicitation framework for chronic respiratory disease IoT devices, integrating human factors evaluation, protocol reverse engineering, communication traffic auditing, and STRIDE threat modeling. Contribution/Results: The framework identifies seven high-risk privacy leakage pathways and introduces three lightweight, embedded protection mechanisms that preserve real-time performance and operate under severe resource constraints. These mechanisms significantly enhance data confidentiality without compromising device functionality. Our empirical analysis provides foundational evidence and a systematic methodology to inform the development of security standards for respiratory health IoT devices, extending applicability to broader implantable medical systems.

The rapid development of Internet of Things (IoT) technology has significantly impacted various market sectors. According to Li et al (2024), an estimated 75 billion devices will be on the market in 2025. The healthcare industry is a target to improve patient care and ease healthcare provider burdens. Chronic respiratory disease is likely to benefit from their inclusion, with 545 million people worldwide recorded to suffer in patients using these devices can track their dosage, while healthcare providers can improve medication administration and monitor respiratory health (Soriano et al, 2020). The growing prevalence of IoT devices, including intelligent inhalers like the Propeller Health System Smart Inhaler, Breather Fit, and Lookee O2 Ring, underscores the increasing importance of network connectivity and software development. While IoT medical devices offer numerous benefits, they also come with security vulnerabilities that can expose patient data to cyber-attacks. It’s crucial to prioritize security measures in developing and deploying IoT medical devices, especially in personalized health monitoring systems for individuals with respiratory conditions. Addressing the security gaps and vulnerabilities in IoT devices is essential to ensure patient data’s safety and privacy. Efforts are underway to assess the security risks associated with intelligent inhalers and respiratory medical devices by understanding usability behaviour and technological elements to identify and address vulnerabilities effectively. This work analyses usability behaviour and technical vulnerabilities, emphasizing the confidentiality of information gained from Smart Inhalers. It then extrapolates to interrogate potential vulnerabilities with Implantable Medical Devices (IMDs). Our work explores the tensions in device development through the intersection of IoT technology and respiratory health, particularly in the context of intelligent inhalers and other breathing medical devices, calling for integrating robust security measures into the development and deployment of IoT devices to safeguard patient data and ensure the secure functioning of these critical healthcare technologies.