Medical Internet of Things (IoT) systems can be used to monitor and treat patient health conditions. Security and privacy issues in medical IoT services are more important than those in any other IoT-enabled service. Therefore, various mutual authentication and key-distribution schemes have been proposed for secure communication in medical IoT services. We analyzed Hu et al.'s scheme and found that an attacker can impersonate legitimate sensor nodes and generate illegitimate session keys using the information stored in the sensor node and the information transmitted over the public channel. To overcome these vulnerabilities, we propose a scheme that utilizes physically unclonable functions to ensure a secure session key distribution and increase the computational efficiency of resource-limited sensor nodes. In addition, the proposed scheme enhances privacy protection using pseudonyms, which we prove using a formal security analysis tool, ProVerif 2.05.