Medical applications of the Internet of Things (IoT) have gained significant attention, especially in the context of monitoring health-related information for elderly individuals living alone and patients receiving home-based care, especially during the COVID-19 pandemic. These applications offer immense convenience and contribute to the reduction of infection risk. Consequently, safeguarding the privacy of patient data has become increasingly vital. However, the resource limitations inherent to IoT present challenges in implementing complex algorithms. Numerous researchers have proposed authentication schemes based on three factors: passwords, biometric features, and smart cards. While three-factor authentication protocols are generally more secure than two-factor ones, recent studies have unveiled vulnerabilities in existing protocols designed for IoT environments, particularly concerning sensor node capture attack and smart card stolen attack. Only a few protocols provide reliable solutions to address these issues. To tackle this challenge, we propose a lightweight authentication protocol that introduces the Physical Unclonable Function (PUF) as the fourth factor, enhancing the security and privacy of the system. By integrating PUF technology into servers and embedding it into the integrated circuit chips of sensors, our protocol is specifically designed to thwart attacks like sensor node capture and smart card stolen. We validate the security of our proposed protocol using formal BAN logic and ProVerif simulator tool, demonstrating its capability to provide secure mutual authentication. Moreover, through informal analysis, we illustrate that our scheme can withstand multiple attacks. Furthermore, our proposed protocol outperforms existing protocols in terms of computational cost, storage cost, communication cost, and security requirements.