PLATFORM FOR SECURE COMMUNICATIONS WITH MEDICAL DEVICE
A communication platform at least partially implements secure communications between a medical device and a trusted authority (TA) service provider. The secure communications prevent access to the secure communications by the communication platform while permitting access to the secure communications at the medical device and/or at the trusted authority service provider.
Latest INSPIRE MEDICAL SYSTEMS, INC. Patents:
- Method of treating sleep disordered breathing
- Display screen or portion thereof with a graphical user interface
- Display screen or portion thereof with a graphical user interface
- Display screen or portion thereof with a graphical user interface
- Display screen or portion thereof with a graphical user interface
This application is a continuation of U.S. patent application Ser. No. 15/751,056, filed Feb. 7, 2018, which is a U.S. National Stage filing under 35 U.S.C. § 371 of PCT/US2016/046600, filed Aug. 11, 2016, which claims benefit of U.S. Provisional Application 62/203,435, filed Aug. 11, 2015, the entire teachings of each of which are incorporated herein by reference.
BACKGROUNDActive implantable medical devices and the systems that interact with them are highly regulated to maintain reasonable safeguards for the patient and their caregivers. Accordingly, there has been little flexibility in the type of devices permitted for use in monitoring and/or controlling active implantable medical devices.
In the following Detailed Description, reference is made to the accompanying drawings which form a part hereof, and in which is shown by way of illustration specific examples of the present disclosure which may be practiced. It is to be understood that other examples may be utilized and structural or logical changes may be made without departing from the scope of the present disclosure. The following detailed description, therefore, is not to be taken in a limiting sense.
In at least some examples of the present disclosure, a communication platform at least partially implements first secure communications between an implantable medical device and a trusted authority service provider. In some examples, the first secure communications prevent access to at least content of the first secure communications by the communication platform. In some examples, the first secure communications are accessible at the implantable medical device and at the trusted authority service provider, and the first secure communications originate via at least one of the implantable medical device and the trusted authority service provider.
In at least some examples of the present disclosure, the communications platform may comprise a consumer communication device such as a smartphone, tablet computer, etc., and which is used to at least partially monitor and/or at least partially control an implantable medical device (IMD) within a patient. In some examples, this arrangement is implemented via a wireless communication protocol (such as but not limited to Bluetooth Low Energy (BLE)) within the communication platform in which the wireless communication protocol is reliable enough and operates at low enough power that they can be utilized for communication with at least some implantable medical devices (IMD). In some examples, the communication platform, which does not otherwise meet regulatory criteria to monitor and/or control an implantable medical device (IMD), can become equipped to at least partially monitor and/or at least partially control an implantable medical device (IMD) while complying with a medical device regulatory framework (i.e. meeting device reliability and security criteria).
In some examples, the communication platform is not dedicated for use in monitoring and/or controlling an implantable medical device (IMD). Accordingly, the communication platform may sometimes referred to as a non-IMD-dedicated communication platform. In some examples, the communication platform may comprise a consumer communication device, which may be portable or stationary. In some examples, the communication platform comprises a server. In some examples, the communication platform comprises a web server.
With this in mind, in some example arrangements, an application is executable on, and/or associated with, a communication platform to at least partially implement first secure communications between an implantable medical device (IMD) and a trusted authority (TA) service provider. The first secure communications include a security mechanism to prevent access to the first secure communications by the communication platform and by the application while permitting secure access to the first secure communications at the IMD and/or at the trusted authority service provider.
It will be understood that in at least some examples the security mechanism may involve encryption to implement the access prevention and may involve decryption to implement the secure access. In some such examples, the security mechanism includes or implements a security element which forms part of the first secure communications. In some examples, a similar arrangement may be applied for second secure communications, which are further described later.
In some examples, the trusted authority (TA) service provider at least partially manages operation of the IMD via the first secure communications. In some examples, via the TA service provider the application enables some user participation in operation of the IMD. As previously noted, in some examples the communications platform may comprise a communication device, such as but not limited to, a smartphone, a tablet computer, phablet, etc. generally available to ordinary consumers as a consumer communication device.
In some examples, by utilizing the presence of the TA service provider to perform and/or initiate communications with the IMD, security may be enhanced by implementing more sensitive aspects (e.g. aspects relating to medical safety) of the system in the trusted authority service provider, instead of implementing those more sensitive aspects in the communication platform (including an IMD application), which may be more susceptible to attacks such as reverse engineering.
Accordingly, whether embodied as a consumer communication device or other modality, at least some examples of the present disclosure enable a communication platform to act as the patient's controller for their IMD without exposing the patient to unnecessary risks and without exposing the communication platform to close medical regulatory scrutiny. Accordingly, in one aspect, these communication platforms (e.g. consumer communication device, desktop computer) retain their customary functions as a regular phone, tablet, computer etc. while also permitting user participation via an application (executable on the communication platform) to at least partially monitor and/or at least partially control an implantable medical device.
In some examples, a first IMD application executable via the communication platform may take the form of a service, such that at least a second IMD application executable via the communication platform may use the first IMD application as a means to communicate with the IMD and/or TA service provider. In some such examples, the first IMD application may act as a communication conduit while the second IMD application may provide control and/or information functions. In some such examples, the first IMD application may sometimes be referred to as a driver.
In some examples, at some of the example communication platforms can be implemented without modification to the communication platform, such as a consumer communication device. For instance, in at least some examples, such a communication platform does not involve an initial mode selection, does not involve separate operating systems, does not involve any special memory segregation, and the like in order to use the communication platform via the executable IMD application to at least partially monitor and/or at least partially control the implantable medical device (IMD).
In some examples, a communication platform comprises a non-IMD-dedicated communication platform. In some examples, the term “non-IMD-dedicated” communication platform refers to a communication platform which is not dedicated to exclusively communicate with, control and/or be controlled by an implantable medical device (IMD). Accordingly, with a communication device providing one example implementation of such a communication platform, in some examples, the term “non-IMD-dedicated communication device” refers to a device which is not dedicated to exclusively communicate with, control and/or be controlled by an implantable medical device (IMD). In some instances, the communication device may sometimes be referred to as communicating non-exclusively with the implantable medical device.
In some examples, the non-IMD-dedicated communication platform is a “non-medically-exclusive” communication platform, i.e. a communication platform not for exclusive medical use with IMD and/or not for exclusive medical use with external medical device.
In some instances, the non-IMD-dedicated communication platform is a personal communication device, which may be consumer grade, commercial grade, military grade, etc., and therefore may sometimes be referred to as a non-IMD-dedicated communication device. In some examples, the personal communication device may be a mobile communication device.
In some instances, the non-IMD-dedicated communication platform comprises a device not enabled for secured communications to/from the implantable medical device (IMD). In some instances, the non-IMD-dedicated communication platform is unsecured in at least the sense that it does not include a secure channel or pathway for receiving and sending secure communications (e.g. messages, transmissions, etc.) which originate from either an implantable medical device (IMD) or a trusted authority (TA) service provider and which pass through the non-IMD-dedicated communication platform.
Via at least some examples of the present disclosure, a manufacturer of an implantable medical device may experience reduced costs because they can omit designing and building an external device as a patient remote monitor. In some examples, a patient may experience greater ease of use because they can omit carrying an external device dedicated to monitor and/or control their implantable medical device while gaining the convenience of monitoring and/or controlling the implantable medical device via a communication platform, such as (but not limited to) their smartphone, tablet, or functionally similar communication device. In some examples, the communication platform is enabled for such use via an executable application (e.g. a mobile app in some examples) directed to at least partially monitoring and/or at least partially controlling the implantable medical device in the manner described throughout at least some examples of the present disclosure.
In some examples, via the IMD application executable via the communication platform, a patient and/or clinician may receive data obtained by a sensor and use that information to advance care of the patient. In some examples, such sensors may obtain information relating to pulse oximetry, accelerometry, audio, heart rate, images, and video, and the like. In some examples, such sensors may reside on or be accessible via the communication platform while in some examples, the sensor may be implantable. In some examples, such an implantable sensor may be incorporated within or on the implantable medical device. With such arrangements, in some examples the IMD application can integrate information from the implantable medical device (IMD) and sensed information relating to a physiologic state of the patient to thereby advance care of the patient.
These examples, and additional examples, are described in more detail in association with at least
In general terms, the communication platform 40 acts as an intermediary for the first secure communications 70A, 70B between the IMD 20 and the TA service provider 60. In some examples, the first secure communications 70A, 70B are implemented in a manner which prevents access to the first secure communications 70A, 70B by the communication platform 40 while permitting secure access to the first secure communications 70A, 70B at the IMD 20 and at the TA service provider 60.
In some examples, the communication platform 40 comprises a wireless communication element 75 to at least partially implement the first secure communications between the implantable medical device (IMD) 20 and the trusted authority (TA) service provider 60. In some examples, the wireless communication element 75 enables communication with devices and/or resources other than the IMD 20 and TA service provider 60.
In some examples, the TA service provider 60 at least partially manage operations of the IMD 20 via the first secure communications 70A, 70B with the IMD 20, as will be further described later. However, in some examples, the TA service provider 60 merely receives information from IMD 20 via first secure communications 70A, 70B without at least partially managing IMD 20.
With this general arrangement of system 10 in
Referring again to at least
In some examples, both the TA service provider 60 and the communication platform 40 are external to the patient's body while the IMD 20 is implanted within the patient's body.
In some examples, the IMD 20 comprises a passive implantable medical device. In some examples, the IMD 20 comprises an active implantable medical device.
In some examples, one such active IMD (AIMD) 20 is an implantable neurostimulation system. In some examples, the AIMD 20 includes at least an implantable pulse generator (IPG) or other implantable neurostimulator. In some examples, the AIMD 20 includes a stimulation element operably coupled relative to the IPG. In some examples, the AIMD 20 includes an implanted respiratory sensor operably coupled relative to the IPG. In some examples, the AIMD 20 is adapted to treat obstructive sleep apnea and/or other sleep disordered breathing behavior. Is some examples, the AIMD 20 is adapted to treat diseases amenable to therapy via neurostimulation. In some examples, the AIMD 20 is adapted to treat diseases amenable to therapy via other forms of electrically, mechanical, hydrologic, chemical, genetic, and/or biological activities implementable via the AIMD 20.
In some examples, implementing communication platform 40 is not strictly dependent on all of the elements of the AIMD 20 being implanted.
In some examples, IMD 20 comprises a passive implantable medical device (PIMD) which is subject to substantially the same degree of medical regulatory criteria as IMD 20. It will be understood that in these examples, the IMD 20 would be implemented in the form of passive implantable medical device (PIMD) in at least some of the examples described throughout the present disclosure.
In some examples, instead of an implantable medical device (IMD) 20, system 10 comprises a non-implantable medical device (NIMD) 20 which has no elements implanted within the patient's body, but which otherwise is subject to substantially the same degree of medical regulatory criteria as IMD 20. The NIMD 20 can be an external fluid pump, such as for treating diabetes, or can take other forms for other purposes.
In some examples, the non-implantable medical device (NIMD) 20 comprises an active device, e.g., active non-implantable medical device (ANIMD) 20. In some examples, the non-implantable medical device comprises a passive device, e.g. passive non-implantable medical device (PNIMD) 20. With this in mind, it will be understood that in some examples the IMD 20 may be implemented in the form of an ANIMD 20 or PNIMD 20 in at least some of the examples described throughout the present disclosure.
In some examples, the IMD 20 includes a communications security manager 22 (
In some examples, the security mechanisms associated with the respective first and second secure communications are implemented via at least the respective security managers 22, 62, which include cryptographic technologies, and at least some of which are further described below and later illustrated in association with at least
In some examples, cryptographic protection of communications within system 10 includes implementing a symmetric cryptographic protection protocol and/or an asymmetric protection protocol. In some examples, a cryptographic protection protocol for communications at least between the IMD 20 and the TA service provider 60 implements at least some aspects of both symmetric and asymmetric protection protocols. In some examples, a symmetric protection protocol includes stream and block ciphers such as, but not limited to, the Advanced Encryption Standard (AES) protocol. In some examples, an asymmetric protection scheme includes public/private key pairs such as, but not limited to, the Rivest-Shamir-Adleman (RSA) protocol.
In some examples, as further described below and throughout examples of the present disclosure, communication platform 40 comprises an implantable medical device (IMD) application 50 as shown in at least
In some examples, the communication platform 40 comprises a user interface, such as but not limited to the user interface 1092 as later described in association with at least
It will be understood that the IMD 20 already incorporates regulatory constraints for safe, efficacious therapy and communication.
In some examples, the implantable medical device (IMD) 20 includes at least one communication element (ISM inductive communications, Bluetooth, Wi-Fi, etc.) capable of interaction with communication platform 40, which in at least some examples may be a consumer communication devices such as a smartphone, tablet, phablets, and the like. In some examples, such communication elements operates in a low power mode (e.g. Bluetooth Low Energy—BLE), which may contribute to performing secure communications by making it more difficult for others to surreptitiously intercept the communications.
In some examples, IMD 20 includes a security manager 22 (
In some examples, the security manager 22 (
In some examples, the IMD 20 implements a cryptographic protection protocol involving symmetric keys for communication with the TA service provider 60. In some examples, a first key can be used for standard secure communications. In some examples, a second key can be used solely for direct communications between the IMD 20 and the TA service provider 60 for the purpose of changing symmetric keys (such as the first key) or other security features. In some examples, each key is paired with a random bit of secret data/string (e.g. salt) to buffer data and increase security. In some examples, such an arrangement may help to mitigate replay-style attacks.
As noted elsewhere, in at least some examples the communication platform 40 may act as an intermediary which does not have access to the content of the secure communications.
In some examples, the IMD 20 includes a provisioning element for initiation of communication with the trusted authority (TA) service provider 60 via a communication platform 40, such as but not limited to a consumer communication device (e.g. a non-IMD-dedicated device).
In some examples, the IMD 20 includes a protective mechanism to mitigate an attack intended to deplete a power source of the IMD 20. In one such example, the IMD 20 utilizes ultra-low-power communications or communications that are self-powered (e.g. NFC, RFID, inductive) such that the IMD 20 may be resistant to an attack of repeated communications aimed at depleting the power source. This arrangement is just one of several example mechanisms within the present disclosure which provide a layered approach to secure an environment to enable at least partially controlling an IMD 20 via an IMD application (e.g. at least 50 in
In some examples, another layer of protection includes the IMD 20 evaluating each external communication device attempting to communicate with the IMD 20. For instance, the IMD 20 may evaluate a Bluetooth/MAC address along with device data and credentials in the communication packets from the external communication device. If the external communication device is not an authorized communication device according to the IMD 20, then the IMD 20 disregards future communications from that external communication device and that MAC address for a certain period of time. In some examples, such evaluation is incorporated within the IMD security manager 22 (
In some examples, multiple layers of the protection mechanisms described above (regarding protecting a power source of the IMD 20) are implemented in combination.
In some examples, the communication platform 40 comprises an application 50 as shown in
In some examples, the communication platform 140 provides at least some example implementations of the communication platform 40 in
In general terms, the communication platform 140 comprises some combination of hardware and applications executable via such hardware to facilitate first secure communications 70A, 70B to pass through communication platform 40 in the manner described throughout the examples of the present disclosure. Accordingly, a wide variety of types of devices, types of applications, etc. may be used to implement communication platform 140 and to implement secure communications through communication platform 140.
With this in mind, as shown in
In some examples, the communication platform 140 comprises a stationary device 144. In some examples, the stationary device 144 comprises a web server. However, it will be understood that in some examples, the web server can be sized to be portable or mobile. In some examples, the stationary device 144 comprises a desktop computer.
In some examples, the communication platform 140 comprises a combination of a stationary device 144 and a dongle 146 with dongle 146 having at least wireless communication capabilities suitable for communicating with IMD 20. The dongle 146 and stationary device 144 may communicate together via wired or wireless pathways, while stationary device 144 may communicate with the TA service provider via wired or wireless pathways. In some examples, the dongle 146 may be used with non-stationary computers as part of communication platform 140.
As further shown in
In some examples, the communication platform 140 comprises more than one component arranged in series 163 or may comprise more than one component arranged in parallel 165.
In some examples, the communication platform 140 is not dedicated for exclusive communication with an implantable medical device (IMD) and therefore may sometimes be referred to as a non-IMD-dedicated communication platform 171, which may comprise a non-IMD-dedicated device. In contrast, at least some commercially available devices for communication with an implanted medical device are tailored for communication exclusively with the implanted medical device, such as a dedicated patient programmer (e.g. dedicated remote control).
In some examples of the present disclosure, the communication platform 140 is dedicated for communication with one implantable medical device (IMD) but is not necessarily dedicated to use for a particular brand/model of implantable medical device. In such examples, the platform 140 may sometimes be referred to as a non-specific-IMD-dedicated communication platform 173, which may comprise a non-specific-IMD-dedicated device.
In some examples, the communication platform 140 is dedicated for communication with several different implantable medical devices (IMDs). In some examples, the different implantable medical devices may all be the same brand (i.e. a common manufacturer). However, in some examples, at least some of the different implantable medical devices may comprise different brands. In such examples, the platform 140 may sometimes be referred to as a multi-IMD-dedicated communication platform 175 as shown in
As shown in
In some examples, the first channel is arranged to implement first secure communications according to a first level of access privileges to a content of the first secure communications. Meanwhile, the second channel is arranged to implement the second secure communications according to a second level of access privileges to the content of the first secure communications, wherein the second level of access privileges is different than the first level of access privileges.
In some examples, the first channel (e.g. Platform A) may be dedicated to a patient application and the second channel (e.g. Platform B) may be dedicated to a clinician application. In this arrangement, the clinician application has full privileges while the patient application has whatever limited privileges are granted by the clinician.
In some examples, the first channel (e.g. Platform A) may be dedicated to a patient application and the second channel (e.g. Platform B) may be dedicated to a home monitor application, which is granted read-only access to IMD.
In some examples, one channel may be dedicated to a clinician with full privileges while the other channel has less privileges such as a caregiver application with a displayable subset of read-only IMD information or such as an emergency use application to disable therapy only in an emergency situation.
The two platform portions 240A, 240B are separate from, and independent of, each other. In some examples, the two IMD applications 250A, 250B are separate from, and independent of, each other. However, in some examples, the two IMD applications 250A, 250B represent distributed portions of a single IMD application.
In some examples, the two separate platform portions 240A, 240B are embodied in a single housing 255.
In some examples, via execution by communication platform 40, the IMD application 50 (
In some examples, the arrangement of IMD application 50 adding a layer of security (onto communications already secured by the IMD 20 and/or the TA service provider 60) helps to support verification of the IMD application 50 from communication session-to-communication session in support of a loose pairing concept mediated by the TA service provider 60. For instance, the TA service provider 60 may authorize an IMD application 50 (executable on a communication platform 40) to communicate with an IMD 20 in an arrangement such that the TA service provider 60 can use a signature of that particular IMD application 50 instance on that particular communication platform 40 to actively monitor and secure the communication path to the IMD 20. The IMD application 50 is loosely paired to the IMD 20 and the communication platform 40 may already typically include a method to validate a user via a user ID (e.g. via Microsoft ID, Google ID, or Apple ID). In some examples, the TA service provider 60 may further validate the user via such methods to help confirm continued authorization of the user, communication platform 40, and IMD application 50 to interact with the IMD 20. With this arrangement, in some examples, if the communication platform 40 becomes associated with a different user ID, then the IMD application 50 and/or TA service provider 60 may take additional steps to verify the user prior to allowing access. It will be understood that in some examples, this arrangement may be applicable for clinicians as well in which a “user ID” is used to further validate access by a clinician. Moreover, in some examples, a clinician may be validated access via a “user ID” at TA service provider 60 for multiple IMDs 20 and/or a IMD application 50 for multiple IMDs 20, whether the multiple IMDs 20 are associated with one patient or each of the multiple IMDs 20 are associated with a different patient.
As shown in
As shown in
In some examples, at least a portion of the authentication engine 350 may be implemented as part of IMD 20 while in some examples, at least a portion of the authentication engine 350 may be implemented as part of IMD application 50 and/or TA service provider 60. In some examples, at least a portion of authentication engine 350 may be implemented via communication platform 40.
As shown in
The user id function 354 calls for a user identification (user id) for the second step authentication, which is managed by a third party and/or the TA service provider 60. The user id function 354 also may call for an associated password. In some examples, to implement a second step authentication, the biometric function 356 of authentication engine 350 calls for the user to present a recognizable physiologic feature, such as a fingerprint, retina, etc. for scanning or sensing. In some examples, to implement a second step authentication, the physical function 358 of authentication engine 350 calls for physical information, such as an activation code associated with the IMD 20. In some examples, In some examples, to implement a second step authentication, the messaging function 360 of authentication engine 350 calls for a message, such as an a short message system (SMS; e.g. text) or other phone messaging tool. In some examples, a combination or hybrid of the various functions 354-360 are implemented to achieve a two-step authentication via engine 350.
As shown in
However, in some examples, the implantable sensor 480 has an indirect communication link 494 (
As further shown in
In some examples, the sensor 482 comprises an independent sensor 486, such that the sensor is separate from, and independent of, the communication platform 40 and/or TA service provider 60. In some such examples, the sensor 486 may be removably coupled relative to the patient's body. In some such examples, the sensor 486 may be physically spaced apart from the patient's body. In some examples, such sensors 486 have a direct communication link 492 (
The information sensed via sensors 480 and/or 482 is at least tracked and/or recorded, and in some instances may be communicated to TA service provider 60 (
In some examples, a non-implantable sensor such as sensors 484, 486 (
In some examples, an implantable sensor such as sensor 422 (
In some examples, at least some aspects of the performance engine 500 may be implemented in at least the TA service provider 60 and/or via the communication platform 40, such as but not limited to, in the IMD application 50.
As shown in
As further shown in
As further shown in
As further shown in
As further shown in
In some examples, the performance engine 500 comprises a power function 548 to monitor and/or at least partially implement power functionality associated with operation of IMD 20. Such monitoring may include tracking longevity of a power source and such implementing may include selective power conservation in cooperation with the various functions of IMD 20 impacting the power supply of IMD 20. It will be understood that the power function 548 may relate to a battery but is not strictly limited to battery, such as currently commercially available batteries, but may include other types of power sources suitable for use in IMD 20. The batteries and/or other power sources may be rechargeable in some examples.
In some examples, various combinations of the engines 502 and functions 510, 520, 530, 532, 534, 542, 544, 548 of performance engine 500 operate in a complementary or cooperative manner.
In some examples, the performance engine 500 is implemented in the form of a patient performance manager 1090 in IMD application 50 and/or as a master performance manager 1080 in TA service provider 60, as later described in association with at least
In some examples, operation of and/or monitoring the performance engine 500 may be at least partially implemented via a user interface, such as user interface 600 in
As shown in
In some examples, the active link function 604 monitors and/or displays which communication links are active, e.g. properly functioning, among at least the IMD 20, communication platform 40, IMD application 50, and TA service provider 60. Via such display, a patient or clinician can quickly be assured of proper communication, and therefore proper operation of the IMD 20 and related components. Alternatively, in the event that one of the communication links were not active, the patient and/or clinician would become aware of the inactive link. In some examples, in the event of an inactive link, the active link function 604 cooperates with reporting function 634 of user interface 600 to provide an alert or notification to the patient or clinician. Such reporting may in the form of an email, text (e.g. SMS), audio indicator (e.g. ringtone, other), visual indicator, etc., such as via communication platform 40, IMD application 50, and/or TA service provider 60. In some examples, such reports may indicate actions which may be taken to fix or improve operation of a particular communication link.
In some examples, the link identifier function 606 cooperates with the active link function 604 to track and/or indicate each link separately to enable a quick and effective identification of the various communication links.
In some examples, the availability function 608 tracks and/or displays a type and number of which links are available for communication with or among at least IMD 20, communication platform 40, IMD application 50, and/or TA service provider 60.
In some examples, the user interface 600 comprises a verification function 640 to verify various functions associated with operation of at least the IMD application 1050, at least some of which are further described later in association with IMD application 1050. By doing so, a clinician and/or user may use the IMD 20 with confidence and safely to advance the care of the patient. In some examples, the verification function 640 may be implemented as part of (and/or cooperate with) at least the performance engine 500 (
In some examples, user interface 600 comprises a user input engine 610. In some examples, in general terms the user input engine 610 may receive user input to operate user interface 600 and/or the engines and functions of IMD 20, communication platform 40, IMD application 50, and/or TA service provider 60 as appropriate to the level of access granted to the particular user (e.g. patient, clinician, technical support, etc.) for a particular aspect (e.g. 20, 40, 50, 60) of a system. In some examples, the user input engine 610 includes a therapy function 622 to at least partially monitor and/or at least partially implement at least some aspects of therapy via IMD 20.
In some examples, the user input engine 610 includes a device selection function 624 for user selection of which device or component of a system to which a user input should be applied and/or which device or component is to be monitored.
In some examples, user interface 600 comprises a performance function 630 to select displayable information regarding, and/or implement control associated with, at least some aspects of performance regarding IMD 20, communication platform 40, IMD application 50, and/or TA service provider 60. In some examples, the performance function 630 enables selective display of information and/or implementing control relating to at least some of the aspects of performance engine 500 as previously described in association with at least
In some examples, user interface 600 comprises a sensing function 632 to select displayable information regarding, and/or implement control associated with, at least some aspects of sensing in relation to IMD 20, communication platform 40, IMD application 50, and/or TA service provider 60. In some examples, the sensing function 632 enables selective display of information and/or implementing control relating to at least some of the aspects of the sensor(s) as previously described in association with at least
In some examples, user interface 600 comprises a reporting function 634 to select displayable information regarding, and/or implement control associated with, at least some aspects of reporting in relation to IMD 20, communication platform 40, IMD application 50, and/or TA service provider 60.
In some examples, user interface 600 comprises a data transfer function 634 to select displayable information regarding, and/or implement control associated with, at least some aspects of data transfer in relation to IMD 20, communication platform 40, IMD application 50, and/or TA service provider 60. In some such examples, the data transfer function 634 facilitates availability of directly downloadable information by other resources, which can be selectively communicatively coupled relative to IMD 20, communication platform 40, IMD application 50, and/or TA service provider 60
In some examples, data may be transferred on an application-to-application basis, such as IMD application 50 transferring data to another application (e.g. a commercially available application or custom application) for analysis. Such “other” applications may include applications such as, but not limited to, an Apple® healthkit application, Twitter®, etc. In this way, the data transfer function 634 may contribute to establishing a comprehensive health platform for the patient.
In some examples, various combinations of the engines 602 and functions 604, 606, 608, 610, 622, 624, 630, 632, 634, 636 in user interface 600 operate in a complementary or cooperative manner.
In substantially the same manner as previously described for system 10 (at least
In some instances at least a portion of the communication platform 1040 may take the form of one of several different types of devices 142-175 as previously described in association with
With this general arrangement of system 1010 in
In addition, in a manner similar to that described in association with at least
In a manner similar to that previously described in association with at least
In some examples, the security mechanisms associated with the respective first and second communications and implemented via at least the respective security managers (e.g. 22, 62 in
In some examples, the IMD application 1050 includes a user interface 1092. In some instances, user interface 1092 includes an input mechanism and a display with user interface 1092 being implemented a corresponding graphical user interface of the mobile device 1040. In some examples, user interface 1092 embodies at least some of substantially the same features and attributes as user interface 1486 as described in association with at least
Accordingly, in some examples, upon implementing the performance engine 500 in the IMD application 1050, a performance manager 1090 is accessible and implementable via user interface 1092. In some examples, the manager 1090 is primarily accessible and/or used by the patient and as such may sometimes be referred to as a patient performance manager 1090. The patient performance manager 1090 enables a patient to monitor and/or control at least some operations of the IMD 1020, as permitted by the manufacturer of the IMD 1020 and/or the clinician responsible for the patient. For instance, a patient may be permitted via patient performance manager 1090 to make adjustments in the intensity of stimulation with such adjustments being within an absolute range set by the manufacturer and with a relative range (which is within the absolute range) set by the clinician. Other patient-controllable performance parameters may include an on/off function, programmed start/end times, delayed start, and the like which are within the ambit of decisions suitably made by a patient.
In some examples, the TA service provider 1060 includes a master performance manager 1080, which enables a clinician to monitor and/or control at least some operations of the IMD 1020, as permitted by the manufacturer of the IMD 1020. For instance, a clinician may be permitted via a master performance manager 1080 to make adjustments in various parameters regarding stimulation therapy. In one example, the master performance manager 1080 permits the clinician to set the relative range of values for each of certain parameters modifiable to the patient with such adjustments being within an absolute range of values set by the manufacturer and in compliance with medical regulatory frameworks. In some examples, such control by the clinician may be at least partially implemented via a rules function 1378 as further described in association with management engine 1350 in association with at least
Accordingly, patient performance manager 1090 and master performance manager 1080 implement parameters of the IMD 1020 within constraints set by the manufacturer of the IMD 1020, which also are within constraints determined and/or approved within a medical regulatory framework. It will be understood that the constraints on parameters, functions, and engines of IMD 1020 in each of the patient performance manager 1090 and master performance manager 1080 are appropriate to the respective roles (e.g. patient, clinician respectively) in patient care. In some examples, manager 1080 of TA service provider 1060 is at least partially implemented, displayable, and/or operable via a user interface 1061 of TA service provider, as shown in
With this in mind,
Similarly,
In some examples, the TA service provider 1060 may authorize the IMD application 1050 to communicate directly with the IMD 20 for a selectable, predetermined time period. The authorization may be renewable by the TA service provider in some examples. In some such examples, the authorization may include a unique IMD 1020, IMD application 1050 and communication platform 1040, user id, and/or wireless communication protocol id (e.g. Bluetooth ID).
In some examples, such authorization by the TA service provider 1060 may be implemented via an authority delegation function, such as but not limited to the authority delegation function 1376 of TA service provider 1060 as described in association with at least
In some examples, the TA service provider 1060 may provide authorization to the IMD application 1050 by communicating instructions (e.g. a recipe) for the IMD application 1050 to implement communications with IMD 1020, at least for a limited period of time.
In some examples, communication between IMD application 1050 and IMD 1020 such as via IMD-to-App message 1172 (and/or a corresponding App-to-IMD message) is authorized via a second authentication factor, which may be implemented via a second step authentication scheme, such as but not limited to authentication engine 350 as previously described in association with at least
In some examples, message 1097 may include performance information to be displayed in a user interface (600 in
With these more specific examples (
With this in mind, in some examples the TA service provider (e.g. 60 in
In some examples, as shown in at least
In some examples, as shown in at least
In some examples, the TA service provider 1060 (
In some examples, as shown in at least
In some examples, the TA service provider 1060 includes a user interface 1061 (
In some examples, the TA service provider 1060 includes an user interface 1061 as shown in
In some examples, via its communication with IMD application 1050, the TA service provider 1060 (
In some examples, at least when implemented as a non-IMD-dedicated device (e.g. a consumer communication device), communication platform 1040 (
In some examples, the communication platform 1040 (
In some examples, the IMD application 1050 (
In some examples, the IMD application 1050 (
In some examples, the IMD application 1050 (
In some examples, the IMD application 1050 (
In some examples, at least via second secure communications 1094 (
In some examples, the IMD application 1050 (
In some examples, the IMD application 1050 (
In some examples, depending on a relative safety profile of the therapy, the TA service provider 1060 (
In some instances, via the authority delegation function 1376 (
In some instances, via the authority delegation function 1376 (
In some examples, at least one implementation of the authority delegation function 1376 (
With further reference to
In some examples, the IMD application 1050 (as executed via communication platform 1040) does not have access to symmetric keys of the IMD 1020 and TA service provider 1060 because such access might otherwise subject such communications between the IMD 1020 and the TA service provider 1060 to attack. In some examples, such symmetric keys used in communications between the IMD 1020 and the TA service provider 1060 prevent access by the IMD application 1050.
In some examples, the TA service provider 1060 (
In some examples, a private key may be shared with the IMD 1020 along with temporal parameters and other hardware parameters (e.g. Bluetooth address, IP address, MAC address, version of the IMD application 1050 (as executed via communication platform 1040) so the private key can directly identify the communication platform (e.g. consumer communication device, in some examples).
In some examples, de-authorization of the IMD application 1050 (as executed via communication platform 1040) can occur upon natural expiration of a public key due to temporal parameters or forced de-authorization facilitated by the TA service provider 1060.
In some examples, in coordination with at least communication platform 1040 on which it is executed, the IMD application 1050 can include methods and/or elements to allow the IMD application 1050 to self-verify normal operation, such as evaluating its memory space against values that were compiled in or provided by the TA service provider 1060. This arrangement may provide an additional layer of protection against reverse engineering or other unwanted manipulation.
In some examples, all communications between the communication platform 1040 (including application 1050) and the TA service provider 1060 can be further encrypted utilizing security protocols to maintain communication confidentiality, integrity, and availability. In one such example, the communications are performed via a Secure Socket Layer (SSL) protocol. In one aspect, this arrangement provides a redundancy to communications to provide additional protection.
In some examples, the IMD application 1050 includes at least one mechanism to verify normal operation of at least one of the IMD application 1050 and of the communication platform 1040 on which the IMD application 1050 is executable.
In some examples, in this context the term “normal operation” refers to uncorrupted operation of the IMD application 1050 and/or communication platform 1040, e.g. operation which has not been corrupted, compromised, hacked by unauthorized agents, such as but not limited to, an intrusion, alteration, etc. of IMD 1020, TA service provider 1060, communication platform 1040, IMD application 1050, and/or even a sensor (
In some examples, verifying normal operation of the IMD application 1050 (as executable on communication platform 1040) includes verifying that the user can see the pertinent information regarding operation of the IMD 1020, such as via a user interface (1092
In some examples, verifying normal operation of the IMD application 1050 (as executable on the communication platform 1040) includes verifying that the IMD application 1050 has not been tampered with, such as via tamper resistance tools. In some examples, tamper resistance tools include self-hashing techniques and/or self-evaluation of execution metrics and pathways. In some instances, this self-verification includes the IMD application 1050 (as executable via the communication platform) using redundant steps to verify its output. In some examples, such verification may be at least partially implemented via at least verification function 640 (
In some examples, more than one of the identified self-verification techniques is implemented in association with the IMD application 50.
In view of these various examples of the IMD 1020, IMD application 1050, TA service provider 1060 (and others described in the present disclosure), it will be understood that in some examples the TA service provider 1060 may manage multiple IMDs 1020 (and associated IMD applications 1050) in which the multiple IMDs 1020 belong to a single patient or in which the multiple IMDs 1020 (and associated IMD applications 1050) are dispersed among different patients.
Moreover, it will be further understood that in some examples, via their respective managers 1090, 1080, the TA service provider 1060 and/or IMD application 1050 may manage multiple types of IMDs 1020. For instance, some types of IMD 1020 may be adapted to treat obstructive sleep apnea, while other types of IMDs 1020 may be adapted to treat cardiac irregularities or may be adapted to treat urinary incontinence, for pain management, diabetes, other types of neurostimulation, etc. In addition, while some types of IMD 1020 managed by TA service provider 1060 and/or IMD application 1050 may involve neurostimulation, other types of IMDs 1020 managed by TA service provider 1060 and/or IMD application 1050 may involve other types of non-neurostimulation therapies such as, but not limited to, fluid delivery (e.g. pharmaceutical and/or non-pharmaceutical).
With continued reference to
In some examples, as shown in
In some examples, the IMD application 1050 displays the sensed information in association with the communication platform 1040, such as via user interface 1092 (
In some examples, the IMD application 1050 communicates the sensed information via a sensor message 1312 (
In some examples, via its manager 1080 (
In addition, as further shown in
In some examples, a performance manager 1080 (
In some examples, the auto-titration manager may be at least partially implemented via a rules function 1378 of management engine 1350 as shown in
As previously mentioned,
As further shown in
In some examples, the second secure communication path 1415 is separate from, and independent of, the first secure communication path 1405A, 1405B. In some examples, the second secure communication path 1415 is implemented via the examples of secure communications and/or security mechanisms between IMD application 1050 and TA service provider 1060 as previously described in association with at least
In some examples, the first secure communication path 1405A, 1405B is provided via secure communication device 1410 including a telemetry tool to securely receive information directly from the IMD 1020 and a tool (e.g. telephony or other means) to securely send the received information to the trusted authority (TA) service provider 1060. In some examples, the secure communication device 1410 can securely receive information from the trusted authority (TA) service provider 1060 (whether via telephony or other means) and the IMD 1020 can securely receive information from the secure communication device 1410 via telemetry.
In some examples, the IMD application 1050 receives performance information from the trusted authority (TA) service provider 1060 and displays the received performance information via the user interface 1092 (at least 600 in
In some examples, the IMD 1020, IMD application 1050 (executable via communication platform 1040), and/or TA service provider 1060 in system 1401 include at least some of substantially the same features and attributes as described throughout the present disclosure in association with
In some examples, the first secure communication path 1405A, 1405B and/or secure communication device 1410 is implementable via existent remote monitoring systems, such as but not limited to, the type of remote patient monitoring systems available under the trade name Carelink™ from Medtronic, Inc. As such, in some examples, the secure communication device 1410 may comprise an “off-the-shelf” medical controller/monitor already available for use and communication with a particular IMD 1020 or adapted for use with other IMDs 1020. It will be understood that in some examples, an existent secure communication device 1410 may be adapted for use with IMD 1050 via programming changes via TA service provider 1060 or via hardware updates, which adapt the existent secure communication device 1410 for use with the IMD 1020, IMD application 1050, and TA service provider 1060 in a manner consistent with at least some examples of the present disclosure.
In general terms, controller 1482 of control portion 1480 comprises at least one processor 1483 and associated memories. The controller 1482 is electrically couplable to, and in communication with, memory 1484 to generate control signals to direct operation of at least some components of the systems, components, engines, functions, tools, parameters, managers, mechanisms, applications, interfaces, and/or elements described throughout the present disclosure. In some examples, these generated control signals include, but are not limited to, employing manager 1485 stored in memory 1484 to manage performance of the IMD 1020 (including but not limited to patient therapy) and/or manage security of communications/operation of the IMD 1020, IMD application 1050 (as executable via communication platform 1040), and/or trusted authority (TA) service provider 1060 in the manner described in at least some examples of the present disclosure. It will be further understood that control portion 1480 (or another control portion) may also be employed to operate general functions of the IMD 1020, communication platform 1040, IMD application 1050, and/or trusted authority service provider 1060.
In response to or based upon commands received via a user interface (e.g. 600 in
For purposes of this application, in reference to the controller 1482, the term “processor” shall mean a presently developed or future developed processor (or processing resources) that executes sequences of machine readable instructions contained in a memory. In some examples, execution of the sequences of machine readable instructions, such as those provided via memory 1484 of control portion 1480 cause the processor to perform actions, such as operating controller 1482 to implement performance management/monitoring (including therapy in some examples) and/or security in communications/operations, as generally described in (or consistent with) at least some examples of the present disclosure. The machine readable instructions may be loaded in a random access memory (RAM) for execution by the processor from their stored location in a read only memory (ROM), a mass storage device, or some other persistent storage (e.g., non-transitory tangible medium or non-volatile tangible medium, as represented by memory 1484. In some examples, memory 1484 comprises a computer readable tangible medium providing non-volatile storage of the machine readable instructions executable by a process of controller 1482. In other examples, hard wired circuitry may be used in place of or in combination with machine readable instructions to implement the functions described. For example, controller 1482 may be embodied as part of at least one application-specific integrated circuit (ASIC). In at least some examples, the controller 1482 is not limited to any specific combination of hardware circuitry and machine readable instructions, nor limited to any particular source for the machine readable instructions executed by the controller 1482.
In some examples, user interface 1486 comprises a user interface or other display that provides for the simultaneous display, activation, and/or operation of at least some of the various components, systems, components, engines, functions, tools, parameters, managers, mechanisms, applications, interfaces, elements, features, and attributes of control portion 1480 and/or the various aspects of an IMD application 1050 (as executable via communication platform 1040) and/or trusted authority (TA) service provider 1060. In some examples, at least some portions or aspects of the user interface 1486 are provided via a graphical user interface (GUI). In some examples, as shown in
As shown in
In some examples, the communication platform comprises a wireless communication element to implement the first secure communications at least partially wirelessly.
As shown via 1720 in
However, it will be understood that in at least some such examples, the trusted authority (TA) service provider may still operate in a complementary or cooperative manner relative to implantable medical device (IMD) to at least partially implement security aspects of the first secure communications. Moreover, in such arrangements, in some examples the TA service provider may receive information from the implantable medical device (IMD) even though the implantable medical device (IMD) and/or communications platform do not receive operational and/or performance instruction from the TA service provider.
In some examples, method 1720 can be performed via at least some of the methods, systems, components, engines, elements, parameters, managers, mechanisms, applications, interfaces, functions, tools, etc. as previously described in association with at least
As shown at 1730 in
In some examples, the arrangement in 1730 can be performed via at least some of the methods, systems, components, engines, elements, parameters, managers, mechanisms, applications, interfaces, functions, tools, etc. as previously described in association with at least
As shown at 1802 in
Although specific examples have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that a variety of alternate and/or equivalent implementations may be substituted for the specific examples shown and described without departing from the scope of the present disclosure. This application is intended to cover any adaptations or variations of the specific examples discussed herein.
Claims
1. An application comprising machine readable instructions stored in a non-transitory medium and executable via a communication platform to:
- receive and display information associated with an implantable medical device (IMD); and
- cause the communication platform to at least partially implement first secure communications between the implantable medical device and a trusted authority service provider, the first secure communications to prevent access, by the application and by the communication platform, to at least content of the first secure communications.
2. The application of claim 1, the first secure communications to include use information regarding the implantable medical device.
3. The application of claim 1, the instructions to enable second secure communications between the application and the trusted authority service provider regarding information associated with the implantable medical device.
4. The application of claim 3, wherein at least some of the second secure communications comprise data from the first secure communications, and wherein the first secure communications are independent of, and separate from, the second secure communications.
5. The application of claim 3, the instructions to form a user interface including an input mechanism to receive user input to modify at least some operations of the IMD to enable at least partial user control over the IMD.
6. The application of claim 5, wherein the user interface prevents user awareness of the second secure communications such that the application appears to provide direct control over the IMD via the user interface.
7. The application of claim 1, the instructions to directly control, via delegated authority received from the trusted authority service provider, at least some operations of the implantable medical device via the communication platform for at least a predetermined period of time.
8. The application of claim 7, the instructions to form a user interface including an input mechanism to receive user input to implement at least partial user control over the IMD via direct communication between the application and the implantable medical device.
9. The application of claim 1, the instructions to form a user interface including a status function to indicate that at least one communication link associated with the first secure communications is active.
10. The application of claim 1, wherein the application is formatted for installation on a non-IMD-dedicated device.
11. The application of claim 12, wherein the non-IMD-dedicated device is a smart phone.
12. The application of claim 1, wherein the IMD includes at least a first element implanted into a body of a patient and a second element not implanted into the body of the patient.
13. The application of claim 1, wherein the first secure communications is a communication originating from the trusted authority service provider.
14. The application of claim 1, wherein the first secure communication is a communication originating from the IMD.
15. The application of claim 1, wherein the communications platform comprises a combination of a mobile device communicating with a dongle.
16. The application of claim 1, wherein the communication platform comprises at least one of:
- at least two components arranged in series; and
- at least two components arranged in parallel.
17. The application of claim 1, wherein the instructions at least partially implement the first secure communication via wireless communication with a device other than the IMD.
18. The application of claim 1, wherein the instructions cause the communication platform to act as an intermediary between the implantable medical device and the trusted authority service provider.
19. The application of claim 1, wherein the instructions form a communication link for a separate application to communicate with at least one of the trusted authority service provider and the IMD.
20. The application of claim 1, wherein the instructions are implemented in an at least partially distributed arrangement on the communication platform to represent a first IMD application and a second IMD application.
Type: Application
Filed: Jan 25, 2022
Publication Date: May 12, 2022
Applicant: INSPIRE MEDICAL SYSTEMS, INC. (Golden Valley, MN)
Inventors: John Rondoni (Plymouth, MN), Dave Dieken (Minneapolis, MN)
Application Number: 17/583,547