Apparatus and method for protecting a medical device and a patient treated with this device against harmful influences from a communication network

US 8,146,149 B2
Filed: 06/01/2007
Issued: 03/27/2012
Est. Priority Date: 06/03/2006
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a transmission means for transmitting communication packets to and from an external device via a communication network, the communication network comprises at least one insecure sub-network and a secure sub-network on the device side;

a monitoring means for monitoring the state of the connection of the device to the network; and

a breaker means for breaking an existing connection between the secure sub-network and the insecure sub-network,wherein the external device is a medical device comprising a means for connecting to the communication network,wherein the apparatus is suitable for breaking the network connection to the medical device if, during monitoring, a state of the network connection is detected which poses a risk to a patient treated with the device or to the correct functioning of the devicewherein the apparatus carries out at least one of a translation or encryption of communication protocols used in the insecure sub-network or in the secure sub-network in such a way that communication packets that have been modified with respect to the communication packets originating from the original protocol are used in the respective other sub-network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus for interacting with a medical device which is suitable for connection into a communication network which comprises at least one insecure area and a secure area on the device side, wherein the apparatus comprises a transmission device for transmitting communication packets to and from the medical device via the communication network, it comprises a monitoring device for monitoring the state of the connection of the device to the network, and it comprises a breaker device for breaking an existing connection between the secure area and the insecure area of the network if, during the monitoring process, a state of the network connection is detected which poses a risk to a patient treated with the device or to the correct functioning of the device.

52 Citations

View as Search Results

24 Claims

1. An apparatus comprising:
- a transmission means for transmitting communication packets to and from an external device via a communication network, the communication network comprises at least one insecure sub-network and a secure sub-network on the device side;
  
  a monitoring means for monitoring the state of the connection of the device to the network; and
  
  a breaker means for breaking an existing connection between the secure sub-network and the insecure sub-network,wherein the external device is a medical device comprising a means for connecting to the communication network,wherein the apparatus is suitable for breaking the network connection to the medical device if, during monitoring, a state of the network connection is detected which poses a risk to a patient treated with the device or to the correct functioning of the devicewherein the apparatus carries out at least one of a translation or encryption of communication protocols used in the insecure sub-network or in the secure sub-network in such a way that communication packets that have been modified with respect to the communication packets originating from the original protocol are used in the respective other sub-network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The Apparatus according to claim 1, wherein the transmission means comprises a packet filter which carries out packet filtering on the communication packets transmitted between the insecure sub-network and the secure sub-network of the communication network 11, wherein the packet filter is suitable for blocking communication packets which pose a potential risk to the medical device, the breaker means comprises at least one breaker switch, and the monitoring means comprises at least one control logic which, when a state of the network connection which poses a risk to a patient or to the correct functioning of the device is detected, triggers opening of one of the breaker switches so as to separate the insecure sub-network from the secure sub-network of the communication network which is connected directly to the medical device.
  - 3. The Apparatus according to claim 2, wherein the packet filter performs bidirectional packet filtering on the communication packets transmitted between the insecure sub-network and the secure sub-network of the communication network.
  - 4. The Apparatus according to claim 2, wherein the packet filter partially or completely replaces at least one of the monitoring means or the breaker means by blocking harmful communication packets or all communication packets when a state of the network connection which poses a risk to the patient or to the correct functioning of the device is detected.
  - 5. The Apparatus according to claim 1, wherein the separation between the secure sub-network and the insecure sub-network of the communication network is implemented as logical segmentation.
  - 6. The Apparatus according to claim 1, wherein the separation between the secure sub-network and the insecure sub-network of the communication network is implemented as physical segmentation.
  - 7. The Apparatus according to claim 6, wherein physical segmentation is achieved by different physical transmission paths in the secure sub-network and in the insecure sub-network of the communication network or by different instances of the same transmission path.
  - 8. The Apparatus according to claim 6, wherein the communication network comprises at least one of cable-based or radio-based transmission paths.
  - 9. The Apparatus according to claim 1, wherein the transmission path in the secure sub-network of the communication network comprises optical fibers.
  - 10. The Apparatus according to claim 2, wherein the control logic includes means for carrying out a static and/or dynamic check of the data to be transmitted in the communication network, the result of which check leads to an existing connection between the secure sub-network and the insecure sub-network of the network being maintained or cut by triggering the breaker switch(es).
  - 11. The Apparatus according to claim 2, wherein one of the breaker switches is located on one of the sides connected to the secure sub-network of the communication network or on the side of the apparatus connected to the insecure area of the communication network, so as to be able to separate only the medical device or both the medical device and the apparatus itself from the insecure sub-network.
  - 12. The Apparatus according to claim 1, further comprising a redundant architecture by integrating in the monitoring means a model of the function of the transmission means which makes it possible to check the correct functioning thereof.
  - 13. The Apparatus according to claim 1, further comprising at least two diverse channels, each with their own monitoring means and breaker means, wherein each channel can monitor both itself and also the other channel independently and can separate from the insecure sub-network of the communication network when a state of the network connection which poses a risk to the patient or to the correct functioning of the device is detected.
  - 14. The Apparatus according to claim 2, further comprising a comparator for comparing the results of the packet filtering in each channel with one another and forwarding the communication packets to be transmitted only if they are the same in each channel.
  - 15. The Apparatus according to claim 13, further comprising in each channel a security logic which is suitable for separating the insecure area of the communication network from the secure area thereof, independently of the security logic of any other channel, when a state of the network connection which poses a risk to the patient or to the correct functioning of the device is detected.

16. A method for controlling an apparatus for interacting with a medical device which is suitable for connection into a communication network which comprises at least one insecure sub-network and a secure sub-network on the device side, the secure area being protected by a firewall device, the method comprising:
- ensuring the transmission of communication packets to and from the medical device via the communication network'"'"'s;
  
  monitoring the state of the connection of the device to the network; and
  
  breaking an existing connection between the secure sub-network and the insecure sub-network of the network if during the monitoring process, a state of the network connection is detected which poses a risk to the patient or to the correct functioning of the device.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The method according to claim 16, further comprising packet filtering during the transmission of the communication packets transmitted between the insecure sub-network and the secure sub-network of the communication network, wherein filtering is suitable for blocking communication packets which pose a potential risk to the medical device.
  - 18. The method according to claim 16, further comprising bidirectional packet filtering on the communication packets transmitted between the insecure sub-network and the secure sub-network of the communication network.
  - 19. The method according to claim 16, further comprising allowing logical segmentation between the secure area and the insecure area of the communication network.
  - 20. The method according to claim 16, further comprising allowing said monitoring and/or breaking steps to be partially or completely replaced by the packet filtering during the transmission by blocking, during the packet filtering, harmful communication packets or all communication packets when a state of the network connection which poses a risk to the patient or to the correct functioning of the device is detected.
  - 21. The method according to claim 16, wherein packet filtering is suitable for carrying out one of a translation or encryption of the communication protocols used in the insecure sub-network or in the secure sub-network of the communication network in such a way that communication packets that have been modified with respect to the communication packets originating from the original protocol are used in the respective other sub-network of the communication network.
  - 22. The method according to claim 16, wherein monitoring includes performing one of a static or dynamic check of the data to be transmitted in the communication network is carried out, the result of which check leads to an existing connection between the secure sub-network and the insecure sub-network of the network being maintained or cut.
  - 23. The method according to claim 16, further comprising operating redundantly by integrating in the monitoring step an at least partial model of the function of the transmission step which makes it possible to check the correct functioning thereof.
  - 24. The method according to claim 16, further comprising operating in at least two diverse channels, each with their own transmission, monitoring and breaking, wherein each channel can monitor both itself and also the other channel independently and can separate from the insecure sub-network of the communication network when a state of the network connection which poses a risk to the patient or to the correct functioning of the device is detected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
B Braun Medizinelektronik GmbH & Company KG
Original Assignee
B Braun Medizinelektronik GmbH & Company KG
Inventors
Steinkogler, Alexander, Lauer, Hans Martin, Preus, Niko
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US11/757,188
Publication Number

US 20080040788A1
Time in Patent Office

1,761 Days
Field of Search

None
US Class Current

726/16
CPC Class Codes

G16H 40/67   for remote operation

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/145   the attack involving the pr...

Apparatus and method for protecting a medical device and a patient treated with this device against harmful influences from a communication network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for protecting a medical device and a patient treated with this device against harmful influences from a communication network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links