Secure long-range telemetry for implantable medical device

US 8,706,251 B2
Filed: 12/18/2006
Issued: 04/22/2014
Est. Priority Date: 06/23/2003
Status: Active Grant

First Claim

Patent Images

1. A method for implementing communications between an implantable medical device (IMD) and an external device (ED) over a telemetry channel, comprising:

limiting data communications between the IMD and ED over a long range telemetry channel not requiring physical proximity to the IMD until a telemetry interlock has been released, wherein the telemetry interlock is released when the IMD receives an enable command via a short-range communications channel requiring physical proximity to the IMD;

authenticating the long range telemetry channel by transmitting a first encrypted communication from the IMD via the long range telemetry channel and receiving a second encrypted communication with the IMD via the long range telemetry channel, wherein the second message evidences that the sending device encrypted the second message using an expected encryption key; and

allowing data communications over the long range telemetry channel between the IMD and the ED but preventing programming of the IMD over the long range telemetry channel until the telemetry interlock is released and the long range telemetry channel is authenticated.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for enabling secure communications between an implantable medical device (IMD) and an external device (ED) over a telemetry channel. A telemetry interlock may be implemented which limits any communications between the ED and the IMD over the telemetry channel, where the telemetry interlock is released when the ED transmits an enable command to the IMD via a short-range communications channel requiring physical proximity to the IMD. As either an alternative or addition to the telemetry interlock, a data communications session between the IMD and ED over the telemetry channel may be allowed to occur only after the IMD and ED have been cryptographically authenticated to one other.

90 Citations

View as Search Results

20 Claims

1. A method for implementing communications between an implantable medical device (IMD) and an external device (ED) over a telemetry channel, comprising:
- limiting data communications between the IMD and ED over a long range telemetry channel not requiring physical proximity to the IMD until a telemetry interlock has been released, wherein the telemetry interlock is released when the IMD receives an enable command via a short-range communications channel requiring physical proximity to the IMD;
  
  authenticating the long range telemetry channel by transmitting a first encrypted communication from the IMD via the long range telemetry channel and receiving a second encrypted communication with the IMD via the long range telemetry channel, wherein the second message evidences that the sending device encrypted the second message using an expected encryption key; and
  
  allowing data communications over the long range telemetry channel between the IMD and the ED but preventing programming of the IMD over the long range telemetry channel until the telemetry interlock is released and the long range telemetry channel is authenticated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein, after a communications session over the telemetry channel ends, the telemetry interlock is re-activated to limit communications over the telemetry channel until the telemetry interlock is again released.
  - 3. The method of claim 1 wherein the release of the telemetry interlock times out after a specified time period at which point the telemetry interlock is re-activated.
  - 4. The method of claim 1 wherein the short-range communications channel is an inductive communications link between the IMD and another device in proximity to the IMD.
  - 5. The method of claim 4 wherein the IMD and the device in proximity to the IMD must exchange keys inductively before the telemetry interlock is released.
  - 6. The method of claim 1 wherein the short-range communications channel is a switch within the IMD which is actuated by a magnet held in close proximity to the IMD to thereby release the telemetry interlock.
  - 7. The method of claim 1 wherein the short-range communications channel is a capacitive communications link between the IMD and another device in proximity to the IMD.
  - 8. The method of claim 1 further comprising:
    - authenticating the ED to the IMD when the IMD receives the second message from the ED evidencing use of an encryption key expected to be possessed by the ED; and
      
      ,limiting communications between the IMD and the ED such that a programming session over the telemetry channel cannot be established unless the ED has been authenticated to the IMD.
  - 9. The method of claim 8 further comprising:
    - authenticating the IMD to the ED when the ED receives a message from the IMD evidencing use of an encryption key expected to be possessed by the IMD; and
      
      ,allowing a programming session between the IMD and ED over the telemetry channel to occur only after the IMD and ED have been authenticated to one other.
  - 10. The method of claim 9 wherein the ED and the IMD are authenticated to one another using public key cryptography by:
    - authenticating the IMD to the ED when the ED encrypts a first message with a public key having a corresponding private key expected to be possessed by the IMD, transmits the encrypted first message over the telemetry channel to the IMD, and receives in response a message from the IMD derived from the first message which thereby evidences possession of the corresponding private key by the IMD; and
      
      ,authenticating the ED to the IMD when the IMD encrypts a second message with a public key having a corresponding private key expected to be possessed by the ED, transmits the encrypted second message over the telemetry channel to the ED, and receives in response a message from the ED derived from the second message which thereby evidences possession of the corresponding private key by the ED.
  - 11. The method of claim 9 wherein the ED and the IMD are authenticated to one another using secret key cryptography by:
    - authenticating the IMD to the ED when the ED transmits a first message to the IMD over the telemetry channel and receives in response a message derived from the first message which is encrypted by a secret key expected to be possessed by the IMD;
      
      authenticating the ED to the IMD when the IMD transmits a second message to the ED over the telemetry channel and receives in response a message derived from the second message which is encrypted by a secret key expected to be possessed by the ED.

12. A system for implementing communications between an implantable medical device (IMD) and an external device (ED) over a telemetry channel, comprising:
- means for limiting data communications between the IMD and ED over a long range telemetry channel not requiring physical proximity to the IMD until a telemetry interlock has been released, wherein the telemetry interlock is released when the IMD receives an enable command via a short-range communications channel requiring physical proximity to the IMD;
  
  means for authenticating the long range telemetry channel by transmitting a first encrypted communication from the IMD via the long range telemetry channel and receiving a second encrypted communication with the IMD via the long range telemetry channel, wherein the second message evidences that the sending device encrypted the second message using an expected encryption key; and
  
  means for allowing data communications over the long range telemetry channel between the IMD and the ED but preventing programming of the IMD over the long range telemetry channel until the telemetry interlock is released and the long range telemetry channel is authenticated.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12 further comprising means for, after a communications session over the telemetry channel ends, re-activating the telemetry interlock to limit communications over the telemetry channel until the telemetry interlock is again released.
  - 14. The system of claim 12 further comprising means for timing out the telemetry interlock after a specified time period at which point the telemetry interlock is re-activated.
  - 15. The system of claim 12 wherein the short-range communications channel is an inductive communications link between the IMD and another device in proximity to the IMD.
  - 16. The system of claim 15 further comprising means for preventing release of the telemetry interlock unless the IMD and the device in proximity to the IMD exchange keys inductively.
  - 17. The system of claim 12 wherein the short-range communications channel is a switch within the IMD which is actuated by a magnet held in close proximity to the IMD to thereby release the telemetry interlock.
  - 18. The system of claim 12 wherein the short-range communications channel is a capacitive communications link between the IMD and another device in proximity to the IMD.
  - 19. The system of claim 12 further comprising:
    - means for authenticating the ED to the IMD when the IMD receives the second message from the ED evidencing use of an encryption key expected to be possessed by the ED; and
      
      ,means for limiting communications between the IMD and the ED such that a programming session over the telemetry channel cannot be established unless the ED has been authenticated to the IMD.
  - 20. The system of claim 19 further comprising:
    - means for authenticating the IMD to the ED when the ED receives a message from the IMD evidencing use of an encryption key expected to be possessed by the IMD; and
      
      ,means for allowing a programming session between the IMD and ED over the telemetry channel to occur only after the IMD and ED have been authenticated to one other.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cardiac Pacemakers
Original Assignee
Cardiac Pacemakers
Inventors
Von Arx, Jeffrey A., Koshiol, Allan T., Bange, Joseph E.
Primary Examiner(s)
Bertram, Eric D.

Application Number

US11/640,552
Publication Number

US 20070118188A1
Time in Patent Office

2,682 Days
Field of Search

607 59- 60
US Class Current

607/60
CPC Class Codes

A61B 5/0031   Implanted circuitry

A61N 1/37223   Circuits for electromagneti...

A61N 1/37254   Pacemaker or defibrillator ...

G16H 40/63   for local operation

G16H 40/67   for remote operation

H04L 2209/88   Medical equipments

H04L 9/0844   with user authentication or...

H04L 9/3271   using challenge-response

Y10S 128/903   Radio telemetry

Secure long-range telemetry for implantable medical device

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure long-range telemetry for implantable medical device

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links