Disclosure of Invention
The invention relates to a method for operating a medical instrument and to a medical instrument in the independent claims. Embodiments are given in the dependent claims.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as an apparatus, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a "circuit," "module," or "system." Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer-readable media having computer-executable code embodied therein.
Any combination of one or more computer-readable media may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A 'computer-readable storage medium' as used herein includes any tangible storage medium that can store instructions that are executable by a processor of a computing device. The computer-readable storage medium may be referred to as a computer-readable non-transitory storage medium. The computer readable storage medium may also be referred to as a tangible computer readable medium. In some embodiments, the computer-readable storage medium may also be capable of storing data that is accessible by a processor of the computing device. Examples of computer-readable storage media include, but are not limited to: a floppy disk, a magnetic hard drive, a solid state disk, flash memory, a USB thumb drive, Random Access Memory (RAM), Read Only Memory (ROM), an optical disk, a magneto-optical disk, and a register file for a processor. Examples of optical disks include Compact Disks (CDs) and Digital Versatile Disks (DVDs), such as CD-ROMs, CD-RWs, CD-R, DVD-ROMs, DVD-RWs, or DVD-R disks. The term computer-readable storage medium also refers to various types of recording media that can be accessed by a computer device via a network or a communication link. For example, the data may be retrieved through a modem, through the internet, or through a local area network. Computer executable code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, metal wire, fiber optic cable, RF, etc., or any appropriate combination of the foregoing.
A computer readable signal medium may include a propagated data signal with computer executable code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
'computer memory' or 'memory' is one example of a computer-readable storage medium. Computer memory is any memory that is directly accessible to the processor. 'computer storage' or 'storage' is another example of computer-readable storage media. Computer storage is any non-volatile computer-readable storage medium. In some embodiments, the computer storage may also be computer memory or vice versa.
A 'processor' as used herein includes an electronic component capable of executing a program or machine-executable instructions or computer-executable code. References to a computing device comprising a 'processor' should be interpreted as potentially containing more than one processor or processing core. The processor may be, for example, a multi-core processor. A processor may also refer to a collection of processors within a single computer system or distributed among multiple computer systems. The term computing device should also be interpreted to possibly refer to a collection or network of computing devices, each of which includes one or more processors. The computer executable code may be executed by multiple processors, which may be within the same computing device or even distributed across multiple computing devices.
The computer executable code may include machine executable instructions or programs that cause the processor to perform aspects of the present invention. Computer executable code for carrying out operations of aspects of the present invention may be written in any combination of one or more programming languages and compiled into machine executable instructions, the one or more programming languages comprising: an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. In some cases, the computer executable code may be in a high level language form or in a pre-compiled form and used in conjunction with an interpreter that generates machine executable instructions on the fly.
The computer executable code may execute entirely on the user's computer, partly on the user's computer as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
Aspects of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block or portion of a block of the flowchart, illustration, and/or block diagrams, when applicable, can be implemented by computer program instructions in the form of computer-executable code. It will be further understood that combinations of blocks in the different flowcharts, illustrations, and/or block diagrams may be combined when not mutually exclusive. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
A 'user interface' as used herein is an interface that allows a user or operator to interact with a computer or computer system. The 'user interface' may also be referred to as a 'human interface device'. The user interface may provide information or data to and/or receive information or data from an operator. The user interface may enable input from an operator to be received by the computer and may provide output from the computer to the user. In other words, the user interface may allow an operator to control or manipulate the computer and the interface may allow the computer to indicate the effect of the operator's control or manipulation. The display of data or information on a display or graphical user interface is one example of providing information to an operator. The reception of data by means of a keyboard, mouse, trackball, touch pad, touch screen, pointing stick, tablet, joystick, game pad, webcam, headphones, gear lever, steering wheel, pedals, wired gloves, dance pad, remote control device and accelerometer are all examples of user interface means enabling the reception of information or data from an operator.
As used herein, a 'hardware interface' includes an interface that enables a processor of a computer system to interact with and/or control an external computing device and/or apparatus. The hardware interface may allow the processor to send control signals or instructions to an external computing device and/or apparatus. The hardware interface may also enable the processor to exchange data with external computing devices and/or apparatus. Examples of hardware interfaces include, but are not limited to: a universal serial bus, an IEEE 1394 port, a parallel port, an IEEE 1284 port, a serial port, an RS-232 port, an IEEE-488 port, a Bluetooth connection, a wireless local area network connection, an Ethernet connection, a control voltage interface, a MIDI interface, an analog input interface, and a digital input interface.
A 'display' or 'display device' as used herein includes an output device or user interface suitable for displaying images or data. The display may output visual, auditory, and/or tactile data. Examples of displays include, but are not limited to: computer monitors, television screens, touch screens, tactile electronic displays, braille screens, Cathode Ray Tubes (CRTs), memory tubes, bi-stable displays, electronic paper, vector displays, flat panel displays, vacuum fluorescent displays (VFDs), Light Emitting Diode (LED) displays, electroluminescent displays (ELDs), Plasma Display Panels (PDPs), Liquid Crystal Displays (LCDs), organic light emitting diode displays (OLEDs), projectors, and head mounted displays.
In one aspect, the invention relates to a method of operating a medical instrument. The medical instrument comprises a medical device and a control unit. The medical device is powered by a first battery. The control unit is powered by a second battery. The medical device includes an electronics portion and a subcutaneous portion. The subcutaneous portion may include such things as a cannula for attachment to a pump that pumps fluid into a subject. The subcutaneous portion may also include a sensor that may be inserted into the subject. The electronics portion includes a first processor and a first memory. The first memory includes a one-time password.
A one-time password is a password that may be used, or is expected to be used, once. The one-time password stored in the first memory is prevented from being reused after the Bluetooth encryption key is stored in the first memory, because the password-authenticated key agreement algorithm is disabled at that point. In this context, a one-time password means that the password can be used to pair the medical device only once. The term one-time thus describes how the password is used. The term "one-time password" may be considered equivalent to and/or interchangeable with the terms "single-use password" or "password" herein.
The first memory further includes an implementation of a password-authenticated key agreement algorithm.
The implementation of the password-authenticated key agreement algorithm may be in the form of machine-executable instructions for execution by the first processor.
The control unit includes a second processor and a second memory. The control unit includes a data entry interface. The second memory contains an implementation of the password-authenticated key agreement algorithm. The implementation of the password-authenticated key agreement algorithm in the second memory is in machine-executable form for execution by the second processor. The implementations of the password-authenticated key agreement algorithm in the first and second memories are complementary. In other words, the implementation in the first memory is a first part of the algorithm and the implementation in the second memory is a second part of the algorithm. The first and second parts work together to cause the first processor and the second processor to execute the password-authenticated key agreement algorithm with each other.
The medical device comprises a first Bluetooth communication module. The control unit further includes a second bluetooth communication module. The first bluetooth communication module and the second bluetooth communication module are operable to form a wireless communication channel between the medical device and the control unit.
The method includes the step of entering a one-time password into the data entry interface. This step may take different forms. For example, if the data entry interface is a keypad, the user may simply enter a one-time password into the data entry interface. In other examples, the data entry interface may be a variety of other types of interfaces or readers for receiving data. For example, the data entry interface may include an optical, acoustic, or radio frequency system for receiving a one-time password.
The method further includes the step of generating, by the medical device and the control unit, a Bluetooth encryption key from the one-time password by executing the password-authenticated key agreement algorithm, exchanging data across the wireless communication channel. The control unit initiates execution of the password-authenticated key agreement algorithm. The one-time password is used as the shared secret from which the password-authenticated key agreement algorithm generates the Bluetooth encryption key. Using the one-time password as the shared secret prevents so-called man-in-the-middle attacks.
The method further includes the step of storing the Bluetooth encryption key in the first memory. The method further includes the step of disabling the password-authenticated key agreement algorithm in the first memory after the Bluetooth encryption key is stored in the first memory. Once the password-authenticated key agreement algorithm has been executed once to generate the Bluetooth encryption key, the medical device is no longer able to execute it again. This prevents pairing of the medical device with any device other than the control unit. The method further includes the step of storing the Bluetooth encryption key in the second memory. The method further includes the step of establishing an encrypted Bluetooth communication channel using the first Bluetooth communication module and the second Bluetooth communication module. The encrypted Bluetooth communication channel is encrypted using the Bluetooth encryption key.
By using the one-time password as a shared secret, the password-authenticated key agreement algorithm may be used by the medical instrument and control unit to securely establish a bluetooth encryption key. The shared secret is shared outside of a wireless communication channel formed by the bluetooth communication module. This may greatly increase safety and reduce the risk that the medical instrument may be taken over or controlled by anything other than the control unit.
Because the medical device is prohibited from repeating the password-authenticated key agreement algorithm, pairing of the medical device and the control unit can occur only once. If the medical device and the control unit lose their connection, they can be re-paired (reconnected) using the stored Bluetooth encryption key.
In another embodiment, the password-authenticated key agreement algorithm is the J-PAKE algorithm. The J-PAKE algorithm may also be referred to herein as a password-authenticated key agreement algorithm. The J-PAKE algorithm or protocol is a type of password-authenticated key agreement protocol that enables two parties to establish private and authenticated communications based on their shared (low-entropy) password without the need for a public key infrastructure. The use of the J-PAKE algorithm provides increased security without a complex public key infrastructure and eliminates the possibility of man-in-the-middle attacks.
Some embodiments may provide improved security of the pairing between the medical device and the control unit. In particular, the combination of using the J-PAKE algorithm for pairing and then disabling the J-PAKE algorithm in the first memory causes the one-time password to function for pairing only once, without using an external server or system for managing keys. The use of the J-PAKE algorithm also prevents any kind of man-in-the-middle attack.
In another embodiment, the subcutaneous portion includes a glucose sensor (130). The medical device includes a continuous glucose monitoring system (126, 130). The method includes the step of recording a glucose measurement using a continuous glucose monitoring system. The method further comprises the step of communicating the glucose measurement to the control unit using the encrypted bluetooth communication channel.
In another embodiment, the subcutaneous portion includes at least one cannula (124). The medical device includes a pumping system (122). The pumping system comprises any one of the following: an insulin pump for pumping insulin through the at least one cannula, a glucagon pump for pumping glucagon through the at least one cannula, and combinations thereof. The method further comprises the step of controlling the pumping system by the control unit via the encrypted bluetooth communication channel.
In another embodiment, the password-authenticated key agreement algorithm is the J-PAKE algorithm.
In another embodiment, disabling the password-authenticated key agreement algorithm in the first memory comprises preventing execution of the password-authenticated key agreement algorithm by the first processor after the Bluetooth encryption key has been stored in the first memory.
In some examples, this may be accomplished by first machine-executable instructions in the first memory containing a command that prevents execution of the password-authenticated key agreement algorithm after the Bluetooth encryption key is stored in the first memory. These first machine-executable instructions, or even the implementation of the password-authenticated key agreement algorithm itself, may be modified such that all or a portion of the password-authenticated key agreement algorithm in the first memory is deleted or overwritten. This would make it impossible to cause the medical device to go through the Bluetooth pairing process a second time, even if the device is hacked.
In another embodiment, disabling the J-PAKE algorithm in the first memory includes preventing execution of the J-PAKE algorithm by the first processor after the Bluetooth encryption key has been stored in the first memory.
In some examples, this may be accomplished by first machine-executable instructions in the first memory containing a command that prevents execution of the J-PAKE algorithm after the Bluetooth encryption key is stored in the first memory. These first machine-executable instructions, or even the implementation of the J-PAKE algorithm itself, may be modified such that all or a portion of the J-PAKE algorithm in the first memory is deleted or overwritten. This would make it impossible to cause the medical device to go through the Bluetooth pairing process a second time, even if the device is hacked.
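The pairing procedure described above (entering the one-time password, running the password-authenticated key agreement over the wireless channel, storing the resulting Bluetooth key on both sides, then disabling the algorithm in the device's first memory) is shown below as an added, self-contained Python illustration. It is not code from the patent or from any product. It assumes a SPEKE-style Diffie-Hellman key agreement (SPEKE is one of the algorithms the description lists) over a deliberately tiny 12-bit safe prime so the arithmetic stays visible; a real device would use a standard 2048-bit MODP group or an elliptic-curve group and a vetted J-PAKE/SPEKE library. The "wireless channel" is just Python values handed between two objects, the device's first memory is modelled by attributes of the `Device` class, and the serial numbers, one-time passwords and message labels are constructed.

```python
# Added illustration of one-time PAKE pairing; not the patent's code.
# Toy group: P is a 12-bit safe prime (P = 2*Q + 1). A product would use a
# standard 2048-bit MODP group or an EC group and a vetted PAKE library.
import hashlib
import hmac
import secrets

P = 2879                              # toy safe prime (constructed for the demo)
Q = (P - 1) // 2                      # 1439, prime: order of the DH subgroup
NBYTES = (P.bit_length() + 7) // 8    # byte width for encoding group elements


def otp_from_password_data(serial: str, printed_otp: str) -> bytes:
    """Password data (OTP plus device serial) -> shared secret. Hashing the
    pair binds the printed OTP to this one device, as the description allows."""
    return hashlib.sha256(f"{serial}|{printed_otp}".encode()).digest()


def password_generator(pw: bytes) -> int:
    """SPEKE: derive the DH generator from the password, squared so it lies in
    the prime-order subgroup. Without the password an eavesdropper cannot
    relate the exchanged public values to each other."""
    g = pow(int.from_bytes(hashlib.sha256(pw).digest(), "big") % P, 2, P)
    if g in (0, 1):                   # degenerate generator: abort the run
        raise ValueError("degenerate generator")
    return g


def check_group_element(x: int) -> None:
    """Reject peer values outside the prime-order subgroup (identity, P-1,
    small-subgroup confinement attempts)."""
    if not 1 < x < P - 1 or pow(x, Q, P) != 1:
        raise ValueError("invalid public value")


def derive_key(shared: int, initiator_pub: int, responder_pub: int) -> bytes:
    """Bluetooth link key = H(shared secret || transcript of both public values)."""
    transcript = initiator_pub.to_bytes(NBYTES, "big") + responder_pub.to_bytes(NBYTES, "big")
    return hashlib.sha256(shared.to_bytes(NBYTES, "big") + transcript).digest()


def confirm_tag(key: bytes, role: bytes) -> bytes:
    """Explicit key confirmation: proves the sender derived the same key."""
    return hmac.new(key, b"confirm:" + role, hashlib.sha256).digest()


class Controller:
    """Control unit (phone/tablet): takes the OTP from its data entry interface
    and initiates the key agreement. link_key models the second memory."""

    def __init__(self):
        self._otp = self._a = self._pub = None
        self.link_key = None

    def enter_password(self, serial: str, typed_otp: str) -> None:
        self._otp = otp_from_password_data(serial, typed_otp)

    def pake_start(self) -> int:
        self._a = secrets.randbelow(Q - 1) + 1          # exponent in [1, Q-1]
        self._pub = pow(password_generator(self._otp), self._a, P)
        return self._pub

    def pake_finish(self, peer_pub: int, peer_tag: bytes) -> bytes:
        check_group_element(peer_pub)
        key = derive_key(pow(peer_pub, self._a, P), self._pub, peer_pub)
        if not hmac.compare_digest(peer_tag, confirm_tag(key, b"device")):
            raise ValueError("key confirmation failed: wrong password or tampering")
        self.link_key, self._otp, self._a = key, None, None
        return confirm_tag(key, b"controller")


class Device:
    """Body-worn device: the first memory holds the OTP and the algorithm,
    which may run to completion exactly once."""

    def __init__(self, serial: str, printed_otp: str):
        self._otp = otp_from_password_data(serial, printed_otp)   # first memory
        self._pake_enabled = True
        self._pending = None
        self.link_key = None

    def pake_respond(self, peer_pub: int):
        if not self._pake_enabled:
            raise PermissionError("pairing refused: key agreement already consumed")
        check_group_element(peer_pub)
        b = secrets.randbelow(Q - 1) + 1
        mine = pow(password_generator(self._otp), b, P)
        self._pending = derive_key(pow(peer_pub, b, P), peer_pub, mine)
        return mine, confirm_tag(self._pending, b"device")

    def pake_confirm(self, peer_tag: bytes) -> None:
        key, self._pending = self._pending, None
        if key is None or not hmac.compare_digest(peer_tag, confirm_tag(key, b"controller")):
            raise ValueError("key confirmation failed")
        self.link_key = key               # store the Bluetooth key, then
        self._otp = None                  # disable the algorithm: wipe the
        self._pake_enabled = False        # password and refuse further runs


def pair(device: Device, controller: Controller) -> bool:
    """The messages of the pairing exchange over the (toy) wireless channel."""
    a_pub = controller.pake_start()
    b_pub, dev_tag = device.pake_respond(a_pub)
    ctrl_tag = controller.pake_finish(b_pub, dev_tag)
    device.pake_confirm(ctrl_tag)
    return device.link_key == controller.link_key


def try_pair(device: Device, controller: Controller):
    """True on success; otherwise the exception class explaining the refusal."""
    try:
        return pair(device, controller)
    except (PermissionError, ValueError) as exc:
        return type(exc)


def reconnect(device: Device, controller: Controller) -> bool:
    """After a dropped link both sides derive a session key from the stored
    Bluetooth key and fresh nonces; the key agreement never runs again."""
    nonces = secrets.token_bytes(8) + secrets.token_bytes(8)
    k_dev = hmac.new(device.link_key, b"session" + nonces, hashlib.sha256).digest()
    k_ctrl = hmac.new(controller.link_key, b"session" + nonces, hashlib.sha256).digest()
    return hmac.compare_digest(k_dev, k_ctrl)
```

Two behaviours worth noticing when running it: a controller that was given the wrong one-time password fails key confirmation and the device never stores a key, so the one-time password is not consumed by a mistyped entry; and once a pairing has succeeded, any later `pake_respond` call is refused outright, while `reconnect` still works from the stored key. Only the combination of the two gives the property the description claims: the password can pair the device once, and nothing else can pair it afterwards.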
In another embodiment, the password-authenticated key agreement algorithm is an EKE algorithm.
In another embodiment, the password-authenticated key agreement algorithm is a PPK algorithm.
In another embodiment, the password-authenticated key agreement algorithm is a SPEKE algorithm.
In another embodiment, the password-authenticated key agreement algorithm is a Dragonfly algorithm.
In another embodiment, the password-authenticated key agreement algorithm conforms to IEEE Standard 802.11-2012.
In another embodiment, the electronic system has an exterior surface. The medical device may also be referred to herein as an electronic system. The exterior surface includes indicia carrying password data. The password data describes a one-time password. In some cases, the password data may be the same as the one-time password. In other examples, the password data may include data that may be converted into a one-time password. For example, the password data may be passed through a hash function to obtain the appropriate password. The password data may also be a machine-readable code that may be converted into a password. In another example, the password data further includes a serial number of the medical device. In some cases, the one-time password and the serial number are both in the password data. In some cases, the one-time password is, or includes, a serial number of the medical device.
In another embodiment, the data entry interface includes a keypad. The method further comprises the step of entering a one-time password and/or password data using the keypad. For example, if the control unit has a touch screen, the method may comprise displaying a keypad on the touch screen such that the step of entering the one-time password using the touch screen may be accomplished.
In another embodiment, the medical instrument further comprises a print containing a one-time password. The print may be, for example, a piece of paper included with the medical device that contains such things as a one-time password and/or a serial number of the medical device.
In another embodiment, the indicia is machine readable. The data entry interface is an optical indicia reader configured to read the password data. The optical indicia reader may take different forms depending on the type of indicia. In some cases, the optical indicia reader is a camera. In other cases, such things as laser scanners may be used. The step of entering the one-time password into the data entry interface includes reading the password data with the optical indicia reader. The step of entering the one-time password into the data entry interface further comprises converting the password data into the one-time password. For example, if the indicia contains a one-time password and a serial number, this step may include extracting the one-time password from the information or data read by the optical reader.
In another embodiment, the password data is encoded as a bar code and the optical indicia reader is a bar code reader.
In another embodiment, the password data is encoded as an EAN code and the optical indicia reader is an EAN code reader.
In another embodiment, the password data is encoded as a two-dimensional optical code and the optical indicia reader is a two-dimensional optical code reader.
In another embodiment, the password data is encoded as a QR code and the optical indicia reader is a QR code reader.
In another embodiment, the password data is encoded as a data matrix code and the optical indicia reader is a data matrix code reader.
In the above examples, the bar code reader, EAN code reader, two-dimensional optical code reader, QR code reader, and data matrix code reader may be implemented as a camera with appropriate software for analyzing the pictures taken by the camera.
In another embodiment, the optical indicia reader is a digital camera.
In another embodiment, the electronic portion includes an optical indicator. The optical indicator may be a blinking light or light emitting diode in one example. The data entry interface includes an optical detector. The optical detector may for example be a digital camera or it may be another detector for detecting a signal from the optical indicator. In some examples, the optical indicator and optical detector will be operable to operate in the infrared or ultraviolet range. The step of entering the one-time password into the data entry interface includes transmitting the one-time password using the optical indicator. The step of entering the one-time password into the data entry interface further comprises receiving the one-time password using an optical detector.
In another embodiment, the electronic portion includes an audio signal generator. The audio signal generator may be, for example, a speaker, a piezoelectric transducer, or another transducer for generating audible sound. The data entry interface includes an audio signal detector. The audio signal detector may be a microphone, for example. The step of entering the one-time password into the data entry interface includes transmitting the one-time password using the audio signal generator. The step of entering the one-time password into the data entry interface further comprises receiving the one-time password using the audio signal detector.
For example, the audio signal generator may use one or more tones to transmit data. A single frequency of about 3 kHz may be useful; in this case, amplitude modulation of the audio signal may be used to carry the data. If a second frequency or multiple frequencies are used, one of these frequencies may serve as a clock signal. This may enable a more rapid transfer of data.
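The single-tone, amplitude-keyed transfer just described is worked through below as an added Python illustration (not code from the patent or from any product). It assumes on-off keying of a 3 kHz tone at a 48 kHz sample rate with a 10 ms bit period, a one-byte preamble used by the receiver to calibrate its decision threshold, and a constructed channel impairment (a steady 5 kHz interferer plus Gaussian noise) standing in for a real room; the framing, bit rate and noise levels are all assumptions, and the one-time password bytes in the usage are constructed.

```python
# Added illustration: acoustic out-of-band transfer of a one-time password by
# on-off keying of a single tone. Framing and channel model are constructed.
import math
import random

SAMPLE_RATE = 48_000
TONE_HZ = 3_000            # "about 3 kHz": exactly 30 cycles per bit window
BIT_SAMPLES = 480          # 10 ms per bit -> 100 bit/s, plenty for a short OTP
PREAMBLE = b"\xa5"         # 10100101: both symbols present, sets the threshold


def bits_of(data: bytes):
    """Most-significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def transmit(otp: bytes) -> list:
    """Speaker side: tone present for a 1 bit, silence for a 0 bit."""
    samples = []
    for bit in bits_of(PREAMBLE + otp):
        for n in range(BIT_SAMPLES):
            samples.append(bit * math.sin(2 * math.pi * TONE_HZ * n / SAMPLE_RATE))
    return samples


def noisy_channel(samples: list, seed: int = 7) -> list:
    """Constructed impairment: a steady 5 kHz interferer plus Gaussian noise."""
    rng = random.Random(seed)
    return [x + 0.5 * math.sin(2 * math.pi * 5_000 * n / SAMPLE_RATE) + rng.gauss(0, 0.3)
            for n, x in enumerate(samples)]


def tone_magnitude(window: list) -> float:
    """Correlate one bit window against the 3 kHz tone (I/Q projection). With
    an integer number of cycles per window, other tones project to ~0, so the
    5 kHz interferer is rejected without an explicit filter."""
    i = q = 0.0
    for n, x in enumerate(window):
        phase = 2 * math.pi * TONE_HZ * n / SAMPLE_RATE
        i += x * math.cos(phase)
        q += x * math.sin(phase)
    return math.hypot(i, q) / len(window)      # 0.5 for a clean full-scale tone


def receive(samples: list, otp_len: int) -> bytes:
    """Microphone side: slice into bit windows, threshold, reassemble bytes.
    Assumes the receiver is already aligned to the first bit window."""
    n_bytes = len(PREAMBLE) + otp_len
    mags = [tone_magnitude(samples[k * BIT_SAMPLES:(k + 1) * BIT_SAMPLES])
            for k in range(n_bytes * 8)]
    pre = mags[:8 * len(PREAMBLE)]
    threshold = (max(pre) + min(pre)) / 2      # calibrated on the known preamble
    bits = [1 if m > threshold else 0 for m in mags]
    out = bytearray()
    for k in range(n_bytes):
        byte = 0
        for b in bits[k * 8:(k + 1) * 8]:
            byte = (byte << 1) | b
        out.append(byte)
    if bytes(out[:len(PREAMBLE)]) != PREAMBLE:
        raise ValueError("preamble not found: bad sync or too much noise")
    return bytes(out[len(PREAMBLE):])


if __name__ == "__main__":
    otp = b"482913"                            # constructed one-time password
    print(receive(noisy_channel(transmit(otp)), len(otp)))
```

The receiver decides each bit from the energy at the data tone only, which is why a constant interferer at another frequency does not disturb it; what it does not handle is timing recovery, which is where the description's optional second frequency used as a clock would come in.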
In another embodiment, the medical device has a switch that causes the medical device to initiate transmission of the one-time password.
In another embodiment, the electronic portion includes a first RFID module. The data entry interface is a second RFID module. The step of entering the one-time password into the data entry interface includes exchanging the one-time password using the first RFID module and the second RFID module. The use of RFID modules may be useful because RFID has a shorter range than bluetooth. Moreover, the use of two different communication protocols may reduce the chances of one-time passwords being stolen and bypassing the method.
In another embodiment, the first RFID module is controlled by the first processor.
In another embodiment, the first RFID module is an RFID tag. For example, the RFID tag may be mounted inside the medical device or on an external surface of the medical device. In some cases, the RFID tag may also incorporate machine-readable indicia. The RFID tag includes an RFID tag memory and the RFID tag memory contains a one-time password. In this case, both the first memory and the RFID tag memory contain a one-time password. The use of an RFID tag attached to a medical instrument may be useful because a user may remove and/or destroy the RFID tag, for example, after using the RFID tag.
In another embodiment, the electronic portion comprises a first NFC module. The data entry interface is a second NFC module. Entering the password data into the data entry interface comprises exchanging the password data using the first NFC module and the second NFC module.
In another embodiment, the medical device comprises an insulin pump.
In another embodiment, the medical device comprises a glucagon pump.
In another embodiment, the medical device includes a continuous glucose monitoring system.
In another embodiment, the control unit is a mobile phone device or a tablet computer.
In another embodiment, the one-time password has a lower entropy than the bluetooth encryption key.
In another embodiment, the step of entering the one-time password into the data entry interface comprises: inputting password data into a data input interface, wherein the password data describes a one-time password; and converting the password data into a one-time password.
In another aspect, the invention provides a medical instrument. The medical instrument comprises a medical device and a control unit. The medical device is powered by a first battery. The control unit is powered by a second battery. The medical device includes an electronics portion and a subcutaneous portion. The electronics portion includes a first processor and a first memory. The first memory contains a one-time password. The first memory further contains an implementation of a password-authenticated key agreement algorithm. The first memory further contains first machine-executable instructions. The control unit includes a second processor and a second memory. The control unit includes a data entry interface.
The second memory contains an implementation of the password-authenticated key agreement algorithm. The second memory further contains second machine-executable instructions. The medical device comprises a first Bluetooth communication module. The control unit further includes a second Bluetooth communication module. The first Bluetooth communication module and the second Bluetooth communication module are operable to form a wireless communication channel between the medical device and the control unit. Execution of the second machine-executable instructions causes the second processor to receive the one-time password via the data entry interface.
In some examples, execution of the first machine-executable instructions may cause the first processor to transmit the one-time password to the data entry interface, for example when the medical device transmits the one-time password via sound, light, an image, or radio waves. Execution of the second machine-executable instructions and the first machine-executable instructions causes the first processor and the second processor to generate, by the medical device and the control unit, a Bluetooth encryption key from the one-time password by executing the password-authenticated key agreement algorithm, exchanging data across the wireless communication channel.
The control unit initiates execution of the password-authenticated key agreement algorithm. Execution of the first machine-executable instructions causes the first processor to store the Bluetooth encryption key in the first memory. Execution of the first machine-executable instructions further causes the first processor to disable the password-authenticated key agreement algorithm in the first memory after storing the Bluetooth encryption key in the first memory. Execution of the second machine-executable instructions further causes the second processor to store the Bluetooth encryption key in the second memory. Execution of the second machine-executable instructions and the first machine-executable instructions causes the first processor and the second processor to establish an encrypted Bluetooth communication channel using the first Bluetooth communication module and the second Bluetooth communication module. The encrypted Bluetooth communication channel is encrypted using the Bluetooth encryption key.
It is to be understood that one or more of the foregoing embodiments of the invention may be combined, as long as the combined embodiments are not mutually exclusive.
Detailed Description
Elements similarly encoded in the figures are equivalent elements or perform the same function. Elements that have been previously discussed will not necessarily be discussed in later figures if they are functionally equivalent.
Fig. 1 shows one example of a medical instrument 100. The medical instrument comprises a control unit 102 and a medical device 104. The medical device 104 is shown in a cradle 106, the cradle 106 having an adhesive layer 108 attaching it to an outer surface 110 of a subject 112. The view of the subject 112 is cross-sectional. The outer surface 110 is shown in contact with a dermis or skin layer 114. The dermal layer is in contact with adipose tissue 116. The medical device 104 is shown having an electronics portion 118 and a subcutaneous portion 120. The subcutaneous portion includes a cannula 124 and a sensor 130 attached to a sensor lead 128. In this example, the electronics portion 118 includes a pump 122 connected to the cannula 124, which extends into the adipose tissue 116. For example, the pump 122 may be used to dispense insulin and/or glucagon. In some cases, there may be more than one pump so that both insulin and glucagon can be dispensed. The electronics portion 118 is further shown as having a sensor controller 126 connected to the sensor lead 128 extending into the subject 112. The sensor 130 may be, for example, a glucose sensor for a continuous glucose monitoring system.
The electronics portion 118 is additionally shown to include a first processor 132, a first bluetooth communication module 134, and a first battery 136. Not all components of the control unit 102 and the medical device 104 are shown in fig. 1.
The control unit 102 is shown with a touch screen 138. A touch pad 140 is implemented on the touch screen 138. For example, the touch pad 140 may be used to enter a one-time password. The touch screen 138 may also have other elements, such as a box or display element 142 for showing the data being entered. Not all components of the control unit 102 are shown in this figure. The control unit 102 is shown as further comprising a second processor 144 powered by a second battery 148. The control unit 102 further comprises a second bluetooth communication module 150, which is used to form a wireless communication channel 152 between the control unit 102 and the medical device 104. The control unit 102 may then transmit and receive data via the wireless communication channel 152 in order to control and/or monitor the operation of the medical device 104.
Fig. 2 shows another example of a medical instrument 200. The medical device has an exterior surface 202 to which a machine-readable indicia 204 is attached. The machine-readable indicia 204 may encode cryptographic data that is the one-time password itself or from which the one-time password can be derived. In this example, the electronics portion 118 is further shown as including a first memory 206 and a hardware interface 208. The hardware interface 208 enables the processor 132 to control the operation and function of the components of the medical device. Not all components are shown in fig. 2.
The first memory 206 is shown having a one-time password 210 stored therein. The first memory 206 is shown as further containing a password-authenticated key agreement algorithm 212. The first memory 206 is further shown to contain a control module 214 that provides code enabling the processor 132 to control the operation and function of the overall medical device. The first memory 206 is further shown as containing a data log 216. The data log contains data that may be generated or stored when the processor 132 executes the control module 214; for example, the actuation history of the pump 122 or the measurements of the sensor 130 may be stored in the log. The first memory 206 is further shown as containing a bluetooth encryption key 218, which is derived when the password-authenticated key agreement algorithm 212 is executed. The first memory 206 is further shown as containing instructions 220 received from the control unit via the wireless communication channel 152.
In this particular example, the control unit 102 is shown as further comprising a camera 221 and a second memory 223. The camera 221 is positioned such that it can take an image of the machine-readable indicia 204. The second memory 223 is shown as containing an operating system 222 for the control unit 102. For example, the operating system 222 may be android, iOS, LINUX, or another operating system. The second memory 223 is further shown as containing a control application 224 that enables the processor 144 to control the medical device 104 via the wireless communication channel 152. The camera 221 may be used to capture an image of the machine-readable indicia 204; the second memory 223 is shown as containing this image, identified here as password data 226. The second memory 223 is shown as further containing a cryptographic conversion module 228 that enables the processor 144 to decode the password data or image 226 into the one-time password 210. The second memory 223 is further shown as containing an implementation of the password-authenticated key agreement algorithm 212'. The machine-executable instructions 212 and 212' enable the control unit 102 and the medical device 104 to generate the bluetooth encryption key 218 using the one-time password 210 as the shared secret. The features of fig. 1 and fig. 2 may be combined. In the example shown in fig. 2, once the camera 221 has taken an image of the machine-readable indicia 204, this may trigger execution of the password-authenticated key agreement algorithm.
Fig. 3 shows a flowchart illustrating one example of a method of operating the medical instrument. First, in step 300, a one-time password 210 is entered into the data entry interface 140. This step may also be performed using the camera 221 or by the other means shown in later figures. Next, in step 302, the bluetooth encryption key 218 is generated by the medical device 104 and the control unit 102 by exchanging data across the wireless communication channel 152. This is accomplished by executing the password-authenticated key agreement algorithm 212, 212', with the control unit 102 initiating its execution.
Next, in step 304, the bluetooth encryption key 218 is stored in the first memory 206. In step 306, the password-authenticated key agreement algorithm 212 is disabled after the bluetooth encryption key 218 has been stored in the first memory 206, so that the pairing cannot be re-run on the medical device once a key exists. Next, in step 308, the bluetooth encryption key 218 is stored in the second memory 223. Finally, in step 310, the encrypted bluetooth communication channel 152 is established using the first bluetooth communication module 134 and the second bluetooth communication module 150. The encrypted bluetooth communication channel is the wireless communication channel 152 encrypted using the bluetooth encryption key 218.
Fig. 4 shows another example of a medical device 400. In this example, instead of the indicia 204, there is a lamp 402 that is visible at the exterior surface 202. The first memory 206 contains password data 226; in this case, the password data 226 is the one-time password 210 encoded as a sequence of pulses for the lamp 402. The processor 132 controls the lamp 402 to flash in accordance with the password data 226. The camera 221 records these pulses and stores them as password data 226. Other types of optical detector may be substituted for the camera 221.
Fig. 5 shows another example of a medical device 500. The example shown in fig. 5 is similar to the example in fig. 4, except that the lamp has been replaced with a transducer 502 and the camera 221 has been replaced with a microphone 504. The transducer 502 is capable of transmitting sound waves 506 to the microphone 504. In this example, the password data 226 is encoded as sound that is transmitted from the transducer 502 to the microphone 504 via the sound waves 506, where it is recorded and stored as password data 226. The recording of the password data 226 by the microphone 504 may trigger the processor 144 to initiate the password-authenticated key agreement algorithm 212'.
Fig. 6 shows another example of a medical device 600. In this example, the medical device 104 includes a first RFID module 602 and the control unit 102 includes a second RFID module 604. The two RFID modules 602 and 604 can form an RFID communication channel 606, which is used to transfer the password data 226, or even the one-time password 210 itself, directly via the RFID communication channel 606.
Fig. 7 shows another example of a medical device 700. The example shown in fig. 7 is similar to the example in fig. 6, except that the first RFID module 602 controlled by the processor 132 is replaced by an RFID tag 602'. The RFID tag 602' has its own memory, which stores the one-time password or password data 226 separately from the first memory 206. The second RFID module 604 functions as an RFID reader for the RFID tag 602'.
A standardized communication protocol like bluetooth allows devices to communicate with each other. For security reasons it must be possible to identify specific devices and thus to control which devices are allowed to connect to a given bluetooth device. Unfortunately, the standard bluetooth pairing protocols, such as secure simple pairing in bluetooth version 4.0, are not effectively protected against man-in-the-middle (MITM) attacks, and the pairing modes that do offer protection require each device to have an input means such as a display and/or a numeric keypad. Pairing is therefore not protected against MITM attacks when one or both devices lack an input means, as is the case with a patch pump, i.e. an insulin pump attached to the skin of a subject.
Some examples combine a password-authenticated key agreement protocol, such as J-PAKE, with a standard bluetooth low energy (BLE) stack into which the key produced by the protocol is loaded. In J-PAKE, each of the two devices generates its own random number, and a shared key is derived from both random numbers together with the password, in this case the one-time password. The password may, for example, be printed on the medical device (e.g. as a bar code, 2D code, or dot-matrix code) and read with a camera integrated in the remote control. The resulting key is then passed into the BLE stack and allows secure pairing between the two devices. Other password-authenticated protocols may be used instead of J-PAKE, and J-PAKE may, for example, be implemented using elliptic curves.
Fig. 8 illustrates how the standard J-PAKE algorithm 212, 212' may be combined with a standard bluetooth implementation 800. The bluetooth communication module 804 establishes the initial connection 152, over which the J-PAKE algorithm 212, 212' exchanges its messages with the medical device 104. The J-PAKE algorithm 212, 212' then supplies the shared secret it derives from the one-time password 210 to the bluetooth security manager 802, which uses it as the key for the encrypted channel.
Fig. 9 shows a flow chart illustrating one example of the integration of the J-PAKE algorithm 212, 212' with the bluetooth algorithm 901. First, in step 900, the medical device stores its random number. Next, in step 902, the control unit starts the key establishment by sending a message to the medical device 104. In step 904, the control unit 102 generates its random number. Next, in step 906, the control unit 102 transmits its random number to the medical device 104. In step 908, the medical device sends its random number to the control unit 102. In step 910, the medical device 104 calculates the bluetooth encryption key, and in step 912 the control unit 102 calculates the same bluetooth encryption key. The password-authenticated key agreement algorithm 212, 212' then passes the bluetooth encryption key on to the standard bluetooth algorithm: in step 914, the medical device sends the bluetooth encryption key to its bluetooth security manager, and in step 915 the control unit 102 sends the value it calculated for the bluetooth encryption key to its bluetooth security manager. Next, in step 916, the control unit 102 starts bluetooth encryption. In step 918, the medical device 104 transmits the parameters for encryption, and finally, in step 920, the control unit 102 sends an encrypted confirmation message to the medical device 104. At this point, an encrypted bluetooth communication channel has been established.
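The following is an added worked example of the exchange described for fig. 3, fig. 8 and fig. 9, written for this page; it is not code from the patent and does not talk to a real BLE stack. Both parties start from the same one-time password, run the two rounds of J-PAKE (random exponents, Schnorr proofs, key derivation), add a key-confirmation tag (the encrypted confirmation of step 920) and discard the password material once the key exists (step 306). The group is the 1024-bit MODP group of RFC 2409 with g = 2 of prime order q = (p-1)/2; the hard-coded prime is sanity-checked at load time. Party names, the "jpake-password" hash label and the key-confirmation format are assumptions for the example; a production implementation would use the elliptic-curve variant of J-PAKE (RFC 8236) or at least a 2048-bit group.

```python
"""J-PAKE pairing between a medical device and a control unit (added example,
not the patent's code). Both sides derive the same key from a shared one-time
password; that key is what would be handed to the BLE security manager.
Group: 1024-bit MODP group of RFC 2409, g = 2, prime order Q = (P-1)/2."""
import hashlib
import hmac
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2
# Never trust hard-coded group parameters blindly: Fermat tests on P and Q,
# and G must lie in the subgroup of order Q.
assert pow(2, P - 1, P) == 1 and pow(3, Q - 1, Q) == 1 and pow(G, Q, P) == 1


def _to_bytes(x):
    if isinstance(x, str):
        return x.encode()
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


def _hash_to_exp(*parts):
    """Length-prefixed SHA-256 over all parts, reduced mod Q (Fiat-Shamir)."""
    h = hashlib.sha256()
    for part in parts:
        b = _to_bytes(part)
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q


def schnorr_prove(gen, x, pub, signer_id):
    """Non-interactive Schnorr proof of knowledge of x with pub == gen^x mod P."""
    v = secrets.randbelow(Q)
    commit = pow(gen, v, P)
    c = _hash_to_exp(gen, commit, pub, signer_id)
    return commit, (v - x * c) % Q


def schnorr_verify(gen, pub, proof, signer_id):
    commit, r = proof
    if not 1 < pub < P or pow(pub, Q, P) != 1:  # reject 1 and small-subgroup values
        return False
    c = _hash_to_exp(gen, commit, pub, signer_id)
    return pow(gen, r, P) * pow(pub, c, P) % P == commit


class JPakeParty:
    """One side of the exchange; the same class serves device and control unit."""

    def __init__(self, party_id, password):
        self.id = party_id
        self.s = _hash_to_exp("jpake-password", password)  # password as exponent (assumed label)
        if self.s == 0:
            raise ValueError("password maps to 0 mod Q")
        self.x1 = 1 + secrets.randbelow(Q - 1)  # the device's random number (steps 900/904)
        self.x2 = 1 + secrets.randbelow(Q - 1)  # must be non-zero

    def round1(self):
        self.gx1, self.gx2 = pow(G, self.x1, P), pow(G, self.x2, P)
        return (self.gx1, schnorr_prove(G, self.x1, self.gx1, self.id),
                self.gx2, schnorr_prove(G, self.x2, self.gx2, self.id))

    def round2(self, peer_id, msg):
        gx3, proof3, gx4, proof4 = msg
        if peer_id == self.id:
            raise ValueError("reflection attack: peer id equals own id")
        if not (schnorr_verify(G, gx3, proof3, peer_id)
                and schnorr_verify(G, gx4, proof4, peer_id)):
            raise ValueError("round-1 proof failed")
        self.gx3, self.gx4 = gx3, gx4
        gen_a = self.gx1 * gx3 % P * gx4 % P
        self.x2s = self.x2 * self.s % Q
        a = pow(gen_a, self.x2s, P)
        return a, schnorr_prove(gen_a, self.x2s, a, self.id)

    def derive_key(self, peer_id, msg):
        b, proof = msg
        gen_b = self.gx1 * self.gx2 % P * self.gx3 % P  # the peer's round-2 generator
        if not schnorr_verify(gen_b, b, proof, peer_id):
            raise ValueError("round-2 proof failed")
        # K = (B / gx4^(x2*s))^x2 = g^((x1+x3)*x2*x4*s), identical on both sides.
        k = pow(b * pow(self.gx4, Q - self.x2s, P) % P, self.x2, P)
        self.s = self.x2s = None  # step 306: drop the password material once the key exists
        return hashlib.sha256(_to_bytes(k)).digest()


def confirm_tag(key, sender_id, receiver_id):
    """Key-confirmation tag (assumed format): a wrong password is caught before use."""
    return hmac.new(key, f"KC:{sender_id}->{receiver_id}".encode(), "sha256").digest()


def pair(device_password, controller_password):
    """Run the full exchange in-process; returns (device_key, controller_key, confirmed)."""
    dev = JPakeParty("device", device_password)
    ctl = JPakeParty("control-unit", controller_password)
    m1_dev, m1_ctl = dev.round1(), ctl.round1()  # random numbers exchanged (906/908)
    m2_dev, m2_ctl = dev.round2(ctl.id, m1_ctl), ctl.round2(dev.id, m1_dev)
    k_dev, k_ctl = dev.derive_key(ctl.id, m2_ctl), ctl.derive_key(dev.id, m2_dev)  # 910/912
    tag_from_dev = confirm_tag(k_dev, dev.id, ctl.id)  # sent to the control unit (920)
    confirmed = hmac.compare_digest(tag_from_dev, confirm_tag(k_ctl, dev.id, ctl.id))
    return k_dev, k_ctl, confirmed
```

`pair("4711-2209", "4711-2209")` returns two identical 32-byte keys and `confirmed == True`; with a mismatched password the two keys differ and the confirmation fails, which is the property that makes an eavesdropper or MITM who does not know the printed one-time password unable to obtain the bluetooth encryption key. Each Schnorr proof is bound to the sender's identity, which is what defeats the reflection attack checked in `round2`.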
List of reference numerals.
100 medical instrument
102 control unit
104 medical device
106 cradle
108 adhesive layer
110 external surface
112 subject
114 dermis
116 adipose tissue
118 electronic part
120 subcutaneous part
122 pump
124 cannula
126 sensor controller
128 sensor lead
130 sensor
132 processor
134 first bluetooth communication module
136 first battery
138 touch screen
140 touch pad (data entry interface)
142 display element
144 second processor
148 second battery
150 second bluetooth communication module
152 wireless communication channel
200 medical instrument
202 outer surface
204 machine-readable indicia
206 first memory
208 hardware interface
210 one-time password
212 password-authenticated key agreement algorithm (medical device)
212' password-authenticated key agreement algorithm (control unit)
214 control module
216 data Log
218 bluetooth encryption key
220 instructions received from the control unit
221 Camera
222 operating system
223 second memory
224 control application
226 cryptographic data
228 cryptographic conversion module
300 input the one-time password into the data entry interface
302 generating a bluetooth encryption key with one-time password by a medical instrument and control unit by exchanging data across a wireless communication channel by performing a password-authenticated key agreement algorithm
304 storing the bluetooth encryption key in a first memory;
306 disabling the password-authenticated key agreement algorithm in the first memory after storing the bluetooth encryption key in the first memory;
308 store the bluetooth encryption key in a second memory
310 establish an encrypted bluetooth communication channel using a first bluetooth communication module and a second bluetooth communication module
400 medical device
402 lamp
500 medical device
502 transducer
504 microphone
506 sound wave
600 medical device
602 first RFID module
602' RFID tag
604 second RFID Module (RFID reader)
606 RFID communication channel
700 medical device
800 Bluetooth algorithm
802 bluetooth security manager
804 bluetooth communication module
806 antenna
900 store random numbers
901 Bluetooth algorithm
902 start encryption
904 generate random numbers
906 transmit random numbers
908 sends a random number
910 medical device calculates the bluetooth encryption key
912 control unit calculates the bluetooth encryption key
914 medical device sends the key to its BLE security manager
915 control unit sends the key to its BLE security manager
916 start BLE ciphering
918 sending parameters for encryption
920 confirms the encryption.