NL2028563B1 - implantable medical device and control device therefor - Google Patents

implantable medical device and control device therefor

Publication number
NL2028563B1
Authority
NL
Netherlands
Prior art keywords
data
message
communication channel
medical device
implantable medical
Prior art date
Application number
NL2028563A
Other languages
Dutch (nl)
Inventor
Ali Siddiqi Muhammad
Innocentius De Zeeuw Christiaan
Strydis Christos
Original Assignee
Univ Erasmus Med Ct Rotterdam
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Univ Erasmus Med Ct Rotterdam
Priority to NL2028563A
Priority to PCT/NL2022/050273 (WO2022245212A1)
Application granted
Publication of NL2028563B1


Abstract

In an implantable medical device, a method of communicating with a control device is provided. The method comprises receiving a first data message from the control device via a first physical communication channel, upon receiving the first message, activating a second physical communication channel different from the first physical communication channel and obtaining first authentication data of the control device, based on data provided in the first data message. The method further comprises receiving, via the second physical communication channel, a second message, verifying whether the second message originates from the control device, based on the obtained first authentication data and deactivating the second physical communication channel at the side of the implantable medical device if a result of the verifying is that the second message does not originate from the control device.

Description

P130344NL00 Title: implantable medical device and control device therefor
TECHNICAL FIELD
The various aspects and variations thereof relate to communication between an implantable medical device and a control device.
BACKGROUND
Implantable medical devices may be controlled by means of a control device. Such may be a dedicated device or a generally available device, like a smartphone. The communication may take place using radiofrequency communication or ultrasonic communication. As hacking of devices, causing the implantable medical device to demonstrate unwanted or dangerous behaviour or to drain a battery of the implantable medical device, is possible without the appropriate measures, security measures are provided.
SUMMARY
It is preferred to improve the currently available security measures. To that purpose, a first aspect provides, in an implantable medical device, a method of communicating with a control device. The method comprises receiving a first data message from the control device via a first physical communication channel, upon receiving the first message, activating a second physical communication channel different from the first physical communication channel and obtaining first authentication data of the control device, based on data provided in the first data message. The method further comprises receiving, via the second physical communication channel, a second message, verifying whether the second message originates from the control device, based on the obtained first authentication data and deactivating the second physical communication channel at the side of the implantable medical device if a result of the verifying is that the second message does not originate from the control device.
This method allows for secure coupling of the control device with the implantable medical device. A first connection is made using a first physical communication channel, for example ultrasound and via that connection, first security data is provided. The security data may be used to enable the control device to authenticate particular data sent to the implantable medical device. For the avoidance of doubt, to authenticate, within the context of this disclosure, is an equivalent of to certify, meaning to modify a message, by modifying data or by appending particular data, such that an origin of data may be verified, based on any action performed by an authentication step. Such action may be signing, encrypting, adding a certificate, other, or a combination thereof.
The data to be certified is certified and received by the implantable medical device. This enables the implantable medical device to verify that the message is received from the control device. This message, with the authenticated data to be verified, is sent via another physical communication channel. This allows for use of a further physical communication channel that may be, in physical nature, less secure as the range is wider, after more crucial and more basic security data has been exchanged over for example a physical communication channel that has a shorter range. The communication over the potentially less secure physical communication channel is at higher layers secured by, for example, cryptography, signing, certification, other means of authenticating data or a combination thereof. This allows for improved security and for flexibility of use of communication channels.
By shutting down the second physical communication channel upon any verification error, improved security is provided and any further energy consumption is prevented, reducing risks of battery depletion attacks on the implantable medical device.
The method may further comprise sending, upon receiving the first message, via the first physical communication channel, a third message to the control device, the third message comprising second authentication data, wherein the first authentication data is further based on the second authentication data. This may allow for symmetrical key generation, in which a generated key is based on data from the implantable medical device, as well as data from the control device.
The second authentication data may comprise at least one of a medical device identifier identifying the implantable medical device and random medical device data. By including the medical device identifier, fixed data related to the medical device may be used. Such data identifies the applicable device and the data is readily available. Use of random data reduces a risk of spoofing.
The first data message may comprise at least one of a control identifier identifying the control device and random control data and the first authentication data may further be based on at least one of the control identifier and the random control data. By including the medical device identifier, fixed data related to the medical device may be used. Such data identifies the applicable device and the data is readily available. Use of random data reduces a risk of spoofing.
Obtaining first authentication data may comprise generating, by the implantable medical device, a key based on data provided in the first data message. In such case, the key is comprised by the first authentication data. In this disclosure, a key may be a key as known in the narrow definition in encryption and signing, but also as any data in general to indicate authenticity of data or to certify a particular origin of data. An advantage is that such key may be used on a case by case communication, for example on a per-communication session basis.
The first physical communication channel may have a first signal attenuation factor in a gaseous medium and the second physical communication channel has a second signal attenuation factor in the gaseous medium, the first signal attenuation factor being higher than the second signal attenuation factor. This means that the first communications, with first security data, can only be done if the control device and the implantable medical device are very close together. If the implantable medical device is implanted, this may even require contact between the control device and the implantable medical device. This means that data for verifying the authentication over the second physical communication channel may only be transmitted while being noticed by a person in whom the implantable medical device is implanted, reducing a risk of hacking.
The first physical communication channel may be an ultrasonic communication channel and the second physical communication channel may be an electromagnetic communication channel. Firstly, such communication techniques are well known and have been proven. Second, such communication techniques may also transmit power from the control device to the implantable medical device. This may reduce a risk of depletion of a battery of the implantable medical device by continuously hailing the implantable medical device. The energy provided in the signal carrying the first message may be used for processing data in the implantable medical device.
A second aspect provides, in a control device arranged to control an implantable medical device, a method of communicating with the implantable medical device. The method comprises sending a first data message to the implantable medical device over a first physical communication channel, obtaining first authentication data based on data provided in the first data message, generating second data message, authenticating the second data message using the first authentication data and sending the authenticated second data message to the implantable medical device over a second physical communication channel, the second physical communication channel being different from the first physical communication channel.
By requiring the control device to use the first authentication data received over the first physical communication channel for communication on the second physical communication channel, security is improved, as two types of channels are required. Different physical communication channels are, in the context of this disclosure, to be understood as relying on different physical principles, like mechanical vibrations versus electromagnetic waves.
The method may further comprise receiving, from the implantable medical device, over the first physical communication channel, a third message, the third message comprising second authentication data, wherein the first authentication data may further be based on the second authentication data. In this case, security is further improved by requiring the control device to use also data from the implantable medical device for generating or otherwise obtaining the first authentication data.
The second authentication data may comprise at least one of a medical device identifier identifying the implantable medical device and random medical device data. Use of randomised data may reduce a risk of spoofing and the medical device identifier is readily available data.
The first data message may comprise at least one of a control identifier identifying the control device and random control data; and the first authentication data may further be based on at least one of the control identifier and the random control data. Use of randomised data may reduce a risk of spoofing and the medical device identifier is readily available data.
A third aspect provides an implantable medical device arranged for communicating with a control device. The implantable medical device comprises a first transceiver arranged to receive, via a first physical communication channel, a first message from a control device, a second transceiver arranged to receive, via a second physical communication channel, a second message and a processing unit. The processing unit is arranged to activate, upon receiving the first message, the second physical communication channel, by activating the second transceiver, obtain first authentication data of the control device, based on data provided in the first data message, verify whether the second message originates from the control device, based on the obtained first authentication data and deactivate the second physical communication channel at the side of the implantable medical device if a result of the verifying is that the second message does not originate from the control device.
A fourth aspect provides a control device arranged to control an implantable medical device. The control device comprises a first transceiver arranged to send, via a first physical communication channel, a first data message to the implantable medical device, a second transceiver arranged to send, via a second physical communication channel, a second data message to the implantable medical device, the second physical communication channel being different from the first physical communication channel and a processing unit. The processing unit is arranged to obtain first authentication data based on the first data message, generate the second data message, authenticate the second data message using the first authentication data and send the authenticated second data message to the implantable medical device by means of the second transceiver.
BRIEF DESCRIPTION OF THE DRAWINGS
The various aspects and variations thereof will now be elucidated in further detail in conjunction with drawings. In the drawings:
Figure 1 A: shows an implantable medical device;
Figure 1 B: shows a control device;
Figure 2 A: shows a first part of a flowchart; and
Figure 2 B: shows a second part of a flowchart.
DETAILED DESCRIPTION
Figure 1 A shows an implantable medical device 100. The implantable medical device 100 comprises a central processing unit 102, coupled to a memory module 104 as a data storage unit and to a communication processor 106. The memory module 104 may be volatile or non-volatile, magnetic, electronic, other, or a combination thereof. The memory module 104 is arranged to store data acquired by the implantable medical device 100, for example related to a body in which the implantable medical device 100 may be implanted.
Furthermore, the memory module 104 is arranged to store code readable and executable by the central processing unit 102, the communication processor 106 and other parts of the implantable medical device 100. With such code, the various parts of the implantable medical device 100 may be programmed to execute methods described above and below.
The central processing unit 102 is further coupled to a sensor module 108 and an actuator module 110. The sensor module 108 may be an electrical sensor, capable of measuring at least one of voltages, currents and electrical power, a magnetic sensor, a mechanic sensor capable of measuring motion, acceleration, force, stress, other or a combination thereof. The actuator module 110 may be an electrical, mechanical, magnetic or other type of sensor or combination thereof. For example, the actuator module 110 may provide electrical pulses - currents, voltages or both - to muscles of a body, like a heart.
As shown by Figure 1A, the communication processor 106 is programmed, either hardwired or softwired by means of code, to comprise a random number unit 122 arranged to generate random numbers, a key generation unit 124 arranged to generate a key, an authentication unit 126 arranged to authenticate data, using for example a key and a verification unit 128 to verify an authentication for particular data.
A key may be understood as any type of data object that may be used to authenticate data and to verify the authentication.
Authentication may be any type of process to generate a data object, in conjunction with a key, which generated data may be used to verify an origin of the data to be authenticated.
Authentication may be executed by means of signing, encrypting, hashing, compressing, other, or a combination thereof.
Verification of data may be executed using data identical or similar to data used for authentication or other data, to verify that the authentication to be verified matches with a verification data object, like a key.
The communication processor 106 is connected to an RF module 112 as an RF transceiver that is in turn connected to an antenna 114. The RF module 112 is arranged to modulate a radio frequency electromagnetic signal with data provided by the communication processor 106. Furthermore, the RF module is arranged to demodulate a radio frequency electromagnetic signal received by means of the antenna 114 to obtain data.
Radio frequency may be between 100 kHz and 10 GHz; preferably, standardised spectra for near-field radio frequency data communication are used.
The communication processor 106 is further connected to an acoustic driver 116 as an ultrasonic transceiver that is in turn connected to an ultrasonic transducer 118. The acoustic driver 116 is arranged to modulate an ultrasonic signal with data provided by the communication processor and provide the modulated signal to the ultrasonic transducer 108 for generating a modulated acoustic signal.
Furthermore, the acoustic driver 116 is arranged to demodulate an ultrasonic signal received by means of the ultrasonic transducer 118 to obtain data.
Ultrasonic sound may be defined as sound - mechanical vibrations - having a frequency of at least 20 kHz, in particular at least 500 MHz, at least 1 MHz or at least 2 MHz.
Figure 1 B shows a control device 150 arranged to control the implantable medical device 100. The control device 150 comprises a central processing unit 152, coupled to a memory module 154 as a data storage unit and to a communication processor 156. The memory module 154 may be volatile or non-volatile, magnetic, electronic, other, or a combination thereof. The memory module 154 is arranged to store data acquired by the implantable medical device 100, for example related to a body in which the implantable medical device 100 may be implanted.
Furthermore, the memory module 154 is arranged to store code readable and executable by the central processing unit 152, the communication processor 156 and other parts of the control device 150. With such code, the various parts of the control device 150 may be programmed to execute methods described above and below.
The central processing unit 152 is further coupled to an input module 158 and an output module 160. The input module 158 may be a keyboard, a touchscreen, a mouse, a data network connector, a microphone, a touchpad, other or a combination thereof. The output module 160 may be an electronic display screen, a touchscreen, a speaker, a data network connector, an array of light sources, other, or combination thereof.
As shown by Figure 1 B, the communication processor 156 is programmed, either hardwired or softwired by means of code, to comprise a random number unit 172 arranged to generate random numbers, a key generation unit 174 arranged to generate a key, an authentication unit 176 arranged to authenticate data, using for example a key and a verification unit 178 to verify an authentication for particular data. A key may be understood as any type of data object that may be used to authenticate data.
Authentication may be any type of process to generate a data object, in conjunction with a key. Authentication may be executed by means of signing, encrypting, hashing, compressing, other, or a combination thereof. Verification of data may be executed using data identical or similar to data used for authentication or other data, to verify that the authentication to be verified matches with a verification data object, like a key.
The communication processor 156 is connected to an RF module 162 as an RF transceiver that is in turn connected to an antenna 164. The RF module 162 is arranged to modulate a radio frequency electromagnetic signal with data provided by the communication processor 156. Furthermore, the RF module is arranged to demodulate a radio frequency electromagnetic signal received by means of the antenna 164 to obtain data. Radio frequency may be between 100 kHz and 10 GHz; preferably, standardised spectra for near-field radio frequency data communication are used.
The communication processor 156 is further connected to an acoustic driver 166 as an ultrasonic transceiver that is in turn connected to an ultrasonic transducer 168. The acoustic driver 166 is arranged to modulate an ultrasonic signal with data provided by the communication processor and provide the modulated signal to the ultrasonic transducer 158 for generating a modulated acoustic signal. Furthermore, the acoustic driver 166 is arranged to demodulate an ultrasonic signal received by means of the ultrasonic transducer 168 to obtain data. Ultrasonic sound may be defined as sound - mechanical vibrations - having a frequency of at least 20 kHz, in particular at least 500 MHz, at least 1 MHz or at least 2 MHz.
The various components of the two devices described above may be integrated in one or more semiconductor dies, provided with one or more discrete components, other, or a combination thereof. The various components may be powered by means of an internal or external battery.
The implantable medical device 100 may be controlled by means of the control device. A first flowchart 200 shown by Figure 2 A and a second flowchart 200' shown by Figure 2 B show a procedure for communication between the implantable medical device 100 and the control device 150.
Parts shown at the left may be executed by the control device 150 and parts on the right may be executed by the implantable medical device 100, unless indicated otherwise.
Below, a list is provided with brief summaries of the parts of the first flowchart 200 and the second flowchart 200'.
202 start procedure
204 create control nonce
206 create control message
208 send message to medical device over acoustic
210 receive message over acoustic
212 create IMD nonce
214 obtain long term key
216 create IMD message
218 send IMD message over acoustic
220 receive IMD message over acoustic
222 get key
224 get nonces and identifiers
226 generate short-term key
228 activate RF
230 generate message
232 authenticate message with short term key
234 send message over RF
236 receive message over RF
238 verify authentication of message
240 verified?
242 generate message
244 authenticate message with short term key
246 send message over RF
248 receive message over RF
250 verify authentication of message
252 verified?
254 communicate between devices
256 communication ended
258 sleep
260 generate nonce
262 send continuation message over RF
264 receive continuation message over RF
266 wake up
268 generate nonce
270 send continuation confirmation over RF
272 receive continuation confirmation over RF
274 generate short term key
276 generate message
278 authenticate message
280 send continuation verification
282 receive continuation verification
284 verify continuation verification
286 verified?
288 send continuation verification return
290 receive continuation verification return
292 verify continuation verification return
294 verified?
296 deactivate RF
298 end
The procedure starts in a terminator 202 and continues to step 204, in which the random number unit 172 of the control device 150 generates a control nonce as a random number.
In step 206, a control message is generated, comprising the nonce and an identifier of the control device 150. In step 208, the control message is sent by the control device 150 by means of the acoustic driver 166 and the ultrasonic transducer 168.
In step 210, the implantable medical device 100 receives the ultrasonic signal with the control message by means of the ultrasonic transducer 118 and the acoustic driver 116 of the implantable medical device 100. The demodulated data is provided to the communication processor 106 of the implantable medical device 100.
The energy in the signal received by means of the ultrasonic transducer 118 and the acoustic driver 116 may be stored in a battery or other energy storage module of the implantable medical device 100 and used for communication or other data processing by the implantable medical device.
Upon receiving the data in the control message, the communication processor 106 of the implantable medical device 100 and the random number unit 122 thereof creates a medical device nonce as a random number in step 212. In step 214, the communication processor 106 obtains a long-term key. The long-term key may be obtained from the memory module 106, may be generated by the central processing unit 102, may be generated by the communication processor 106 or may be obtained otherwise.
In step 216, a medical device message is generated comprising the medical device nonce, an identifier of the implantable medical device 100 and the obtained long-term key. The message is sent to the control device 150 in step 218, using the acoustic driver 116 and the ultrasonic transducer 118, analogous to the sending of the control message as discussed above. The medical device message is received by the control device 150 by means of the ultrasonic transducer 168 and the acoustic driver 166 analogous to the receiving of the control message as discussed above in step 220.
The key in the medical device message is obtained by the communication processor 156 of the control device 150 in step 222. In step 224, the key generation unit 174 of the control device 150 obtains at least one of the received long-term key, the control nonce, the medical device nonce, the identifier of the control device 150 and the identifier of the implantable medical device 100 and generates based thereon a short-term key in step 226 in accordance with a particular algorithm, which may be pre-determined.
Likewise, in step 224', the key generation unit 124 of the implantable medical device 100 obtains at least one of the received key, the control nonce, the medical device nonce, the identifier of the control device 150 and the identifier of the implantable medical device 150 and generates based thereon a short-term key in step 226' in accordance with a particular algorithm, which may be pre-determined and which may be the same as used in step 226. Hence, the key generated in step 226 may be the same as the key generated in step 226'. In step 228, the implantable medical device 100 activates the RF module 112 and opens a communication channel at a radio frequency.
Subsequently, the communication processor 256 of the control device 150 generates in step 230 a data object which may be based on at least one of the control nonce, the medical device nonce, the identifier of the control device 150 and the identifier of the implantable medical device 100, other, or a combination thereof. In step 232, the authentication unit 126 authenticates the data object thus generated. The authenticated data object is sent as a message to the implantable medical device 100 by means of the RF module 162 and the antenna 164 of the control device 150 in step 234.
The message thus sent in step 236 is received by the implantable medical device 100 by means of its antenna 114, its RF module 112 and its communication processor 106. In step 238, the verification unit 128 of the implantable medical device 100 verifies whether the data received is authenticated with an appropriate key. The energy in the RF signal received may be used for this processing or other processing and/or may be stored in a battery or another energy storage module comprised by the implantable medical device.
In step 238, the key generated in step 226' above may be used to this purpose. In step 240, the procedure branches to step 296 if the verification fails, in which step 296 the RF communication channel is closed by the communication processor 106 and the RF module 112 of the implantable medical device 100. Subsequently, the procedure ends in terminator 298.
If the verification in step 238 is successful, the procedure branches in step 240 to step 242 in which a data object is generated by the communication processor 106 of the implantable medical device based on at least one of the control nonce, the medical device nonce, the identifier of the control device 150 and the identifier of the implantable medical device 100. In step 244, the authentication unit 176 authenticates the data object thus generated. The authenticated data object is sent as a message to the control device 150 by means of the RF module 112 and the antenna 114 of the implantable medical device 100 in step 246.
The message thus sent is received by the control device 150 by means of its antenna 164, its RF module 162 and its communication processor 156 in step 248. In step 250, the verification unit 178 of the control device 150 verifies whether the data received is authenticated with an appropriate key. In step 250, the key generated in step 226 above may be used to this purpose. In step 252, the procedure branches to step 296 if the verification fails, in which step 296 the RF communication channel is closed by the communication processor 156 and the RF module 162 of the control device 150. Subsequently, the procedure ends in terminator 298.
If the verification in step 250 is successful, the procedure branches in step 252 to step 254 and step 254' in which the control device 150 and the implantable medical device 100 exchange data. Generally, the control device 150 will provide instruction to the implantable medical device 100 how the central processing unit 102 is to control the actuator module.
Additionally, or alternatively, instructions may be provided to provide the control device 150 with data acquired by means of the sensor module 108 and/or to acquire data using the sensor module 108.
In this regular data exchange as well, the messages may be encrypted in the form of “Authenticated Encryption”, in which both Encryption and Message Authentication Code (MAC) may be used in order to provide data confidentiality and authentication, respectively, for example using the standardized Galois Counter Mode (GCM) block-cipher mode of operation, Encrypt-then-MAC (EtM), other, or a combination thereof. A MAC code of every message sent during regular-data-exchange may be verified as discussed in conjunction with step 250. If any such verification check fails, the process branches to step 296 as well and the RF module 162 will be switched off. Additionally, or alternatively, an established pairing between the implantable medical device 100 and the control device may be reset.
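An added sketch of the pairing and verify-or-shut-down flow described above (steps 204 to 252 and the branch to step 296); it is not code from the patent. HMAC-SHA256 for both key generation and message authentication, the 16-byte nonces, the role labels and the device identifiers are assumptions, since the text leaves the algorithm open.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # assumed size; the text only requires a random number
TAG_LEN = 32    # HMAC-SHA256 output length


def derive_short_term_key(long_term_key, ctrl_nonce, imd_nonce, ctrl_id, imd_id):
    """Steps 226/226': both sides compute the same key from the same inputs.
    Fields are length-prefixed so different splits cannot collide."""
    material = b"".join(len(f).to_bytes(2, "big") + f
                        for f in (ctrl_nonce, imd_nonce, ctrl_id, imd_id))
    return hmac.new(long_term_key, material, hashlib.sha256).digest()


def authenticate(key, role, payload):
    """Steps 232/244: append a MAC. The role label (assumed) stops a tag
    made by one side from being replayed as if the other side made it."""
    return payload + hmac.new(key, role + payload, hashlib.sha256).digest()


def verify(key, role, message):
    """Steps 238/250: return the payload if the tag is valid, else None."""
    if len(message) < TAG_LEN:
        return None
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, role + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


class Implant:
    def __init__(self, imd_id, long_term_key):
        self.imd_id = imd_id
        self.long_term_key = long_term_key
        self.session_key = None
        self.rf_active = False  # RF stays off until acoustic pairing

    def on_acoustic(self, control_message):
        """Steps 210-228: answer the control message and open the RF channel."""
        ctrl_id, ctrl_nonce = control_message
        imd_nonce = secrets.token_bytes(NONCE_LEN)
        self.session_key = derive_short_term_key(
            self.long_term_key, ctrl_nonce, imd_nonce, ctrl_id, self.imd_id)
        self.rf_active = True
        # As in step 216, the long-term key travels in this message; its
        # secrecy rests on the short range of the acoustic channel.
        return (self.imd_id, imd_nonce, self.long_term_key)

    def on_rf(self, message):
        """Steps 236-246: verify, reply, or deactivate RF (step 296)."""
        if not self.rf_active:
            return None  # radio is off, so no energy is spent on verification
        payload = verify(self.session_key, b"ctrl", message)
        if payload is None:
            self.rf_active = False
            self.session_key = None  # new acoustic pairing is required
            return None
        return authenticate(self.session_key, b"imd", payload)


class Controller:
    def __init__(self, ctrl_id):
        self.ctrl_id = ctrl_id
        self.ctrl_nonce = None
        self.session_key = None

    def hello(self):
        """Steps 204-208: control message sent over ultrasound."""
        self.ctrl_nonce = secrets.token_bytes(NONCE_LEN)
        return (self.ctrl_id, self.ctrl_nonce)

    def on_acoustic(self, imd_message):
        """Steps 220-226: derive the short-term key from the IMD message."""
        imd_id, imd_nonce, long_term_key = imd_message
        self.session_key = derive_short_term_key(
            long_term_key, self.ctrl_nonce, imd_nonce, self.ctrl_id, imd_id)

    def send(self, payload):
        return authenticate(self.session_key, b"ctrl", payload)

    def accept(self, reply):
        """Step 250: check that the reply was authenticated by the implant."""
        return reply is not None and verify(self.session_key, b"imd", reply) is not None


def run_demo():
    # Constructed identifiers and payloads, for illustration only.
    imd = Implant(b"IMD-0001", secrets.token_bytes(32))
    ctrl = Controller(b"CTRL-0001")
    ctrl.on_acoustic(imd.on_acoustic(ctrl.hello()))
    paired_ok = ctrl.accept(imd.on_rf(ctrl.send(b"read-sensor")))
    rejected = imd.on_rf(b"set-pacing" + bytes(TAG_LEN))  # invalid tag
    rf_after_failure = imd.rf_active
    ignored = imd.on_rf(ctrl.send(b"read-sensor"))  # valid, but RF is off
    return paired_ok, rejected, rf_after_failure, ignored


if __name__ == "__main__":
    print(run_demo())
```

After the single failed verification the implant ignores even correctly authenticated RF traffic until a new acoustic exchange takes place, which is the property that bounds the energy an unauthenticated sender can make it spend.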
During communication, both in step 256 and step 256', the control device 150 and the implantable medical device check whether the communication continues or has ended. The communication may be ended explicitly, by means of a termination instruction or implicitly, by not sending any data anymore. Upon any end of the communication, the procedure enters in waiting step 258. In the waiting step 258, both devices may be in a low-power state or sleeping state.
In step 260, the control device 150 is activated, for example following user input as discussed above. Following activation, with an instruction to be sent to the implantable medical device 100, a nonce is generated by the random number unit 172, which may be based on an instruction of the central processing unit 152. In step 262, the nonce thus generated is sent by the control device 150 as discussed above, via the RF module 162. The identifier of the control device 150 may be sent along, as well as a specific instruction to resume communication.
The data thus sent in step 262 is received in step 264 as a continuation message by means of the RF module 112 of the implantable medical device 100. In step 266, the implantable medical device 100 wakes up as a result of receiving the message. Energy in the received signal may be used for the waking up. In step 268, the random number unit 122 generates a nonce and in step 270, the nonce is sent to the control unit 150, which may be accompanied by an identifier of the implantable medical device 100. The data message thus generated and sent is received by the control device 150 in step 272.
In step 274, the key generation unit 172 of the control device 150 generates a short-term key, based on at least the long-term key, the control nonce, the medical device nonce, the identifier of the control device 150 and the identifier of the implantable medical device 100. Next, the communication processor 156 generates a data object based on at least one of the short-term key, the control nonce, the medical device nonce, the identifier of the control device 150 and the identifier of the implantable medical device 100 in step 276. In step 278, the authentication unit 176 authenticates the data object thus generated.
Likewise, in step 274', the key generation unit 122 of the implantable medical device 100 generates a short-term key, based on at least the long-term key, the control nonce, the medical device nonce, the identifier of the control device 150 and the identifier of the implantable medical device 100. Next, the communication processor 106 generates a data object based on at least one of the short-term key, the control nonce, the medical device nonce, the identifier of the control device 150 and the identifier of the implantable medical device 100 in step 276'. In step 278', the authentication unit 126 authenticates the data object thus generated.
In step 280, the authenticated data object generated by the communication processor 156 of the control device as discussed above is sent to the implantable medical device 150 by means of the RF module 112 as a continuation confirmation message. The continuation confirmation message is received by the RF module 112 of the implantable medical device 100 in step 282 and the authentication is verified in step 284. The verification may be executed using the key generated in step 274. If the verification fails, the procedure branches to step 296 as discussed above. Additionally, the control device 150 may be unpaired with the implantable medical device 100, which means that for further contact between the two devices, the pairing using ultrasonic data communication may have to be executed again, as discussed above.
If the verification in step 284 is successful, the procedure continues to step 288 via branch 286, in which the data object generated in step 276' and authenticated in step 278' is sent to the control device as a continuation verification return message, via the RF module 112 and the communication processor 106. The continuation verification return message thus sent is received by the control device in step 290, by means of the RF module 162.
In step 292, the authentication of the continuation verification return message is verified, which may be executed by means of the key generated in step 274' discussed above. If the verification fails, the procedure branches to step 296 as discussed above via step 294. Additionally, the control device 150 may be unpaired with the implantable medical device 100, which means that for further contact between the two devices, the pairing using ultrasonic data communication may have to be executed again. If the verification is successful, the procedure branches back to step 254 and step 254, in which communication is resumed as discussed above.
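The resumption handshake of steps 260 to 296 can be followed in code; the block below is an added example and not code from the patent. It assumes HMAC-SHA256 for both the short-term key derivation and the authentication of the data object, 16-byte nonces and direction labels, none of which the text specifies, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Direction labels are a choice of this example: they make the two tags differ,
# so a tag sent in one direction cannot be reflected back as the reply.
C2I, I2C = b"control->implant", b"implant->control"


def _encode(*fields):
    """Length-prefix each field so that concatenation is unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def derive_short_term_key(long_term_key, nonce_c, nonce_i, id_c, id_i):
    """Steps 274/274': each side derives the same key independently."""
    data = _encode(b"short-term-key", nonce_c, nonce_i, id_c, id_i)
    return hmac.new(long_term_key, data, hashlib.sha256).digest()


def tag(short_term_key, direction, nonce_c, nonce_i, id_c, id_i):
    """Steps 276-278 / 276'-278': authenticated data object (here a bare MAC)."""
    data = _encode(direction, nonce_c, nonce_i, id_c, id_i)
    return hmac.new(short_term_key, data, hashlib.sha256).digest()


class Implant:
    def __init__(self, identifier, long_term_key):
        self.identifier, self.long_term_key = identifier, long_term_key
        self.rf_on, self.paired, self.ctx = False, True, None

    def on_continuation(self, id_c, nonce_c):
        """Steps 264-270: wake up, answer with own identifier and a fresh nonce."""
        if not self.paired:
            return None  # pairing over the ultrasonic channel is needed first
        self.rf_on = True
        nonce_i = secrets.token_bytes(16)
        self.ctx = (nonce_c, nonce_i, id_c, self.identifier)
        return self.identifier, nonce_i

    def on_confirmation(self, received):
        """Steps 282-288: verify the controller's tag, then return our own."""
        if self.ctx is None:
            return None
        key = derive_short_term_key(self.long_term_key, *self.ctx)
        ok = hmac.compare_digest(received, tag(key, C2I, *self.ctx))
        reply = tag(key, I2C, *self.ctx) if ok else None
        if not ok:  # step 296: RF module off; this example also drops the pairing
            self.rf_on, self.paired = False, False
        self.ctx = None  # nonces are single-use
        return reply


class Controller:
    def __init__(self, identifier, long_term_key):
        self.identifier, self.long_term_key = identifier, long_term_key
        self.paired, self.nonce_c, self.ctx, self.key = True, None, None, None

    def start(self):
        """Steps 260-262: fresh control nonce sent along with the identifier."""
        self.nonce_c = secrets.token_bytes(16)
        return self.identifier, self.nonce_c

    def confirm(self, id_i, nonce_i):
        """Steps 272-280: derive the key, build the continuation confirmation."""
        self.ctx = (self.nonce_c, nonce_i, self.identifier, id_i)
        self.key = derive_short_term_key(self.long_term_key, *self.ctx)
        return tag(self.key, C2I, *self.ctx)

    def on_return(self, received):
        """Steps 290-294: verify the continuation verification return message."""
        ok = received is not None and hmac.compare_digest(
            received, tag(self.key, I2C, *self.ctx))
        if not ok:
            self.paired = False
        return ok


def resume(controller, implant):
    """Run one resumption handshake; True means regular exchange may resume."""
    hello = implant.on_continuation(*controller.start())
    if hello is None:
        return False
    confirmation = controller.confirm(*hello)
    return controller.on_return(implant.on_confirmation(confirmation))


if __name__ == "__main__":
    ltk = secrets.token_bytes(32)  # constructed long-term key from pairing
    imd = Implant(b"IMD-constructed", ltk)
    print("paired controller:", resume(Controller(b"CTRL-constructed", ltk), imd))
    rogue = Controller(b"CTRL-constructed", secrets.token_bytes(32))
    print("rogue controller:", resume(rogue, imd), "rf_on:", imd.rf_on)
```

Because both nonces enter the key derivation and the tag, a confirmation captured in one session does not verify in the next, and a failed check leaves the implant with its RF module off until pairing is repeated.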
The various aspects and variations thereof relate to the following numbered implementations:
1. In an implantable medical device, a method of communicating with a control device, the method comprising:
receiving a first data message from the control device via a first physical communication channel; upon receiving the first message, activating a second physical communication channel different from the first physical communication channel; obtaining first authentication data of the control device, based on data provided in the first data message; receiving, via the second physical communication channel, a second message; verifying whether the second message originates from the control device, based on the obtained first authentication data; deactivating the second physical communication channel at the side of the implantable medical device if a result of the verifying is that the second message does not originate from the control device.
2. The method according to implementation 1, further comprising sending, upon receiving the first message, via the first physical communication channel, a third message to the control device, the third message comprising second authentication data; wherein the first authentication data is further based on the second authentication data.
3. The method according to implementation 2, wherein the second authentication data comprises at least one of a medical device identifier identifying the implantable medical device and random medical device data.
4. The method according to any of the preceding implementations, wherein: the first data message comprises at least one of a control identifier identifying the control device and random control data; and the first authentication data is further based on at least one of the control identifier and the random control data.
5. Method according to any of the preceding implementations, wherein obtaining first authentication data comprises generating, by the implantable medical device, a key based on data provided in the first data message.
6. Method according to any of the preceding implementations, wherein the verifying comprises at least one of verifying a signature of the second message and subjecting at least part of the second message to a decryption operation.
7. The method according to any of the preceding implementations, wherein the first physical communication channel has a first signal attenuation factor in a gaseous medium and the second physical communication channel has a second signal attenuation factor in the gaseous medium, the first signal attenuation factor being higher than the second signal attenuation factor.
8. The method of any one of the preceding implementations, wherein the first physical communication channel is an ultrasonic communication channel and the second physical communication channel is an electromagnetic communication channel.
9. The method according to implementation 8, wherein the ultrasonic communication channel has a frequency higher than 500 kHz, preferably higher than 1 MHz.
10. The method according to implementation 8 or implementation 9, wherein the electromagnetic communication channel has a frequency between 100 kHz and 10 GHz.
11. In a control device arranged to control an implantable medical device, a method of communicating with the implantable medical device, the method comprising: sending a first data message to the implantable medical device over a first physical communication channel;
obtaining first authentication data based on data provided in the first data message; generating second data message; authenticating the second data message using the first authentication data; sending the authenticated second data message to the implantable medical device over a second physical communication channel, the second physical communication channel being different from the first physical communication channel.
12. The method according to implementation 11, further comprising receiving, from the implantable medical device, over the first physical communication channel, a third message, the third message comprising second authentication data; wherein the first authentication data is further based on the second authentication data.
13. The method according to implementation 12, wherein the second authentication data comprises at least one of a medical device identifier identifying the implantable medical device and random medical device data.
14. The method according to any of implementations 11 to 13, wherein: the first data message comprises at least one of a control identifier identifying the control device and random control data; and the first authentication data is further based on at least one of the control identifier and the random control data.
15. Method according to any one of the implementations 11 to 14, wherein obtaining first authentication data comprises generating, by the control device, a key based on data provided in the first data message.
16. Method according to any of the implementations 11 to 15, wherein the authenticating comprises at least one of adding signature to the second message and subjecting at least part of the second message to an encryption operation.
17. The method according to any of the implementations 9 to 16, wherein the first physical communication channel has a first signal attenuation factor in a gaseous medium and the second physical communication channel has a second signal attenuation factor in the gaseous medium, the first signal attenuation factor being higher than the second signal attenuation factor.
18. The method of any one of the implementations 11 to 17, wherein the first physical communication channel is an ultrasonic communication channel and the second physical communication channel is an electromagnetic communication channel.
19. The method according to implementation 18, wherein the ultrasonic communication channel has a frequency higher than 500 kHz, preferably higher than 1 MHz.
20. The method according to implementation 18 or implementation 19, wherein the electromagnetic communication channel has a frequency between 100 kHz and 10 GHz.
21. An implantable medical device arranged for communicating with a control device, the implantable medical device comprising: a first transceiver arranged to receive, via a first physical communication channel, a first message from a control device; a second transceiver arranged to receive, via a second physical communication channel, a second message; a processing unit arranged to: activate, upon receiving the first message, the second physical communication channel, by activating the second transceiver; obtain first authentication data of the control device, based on data provided in the first data message;
verify whether the second message originates from the control device, based on the obtained first authentication data; deactivate the second physical communication channel at the side of the implantable medical device if a result of the verifying is that the second message does not originate from the control device.
22. A control device arranged to control an implantable medical device, the control device comprising a first transceiver arranged to send, via a first physical communication channel, a first data message to the implantable medical device; a second transceiver arranged to send, via a second physical communication channel, a second data message to the implantable medical device, the second physical communication channel being different from the first physical communication channel; a processing unit arranged to: obtain first authentication data based on the first data message; generate the second data message; authenticate the second data message using the first authentication data; and send the authenticated second data message to the implantable medical device by means of the second transceiver.

Claims (22)

1. In an implantable medical device, a method of communicating with a control device, the method comprising: receiving a first data message from the control device via a first physical communication channel; upon receiving the first message, activating a second physical communication channel different from the first physical communication channel; obtaining first authentication data of the control device, based on data provided in the first data message; receiving, via the second physical communication channel, a second message; verifying whether the second message originates from the control device, based on the obtained first authentication data; deactivating the second physical communication channel at the side of the implantable medical device if a result of the verifying is that the second message does not originate from the control device.
2. The method according to claim 1, further comprising sending, upon receiving a first message, via the first physical communication channel, a third message to the control device, the third message comprising second authentication data; wherein the first authentication data is further based on the second authentication data.
3. The method according to claim 2, wherein the second authentication data comprises at least one of a medical device identifier identifying the implantable medical device and random medical device data.
4. The method according to any of the preceding claims, wherein: first data message comprises at least one of a control identifier identifying the control device and random control data; and wherein the first authentication data is further based on at least one of the control identifier and the random control data.
5. The method according to any of the preceding claims, wherein obtaining first authentication data comprises generating, by the implantable medical device, a key based on data provided in the first data message.
6. The method according to any of the preceding claims, wherein the verifying comprises at least one of verifying a signature of the second message and subjecting at least part of the second message to a decryption operation.
7. The method according to any of the preceding claims, wherein the first physical communication channel has a first signal attenuation factor in a gaseous medium and the second physical communication channel has a second signal attenuation factor in the gaseous medium, the first signal attenuation factor being higher than the second signal attenuation factor.
8. The method according to any of the preceding claims, wherein the first physical communication channel is an ultrasonic communication channel and the second physical communication channel is an electromagnetic communication channel.
9. The method according to claim 3, wherein the ultrasonic communication channel has a frequency higher than 500 kHz, preferably higher than 1 MHz.
10. The method according to claim 3 or 4, wherein the electromagnetic communication channel has a frequency between 100 kHz and 10 GHz.
11. In a control device arranged to control an implantable medical device, a method of communicating with the implantable medical device, the method comprising: sending a first data message to the implantable medical device over a first physical communication channel; obtaining first authentication data based on data provided in the first data message; generating second data message; authenticating the second data message using the first authentication data; sending the authenticated second data message to the implantable medical device over a second physical communication channel, the second physical communication channel being different from the first physical communication channel.
12. The method according to claim 11, further comprising receiving, from the implantable medical device, over the first physical communication channel, a third message, the third message comprising second authentication data; wherein the first authentication data is further based on the second authentication data.
13. The method according to claim 12, wherein the second authentication data comprises at least one of a medical device identifier identifying the implantable medical device and random medical device data.
14. The method according to claims 11 to 13, wherein: the first data message comprises at least one of a control identifier identifying the control device and random control data; and the first authentication data is further based on at least one of the control identifier and the random control data.
15. The method according to claims 11 to 14, wherein obtaining first authentication data comprises generating, by the control device, a key based on data provided in the first data message.
16. The method according to claims 11 to 15, wherein the authenticating comprises at least one of adding a signature to the second message and subjecting at least part of the second message to an encryption operation.
17. The method according to claims 9 to 16, wherein the first physical communication channel has a first signal attenuation factor in a gaseous medium and the second physical communication channel has a second signal attenuation factor, the first signal attenuation factor being higher than the second signal attenuation factor.
18. The method according to claims 11 to 17, wherein the first physical communication channel is an ultrasonic communication channel and the second physical communication channel is an electromagnetic communication channel.
19. The method according to claim 18, wherein the ultrasonic communication channel has a frequency higher than 500 kHz, preferably higher than 1 MHz.
20. The method according to claims 18 or 19, wherein the electromagnetic communication channel has a frequency between 100 kHz and 10 GHz.
21. An implantable medical device arranged for communicating with a control device, the implantable medical device comprising: a first transceiver arranged to receive, via a first physical communication channel, a first message from a control device; a second transceiver arranged to receive, via a second physical communication channel, a second message; a processing unit arranged to: activate the second physical communication channel, by activating the second transceiver; obtain first authentication data of the control device, based on data provided in the first data message; verify whether the second message originates from the control device, based on the obtained first authentication data; deactivate the second physical communication channel at the side of the implantable medical device if a result of the verifying is that the second message does not originate from the control device.
22. A control device arranged to control an implantable medical device, the control device comprising a first transceiver arranged to send, via a first physical communication channel, a first data message to the implantable medical device; a second transceiver arranged to send, via a second physical communication channel, a second data message to the implantable medical device, the second physical communication channel being different from the first physical communication channel; a processing unit arranged to: obtain first authentication data based on the first data message; generate the second data message; authenticate the second data message using the first authentication data; and send the authenticated second data message to the implantable medical device by means of the second transceiver.
NL2028563A | 2021-05-19 | 2021-06-29 | implantable medical device and control device therefor | NL2028563B1 (en)

Priority Applications (2)

| Application Number | Priority Date | Filing Date | Title |
| --- | --- | --- | --- |
| NL2028563A, NL2028563B1 (en) | 2021-06-29 | 2021-06-29 | implantable medical device and control device therefor |
| PCT/NL2022/050273, WO2022245212A1 (en) | 2021-05-19 | 2022-05-19 | Implantable medical device and control device therefor |

Applications Claiming Priority (1)

| Application Number | Priority Date | Filing Date | Title |
| --- | --- | --- | --- |
| NL2028563A, NL2028563B1 (en) | 2021-06-29 | 2021-06-29 | implantable medical device and control device therefor |

Publications (1)

| Publication Number | Publication Date |
| --- | --- |
| NL2028563B1 (en) | 2023-01-09 |

Family

ID=77911061

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
| --- | --- | --- | --- |
| NL2028563A, NL2028563B1 (en) | implantable medical device and control device therefor | 2021-05-19 | 2021-06-29 |

Country Status (1)

| Country | Link |
| --- | --- |
| NL (1) | NL2028563B1 (en) |

Patent Citations (4)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
| --- | --- | --- | --- | --- |
| US20040260363A1 (en) * | 2003-06-23 | 2004-12-23 | Arx Jeffrey A. Von | Secure long-range telemetry for implantable medical device |
| US20120266221A1 (en) * | 2009-10-20 | 2012-10-18 | Claude Castelluccia | Method for secure communication between devices |
| US20190201702A1 (en) * | 2018-01-04 | 2019-07-04 | Cardiac Pacemakers, Inc. | Secure transdermal communication with implanted device |
| US20200101301A1 (en) * | 2017-04-06 | 2020-04-02 | Yoram Palti | Retrofit to Protect Implanted Devices (e.g., Pacemakers) from Unauthorized Manipulation |


Legal Events

| Date | Code | Title | Description |
| --- | --- | --- | --- |
| | MM | Lapsed because of non-payment of the annual fee | Effective date: 20240701 |

