Heart diseases refer to several classes of cardio and cardiovascular disorders and co-morbidities relating to the heart and blood vessels. Heart disease is often treated through a combination of medication and lifestyle modification. In severe cases, a monitoring or therapy delivery device, referred to as an implantable medical device (IMD), is surgically implanted to collect cardiac performance data and to deliver therapy to the heart, when needed. IMDs are also used in other areas of medicine to provide neural stimulation, dispense drugs, and perform other monitoring and in situ therapeutic functions, as would be appreciated by one skilled in the art.
Static data can be stored on an IMD for retrieval by health care providers and for use by the IMD. In addition, data collected by the IMD can be downloaded for analysis and, if required, new performance instructions can be uploaded to reprogram the IMD. Typically, an IMD communicates with a programmer or a dedicated repeater located outside the body in a data exchange session. To minimize patient risk, wireless telemetry, such as inductive telemetry, is normally used to non-invasively communicate with the IMD.
Inductive telemetry has a few shortcomings. First, inductive telemetry is short range, typically about six centimeters, and requires close proximity between a patient and the programmer or repeater. The patient's movements are limited while data transfer is ongoing. Also, inductive telemetry typically has a slow data transfer rate, which is directly proportional to the carrier signal frequency. Only low frequency signals can be used for carrier signals due to the low-pass filtering effect of the metal casing of the IMD, resulting in a transmission speed of several kilobits per second. This transfer rate is inadequate for modern IMDs, which normally exchange thousands of kilobits of patient physiological data.
Recently, radio frequency (RF) telemetry has emerged as a viable adjunct to inductive telemetry, such as described in commonly-assigned U.S. Pat. No. 6,456,256, issued Sep. 24, 2002, to Amundson et al.; U.S. Pat. No. 6,574,510, issued Jun. 3, 2003, to Von Arx et al.; and U.S. Pat. No. 6,614,406, issued Sep. 2, 2003, to Amundson et al., the disclosures of which are incorporated by reference. Unlike inductive telemetry, RF telemetry is long range, extending to 20 or more feet from a patient without using repeaters. This range allows a patient free movement while the IMD is accessed. RF telemetry also offers a higher data transfer rate that can significantly shorten download time.
Although promising, the use of RF telemetry in IMDs potentially raises serious privacy issues. Sensitive information, such as patient-identifiable health information, exchanged between an IMD and the programmer or repeater should be safeguarded to protect patient privacy. Prior to initiating a data exchange session, a clinician preferably first informs the patient and then proceeds only with the patient's knowledge. The short range of inductive telemetry can imply informed consent, but the longer range of RF telemetry can require additional precautions to safeguard any sensitive information against unauthorized disclosure or interception.
Recently enacted medical information privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the European Privacy Directive underscore the importance of safeguarding patients' privacy and require the protection of all patient-identifiable health information (PHI). Under HIPAA, PHI is defined as individually identifiable patient health information, including identifiable demographic and other information relating to the past, present or future physical or mental health or condition, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer or health care clearinghouse. Other types of sensitive information in addition to or in lieu of PHI could also be protectable.
The sweeping scope of medical information privacy laws, such as HIPAA, may affect patient privacy on IMDs with longer transmission ranges, such as provided through RF telemetry, and other unsecured data interfaces providing sensitive information exchange under conditions that could allow eavesdropping, interception or interference. Sensitive information should be encrypted prior to long range transmission. Currently available data encryption techniques, such as the Advanced Encryption Standard (AES), a FIPS-approved symmetric encryption algorithm, can satisfactorily safeguard sensitive information. These encryption techniques employ crypto keys, which are needed by both a sender and recipient to respectively encrypt and decrypt sensitive information transmitted during a data exchange session.
Encrypted data exchange sessions between an IMD and a programmer or repeater pose special concerns due to a potentially wide disparity in processing capabilities. Performing encryption, although computationally expensive in processing and storage resources, is well within the capabilities of a programmer or repeater. However, the same resource requirements can severely burden IMDs due to the modest, battery-powered processors typically used. The processing disparity can be in the order of four to five magnitudes. For instance, encrypting a 16 Kbyte message with the widely-used Z80 microprocessor running at processing speeds typical for an IMD, for instance, 1 MHz, can take up to 650 msec, which is unacceptably slow and costly in power and transmission bandwidth consumed. Moreover, the program code and data space for the encryption operations can strain limited on-board IMD memory space.
Therefore, there is a need for a system and method to safeguard sensitive information, particularly PHI, through preencryption when exchanged via long range telemetry or unsecured data interfaces. Preferably, such an approach would free the IMD from the burdens imposed by active encryption and decryption by preencrypting sensitive information stored but not used by the IMD with a programmer or repeater prior to transmission.