In general, implantable medical devices (IMDs) provide in situ therapy delivery, such as pacing, cardiac resynchronization, defibrillation, neural stimulation and drug delivery, and physiological monitoring and data collection. Once implanted, IMDs function autonomously by relying on preprogrammed operation and control over therapeutic and monitoring functions. IMDs can be interfaced to external devices, such as programmers, repeaters and similar devices, which can program, troubleshoot, and download telemetered data, typically through induction or similar forms of near-field telemetry.
Telemetered data download typically occurs during follow-up, which requires an in-clinic visit by the patient once every three to twelve months, or as necessary. Following interrogation of the IMD, the telemetered data can be analyzed to evaluate patient health status. Although clinical follow-up is mandatory, the frequency and type of follow-up are dependent upon several factors, including projected battery life, type, mode and programming of IMD, stability of pacing and sensing, the need for programming changes, underlying rhythm or cardiac condition, travel logistics, and the availability of alternative follow-up methods, such as transtelephonic monitoring, for example, the CareLink Monitor, offered by Medtronic, Inc., Minneapolis, Minn.; Housecall Plus Remote Patient Monitoring System, offered by St. Jude Medical, Inc., St. Paul, Minn.; and BIOTRONIK Home Monitoring Service, offered by BIOTRONIK GmbH & Co. KG, Berlin, Germany.
Telemetered data generally includes information on all programmed device parameters, as well as real time or measured and recorded data on the operation of the IMD available at the time of interrogation. In addition, telemetered data can include parametric and physiological information on the output circuit, battery parameters, sensor activities for rate adaptive IMDs, event markers, cumulative totals of sensed and paced events, and transmission of electrograms. Derived measures include battery depletion, which can be gauged by the downloaded battery voltage and impedance levels, and lead integrity, which is reflected by pacing impedance. Event markers depict pacing and sensing simultaneously recorded with electrograms to indicate how the IMD interprets specifically paced or sensed events with timing intervals. Other types of telemetered data are possible.
Clinical follow-up is conventionally performed using a programmer under the direction of trained healthcare professionals. The programmer is typically interfaced to an IMD through inductive near field telemetry. Fundamentally, IMDs are passive devices that report on operational and behavioral patient status, including the occurrence of significant events, only when interrogated by an external device. As a result, the programmer-based follow-up sessions generally provide the sole opportunity for the IMD to report any significant event occurrences observed since the last follow-up session. Moreover, the latency in reporting significant event occurrences becomes dependent upon the timing of the clinical follow-up sessions for non-closely followed patients. Thus, in some circumstances, delays in downloading telemetered data can result in lost data or chronic cardiac conditions recognized too late.
Recently, far field telemetry using radio frequency (RF) carrier signals has provided an alternative means for interfacing programmers and similar external devices to IMDs, such as described in commonly-assigned U.S. Pat. No. 6,456,256, issued Sep. 24, 2002, to Amudson et al.; U.S. Pat. No. 6,574,510, to Von Arx et al., issued Jun. 3, 2003; and U.S. Pat. No. 6,614,406, issued Sep. 2, 2003, to Amudson et al., disclosures of which are incorporated by reference. Far field telemetry has a higher data rate, which results in shorter downloading times, and the patient experiences greater freedom of movement while the IMD is being accessed. Nevertheless, despite the higher data rate, the IMD remains a passive device that only reports significant event occurrences when interrogated using an RF-capable programmer.
Similarly, dedicated monitoring devices, known as repeaters, have become available to patients to provide monitoring and IMD follow-up in an at-home setting similar to transtelephonic monitoring. Each repeater is specifically matched to an IMD. Once a day or as required, the patient uses the repeater to actively poll the IMD through induction or far field telemetry. Alternatively, some repeaters can be passively polled. During each session, any significant events occurrences are reported, although programming of the IMD is generally not allowed for safety reasons. As well, repeaters download recorded telemetered data. Despite the improved frequency and speed of telemetered data downloads, the latency to report significant event occurrences can be as long as a full day. The patient must also be physically proximal to the repeater during interrogation in the same fashion as a programmer. In addition, repeaters, by virtue of being stationary devices, are unable to capture patient physiological and behavioral data while the patient is engaged in normal everyday activities or at any other time upon the initiation of the patient or by a remote patient management system.
Furthermore, the use of RF telemetry in IMDs potentially raises serious privacy and safety concerns. Sensitive information, such as patient-identifiable health information (PHI), exchanged between an IMD and the programmer or repeater should be safeguarded to protect against compromise. Recently enacted medical information privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the European Privacy Directive underscore the importance of safeguarding a patient's privacy and safety and require the protection of all patient-identifiable health information (PHI). Under HIPAA, PHI is defined as individually identifiable health information, including identifiable demographic and other information relating to the past, present or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer or health care clearinghouse. Other types of sensitive information in addition to or in lieu of PHI could also be protectable.
The sweeping scope of medical information privacy laws, such as HIPAA, may affect patient privacy on IMDs with longer transmission ranges, such as provided through RF telemetry, and other unsecured data interfaces providing sensitive information exchange under conditions that could allow eavesdropping, interception or interference. Sensitive information should be encrypted prior to long range transmission. Currently available data authentication techniques for IMDs can satisfactorily safeguard sensitive information. These techniques generally require cryptographic keys, which are needed by both a sender and recipient to respectively encrypt and decrypt sensitive information transmitted during a data exchange session. Cryptographic keys can be used to authenticate commands, check data integrity and, optionally, encrypt sensitive information, including any PHI, during a data exchange session. Preferably, the cryptographic key is unique to each IMD. However, authentication can only provide adequate patient data security if the identification of the cryptographic key from the IMD to the programmer or repeater is also properly safeguarded.
Therefore, there is a need for an approach to providing an ambulatory solution to retrieving physiological and parametric telemetered data from IMDs. Preferably, such an approach would provide authenticated and secure communication with IMDs and include configurable activation settings.