Implantable medical devices such as implantable cardiac pacemakers or implantable cardioverter/defibrillators often receive control commands via a telemetry unit, e.g., when an implant is remotely programmed via home monitoring. These control commands are typically intended to adapt and improve the operation of the implantable medical device, although they can impair operation if misuse occurs. Data communication between an external device and the implantable medical device should therefore be as secure as possible, and should preferably be authenticated. Since unauthorized personnel could reconfigure an active implantable medical device in ways that are potentially harmful to health, data access should be granted only to an authorized person or an authorized external device.
Currently, an inductive programming head is commonly used for data transmission, both to ensure patient security and to ensure that authorized personnel are performing the reconfiguration. The range of an inductive programming head is typically a few centimeters, and therefore the physician who is performing the reconfiguration must be located in the direct vicinity of the patient, which implicitly ensures authenticity.
It may be desirable to have a physician perform a reconfiguration remotely. In this instance, inductive telemetry should be replaced by radio frequency telemetry to avoid troubling the patient with the occasionally complicated placement of the programming head, which can be an error-prone endeavor for a layperson. Ranges of a few meters are technically easy to attain, and therefore the patient's implant can be accessed without the need to be in the patient's immediate vicinity. However, the use of radio frequency telemetry, with its greater range, opens up new possibilities for compromising patient security. This has already been demonstrated in several publications.
It is therefore desirable to permit communication with the implant only when the external device reads a feature on the patient that may only be read directly and possibly only with the patient's permission, and that is compared by the implant with one of its own measurements for authentication. If they match, the implant can approve communication. A number of features might be extracted from the patient to perform an authentication:
- Optical pulse measurement and comparison with an intracardial electrocardiogram (IEGM)
- Measurement of the transit time of the radio signals and denial of access if the distance is too great
- Application of an access code in the form of a tattooed barcode, number, or other indicia which is read by a camera
Known solutions typically require additional hardware or do not solve the problem completely. A brief summary of the complexity of implementation is presented below:
Pulse Measurement
Implementation complexity is increased since an external device must be equipped with an optical pulse meter. The measurement is typically taken on the finger. The solution is good in principle since a patient-specific feature is read, and the patient must actively “permit” the measurement.
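The comparison of an externally measured optical pulse with the implant's own IEGM, as described above, could be sketched as follows. This is an added example and not part of the original text; the beat-interval matching method, the function names, the thresholds and the sample timestamps are all assumptions constructed for illustration.

```python
# Added example: beat-interval matching between implant and external device.
# Method, names, thresholds and data are assumptions, not taken from the text.
from itertools import accumulate
from statistics import pstdev

MIN_INTERVALS = 8        # assumed minimum number of beat intervals to compare
TOLERANCE_MS = 25        # assumed allowed disagreement per interval
MIN_VARIABILITY_MS = 10  # assumed minimum spread for a usable rhythm


def intervals(peaks_ms):
    """Beat-to-beat intervals; independent of clock offset and pulse delay."""
    return [b - a for a, b in zip(peaks_ms, peaks_ms[1:])]


def authenticate(iegm_peaks_ms, pulse_peaks_ms):
    """Implant-side check. Returns (approved, reason)."""
    own, ext = intervals(iegm_peaks_ms), intervals(pulse_peaks_ms)
    if len(ext) < MIN_INTERVALS or len(own) < len(ext):
        return False, "too few beats"
    if any(i <= 0 for i in own + ext):
        return False, "non-monotonic timestamps"
    # A fixed-rate rhythm looks the same for every patient, so it proves nothing.
    if pstdev(ext) < MIN_VARIABILITY_MS:
        return False, "rhythm too regular to be patient-specific"
    # The external recording may start at any beat: try every alignment.
    for lag in range(len(own) - len(ext) + 1):
        window = own[lag:lag + len(ext)]
        if all(abs(a - b) <= TOLERANCE_MS for a, b in zip(window, ext)):
            return True, f"match at lag {lag}"
    return False, "no match"


# Constructed sample data (milliseconds).
IEGM_PEAKS = list(accumulate(
    [812, 845, 790, 830, 865, 801, 778, 842, 819, 853, 796, 824], initial=0))
# Same heart, measured at the finger: starts two beats later, runs on a
# different clock (start value 50000) and has a few ms of measurement jitter.
PULSE_PEAKS = list(accumulate(
    [796, 821, 869, 798, 786, 837, 821, 846, 801], initial=50_000))
# Recording from a different person, and a perfectly regular rhythm.
OTHER_PEAKS = list(accumulate(
    [905, 880, 921, 893, 870, 912, 899, 884, 917], initial=0))
REGULAR_PEAKS = list(accumulate([1000] * 9, initial=0))

if __name__ == "__main__":
    for name, peaks in [("same patient", PULSE_PEAKS), ("other person", OTHER_PEAKS),
                        ("regular rhythm", REGULAR_PEAKS)]:
        print(name, authenticate(IEGM_PEAKS, peaks))
```

Comparing intervals rather than absolute timestamps removes the need for synchronized clocks and cancels the roughly constant delay between the electrical heartbeat and the pulse arriving at the finger.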
Measurement of Transit Time
Implementation complexity is high since a special RF chip must be developed. Authentication is possible, although it is not possible for the patient to grant approval. In addition, the method is difficult for the patient to understand.
Tattooing
It is not particularly practical to apply features as tattoos. The security of authentication is good in principle, since authentication requires patient consent.
It would therefore be useful to have methods and devices that ensure maximum security and require only a reasonable amount of effort.