A technology-based health care system that fully integrates the technical and social aspects of patient care and therapy should be able to flawlessly connect the client with care providers irrespective of separation distance or location of the participants. While clinicians will continue to treat patients in accordance with accepted modern medical practice, developments in communications technology are making it ever more possible to provide medical services in a time and place independent manner.
Prior art methods of clinical services are generally limited to in-hospital operations. For example, if a physician needs to review the performance parameters of an implantable device in a patient, it is likely that the patient has to go to the clinic. Further, if the medical condition of a patient with an implantable device warrants continuous monitoring or adjustment of the device, the patient would have to stay in a hospital indefinitely. Such a continued treatment plan poses both economic and social problems. Under the exemplary scenario, as the segment of the population with implanted medical devices increases, many more hospitals/clinics, including service personnel, will be needed to provide in-hospital service for the patients, thus escalating the cost of healthcare. Additionally, the patients will be unduly restricted and inconvenienced by the need to either stay in the hospital or make very frequent visits to a clinic.
Yet another condition of the prior art practice requires that a patient visit a clinic center for occasional retrieval of data from the implanted device to assess the operations of the device and gather patient history for both clinical and research purposes. Depending on the frequency of data collection this procedure may pose a serious difficulty and inconvenience for patients who live in rural areas or have limited mobility. Similarly, in the event a need arises to upgrade the software of an implantable medical device, the patient will be required to come into the clinic or hospital to have the upgrade installed.
Further, in medical practice it is an industry-wide standard to keep an accurate record of past and present procedures relating to an IMD. Generally, a report should be generated each time a medical component such as a programmer and/or analyzer is connected to the IMD. Various information should be contained in the report, including an identification of all the medical components used during a procedure. Specifically, all peripheral and major devices that are used in downlinking to the IMD need to be reported. Presently, there is no automated system for producing a report of all the major components used in a procedure involving communications with an IMD. The current practice is for a medical person to physically record or enter data related to the devices used in the downlinking procedure. One of the limitations of this procedure is the fact that it is error prone and often requires rechecking of the data to verify accuracy. Further, current practice does not allow secure patient data transfer across communicating media systems.
Protecting the safety and privacy of patient medical information has become a growing concern of health care organizations. The explosive growth of the internet and distributed computing environments is largely responsible for connecting previously disconnected remote computing platforms of health care providers. The cost of establishing and maintaining proprietary data networks between remotely communicating computers and data centers is very high. Thus health care organizations increasingly rely on insecure “public” networks, such as the internet or public telephone systems, to connect remote computing platforms. As a result, sensitive patient medical records may be compromised while in transit, and healthcare providers may be liable to privacy and breach of confidentiality claims. Generally, these risks are not encountered in non-networked computing platforms.
As the sophistication of medical devices increases, health care providers are faced with new challenges in protecting sensitive patient information. Some medical devices are now capable of performing independent data transfers across communications networks to data centers, or to other medical devices. One example of such a medical device is a programmer. Programmers are used to initialize and service various implanted devices. These implanted devices include, for example, neural implants, pacemakers and cardioversion/defibrillator devices. Presently, typical programmers in use by physicians are generally the size and shape of a portable laptop computer. Communication with an implanted device is accomplished through a radio frequency (RF) connection by using an accessory connected to the programmer. The programmer further includes a screen for displaying alphanumeric information and, optionally, graphic information such as an electrogram (EGM) or an electrocardiogram (ECG). The programmer also includes an interface with a printer for printing information, such as the programming parameters set for a particular pacemaker, data logged by the pacemaker for a pre-selected period, or an ECG graph.
Data encryption has been increasingly used to add security and privacy to data, voice and video transmissions across public networks. Encryption involves the translation of data into a secret code. A common method includes the scrambling of bit patterns. To read an encrypted file, a user must have access to a secret key or password to decrypt the data. Unencrypted data is called plain text, while encrypted data is referred to as cipher text. There are two main types of encryption (discussed in more detail below): asymmetric encryption (also called public-key encryption) and symmetric encryption. Encryption algorithms have been available for some time, but only recently have low-cost processors become fast enough to perform encryption and decryption functions in a reasonable amount of time.
Several methods can be used to encrypt data streams, all of which can easily be implemented through software. The simplest of all of the methods is the translation table. Each piece of data (usually 1 byte) is used as an offset within a translation table, and the resulting translated value from within the table is then written into the output stream. The encryption and decryption programs each use a table that translates to and from the encrypted data. Some central processing units (e.g., Intel Corporation's 80x86 series) have an instruction “XLAT” that performs the translation at the hardware level. While the translation table method is very simple and fast, once the translation table is known, the code is broken.
A modification to the translation table method uses two or more tables, based on the position of the bytes within the data stream, or on the data stream itself. Decoding becomes more complex, since the same process must be reversed reliably. By using more than one translation table (i.e., especially when implemented in a “pseudo-random” order), breaking the encryption code becomes considerably more difficult. As an example, one translation method might use translation table “A” on all of the even bytes, and translation table “B” on all of the odd bytes. Unless a potential code breaker knows that there are exactly two tables, even with both source and encrypted data available, the deciphering process is relatively difficult.
Another encryption method, known as data repositioning, reads a buffer of data from the input source, rearranges the order of the bytes, and writes the results to an “out of order” output. The decryption program then reads the output, and puts the “out of order” data back in order.
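The translation-table method, its two-table variant keyed by byte position, and data repositioning, as an added example that is not part of the patent's own disclosure. The seeded permutations and the sample message are constructed for illustration; `exposed_entries` implements the text's caveat that a single fixed table is recovered entry by entry from any known message.

```python
import random
from typing import Sequence

def make_table(seed: int) -> bytes:
    """A 256-entry translation table: a seeded permutation of all byte values (constructed)."""
    entries = list(range(256))
    random.Random(seed).shuffle(entries)
    return bytes(entries)

def invert_table(table: bytes) -> bytes:
    """The matching decryption table: maps each translated value back to its input."""
    inverse = bytearray(256)
    for plain, enc in enumerate(table):
        inverse[enc] = plain
    return bytes(inverse)

def translate(data: bytes, tables: Sequence[bytes]) -> bytes:
    """Table chosen by byte position: tables[0] on even bytes, tables[1] on odd bytes,
    and so on. A single table gives the plain translation-table method."""
    return bytes(tables[i % len(tables)][b] for i, b in enumerate(data))

def table_encrypt(data: bytes, tables: Sequence[bytes]) -> bytes:
    return translate(data, tables)

def table_decrypt(data: bytes, tables: Sequence[bytes]) -> bytes:
    return translate(data, [invert_table(t) for t in tables])

def reposition(data: bytes, seed: int, inverse: bool = False) -> bytes:
    """Data repositioning: write the buffer out in a seeded 'out of order' permutation,
    or, with inverse=True, put an out-of-order buffer back in order."""
    order = list(range(len(data)))
    random.Random(seed).shuffle(order)
    out = bytearray(len(data))
    for i, j in enumerate(order):
        if inverse:
            out[j] = data[i]      # undo: position i came from position j
        else:
            out[i] = data[j]      # scramble: position i takes byte j
    return bytes(out)

def exposed_entries(plain: bytes, cipher: bytes):
    """The text's caveat for one fixed table: each known plaintext/ciphertext byte pair
    is one table entry. Returns (entries seen, whether the pairs fit a single table);
    alternating two tables by position makes the pairs inconsistent with one table."""
    seen = {}
    for p, c in zip(plain, cipher):
        if seen.setdefault(p, c) != c:
            return seen, False
    return seen, True
```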
The most commonly employed (and complex) encryption method involves word/byte rotation and XOR bit masking. Under this method, if words or bytes within a data stream are rotated, using multiple and variable directions and duration of rotations in a reproducible pattern, a stream of data is quickly encoded with a method that is nearly impossible to break. Further, if an “XOR mask” is used in combination with the rotations (i.e., “flipping” the bits in predefined positions from 1 to 0, or 0 to 1), the code breaking process is made even more difficult.
One feature of a good encryption scheme is the ability to specify a “key” or “password”, and have the encryption method alter itself such that each “key” or “password” produces a different encrypted output, which requires a unique “key” or “password” to decrypt. Symmetric encryption is a type of encryption where the same key is used to encrypt and decrypt the message. This differs from asymmetric (or public-key) encryption, which uses one key to encrypt a message and another (different) key to decrypt the message.
In a symmetric-key encryption system, two people first agree on a pass phrase, such as a phone number or fax number. At the sending end, the encryption software turns the pass phrase into a binary number, then uses that binary number (i.e., the key) to encrypt all outgoing messages. The mathematical procedure used for encrypting the message is called the algorithm. The whole system is referred to as a cipher. At the receiving end, each incoming message is decrypted using the same key. The receiver types in the agreed pass phrase, the software converts it to the binary key, and uses the binary key to decrypt the cipher text (i.e., the incoming message). Out of the conversion comes plain text (i.e., the original message in readable form). To summarize, in symmetric-key encryption, the same key is used to encrypt and decrypt. Symmetric key encryption assumes that the sender and receiver have another way to communicate that is also very secure, so that the keys can be distributed safely.
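The rotation-plus-XOR-mask method and the pass-phrase-to-binary-key step of the symmetric scheme, as an added example that is not the patent's own code. The text does not say how the pass phrase becomes a key or how the rotation pattern is made reproducible; this example assumes PBKDF2-HMAC-SHA256 for the former and a SHA-256 counter stream for the latter, and the pass phrase and message are constructed.

```python
import hashlib
import os

def derive_key(pass_phrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Turn the agreed pass phrase into a binary key (PBKDF2 is this example's choice).
    A phone number holds little entropy: the salt and iteration count slow guessing
    but do not make a weak pass phrase strong."""
    return hashlib.pbkdf2_hmac("sha256", pass_phrase.encode(), salt, iterations)

def pattern(key: bytes, nonce: bytes, length: int) -> bytes:
    """Reproducible control stream: SHA-256(key || nonce || counter) blocks. A fresh
    nonce per message keeps two messages from sharing the same rotation/mask pattern."""
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])

def rotl8(b: int, r: int) -> int:
    r %= 8
    return ((b << r) | (b >> (8 - r))) & 0xFF

def rotr8(b: int, r: int) -> int:
    return rotl8(b, (8 - r) % 8)

def rotate_xor(data: bytes, key: bytes, nonce: bytes, decrypt: bool = False) -> bytes:
    """Per byte: rotate by a key-dependent amount and direction, then apply a
    key-dependent XOR mask; decryption undoes the two steps in reverse order."""
    ctl = pattern(key, nonce, 2 * len(data))
    out = bytearray()
    for i, b in enumerate(data):
        amount, left = ctl[2 * i] & 7, bool(ctl[2 * i] & 8)
        mask = ctl[2 * i + 1]
        if decrypt:
            b ^= mask
            b = rotr8(b, amount) if left else rotl8(b, amount)
        else:
            b = rotl8(b, amount) if left else rotr8(b, amount)
            b ^= mask
        out.append(b)
    return bytes(out)

def encrypt(pass_phrase: str, plaintext: bytes) -> bytes:
    """Blob layout: salt(16) || nonce(16) || body. No integrity check is included,
    so this is confidentiality only, as in the text."""
    salt, nonce = os.urandom(16), os.urandom(16)
    return salt + nonce + rotate_xor(plaintext, derive_key(pass_phrase, salt), nonce)

def decrypt(pass_phrase: str, blob: bytes) -> bytes:
    salt, nonce, body = blob[:16], blob[16:32], blob[32:]
    return rotate_xor(body, derive_key(pass_phrase, salt), nonce, decrypt=True)
```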
In contrast to symmetric-key encryption, public key encryption uses two different keys—a public key known to everyone and a private or secret key known only to the recipient of the message. As an example, when a sender wishes to send a secure message to the recipient, the sender uses the recipient's public key to encrypt the message. The recipient then uses the recipient's private key to decrypt the message. In public key encryption, the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt messages. Moreover, it is virtually impossible to deduce the private key if the public key is known. One difficulty with public-key systems is that the sender needs to know the recipient's public key to encrypt a message.
While encryption safeguards the data transmitted between the sender and the recipient, a digital signature is often employed to validate the authenticity of a communication. The most common use of a digital signature is to verify that a user sending a message is who he/she claims to be. Using the public key encryption method described above, a digital signature can be created by using a private key to encrypt a message digest (i.e., a representation of text in the form of a single string of digits, created using a formula called a one-way hash function). One possible format for a message digest is the 128-bit output of a one-way hash function, similar to an error-checking code used to detect faulty communications. By using 128 bits, there are 2^128 possible combinations, making the message digest computationally too intensive to decipher.
The digital signature can be verified by using the sender's public key to decrypt the signature. Because it is encrypted with the private key, only the originator of the message could have prepared it. And since it is decrypted with the public key, any user can verify that it was sent by the originator. The digital signature can be used in conjunction with a message by first creating the message digest and encrypting it with the sender's private key to form the signature, attaching the digital signature to the communication, then encrypting both the message and the digital signature with the recipient's public key. The recipient reverses these steps, first decrypting the message with their private key, then decrypting the signature with the sender's public key.
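The sign-then-encrypt sequence of the two paragraphs above, as an added example rather than anything from the patent. It assumes textbook RSA on toy-sized keys built from Mersenne primes (constructed for illustration; real keys are random and far larger, and use padding or hybrid encryption), a 128-bit digest as in the text (SHA-256 truncated; MD5 was the historic 128-bit choice and is no longer collision-resistant), and a constructed sample message.

```python
import hashlib

E = 65537  # public exponent; coprime to both toy phi values below

def toy_keypair(p: int, q: int):
    """Returns ((n, e), (n, d)). Primes are well-known Mersenne primes, not random."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

SENDER_PUB, SENDER_PRIV = toy_keypair(2**127 - 1, 2**89 - 1)        # n just under 2^216
RECIPIENT_PUB, RECIPIENT_PRIV = toy_keypair(2**107 - 1, 2**61 - 1)  # n just under 2^168

SIG_LEN = 27     # bytes that hold any value below the sender's n
CHUNK = 20       # payload bytes per raw-RSA block under the recipient's key
BLOCK_LEN = 21   # bytes that hold any value below the recipient's n

def message_digest(message: bytes) -> int:
    """128-bit one-way hash of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")

def sign(message: bytes, priv) -> int:
    """'Encrypt' the digest with the sender's private key."""
    n, d = priv
    return pow(message_digest(message), d, n)

def verify(message: bytes, signature: int, pub) -> bool:
    """'Decrypt' the signature with the sender's public key and compare digests."""
    n, e = pub
    return pow(signature, e, n) == message_digest(message)

def rsa_blocks(data: bytes, key, encrypt: bool) -> bytes:
    """Raw RSA over fixed-size blocks. A 0x01 marker byte in front of each plaintext
    block preserves its length (and leading zero bytes) through the integer round trip."""
    n, exp = key
    out = bytearray()
    if encrypt:
        for i in range(0, len(data), CHUNK):
            m = int.from_bytes(b"\x01" + data[i:i + CHUNK], "big")   # < 2^161 < n
            out += pow(m, exp, n).to_bytes(BLOCK_LEN, "big")
    else:
        for i in range(0, len(data), BLOCK_LEN):
            c = int.from_bytes(data[i:i + BLOCK_LEN], "big")
            out += pow(c, exp, n).to_bytes(BLOCK_LEN, "big").lstrip(b"\x00")[1:]
    return bytes(out)

def seal(message: bytes, sender_priv, recipient_pub) -> bytes:
    """Sender: sign with own private key, attach, then encrypt message + signature
    with the recipient's public key."""
    payload = sign(message, sender_priv).to_bytes(SIG_LEN, "big") + message
    return rsa_blocks(payload, recipient_pub, encrypt=True)

def unseal(blob: bytes, recipient_priv, sender_pub):
    """Recipient: decrypt with own private key, then check the signature with the
    sender's public key. Returns (message, signature_valid)."""
    payload = rsa_blocks(blob, recipient_priv, encrypt=False)
    signature = int.from_bytes(payload[:SIG_LEN], "big")
    message = payload[SIG_LEN:]
    return message, verify(message, signature, sender_pub)
```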
While data encryption and digital signatures have seen increasing use in computer-to-computer data transfers and messaging applications across public networks, these security measures have not been utilized in medical device applications. Until recently, the technology for transferring operational information between programmers used in conjunction with an implantable medical device and a remote data center has proven impracticable, if not impossible. Because of the highly critical nature of the information involved, security and reliability of the transfer are of manifest importance. Medical devices are often widely dispersed across the world, necessitating a common communications medium available to all users of the medical devices across the world, no matter where the medical device is located. The data transmission facility must also be universally available, quick, cost effective, and easy to use.
A further limitation of the prior art relates to the management of multiple implantable devices in a single patient. Advances in modern patient therapy and treatment have made it possible to implant a number of devices in a patient. For example, implantable devices such as a defibrillator or a pacer, a neural implant, a drug pump, a separate physiologic monitor and various other implantable devices may be implanted in a single patient. To successfully manage the operations and assess the performance of each device in a patient with multi-implants requires continuous update and monitoring of the devices. Further, it may be preferred to have operable communication between the various implants to provide coordinated clinical therapy to the patient. Thus, there is a need to monitor the performance of the implantable devices on a regular, if not a continuous, basis to ensure optimal patient care. In the absence of other alternatives, this imposes a great burden on the patient if a hospital or clinic is the only center where the necessary frequent follow up, evaluation and adjustment of the medical devices could be made. Moreover, even if feasible, the situation would require the establishment of multiple service areas or clinic centers to provide adequate service to the burgeoning number of multi-implant patients worldwide. Accordingly, it is vital to have a programmer unit that would connect to a remote expert medical center to provide access to expert systems and import the expertise to a local environment. This approach would enable unencumbered access to the IMD or the patient. Further, the proliferation of patients with multi-implant medical devices worldwide has made it imperative to provide remote services.
Thus, frequent use of programmers to communicate with the IMD and provide various remote services has become an important aspect of patient care, as indicated in the disclosures contained in co-pending applications titled “Apparatus and Method for Remote Troubleshooting, Maintenance and Upgrade of Implantable Device Systems,” filed on Oct. 26, 1999, Ser. No. 09/426,741, now U.S. Pat. No. 6,442,433; “Tactile Feedback for Indicating Validity of Communication Link with an Implantable Medical Device,” filed Oct. 29, 1999, Ser. No. 09/430,708, now U.S. Pat. No. 6,644,321; “Apparatus and Method for Automated Invoicing of Medical Device Systems,” filed Oct. 29, 1999, Ser. No. 09/430,208, now U.S. Pat. No. 6,385,593; “Apparatus and Method for Remote Self-Identification of Components in Medical Device Systems,” filed Oct. 29, 1999, Ser. No. 09/429,950, now abandoned; and “Apparatus and Method to Automate Remote Software Updates of Medical Device Systems,” filed Oct. 29, 1999, Ser. No. 09/429,960, now U.S. Pat. No. 6,363,282, which are all incorporated by reference herein in their entirety.
The prior art provides various types of remote sensing and communications with implantable medical devices. One such example is disclosed by Gessman in U.S. Pat. No. 5,321,618 issued. In this disclosure a remote apparatus is adapted to receive commands from and transmit data to a central monitoring facility over telephone communication channels. The remote apparatus includes equipment for acquiring a patient's ECG waveform and transmitting that waveform to the central facility over the telephone communication channels. The remote apparatus also includes a segment, responsive to a command received from the central monitoring facility, for enabling the emission of audio tone signals from the cardioverter defibrillator. The audio tones are detected and sent to the central monitoring facility via the telephone communication channel. The remote apparatus also includes patient alert devices, which are activated by commands received from the central monitoring facility over the telephone communication channel.
One of the many limitations of the apparatus and method disclosed in the Gessman patent is the fact that the segment, which may be construed to be equivalent to a programmer, is not remotely adjustable from the central monitoring device. The segment merely acts as a switching station between the remote apparatus and the central monitoring station. Further, there is no indication of security for the patient data being collected.
An additional example of prior art practice includes a packet-based telemedicine system for communicating information between central monitoring stations and a remote patient monitoring station, disclosed in Peifer, WO 99/14882, published 25 Mar. 1999. The disclosure relates to a packet-based telemedicine system for communicating video, voice and medical data between a central monitoring station and a patient that is remotely located with respect to the central monitoring station. The patient monitoring station obtains digital video, voice and medical measurement data from a patient, encapsulates the data in packets and sends the packets over a network to the central monitoring station. Since the information is encapsulated in packets, the information can be sent over multiple types or combinations of network architectures, including a community access television (CATV) network, the public switched telephone network (PSTN), the integrated services digital network (ISDN), the Internet, a local area network (LAN), a wide area network (WAN), a wireless communications network, or an asynchronous transfer mode (ATM) network. A separate transmission code is not required for each different type of transmission medium.
One of the advantages of the Peifer invention is that it enables data of various forms to be formatted in a single packet irrespective of the origin or medium of transmission. However, the data transfer system lacks the capability to remotely debug the performance parameters of the medical interface device or the programmer. Further, Peifer does not disclose a method or structure by which the medical data in transmission is secured to protect privacy and prevent access by unauthorized personnel.
In a related art, Thompson discloses a patient tracking system in a co-pending application entitled “World-wide Patient Location and Data Telemetry System For Implantable Medical Devices”, Ser. No. 09/045,272, filed on Mar. 20, 1998 which is incorporated by reference herein in its entirety. The disclosure provides additional features for patient tracking in a mobile environment worldwide via the GPS system. However, the concepts advanced by the present invention are not within the purview of the Thompson disclosure because there is no teaching of a web-based environment in which a programmer is in secure data communications with a remote expert data center to exchange patient data as needed.
Yet in another related art, Ferek-Petric discloses a system for communication with a medical device in a co-pending application Ser. No. 09/348,506 which is incorporated by reference herein in its entirety. The disclosure relates to a system that enables remote communications with a medical device, such as a programmer. Particularly, the system enables remote communications to inform device experts about programmer status and problems. The experts will then remotely provide guidance and support to service personnel or operators located at the programmer. The system may include a medical device adapted to be implanted into a patient; a server PC communicating with the medical device, the server PC having means for receiving data transmitted across a dispersed data communication pathway, such as the Internet; and a client PC having means for receiving data transmitted across a dispersed communications pathway from the server PC. In certain configurations the server PC may have means for transmitting data across a dispersed data communication pathway (Internet) along a first channel and a second channel; and the client PC may have means for receiving data across a dispersed communication pathway from the server PC along a first channel and a second channel.
One of the significant teachings of Ferek-Petric's disclosure, in the context of the present invention, is the implementation of communication systems, associated with IMDs, that are compatible with the Internet. Specifically, the disclosure advances the art of remote communications between a medical device, such as a programmer, and experts located at a remote location using the Internet. As indicated hereinabove, the communications scheme is structured primarily to alert remote experts to existing or impending problems with the programming device so that prudent action, such as early maintenance or other remedial steps, may be timely exercised. Further, because of the early warning or advance knowledge of the problem, the remote expert would be well informed to provide remote advice or guidance to service personnel or operators at the programmer.
While Ferek-Petric's invention advances the art in communications systems relating to interacting with a programmer via a communication medium such as the Internet, the system neither proposes nor suggests a secure data transmission system in which a local programmer exchanges patient information from IMDs with a remote expert data center in a manner that protects the privacy of the data.
Accordingly it would be advantageous to provide a system in which a programmer could uplink to a remote expert data center to exchange pertinent data securely. Yet another desirable advantage would be to provide a system to implement the use of remote expert systems to manage a programmer on a real-time basis by exchanging private data in a secure manner. A further desirable advantage would be to provide a communications scheme that is compatible with various communications media, to promote a fast uplink of a programmer to remote expert systems and specialized data resources while retaining the privacy of the data in transmission. Yet another desirable advantage would be to provide a high speed communications scheme to enable the transmission of high fidelity sound, video and data to advance and implement efficient and secure remote data management of a clinical/therapy system via a programmer thereby enhancing patient clinical care. As discussed herein below, the present invention provides these and other desirable advantages.