1. Field of the Invention
The present invention relates generally to medical probes, including sensor devices and methods for measuring clinical physiological parameters including vital signs. More particularly, the invention is concerned with a medical system that limits the use of an associated medical probe according to usage criteria to prevent misapplication, overuse and potential failure, including auto-identification of the probe, addressing the problem of re-identification when the connection of a medical probe to the medical device is interrupted during use. The invention describes a medical reprocessing system that performs reprocessing (utilization history review, functional testing, and authorization for reuse) of a previously used medical probe. Usage criteria may include duration and/or number of uses, shelf or warranty life, and/or compatibility of the medical probe with the patient and/or selected medical probe function(s).
Medical probes include devices that are inserted into a body cavity or under the skin of a patient in order to perform therapy or monitoring. Such probes, including devices to view or scan tissue, or monitor biological parameters, are well known in the art. A sensor device typically comprises a housing including at least one sensor such as a pressure sensor; a light emitting device and associated detector comprising a pulse oximetry sensor; an ECG sensor; or other vital sign monitoring device; plus a means of conveying information from the sensor device to a caregiver. One particular example of a medical sensor device is a fetal sensor, including external sensors placed on the maternal abdomen and internal sensors placed through the birth canal onto a part of the fetus. An example of an internal fetal sensor is a fetal pulse oximetry sensor, such as described in U.S. Pat. No. 5,425,362 to Siker et al. The sensor described therein is inserted past the cervical os into the uterus of the mother to non-invasively monitor the condition of a fetus, a mother, and/or a placenta.
One problem associated with known medical probes is that they have a limited life span. Probes are prone to wear through repeated use or through extended use over a period of time, and through cleaning and sterilization processes. Problems associated with such overuse include spurious readings as internal wires and connectors become loose. More importantly, probes that are used repeatedly or over an extended period of time are prone to break. Once such an incident occurs, it is often difficult to determine when the probe failed, or to track the cause of such an occurrence. Furthermore, medical probes often have a limited shelf life or warranty period, i.e., the period of time after manufacture during which they are guaranteed to function properly. An out-of-date medical probe may fail to function to manufacturer's specifications, posing a health risk to the patient.
To prevent these problems, medical clinicians may limit the number and duration of uses of a given probe through an equipment log or other manual system. While such systems may be effective in certain circumstances, they rely heavily on manual records, which are time-consuming and difficult to maintain, particularly since the cooperation of a number of clinical personnel is required. In busy hospital settings, and especially in emergency situations, such systems are difficult to manage and are easily overlooked or ignored.
The prevalence of medical errors, some related to misuse of medical devices, has been detailed in the 1999 Institute of Medicine report “To Err is Human,” chapter 2, ISBN 0-309-06837-1. Interest in reducing medical errors has motivated an initiative to uniquely identify all drugs and medical devices, to assist in prevention of medical errors by correlating the drug or device with the patient's identification and intended procedure. In response to a U.S. Food & Drug Administration (FDA) suggestion to use bar codes under the Universal Product Numbering (UPN) system, the Advanced Medical Technology Association (AdvaMed), a medical device industry association, has suggested in a statement the use of generic “auto-identification” methods, which could include RF or other electronic means, as an alternative to bar code technology. (Statement to the Food & Drug Administration by T. Cammack on Jul. 26, 2002.)
A particular class of medical probe is the single-use device (SUD). A device may be designed as an SUD by the manufacturer for several reasons, including: the risk of cross-contamination between patients; because some key component (for example, a battery or reagent) is sufficient only for one use; due to difficulty in the cleaning and sterilization to permit reuse; or due to the prohibitive cost of producing a device durable enough to be reused. Despite manufacturers' designations, clinical institutions and third-party services sometimes choose to refurbish SUDs and reuse them. This practice has become increasingly common as clinical institutions experience financial pressures, since an SUD may be refurbished at a substantial discount from the retail price of a new one.
Typically, refurbishing of an SUD entails cleaning, inspection, sterilization, replacement of worn or exhausted components, and re-validation for safety and efficacy. The practice is so widespread that regulatory bodies in the United States and around the world have instituted legislation to limit and/or monitor the reuse of SUDs. The FDA documents “Premarket Guidance: Reprocessing and Reuse of Single-Use Devices” (Jun. 1, 2001) and “Labeling Recommendations for Single-Use Devices Reprocessed by Third Parties and Hospitals” (Jul. 30, 2001) have provided guidance with respect to compliance with the U.S. regulatory requirements. One aspect of regulation that is being emphasized is the need for good record keeping in tracking the history of use of an SUD, including how long and in what fashion the SUD was used.
The manufacturer of a medical device also faces the possibility of counterfeiting. In some cases, an unscrupulous manufacturer seeks to avoid paying licensing fees for proprietary technology used in the device. Even if misappropriation of intellectual property is not involved, a second manufacturer may seek to undercut the price of the original device by producing it with less expensive components, labor, or both. In any case, when a lower-quality device is used in a medical application, patient safety becomes the issue. In particular, SUDs or limited-use devices are generally designed to work in conjunction with a medical monitor. It is important to ensure that every medical sensing device utilized with the monitor is designed and calibrated to work properly with it.
Several partial solutions to the problem of controlling use of a medical probe have been proposed. U.S. Pat. No. 5,991,355 to Dahlke proposed a simple identification and counting system associated with an electrophysiology sensor for the purpose of limiting reuse of said sensor. However, the method entails simple counting of uses, without support for usage limitation based upon utilization time; nor does it include device identification.
In U.S. Pat. No. 5,400,267 to Denen et al., a medical device (electro-surgical knife) with an embedded non-volatile memory component is described. The memory stores utilization limits and operating parameters. The invention permits the system attached to the device (in that case, a power supply) to (a) configure itself for appropriate operation with the device, and (b) disable the device after some operational limit is exceeded. The need for re-identification of the medical device if the connection with the system is broken is disclosed. This is intended to prevent the system from counting any pause in use less than a preset period as a new use. However, the patent proposes only to store the current time in the medical device during use, without considering how to prevent this data from being manipulated to prevent the system from detecting the occurrence of a new use.
U.S. Pat. No. 6,237,604 to Burnside et al. proposes usage control based upon cycles or usage time, but fails to address the management of legitimate medical probe reprocessing.
U.S. Patent Application 2002/0095078 A1 to Mannheimer et al. specifically relates to pulse oximetry sensor reuse, supporting limits on number of sterilization cycles or warranty expiration date. None of these patents or applications addresses the need for security features or security functions to prevent product counterfeiting or tampering with the usage control method.
Similarly, the non-medical sensing device for attachment to a measurement instrument described in U.S. Pat. No. 5,162,725 to Hodson et al. offers no provision for establishing the authenticity of the sensing device (e.g., probe) when it is coupled to the instrument. That is, no means is suggested to solve the problem of preventing use of a counterfeit sensing device that is constructed to include similar calibration and identification data.
The prevalence of electronic technology in the world makes it relatively easy, with modest effort, to counterfeit the memory devices proposed for control of reuse. Potentially, a medical device could be reprocessed by replacing the memory component with a copy made from an unused original. The counterfeit memory could be placed in a reusable adapter used in conjunction with an expired medical probe. Alternatively, an entire counterfeit sensing device could be manufactured that is indistinguishable from the original with respect to the memory component or its content.
The U.S. Health Insurance Portability and Accountability Act of 1996 expressed the need for protection of privacy in storage and transfer of healthcare information. This is detailed in the Federal Register, Vol. 63 No. 155, 45 CFR Part 142, Security and Electronic Signature Standards.
Another application of a memory component associated with a medical probe is storage of patient data and patient identification data, disclosed in related inventions U.S. Pat. No. 6,308,089 to von der Ruhr et al. and continuation application Ser. No. 09/291,769. The aforementioned patent reveals the use of encryption to permit the secure storage of data related to the usage of a medical probe, including one or more of its identifying data, duration of use, number of uses, or time and date stamp of use.
U.S. Patent Application 2002/0095077 A1 to Swedlow et al. discloses storage of patient identification data, pulse rate, and oxygen saturation values, etc., in a pulse oximetry sensor. However, a means for secure storage and data transfer to ensure data integrity and privacy is not disclosed.
Secure data storage and transfer in automated systems can be achieved utilizing a physical security method and/or an algorithmic security method. The physical security method relies upon the use of a physical object which might be difficult to bypass or forge, such as a door requiring a physical key to unlock it, whereas an algorithmic security method might rely upon the use of secret data, such as a password or personal identification number (PIN) entered into a keypad. In biometrics, the physical “key” is some characteristic physical property of the authorized user, such as a fingerprint, retinal image, voiceprint, and so forth. Combining multiple techniques of using physical and/or algorithmic security methods offers the best hope of providing a secure authentication method. This strategy can be applied to the problem of securing the data in a limited use medical sensor.
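The following added example (not taken from this disclosure or from the cited patents) shows how a monitor could combine a physical identifier with a keyed integrity tag to reject the altered, copied and rolled-back memory contents discussed above for the prior-art probes. The record layout, the key, the use of HMAC-SHA256, the assumption that the probe carries a factory-programmed identifier that cannot be rewritten, and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: secret held by the monitor, never stored in the probe
FMT = ">8sHH"                  # assumed record layout: 8-byte serial, use count, use limit
BODY_LEN = struct.calcsize(FMT)


def _tag(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).digest()


def seal(serial: bytes, uses: int, limit: int) -> bytes:
    """Build the probe memory image: packed record followed by its HMAC-SHA256 tag."""
    body = struct.pack(FMT, serial, uses, limit)
    return body + _tag(body)


def check(image: bytes, hw_id: bytes, seen: dict) -> str:
    """Monitor-side decision for a connected probe.

    hw_id is the identifier read from the probe hardware (assumed not rewritable);
    seen maps serial -> highest use count this monitor has already observed.
    """
    if len(image) != BODY_LEN + 32:
        return "reject: record altered"
    body, tag = image[:BODY_LEN], image[BODY_LEN:]
    if not hmac.compare_digest(tag, _tag(body)):   # algorithmic check: edited fields
        return "reject: record altered"
    serial, uses, limit = struct.unpack(FMT, body)
    if serial != hw_id:                            # physical check: memory copied between probes
        return "reject: record copied from another probe"
    if uses < seen.get(serial, 0):                 # valid but older image written back
        return "reject: use count rolled back"
    if uses >= limit:
        return "reject: use limit reached"
    seen[serial] = uses
    return "accept"


if __name__ == "__main__":
    seen = {}
    unused = seal(b"PROBE-01", 0, 3)               # constructed sample records
    print(check(seal(b"PROBE-01", 2, 3), b"PROBE-01", seen))
    print(check(unused, b"PROBE-01", seen))        # older image written back
    print(check(unused, b"PROBE-02", seen))        # image copied into another probe
```

The table of highest counts lives in one monitor, so a rolled-back record presented to a different monitor is not caught by this check alone.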
The more usage, calibration, and clinical data that is to be stored in a medical probe, the more important it becomes to utilize an efficient storage method. Data compression, particularly lossless data compression, is an encoding method to store more data in less physical memory without information loss. Error detection and correction can also be part of the method. The encoding of data in a medical probe should preferably address the needs of data security, integrity, and storage efficiency.
There remains, therefore, a need for a medical system that can automatically control the use of a medical probe through enforcement of usage criteria. Such usage criteria would include: limiting the duration and/or number of uses of the probe to a predetermined limit value; limiting use of the probe to a shelf life or warranty period; permitting use of the medical probe only after validation of the combination of medical probe, patient and procedure; and limiting access to patient data stored within the medical probe to ensure patient privacy. Preferably, the medical system would also provide additional functions, such as data compression, error checking, time and date stamping, and security checking, that would facilitate this usage control, as well as regulated reprocessing of medical probes prior to reuse. Data stored in the medical probe, related not only to probe usage but also patient identity and condition, should be held in a secure fashion.
It is therefore an object of the invention to provide a medical system that can limit the number of times a medical probe is used.
It is another object of the invention to provide a medical system that can limit the duration of the use of a medical probe.
It is yet another object of the invention to provide a medical system that can limit the use of a medical probe to a certain shelf life or warranty period.
It is still another object of the invention to provide a medical system that provides a time and date stamp to identify when the therapeutic or monitoring operation performed by the medical system in conjunction with the medical probe took place.
It is a still further object of the invention to provide a medical system that provides an auto-identification function to validate proper use of a medical probe with a medical device on a particular patient for a requested therapy or monitoring function.
It is another object of the invention to provide a medical probe that can store data regarding the duration of use of the probe.
It is yet another object of the invention to provide a medical probe that can store data regarding the number of times the probe has been used.
It is still another object of the invention to provide a medical probe that can store a usage limit on the number of times or duration of time the probe may be used.
It is yet another object of the invention to provide a medical probe that can store data regarding the reprocessing of the medical probe for subsequent reuse.
It is a yet further object of the invention to provide a medical system in which identifying data for the medical probe and other medical devices is stored in each.
It is another object of the invention to provide a medical system in which a medical device can re-identify a medical probe after an interruption in use, to prevent the interruption from being construed as a new use.
It is still another object of the invention to provide a medical system that includes a security function for verifying the identity of an attached probe.
It is yet another object of the invention to provide a medical system that includes a security function to prevent tampering with data stored in the probe.
It is a still further object of the invention to provide a medical system that employs a data encoding system including encryption as an algorithmic security method when storing data in the medical probe as part of a security function.
It is another object of the invention to provide a medical system that includes a probe functional test sequence.
It is another object of the invention to provide a medical reprocessing system that can read the usage data in an attached medical probe.
It is a yet further object of the invention to provide a medical reprocessing system that can store reprocessing data in an attached medical probe.
It is still another object of the invention to provide a medical reprocessing system that can store usage control data in an attached medical probe, indicating the number of reuses and/or duration of reuse of the probe to be permitted subsequent to reprocessing.
It is a still further object of the invention to provide a medical reprocessing system that can detect and delete patient data from an attached medical probe.
It is yet another object of the invention to provide a medical reprocessing system that includes a security function for verifying that reprocessing of an attached medical probe is permitted.
It is another object of the invention to provide a medical reprocessing system that includes an authorization function to prevent reprocessing of an attached medical probe without obtaining authorization in a secure fashion from a licensing or regulatory party.