Patent Grant
11931591
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This summary is not intended to identify key features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
Medical device technology has evolved and advanced along with most other areas. Medical devices are often now as interconnected as any other technology, such as conventional computing devices and telephone systems. For that reason, medical devices routinely gather, collect, and store patient data.
Frequently, a medical device, such as a Wearable Cardioverter Defibrillator (WCD) may interface with other components, sometimes many other components, for the purpose of providing therapy to a patient. In connection with that therapy, the WCD may initiate or receive requests to initiate communication sessions with other medical devices or other non-medical devices. To ensure that private patient data is not compromised, and to ensure the integrity of the operation of critical life-saving medical devices, the WCD should only allow communication sessions with authorized and/or approved components.
Embodiments of the disclosure implement a platform to enable secure communication between medical devices and non-medical devices that also ensures only trusted components are allowed to communicate with a medical device, especially a medical device that provides critical life-saving therapy. In various embodiments, the communication platform is implemented using at least a security certificate that is attested to by a trusted Certificate Authority. The security certificate is used to authenticate trusted components to each other, and to enable secure (encrypted) communication between such trusted components.
In another aspect, embodiments build on the secure communication platform to ensure that only authorized users have access to patient data. In such embodiments, the secure communication platform includes a patient unique identifier (UID) that is used, in connection with the security certificates, to ensure that only trusted components with authorized access to a patient's data are provided access to the patient's data.
Generally described, embodiments are directed to security methods applied to connections between components in a distributed (networked) system including medical and non-medical devices, providing secure authentication, authorization, patient and device data transfer, and patient data association and privacy for components of the system.
Various embodiments are described more fully below with reference to the accompanying drawings, which form a part hereof, and which show specific exemplary implementations for practicing various embodiments. However, other embodiments may be implemented in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will satisfy formal statutory requirements. Embodiments may be practiced as methods, systems or devices. Accordingly, embodiments may take the form of a hardware implementation, an entirely software implementation, or an implementation combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.
The logical operations of the various embodiments are implemented (1) as a sequence of computer implemented steps running on a computing system and/or (2) as interconnected machine modules within the computing system. The implementation is a matter of choice dependent on various considerations, such as performance requirements of the computing system implementing the embodiment. Accordingly, the logical operations making up the embodiments described herein may be referred to alternatively as operations, steps or modules.
A patient 82, who is ambulatory, is shown in
Indeed, garment 170 can be implemented in many different ways. For example, it may be implemented as a single component or as a combination of multiple components. In some embodiments, garment 170 includes a harness, one or more belts or straps, etc. In such embodiments, those items can be worn around the torso or hips, over the shoulder, or the like. In other embodiments, garment 170 includes a container or housing, which may be waterproof.
As shown in
The WCD System 100 may also include a monitoring device (e.g., monitor 180) to monitor the patient 82, the patient's environment, or both. In many embodiments, the monitor 180 is coupled to one or more sensors, such as electrocardiogram electrodes. Using those sensors, the monitor 180 detects criteria upon which a shock/no-shock decision can be made.
In certain embodiments, monitor 180 is implemented as a component of the defibrillator 101. In other embodiments, monitor 180 may be implemented as a stand-alone monitoring device supported by the garment 170 or perhaps worn separately, such as on the patient's wrist or belt. In such cases, monitor 180 may be communicatively coupled with other components, which are coupled to garment 170. Such communication can be implemented by a communication module, as will be described below.
Optionally, the WCD System 100 may include a fluid that can be deployed between the defibrillation electrodes and the patient's skin. The fluid can be conductive, such as by including an electrolyte, for making a better electrical contact between the electrode and the skin. Electrically speaking, when the fluid is deployed, the electrical impedance between the electrode and the skin is reduced. Mechanically speaking, the fluid may be in the form of a low-viscosity gel, so that it does not flow away, after it has been deployed. The fluid can be used for both defibrillation electrodes and sensing electrodes.
The WCD System 100 is configured to defibrillate the patient 82 by delivering an electrical shock (sometimes referred to as a pulse, defibrillation shock, therapy, or therapy shock) to the patient's heart through the patient's body. When defibrillation electrodes 104 make good electrical contact with the body of patient 82, defibrillator 101 can administer, via electrodes 104 a brief, strong electric shock through the patient's body. The shock is intended to go through and restart the patient's heart, in an effort to save the life of the patient 82.
Various embodiments may also provide remote sensors, such as ECG electrodes, which are in operative communication with the defibrillator 101. The remote sensors provide the defibrillator 101 with physiological information upon which the shock/no-shock decision can be made. In further accordance with this disclosure, these remote sensors are either separate or separable from the garment 170.
In various embodiments, and as discussed in greater detail below, the WCD System 100 illustrated in
Shown in
In various embodiments, an aspect of system connection and interaction is that certain elements must allow only connection to and communication with other trusted other elements. Some embodiments, for example, are implemented using a Wearable Cardioverter Defibrillator (WCD) device, which can analyze an ECG of patients wearing the WCD device and deliver defibrillation therapy if necessary. It is important that connection and communications are only allowed from trusted elements.
Some embodiments are configured to ensure only authorized elements can connect and communicate with other elements using secure certificates issued by a private Assure certificate authority. A security certificate is an encrypted electronic record that contains information about the element requesting connection and is signed by an external and trusted Certificate Authority. Each of the illustrative components will be generally described here.
The WCD system 200 includes a Wearable Cardioverter Defibrillator (WCD) 201, which is typically considered a medical device. The WCD 201 is a medical device configured to deliver a shock therapy to a patient in response to a cardiac event, such as a ventricular fibrillation. The WCD 201 is able to accept connections from other components and allow them to transfer data or perform critical operations on the WCD 201. One specific example of a WCD 201 is illustrated in
A Tablet 203 is a mobile device that, in the preferred embodiment, allows clinicians to view WCD status information and to configure the WCD 201. In the preferred embodiment, the Tablet 203 is considered a medical device although in other embodiments it may not be.
An Assistant 205 is a mobile device that mirrors some aspects of WCD status and transfers patient and device data to a CareStation Server 211. The Assistant 205 is considered a medical device in the preferred embodiment, although in other embodiments it may not be.
Manufacturing System 207 is a system for testing and configuring the WCD 201 in a manufacturing environment. The manufacturing system 207 is not generally considered a medical device.
A Test System 209 is a system for verification of certain functionality of the WCD 201. The Test System 209 is not generally considered a medical device, although in other embodiments it may be.
A CareStation Server 211 is a cloud-based system for receiving and storing device and patient data, and accepts patient and device data transmissions from other elements of the system. Clinical and support personnel can view the data stored at the CareStation Server 211. In various embodiments, the CareStation Server 211 also provides access to security certificate services such as Certificate Signing Requests (CSRs) and a certificate revocation list. Generally, the CareStation Server 211 is considered a medical device.
An Assure Certificate Authority 213 is a system that provides security certificate services such as issuing Assure root certificates and performing certificate signing on CSRs. In the preferred embodiment, the Assure Certificate Authority 213 is not generally considered a medical device.
A certificate requesting component 219 is included that is configured to request a security certificate (described below) on behalf of another component that seeks to be trusted by other components in the WCD system 200, such as the WCD 201. Generally stated, the certificate requesting component 219 is programmed to generate a public/private key pair and a Certificate Signing Request (CSR) on behalf of another component. The certificate requesting component 219 is itself already trusted within the WCD system 200. The certificate requesting component 219 is not generally considered a medical device, but its functionality may be incorporated into a medical device.
Other components 215 may also be included in the WCD system 200 that interface with the WCD 201 and use security certificates to connect with the WCD 201 and perform various operations with it. The other components 215 may or may not be considered medical devices.
Several of the components of the WCD system 200 may be implemented with computing devices. One illustrative computing device which may be used to implement various components is illustrated in
In accordance with the disclosure, the various components of the WCD system 200 communicate with each other and with the WCD 201 using security certificates to ensure trusted communications. The security certificates and trusted communications are described in detail below.
The defibrillator 301 of the illustrative WCD includes at least a processor, a power source, an energy storage module, and a discharge circuit. The processor 302 may be implemented as a digital and/or analog processor, such as microprocessors and Digital Signal Processors (DSPs); microcontrollers; software running in a machine; programmable circuits such as Field Programmable Gate Arrays (FPGAs), Field-Programmable Analog Arrays (FPAAs), Programmable Logic Devices (PLDs), Application Specific Integrated Circuits (ASICs), any combination of one or more of these, and so on.
The processor 302 may include, or have access to, a memory 320 that may be either volatile, nonvolatile, or some combination of the two. Computer executable instructions may be stored in the memory 320. The instructions generally provide functionality by defining methods as may be disclosed herein or understood by one skilled in the art in view of this disclosure. The memory may be implemented as Read-Only Memory (ROM), Random Access Memory (RAM), magnetic disk storage media, optical storage media, flash memory, any combination of these, or the like.
In accordance with the present disclosure, the memory 320 further includes a certificate store 321. Within the certificate store 321 resides various security certificates (also referred to as digital certificates) which enable secure communication with trusted components. One specific example of an illustrative security certificate is shown in
The power source 303 may be any type of electrical component sufficient to provide power, such as a battery. Other types of power source 303 could include an AC power override, for where AC power will be available, an energy storage capacitor, and so on. Appropriate components may also be included to provide for charging or replacing power source 303.
The defibrillator 301 may additionally include an energy storage module 305. Energy storage module 305 is where electrical energy is stored temporarily in the form of an electrical charge, when preparing it for discharge to administer a shock. Energy storage module 305 can be charged from power source 303 to the desired amount of energy. In typical implementations, module 305 includes a capacitor, which can be a single capacitor or a system of capacitors, and so on. In some embodiments, energy storage module 305 includes a device that exhibits high power density, such as an ultracapacitor.
The defibrillator component also includes a discharge circuit 307. When the processor 302 determines that a shock is appropriate, the processor 302 instructs the discharge circuit 307 to discharge the electrical charge stored in energy storage module 305 to the patient. When so controlled, the discharge circuit 307 causes the energy stored in energy storage module 305 to be discharged to defibrillation electrodes 309, so as to cause a shock to be delivered to the patient.
In accordance with this disclosure, defibrillator 301 also includes a communication module 340 configured to enable communication with remote components. In certain embodiments, communication module 340 includes a wireless communication facility to enable wireless communication between the defibrillator 301 and remote components. Examples of wireless communication that may be enabled include 802.11 (WiFi) communication, Bluetooth communication, Near Field Communication (NFC), infrared communication, or the like.
In other embodiments, communication module 340 includes a wired communication facility to enable wired communication. In such embodiments, defibrillator 301 may include a communication port 341 through which the wired communication may be effected. Examples of such wired communication may include a universal serial bus connector (e.g., USB-C, micro-USB, mini-USB, USB-A, or the like), a coaxial connector, an Ethernet connector, a 12-lead connector, or the like.
The communication module 340 enables the defibrillator 301 to communicate with other components, such as trusted component 351. In this way, the processor 302 may receive sensory input data upon which it can base a shock/no-shock decision, it may receive configuration instructions, it may transmit patient or therapy data to other components, or the like.
The trusted component 351 is another component of the WCD system 300. In this example, the trusted component 351 includes a remote processor 260 and a communication module 357. The communication module 357 of the trusted component 351 may function similar to the component of the same name described above (i.e., communication module 340). In other words, the communication module 357 of the trusted component 351 may enable either wired or wireless communication between the trusted component 351 and the defibrillator 301 (or any other component of the WCD system 300).
The remote processor 360 is configured to control and manage the operation of the several components of the trusted component 351 and to facilitate communication between the trusted component 351 and the defibrillator 301. The trusted component 351 may further include a power source 359.
In accordance with the present disclosure, the trusted component 351 further includes a remote memory 361 which further includes a certificate store 362. Within the certificate store 362 resides various security certificates (also referred to as digital certificates) which enable secure communication with trusted components. The trusted component 351 of the preferred embodiment includes its own security certificate which is signed by a Certificate Authority as described below.
In many embodiments, trusted component 351 is in operative communication with the defibrillator 301 for various purposes, such as to configure the defibrillator 301 or to extract device or patient data from the defibrillator 301. In various embodiments, a sensor circuit 355 may be implemented, such as an ECG electrode, an accelerometer, or the like. However, sensor circuit 355 may alternatively be implemented as one or more of various other sensors.
Embodiments of the trusted component 351 may be implemented in many ways. For instance, trusted component 351 may be implemented as a mobile device (e.g., a specially adapted cellular phone) which the patient may carry in the hand or, perhaps, in a pocket. Alternatively, trusted component 351 may be implemented as a fixed computing device, such as a desktop computer or server.
In operation, the trusted component 351 and the defibrillator 301 communicate with each other using their respective communication modules (i.e., communication module 340 and communication module 357). In accordance with the disclosure, the trusted component 351 transmits to the defibrillator 301 a security certificate that enables the defibrillator 301 to verify the authenticity of the trusted component 351. In addition, the security certificate may also specify particular permissions or tasks that the trusted component 351 is authorized to perform.
Memory 404 includes at least an operating system and may additionally include other special purpose components. The operating system includes components and functions to enable the computing device 400 to function at a basic level. Examples of the operating system components may include a file system and graphical user environment. The operating system may also include components for communicating over a local or wide area network, such as an Internet browser. Special purpose components may include other components to enable the computing device 400 to perform specific tasks. For instance, the special purpose components may include a certificate store with security certificates, a certificate signing routine, a hashing algorithm, a certificate revocation list, a facility for creating public and private keys, or the like. In addition, like the operating system, the special purpose components may also include components for communicating over a local or wide area network, such as an Internet browser, or the like.
Computing device 400 may have other features and functionality also. For example, device 400 may also include additional storage (removable and/or non-removable) including, but not limited to, magnetic or optical disks or tape. Such additional storage is illustrated in
Computing device 400 includes one or more communication connections 414 that allow computing device 400 to communicate with one or more computers and/or applications 413. Device 400 may also have input device(s) 412 such as a keyboard, mouse, digitizer or other touch-input device, voice input device, etc. Output device(s) 411 such as a monitor, speakers, printer, PDA, mobile phone, and other types of digital display devices may also be included. These devices are well known in the art and need not be discussed at length here.
The subject field may identify the certificate holder or the entity with whom the security certificate 501 is associated. The certificate holder may be an individual, an organization, a specific computing device, or any entity whose identity has been verified and whose trust is being attested to by a certifying authority (e.g., Certificate Authority 213).
The issuer field may identify a trusted Certificate Authority who may be trusted to verify the authenticity of entities. In one example, an Assure Certificate Authority may be established and trusted to verify the identity of various components that are authorized to communicate with, for example, a WCD or other components of a WCD system.
An expiration field may identify a date after which the security certificate is no longer valid or can no longer be used to trust the subject. In some embodiments, a “not before” field may also be included to identify a date before which the security certificate is not valid.
A public key portion of the security certificate is included to provide a public key for the subject and related public key information. Public/private key pairs are used in Public Key Infrastructure (PKI) systems to facilitate asymmetric cryptography. The public key information may include further information that describes the public key, such as the algorithm (e.g. Elliptic Curve Public Key), the key size (e.g. 256 bits), and the key usage (e.g. can encrypt, verify, derive). The public key portion of the security certificate 501 enables recipients of the security certificate 501 to communicate securely with the subject through encrypted communication sessions.
An algorithm field may be included in the security certificate 501 to specify a particular algorithm that was used to sign the certificate as described below. Examples of algorithms which may be used include SHA-1, SHA-2, SHA-256, and the like.
A unique identifier or serial number is also included to uniquely identify the security certificate. Note that the unique identifier should be distinguished from the subject in that the subject identifies the trusted entity or the entity with which the security certificate is associated whereas the unique identifier identifies the actual security certificate itself.
Optionally, one or more permissions fields may be included in the security certificate 501. In some embodiments, certain elements of the WCD System (such as the WCD) need to govern what operations other connected components are allowed to perform while in communication. For example, in some embodiments the WCD may be configured to allow a limited set of element types to change critical configuration parameters of the WCD but to prevent other element types from doing so. An example of this may be that the WCD can be configured to allow a Tablet to configure such parameters but it doesn't allow an Assistant to do so. In such embodiments, one or more fields of the security certificate 501 (collectively referred to as the “permissions” field for simplicity of discussion)
Other data fields may also be included and used for various reasons. Arbitrary or structured data may be included to provide or convey any manner of information deemed worthy of trust or having a need to ensure its integrity. A signature is also included with the security certificate 501. The signature is a data structure that represents an attestation to the authenticity of the security certificate 501. The signature is created by the issuer (e.g., the Certificate Authority) and is verifiable using a security certificate (or digital certificate) of the issuer. Although the signature may be created in different ways, one example may be that the body 550 of the security certificate is input to the algorithm (e.g., a hashing algorithm) identified within the security certificate together with a private key of the issuer. The algorithm creates a unique value based on the body of the security certificate and the issuer's private key. The issuer's public key can then be used by the identified algorithm to verify that the body of the security certificate has not been changed since the signature was created by the issuer. In this way, the integrity of the data in the body of the security certificate can be trusted so long as the issuer is trusted.
Turning now to
The process 600 begins (601) when a trusted component, (Certificate Requestor 620) creates a Certificate Signing Request (CSR) for a “requesting element” (not shown) that desires to communicate with a WCD. As part of that operation, the Certificate Requestor 620 may create a public/private key pair on behalf of the requesting element or the public/private key pair may be provided to the Certificate Requestor 620 by the requesting element. The CSR includes information that identifies the requesting element and includes the public key for the requesting element.
Once the CSR is created, the Certificate Requestor 620 transmits (602) the CSR 621 to a component that is responsible for facilitating the creation of security certificates for use in the WCD system. In this example, a CareStation Server 640 is that responsible component. Accordingly, the Certificate Requestor 620 transmits the CSR to the CareStation Server 640. It will be appreciated that, to ensure the CSR is securely delivered to the CareStation Server 640, the Certificate Requestor 640 may first establish a secure connection to the CareStation Server 640 using the Certificate Requestor's own security certificate.
The CareStation Server 640 forwards (603) the CSR to the Assure Certificate Authority 660. In certain embodiments, the CareStation Server 640 may forward additional information along with the CSR 621. For example, the CareStation Server 640 may maintain records about what components are authorized to perform which functions on or in conjunction with a WCD. In such an embodiment, the CareStation Server 640 may forward permission information along with the CSR to the Assure Certificate Authority 660.
The Assure Certificate Authority 660 is configured to perform operations to validate (604) the accuracy of information contained within the CSR 621. For example, the Assure Certificate Authority 660 may have access to records or data that can establish that the CSR 621 did in fact originate with the requesting element and properly names the requesting element. Still further, the Certificate Authority 660 may have access to records or data that confirm the requesting element is authorized access to other components within the WCD system, such as the WCD itself. Even further, the Assure Certificate Authority 660 may have information that either confirms permission information provided by the CareStation Server 640 (if such information was provided) or describes appropriate permissions for the requesting element in the first instance.
If the CSR survives validation, then the Assure Certificate Authority 660 creates a security certificate including the information from the CSR and signs that security certificate using the private key of the Assure Certificate Authority 660. By signing the certificate, the Assure Certificate Authority is both securing the information within the certificate against tampering and attesting to the validity of that information.
With the security certificate signed, the Assure Certificate Authority and CareStation Server 640 return the signed certificate to the Certificate Requestor 620, which then installs the security certificate 650 on the requesting element. In that way, the requesting element (e.g., the Tablet component 203) may now authenticate itself to and have secure communications with the WCD 201, for example.
The process 700 begins (701) when a trusted component 720 desires to initiate communications with another component within a WCD system. The other component is a WCD 740 in this example, but it could be any other component within the WCD system. In accordance with the disclosure, the trusted component 720 initiates a handshake with the WCD 740 to exchange security certificates. During this process, the trusted component 720 sends its security certificate 721 to the WCD 740, and the WCD 740 returns its own security certificate (not shown).
With the security certificate 721 in hand, the WCD 740 performs steps (702) to validate the security certificate 721. For instance, the WCD 740 may identify the Certificate Authority from information within the security certificate 721 to determine if the security certificate 721 is attested to by a trusted Certificate Authority. Once identified, the WCD 740 checks a certificate store (e.g., certificate store 321) to determine if the identified Certificate Authority is trusted by the WCD 740. If so, the WCD 740 uses a stored security certificate (the CA Certificate) to verify the integrity of the received security certificate 721. In short, the WCD 740 uses the CA Certificate to verify the authenticity of the security certificate 721 and that its contents have not been tampered with. The WCD 740 also ensures that the security certificate 721 is within the proper timeframe for its use (e.g., it is currently in effect and has not yet expired).
In an optional step (703), the WCD 740 (or other receiving component) may perform a check to ensure that the security certificate 721 has not been revoked since it was issued. In one embodiment, the WCD 740 transmits the security certificate 721 (or a portion thereof, such as the serial number) to another component, such as the Assure Certificate Authority 760, for verification.
In such an embodiment, the Assure Certificate Authority 760 would compare (704) the received security certificate 721 against a Certificate Revocation List (CRL) to determine if the security certificate 721 has been revoked. The Assure Certificate Authority 760 would then return (705) a pass/fail or yes/no response to indicate whether the security certificate had been revoked.
In an alternative embodiment, rather than transmit the security certificate, the WCD 740 may request (703) the CRL from the Assure Certificate Authority 760, which would then return (705 the CRL to the WCD 740 so that the WCD 740 can itself determine if the security certificate has been revoked. In such an embodiment, the WCD 740 could cache the CRL for future use to reduce the number of network communications it performs for the purpose of certificate verification.
If the security certificate 721 is adequately verified and confirmed, the WCD 740 may then allow a communication session (706) with the trusted component 720. In addition, through the exchange of security certificates and, hence, public keys, the communication session may be encrypted between the two components to ensure that the data exchanged is not compromised. However, if the security certificate 721 fails any of the tests, the WCD 740 prohibits communication with the trusted component 720 (which now becomes untrusted). In various embodiments, when the WCD 740 initiates the secure connection, it may use the security certificate 721, and specifically permission fields, to determine which operations the trusted component 720 is allowed to perform. Although referred to generically as a permission field, it will be appreciated that the WCD 740 may use any data within the security certificate (such as an “element type” field) to control the extent of permission that is granted to the trusted component 720. In other words, the security certificate 72 may, but need not have a dedicated field that explicitly describes permissions. Operative permissions may be implied based on other data within the security certificate. For example, the security certificate may contains a device type field that describes the type of connecting element, such as Tablet, Assistant, Manufacturing System, etc., and various permissions my be assigned to different device types. Another example is a region field that describes the geographical region for the trusted component, such as United States, European Union, Canada, Japan, etc.
Patient Data Association, Security and Privacy
In various embodiments, most elements of the WCD System transfer and/or store protected patient data. In practice, it is important that only users authorized to view protected patient data are able to do so. Accordingly, embodiments of the disclosure provide several methods to ensure this feature. For example, data connections among networked elements use security certificates for authentication and authorization, as described above. In addition, data transfers between trusted components are encrypted. Patient data transmissions may include an identifier (UID) that uniquely associates the transmitted data with the patient and WCD device in use.
A user authorized to view a patient's data and to configure CareStation data 804 obtains the UID for that patient/WCD assignment. That user then becomes the Authorized Configuring User 820.
The Authorized Configuring User 820 activates monitoring of the associated patient on the CareStation Server 804 using the UID. This operation uniquely associates data that the CareStation Server 804 receives for that UID with the associated patient. In the preferred embodiment, any UID can be used only once, which limits patient data access to a set of authorized users as determined by CareStation configuration.
The WCD 801 may periodically send patient data to the Assistant 802, or it may send the data upon request. Either way, the WCD 801 includes the UID as part of the transmission.
The Assistant 802 in turn sends the patient data to the CareStation Server 804, which stores it in association with the received UID. Any Authorized Monitoring User(s) 830 access the patient data on the CareStation Server 804, which uses the Patient/UID association established above. In this way, only authorized users have access to the particular patient data.
The disclosed embodiments provide a number of benefits over existing technologies. For example, various embodiments provide a private, unique and highly secure authentication mechanism for allowing communication access to a medical device using standard network technologies and protocols. This is accomplished in some embodiments by using special security certificates issued by a dedicated and separate certificate authority and a system to generate, manage, validate, and use them.
Various embodiments provide a private, unique and highly secure mechanism to control authorized operations on a medical device over standard network technologies and protocols.
In some embodiments, security certificates are managed using a ‘cloud’ based and dedicated certificate authority and certificate management system, allowing elements of the distributed system to use certificate related services using standard communication technologies and protocols in a wide variety of locations.
These and other benefits will become apparent to those skilled in the art from a study of the teachings of this disclosure, and from reasonable experimentation with various embodiments.
Embodiments provide a unique and reliable mechanism to associate clinical and personal data collected on a medical device with a unique patient data in other elements of a distributed system. These embodiments provide access control to ensure security and privacy of protected patient data on all elements of the system. In this description, numerous details have been set forth in order to provide a thorough understanding of the described embodiments. In other instances, well-known features have not been described in detail in order to not obscure unnecessarily the description.
A person skilled in the art in view of this description will be able to practice the present invention, which is to be taken as a whole. The specific embodiments disclosed and illustrated herein are not to be considered in a limiting sense. Indeed, it should be readily apparent to those skilled in the art that what is described herein may be modified in numerous ways. Such ways can include equivalents to what is described herein. In addition, the invention may be practiced in combination with other systems. The following claims define certain combinations and subcombinations of elements, features, steps, and/or functions, which are regarded as novel and non-obvious. Additional claims for other combinations and subcombinations may be presented in this or a related document.
This application is a divisional of U.S. application Ser. No. 16/396,628, filed Apr. 26, 2019, titled “PERMISSION-BASED CONTROL OF INTERFACING COMPONENTS WITH A MEDICAL DEVICE,” which claims the benefit of and priority to U.S. Provisional Application No. 62/663,131 filed Apr. 26, 2018, titled “SYSTEM AND METHOD FOR PERMISSION-BASED CONTROL OF INTERFACING COMPONENTS WITH A MEDICAL DEVICE,” the disclosures of which are hereby incorporated by reference herein in their entirety for all purposes.
| Number | Name | Date | Kind |
|---|---|---|---|
| 3724355 | Busch et al. | Apr 1973 | A |
| 4583524 | Hutchins | Apr 1986 | A |
| 4619265 | Morgan et al. | Oct 1986 | A |
| 4666432 | McNeish et al. | May 1987 | A |
| 4698848 | Buckley | Oct 1987 | A |
| 4928690 | Heilman et al. | May 1990 | A |
| 4955381 | Way et al. | Sep 1990 | A |
| 5078134 | Heilman et al. | Jan 1992 | A |
| 5228449 | Christ et al. | Jul 1993 | A |
| 5348008 | Bornn et al. | Sep 1994 | A |
| 5353793 | Bornn | Oct 1994 | A |
| RE34800 | Hutchins | Nov 1994 | E |
| 5394892 | Kenny et al. | Mar 1995 | A |
| 5405362 | Kramer et al. | Apr 1995 | A |
| 5429593 | Matory | Jul 1995 | A |
| 5474574 | Payne et al. | Dec 1995 | A |
| 5618208 | Crouse et al. | Apr 1997 | A |
| 5662690 | Cole et al. | Sep 1997 | A |
| 5708978 | Johnsrud | Jan 1998 | A |
| 5741306 | Glegyak et al. | Apr 1998 | A |
| 5782878 | Morgan et al. | Jul 1998 | A |
| 5792204 | Snell | Aug 1998 | A |
| 5902249 | Lyster | May 1999 | A |
| 5913685 | Hutchins | Jun 1999 | A |
| 5944669 | Kaib | Aug 1999 | A |
| 6047203 | Sackner et al. | Apr 2000 | A |
| 6065154 | Hulings et al. | May 2000 | A |
| 6108197 | Janik | Aug 2000 | A |
| 6148233 | Owen et al. | Nov 2000 | A |
| 6201992 | Freeman | Mar 2001 | B1 |
| 6263238 | Brewer et al. | Jul 2001 | B1 |
| 6280461 | Glegyak et al. | Aug 2001 | B1 |
| 6287328 | Snyder et al. | Sep 2001 | B1 |
| 6304780 | Owen et al. | Oct 2001 | B1 |
| 6319011 | Motti et al. | Nov 2001 | B1 |
| 6334070 | Nova et al. | Dec 2001 | B1 |
| 6356785 | Snyder et al. | Mar 2002 | B1 |
| 6427083 | Owen et al. | Jul 2002 | B1 |
| 6437083 | Brack et al. | Aug 2002 | B1 |
| 6450942 | Lapanashvili et al. | Sep 2002 | B1 |
| 6463535 | Drews | Oct 2002 | B1 |
| 6529875 | Nakajima et al. | Mar 2003 | B1 |
| 6546285 | Owen et al. | Apr 2003 | B1 |
| 6671545 | Fincke | Dec 2003 | B2 |
| 6681003 | Linder et al. | Jan 2004 | B2 |
| 6762917 | Verbiest et al. | Jul 2004 | B1 |
| 7065401 | Worden | Jun 2006 | B2 |
| 7559902 | Ting et al. | Jul 2009 | B2 |
| 7753759 | Pintor et al. | Jul 2010 | B2 |
| 7865238 | Brink | Jan 2011 | B2 |
| 7870761 | Valentine et al. | Jan 2011 | B2 |
| 7974689 | Volpe et al. | Jul 2011 | B2 |
| 8135462 | Owen et al. | Mar 2012 | B2 |
| 8140154 | Donnelly et al. | Mar 2012 | B2 |
| 8369944 | Macho et al. | Feb 2013 | B2 |
| 8527028 | Kurzweil et al. | Sep 2013 | B2 |
| 8548557 | Garstka et al. | Oct 2013 | B2 |
| 8560044 | Kurzweil et al. | Oct 2013 | B2 |
| 8615295 | Savage et al. | Dec 2013 | B2 |
| 8644925 | Volpe et al. | Feb 2014 | B2 |
| 8676313 | Volpe et al. | Mar 2014 | B2 |
| 8706255 | Phillips et al. | Apr 2014 | B2 |
| 8742349 | Urbon et al. | Jun 2014 | B2 |
| 8897860 | Volpe et al. | Nov 2014 | B2 |
| 8904214 | Volpe et al. | Dec 2014 | B2 |
| 8965500 | Macho et al. | Feb 2015 | B2 |
| 9008801 | Kaib et al. | Apr 2015 | B2 |
| 9084583 | Mazar et al. | Jul 2015 | B2 |
| 9089685 | Sullivan et al. | Jul 2015 | B2 |
| 9119547 | Cazares et al. | Sep 2015 | B2 |
| 9131901 | Volpe et al. | Sep 2015 | B2 |
| 9132267 | Kaib | Sep 2015 | B2 |
| 9265432 | Warren et al. | Feb 2016 | B2 |
| 9345898 | Piha et al. | May 2016 | B2 |
| 9408548 | Volpe et al. | Aug 2016 | B2 |
| 9445719 | Libbus et al. | Sep 2016 | B2 |
| 9454219 | Volpe et al. | Sep 2016 | B2 |
| 9579020 | Libbus et al. | Feb 2017 | B2 |
| 9592403 | Sullivan | Mar 2017 | B2 |
| 9598799 | Shoshani et al. | Mar 2017 | B2 |
| 9675804 | Whiting et al. | Jun 2017 | B2 |
| 9878171 | Kaib | Jan 2018 | B2 |
| 9895105 | Romem | Feb 2018 | B2 |
| 9901741 | Chapman et al. | Feb 2018 | B2 |
| RE46926 | Bly et al. | Jul 2018 | E |
| 10016613 | Kavounas | Jul 2018 | B2 |
| 10076656 | Dar et al. | Sep 2018 | B2 |
| 10192387 | Brinig et al. | Jan 2019 | B2 |
| 10307133 | Kaib | Jun 2019 | B2 |
| 10313136 | Salmi | Jun 2019 | B2 |
| 10463867 | Kaib et al. | Nov 2019 | B2 |
| 10589110 | Oskin et al. | Mar 2020 | B2 |
| 10599814 | Landrum et al. | Mar 2020 | B2 |
| 20020181680 | Linder et al. | Dec 2002 | A1 |
| 20030158593 | Heilman et al. | Aug 2003 | A1 |
| 20040167465 | Mihai | Aug 2004 | A1 |
| 20040171374 | Little et al. | Sep 2004 | A1 |
| 20050107833 | Freeman et al. | May 2005 | A1 |
| 20050107834 | Freeman et al. | May 2005 | A1 |
| 20050268098 | Oh et al. | Dec 2005 | A1 |
| 20060173499 | Hampton et al. | Aug 2006 | A1 |
| 20070168658 | Yamauchi | Jul 2007 | A1 |
| 20080312709 | Vollpe et al. | Dec 2008 | A1 |
| 20090005827 | Weintraub et al. | Jan 2009 | A1 |
| 20100007413 | Herleikson | Jan 2010 | A1 |
| 20100298899 | Donnelly et al. | Nov 2010 | A1 |
| 20110022105 | Owen et al. | Jan 2011 | A9 |
| 20110055903 | Leggette | Mar 2011 | A1 |
| 20110288604 | Kaib et al. | Nov 2011 | A1 |
| 20110288605 | Kaib et al. | Nov 2011 | A1 |
| 20120112903 | Kaib et al. | May 2012 | A1 |
| 20120144551 | Guldalian | Jun 2012 | A1 |
| 20120150008 | Kaib et al. | Jun 2012 | A1 |
| 20120158075 | Kaib et al. | Jun 2012 | A1 |
| 20120191476 | Reid et al. | Jul 2012 | A1 |
| 20120265265 | Razavi et al. | Oct 2012 | A1 |
| 20120283794 | Kaib et al. | Nov 2012 | A1 |
| 20120293323 | Kaib et al. | Nov 2012 | A1 |
| 20120302860 | Volpe et al. | Nov 2012 | A1 |
| 20120310315 | Savage et al. | Dec 2012 | A1 |
| 20130085538 | Volpe et al. | Apr 2013 | A1 |
| 20130091353 | Zhang | Apr 2013 | A1 |
| 20130144355 | Macho et al. | Jun 2013 | A1 |
| 20130212381 | Bousamra et al. | Aug 2013 | A1 |
| 20130231711 | Kaib | Sep 2013 | A1 |
| 20130245388 | Rafferty et al. | Sep 2013 | A1 |
| 20130274565 | Langer et al. | Oct 2013 | A1 |
| 20130317852 | Worrell et al. | Nov 2013 | A1 |
| 20130325078 | Whiting et al. | Dec 2013 | A1 |
| 20140012144 | Crone | Jan 2014 | A1 |
| 20140025131 | Sullivan et al. | Jan 2014 | A1 |
| 20140046391 | Cowan et al. | Feb 2014 | A1 |
| 20140070957 | Longinotti-Buitoni et al. | Mar 2014 | A1 |
| 20140163663 | Poddar et al. | Jun 2014 | A1 |
| 20140324112 | Macho et al. | Oct 2014 | A1 |
| 20140378812 | Saroka et al. | Dec 2014 | A1 |
| 20150039053 | Kaib et al. | Feb 2015 | A1 |
| 20150161554 | Sweeney et al. | Jun 2015 | A1 |
| 20150297135 | Shoshani et al. | Oct 2015 | A1 |
| 20150328472 | Sullivan et al. | Nov 2015 | A1 |
| 20160004831 | Carlson et al. | Jan 2016 | A1 |
| 20160076175 | Rock et al. | Mar 2016 | A1 |
| 20160076176 | Rock et al. | Mar 2016 | A1 |
| 20160082277 | Foshee, Jr. et al. | Mar 2016 | A1 |
| 20160113581 | Amir et al. | Apr 2016 | A1 |
| 20160256104 | Romem et al. | Sep 2016 | A1 |
| 20160283900 | Johnson et al. | Sep 2016 | A1 |
| 20170014073 | Shoshani et al. | Jan 2017 | A1 |
| 20170027469 | Amir et al. | Feb 2017 | A1 |
| 20170036066 | Chahine | Feb 2017 | A1 |
| 20170040758 | Amir et al. | Feb 2017 | A1 |
| 20170162840 | Pendry | Jun 2017 | A1 |
| 20170279612 | Liang et al. | Sep 2017 | A1 |
| 20170319862 | Foshee, Jr. et al. | Nov 2017 | A1 |
| 20170367591 | Jorgensen | Dec 2017 | A1 |
| 20180116537 | Sullivan et al. | May 2018 | A1 |
| 20180117299 | Gustavson et al. | May 2018 | A1 |
| 20180184933 | Sullivan et al. | Jul 2018 | A1 |
| 20180185662 | Foshee, Jr. et al. | Jul 2018 | A1 |
| 20180243578 | Volosin | Aug 2018 | A1 |
| 20180361165 | Jaax et al. | Dec 2018 | A1 |
| 20190030352 | Sullivan et al. | Jan 2019 | A1 |
| 20190076666 | Medema | Mar 2019 | A1 |
| 20190116896 | Armour et al. | Apr 2019 | A1 |
| 20190265938 | Kim et al. | Aug 2019 | A1 |
| 20190319943 | Jasper | Oct 2019 | A1 |
| 20190321650 | Raymond et al. | Oct 2019 | A1 |
| Number | Date | Country |
|---|---|---|
| 2005060985 | Jun 2007 | DE |
| 2305110 | Apr 2011 | EP |
| 4320257 | Mar 2005 | JP |
| 5963767 | Jan 2014 | JP |
| 2014526282 | Oct 2014 | JP |
| 9839061 | Sep 1998 | WO |
| 2011146448 | Nov 2011 | WO |
| 2012064604 | May 2012 | WO |
| 2012151160 | Nov 2012 | WO |
| 2015056262 | Apr 2015 | WO |
| Entry |
|---|
| Heartstart MRx and Xl AED Algorithm—Application Note, Jul. 2001, Edition 2 Philips Healthcare, USA. |
| Klein, H. U., Goldenberg, I., and Moss, A. J., “Risk Stratification for Implantable Cardioverter Defibrillator Therapy: the Role of the Wearable Cardioverter-Defibrillator, Clinical update,” European Heart Journal, May 31, 2013, pp. 1-14, doi:10.1093/eurheartj/eht167, European Society of Cardiology. |
| Lifecor LifeVest System Model WCD 3100 Operator's Manual, 2006, PN 20B0040 Rev FI, Zoll Lifecor Corporation, Pittsburgh, PA. |
| LifeVest Model 4000 Patient Manual, Zoll, 2009, PN 20B0047 Rev B. |
| Pagan-Carlo, et al., “Encircling Overlapping Multipulse Shock Waveforms for Transthoracic Defibrillation,” JACC Journals, Dec. 1998, vol. 32 Issue 7, p. 2065-2071. |
| The LifeVest Network/Patient Data Management System, Zoll, 2015, 2000503 Rev A. |
| Zoll, LifeVest, Proven protection from Sudden Cardiac Death, issued Mar. 27, 2018, 4 pages. Pittsburgh PA, USA. |
| International Search Report and Written Opinion for PCT Application No. PCT/US2015/051726, dated May 20, 2016, European Patent Office, Rijswijk, 11 pages. |
| U.S. Department of Health and Human Services, Food and Drug Administration Center for Devices and Radiological Health; “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices—Guidance for Industry and Food and Drug Administration Staff”; Document issued on Oct. 2, 2014; 7 pages total. |
| Number | Date | Country | |
|---|---|---|---|
| 20220266043 A1 | Aug 2022 | US |
| Number | Date | Country | |
|---|---|---|---|
| 62663131 | Apr 2018 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 16396628 | Apr 2019 | US |
| Child | 17738385 | US |
