EP-3427463-B1 - AUTHENTICATING A WIRELESS PROGRAMMING DEVICE IN A PROGRAMMABLE MEDICAL SYSTEM

Inventors

  • RODRIGUEZ, SAUL
  • HAN, Dan
  • ISTOC, EMIL

Dates

Publication Date
20260506
Application Date
20170307

Claims (15)

  1. A medical device (102, 104) of a medical system (100) configured for communicating with an external programmer (114, 116) over a wireless communications link (118), the medical device (102, 104) comprising: a wireless communications module (168, 180) configured for receiving a first unencrypted version of a random number and a first encrypted version of the random number from the external programmer (114, 116) over the wireless communications link (118); and control circuitry (158) configured for performing an authentication procedure on the external programmer (114, 116) based on the first unencrypted version of the random number and the first encrypted version of the random number, and preventing the external programmer (114, 116) from commanding the medical device (102, 104) to perform an action unless the authentication procedure is completed within a predetermined period of time after a wireless actuator (120) has been triggered.
  2. The medical device (102, 104) of claim 1, wherein the control circuitry (158) is configured for performing the authentication procedure by either: generating a second encrypted version of the random number from the first unencrypted version of the random number, comparing the first and second versions of the encrypted random number, and determining if the first and second versions of the encrypted random number match; or: decrypting the first encrypted version of the random number to recover a second unencrypted version of the random number, comparing the first and second versions of the unencrypted random number, and determining if the first and second versions of the unencrypted random number match.
  3. The medical device (102, 104) of claim 1, wherein the wireless communications module (168, 180) is configured for receiving a session request from the external programmer (114, 116) over the wireless communications link (118) and sending the session request to the control circuitry (158), and wherein the control circuitry (158) is configured for performing the authentication procedure in response to receiving the session request.
  4. The medical device (102, 104) of claim 3, wherein the control circuitry (158) is configured for instructing the wireless communications module (168, 180) to send an acknowledge command to the external programmer (114, 116) over the wireless communications link (118) if the authentication procedure is successful.
  5. The medical device (102, 104) of claim 3, wherein the control circuitry (158) is configured for instructing the wireless communications module (168, 180) to send a non-acknowledge command to the external programmer (114, 116) over the wireless communications link (118) if the authentication procedure fails.
  6. The medical device (102, 104) of claim 1, wherein the wireless communications module (168, 180) is configured for establishing the wireless communications link (118) with the external programmer (114, 116) by authenticating the external programmer (114, 116) at a first security level, wherein the control circuitry (158) is configured for performing the authentication procedure at a second security level.
  7. The medical device (102, 104) of claim 1, further comprising: a power source (162) configured for supplying power to the wireless communications module (168, 180); wherein the wireless actuator (120) is configured for being triggered in response to a user action, and the control circuitry (158) is configured for permitting the supply of power from the power source (162) to the wireless communications module (168, 180) in response to the triggering of the wireless actuator (120).
  8. The medical device (102, 104) of claim 7, wherein the control circuitry (158) is configured for preventing the external programmer (114, 116) from commanding the medical device (102, 104) to perform the action by terminating the supply of power from the power source (162) to the wireless communications module (168, 180) if the authentication procedure is not completed within a predetermined period of time.
  9. The medical device (102, 104) of claim 8, further comprising a switch (176) coupled between the power source (162) and the wireless communications module (168, 180), wherein the control circuitry (158) is configured for permitting the supply of power from the power source (162) to the wireless communications module (168, 180) by closing the switch (176), and for terminating the supply of power from the power source (162) to the wireless communications module (168, 180) by opening the switch (176).
  10. The medical device (102, 104) of claim 9, wherein the control circuitry (158) comprises a timer (178) configured for being started in response to the triggering of the wireless actuator (120), and for being stopped if the authentication procedure succeeds, wherein the control circuitry (158) is configured for opening the switch (176) if the timer (178) indicates that the predetermined period of time has elapsed.
  11. The medical device (102, 104) of claim 1, wherein the control circuitry (158) is configured for preventing the external programmer (114, 116) from commanding the medical device (102, 104) to perform the action by terminating the supply of power from the power source (162) to the wireless communications module (168, 180) if the authentication procedure fails.
  12. The medical device (102, 104) of claim 1, wherein the wireless actuator (120) is a physical wireless actuator configured for being physically triggered in response to the user action; and optionally the physical wireless actuator is a button.
  13. The medical device (102, 104) of claim 1, wherein the control circuitry (158) is configured for preventing the external programmer (114, 116) from commanding the medical device (102, 104) to perform the action by instructing the wireless communications module (168, 180) to not forward commands received from the external programmer (114, 116) over the wireless communications link (118) to the control circuitry (158).
  14. The medical device (102, 104) of claim 1, wherein the wireless communications module (168, 180) is configured for forwarding commands received from the external programmer (114, 116) over the wireless communications link (118) to the control circuitry (158), and wherein the control circuitry (158) is configured for preventing the external programmer (114, 116) from commanding the medical device (102, 104) to perform the action by ignoring the commands forwarded from the wireless communications module (168, 180).
  15. The medical device (102, 104) of claim 1, wherein the control circuitry (158) is configured for preventing the external programmer (114, 116) from commanding the medical device (102, 104) to perform the action by instructing the wireless communications module (168, 180) to terminate the wireless communications link (118).
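The claims above describe a device-side gate: a session request carrying a random number and its encrypted form is checked against the shared link key, and only within a window opened by the wireless actuator. The following is an added simulation of that gate, not code from the patent or its assignee. Because the claims name no cipher, HMAC-SHA256 stands in for the keyed "encryption" step (an assumption), so the device follows the first alternative of claim 2 (re-encrypt and compare); the 30-second window and the explicit `now` clock are constructed values for a deterministic run.

```python
import hmac
import hashlib
import secrets

SESSION_WINDOW_S = 30.0  # constructed; the claims only say "a predetermined period of time"


def keyed_transform(link_key: bytes, nonce: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for "encrypting the random number".
    return hmac.new(link_key, nonce, hashlib.sha256).digest()


class Programmer:
    """External programmer (114, 116): sends the random number twice, plain and keyed."""

    def __init__(self, link_key: bytes) -> None:
        self.link_key = link_key

    def session_request(self) -> tuple[bytes, bytes]:
        nonce = secrets.token_bytes(16)
        return nonce, keyed_transform(self.link_key, nonce)


class MedicalDevice:
    """Control circuitry (158) plus the switch (176) and timer (178) of claims 7-11."""

    def __init__(self, link_key: bytes, window: float = SESSION_WINDOW_S) -> None:
        self.link_key = link_key
        self.window = window
        self.timer_started_at: float | None = None  # None: switch open, radio unpowered
        self.authenticated = False

    def press_actuator(self, now: float) -> None:
        # Claims 7 and 10: user action closes the switch and starts the timer.
        self.timer_started_at, self.authenticated = now, False

    def radio_powered(self, now: float) -> bool:
        if self.timer_started_at is None:
            return False
        if not self.authenticated and now - self.timer_started_at > self.window:
            self.timer_started_at = None  # claim 8: timer elapsed, open the switch
            return False
        return True

    def handle_session_request(self, nonce: bytes, enc_nonce: bytes, now: float) -> str:
        if not self.radio_powered(now):
            return "NAK"
        # Claim 2, first alternative: re-encrypt the plaintext and compare in constant time.
        if hmac.compare_digest(keyed_transform(self.link_key, nonce), enc_nonce):
            self.authenticated = True  # claim 10: timer stopped, session stays up
            return "ACK"  # claim 4
        self.timer_started_at = None  # claim 11: failure cuts power to the radio
        return "NAK"  # claim 5

    def handle_command(self, command: str, now: float) -> bool:
        # Claims 13 and 14: commands are dropped unless the session was authenticated.
        return self.authenticated and self.radio_powered(now)
```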

Description

RELATED APPLICATION

This application claims priority from U.S. Provisional Patent Application Ser. No. 62/304,603, filed March 7, 2016.

FIELD OF THE INVENTION

The present invention generally relates to wireless programming techniques in medical systems, and specifically relates to authenticating wireless programming devices, such as clinician programmers, for use in programmable medical systems.

BACKGROUND OF THE INVENTION

Medical systems, such as implantable medical systems, typically comprise one or more implantable medical devices and an external telemetry controller capable of controlling operation of the implanted medical device(s) and acquiring physiological data or operational status data from the implanted medical device(s). Implantable medical systems may further comprise an external programmer, such as a clinician programmer or patient programmer, that may download operating parameters or programs into the telemetry controller to set or otherwise modify the operating configuration of the implantable medical system and/or upload information, such as the physiological data or operational status data, from the telemetry controller.

Communication between such an external programmer and the telemetry controller of an implantable medical system may be conveniently accomplished through wireless means, such as radio frequency (RF) communication. One method of wirelessly communicating between an external programmer and a telemetry controller uses short-range RF communications in accordance with Bluetooth technology. The external programmer and telemetry controller can be paired by exchanging or otherwise storing a shared secret key (referred to as a "link key") that is used to subsequently authenticate the external programmer and encrypt data and commands sent between the external programmer and telemetry controller. Thus, by design, only the external programmer and any previously paired external programmer are permitted to communicate with the telemetry controller.

However, present telemetry controllers that communicate with external programmers over a Bluetooth communications link may be susceptible to inadvertent or intentional hijacking by unauthorized users, because the link key may be surreptitiously acquired or otherwise generated as a default in some operating systems, such as Linux. Once acquired, the shared link key can be used by any device to communicate with the telemetry controller. As such, a potential vulnerability from undesired modification of the operating configuration of medical equipment may arise.

In the prior art, EP1730878 A2 discloses that the integrity of a wirelessly telemetered message communicated between an implantable medical device and an external programmer is authenticated by encoding the message. The message is encrypted based on a random number or time stamp and a secret key. The message is authenticated by encryption and decryption or by executing a hash function.

There thus remains a need for preventing or otherwise deterring unauthorized programming of medical equipment, such as telemetry controllers used in implantable medical systems.

SUMMARY OF THE INVENTION

In accordance with a first aspect of the present invention, a medical device of a medical system configured for communicating with an external programmer over a wireless communications link (e.g., one having a range of less than one hundred feet) is provided. The medical device comprises a wireless communications module configured for receiving a first unencrypted version of a random number and a first encrypted version of the random number from the external programmer over the wireless communications link. In one embodiment, the wireless communications module is a radio frequency (RF) communications module, such as one that communicates with the external programmer in accordance with a Bluetooth or a Wi-Fi protocol.

The medical device further comprises control circuitry (e.g., a microcontroller) configured for performing an authentication procedure on the external programmer based on the first unencrypted version of the random number and the first encrypted version of the random number, and preventing the external programmer from commanding the medical device to perform an action (e.g., allowing modification of at least one operational parameter of the medical system) unless the authentication procedure is successful. The wireless communications module may be hardwired to the control circuitry. The wireless communications module may be configured for establishing the wireless communications link with the external programmer by authenticating the external programmer at a first security level and sending status messages to the control circuitry indicating the status of the wireless communications link with the external programmer, in which case the control circuitry may be configured for performing the authentication procedure at a second security level. In one embodiment, the control circuitry is configured