Method for operating a medical system, medical system, and security module

20220239636 · 2022-07-28

Abstract

A method for operating a medical system includes providing a public-private key pair for asymmetric cryptography, wherein the public key is provided to remote control and medical devices, and the private key is provided to a security module, encrypting a control command with the public key in the remote control, receiving the encrypted control command in the security module, decrypting the encrypted control command with the private key, encrypting a security module control command with the private key applied to the decrypted control command or an amended medical control command derived from the decrypted control command, receiving the security module control command in the medical device, decrypting the security module control command with the public key, and controlling operation of the medical device according to the decrypted security module control command, if confirmed by a user confirmation input received in the security module or the medical device.

Claims

1. A method for operating a medical system having a remote control device, a security module, and a medical device, the method comprising: providing a pair of keys for asymmetric cryptography, the pair of keys comprising a public key and a private key, wherein the public key is provided in both the remote control device and the medical device, and the private key is provided in the security module; in the remote control device, generating an encrypted control command encrypted by applying the public key to a control command configured to control operation of the medical device; receiving the encrypted control command in the security module; in the security module, decrypting the encrypted control command by applying the private key, the decrypting comprises determining that the control command was encrypted by applying the public key; in the security module, generating a security module encrypted control command by applying the private key to the decrypted control command or an amended medical control command derived from the decrypted control command and configured to control operation of the medical device; receiving the security module encrypted control command in the medical device; in the medical device, decrypting the security module encrypted control command by applying the public key; and controlling operation of the medical device according to one of the control command and the amended control command, if the control command or the amended control command has been confirmed by a user confirmation input received in one of the security module, and the medical device.

2. The method of claim 1, wherein the generating of the security module encrypted control command further comprises: applying a command security check for the encrypted control command, comprising determining whether the control command is a control command approved for remote control of the medical device according to approved command control information provided in the security module; and generating the security module encrypted control command, if the control command is determined an approved control command.

3. The method of claim 1, wherein the generating of the security module encrypted control command further comprises: applying an error-detecting check for the encrypted control command, comprising determining whether the control command was correctly encrypted by the remote control device; and generating the security module encrypted control command, if the control command was correctly encrypted.

4. The method of claim 1, wherein the generating of the security module encrypted control command further comprises: applying a device security check for the encrypted control command, comprising determining whether the control command is received from a remote control device approved for remote control of the medical device according to approved device control information provided in the security module; and generating the security module encrypted control command, if the remote control device is determined to be an approved remote control device.

5. The method of claim 2 further comprising: in the medical device, applying for the security module encrypted control command at least one of the command security check, the error-detecting check, and the device security check.

6. The method of claim 1, wherein the providing of the pair of keys for asymmetric cryptography comprises providing the private key in a read only data memory in the security module.

7. The method of claim 1 further comprising: providing the security module as a device component in one of the remote control device, and the medical device.

8. The method of claim 1 further comprising: providing the security module as a portable device separated from the remote control device, and the medical device.

9. The method of claim 1, wherein the confirming of the device control command or the amended control command comprises: outputting command user information through an output device of a user interface provided on at least one of the remote control device, the security module, and the medical device, the command user information being indicative of the device control command or the amended device control command; and receiving the user confirmation input through an input device of the user interface.

10. The method of claim 1, wherein the controlling of the operation further comprises controlling operation of a medical device selected from the following group: medical pump device, insulin pump, and blood sugar measurement device.

11. A medical system comprising: a remote control device; a security module; and a medical device; and the system components being configured to provide a pair of keys for asymmetric cryptography, the pair of keys comprising a public key and a private key; provide the public key in both the remote control device and the medical device; provide the private key in the security module; in the remote control device, generate an encrypted control command encrypted by applying the public key to a control command; receive the encrypted control command in the security module; in the security module, decrypt the encrypted control command by applying the private key, the decrypting comprises determining whether the control command was encrypted by applying the public key; in the security module, generate a security module encrypted control command by applying the private key to the decrypted control command or an amended medical control command derived from the decrypted control command and configured to control operation of the medical device; receive the security module encrypted control command in the medical device; in the medical device, decrypt the security module encrypted control command by applying the public key; and control operation of the medical device according to one of the control command and the amended control command, if the control command or the amended control command has been confirmed by a user confirmation input received in one of the security module, and the medical device.

12. The medical system of claim 11, wherein the remote control device is a portable control device.

13. A security module for a medical system, comprising a data memory comprising a private key assigned to a pair of keys for asymmetric cryptography, the pair of keys comprising the private key and a public key; one or more data processors; and a data communication interface for data communication with a remote control device and a medical device; wherein the one or more data processors are configured to receive, from the remote control device, an encrypted control command encrypted by applying the public key to a control command configured to control operation of the medical device; decrypt the encrypted control command by applying the private key, the decrypting comprises determining whether the control command was encrypted by applying the public key; generate a security module encrypted control command by applying the private key to the decrypted control command or an amended medical control command derived from the decrypted control command and configured to control operation of the medical device; transmit the security module encrypted control command to the medical device.

Description

Description of further embodiments

[0031] In the following, further embodiments are described with reference to the figures, in which:

[0032] FIG. 1 shows a schematic representation of a medical system including a remote control device, a security module, and a medical device; and

[0033] FIG. 2 shows a schematic flow diagram of a method for operating the medical system.

[0034] FIG. 1 shows a schematic representation of a medical system 1 including a remote control device 2, a security module or device 3, and a medical device 4. The medical device 4 may, for example, be provided with a pump for delivering medication, e.g. an insulin pump, a measurement device such as a sensor device for gathering or collecting medical data, or an analysis device such as a device for analyzing a sample of a bodily fluid. The components of the medical system 1 are provided with one or more data communication protocols for wireless and/or wired data communication. Different technologies available as such, for example Bluetooth or near-field communication (NFC), may be applied for implementing data communication between the components of the medical system 1. Different software applications can be implemented on the components of the medical system 1 for providing different functionalities such as encryption and decryption of data or information. Other functionalities refer to data transmission, data reception, data storage, and data processing. Each of the components of the medical system 1 may include one or more data processors configured to process electronic data. Also, the components may have one or more storage devices for storing electronic data locally. In addition, data may be received from and/or transmitted to one or more remote server devices.

[0035] The remote control device 2 may be provided as a consumer electronic device such as a mobile phone, tablet computer, or laptop. A software application running on the remote control device 2 at least generates control commands (also referred to as device control commands or medical device control commands) configured to control operation of the medical device 4. A control command is configured to control at least one functionality provided for the medical device 4 in a mode of operation. The remote control device 2 may be configured to apply two-factor authentication before a user is allowed to use the software application providing the functionality for generating control commands.

[0036] In the embodiment shown in FIG. 1, the components of the medical system 1 are shown to be separated system components. In an alternative embodiment, the security module 3 may be part of one of the remote control device 2 and the medical device 4, for example, a plug-in device component.

[0037] Referring to FIG. 2, a method for operating the medical system 1 provided with the remote control device 2, the security module 3, and the medical device 4 is described. In step 20, a pair of keys for asymmetric cryptography is provided in the medical system 1. The pair of keys includes a public key and a private key. A cryptography infrastructure of the medical system 1 may include one or more further pairs of keys for asymmetric cryptography. The public key of the pair of keys is provided at least to both the remote control device 2 and the medical device 4. A copy of the public key may also be available in the security module 3. The private key is provided in the security module 3. In conclusion, neither the remote control device 2 nor the medical device 4 has received or has access to the private key, which is kept in the security module 3 in the embodiment described. The pair of keys is assigned to the security module 3 in the medical system 1.

[0038] If a user of the remote control device 2 wants to control operation of the medical device 4, a control command is generated in step 21 by the software application running on the remote control device 2 in response to a user input received in the remote control device 2. The control command is configured to control operation of the medical device 4. For example, the control command may be provided for controlling the application of medication by the medical device 4. If the medical device 4 is provided with a pump device for delivering medication such as insulin, a pump control command is generated, e.g. specifying an amount of medication to be delivered by the pump device.

[0039] Next, in step 22 an encrypted control command is generated in the remote control device 2 by applying the public key to the control command.

[0040] The encrypted control command is transmitted from the remote control device 2 to the security module 3 in step 23. In step 24, the security module 3 decrypts the encrypted control command by applying the private key. In doing so, the security module 3 determines whether the control command was correctly encrypted by applying the public key. Further, the security module 3 may check whether the encrypted control command has been received from the remote control device 2. The security module 3 may confirm that the remote control device 2 is approved for providing control commands for the medical device 4. Information about approved remote control devices may be provided in a storage device of the security module 3. Alternatively or in addition, such information may be received from a remote server device. The security module 3 may also apply an error-detecting check to the encrypted control command received from the remote control device 2. For example, a cyclic redundancy check (CRC) may be performed. One or more security checks may be applied by the security module 3.

[0041] If the received control command is determined in the security module 3 to be correct (allowed) by the one or more security checks, the security module 3 generates a security module encrypted control command in step 24 by applying the private key to the control command or to an amended control command derived from the control command. For example, where the control command requests values for one or more operation parameters that lie outside the limits allowed for the medical device 4, the amended control command may limit those operation parameter(s) to the allowed limits. The security module encrypted control command is transmitted from the security module 3 to the medical device 4 in step 25. In response, the medical device 4 decrypts the security module encrypted control command by applying the public key.

[0042] In step 26, the operation of the medical device 4 is controlled according to one of the control command and the amended control command. Such controlling of operation is applied only if the control command or the amended control command has been confirmed by a user confirmation. The user confirmation is received in response to outputting command user information through an output device provided with a user interface of the medical system 1, the command user information being indicative of the device control command or the amended device control command. By such command user information the user is informed about the control command or amended control command intended to be applied to the medical device 4. The user can check whether such control command shall be applied or not. By entering the user confirmation input through an input device of the user interface of the medical system 1, the user confirms that the control command can be applied.

[0043] The command user information may be provided as audio and/or video data. The command user information may be output through an output device of one of the remote control device 2, the security module 3, and the medical device 4. For example, the command user information may indicate to the user a functionality of the medical device 4 which is to be controlled by the control command. Also, the command user information may indicate one or more control parameters, according to the control command, to be applied for operating the medical device 4. Parameter limits for the operation parameters may also be indicated by the command user information.

[0044] The command user information output may be generated in the security module 3 in response to receiving the encrypted control command. As an alternative or in addition, command user information may be generated and output by the medical device 4 after receiving the security module encrypted control command. Thus, controlling operation of the medical device 4 according to the control command or the amended control command is only applied after receiving the user confirmation input.
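The flow of steps 20 to 26 as an added, runnable example in Go; it is not part of the application and not the applicant's code. It realises "applying the public key" in step 22 as RSA-OAEP and "applying the private key" in step 24 as an RSA-PSS signature over the command, which is what that operation amounts to in practice, and the medical device "decrypts with the public key" by verifying that signature. The JSON command format, the device identifier "phone-01", the action name "bolus" and the 10-unit dose limit are constructed sample data. The "correctly encrypted" determination of claim 3 falls out of OAEP decryption, which fails on a ciphertext made under another key or altered in transit; a CRC as mentioned in [0040] would only detect accidental corruption. Two points the example makes visible: the device security check of claim 4 is keyed here on an identifier that the remote control device itself places inside the encrypted command, so it binds the command to what the sender claims rather than to who sent it; and because both devices hold the public key, the second hop authenticates the security module's command but does not keep it confidential.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Command is the control command of step 21; field names and the JSON format are assumptions.
type Command struct {
	DeviceID string  `json:"device_id"` // self-declared identifier of the remote control device
	Action   string  `json:"action"`    // e.g. "bolus"
	Units    float64 `json:"units"`     // requested insulin units
}

// Step 20: the devices hold only the public key; the security module alone holds the private key.
type RemoteControl struct{ pub *rsa.PublicKey }
type MedicalDevice struct{ pub *rsa.PublicKey }
type SecurityModule struct {
	priv            *rsa.PrivateKey
	approvedDevices map[string]bool    // approved device control information (claim 4)
	maxUnits        map[string]float64 // approved actions and the dose limit for each (claim 2)
}
// Signed is the "security module encrypted control command": applying the private key is an
// RSA-PSS signature checked with the public key. Anyone with the public key can read Payload.
type Signed struct{ Payload, Signature []byte }
// NewSystem generates and distributes the key pair; "phone-01" and the 10-unit limit are sample data.
func NewSystem() (RemoteControl, SecurityModule, MedicalDevice, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return RemoteControl{}, SecurityModule{}, MedicalDevice{}, err
	}
	sm := SecurityModule{priv, map[string]bool{"phone-01": true}, map[string]float64{"bolus": 10}}
	return RemoteControl{&priv.PublicKey}, sm, MedicalDevice{&priv.PublicKey}, nil
}

// Encrypt is step 22: apply the public key to the control command (RSA-OAEP with SHA-256).
func (r RemoteControl) Encrypt(c Command) ([]byte, error) {
	b, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, r.pub, b, nil)
}

// Process is steps 24 and 25: decrypt, run the security checks, amend if a limit is exceeded, sign.
func (s SecurityModule) Process(ct []byte) (Signed, error) {
	b, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, ct, nil)
	if err != nil { // not made with the matching public key, or altered in transit (claim 3)
		return Signed{}, fmt.Errorf("control command not correctly encrypted: %w", err)
	}
	var c Command
	if err := json.Unmarshal(b, &c); err != nil {
		return Signed{}, err
	}
	if !s.approvedDevices[c.DeviceID] { // device security check (claim 4)
		return Signed{}, fmt.Errorf("remote control device %q not approved", c.DeviceID)
	}
	limit, ok := s.maxUnits[c.Action]
	if !ok { // command security check (claim 2)
		return Signed{}, fmt.Errorf("control command %q not approved for remote control", c.Action)
	}
	if c.Units > limit { // amended control command ([0041]): clamp to the allowed limit
		c.Units = limit
	}
	out, _ := json.Marshal(c) // c came from valid JSON, so marshalling cannot fail
	h := sha256.Sum256(out)
	sig, err := rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, h[:], nil)
	if err != nil {
		return Signed{}, err
	}
	return Signed{out, sig}, nil
}

// Apply is step 26: verify with the public key, then operate only if the user confirmation
// input (confirm, asked after the command user information is shown) is positive.
func (m MedicalDevice) Apply(sc Signed, confirm func(Command) bool) (Command, error) {
	h := sha256.Sum256(sc.Payload)
	if err := rsa.VerifyPSS(m.pub, crypto.SHA256, h[:], sc.Signature, nil); err != nil {
		return Command{}, fmt.Errorf("command was not issued by the security module: %w", err)
	}
	var c Command
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Command{}, err
	}
	if !confirm(c) {
		return Command{}, fmt.Errorf("user did not confirm %s of %g units", c.Action, c.Units)
	}
	return c, nil // the medical device now operates according to c
}

func main() {
	rc, sm, md, _ := NewSystem()
	ct, _ := rc.Encrypt(Command{DeviceID: "phone-01", Action: "bolus", Units: 12})
	sc, _ := sm.Process(ct) // 12 units exceeds the 10-unit limit and is amended to 10
	fmt.Println(md.Apply(sc, func(c Command) bool { return true })) // the user confirms
}
```

Running the example amends a 12-unit request to the 10-unit limit before the medical device acts on it. A command carrying an unlisted device identifier, an unlisted action, a ciphertext produced under a different public key, a payload altered after signing, or a negative user confirmation each stop the flow with an error instead of reaching the pump.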

[0045] It may be provided that only the remote control device 2 includes functionality for generating the control command, but not the security module 3. On the other hand, only the security module 3 is provided with the private key. Thus, only the security module 3 (and not the remote control device 2) is enabled to generate the security module encrypted control command which can be decrypted in the medical device 4 for actual control of operation of the medical device 4. There is no need for the security module 3 to be provided with functionality for generating control commands, since such control commands are received from the remote control device 2. Thus, the security module 3 may be provided free of functionality for generating control commands.