SECURE DRUG DELIVERY DATA TRANSMISSION

20220051778 · 2022-02-17

    Abstract

    The disclosure is concerned with privacy and integrity of personalized protected health information when transmitted to a cloud computing facility and subsequently distributed to a plurality of stakeholders. An electronic unit of a drug delivery device is configured to prepare payload data comprising data items according to an allocation scheme, and to encrypt, based on an encryption key, and transmit data including the payload data. The allocation scheme and the encryption key are defined for each of a plurality of data subscribers. Accordingly, personalized protected health information payload data is suitably protected with generator-to-subscriber or pass-through data security measures, and any intermediary node or data server in the communication network lacking a matching decryption key will not have access to unencrypted payload data.

    Claims

    1. A method of monitoring drug delivery from a drug delivery device using an electronic unit associated with the drug delivery device and comprising a processor adapted to generate and to transmit to a manufacturer of the electronic unit, delivery data including an identifier of the electronic unit and a quality indicator QI indicative of delivery data accuracy determined by the electronic unit from sensed data associated with a delivery event, the method comprising: receiving, from the electronic unit, first transmit data including a first quality indicator value QI1 for a first delivery event and second transmit data including a second quality indicator value QI2 for a second delivery event after the first event; comparing the QI1 and QI2 quality indicator values to determine at least one point of failure of the electronic unit; and replacing the electronic unit or adapting an operation thereof before the at least one point of failure is reached.

    2. The method of claim 1, wherein the processor of the electronic unit is configured to: identify individual dose units of a single delivery event from feedback sample signals of a sensor element of the electronic unit based on a set of identification parameters for a neural network and derive from these the QI1 and QI2 quality indicator values, and wherein the step of replacing the electronic unit or adapting an operation of the electronic unit comprises: deriving adapted identification parameters by re-training the neural network; transmitting the adapted identification parameters to the electronic unit; and reconfiguring the electronic unit with the adapted identification parameters.

    3. The method of claim 1, further comprising: sensing two concurrent sensor signals from two distinct sensors, and by a transmitter, communicating the two concurrent sensor signals to a subscriber to determine whether one of the sensors is malfunctioning by determining a presence of a deteriorating correlation between the two concurrent sensor signals from the two distinct sensors.

    4. An electronic unit for association with a drug delivery device and adapted to generate and handle drug delivery data and to transmit data items of the delivery data to a first data subscriber and to a second data subscriber, respectively, the electronic unit comprising: at least one sensor for collecting delivery data associated with the delivery device; and a processor with associated memory and having: access to a first encryption key and a second encryption key associated with the first data subscriber and the second data subscriber, respectively, and access to a first data allocation scheme and to a second data allocation scheme indicating to which delivery data item or items the first data subscriber and second data subscriber have respectively subscribed; wherein the electronic unit is configured: to prepare first transmit data including at least one delivery data item according to the first data allocation scheme, and to encrypt the first transmit data based on the first encryption key; to prepare second transmit data including at least one delivery data item according to the second data allocation scheme and to encrypt the second transmit data based on the second encryption key; and to control transmission of the encrypted first transmit data and the encrypted second transmit data to the first data subscriber and the second data subscriber, respectively.

    5. The electronic unit according to claim 4, wherein the drug delivery device comprises a disposable injection device generating signals that are detectable by the at least one sensor element of the electronic unit and said electronic unit being attachable to the injection device, and wherein the injection device comprises a machine-readable tag storing the first encryption key of the first data subscriber, wherein the at least one sensor comprises a tag reader for reading the first encryption key from the machine-readable tag.

    6. The electronic unit according to claim 4, wherein the processor is configured: to encrypt the first transmit data based on the first encryption key by encrypting the delivery data items with the first encryption key, or by encrypting the delivery data items with a generic key and encrypting the generic key with the first encryption key; and to control transmission of the encrypted first transmit data by transmitting the encrypted delivery data items or by transmitting the encrypted delivery data items and the encrypted generic key, respectively.

    7. The electronic unit according to claim 4, wherein the memory is configured for storing the first encryption key and second encryption key and the first data allocation scheme and second data allocation scheme.

    8. The electronic unit according to claim 7, wherein the first data allocation scheme assigns delivery data items including an identifier and a battery level of the electronic unit to a manufacturer of the electronic unit.

    9. The electronic unit according to claim 4, further comprising a transmitter for communicating with a mobile device or with a stationary gateway device to transmit the encrypted first transmit data and encrypted second transmit data to a remote data server.

    10. The electronic unit according to claim 4 further comprising: wherein the at least one sensor is a sensor for sensing data for deriving a quality indicator QI indicative of data accuracy of data determined by the electronic unit in a delivery event, wherein QI includes a first quality indicator value QI1 for a first delivery event and a second quality indicator value QI2 for a second delivery event after the first event; and a transmitter for communicating the first quality indicator value QI1 and the second quality indicator value QI2 to at least one of the first data subscriber or the second data subscriber.

    11. The electronic unit according to claim 4: wherein the at least one sensor comprises means for sensing two concurrent sensor signals from two distinct sensors, and a transmitter for communicating the two concurrent sensor signals to at least one of the first data subscriber or the second data subscriber.

    12. The electronic unit according to claim 4 wherein first data allocation scheme and second data allocation scheme comprise a representation of data-to-subscriber allocation schemes in the form of a chart or array.

    13. The electronic unit according to claim 4 wherein the at least one sensor comprises a tag reader for a machine-readable tag or label storing drug information mounted to a device housing of the drug delivery device.

    14. A method of monitoring drug delivery from a drug delivery device by means of an associated electronic unit adapted to generate and handle delivery data and to transmit data items of the delivery data to a first data subscriber and to a second data subscriber, comprising: using the first data subscriber and the second data subscriber to generate, respectively, a first encryption key and a second encryption key and to define a first data allocation scheme and a second data allocation scheme indicating to which data item or items the first data subscriber and second data subscriber have respectively subscribed; providing to the electronic unit, by the first data subscriber and the second data subscriber, the first encryption key and second encryption key and the first data allocation scheme and second data allocation scheme; controlling the processor of the electronic unit to: prepare first transmit data including data items according to the first data allocation scheme; encrypt the first transmit data based on the first encryption key; prepare second transmit data including data items according to the second data allocation scheme; and encrypt the second transmit data based on the second encryption key.

    15. The method according to claim 14, further comprising: providing the electronic unit access to a transmitter; using the electronic unit to transmit the encrypted first transmit data and second transmit data to a data server; and using the data server to provide the encrypted first transmit data to the first data subscriber and to provide the encrypted second transmit data to the second data subscriber.

    16. The method according to claim 14, wherein the first data subscriber is a manufacturer of the electronic unit, and wherein the first data allocation scheme assigns delivery data items including an identifier of the electronic unit and a quality indicator indicative of an accuracy of a dispensed dose determined by the electronic unit, wherein the first data subscriber: receives first transmit data including a first quality indicator value for a first delivery event and second transmit data including a second quality indicator value for a second delivery event after the first event; compares the two quality indicator values to determine a point of failure of the electronic unit; and causes the electronic unit to be replaced or adapts an operation of the electronic unit before the point of failure is reached.

    17. The method according to claim 16, wherein the processor of the electronic unit is configured to identify individual dose units of a single delivery event from feedback sample signals of a sensor element of the electronic unit based on a set of identification parameters for a neural network, and wherein the step of replacing the electronic unit or adapting an operation thereof comprises: deriving adapted identification parameters by re-training the neural network; transmitting the adapted identification parameters to the electronic unit; and reconfiguring the electronic unit with the adapted identification parameters.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0038] The subject-matter of the disclosure will be explained in more detail in the following text with reference to exemplary embodiments as illustrated in the attached drawings, of which

    [0039] FIG. 1 depicts a medical injection monitoring and patient support system according to the present disclosure;

    [0040] FIG. 2 is an example of a consolidated representation of data-to-subscriber allocation schemes, according to the present disclosure;

    [0041] FIG. 3 illustrates three variants of subscriber-based encryption key provision, according to the present disclosure; and

    [0042] FIG. 4 is a flow chart of a method of predictively maintaining the system, according to the present disclosure.

    [0043] For consistency, the same reference numerals are used to denote similar elements illustrated throughout the drawings.

    DETAILED DESCRIPTION

    [0044] FIG. 1 depicts a medical injection or drug delivery monitoring and patient support system, comprising an injection device 1 in the form of a disposable, variable dose injection pen with manual drug dispense, an auxiliary electronic module 2 detachably mounted to the injection device, data transmission components 3, and data subscribers or system stakeholders 4.

    [0045] The injection pen may include an elongate, pen-shaped device housing 10 which may essentially be symmetric around a main device axis, as well as a dosing device including a dosing sleeve 11, a rotary dosing knob 12, and a dispense or discharge button 13. The dosing knob 12 may enable the user to adjust a dose and is arranged on a proximal end of the dosing sleeve. The dosing sleeve 11 features markings in the form of numbers on its outer surface. When the dosing sleeve is screwed out of the housing during the dose setting operation, the adjusted dose may be displayed in a window of the housing. Alternatively, the injection device may be a disposable, single-dose auto-injector with a drive spring for automatic dispense of a dose of drug. A passive machine-readable tag (22a, shown in phantom in FIG. 1) may be mounted to, for instance embedded in or attached to a surface of, the device housing 10. The tag 22a may store drug information about the drug comprised in a container of the injection device, including any or all of a drug identifier, an expiry date, or a batch number of the drug.

    [0046] The electronic module 2 may be laterally attached to the injection device 1 by means of a snap-fit or clip connection involving resilient module wings on opposite sides of the device housing. The housing 20 of the electronic module may feature a prominent laterally extending volume for accommodating the electronic unit 28, which may include a sensor element 21 to detect a status or signal from any kind of indicating component of the injection device, a tag reader 22 different from the injection sensor, for reading drug information from the machine-readable tag 22a, a processor 23, a data storage or memory 24 connected to the processor, and a transmitter 25 for wireless transmission of data about the injection progress via Bluetooth Low Energy (BLE) or equivalent short or near range wireless communication technology to the data transmission components 3. The electronic module 2 may further include a connection and system status indicator 26 that provides visual feedback about a connection status indicative of an established communication or transmission link to the components 3, and about a device, module, or process status including for instance an availability of battery power, a readiness of communication or transmitter means, an attached/detached status of the electronic module 2 and the injection device, or a progress of an ongoing injection process. The electronic module may be further adapted to produce a time-stamp indicating at what date and time a monitored dose has been injected, and to store at least the dose expelled and the time-stamp in the data storage unit for later upload. Alternatively, the electronic module 2 may start a timer or counter upon completion of an injection, from which an absolute time of the injection may be inferred at or following data upload.

    [0047] The network or data transmission components 3 may include a mobile device 31a such as a smartphone or tablet device running a dedicated application program, or a laptop computer configured accordingly. Alternatively, the transmitter 25 of the electronic module 2 may communicate with a stationary medical gateway device 31b. The mobile or gateway device may be connected, via a 4G/LTE cellular mobile and/or wire-based communication network, to a remote, distributed cloud based computing facility or data server 32. Alternatively, the transmitter 25 of the electronic module may communicate directly with the data server 32 via wireless long-range communication networks such as 5G cellular mobile networks. The data server 32 may be configured to store delivery data, drug information, patient adherence data, or any further monitoring data accumulated by the electronic unit 28 and uploaded to the data server in encrypted format per subscriber as detailed below. The data server 32 may in turn forward the uploaded data to the data subscribers 4, which may include any or all of a device manufacturer 41a, a drug supplier or pharmaceutical company 41b, a healthcare professional HCP 41c assigned to a patient, a clinical research organization CRO 41d, a health insurance company 41e of the patient, and the patient himself 41f. The patient 41f may in addition, or alternatively, receive information from the visual indicator 26 of the electronic module, and/or from the mobile device 31a. The drug delivery monitoring system may include further intermediary network components or nodes in the communication paths between the mobile or gateway device and the data server, as well as between the latter and the data subscriber.

    [0048] FIG. 2 depicts a data structure 200, for example in the form of a consolidated allocation table or array, with an exemplary selection of delivery data items, in the first column, and an exemplary number of data subscribers in the first row. The crosses in a column of the table indicate to which delivery data items the respective subscriber has subscribed, such that each column represents a data allocation scheme according to the terminology used. The list of subscribers includes, in order, a device manufacturer, a drug supplier or pharmaceutical company, a healthcare professional (HCP) assigned to a patient, a clinical research organization (CRO), a health insurance of the patient, and the patient himself/herself. The device manufacturer may be the manufacturer of the auxiliary electronic module 2 including the electronic unit 28, the manufacturer of the delivery device to which the electronic module attaches, or the manufacturer of an electronic delivery device embedding the electronic unit 28.

    [0049] The data items may include an identifier (ID) or serial number of the auxiliary electronic module or the electronic delivery device provided by the device manufacturer, the value of which is stored in a memory of the device upon device manufacturing. The delivery data items may further include a Unique Device Identification (UDI) including information on the drug, drug batch, drug expiry in encoded format; a therapy plan including the agreed medication schedule and configured device behavior; a clinical study identifier (ID); a patient identifier in anonymized form, and a designation or trade name of the medicament in plain text. All the aforementioned data may be provided on a tag 22a of the delivery device that may be read by a tag reader 22 of the auxiliary electronic module, or stored in a memory of the electronic delivery device or unit following download from a central server facility. The data items also may include event data of a specific delivery event such as a time of delivery, place of delivery, dispensed dose, and holding time elapsed between completion of drug dispense and removal of the delivery device from the injection site. The event data may further include an injection result in binary form or including an event data sensing quality indicator indicative of a level of quality of, or uncertainty tied to, the event data. Likewise, a drug temperature or further event parameter may be included. The data items ultimately may include further device data such as error, firmware, software, and battery status information of the auxiliary module or electronic delivery device.

    [0050] As is evident from the table, the device manufacturer has subscribed to data items relating to the device, in order to track a lifecycle of the device. A usage time or usage count as a consolidated number of successfully completed delivery events may also be of interest to a manufacturer of an electronic delivery device, especially in view of complaint handling processes. It is also apparent from the table that the physician or other HCP of the patient, the healthcare insurance, and a CRO are all interested in event data including medication, dose, and delivery success. However, while the physician and CRO need to know the delivery result per patient and per event, the insurance may be satisfied with anonymized data that allows therapy efficiency and/or patient adherence to therapy plans to be established.

    [0051] FIG. 3 illustrates three distinct variants of subscriber-based encryption key provision or distribution. In a first variant (first communication path represented by left-side curved arrow 41), exemplary first data subscriber 41d provides an encryption key or shared secret (Sec d) to the manufacturer 41a of electronic modules. The manufacturer then copies this key to a memory of each assembled electronic module 2. In a sub-variant, the manufacturer assembles electronic, or intelligent, delivery devices with embedded electronic units, in which case the key is copied to a memory of the electronic unit 28 of the electronic delivery device. In a second variant (second communication path represented by center curved arrow 42), the encryption key or shared secret (Sec d) of the first data subscriber 41d is provided to a delivery device end-assembly site, where the key may be copied to a machine-readable tag or label of each assembled delivery device 1. In a third variant (third communication path represented by right-side curved arrow 43), exemplary second subscriber 41e provides a public key (PubK e) via an exemplary communication network including the data transmission components 32, 31a to the electronic module 2 or, in a sub-variant, to an electronic delivery device. The three variants may be used in parallel or consecutively with one and the same auxiliary electronic device and/or data subscriber.
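
    The per-subscriber preparation and encryption recited in claims 4 and 6, using a shared secret as in the first variant above, can be sketched as follows. This is an added example, not code from the patent or its applicant: the item names, subscriber labels, and function names are assumptions, the data key is generated fresh per message (an assumption about the "generic key" of claim 6), and the HMAC-based encrypt-then-MAC routine is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import secrets

# Constructed allocation schemes: one set of data items per subscriber, i.e.
# one column of a FIG. 2-style table. Item and subscriber names are assumptions.
ALLOCATION = {
    "manufacturer": {"module_id", "battery_level", "quality_indicator"},
    "hcp": {"patient_id", "drug_name", "dose_units", "delivery_time", "injection_ok"},
    "insurer": {"drug_name", "injection_ok"},
}

# Constructed delivery event as it might sit in the electronic unit's memory.
SAMPLE_EVENT = {
    "module_id": "MOD-0001", "battery_level": 81, "quality_indicator": 0.97,
    "patient_id": "anon-42", "drug_name": "ExampleDrug", "dose_units": 12,
    "delivery_time": "2022-02-17T08:30:00Z", "injection_ok": True,
}


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(key):
    # Separate encryption and MAC keys derived from one subscriber key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _tag(mac_key, aad, nonce, ct):
    # Length-prefix the associated data so field boundaries are unambiguous.
    msg = len(aad).to_bytes(2, "big") + aad + nonce + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(key, plaintext, aad):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _tag(mac_key, aad, nonce, ct)


def unseal(key, blob, aad):
    """Verify the tag first, then decrypt; ValueError on any mismatch."""
    if len(blob) < 48:
        raise ValueError("truncated ciphertext")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(mac_key, aad, nonce, ct)):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def prepare_transmit_data(event, subscriber, subscriber_key):
    """Electronic-unit side: filter by allocation scheme, then encrypt."""
    items = {k: event[k] for k in ALLOCATION[subscriber] if k in event}
    payload = json.dumps(items, sort_keys=True).encode()
    data_key = secrets.token_bytes(32)  # fresh per message (assumption)
    aad = subscriber.encode()           # binds the envelope to its recipient
    return {
        "to": subscriber,               # routing label, visible to the server
        "wrapped_key": seal(subscriber_key, data_key, aad).hex(),
        "payload": seal(data_key, payload, aad).hex(),
    }


def subscriber_open(envelope, subscriber_key):
    """Subscriber side: unwrap the data key, then decrypt the payload."""
    aad = envelope["to"].encode()
    data_key = unseal(subscriber_key, bytes.fromhex(envelope["wrapped_key"]), aad)
    return json.loads(unseal(data_key, bytes.fromhex(envelope["payload"]), aad))


if __name__ == "__main__":
    keys = {name: secrets.token_bytes(32) for name in ALLOCATION}
    for name in ALLOCATION:
        env = prepare_transmit_data(SAMPLE_EVENT, name, keys[name])
        print(name, "->", subscriber_open(env, keys[name]))
    try:  # a node holding a different subscriber's key learns nothing
        subscriber_open(env, keys["manufacturer"])
    except ValueError as exc:
        print("other key:", exc)
```

    The data server only ever handles the routing label and two opaque blobs per subscriber; relabelling an envelope for a different recipient fails authentication because the label is bound in as associated data.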

    [0052] In an embodiment of variant two, the machine-readable tag 22a may be attached externally to the device housing, which may be compatible with non-transparent device housings, and which specifically may exclude embedding the tag 22a into the device housing in a molding step of the device housing preceding an assembly of the injection device. Attaching the tag 22a to the device housing surface may allow delaying of a programming or printing of the tag to a very late stage, specifically to finalize the tag during or even after assembly of the drug container and the injection device, yet still before attachment of the tag to the device housing. The passive machine-readable tag may include an optical bar code or a data-matrix/QR code label, or a non-optical Radio Frequency Identification (RFID) tag or transponder, specifically an NFC tag operating according to one of the Near-Field Communication (NFC) standards. Accordingly, the electronic module may be equipped with a camera or with an RFID/NFC reading or readout unit.

    [0053] At least the standardized Near-Field Communication (NFC) tags may contain data including unique tag identifiers such as serial numbers encoded in the tag at the time of tag manufacture in read-only format such that this information cannot be altered once set. NFC tags may further include a user memory programmable, or writable, at delivery device assembly and providing for at least 300 Bytes of memory space, which is sufficient to store drug information in addition to an exemplary encryption key of 256 Bytes such as according to the RSA2048 encryption scheme. Near-field communication may use magnetic induction between two loop antennas connected to respective RFID chips or control units, and located within a near field of each other, thus effectively forming an air-core transformer operating at an exemplary frequency of 13.56 MHz well below a UHF band of 300 MHz or higher. In passive communication mode, the initiator device may provide a carrier field and the target device responds by modulating the existing field. In this mode, the target device may draw its operating power from the initiator-provided electromagnetic field. In the context of the present disclosure, the initiator may be an electronic unit 28 as part of the electronic module, and the target may be the passive tag 22a or transponder attached to the medicament delivery device housing.

    [0054] The electronic unit 28 being integrated in the electronic injection device or being part of an electronic module may comprise a visual, audible and/or tactile status indicator indicating to a user a status of the system. The status of the system may include any of a device status of the injection device, a module status of the electronic module, or a delivery status of a drug dispensing process. The status indicator may be simple and limited to a few Light Emitting Diodes LEDs in traffic-light colors and/or an audible signal generator for generating language-independent beep sounds or simple melodies in accordance with a therapy plan to be followed. In an embodiment, the status information may include a positive confirmation of a dose having been set or corrected, or an indication about a lapse of a minimum holding, delay, or dwell time following completion of a substance dispensing activity to inform the user that it is now safe to remove the injection device. The status indicator may explicitly exclude any advanced human-machine interfacing capability, and be limited to a few, for example, specifically less than ten, messages conveyable to the user. In particular, the electronic unit 28 may not be wired to, and the electronic module may be free of, a display, screen, or projector for visually transmitting readable instructions, and likewise exclude an artificial speech assistant for reading out loud the instructions.

    [0055] FIG. 4 is a flow chart of an exemplary method 400 of predictively maintaining the above monitoring system, according to the present disclosure. The method includes the step of receiving a first source quality indicator value Q1 indicative of an accuracy of a dispensed dose determined by the electronic unit 28 in a first or earlier delivery event at time T1 (operation 410). The method includes the step of receiving a second source quality indicator value Q2 indicative of an accuracy of a dispensed dose determined by the electronic unit 28 in a second or later delivery event at time T2 (operation 420). The quality indicator source may be any of the components involved in the dose determination, including an electronic unit comprising sensor and processor elements, a reusable electronic module or delivery device hosting the electronic unit, or a disposable injection device to which the electronic unit is releasably attached. The method includes the step of evaluating the quality indicator values to derive, by statistical and predictive means, a source point of failure as a point in time Tz when a dose determination will no longer be possible or useful (operation 430). The quality indicator values are received and evaluated by or on behalf of a manufacturer of the source, e.g., unit. The method includes the step of predictively maintaining the source at a maintenance time Tm well before Tz, which includes intelligently alerting users and/or service personnel that the source is (or may be) operating abnormally and requires component replacement or process reconfiguration of the source devices (operation 440). While the device and method have been described in detail in the drawings and foregoing description, such description is to be considered illustrative or exemplary and not restrictive. 
    Variations to the disclosed embodiments can be understood and effected by those skilled in the art and practicing the claimed subject matter, from a study of the drawings, the disclosure, and the appended claims. In the claims, the word “comprising” does not exclude other elements or steps, and the indefinite article “a” or “an” does not exclude a plurality. The mere fact that certain elements or steps are recited in distinct claims shall not preclude the existence of further meaningful combinations of these elements or steps.
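
    Operations 410 to 440 of method 400, as they might run on the manufacturer's side over decrypted quality indicator values, are sketched below. This is an added example, not code from the patent: the disclosure leaves the "statistical and predictive means" open, so a least-squares linear trend is assumed, as are the 0-to-1 QI scale, the 0.80 usefulness floor, the 30-day maintenance lead, and all names and sample records.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Forecast:
    slope_per_day: float      # fitted QI change per day
    t_fail: Optional[float]   # Tz in days; None if QI is not declining
    t_maint: Optional[float]  # Tm in days; None if no maintenance is due


def forecast_failure(samples, qi_min, lead_days):
    """Fit QI over time and extrapolate to the floor qi_min (operation 430).

    samples: (t_days, qi) pairs such as (T1, QI1), (T2, QI2), ...
    """
    pts = sorted(samples)
    if len(pts) < 2:
        raise ValueError("need at least two delivery events")
    n = len(pts)
    t_mean = sum(t for t, _ in pts) / n
    q_mean = sum(q for _, q in pts) / n
    sxx = sum((t - t_mean) ** 2 for t, _ in pts)
    if sxx == 0:
        raise ValueError("delivery events must have distinct times")
    slope = sum((t - t_mean) * (q - q_mean) for t, q in pts) / sxx
    if slope >= 0:
        return Forecast(slope, None, None)  # flat or improving: no Tz
    intercept = q_mean - slope * t_mean
    t_fail = (qi_min - intercept) / slope
    # Tm lies lead_days before Tz, but never before the latest observation:
    # a unit already inside the lead window is due immediately.
    t_maint = max(pts[-1][0], t_fail - lead_days)
    return Forecast(slope, t_fail, t_maint)


def maintenance_schedule(records, qi_min=0.80, lead_days=30.0):
    """Group records by unit identifier and list units due, earliest Tm first
    (operation 440). records: (unit_id, t_days, qi) tuples."""
    by_unit = defaultdict(list)
    for unit_id, t_days, qi in records:
        by_unit[unit_id].append((t_days, qi))
    due = []
    for unit_id, samples in by_unit.items():
        if len({t for t, _ in samples}) < 2:
            continue  # not enough history to compare QI1 with QI2
        forecast = forecast_failure(samples, qi_min, lead_days)
        if forecast.t_maint is not None:
            due.append((unit_id, forecast.t_maint))
    return sorted(due, key=lambda item: item[1])


# Constructed records: (unit identifier, days since first use, QI value).
SAMPLE_RECORDS = [
    ("MOD-0001", 0, 0.98), ("MOD-0001", 30, 0.95),
    ("MOD-0002", 0, 0.97), ("MOD-0002", 30, 0.97), ("MOD-0002", 60, 0.98),
    ("MOD-0003", 0, 0.90), ("MOD-0003", 10, 0.85),
]

if __name__ == "__main__":
    for unit_id, t_maint in maintenance_schedule(SAMPLE_RECORDS):
        print(f"{unit_id}: maintain by day {t_maint:.0f}")
```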

    LIST OF REFERENCE NUMERALS

    [0056] 1 injection device

    [0057] 10 device housing

    [0058] 11 dosing sleeve

    [0059] 12 dosing knob

    [0060] 13 dispense button

    [0061] 2 electronic module

    [0062] 20 module housing

    [0063] 21 sensor element

    [0064] 22 tag reader

    [0065] 22a machine-readable tag

    [0066] 23 processor

    [0067] 24 memory

    [0068] 25 transmitter

    [0069] 26 visual indicator

    [0070] 28 electronic unit

    [0071] 3 data transmission components

    [0072] 31a mobile device

    [0073] 31b gateway

    [0074] 32 data server

    [0075] 4 data subscribers

    [0076] 41 first communication path

    [0077] 42 second communication path

    [0078] 43 third communication path

    [0079] 200 data structure

    [0080] 400 flowchart of predictive maintenance

    [0081] 410, 420, 430, 440 steps in flowchart 400