WO2018229129A1 - Machine de dialyse, équipement médical externe et procédés permettant d'établir une communication sécurisée entre une machine de dialyse et un équipement médical externe - Google Patents

Machine de dialyse, équipement médical externe et procédés permettant d'établir une communication sécurisée entre une machine de dialyse et un équipement médical externe Download PDF

Info

Publication number
WO2018229129A1
WO2018229129A1 PCT/EP2018/065661 EP2018065661W WO2018229129A1 WO 2018229129 A1 WO2018229129 A1 WO 2018229129A1 EP 2018065661 W EP2018065661 W EP 2018065661W WO 2018229129 A1 WO2018229129 A1 WO 2018229129A1
Authority
WO
WIPO (PCT)
Prior art keywords
medical equipment
dialysis machine
external medical
shared key
system time
Prior art date
Application number
PCT/EP2018/065661
Other languages
English (en)
Inventor
Olof Ekdahl
Bo WENNBERG
Niklas EKLUND
Christian Karlsson
Ding MA
Original Assignee
Gambro Lundia Ab
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gambro Lundia Ab filed Critical Gambro Lundia Ab
Priority to EP23191913.5A priority Critical patent/EP4271018A3/fr
Priority to CN201880040157.3A priority patent/CN110770846B/zh
Priority to US16/619,728 priority patent/US11343105B2/en
Priority to EP18732707.7A priority patent/EP3639274B1/fr
Publication of WO2018229129A1 publication Critical patent/WO2018229129A1/fr
Priority to US17/750,714 priority patent/US11695572B2/en
Priority to US18/217,735 priority patent/US20230353386A1/en

Links

Classifications

    • GPHYSICS
    • G16INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16HHEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H40/00ICT specially adapted for the management or administration of healthcare resources or facilities; ICT specially adapted for the management or operation of medical equipment or devices
    • G16H40/60ICT specially adapted for the management or administration of healthcare resources or facilities; ICT specially adapted for the management or operation of medical equipment or devices for the operation of medical equipment or devices
    • G16H40/67ICT specially adapted for the management or administration of healthcare resources or facilities; ICT specially adapted for the management or operation of medical equipment or devices for the operation of medical equipment or devices for remote operation

Definitions

  • the present disclosure relates to a dialysis machine, to external medical equipment and to corresponding methods for establishing an authenticated connection between a dialysis machine and external medical equipment.
  • the present disclosure also relates to a computer program and a computer program product implementing the method.
  • dialysis therapy In treatment of patients suffering acute or chronic renal insufficiency, dialysis therapy is employed. Three general categories of dialysis therapy are hemodialysis, HD, HD, and
  • PD peritoneal dialysis
  • CRRT continuous renal replacement therapy
  • hemodialysis the patient's blood is cleansed by passage through an artificial kidney in an extracorporeal membrane system, incorporated in a dialysis machine.
  • dialyzing fluid is infused into the patient's peritoneal cavity. This cavity is lined by the peritoneal membrane which is highly vascularized.
  • metabolites are removed from the patient's blood by diffusion across the peritoneal membrane into the dialyzing fluid.
  • Excess fluid i.e. water is also removed by osmosis induced by a hypertonic dialyzing fluid.
  • CRRT is used as an alternative therapy for patients who are too ill or unstable for standard hemodialysis. It is similar to hemodialysis and makes use of a semipermeable membrane for diffusion and to some extent convection.
  • Dialyzing fluids for use in the above-mentioned treatments, have traditionally been provided in sealed, heat sterilized form, ready for use.
  • peritoneal dialysis is typically performed using bags with three different
  • the bags are being delivered to a patient's home as 1 liter to 6 liter bags with different dextrose concentrations and a normal daily consumption is around 8 to 20 liters of fluid.
  • a typical daily patient consumption of PD dialysis fluid is eight to twenty liters.
  • the fluid is provided in sterilized bags of sizes up to six liters, which are packed into boxes and delivered, e.g., monthly, for use to the patient's home.
  • the boxes of fluid may be cumbersome and heavy for PD patients to handle, and consume a substantial area in a room of their homes.
  • the bags and boxes also produce a relatively large amount of waste disposed of on a weekly or monthly basis.
  • PD peritoneal dialysis
  • an overall system for dialysis may include three primary components, namely a dialysis machine, a water purifier and a disposable set operating with both the dialysis machine and the water purifier.
  • the dialysis machine is e.g. a PD cycler, a hemodialysis machine or a CRRT machine.
  • the dialysis machine and the water purifier are typically separate units. However, during operation the dialysis machine and the water purifier need to communicate. The communication is traditionally implemented using a wired interface. However, sometimes it is desirable to use a wireless interface for this communication .
  • the dialysis machine may also need to communicate with other kinds of external medical equipment using a wireless
  • a further object is to provide a solution that mitigates synchronization problems in wireless communication between a dialysis machine and external medical equipment .
  • the disclosure relates to a dialysis machine comprising a short-range communication interface and control unit.
  • the control unit is configured to cause the dialysis machine to establish, using the short-range communication interface, a short-range wireless connection between the dialysis machine and external medical equipment, wherein a first shared key is associated with the short-range wireless connection.
  • the control unit is further configured to obtain a second shared key from a set of second shared keys, wherein the set of second shared keys has been generated, in the dialysis machine, using the first shared key, and to generate a first signature, using the obtained second shared key and a dialysis machine system time.
  • the control unit is further configured to send, using the short-range
  • control unit is configured to verify the authenticity of the external medical equipment using the second signature.
  • the exchange of the signatures before using the short-range communication interface for further communication assures that the dialysis machine and the external medical equipment only communicate with other trusted devices.
  • the enhanced security does not require any additional user interaction, as the second shared keys are generated from the first shared key that is used for establishing the short-range wireless connection .
  • control unit is configured to, upon receiving, from the external medical equipment, a response indicating a synchronization error and comprising external medical equipment system time, to re-generate the first signature, using the external medical equipment system time and send, using the short-range communication interface, an authentication request comprising the re-generated first signature to the external medical equipment .
  • control unit is configured to verify the authenticated connection using the external medical equipment system time and the re-generated signature.
  • the dialysis machine in this case may choose to use the external medical equipment system time, that was signaled in the authentication accept, to avoid problems related thereto.
  • the disclosure relates to a corresponding method for establishing an authenticated
  • the disclosure relates to
  • the control unit is configured to cause the external medical equipment to establish, using the short-range communication interface, a short-range wireless connection between the external medical equipment and the dialysis machine.
  • a first shared key is associated with the short-range wireless connection.
  • the dialysis machine comprises a set of second shared keys generated in the dialysis machine from the first shared key.
  • the control unit is further configured to receive, using the short-range communication interface, from the external medical equipment, an authentication request comprising a first signature, wherein the first signature has been generated in the dialysis machine using the dialysis machine system time and a second shared key from a set of second shared keys.
  • control unit is configured to obtain the second shared key from a corresponding set of second shared keys that has been generated in the external medical equipment from the first shared key and to verify the authenticity of the dialysis machine using the obtained second shared key and external medical equipment system time.
  • control unit is configured to cause the external medical equipment to generate a second signature, using a second shared key, from the corresponding set of second shared keys, and a dialysis machine system time to send, using the short-range communication interface, an authentication accept comprising the generated second signature, to the dialysis machine .
  • external medical equipment is configured to cause the
  • control unit is further configured to cause the external medical equipment to receive, from the dialysis machine, an authentication request comprising a re-generated first signature that has been re-generated using the external medical equipment system time, using the short-range communication interface.
  • the disclosure relates to a corresponding method in external medical equipment for establishing an authenticated connection between a dialysis machine and external medical equipment.
  • the disclosure relates to a computer program, characterized in code means, which when run in a computer causes the computer to execute any of the methods described above and below.
  • the disclosure relates to computer program product including a computer readable medium and a computer program, wherein said computer program is included in the computer readable medium.
  • the disclosure relates to system comprising the dialysis machine and the external medical equipment .
  • Fig. 1 is a front elevation view of a peritoneal dialysis system comprising a PD cycler and a point of use water purifier where the proposed technique may be implemented.
  • Fig. 2a illustrates a flow chart of a method for use in a dialysis machine.
  • Fig. 2b illustrates some methods steps of the method of Fig. 2a in more detail.
  • Fig. 3a illustrates a flow chart of a method for use in external medical equipment .
  • Fig. 3b illustrates some methods steps of the method of Fig. 3a in further detail.
  • Figs. 4a and 4b illustrate signaling between the dialysis machine and the external medical equipment, when performing the methods of Figs. 2a-2b and Figs. 3a-3b.
  • Fig. 5 illustrates a dialysis machine according to some example embodiments.
  • Fig. 6 illustrates a control unit of external medical
  • Figs. 7a-7e illustrates signaling according to an example implementation of the proposed methods.
  • Dialysis machines may include wireless communication devices enabling communication with external medical equipment such as an external water purifier, a blood pressure monitor, scale or another kind of external medical equipment .
  • external medical equipment typically comprises a simple display and a simple input device such as a keypad with a few buttons. This is typically desirable from a usability perspective, as medical devices should be easy to use.
  • BluetoothTM typically require authentication exchange based on a shared pass key or PIN code.
  • the display and keypad may be so limited that they cannot support the user interactions required for a typical pairing where the pass code is entered on each device (e.g. used between smart phones and PCs) .
  • the pairing may instead include that a PIN code displayed on a display of the water purifier may be entered on the key board of the dialysis machine and sent back to the water purifier for verification. From a usability perspective, simple user interaction is anyway typically desirable, even though having a patient enter a separate passcode on each device would be more secure. However, a consequence of using a pairing procedure with limited user interaction, is that it may not be possible to verify that the correct BluetoothTM devices are paired.
  • the proposed authentication protocol uses a second key that is generated from a first key associated with the short-range wireless connection, e.g. a BluetoothTM pass key.
  • a first key associated with the short-range wireless connection e.g. a BluetoothTM pass key.
  • the external medical equipment and the dialysis machine need to know the first key and an algorithm or rule (herein referred to as at least one criterion) that is used for creating the key.
  • an algorithm or rule will only be available by devices that are trusted by the dialysis machine. In this way, it can be assured that connection is only
  • the added authentication protocol may be implemented using a standard protocol such as Json Web Token.
  • Json Web Token a protocol such as Json Web Token.
  • special adaptions might be required in order to e.g. mitigate synchronization problems.
  • Fig. 1 is a front elevation view of a peritoneal dialysis system comprising a PD cycler and a point of use water
  • System 10a includes a cycler 20 and a water purifier 110.
  • Suitable cyclers for cycler 20 include, e.g., the Amia® or HomeChoice® cycler marketed by Baxter International Inc.
  • cycler 20 includes a control unit 22.
  • Control unit 22 further e.g. includes a wired or wireless transceiver 221 (Fig. 5) configured for sending information to and receiving information from a water purifier 110.
  • the water purifier 110 also includes a control unit 112.
  • the control unit 112 of the water purifier is separate from the control unit 22 of the cycler 20.
  • the control unit 112 also includes a wired or wireless transceiver 1221 (Fig.5) for sending information to and receiving information from control unit 22 of cycler 20.
  • the cycler 20 includes a housing 24, which holds components 25 programmed via control unit 22 to prepare fresh dialysis solution at the point of use, pump the freshly prepared dialysis fluid to patient P, allow the dialysis fluid to dwell within patient P, then pump used dialysis fluid to a drain.
  • the components 25 programmed via control unit 22 to prepare fresh dialysis solution at the point of use includes components for a pneumatic pumping system, comprises but is not limited to (i) one or more positive pressure reservoir, (ii) one or more negative pressure reservoir, (iii) a compressor and a vacuum pump each under control of the control unit 22, or a single pump creating both positive and negative pressure under control of the control unit 22, for providing positive and negative pressure to be stored at the one or more positive and negative pressure reservoirs, (iv) plural pneumatic valve chambers for delivering positive and negative pressure to plural fluid valve chambers, (v) plural pneumatic pump chambers for delivering positive and negative pressure to plural fluid pump chambers, (vi) plural
  • the water purifier 110 includes water purification components, such as one or more reverse osmosis units, an electro- dionization unit (optional) , one or more pumps to move water within the water purifier and one or more heater to heat the water within the water purifier.
  • the water purifier 110 also includes at least one reservoir for holding a quantity of water to be purified and for mixing with an anti-bacterial growth agent if provided.
  • the water purifier 110 may also include a deaerator for removing air from the water being purified.
  • the water purifier 110 may further include or operate with pretreatment device, e.g., a water softener module, connected to the water purifier 110.
  • pretreatment device e.g., a water softener module
  • the method is for use in a dialysis machine such as the cycler 20 described above, or any other dialysis machine such as a hemodialysis machine or CRRT machine. That the method is for use in a dialysis machine means that the method steps of the method are performed by one or several components in the dialysis machine.
  • the method may be implemented as program code and saved in a memory unit of the dialysis machine.
  • the steps of the method may be defined in a computer program, comprising instructions which, when the program is executed by a computer e.g. the control unit 22, cause the computer to carry out the method.
  • the steps of the method may also be defined in a computer-readable medium, e.g.
  • the computer-readable medium then comprises instructions, which, when executed by a computer, cause the computer to carry out the method.
  • the proposed method will be described with reference to the cycler 20 establishing a trusted connection with the water purifier 110 of Fig. 1.
  • the same method may be used for any medical equipment for use with a cycler 20, such as a scale, a temperature sensor, a fever thermometer, a blood pressure device etc.
  • the method may also be used for connection with external device that is connected to a dialysis machine for other purposes, such as for downloading firmware or similar.
  • the dialysis machine may as well be another type of dialysis machine, such as a hemodialysis machine or a CRRT machine.
  • the dialysis machine and the external medical equipment will herein sometimes be referred to as simply the "devices".
  • devices Common for those devices is that it is important for the dialysis machine to verify the authenticity of the external medical equipment before the device is put into use.
  • the method may be performed at any time when the dialysis machine, such as the cycler 20, is switched on and needs to communicate with external medical equipment, such as the water purifier 110 in Fig. 1. If the dialysis machine is not limited to the cycler 20, is switched on and needs to communicate with external medical equipment, such as the water purifier 110 in Fig. 1. If the dialysis machine is not
  • the method may be performed for each and every of those devices.
  • the method steps are
  • a short-range wireless connection first needs to be establish between the external medical equipment and the dialysis machine.
  • Examples of short- range wireless communication protocols that may be used for the short-range wireless connection are BluetoothTM, WiFiTM, Zigbee®, Z-Wave®, wireless Universal Serial Bus, USB, or infrared protocols, or via any other suitable wireless
  • the devices first needs to be paired or bonded.
  • the two devices establish a relationship by creating a shared secret known as a link key. If both devices agree on and store the same link key, they are said to be paired or bonded.
  • BluetoothTM standards One example is secure simple pairing using Pass key entry. This method may be used between a device with a simple display, such as the water purifier 110, and a device with numeric keypad entry (such as a keyboard) , such as the cycler 20. Then the display presents a 6-digit numeric code to the user, who then enters the code on the keypad.
  • Wired Equivalent Privacy WEP
  • key used in Wi-Fi or any other PIN code used in connection with the initiation of the short-range wireless connection.
  • the method comprises an initial step of pairing SI the dialysis machine with the external medical equipment for communication over a secure short-range wireless connection using the first shared key.
  • the devices are paired .
  • an already existing bonding table may be used for establishing the connection.
  • this step is optional, which is illustrated with dashed lines in Fig. 2a.
  • the first key may be deleted from either device, which removes the bond between the devices. If one of the devices have deleted the link key, then the pairing needs to be repeated.
  • the proposed method comprises establishing S2 a short-range wireless connection between the dialysis machine and the external medical equipment.
  • a BluetoothTM pass key or link key herein referred to as the first shared key, is associated with the short-range wireless connection in the sense that it is used to pair the devices. That the first key is shared herein means that it is known by both devices. However, note that the connection as such does typically not require that the devices are in time synchronization. In other words, a system clock of the
  • dialysis machine may typically have a different time than a system clock of the external medical equipment .
  • the proposed method adds an enhanced authentication procedure on top of the wireless short-range protocol. The added
  • the BluetoothTM passkey may be stored in a memory or other data storage (with limited access) in the respective device.
  • the obtaining S3 e.g. corresponds to that the first shared key is read from a memory in the dialysis machine.
  • the generation S4 of the set of second shared keys is performed when the passkey is entered. Then the obtaining S3 corresponds to obtaining the passkey from a user interface. Note that the obtaining S3 and the generating S4 is according to some embodiments performed before the short-range connection is established S2.
  • the set of second shared keys is e.g. generated by creation of a key table using at least one predetermined criterion, such as an algorithm and one or more cryptographic salts that represent the unique organization and/or product line
  • a salt is random data that is used as an additional input to an algorithm.
  • the set of second shared keys is unique for every first shared key, which implies that a device needs to have access to both the first shared key and the at least one predetermined criterion or rule to re-create it.
  • the generated set of second shared keys may be stored e.g. in a memory, for later use.
  • Each second shared key is typically longer than the first shared key.
  • the second shared keys may be between 16-256 bits.
  • the number of second shared key may vary depending on circumstances. The higher the number of second shared keys, the higher security.
  • the set of shared keys comprises only one shared key.
  • the idea is that the dialysis machine and the external medical equipment both know the at least one predetermined criterion that is used to generate the set of second shared keys.
  • the at least one predetermined criterion is e.g. an algorithm or other formula and possibly some parameters, salts, strings etc.
  • the at least one predetermined criterion is e.g. applied to the first shared key.
  • the algorithm takes the first shared key as an input parameter. In this way two corresponding sets of second shared keys may be generated without any additional key exchange, apart from what is already required to establish the short-range wireless connection.
  • the set of second shared keys in the dialysis machine is referred to as the "set of second shared keys” and the set of shared keys in the external medical equipment is referred to as the "corresponding set of second shared keys”.
  • these sets are equal, but theoretically it could work if one of the sets is a subset of the other, provided that a second shared key included in both subsets is used.
  • the set of second shared keys may comprise one or several second shared keys.
  • the second shared keys are stored in a table, where each entry is defined by an index. If there is only one key in the table, then no index is needed.
  • the obtaining S3 and the generating S4 needs to be repeated every time the BluetoothTM bonding table is updated. However, if the dialysis machine and the external medical equipment are already paired and the set of second shared keys have already been generated and stored, then these steps need not be performed. Hence, according to some embodiments these steps are optional, which is illustrated with dashed lines in Fig. 2a.
  • the authentication may be initiated.
  • the authentication is initiated by the dialysis machine, which acts as a master.
  • the external medical equipment acts as a slave.
  • Authentication is initiated by the dialysis machine selecting one particular second shared key that is to be used for the authentication.
  • the method comprises obtaining S5 a second shared key from the set of second shared keys.
  • the set of second shared keys has been generated, in the dialysis machine, using the first shared key. This step typically means that the second shared key is read from a memory, which typically has restricted access. However, it may also be obtained directly from where it is generated.
  • the obtaining S5 comprises randomly selecting one key from the set of second shared keys. Random selection improves security, as it is unpredictable which second shared key will be used. Then an authentication request is generated using the selected or obtained second shared key.
  • the authentication request typically comprises information such as at least one of:
  • the authentication request typically also has to comprise an identifier defining the particular second shared key.
  • the identifier is e.g. an index of a table comprising the set of second shared keys.
  • the authentication request also comprises a cryptographic signature, herein referred to as a first signature.
  • the cryptographic signature is e.g. generated taking the first shared key and the other data in the authentication request as input.
  • the first signature may then be appended to the other data in the authentication request.
  • the first signature is generated using a cryptographic hash function.
  • the first signature may be used by a receiving part to verify the authenticity of the authentication request as will be further explained below (Fig. 3a) .
  • the method comprises generating S6 a first signature, using the obtained second shared key and a dialysis machine system time.
  • the dialysis machine system time is not included in the authentication request and the generating is not based on the dialysis machine system time.
  • the manufacturer of the dialysis machine may then make sure that the dialysis machine is never used with unknown external medical equipment, that may jeopardize safety of the dialysis treatment or cause damage to the dialysis machine, which would be the case if using only e.g. the open BluetoothTM protocol.
  • the authentication request is implemented using Json Web Token, JWT .
  • JWT is an Json Web Token
  • JWT JSON Web Token
  • JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
  • the protocol is efficient, easy and thoroughly tested.
  • the authentication request is created, it is sent to the external medical equipment.
  • the method then comprises sending S7 the authentication request comprising the generated first signature to the external medical equipment.
  • the sending typically comprises sending the authentication request e.g. a Json web token, over the short-range wireless connection.
  • the external medical equipment may then
  • the same procedure will be repeated by the external medical equipment. Consequently, the external medical equipment will generate a signed authentication accept (or authentication response) and send it back to the dialysis machine. This message is equal or similar to the
  • the signature of the authentication accept is herein referred to as a second signature.
  • the second signature is generated using a hash function. Typically, the same as when generating the first signature.
  • the creation of the authentication accept will be further described in
  • the dialysis machine will then receive the authentication accept.
  • the method for use in the dialysis machine then comprises, receiving S8, from the external medical equipment, an authentication accept comprising a second signature.
  • the second signature has been generated in the external medical equipment using the external medical equipment system time and a second shared key from the
  • the corresponding set of second shared keys has been generated in the external medical equipment using the first shared key.
  • the dialysis machine can then verify the authenticity of the external medical equipment through the second signature.
  • the method for use in the dialysis machine then comprises, verifying S9 the authenticity of the external medical
  • the second signature is re-generated using the same cryptographic
  • the dialysis machine knows that the external medical equipment is authentic and that it can be trusted. The medical equipment may then go into a service mode, which means that the external medical
  • the standard BluetoothTM pairing does not provide any time synchronization of the paired devices.
  • the difference in time between the system clocks of the dialysis machine and the external medical equipment may cause problems in the authentication, even if they are paired. This is an issue that cannot be handled by e.g. the proposed JWT protocol, as web servers are typically synchronized in time .
  • a time synchronization error i.e. that the time difference between the system time of the dialysis machine and the external medical equipment is above a predefined level
  • the external medical equipment responds with a response indicating a synchronization error.
  • the response will include the system time of the external medical equipment. Reception of such a response will cause the dialysis machine to repeat the procedure of generating the authentication request, but using the system time of the external medical equipment instead.
  • the first signature is dependent on the system time, the first signature also needs to be re-generated. This may be done using the same second shared key as in the
  • the method comprises, upon receiving S7a from the external medical equipment a response indicating a synchronization error and comprising external medical equipment system time, regenerating S7b the first signature, using the external medical equipment system time.
  • the method then comprises sending S7c, an authentication request comprising the re-generated first signature to the external medical equipment .
  • the external medical equipment is then typically able to verify the (regenerated) authentication request, as it has been generated the external medical equipment's own system time. Thus, there cannot be a synchronization error. Consequently, the external medical equipment may proceed and generate and send the authentication accept as described above.
  • the dialysis machine is in this case also aware of the time synchronization problem. Hence, it may also consider the problem when receiving the authentication accept. Thus, the dialysis machine may select to use the external medical equipment system time when verifying the verification accept. If this is not done, the same synchronization problem as described above may occur in the dialysis machine.
  • the verifying S9 comprises verifying the authenticated connection using the external medical equipment system time.
  • the method comprises sending S10, to the external medical equipment, a request to
  • the method is typically performed in the external medical equipment in parallel (or at least partly in parallel) with the method for use in the dialysis machine described in Figs. 2a and 2b.
  • the method is for use in external medical equipment, such as the water purifier 110 of Fig. 1, described above.
  • the method may be implemented as program code and saved in a memory of the external medical equipment.
  • the steps of the method may be defined in a computer program, comprising instructions which, when the program is executed by a computer e.g. the control unit 22 (Fig. 1) , cause the computer to carry out the method.
  • the steps of the method may also be defined in a computer-readable medium, e.g. a removable memory such as a
  • the computer-readable medium then comprises instructions, which, when executed by a computer, cause the computer to carry out the method.
  • the method comprises an initial step of pairing S21 the dialysis machine with the external medical equipment for communication over a secure short-range wireless connection.
  • the pairing uses a first shared key, such as a passkey or link key. This corresponds to step SI in the method of Fig.3a.
  • the method then comprises establishing S22 a short-range wireless connection between the external medical equipment and the dialysis machine. This step corresponds to step S2 in the method of Fig.3a. As described above, a first shared key is associated with the short-range wireless connection.
  • the dialysis machine comprises a set of second shared keys
  • the authentication is based on using a second shared key from a set of shared keys.
  • the dialysis machine and the external medical equipment generate corresponding sets of second shared keys using at least one predetermined rule or criterion and a first shared key. This step does not need to be performed for every
  • the method comprises obtaining S23, the first shared key and generating S24 a set of second shared keys based on the first shared key.
  • the obtaining S23 and the generating S24 is according to some embodiments performed before the wireless short-range connection is established S22.
  • the actual authentication procedure is typically started by the dialysis machine.
  • the authentication procedure is initiated upon receiving an authentication request from the dialysis machine.
  • the method for use in the external medical equipment comprises receiving S25 from the dialysis machine, an
  • the authentication request comprising a first signature, wherein the first signature has been generated in the dialysis machine using the dialysis machine system time and a second shared key from a set of second shared keys.
  • This step corresponds to receiving the authentication request generated in step S7 above .
  • the method then comprises obtaining S26 the second shared key from a corresponding set of second shared keys that has been generated in the external medical equipment from the first shared key. In other words, the external medical equipment needs to find the particular key that has been used to
  • the authentication request comprises an index that is used to read an entry in a table, where the set of second shared keys are stored.
  • the second shared key is obtained from the table using an index of the table comprised in the authentication request. If the set of shared keys only comprises one shared key, then that key is simply used.
  • the authentication request is then verified.
  • the verification may comprise that data comprised in the request, e.g. the first signature, is checked or verified. As mentioned above this may be done by re-generating the first signature using the same cryptographic algorithm as used when generating the signature.
  • the cryptographic algorithm may be defined by the protocol used.
  • the method typically comprises at least verifying S28 the authenticity of the dialysis machine using the obtained second shared key and external medical equipment system time.
  • the verifying S28 may also comprise verifying other data comprised in the authentication request such as dialysis machine identity (e.g. a device ID), creation time of the first signature, i.e. that the validity of the first signature has not expired.
  • the verification S28 may according to some embodiments also take into account other data comprised in the request, such as system time information, expiry time, dialysis machine
  • the authentication accept (or response) sent in response to the authentication request typically comprises a signature generated in the external medical equipment, herein referred to as a second signature.
  • the second signature is generated using a second shared key.
  • a second shared key from the corresponding set of shared keys is obtained, e.g. by randomly selecting one second shared key from a table.
  • the method for use in the external medical equipment comprises generating S210, upon the verifying S28 being successful, a second signature, using a second shared key, from the corresponding set of second shared keys, and a dialysis machine system time.
  • the method further comprises sending S211 an authentication accept comprising the generated second signature, to the dialysis machine.
  • the authentication accept typically has the same, or a similar, format as the authentication request e.g. JWT .
  • the authentication is then received and verified by the dialysis machine as described in step S8 and step S9 above.
  • the second signature may be used by the dialysis machine to verify that the external medical equipment is authentic or trusted.
  • the authentication is completed.
  • the water purifier 110 is considered to be an authentic water purifier.
  • the dialysis machine may, after successful authentication, request Sll the external medical equipment to update its system time to match the system time of the
  • the method comprises receiving S212 from the dialysis machine a request to synchronize the external medical equipment system time with the dialysis machine system time. This step corresponds to the request to synchronize the external medical equipment system time of step S10 described in connection with Fig.3a.
  • the system time of the dialysis machine and the external medical equipment are not necessarily in synchronization, which may cause problem in the
  • the external medical equipment may compare the dialysis machine system time received in the authentication request with an internal external medical equipment system time. In other words, according to some embodiments the method
  • the method comprises, upon the verifying indicating that the dialysis machine system time and the external medical equipment system time differing above a pre-determined amount sending S27a to the dialysis machine, a response indicating a synchronization error and comprising the external medical equipment system time.
  • the dialysis machine will receive S7a the response indicating a synchronization error, and respond to the response indicating a synchronization error by re-generating S7b using the external medical equipment system time and re-sending S7c the authentication request.
  • the method for use in the external medical equipment comprises receiving S27b from the dialysis machine an authentication request comprising a re-generated first signature that has been re- generated using the external medical equipment system time.
  • Figs. 4a and 4b is a signaling diagram illustrating signaling between the dialysis machine and the external medical
  • Figs. 4a and 4b the interaction between dialysis machine and the external medical equipment performing the respective methods can be seen.
  • Fig. 5 An example implementation of a dialysis machine configured to perform the methods described above will now be described using the cycler 20 of Fig. 1 as an example. Reference is in particular made to Fig. 5 illustrating the cycler 20 in more detail. Note that Fig. 5 is only a conceptual drawing and that it mainly illustrates parts of the cycler 20 that are related to the proposed technique.
  • the cycler 20 comprises a housing 24, a user interface 30, a speaker 34 and a control unit 22 also referred to as control circuitry .
  • the control unit 22 typically comprises one or more microprocessors 222 and/or one or more circuits, such as an application specific integrated circuit (ASIC) , field- programmable gate arrays (FPGAs) , and the like.
  • ASIC application specific integrated circuit
  • FPGAs field- programmable gate arrays
  • the control unit 22 comprises short-range communication interface 221.
  • the short-range communication interface 221 comprises a wireless communication circuit configured for sending information to and receiving information from control unit 22 of external medical equipment, herein exemplified by the water purifier 110 of Fig. 1. Wireless communication may be performed via any of BluetoothTM, WiFiTM, Zigbee®, Z-Wave®, wireless Universal Serial Bus (“USB”) , or infrared protocols, or via any other suitable wireless communication technology.
  • the short-range communication interface 221 is for example a BluetoothTM chip, configured to be controlled by the one or more microprocessors 222, e.g. through AT commands.
  • the short- range communication interface 221 is according to some
  • control unit 22 comprises at least one memory 223, such as a non-transitory memory unit (e.g., a hard drive, flash memory, optical disk, etc.) and/or volatile storage apparatuses (e.g., dynamic random access memory (DRAM) ) .
  • the memory 223 is configured to store data such as the first and the second shared keys or a computer program configured to execute the proposed method.
  • the user interface 30 e.g. includes a display 32, which may operate with a touch screen overlay placed onto the display 32 for inputting commands via user interface 30 into control unit 22.
  • the user interface 30 may also include one or more electromechanical input device, such as a membrane switch or other button, e.g. a key board (not shown) .
  • the user interface is e.g. configured to display a BluetoothTM passkey to a user or to let a user input a BluetoothTM passkey.
  • the control unit 22 may further include an audio controller for playing sound files, such as voice activation commands, at the speaker 34.
  • the speaker may e.g. indicate to a user when the cycler 20 is paired .
  • the control unit 22 is configured to cause the cycler 20 to perform all aspects of the method described above (Fig. 2a-c) .
  • the one or more microprocessors 222 are
  • control unit 22 is configured to cause the cycler 20 to establish, using the short-range
  • the control unit is further configured to obtain a second shared key from a set of second shared keys, wherein the set of second shared keys has been generated, in the cycler 20, using the first shared key and to generate a first signature, using the obtained second shared key and a cycler system time.
  • the cycler is configured to send, using the short-range communication interface 221, to the water purifier 110, an authentication request comprising the generated first signature and to receive, using the short- range communication interface 221, from the water purifier 110, an authentication accept comprising a second signature.
  • the second signature has been generated in the water purifier 110 using a water purifier system time and a second shared key from a corresponding set of second shared keys. As already explained above, the corresponding set of second shared keys has been generated in the water purifier 110 using the first shared key.
  • the cycler is configured to verify the authenticity of the water purifier 110 based on the second signature.
  • the control unit 22 is configured to establish a secure communication with the water purifier 110 as described above (Fig.2a) .
  • control unit 22 is
  • control unit configured to cause the cycler 20 to, upon receiving, from the water purifier, a response indicating a synchronization error and comprising a water purifier system time re-generate the first signature, using the water purifier system time and send, using the short-range communication interface, an authentication request comprising the re-generated first signature to the water purifier. Then the control unit is typically also configured to verify the authenticated
  • control unit 22 is configured to use the water purifier system time during the authentication procedure, in response to receiving a message that indicates that there is a synchronization error.
  • control unit 22 is
  • control unit 22 is
  • control unit 22 is
  • control unit 22 is configured to cause the cycler 20 to send, using the short- range communication interface 221, a request to synchronize the water purifier system time with the cycler system time to the water purifier.
  • control unit 22 is
  • a request comprising at least one of an expiry time, a present time, a device name.
  • Fig. 6 mainly illustrates parts of the water purifier 110 that are related to the proposed technique.
  • the water purifier 110 comprises a control unit 112, also referred to as control circuitry, a user interface 120 and a speaker 124.
  • the control unit 112 typically comprises one or more
  • microprocessors 1122 and/or one or more circuits such as an application specific integrated circuit (ASIC) , field- programmable gate arrays (FPGAs) , and the like.
  • ASIC application specific integrated circuit
  • FPGAs field- programmable gate arrays
  • control unit 112 comprises short-range communication interface 1121.
  • the short-range communication interface 1121 comprises a wireless
  • Wireless communication may be performed via any of BluetoothTM, WiFiTM, Zigbee®, Z-Wave®, wireless Universal Serial Bus (“USB”) , or infrared protocols, or via any other suitable wireless communication technology.
  • the short-range communication interface 1121 is for example a BluetoothTM chip, configured to be controlled by the included one or more microprocessors 1122, e.g. through AT commands. According to some embodiments the short-range communication interface 1121 is arranged external to the control unit 112.
  • control unit 112 comprises at least one memory 1123, such as a non-transitory memory unit (e.g., a hard drive, flash memory, optical disk, etc.) and/or volatile storage apparatuses (e.g., dynamic random access memory (DRAM) ) .
  • the memory 1123 is configured to store data such as the first and the second shared keys or a computer program configured to execute the proposed method.
  • the user interface 120 comprises a display 123 and one or more electromechanical input device, such as a membrane switch or other button. However, the user interface 120 does typically not comprise a proper keypad suitable for passkey entry.
  • the display 123 is configured receive data from the control unit 112 to show the data (e.g. a BluetoothTM passkey) to a user.
  • the control unit 112 may further comprise an audio controller for playing sound files, such as alarm or alert sounds, at one or more speaker 124 of water purifier 110.
  • the control unit 112 is configured to cause the water purifier 110 to perform all aspects of the method described above (Fig. 3a-c) .
  • the one or more microprocessors 1122 are configured to execute a computer program stored in the memory 1123 to achieve this.
  • control unit 112 is configured to cause the water purifier 110 to receive, using the short-range communication interface 1221, from the water purifier 110, an authentication request comprising a first signature.
  • the first signature has been generated in the cycler 20 using the cycler system time and a second shared key from a set of second shared keys.
  • the water purifier is configured to obtain the second shared key from a corresponding set of second shared keys that has been
  • the water purifier is configured to send, using the short-range communication interface 1221, an authentication accept comprising the generated second signature, to the cycler 20.
  • control unit 112 is
  • the water purifier 110 configured to cause the water purifier 110 to compare the external medical equipment system time and the cycler system time, and to send, using the short-range communication
  • the water purifier is configured to receive, from the cycler 20, an authentication request comprising a re-generated first
  • control unit 112 is
  • control unit 122 configured to cause the water purifier 110 to pair the cycler 20 with the water purifier 110 for communication over a secure short-range wireless connection, using the first shared key.
  • control unit 122 is configured to cause the water purifier 110 to obtain, the first shared key and generate a set of second shared keys based on the first shared key.
  • the set of second shared keys comprises a table of shared keys and wherein the second shared key. Then the control unit 122 is configured to cause the water purifier 110 to obtain the second shared key, from the table, using an index of the table comprised in the
  • control unit 122 is
  • control unit 122 is
  • Figs. 7a-7d illustrates signaling between the cycler 20 and the water purifier 110 (typically between the control unit 22 of the cycler 20 and the control unit 122 in the water
  • Fig.7a illustrates signaling during a first BluetoothTM, BT, connect, i.e. a BT pairing. This corresponds to steps S1-S4, S21-S24 in the methods above.
  • a patient installer who wants to connect a new cycler 20 powers on the cycler 20 and a water purifier 110.
  • the cycler 20 has no bond table or a previously cleared bond table.
  • the water purifier 110 does also not have any bond table .
  • the water purifier 110 then needs to be discoverable.
  • a standard BT pairing is started by the cycler being the master.
  • a pass key is displayed to the user on the display 123.
  • the user inputs the pass key on the keypad of the cycler 20.
  • the pairing procedure may then be completed by the wireless communication interface 221 of the cycler 20 and the wireless communication interface of the water purifier 1121 and bond tables are stored in the respective devices.
  • the cycler and the water purifier generates a respective JWT key table, including keys to be used for further
  • Fig.7b illustrates signaling during a BT connection between already paired devices, i.e. a cycler 20 with bond table and a water purifier 110 with bond table. This corresponds to steps S2, S22 in the methods above. In this scenario, there are already valid bond tables. Hence, after power on a BT
  • connection may be established at power on without any other action being taken.
  • Fig.7c illustrates signaling during a BT connection to new water purifier being established. This corresponds to steps S1-S4, SS-S4 in the methods above.
  • a patient/installer has a new water purifier that has no bond table and a cycler 20 with bond table of an old water purifier.
  • the cycler 20 will detect that the bond tables do not match. Hence, the cycler will ask the user/installer if the water purifier 110 has been replaced.
  • Fig.7d illustrates signaling during a BT Connection
  • the signaling is performed between a cycler 20 with bond table and JWT key table and the water purifier 110 with bond table and JWT key table.
  • the BT communication may be established through
  • the cycler then initiates the authentication by generating a Cycler JWT using Cycler time and a random key from the key table.
  • a connect message including the Cycler JWT is transmitted to the water purifier 110.
  • the water purifier 110 authenticates Cycler JWT using Water purifier time and Generate water purifier JWT using Water purifier time and random key from the key table.
  • the water purifier 110 sends an App level connect response including the water purifier JWT to the cycler 20. Then the water purifier authenticates the water purifier JWT using cycler time, whereby authenticated connection established.
  • Fig.7e illustrates signaling during a BT Connection
  • Fig. 7e corresponds to the embodiment of the methods illustrated in Fig. 2b and Fig. 3b.
  • the signaling is performed between a cycler 20 with bond table and JWT key table and the water purifier 110 with bond table and JWT key table.
  • the example embodiment of Fig. 7e differs from the example embodiment of Fig. 7d in that the first JWT timestamp is non- valid due to time out of synch. This causes the water purifier 110 to send a JWT level decline plus a current Water purifier time to the cycler in response to the app level connect message . The cycler 20 then generate a new JWT using water purifier time and random key from the key table. The cycler then sends a second app level connect including cycler JWT to the water purifier 110.
  • the water purifier 110 authenticates Cycler JWT using Water purifier time and Generates water purifier JWT using Water purifier time and random key from the key table.
  • the water purifier 110 sends an app level connect response including the water purifier JWT to the cycler 20. Then the water purifier authenticates the water purifier JWT using water purifier time, whereby authenticated connection established.
  • the cycler asks the water purifier to update its system time to match the cycler's system time in order to avoid future errors.
  • Fig. 7f illustrates an alternative implementation of the procedure for BT connect described in Fig. 7a.
  • the pairing is in this implementation triggered by a user providing user input (e.g. a command "New Cycler") first at the water purifier 110, and then at the cycler 20.
  • the user input may be entered e.g. using a button, keypad or other user interface.
  • Manual trigger of the pairing on both sides i.e. both at the dialysis machine and the water purifier
  • the water purifier 110 will in response to receiving this command clear its bond table and enter a discoverable mode. It will also generate a passkey (e.g. a PIN) and display the passkey on a display of the water purifier 110.
  • a passkey e.g. a PIN
  • the cycler 20 in response to receiving the command, also clears its bond table and initiates the standard BT pairing procedure by starting to scan for a BT beacon transmitted by the water purifier 110.
  • the cycler 20 will provide instructions to the user to "Read and enter PIN" (e.g. via a user interface such as a key board) .
  • the user is instructed to read the passkey displayed at the water purifier 110 and to input the passkey in the cycler 20.
  • the passkey is available at both sides, the standard BT pairing is completed according to the standard procedure and the JWT key table to use when establishing the secure connection is then generated.
  • the method is similar to the corresponding steps inFig. 7a.
  • the proposed methods or establishing a secure connection is then performed in the same manner as described in

Landscapes

  • Health & Medical Sciences (AREA)
  • Engineering & Computer Science (AREA)
  • Biomedical Technology (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Epidemiology (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Primary Health Care (AREA)
  • Public Health (AREA)
  • External Artificial Organs (AREA)

Abstract

La présente invention concerne une machine de dialyse, un équipement médical externe et des procédés pour établir une connexion authentifiée entre une machine de dialyse et un équipement médical externe. La machine de dialyse est amenée à établir (S2) une connexion sans fil à courte portée entre la machine de dialyse et l'équipement médical externe. Une première clé partagée est associée à la connexion sans fil à courte portée. La machine de dialyse est en outre configurée pour obtenir (S5) une seconde clé partagée générée à l'aide de la première clé partagée et pour générer (S6) une première signature, à l'aide de la seconde clé partagée obtenue. La machine de dialyse est en outre configurée pour envoyer (S7) à l'équipement médical externe une requête d'authentification comprenant la première signature générée et pour recevoir (S8) en retour une acceptation d'authentification comprenant une seconde signature. En outre, l'unité de commande est configurée pour vérifier (S9) l'authenticité de l'équipement médical externe à l'aide de la seconde signature. La présente invention porte également sur un programme d'ordinateur et sur un produit-programme d'ordinateur mettant en œuvre le procédé.
PCT/EP2018/065661 2017-06-15 2018-06-13 Machine de dialyse, équipement médical externe et procédés permettant d'établir une communication sécurisée entre une machine de dialyse et un équipement médical externe WO2018229129A1 (fr)

Priority Applications (6)

Application Number Priority Date Filing Date Title
EP23191913.5A EP4271018A3 (fr) 2017-06-15 2018-06-13 Machine de dialyse, équipement médical externe et procédés pour établir une communication sécurisée entre une machine de dialyse et un équipement médical externe
CN201880040157.3A CN110770846B (zh) 2017-06-15 2018-06-13 透析机、外部医疗设备以及在透析机和外部医疗设备之间建立安全通信的方法
US16/619,728 US11343105B2 (en) 2017-06-15 2018-06-13 Dialysis machine, external medical equipment and methods for establishing secure communication between a dialysis machine and external medical equipment
EP18732707.7A EP3639274B1 (fr) 2017-06-15 2018-06-13 Machine de dialyse, équipement médical externe et procédés permettant d'établir une communication sécurisée entre une machine de dialyse et un équipement médical externe
US17/750,714 US11695572B2 (en) 2017-06-15 2022-05-23 Dialysis machine, a fluid preparation device, and methods for establishing secure communication between a dialysis machine and a fluid preparation device
US18/217,735 US20230353386A1 (en) 2017-06-15 2023-07-03 Dialysis machine, medical equipment, and methods for establishing secure communication between a dialysis machine and medical equipment

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201762519994P 2017-06-15 2017-06-15
SE1750761-7 2017-06-15
SE1750761 2017-06-15
US62/519994 2017-06-15

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US16/619,728 A-371-Of-International US11343105B2 (en) 2017-06-15 2018-06-13 Dialysis machine, external medical equipment and methods for establishing secure communication between a dialysis machine and external medical equipment
US17/750,714 Continuation US11695572B2 (en) 2017-06-15 2022-05-23 Dialysis machine, a fluid preparation device, and methods for establishing secure communication between a dialysis machine and a fluid preparation device

Publications (1)

Publication Number Publication Date
WO2018229129A1 true WO2018229129A1 (fr) 2018-12-20

Family

ID=64660899

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2018/065661 WO2018229129A1 (fr) 2017-06-15 2018-06-13 Machine de dialyse, équipement médical externe et procédés permettant d'établir une communication sécurisée entre une machine de dialyse et un équipement médical externe

Country Status (1)

Country Link
WO (1) WO2018229129A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020120742A1 (fr) * 2018-12-14 2020-06-18 Gambro Lundia Ab Appariement d'une machine de dialyse et d'un équipement médical externe, et procédés d'établissement d'une communication sûre entre la machine de dialyse et l'équipement médical externe

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0535863A2 (fr) * 1991-10-02 1993-04-07 AT&T Corp. Protocole cryptographique pour une communication récurisée
WO2004070995A2 (fr) * 2003-02-01 2004-08-19 Baxter International Inc. Systeme et procede d'authentification de dispositif medical
US20140288947A1 (en) * 2002-01-29 2014-09-25 Baxter International Inc. System and method for communicating with a dialysis machine through a network
EP2857054A1 (fr) * 2009-05-20 2015-04-08 Baxter International Inc Système de collecte automatique de données de paramètres de patient utilisant la technologie câblée ou sans fil

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0535863A2 (fr) * 1991-10-02 1993-04-07 AT&T Corp. Protocole cryptographique pour une communication récurisée
US20140288947A1 (en) * 2002-01-29 2014-09-25 Baxter International Inc. System and method for communicating with a dialysis machine through a network
WO2004070995A2 (fr) * 2003-02-01 2004-08-19 Baxter International Inc. Systeme et procede d'authentification de dispositif medical
EP2857054A1 (fr) * 2009-05-20 2015-04-08 Baxter International Inc Système de collecte automatique de données de paramètres de patient utilisant la technologie câblée ou sans fil

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020120742A1 (fr) * 2018-12-14 2020-06-18 Gambro Lundia Ab Appariement d'une machine de dialyse et d'un équipement médical externe, et procédés d'établissement d'une communication sûre entre la machine de dialyse et l'équipement médical externe

Similar Documents

Publication Publication Date Title
EP3639274B1 (fr) Machine de dialyse, équipement médical externe et procédés permettant d'établir une communication sécurisée entre une machine de dialyse et un équipement médical externe
CN110574119B (zh) 安全地分发医疗处方
AU2013288269B2 (en) Communication secured between a medical device and its remote control device
CN109155732B (zh) 在网络设备之间建立安全通信的方法和装置
TW202223708A (zh) 基於身份之安全醫療裝置通訊
US20240031133A1 (en) A medical equipment, an authentication server and methods for authorizing a user access to an equipment via an equipment user interface
WO2018229129A1 (fr) Machine de dialyse, équipement médical externe et procédés permettant d'établir une communication sécurisée entre une machine de dialyse et un équipement médical externe
US11995221B2 (en) Authentication of medical device computing systems by using metadata signature
JP2023530732A (ja) 医療装置間のセキュアな相互運用性のための方法およびシステム
WO2020120742A1 (fr) Appariement d'une machine de dialyse et d'un équipement médical externe, et procédés d'établissement d'une communication sûre entre la machine de dialyse et l'équipement médical externe
CN118280549A (zh) 透析机、外部医疗设备以及在透析机和外部医疗设备之间建立安全通信的方法
AU2015202677B2 (en) System and methods for online authentication
JPWO2021257664A5 (fr)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18732707

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2018732707

Country of ref document: EP

Effective date: 20200115