Method and system for remote programming of an implantable medical device
A two-factor authentication process using a proprietary medical device and smartphone or tablet ensures secure remote programming of implantable devices by verifying patient consent through proximity and multiple verification steps, enhancing security against manipulation.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- BIOTRONIK SE & CO KG
- Filing Date
- 2025-12-02
- Publication Date
- 2026-06-25
AI Technical Summary
Existing remote programming systems for implantable medical devices lack sufficient security measures to ensure patient consent is genuinely provided and verified, as they are vulnerable to manipulation and unauthorized access.
A two-factor authentication process involving a proprietary medical device and a smartphone or tablet, where a first release token is generated on the medical device and displayed, read by the smartphone or tablet, and a second release token is scanned, ensuring proximity and patient approval, with cryptographic checks and separate communication channels for verification.
Enhances security by ensuring patient consent is genuinely provided and verified, reducing the risk of unauthorized programming changes.
Smart Images

Figure EP2025085044_25062026_PF_FP_ABST
Abstract
Description
[0001] Applicant: BIOTRONIK SE & Co. KG
[0002] Date: 02.12.2025
[0003] Our Reference: 24.146P-WO
[0004] Method and system for remote programming of an implantable medical device
[0005] The invention relates to a medical communication system for remote programming of an implantable medical device.
[0006] Furthermore, the invention relates to a computer-implemented method for remote programming of an implantable medical device.
[0007] In some cases, remote programming requires a declaration of consent from the patient. Multi-factor authentication is suitable for this, which ensures that the patient device and smartphone are in the immediate vicinity of the patient and are actively operated by the patient. Declaration of consent can be made e.g. by telephone or via an app on the patient's smartphone or via a dedicated menu on the patient's device.
[0008] In general, it is not considered safe to declare consent exclusively by telephone, as the system cannot automatically check the declaration of consent via a secure channel. The patient's consent can only be checked by the user of the service provider, i.e. clinical staff, who confirms this to the service provider via a user interface. The user can be an attacker who has gained unauthorized access and thus simply confirms to the system that consent has been given.
[0009] A declaration of consent via the app on the patient's smartphone, which transmits an activation token to the system, for example, is only partially secure, as the patient's smartphone could have been manipulated by the attacker. The manipulation of a smartphone is more likely than the manipulation of a proprietary medical device, which is a closed system with very few interfaces. It is therefore an object of the present invention to provide an improved medical communication system for remote programming of an implantable medical device comprising providing enhanced safety.
[0010] The object is solved by medical communication system for remote programming of an implantable medical device having the features of claim 1.
[0011] In addition, the object is solved by a computer-implemented method for remote programming of an implantable medical device having the features of claim 13.
[0012] Moreover, the object is solved by a computer program having the features of claim 14 and by a computer-readable data carrier having the features of claim 15.
[0013] Further developments and advantageous embodiments are defined in the dependent claims.
[0014] According to a first aspect, the present invention provides a medical communication system for remote programming of an implantable medical device.
[0015] The system comprises a data input means configured to provide a request for remote programming of the implantable medical device to a computing device of a service provider.
[0016] The system further comprises the computing device of the service provider, said computing device being configured to, based on the request for remote programming of the implantable medical device, generate a first release token sent to a first patient device, in particular a patient communication device.
[0017] Furthermore, the system comprises the first patient device configured to, based on the first release token generate a second release token and display the second release token on a screen of the first patient device, and a second patient device, in particular a smartphone or tablet device, configured to read the second release token, wherein the second patient device is further configured to display information comprised by the second release token relating to the request for remote programming of the implantable medical device on a screen of the
[0018] 24.146P-WO / 02.12.2025 second patient device, wherein the second patient device, upon patient approval of the request for remote programming of the implantable medical device comprised by the second release token is configured to send the second release token to the computing device of the service provider, and wherein upon verification of the second release token by the computing device of the service provider, the computing device of the service provider is configured to authorize the remote programming of the implantable medical device.
[0019] According to a second aspect, the present invention provides a computer-implemented method for remote programming of an implantable medical device.
[0020] The method comprises providing a request for remote programming of the implantable medical device to a computing device of a service provider, and based on the request for remote programming of the implantable medical device, generating a first release token by the computing device of a service provider and sending the first release token to a first patient device, in particular a patient communication device.
[0021] In addition, the method comprises based on the first release token generating a second release token by the first patient device and displaying the second release token on a screen of the first patient device, and reading the second release token by a second patient device, in particular a smartphone or tablet device.
[0022] The method moreover comprises displaying information comprised by the second release token relating to the request for remote programming of the implantable medical device on a screen of the second patient device, and upon patient approval of the request for remote programming of the implantable medical device comprised by the second release token, sending the second release token to the computing device of the service provider.
[0023] Furthermore, the method comprises upon verification of the second release token by the computing device of the service provider, authorizing the remote programming of the implantable medical device.
[0024] 24.146P-WO / 02.12.2025 In addition, the present invention provides a computer program with program code to perform the method of the present invention when the computer program is executed on a computer. Moreover, the present invention provides a computer-readable data carrier containing program code of a computer program for performing the method of the present invention when the computer program is executed on a computer.
[0025] An idea of the present invention is that the first patient device, i.e. the proprietary device shows information on a display. This is read by the second device, i.e. smartphone or tablet.
[0026] The application interprets this information and uses it to generate a release token for reprogramming. This ensures that both the proprietary device and the smartphone or tablet are near or in close proximity to each other and that the generation of the release token was initiated by an active action of the patient on site. Near or in close proximity to each other means that the distance between the proprietary device and the smartphone or tablet is a maximum of one meter, in particular a maximum of 20 cm.
[0027] Furthermore, cryptographic procedures such as signatures can be used to ensure the authenticity of the transmitted release tokens and other information. If the cryptographic check of one of the release tokens fails, the remote programming request is not displayed on the smartphone, but a corresponding message is sent to a security monitoring system in the backend of the service provider.
[0028] A token is defined as a sequence of related characters or sequence of bits, which in the present case comprises is translatable into a machine-readable code. The term release token refers to the fact its function is to allow release of remote programming of the implantable medical device by the computing device of a service provider.
[0029] In a further aspect, it is proposed that the second release token comprises a machine-readable code, in particular a QR-Code, wherein the second patient device is configured to scan the machine-readable code via a camera of the second patient device, wherein an app of the second patient device is configured to interpret the machine-readable code and display
[0030] 24.146P-WO / 02.12.2025 information comprised by the machine-readable code relating to the request for remote programming of the implantable medical device on the screen of the second patient device.
[0031] By scanning, the patient gives their consent for remote programming. Scanning also ensures that the declaration of consent has been given by a human actor who is in possession of the second patient device.
[0032] In a further aspect, it is proposed that the computing device of the service provider is configured to send a first message to the second patient device notifying the patient that the first release token has been generated and sent to the first patient device. The patient is thus alerted to the fact that he or she should scan the machine-readable code displayed on the first patient device.
[0033] In a further aspect, it is proposed that the first message further comprises a request for the patient to contact a medical service provider, in particular a medical practice or hospital, via a separate communication channel, in particular via telephone, in order to verify an authenticity of the request for remote programming of the implantable medical device.
[0034] In doing so a two-factor authentication is performed. On the one hand, the first release token contains information that it was generated by the computing device of the service provider. On the other hand, the patient verifies the information via a separate communication channel to ensure that the message is authentic.
[0035] In a further aspect, it is proposed that upon verifying the authenticity of the request for remote programming of the implantable medical device, the second patient device is configured to display a second message notifying the patient to scan the machine-readable code via the camera of the second patient device.
[0036] Due to the fact that the first patient device is a proprietary device within a closed system security is enhanced since the code generation and interpretation are performed on two separate devices compared to a case where the machine-readable code is generated directly by the second patient device.
[0037] 24.146P-WO / 02.12.2025 In a further aspect, it is proposed that the first release token comprises identification data of the computing device of a service provider, and wherein the second release token comprises identification data of the first patient device. Thus, the identity of each of the devices can be safely verified.
[0038] In a further aspect, it is proposed that the second release token comprises the first release token and the machine-readable code displayed on the screen of the first patient device. The second release token incorporating the first release token thus forms an end-to-end token chain enhancing security of the overall system.
[0039] In a further aspect, it is proposed that the app of the second patient device is configured to generate a third message asking for patient approval of the request for remote programming of the implantable medical device. After scanning the machine-readable code and reading the information contained with it, the patient then uses an appropriate action.
[0040] In a further aspect, it is proposed that the third message comprises a choice of approving or disapproving the request for remote programming of the implantable medical device. After performing the two-factor authentication, the patient can thus be sure of the authenticity of the message and make an appropriate choice either approving or disapproving the remote programming request for the implantable medical device.
[0041] In a further aspect, it is proposed that the third message comprises situational information relating to the request for remote programming of the implantable medical device, said situational information comprising reprogramming parameters. Said situational information can advantageously assist the patient in verifying the authenticity of the message since the situational information, if correct, coincides with a treatment plan of the patient and / or prior discussion with a healthcare provider that the patient is aware of.
[0042] In a further aspect, it is proposed that the third message comprises a first authentication code that the patient verifies against a second verification code previously provided to the patient by the medical service provider, in particular a medical practice or hospital.
[0043] 24.146P-WO / 02.12.2025 The authentication code thus advantageously provides an additional layer of safety in that further to communicating with the service provider via an alternative communication channel, the correctness of the safety code also needs to be verified.
[0044] In a further aspect, it is proposed that upon patient disapproval of the request for remote programming of the implantable medical device comprised by the second release token, canceling the remote programming of the implantable medical device is performed.
[0045] The patient thus has the power to approve or disapprove any suggested programming change of the implantable medical device such that no programming change of the implantable medical device may occur without consent of the patient.
[0046] The herein described features of the medical communication system for remote programming of an implantable medical device are also disclosed for the computer- implemented method for remote programming of an implantable medical device and vice versa.
[0047] For a more complete understanding of the present invention and advantages thereof, reference is now made to the following description taken in conjunction with the accompanying drawings. The invention is explained in more detail below using exemplary embodiments, which are specified in the schematic figures of the drawings, in which:
[0048] Fig. 1 shows a diagram of a medical communication system for remote programming of an implantable medical device according to a preferred embodiment of the invention; and
[0049] Fig. 2 shows a flowchart of a computer-implemented method for remote programming of an implantable medical device according to the preferred embodiment of the invention.
[0050] 24.146P-WO / 02.12.2025 The medical communication system 1 for remote programming of an implantable medical device 10 shown in Fig. 1 comprises a data input means 12 configured to provide a request 14 for remote programming of the implantable medical device 10 to a computing device 16 of a service provider and the computing device 16 of the service provider, said computing device 16 being configured to, based on the request 14 for remote programming of the implantable medical device 10, generate a first release token RT1 sent to a first patient device 18, in particular a patient communication device.
[0051] Furthermore, the medical communication system 1 comprises the first patient device 18 configured to, based on the first release token RT1 generate a second release token RT2 and display the second release token RT2 on a screen 19 of the first patient device 18, and a second patient device 20, in particular a smartphone or tablet device, configured to read the second release token RT2, wherein the second patient device 20 is further configured to display information comprised by the second release token RT2 relating to the request 14 for remote programming of the implantable medical device 10 on a screen 21 of the second patient device 20, wherein the second patient device 20, upon patient approval of the request 14 for remote programming of the implantable medical device 10 comprised by the second release token RT2 is configured to send the second release token RT2 to the computing device 16 of the service provider, and wherein upon verification of the second release token RT2 by the computing device 16 of the service provider, the computing device 16 of the service provider is configured to authorize the remote programming of the implantable medical device 10.
[0052] The second release token RT2 comprises a machine-readable code 22, in particular a QR- Code, wherein the second patient device 20 is configured to scan the machine-readable code 22 via a camera of the second patient device 20, wherein an app 24 of the second patient device 20 is configured to interpret the machine-readable code 22 and display information comprised by the machine-readable code 22 relating to the request 14 for remote programming of the implantable medical device 10 on the screen 21 of the second patient device 20.
[0053] 24.146P-WO / 02.12.2025 The computing device 16 of the service provider is configured to send a first message 26 to the second patient device 20 notifying the patient that the first release token RT1 has been generated and sent to the first patient device 18.
[0054] The first message 26 further comprises a request for the patient to contact a medical service provider, in particular a medical practice or hospital, via a separate communication channel, in particular via telephone, in order to verify an authenticity of the request 14 for remote programming of the implantable medical device 10.
[0055] Upon verifying the authenticity of the request 14 for remote programming of the implantable medical device 10, the second patient device 20 is configured to display a second message 28 notifying the patient to scan the machine-readable code 22 via the camera of the second patient device 20. The second message 28 is sent from the computing device 16 of the service provider to the second patient device 20.
[0056] The first release token RT1 comprises identification data of the computing device 16 of a service provider, and wherein the second release token RT2 comprises identification data of the first patient device 18.
[0057] The second release token RT2 comprises the first release token RT1 and the machine- readable code 22 displayed on the screen 19 of the first patient device 18.
[0058] In addition, the app 24 of the second patient device 20 is configured to generate a third message 30 asking for patient approval of the request 14 for remote programming of the implantable medical device 10.
[0059] The third message 30 comprises a choice of approving or disapproving the request 14 for remote programming of the implantable medical device 10.
[0060] Furthermore, the third message 30 comprises situational information relating to the request 14 for remote programming of the implantable medical device 10, said situational information comprising reprogramming parameters.
[0061] 24.146P-WO / 02.12.2025 Moreover, the third message 30 comprises a first authentication code 32 that the patient verifies against a second verification code 34 previously provided to the patient by the medical service provider, in particular a medical practice or hospital.
[0062] Upon patient disapproval of the request 14 for remote programming of the implantable medical device 10 comprised by the second release token RT2, canceling the remote programming of the implantable medical device 10 is performed.
[0063] Fig. 2 shows a flowchart of a computer-implemented method for remote programming of an implantable medical device 10 according to the preferred embodiment of the invention.
[0064] The method comprises providing SI a request 14 for remote programming of the implantable medical device 10 to a computing device 16 of a service provider, and based on the request 14 for remote programming of the implantable medical device 10, generating S2 a first release token RT1 by the computing device 16 of a service provider and sending the first release token RT1 to a first patient device 18, in particular a patient communication device.
[0065] Furthermore, the method comprises based on the first release token RT1 generating S3 a second release token RT2 by the first patient device 18 and displaying S4 the second release token RT2 on a screen 19 of the first patient device 18, reading S5 the second release token RT2 by a second patient device 20, in particular a smartphone or tablet device, and displaying S6 information comprised by the second release token RT2 relating to the request 14 for remote programming of the implantable medical device 10 on a screen 21 of the second patient device 20.
[0066] In addition, the method comprises upon patient approval of the request 14 for remote programming of the implantable medical device 10 comprised by the second release token RT2, sending S7 the second release token RT2 to the computing device 16 of the service provider, and upon verification of the second release token RT2 by the computing device 16 of the service provider, authorizing S8 the remote programming of the implantable medical device 10.
[0067] 24.146P-WO / 02.12.2025 Although specific embodiments have been illustrated and described herein, it will be understood by those skilled in the art that a variety of alternative and / or equivalent implementations exist. It should be noted that the exemplary embodiment or exemplary embodiments are examples only and are not intended to limit the scope, applicability or configuration in any way.
[0068] Rather, the foregoing detailed description provides the skilled person with a convenient guide to implementing at least one exemplary embodiment, it being understood that various changes in the scope of functionality and arrangement of the elements may be made without departing from the scope of the appended claims and their legal equivalents.
[0069] In general, this application intends to cover modifications or adaptations or variations of the embodiments disclosed herein. For example, a sequence of method steps may be modified. The method may further be carried out sequentially or in parallel, at least in part.
[0070] 24.146P-WO / 02.12.2025 Reference Signs
[0071] 1 medical communication system
[0072] 10 implantable medical device
[0073] 12 data input means
[0074] 14 request for remote programming of the implantable medical device
[0075] 16 computing device of a service provider
[0076] 18 first patient device
[0077] 19 screen of the first patient device
[0078] 20 second patient device
[0079] 21 screen of the second patient device
[0080] 22 machine-readable code
[0081] 24 app
[0082] 26 first message
[0083] 28 second message
[0084] 30 third message
[0085] 32 first authentication code
[0086] 34 second authentication code
[0087] RT1 first release token
[0088] RT2 second release token
[0089] S1-S8 method steps
[0090] 24.146P-WO / 02.12.2025
Claims
Claims1. Medical communication system (1) for remote programming of an implantable medical device (10), comprising: a data input means (12) configured to provide a request (14) for remote programming of the implantable medical device (10) to a computing device (16) of a service provider; the computing device (16) of the service provider, said computing device (16) being configured to, based on the request (14) for remote programming of the implantable medical device (10), generate a first release token (RT1) sent to a first patient device (18), in particular a patient communication device; the first patient device (18) configured to, based on the first release token (RT1) generate a second release token (RT2) and display the second release token (RT2) on a screen (19) of the first patient device (18); a second patient device (20), in particular a smartphone or tablet device, configured to read the second release token (RT2), wherein the second patient device (20) is further configured to display information comprised by the second release token (RT2) relating to the request (14) for remote programming of the implantable medical device (10) on a screen (21) of the second patient device (20), wherein the second patient device (20), upon patient approval of the request (14) for remote programming of the implantable medical device (10) comprised by the second release token (RT2) is configured to send the second release token (RT2) to the computing device (16) of the service provider, and wherein upon verification of the second release token (RT2) by the computing device (16) of the service provider, the computing device (16) of the service provider is configured to authorize the remote programming of the implantable medical device (10).
2. Medical communication system (1) of claim 1, wherein the second release token (RT2) comprises a machine-readable code (22), in particular a QR-Code, wherein the second patient device (20) is configured to scan the machine-readable code (22) via a camera of the second patient device (20), wherein an app (24) of the second patient device (20) is configured to interpret the machine-readable code (22) and display information24.146P-WO / 02.12.2025comprised by the machine-readable code (22) relating to the request (14) for remote programming of the implantable medical device (10) on the screen (21) of the second patient device (20).
3. Medical communication system (1) of claim 2, wherein the computing device (16) of the service provider is configured to send a first message (26) to the second patient device (20) notifying the patient that the first release token (RT1) has been generated and sent to the first patient device (18).
4. Medical communication system (1) of claim 3, wherein the first message (26) further comprises a request for the patient to contact a medical service provider, in particular a medical practice or hospital, via a separate communication channel, in particular via telephone, in order to verify an authenticity of the request (14) for remote programming of the implantable medical device (10).
5. Medical communication system (1) of claim 4, wherein upon verifying the authenticity of the request (14) for remote programming of the implantable medical device (10), the second patient device (20) is configured to display a second message (28) notifying the patient to scan the machine-readable code (22) via the camera of the second patient device (20).
6. Medical communication system (1) of any of claims 2 to 5, wherein the first release token (RT1) comprises identification data of the computing device (16) of a service provider, and wherein the second release token (RT2) comprises identification data of the first patient device (18).
7. Medical communication system (1) of any one of claims 2 to 6, wherein the second release token (RT2) comprises the first release token (RT1) and the machine-readable code (22) displayed on the screen (19) of the first patient device (18).
8. Medical communication system (1) of any one of claims 2 to 7, wherein the app (24) of the second patient device (20) is configured to generate a third message (30) asking24.146P-WO / 02.12.2025- 15 - for patient approval of the request (14) for remote programming of the implantable medical device (10).
9. Medical communication system (1) of claim 8, wherein the third message (30) comprises a choice of approving or disapproving the request (14) for remote programming of the implantable medical device (10).
10. Medical communication system (1) of claim 8 or 9, wherein the third message (30) comprises situational information relating to the request (14) for remote programming of the implantable medical device (10), said situational information comprising reprogramming parameters.
11. Medical communication system (1) of claims 8 to 10, wherein the third message (30) comprises a first authentication code (32) that the patient verifies against a second verification code (34) previously provided to the patient by the medical service provider, in particular a medical practice or hospital.
12. Medical communication system (1) of any one of the preceding claims, wherein upon patient disapproval of the request (14) for remote programming of the implantable medical device (10) comprised by the second release token (RT2), canceling the remote programming of the implantable medical device (10) is performed.
13. Computer-implemented method for remote programming of an implantable medical device (10), comprising the steps of: providing (SI) a request (14) for remote programming of the implantable medical device (10) to a computing device (16) of a service provider; based on the request (14) for remote programming of the implantable medical device (10), generating (S2) a first release token (RT1) by the computing device (16) of a service provider and sending the first release token (RT1) to a first patient device (18), in particular a patient communication device;24.146P-WO / 02.12.2025- 16 - based on the first release token (RT1) generating (S3) a second release token (RT2) by the first patient device (18) and displaying (S4) the second release token (RT2) on a screen (19) of the first patient device (18); reading (S5) the second release token (RT2) by a second patient device (20), in particular a smartphone or tablet device; displaying (S6) information comprised by the second release token (RT2) relating to the request (14) for remote programming of the implantable medical device (10) on a screen (21) of the second patient device (20); and upon patient approval of the request (14) for remote programming of the implantable medical device (10) comprised by the second release token (RT2), sending (S7) the second release token (RT2) to the computing device (16) of the service provider; and upon verification of the second release token (RT2) by the computing device (16) of the service provider, authorizing (S8) the remote programming of the implantable medical device (10).
14. Computer program with program code to perform the method of claim 13 when the computer program is executed on a computer.
15. Computer-readable data carrier containing program code of a computer program for performing the method of claim 13 when the computer program is executed on a computer.24.146P-WO / 02.12.2025