Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
Applicant’s amendment filed 5/28/2021 has been entered.  Claims 1, 2, 8, 15, 17, 18 and 20 were amended.  Claim 14 was previously cancelled.  Claims 1-13 and 15-21 are pending examination.

Response to Arguments
Applicant’s arguments with respect to claims 1 and 17 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
On pages 11 and 12, Applicant’s arguments regarding claim 1 communication encryption is not taught by Waniss (2011/0081888), in view of Barton (2014/0032733), in view of Bower (2017/0109512) are moot.  The new communication encryption limitation is taught by Golden (2017/0319861).
Claim 11 and its dependent claims are allowable.
On page 12, Applicant argues claim 18 amendments.  The amendments were to claim 17 and the arguments are interpreted to be against claim 17.  The new limitations of “comparing … an immutable identity that is included in the certificate …” are taught by Thornton’s requirement for immutable identity in the certificate as shown in the rejection below (Thornton [0182]).  Consistent with the broadest reasonable interpretation, the claimed "immutable identity" is interpreted to include, e.g., International Mobile Equipment Identity (IMEI) number, a phone number, a Bluetooth Low Energy (BLE) Media Access Control (MAC) address, a TrustZone Identifier (ID) or other identifier that is bound and associated with the device certificate.  See Specification [0058].

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5 are rejected under 35 U.S.C. 103 as being unpatentable over Waniss (2011/0081888), in view of Barton (2014/0032733), in view of Bower (2017/0109512) in view of Golden (2017/0319861).

Regarding claim 1, Waniss teaches
a mobile device for providing secure communication, comprising: (Waniss, [0015] FIG. 1 shows a system for enabling multiple caregivers to communicate with and control a medical device 100 via their wireless mobile communication devices 130, 130', etc.  [0047] By providing bi-directional closed-loop, secure and well-controlled communications between the MDC 110 and wireless communication devices 130, 130', etc.)
memory that is configured to … store an application (Waniss, [0021] Software, which may include operating system software or application software, may be stored in flash memory 214, RAM 216 or any other memory element. As will be discussed below, according to an exemplary embodiment, application software is provided to permit the wireless mobile communication device 130) that manages or controls a medical device (Waniss, [0021] As will be discussed below, according to an exemplary embodiment, application software is provided to permit the wireless mobile communication device 130 to monitor data received from MDC 110 and provide signals for controlling the medical device 100 via the MDC 110 of FIG. 1.)
establishing a communication channel with the medical device (Waniss, [0013] According to a further aspect of this specification, there is provided a method of operating a wireless mobile communication device for monitoring and control of a medical device connected to a medical device connector,)
Waniss does not teach a trusted environment having a memory that is configured to store an application.
However Barton teaches a trusted environment (Barton [0202] An administrator may set the policies of the managed applications, with default settings being to contain data within the managed set 820 of trusted apps as described herein.) having a memory that is configured to store an application (Barton, [0076] The managed partition 310 may have policies applied to it to secure the applications running on and data stored in the managed partition. … By operating in accordance with their respective policy file(s), each application may be allowed or restricted from communications with one or more other applications and/or resources, thereby creating a virtual partition. Thus, as used herein, a partition may refer to a physically partitioned portion of memory (physical partition), a logically partitioned portion of memory (logical partition), and/or a virtual partition created as a result of enforcement of one or more policies and/or policy files across multiple apps as described herein (virtual partition). Stated differently, by enforcing policies on managed apps, those apps may be restricted to only be able to communicate with other managed apps and trusted enterprise resources, thereby creating a virtual partition that is impenetrable by unmanaged apps and devices. [0077] The applications running on the managed partition may be secure applications.)
one or more processors configured to perform operations of the application that execute within the trusted environment, the operations comprising: (Barton, [0130] The method includes receiving, by a processor of the electronic mobile device, a managed application from an application 
sending an access request to connect with a … device, (Barton, [0213] A mobile device's enterprise access request can be sent to the secure mobile gateway 925 via a connection 946, and the gateway 928 can send the request to an enterprise resource 930 via an internal connection 954.) and that identifies the application as the application that manages or controls the medical device, (Barton [0210] As will be described in further detail below, such access rules can be used to regulate access based on, e.g., mobile device properties, user properties, the specific enterprise resources 930 for which access is requested, or any combination thereof. [0222] The mobile device manager 1602 or another software component of the enterprise system 910 can be configured to select an appropriate enterprise agent 1720 for each given mobile device 920, based on such properties of the mobile devices 920 (e.g., mobile device properties 1608 of FIG. 16).)
receiving an authentication request from the … device that requests the application to provide one or more authentication factors including a … proof, (Barton [0398] For example, the proxy device 2510 may request that the client device 2505 sign or decrypt an authentication message using the client certificate (or a private key included therein), or return a list of available security certificates or a selection by the user of a particular security certificate.)
obtaining the … proof,  sending the … proof to the … device, and 
establishing a communication channel with the … device (Barton, [0399] For example, the context information may identify a data structure of authentication information exchanged (or to be exchanged) between the proxy device 2510 and resource 2520 and/or the proxy device 2510 and the authentication service 2515. The client device 2505 may use the context information to verify or otherwise confirm the authentication session between the proxy device 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have applied Barton’s application management with Waniss’ mobile control of a medical device because doing so improves security by preventing the application from interference from untrusted apps (Barton, [0201] In order to provide enhanced security, it is preferred to avoid comingling of trusted (managed) apps and untrusted (unmanaged) apps, but comingling depends on policy.)
Waniss-Barton do not teach zero-knowledge password.
However Bower teaches requests the application to provide a zero-knowledge password proof (Bower, [0056] In some example embodiments, application unit 406 may generate a one-time password for authentication. This authentication may be used to for example readily authenticate a user equipment, such as a wearable device, in a way that does not require a user to repeatedly provide a password or PIN.  In this example, a challenge-response process is described at FIG. 5A, although other schemes such as zero-knowledge password proof, time-synchronized one-time passwords, and/or the like may be used as well.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have substituted Bower’s zero-knowledge password proof for Waniss-Barton’s authentication message  with reasonable expectation of success because doing so improves security by not revealing user information and further provides users with an alternative authentication mechanism (Bower [0057] In this example, authentication may unlock doors for example of an 
Waniss does not teach an encryption engine that is configured to encrypt communications.
However Golden teaches
an encryption engine that is configured to encrypt communications through an untrusted environment of the mobile device and to the medical device  (Golden, [0076] In some embodiments, communication among the user device 210, medical device 220 and service platform may utilize security technologies such as encryption/decryption (in an exemplary embodiment 128-bit encryption or higher), cryptography (including but not limited to that used in RSA encryption), Internet Protocol Security (IPSec), Secure Socket Layer (SSL), Virtual Private Networks (VPN),  [0110] The secure environment 311 may also be configured to authorize and grant/deny access to a secure environment operating on a medical device. This feature prohibits unauthorized devices and/or medical applications from communicating with the medical device. This configuration may be accomplished using standard and/or custom methods. Standard methods may include Bluetooth's Health Device Profile (HDP), Bluetooth's embedded security features, NFC's embedded and value-added security features from third parties, TCP/IP with IPSec and or SSL,  [0117] The secure environment 311 may also be configured to act as a translator for data (e.g., communication to and/or from a medical device). [0070] In addition, user device 210 includes a medical device communications interface 256 configured to provide a communications connection to one or more medical devices)

Regarding claim 2, Waniss, Barton, Bower and Golden teach
the mobile device of claim 1, (Waniss, [0015] FIG. 1 shows a system for enabling multiple caregivers to communicate with and control a medical device 100 via their wireless mobile communication devices 130, 130', etc.) further comprising the untrusted environment, wherein the untrusted environment has another memory, wherein the one or more processors perform other operations that execute within the untrusted environment (Barton, [0201] In order to provide enhanced security, it is preferred to avoid comingling of trusted (managed) apps and untrusted (unmanaged) apps, but comingling depends on policy.)


Regarding claim 3, Waniss, Barton, Bower and Golden teach
the mobile device of claim 2 (Waniss, [0015] FIG. 1 shows a system for enabling multiple caregivers to communicate with and control a medical device 100 via their wireless mobile communication devices 130, 130', etc.), wherein the trusted environment has a trusted execution space that is logically or physically separated from the untrusted environment and secures the application from security vulnerabilities residing on the … device (Barton, [0076] Stated differently, by enforcing policies on managed apps, those apps may be restricted to only be able to communicate with other managed apps and trusted enterprise resources, thereby creating a virtual partition that is impenetrable by unmanaged apps and devices.)

Regarding claim 4, Waniss, Barton, Bower and Golden teach
the mobile device of claim 1 (Waniss, [0015] FIG. 1 shows a system for enabling multiple caregivers to communicate with and control a medical device 100 via their wireless mobile communication devices 130, 130', etc.), wherein the operations within the trusted environment further comprise:
encrypting the …  proof prior to sending the … proof to the … device (Barton, [0233] In addition to the components shown in FIG. 18, one or more code libraries may be installed on the mobile device for implementing various security functions, such as data encryption and formation of application 
Waniss does not teach zero-knowledge password.
However Bower teaches zero-knowledge password proof (Bower, [0056] In some example embodiments, application unit 406 may generate a one-time password for authentication. This authentication may be used to for example readily authenticate a user equipment, such as a wearable device, in a way that does not require a user to repeatedly provide a password or PIN. In this example, a challenge-response process is described at FIG. 5A, although other schemes such as zero-knowledge password proof, time-synchronized one-time passwords, and/or the like may be used as well.)
Same reason to use Bower with Waniss-Barton as in claim 1.

Regarding claim 5, Waniss, Barton, Bower and Golden teach
the mobile device of claim 1 (Waniss, [0015] FIG. 1 shows a system for enabling multiple caregivers to communicate with and control a medical device 100 via their wireless mobile communication devices 130, 130', etc.), wherein the zero-knowledge password proof is a password that is provisioned during manufacturing, packaging or distribution (Bower, [0030] The secure element 104 may comprise a tamper-resistant platform (for example, a secure microcontroller including memory) that can securely host applications, store sensitive data, keys, and/or the like. [0056] In some example embodiments, application unit 406 may generate a one-time password for authentication. This authentication may be used to for example readily authenticate a user equipment, such as a wearable device, in a way that does not require a user to repeatedly provide a password or PIN. In this example, a challenge-response process is described at FIG. 5A, although other schemes such as zero-knowledge password proof, time-synchronized one-time passwords, and/or the like may be used as well.)

Claims 6-10 are rejected under 35 U.S.C. 103 as being unpatentable over Waniss (2011/0081888), in view of Barton (2014/0032733), in view of Bower (2017/0109512) in view of Golden (2017/0319861) in view of Thornton (2005/0071630).

Regarding claim 6, Waniss, Barton, Bower and Golden teach
the mobile device of claim 1, (Waniss [0013])
sending the certificate or the cloud authentication token to the … device; and (Barton [0398] For example, the proxy device 2510 may request that the client device 2505 sign or decrypt an authentication message using the client certificate (or a private key included therein), or return a list of available security certificates or a selection by the user of a particular security certificate.)
establishing communication with the medical device further using  authentication key. (Waniss, [0013] According to a further aspect of this specification, there is provided a method of operating a wireless mobile communication device for monitoring and control of a medical device connected to a medical device connector, [0014] in response generating a device-ID and authentication key, transmitting said device-ID and authentication key to said medical device connector and receiving via said communication subsystem one of either a confirmation that said wireless mobile communication device has been authenticated by said medical device connector)
Waniss does not teach wherein the authentication request from the medical device requests the application to provide a certificate or cloud authentication token, wherein the operations further comprise: 
obtaining from a server the certificate or the cloud authentication token; 
wherein the authentication request from the second device requests the application to provide a certificate or cloud authentication token, wherein the operations further comprise: 
obtaining from a server the certificate or the cloud authentication token; (Thornton, [0071] A client receiving a certificate from a server may verify a signed certificate by doing the following)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have substituted Thornton’s certificates for Waniss authentication key because doing so improves security (Thornton, [0068] This technique is often referred to as a "man in the middle attack", and can be a serious problem for many entities, such as banks or on-line stores, wishing to correspond with customers, employees and others over public and/or uncontrolled networks. [0069] To solve this problem a number of Certificate Authorities (CAs), for example Verisign and Entrust, have created services for authenticating certificates.)

Regarding claim 7, Waniss, Barton, Bower, Golden and Thornton teach
the mobile device of claim 6, (Waniss [0013]) wherein the certificate includes an immutable identifier that is verified by the … device, (Barton, [0087] In this case, the left hand side represents an enrolled/managed mobile device 402 (e.g., client 107, 212, 302, etc.) with a client agent 404, which interacts with gateway server 406 (which includes access gateway and application controller functionality) to access various enterprise resources 408 and services 409 such as Exchange, Sharepoint, PKI Resources, Kerberos Resources, and Certificate Issuance Service, [0106] Gateway server 406 may interact with an enterprise special purpose web service to support the issuance of client certificates to allow relevant managed applications to authenticate to internal PKI protected resources. Alternatively, client certificates may be issued by access gateway 360. In another example, client certificates may be provided by an EMM/MRM server (e.g., at the device level), and/or by an app controller that provisions wherein the certificate is signed by the server using a private key or other signature authority (Thornton, [0068] In a commonly used PKI, certificates also include a signature to verify the source of the certificate.)
Same reason to combine Barton as in claim 1.

Regarding claim 8, Waniss, Barton, Bower, Golden and Thornton teach
the device of claim 7, wherein the immutable identifier includes at least one of an International Mobile Equipment Identity (IMEI) number, a phone number, a Bluetooth Low Energy (BLE) Media Access Control (MAC) address, or a TrustZone Identifier (ID) (Waniss, [0018] In the embodiment shown in FIG. 2, network access is associated with a subscriber or user of the wireless mobile communication device 130 via a memory module 202, which may be a Subscriber Identity Module (SIM) card for use in a GSM network or a Universal Subscriber Identity Module (USIM) card for use in a Universal Mobile Telecommunication System (UMTS).)
	
Regarding claim 9, Waniss, Barton, Bower, Golden and Thornton teach
the mobile device of claim 6, wherein the cloud authentication token is provisioned during manufacturing, distribution or packaging (Thornton, [0069] The private keys are secretly held by the CA, while the root certificates containing public keys are provided to others through controlled distribution.  [0072] Following negotiation, sever 41 transmits a certificate to client 40 containing a public key, as shown in FIG. 4B. The client may verify the server's certificate).

Regarding claim 10, Waniss, Barton, Bower, Golden and Thornton teach
the mobile device of claim 1, further comprising a secure element, wherein the trusted environment is within the secure element, wherein the one or more processors are further configured to perform operations comprising: 
storing the certificate in the memory; (Waniss [0011] receiving a device-ID and authentication key from said one of said plurality of wireless mobile communication devices; processing said authentication key to determine if said wireless mobile communication device is an authenticated wireless mobile communication device and if said wireless mobile communication device is authenticated then assigning a role to said wireless mobile communication device, storing said device-ID, authentication key and role in a list of authenticated wireless mobile communication devices,) 
Waniss does not teach obtaining form a server, revoking and renewing the certificate.
However Thornton teaches 
obtaining, from a server, a certificate; (Thornton, [0071] A client receiving a certificate from a server may verify a signed certificate by doing the following)
revoking the certificate after a period of time; and (Thornton, [0074] A certificate is normally used for a limited amount of time for a number of reasons.  [0075] Having a limited service life of certificates requires intervention and/or certificate renewal upon the expiration of the validity of those certificates [0081] For each certificate, an expiration date or time may also be noted, by which the expiring of certificates may be noticed. [0174] If the certificate has been revoked, or if the certificate is not valid for the authentication purposes, tested in step 1310, the server may proceed to issue a new certificate to the client.) 
renewing the certificate with the server after the certificate is revoked (Thornton, [0176] Otherwise, a process of renewing a certificate may commence, in step 1318. In that step, the old certificate is renewed with the appropriate certificate authority).
Same reason to combine Thornton as in claim 6 applies.


Claims 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Waniss (2011/0081888), in view of Thornton (2005/0071630) in view of Lamb (2012/0060030) in view of Belk (2014/0364056).

Regarding claim 17, Waniss teaches
a method for securely communicating between a medical device and an application on a personal device in a secure computing environment, comprising: (Waniss, [0015] FIG. 1 shows a system for enabling multiple caregivers to communicate with and control a medical device 100 via their wireless mobile communication devices 130, 130', etc.  [0047] By providing bi-directional closed-loop, secure and well-controlled communications between the MDC 110 and wireless communication devices 130, 130', etc)
receiving, by the network access device of the medical device, an access request … after the personal device is discovered; (Waniss, [0036] The MDC 110 sends a request message (step 400) to the caregiver's mobile communication device 130. The request message includes an identifier (MDC-ID) for the requesting device 110. The request message is transmitted over the network 120 and received at mobile communication device 130 (step 405). An application executed by microprocessor 210 within device 130 determines whether or not to accept the caregiver request (step 410).)
that identifies the application as the application that manages or controls the medical device (Waniss, [0039] FIG. 5 is a flow diagram showing monitoring of medical device 100 by an authenticated wireless mobile communication device 130 and presentation of the data thereon. The device 130 sends a request for status/data relating to medical device 100 (step 500), wherein the request includes the device-ID and authentication key.)
authenticating, by the processor, the …  authentication factors; (Waniss, [0039] FIG. 5 is a flow diagram showing monitoring of medical device 100 by an authenticated wireless mobile communication device 130 and presentation of the data thereon. The device 130 sends a request for status/data relating to medical device 100 (step 500), wherein the request includes the device-ID and authentication key. The request is received by MDC 110 which then determines (step 505) if the requesting device 130 is an authenticated device by checking the device-ID and authentication key against the list saved in memory (see step 485).)
in response to receiving the access request, sending, by a processor of the medical device, an authentication request that requests a plurality of authentication factors; (Waniss [0036] The MDC 110 sends a request message (step 400) to the caregiver's mobile communication device 130. The request message includes an identifier (MDC-ID) for the requesting device 110. The request message is transmitted over the network 120 and received at mobile communication device 130 (step 405). An application executed by microprocessor 210 within device 130 determines whether or not to accept the caregiver request (step 410).)
Waniss does not teach a plurality of authentication factors.
However Lamb teaches receiving, by the processor, a plurality of authentication factors; (Lamb, [0128] An exemplary process 150 for authenticating a user, information or service is illustrated in FIG. 10. As shown in FIG. 10, process 150 begins with obtaining 152 information of multiple factors of authentication. [0129] Subsequent to obtaining 152 the information, process 150 continues by determining 154 whether the information obtained matches a selected combination of the multiple factors of authentication. Determination 154 may be made using various pieces of information supplied by a client and/or a service provider. For example, a provider of a first service may request that certain combinations of the enhanced multi-factor authentication feature be used while a second service provider requests another combination.)
authenticated … based on the type of authentication factor; (Lamb, [0129] Subsequent to obtaining 152 the information, process 150 continues by determining 154 whether the information obtained matches a selected combination of the multiple factors of authentication. Determination 154 may be made using various pieces of information supplied by a client and/or a service provider. [0042] The current factors available within enhanced multi-factor authentication include those described above in the multi-factor authentication paragraph which include: something you have, something you know, and something you are. There are currently four additional factors that makeup enhanced multi-factor authentication including: somewhere you are, when you are, what role you are, and why you are.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Lamb’s multi-factor authentication with Waniss’ mobile control of a medical device because doing so improves security (Lamb, [0017] In accordance with one embodiment, a trusted, secure, and verifiable operating environment is comprised of various hardware, firmware, software, and/or features configured in a defense-in-depth architecture and manufactured to defeat many security weaknesses including those inherent in modern products while providing a maximum number of form factors and services as to provide clients with ease-of-use.)
Waniss does not teach immutable identity that is included in the certificate and a chain of trust.
However Thornton teaches 
comparing, by the processor, an immutable identity that is included in the certificate to an identity of the personal device (Thornton, [0182] The service provider may also wish to prevent the transfer of a certificate from one client device to another. In that case, the certificate may include information unique to the client device, for example a MAC address, a fixed IP address, a serial number or a processor ID. The signature of the certificate may further be obtained by encoding the unique information, causing a signature mismatch should the certificate be moved. In an alternative system, an 
including the certificate based on the comparison (Thornton, [0182] The signature of the certificate may further be obtained by encoding the unique information, causing a signature mismatch should the certificate be moved)
establishing, by the processor and the application on the personal device, a chain of trust between the medical device and the personal device; and (Thornton, [0071] A client receiving a certificate from a server may verify a signed certificate by doing the following. First the client may review the certificate to see what certificate was used for signing (i.e. a parent certificate). If the parent certificate is recorded at the client's location, it may locate it and extract the public key. If the parent certificate is not known to the client, the client may request the parent certificate from an accessible server. Upon receipt of the parent certificate, the client may extract the public key. Having the public key, the client may then verify the signing of the child certificate. If the parent certificate was obtained remotely, the client may continue by verifying the signing of the parent certificate. That procedure may continue through a chain of certificates until reaching a known certificate,)
establishing, by the processor and the application on the personal device, a secure communication channel between the medical device and the personal device based on the chain of trust (Thornton, [0072] Referring now to FIGS. 4A through 4D, a method of establishing secure communications between a client and a server over a network is depicted. In FIG. 4A, a negotiation takes place between the client and the server. This involves client 40 sending a request to server 41 to initiate negotiation. If multiple communication modes are available, i.e. if more than one cryptographic algorithm is available for use, one of client 40 or server 41 will chose a mode. Following negotiation, sever 41 transmits a certificate to client 40 containing a public key, as shown in FIG. 4B. The client may verify the server's certificate, if desired. In response, client 40 chooses a secret key to be shared with 
request … including a certificate (Thornton [0072] Following negotiation, sever 41 transmits a certificate to client 40) and receiving … including the certificate (Thornton, [0071] A client receiving a certificate from a server may verify a signed certificate by doing the following.) (EN: Lamb teaches multifactor authentication types, Thornton teaches certificates which is a type of authentication)
Same reason to combine Thornton as in claim 6 applies 
Waniss does not teach discovering, using a network access device of the … device, the personal device when the personal device is within a threshold distance of the medical device.
However Belk teaches discovering, using a network access device of the … device, the personal device when the personal device is within a threshold distance of the medical device (Belk, [0075] Digital media device 104 can establish (726) a communication channel between digital media device 104 and a mobile device (e.g., mobile device 102) located within a proximity threshold distance from the digital media device.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Belk’s wireless control with proximity thresholds with Waniss’s mobile control of a medical device because doing so improves device control to local control (Belk, [0005] Control of a digital media device can be enhanced. [0003] A mobile device located in proximity of the digital media device, upon detecting the signal, can perform various security checks to authenticate the request, and then open a communication channel with the digital media device.)

Regarding claim 18, Waniss, Thornton, Lamb and Belk teach
the method of claim 17, wherein the plurality of authentication factors further include at least one of a hardware token, a cloud authentication token, or a zero-knowledge password proof (Lamb, [0129] Subsequent to obtaining 152 the information, process 150 continues by determining 154 whether the information obtained matches a selected combination of the multiple factors of authentication. Determination 154 may be made using various pieces of information supplied by a client and/or a service provider. For example, a provider of a first service may request that certain combinations of the enhanced multi-factor authentication [0060] Others provide two or three factor authentication by requiring either a hardware token (something you have)).

Regarding claim 19, Waniss, Thornton, Lamb and Belk teach
the method of claim 18, wherein establishing, by the processor and the application on the personal device, the chain of trust between the medical device and the personal device includes:
sending, by the processor of the medical device via the personal device, a message to a server, the message including a cloud authentication token and a request to authenticate the personal device; (Thornton, [0071] A client receiving a certificate from a server may verify a signed certificate by doing the following. First the client may review the certificate to see what certificate was used for signing (i.e. a parent certificate). If the parent certificate is recorded at the client's location, it may locate it and extract the public key. If the parent certificate is not known to the client, the client may request the parent certificate from an accessible server.)
generating and signing, by the server, a response that includes an authorization of the personal device; 
sending, by the server, the response to the medical device via the personal device; (Thornton, [0071] Upon receipt of the parent certificate, the client may extract the public key. Having the public key, the client may then verify the signing of the child certificate. If the parent certificate was obtained remotely, the client may continue by verifying the signing of the parent certificate. That procedure may continue through a chain of certificates until reaching a known certificate, or reaching an unsigned or unavailable certificate)
verifying, by the processor of the medical device, the signature of the response; and authenticating, by the processor of the medical device, the personal device (Thornton, [0071] That procedure may continue through a chain of certificates until reaching a known certificate, or reaching an unsigned or unavailable certificate.)

Regarding claim 20, Waniss, Thornton, Lamb and Belk teach
the method of claim 19, wherein the personal device is a smartphone that is configured to run a plurality of applications including the application (Waniss, [0017] The concepts herein may be applicable to a variety of wireless mobile communication devices, such as two-way pagers, cellular telephones, etc.  [0021] As will be discussed below, according to an exemplary embodiment, application software is provided to permit the wireless mobile communication device 130 to monitor data received from MDC 110 and provide signals for controlling the medical device 100 via the MDC 110 of FIG. 1.)

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Waniss (2011/0081888), in view of Thornton (2005/0071630) in view of Lamb (2012/0060030) in view of Belk (2014/0364056) in view of Kreft (2016/0359636).

a first authentication factor from a tamper-proof secure element.
However Kreft teaches wherein the plurality of authentication factors includes a first authentication factor (Kreft, [0081] Rather than embodying a single cryptographic key, PUFs can be used to implement challenge-response authentication.) from a tamper-proof secure element, (Kreft, [0017] A tamper-protected semiconductor module may also be referred to as a Hardware Security Module (HSM). [0018] In one exemplary embodiment, the tamper-protected semiconductor module is a tamper-protected chip, die or multi-die. [0087] Another possible way to use the hardware PUF for securing the tamper-protected hardware module is its utilization in a segmentation process of secrets used within the tamper-protected semiconductor module:) wherein establishing the chain of trust is based on the first authentication factor (Kreft, [0091] In one exemplary embodiment, the challenges and their corresponding (cryptographic hash of) hardware PUF responses are signed by a Root Certification Authority to allow verification of their integrity. [0092] The challenges and their corresponding (cryptographic hash of) hardware PUF responses could for example be signed by the Root Certification Authority using a signing key-pair's private signing key,.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Kreft’s authentication factors from a secure element with Waniss’s mobile control of a medical device because doing so improves device security by providing multiple authentication factors and a tamper proof element (Kreft, [0002] Security is nowadays globally known of being in the need to get enforced by measures of authentication and change-protection incorporated and embedded into chips by fitting to physical and individual descriptors and characteristics not able to get copied. Such a mechanism is provided by a PUF (Physical Unclonable Function).).


Allowable Subject Matter
Claims 11-13 and 15-16 are allowed.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRUCE S ASHLEY whose telephone number is (571)270-0315.  The examiner can normally be reached on 9-5 PDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jay Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/BRUCE S ASHLEY/Examiner, Art Unit 2494                                                                                                                                                                                                        
/THEODORE C PARSONS/Primary Examiner, Art Unit 2494