Anti-virus software stops surgery to scan medical monitor for malware

Screens on a vital medical monitor went blank in the middle of a heart procedure in the US - officials blame human error for misconfigured AV software.

Merge Hemo monitor display

A patient in the US undergoing heart surgery was put at risk after anti-virus software started running on a computer monitoring the procedure.

Many medical devices now run anti-malware software in response to the discovery of myriad vulnerabilities and ongoing concerns about the internet of things (IoT).

According to a report published by the US Food and Drug Administration (FDA), the equipment – called a Merge Hemo – ceased to function for around five minutes, leaving a blank screen. Merge Hemo monitors, measures and records physiological data from a patient undergoing a cardiac catheterisation procedure.

An investigation by the FDA found that anti-malware software was responsible for the failure of the equipment as it was set to scan for viruses every hour, against the recommendation of the equipment maker.

"In the middle of a heart catheterisation procedure, the hemo monitor PC lost communication with the hemo client and the hemo monitor went black. Information obtained from the customer indicated that there was a delay of about five minutes while the patient was sedated so that the application could be rebooted," the report said.

"It was found that anti-malware software was performing hourly scans. With Merge Hemo not presenting physiological data during treatment, there is a potential for a delay in care that results in harm to the patient."

Thankfully for the patient, the procedure was completed after the system was rebooted. The name and location of the hospital have not been revealed but, according to the report, the incident took place in early February. Details have only come to light recently.

No error or fault was found with the equipment, but the malfunction was blamed on a misconfiguration by hospital staff.

"Based upon the available information, the cause for the reported event was due to the customer not following instructions concerning the installation of anti-virus software; therefore, there is no indication that the reported event was related to product malfunction or defect," the FDA said.

"The anti-virus software needs to be configured to scan only the potentially vulnerable files on the system, while skipping the medical images and patient data files. Our experience has shown that improper configuration of anti-virus software can have adverse effects including downtime and clinically unusable performance."
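An added example (not from the FDA report, the equipment maker or this article): a small audit of an anti-virus policy against the guidance quoted above, checking that data files are skipped, that program files are still scanned, and that no scheduled scan starts during procedure hours. The policy keys, paths and procedure hours are constructed for illustration and do not correspond to any real product.

```python
from pathlib import PureWindowsPath

# Constructed inventory for one monitoring PC; every path and key is hypothetical.
DATA_DIRS = [r"D:\HemoData\Images", r"D:\HemoData\Patients"]  # should be skipped
PROGRAM_DIRS = [r"C:\Program Files\HemoApp", r"C:\Windows"]    # must stay scanned
PROCEDURE_HOURS = [("07:00", "19:00")]                         # lab in use

WEAK = {"scan_every_minutes": 60, "exclusions": []}
CORRECTED = {"scan_daily_at": "02:00", "exclusions": [r"d:\hemodata"]}


def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def _parts(path):
    # Windows paths are case-insensitive, so compare lower-cased components.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _covers(exclusion, path):
    ex, target = _parts(exclusion), _parts(path)
    return len(ex) > 0 and target[:len(ex)] == ex


def scan_starts(policy):
    """Minutes after midnight at which a scan begins (interval assumed to start at 00:00)."""
    if "scan_every_minutes" in policy:
        return list(range(0, 1440, policy["scan_every_minutes"]))
    return [_minutes(policy["scan_daily_at"])]


def audit(policy):
    findings = []
    for start, end in PROCEDURE_HOURS:
        hits = [s for s in scan_starts(policy) if _minutes(start) <= s < _minutes(end)]
        if hits:
            findings.append(f"{len(hits)} scheduled scan(s) start during {start}-{end}")
    for d in DATA_DIRS:
        if not any(_covers(e, d) for e in policy["exclusions"]):
            findings.append(f"data directory is scanned: {d}")
    for d in PROGRAM_DIRS:
        if any(_covers(e, d) for e in policy["exclusions"]):
            findings.append(f"exclusion hides program files: {d}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, audit(policy) or "no findings")
```

The third check matters as much as the first two: an exclusion broad enough to cover the whole drive would satisfy the "skip the data files" requirement while leaving the program files unscanned.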

Ellen Derrico, senior director of healthcare and life sciences at RES, told SCMagazineUK.com that the main role of anti-virus software is to ensure no malicious software ends up having a detrimental impact on critical medical equipment – particularly mid-surgery.

“While the importance of having AV is self-explanatory, IT teams at hospitals have to remember that the software they have installed on machines is of far more importance than in other organisations – that's because if it doesn't work, or in this instance stops a machine doing what it is supposed to do, then it literally can become a life or death situation,” she said.

“Hospital IT teams must ensure that equipment running security software not only protects against things like malware attacks, but is also properly configured to let critical devices operate as normal, in order to ensure the safety of patients at all times. Time is precious in places like the operating theatre, emergency department or ICU; the very last thing practitioners need to be doing is lodging an IT ticket mid-operation,” added Derrico.

Richard Barger, chief technology officer at ThreatConnect, told SC that this incident highlights the issue of fragmentation that exists within enterprise security teams.

“Many security practitioners are simply not made aware of the unique intricacies of nuanced and specialised devices and systems by network administrators or users until there is an issue. Perhaps the responsibility doesn't fall on the security professional – rather the device user. Perhaps there was a policy in place for anti-virus applications to be disabled momentarily for the term of the medical procedure, where the policy was not followed and this was simply a case of user error,” he said.

Organisations must find creative ways to strike a balance between streamlined network operations and security, according to Barger.

He said examples of best practices could range from simply having a backup device on hand that may be properly configured or available in the event of some other type of failure (digital or mechanical).

“Another is a complex process of inventorying each system, and each application on each system, applying proper configuration management protocols for specialized medical devices as well as security patches or secure architectures (where applicable) to insulate potentially vulnerable systems of record,” Barger said.