FDA: Antivirus Crashed Diagnostic Tool During Heart Procedure

The Hemo diagnostic tool by Merge Healthcare was felled by anti virus software running on a monitoring PC, the FDA said in a recent Adverse Incident report.
The Hemo diagnostic tool by Merge Healthcare was felled by anti virus software running on a monitoring PC, the FDA said in a recent Adverse Incident report.

In-brief: antivirus software running on a medical diagnostic computer caused the device to fail in the middle of a cardiac procedure, the FDA said.

Antivirus software running on a medical diagnostic computer caused the device to fail in the middle of a cardiac procedure, denying physicians access to data from a critical monitoring tool and potentially endangering patient safety, the U.S. Food and Drug Administration said.

The FDA issued an Adverse Event Report, dated February 8, regarding the device: the Merge Hemo Programmable Diagnostic Computer, which is made by Merge Healthcare. The adverse event occurred during a hearth catheterization procedure and was caused by improper configuration of the anti virus software, the FDA concluded.

The incident is a rare, documented instance of a software based failure interfering with a medical procedure, though nobody knows for sure how common equipment failures in clinical settings are.

The Merge Hemo system runs in cardiac catheterization labs, where long, thin tubes (catheters) are threaded into blood vessels in a patient’s heart by of an artery or vein in the groin, neck or arm. Catheters are used to help diagnose heart ailments. The Hemo platform combines a “patient data module” with a monitoring station, running on a personal computer. The two units are connected via a serial interface. During a catheterization procedure, the Hemo system relays vital hemodynamic parameters and evaluations from the patient data module to the Hemo monitor pc via a serial interface, where clinicians can view it.

According to the Adverse Event report, a Merge Hemo customer reported to the company that, “in the middle of a heart catheterization procedure, the Hemo Monitor PC lost communication with the Hemo client and the Hemo monitor went black.” According to information provided by the customer, “there was a delay of about 5 minutes while the patient was sedated so that the application could be rebooted.”

An investigation by the vendor found that the source of the failure was anti malware software running on the PC, which initiated an “hourly scan” of the local system during the procedure. Apparently, anti-virus scans can sweep up medical images and patient data files used by Merge, making them inaccessible, temporarily, to the application.

That’s a condition that, according to the FDA, Merge explicitly calls out in its documentation and product security recommendations. Merge recommends that anti-malware software be configured to scan “only the potentially vulnerable files on the system, while skipping the medical images and patient data files.”

The FDA said it isn’t the first time this has happened. “Our experience has shown that improper configuration of anti-virus software can have adverse affects including downtime and clinically unusable performance. ”

The downtime could have potentially caused a “delay in care that results in harm to the patient,” however, in the documented case, the procedure was completed successfully “once the (Hemo) application was rebooted.

The Agency received more than 1.2 million adverse event reports in 2014, the last full year for which data is available. That’s almost triple the number from 2006 (470,000). Software linked errors are not uncommon, though this is the first Adverse Event report that specifically names anti malware software as the cause of the event.

The FDA issued guidance for securing medical devices in 2014, calling on medical device manufacturers to consider cyber security risks as part of the design and development of devices” and asking device makers to submit documentation to the FDA about any “risks identified and controls in place to mitigate those risks” in medical devices. The guidance also recommended that manufacturers submit documentation of plans for patching and updating the operating systems and medical software that devices run. In 2015, it issued a safety advisory for Hospira drug infusion pumps, following demonstrations of security vulnerabilities affecting those devices.

The Agency is continuing to refine its guidance to industry. Recently, Dr. Kevin Fu of the University of Michigan warned that pending FDA guidance on managing post market cybersecurity vulnerabilities in medical devices is too focused on stomping out known threats and not enough on addressing cyber security risk to medical environments.

Fu said more work needs to be done to make the FDA guidance risk- rather than threat based.  Otherwise: the U.S. government and healthcare organizations risk falling victim to what Fu termed “the street light effect,” Namely: focusing resources on fighting security threats where it is easiest (that is: where they’ve already been identified) rather than all the different places that cyber risk might exist.