In February 2016, a patient undergoing a routine cardiac catheterization procedure had to remain sedated five additional minutes while the device rebooted as the result of ant-virus scan.
Merge Healthcare describes its Merge Hemo as a device that “monitors, measures, and records physiological data from a human patient undergoing a cardiac catheterization procedure.” however, as the result of the device reboot during a patient procedure, the company had to report the incident to the U.S. Food and Drug Administration (FDA). Medical device manufacturers are required to submit what’s called an Adverse Event report for any instance where a patient was directly impacted. In this case the patient successfully completed the catheterization procedure and remained sedated throughout the five minutes of “lost communications.”
In its report, Merge Healthcare identified the problem as a result of its antivirus product performing hourly scans. According to The Security Ledger, anti-virus scans in this product can sweep up medical images and patient data files used by Merge, making them inaccessible, temporarily, to the application. “That’s a condition that, according to the FDA, Merge explicitly calls out in its documentation and product security recommendations. Merge recommends that anti-malware software be configured to scan ‘only the potentially vulnerable files on the system, while skipping the medical images and patient data files.'”
The Security Ledger also notes that while software-linked errors are not uncommon, this is the first Adverse Event report that specifically names anti-malware software as the cause of the event.
This may complicate the FDA’s drive to enforce best practices within healthcare IT. A defensive measure that may have impacted patient safety may just add fuel to the argument that’s sometimes best to “do nothing” as opposed to fix the underlying issues. Perhaps that’s why your doctor still has that Windows XP machine …