In theory, antivirus software is designed to keep users safe from their own mistakes. Who among us hasn’t occasionally visited a dodgy website or downloaded a dubious file? But while they can help counteract our carelessness, we still need to be careful about the ways we use them. That’s a lesson that one hospital recently learned the hard way when a medical device crashed in the midst of heart surgery. On investigation, it turned out that the culprit was the antivirus program on a computer to which the device was connected.
As Softpedia’s Catalin Cimpanu writes, the incident, which occurred in February, involved a tool called the Merge Hemo, which contributes to cardiac data collection. The Merge Hemo itself gathers and evaluates information about the patient, then transfers that information to a connected computer. An incident report filed with the Food and Drug Administration explains that the crash happened because the computer automatically initiated its hourly malware scan while the procedure was in progress. That froze up the Merge Hemo app on the computer, which shut down the actual device’s interface.
Fortunately, in this case the interruption was only temporary. The FDA write-up goes on to explain “it was reported that the procedure was completed successfully once the application was rebooted.” Merge claims that fault lies with the hospital, gesturing to its own security recommendations, which note “that improper configuration of anti-virus software can have adverse affects including downtime and clinically unusable performance.”
While this story has a relatively happy ending, it still speaks to the larger cyberhygiene problem in hospitals. As my colleague Lily Hay Newman has regularly shown, virtually everything that connects to the internet has been hacked, including medical devices. And hospitals themselves have been subject to ransomware attacks by hackers, endangering patient safety. But as J.M. Porup has argued in Future Tense, the real danger in medical environments may not be malice but malware, invasive programs that could interrupt care—even if their developers didn’t actually intend to target hospitals.
It’s reassuring to see that hospitals are attempting to do something about such problems, but the Merge Hemo incident also provides an important reminder: Cybersecurity has to be an active enterprise, an ongoing, engaged process. Installing anti-malware security programs and calling it a day clearly isn’t enough. Indeed, it may make things worse.
