Heart Surgery Stalled For Five Minutes Thanks To Errant Anti-Virus Scan

from the death-by-horrible-IT-support dept

If you've ever had the pleasure of simply asking one medical outfit to transfer your records to another company or organization, you've probably become aware of the sorry state of medical IT. Billions are spent on medical hardware and software, yet this is a sector for which the fax machine remains the pinnacle of innovation and a cornerstone of daily business life. Meanwhile, getting systems to actually communicate with each other appears to be a bridge too far. And this hodgepodge of discordant and often incompatible systems can have very real and troubling implications for patients.

For example, one patient recently undergoing a heart transfer had the procedure interrupted for five full minutes after a PC connected to an essential piece of monitoring equipment began a scheduled anti-virus scan:

"According to one such report filed by Merge Healthcare in February, Merge Hemo suffered a mysterious crash right in the middle of a heart procedure when the screen went black and doctors had to reboot their computer. Fortunately, the patient was sedated, and the doctors had five minutes at their disposal to wait for the computer to finish rebooting, start the Merge Hemo application again, and complete their procedure without any health risks for the patient."

Fortunate, since "death by shitty hospital IT support" doesn't sound like a particularly fun way to go. The filing with the FDA by the company in question (Merge) places the blame on the hospital's IT support, who ignored software instructions stating that the folders used by Merge's software should always be whitelisted from any anti-virus platforms:

"Merge investigated the issue and later reported to the FDA that the problem occurred because of the antivirus software running on the doctors' computer. The antivirus was configured to scan for viruses every hour, and the scan started right in the middle of the procedure. Merge says the antivirus froze access to crucial data acquired during the heart catheterization. Unable to access real-time data, the app crashed spectacularly."

Here's the thing: aging systems and shoddy medical IT support are the least of the medical industry's problems. The biggest problem continues to be that medical technology security remains little more than an afterthought, leaving underfunded IT support frequently outgunned. That has resulted in a major wave of ransomware attacks that in some instances have actually forced hospitals to revert to using paper only while they get sorted out (underfunded school systems have seen a dramatic uptick in similar attacks).

And as Internet of Things companies push hospitals to embrace even more sophisticated technologies, you can expect things to get worse. After all, this is a sector that can't even secure doorbells, refrigerators, thermostats or even tea kettles. What could possibly go wrong as these technologies are introduced into an already marginally-competent medical IT sector?

Filed Under: anti-virus scan, computers, heart surgery


Reader Comments

  1. Anonymous Hospital Employee, 14 May 2016 @ 6:48am

    Re: Re: Re: IT kills - news at 11

    For how long would the files be locked out? A minute? Two minutes tops?

    I've encountered medical software which, through system reboot and reinitialising the programme, can take ten minutes (although clearly this one is a bit faster than that) to be fully up and running.

    I stand by what I said, the software should be robust enough to deal with it. And since Merge said the file folders should be whitelisted, they obviously knew it was a problem.

    As an aside; a problem was discovered with the Alaris (also sold under IVAC and Carefusion brands at different times) Signature volumetric infusion pump. It was known as key bounce, and what could happen was that a keystroke would inadvertently be registered twice (the keypad flexed slightly, so two distinct contacts could be made without the button being fully disengaged).

    Clearly, if this key bounce would happen while setting the infusion rate, a rate could be entered that was ~10x what it should be (e.g. 99.3ml/hr instead of 9.3). It totally did happen of course.

    Now, Alaris said - quite rightly BTW - that the user should have checked what rate they'd programmed before pressing start. But in the end, Alaris were forced to roll out a software upgrade which detected two key presses within a very short time, and gave a warning message and an audible indication.

    So anyone who works for Merge, hold onto your ankles 'cos you might still get your balls felt.
