A patient undergoing heart surgery in a US-based hospital was left at risk after an improperly configured piece of antivirus software caused critical medical equipment to crash right in the middle of a procedure.

In documents released by the US Food and Drug Administration (FDA), the medical equipment in question – called a Merge Hemo – went offline for more than five minutes, leaving hospital staff looking at a blank computer screen.

The Merge Hemo computer set-up involved a patient data module being connected to a PC that monitors and logs the data in real time. However, as reported by Softpedia, an FDA investigation discovered that anti-malware protection was configured to scan for viruses every hour – against the recommendation of the manufacturer.

The report states: "In the middle of a heart catheterisation procedure, the hemo monitor PC lost communication with the hemo client and the hemo monitor went black. Information obtained from the customer indicated that there was a delay of about five minutes while the patient was sedated so that the application could be rebooted.

"It was found that anti-malware software was performing hourly scans. With Merge Hemo not presenting physiological data during treatment, there is a potential for a delay in care that results in harm to the patient."

Luckily, the procedure was reportedly completed successfully once the system had been rebooted. The report does not reveal the name of the hospital involved, though it notes the incident took place on 8 February this year.

According to the investigation into the incident, the cause was not deemed to be a technical error or a fault with the medical device. Instead, the malfunction was likely based on a misconfiguration by hospital staff, it found.

'Adverse effects'

"Based upon the available information, the cause for the reported event was due to the customer not following instructions concerning the installation of anti-virus software; therefore, there is no indication that the reported event was related to product malfunction or defect," the FDA report concluded.

"The anti-virus software needs to be configured to scan only the potentially vulnerable files on the system, while skipping the medical images and patient data files. Our experience has shown that improper configuration of anti-virus software can have adverse effects including downtime and clinically unusable performance."

Recently, hospitals in the US have faced a barrage of cybersecurity threats – mainly ransomware, which hackers are now using to infect crucial healthcare computer networks. In one landmark case, cybercriminals were able to extort $17,000 (£12,000) from one affected hospital.