On February 8, 2016, the U.S. Food and Drug Administration (FDA) issued a Product Problem Report concerning the following device: Merge Hemo Programmable Diagnostic Computer, manufactured by Merge Healthcare. The Merge Hemo device monitors, measures and records physiological data from patients undergoing cardiac catheterization procedures and transfers this data to a monitoring station that runs on a personal computer. This FDA report is the first to identify antimalware as the cause of a medical device failure.

The FDA issued the Product Problem Report in response to a complaint received from a Merge Healthcare customer representative reporting that the Hemo monitoring station lost communication with the patient. The system required rebooting, which resulted in a delay of approximately five minutes while the patient was sedated for the procedure. Antimalware software installed on the device performed an hourly scan, culling medical images and patient data and resulting in a complete system interruption. While the patient was unharmed and the device was ultimately restored, the antimalware interruption warns of the risk of both harm to the patient and loss of critical clinical data.

The FDA is aware of the cybersecurity risks associated with medical devices, but now antimalware software designed to enhance the security of these devices poses its own set of risks. In October 2014, the FDA issued guidance advising manufacturers to develop a set of cybersecurity controls to enhance the security and functionality of medical devices. However, in its guidance, the FDA also urged manufacturers to carefully consider the balance between cybersecurity safeguards and the usability of the device in its intended environment of use. For example, the FDA cautioned that security controls should not unreasonably hinder access to a device that is typically used in emergency situations. The Merge Hemo device’s antimalware interruption is a key example of the hindrance posed by certain cybersecurity safeguards that the FDA wishes to avoid.


*Blake Walsh is admitted only in Tennessee. Her practice is supervised by principals of the firm admitted in the District of Columbia.