
Medical Equipment Crashes During Heart Procedure Because of Antivirus Scan - akehrer
http://news.softpedia.com/news/medical-equipment-crashes-during-heart-procedure-because-of-antivirus-scan-503642.shtml
======
Avernar
"Merge says the antivirus froze access to crucial data acquired during the
heart catheterization. Unable to access real-time data, the app crashed
spectacularly.

The company claims that they included proper instructions in their
documentation, advising companies to whitelist Merge Hemo's folders in order
to prevent crashes from happening, so it seems that the whole incident was
nothing more than an oversight on the medical unit's side."

Here's how I read that: The programmers of this piece of software assumed that
some I/O operation would never fail and when it does the program shits itself.
So instead of hardening their software to withstand loss of telemetry
gracefully, which would cost time and money for the company, they just give
instructions to disable scans on their folder.

Odds are good that somewhere this scan will happen (and it did). Either IT
doesn't read the release notes or goofs the configuration or an antivirus
update clears the white list. Might not even be the antivirus that interferes
with the telemetry briefly.

But instead of having resilient software it's "the antivirus software's fault"
or "it's IT's fault" when something goes wrong because of their bad
management/engineering decision.

~~~
sillysaurus3
Software shouldn't necessarily try to account for errors in that manner.
Usually, the most graceful thing to do is to exit cleanly.

For example, if there is a massive amount of data, it has to be stored on
disk. It's too large to keep in memory. And if the point of the program is to
transform that data in real time, then it has to have access to the disk.

The antivirus basically unplugged the disk. What can it do to recover? There's
nothing to be done.

It should be able to survive that situation, of course. When the disk is
plugged back in, it should be able to restart without any problems. But I
think that's a different kind of resiliency than what you're referring to.

In this case, the only way to recover would be to copy the frozen data to a
new area of the hard drive, assuming it retained read access. But such
complexities result in brittle implementations, prone to acquiring bugs. What
if the disk space runs out? So you check beforehand whether there's enough
space. But what if some other program starts consuming disk space in the
middle of your copy operation? And so on. It's an endless spiral of design
complexity.

The situation in the article seems closer to hardware failure than a design
oversight.

~~~
Avernar
> When the disk is plugged back in, it should be able to restart without any
> problems. But I think that's a different kind of resiliency than what you're
> referring to.

Yes and no. I was referring to restarting internally when the error condition
went away but restarting the app and waiting for telemetry to return can be a
valid solution.

Think of your torrent software. If you crank your firewall to block it while
it's running it will not crash. If your disk fills up it won't crash. When the
network comes back or more drive space is freed it will restart its internal
mechanisms. You wouldn't want it to restart in these conditions. If it runs
out of memory however choosing to exit might be the best recovery mechanism.

I think a life critical medical application can at least strive for internal
restart and do an external restart if all else failed. The article stated they
had to reboot the machine to get it back. Now that's way worse.

> The situation in the article seems closer to hardware failure than a design
> oversight.

Hardware failure is almost always a permanent condition. This was a "my I/O
stopped briefly and would have come back if my code could handle it".

~~~
sillysaurus3
During a surgery, the program doesn't have the luxury of showing a screen that
says "No telemetry available." Such a program would be considered equally
unreliable. Worse, it would lead to confusion: "Why is the telemetry
unavailable? What does 'Error Code 2931' mean?"

A spectacular crash immediately led to pinpointing the problem: The antivirus.

If the program's sole purpose is to transform a massive amount of data in real
time, it must have disk access by definition. It can't not have disk access.
What would you suggest it do?

~~~
Avernar
Yes it does! Showing "no telemetry available" is exactly what it should do.
Crashing = unreliable. Reporting an error condition = reliable.

Immediately? Took them 5 minutes to reboot the computer. The scan of the
folder would take seconds let alone minutes. Pinpointing the problem is
secondary. Not killing the patient is primary.

> If the program's sole purpose is to transform a massive amount of data in
> real time, it must have disk access by definition. It can't not have disk
> access.

And that is the mindset the programmers of the software had. You have to take
care of error conditions. The processing can't have no disk access but no disk
access can occur temporarily or permanently. What can you do? Pause the
processing part of your program. Or make the processing part treat "no data"
as valid input and display something else.

Imagine taking that viewpoint with an ECG machine: This machine displays a
heart rate waveform. So it must have a heart rate input. If there is no heart
rate we'll just crash requiring a 5 minute reboot.

Hell no! Draw a straight line and set off a buzzer!

~~~
Bluestrike2
I agree with you, but the flat line might not be the best example because that
has a very specific meaning (asystole) that doctors will take certain actions
based on without necessarily trying to verify it manually when time is already
critical. You should never be able to confuse an error message for anything
else.

~~~
Avernar
> You should never be able to confuse an error message for anything else.

Exactly. Which is why "Can't read file sensors.dat" is way better than just
crashing. Crashing is one of the worst error messages you can get because you
don't know what happened.
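An added example (not Merge's code or anything from the article) of the behaviour argued for in this subthread: a telemetry reader that turns a failed read into an explicit NO TELEMETRY state with a message naming the file, keeps polling, and resumes on the first successful read. The file name sensors.dat, the sample format and the simulated antivirus lock are constructed for the demo.

```python
import os
import tempfile
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    OK = "OK"
    NO_TELEMETRY = "NO TELEMETRY"   # unambiguous wording; never rendered as a flat line


@dataclass
class Frame:
    state: State
    samples: list          # parsed values when state is OK, otherwise []
    message: str           # what the status bar shows for this tick


def parse_samples(raw: bytes) -> list:
    """Parse one line of comma-separated integer samples (constructed format)."""
    text = raw.decode("ascii").strip()
    if not text:
        raise ValueError("no samples in file")
    return [int(tok) for tok in text.split(",")]


class TelemetryReader:
    """Reads the latest acquisition file on every tick. An OSError (file locked,
    missing or permission denied) or a parse error becomes a NO_TELEMETRY frame;
    the reader never raises, keeps running, and recovers by itself on the next
    good read instead of needing a restart."""

    def __init__(self, path: str, opener=open, stale_after: int = 3):
        self.path = path
        self.opener = opener              # injectable so the demo can simulate a lock
        self.stale_after = stale_after    # ticks before the message escalates
        self.consecutive_failures = 0
        self.last_good = None

    def tick(self) -> Frame:
        name = os.path.basename(self.path)
        try:
            with self.opener(self.path, "rb") as fh:
                samples = parse_samples(fh.read())
        except (OSError, ValueError) as exc:
            self.consecutive_failures += 1
            reason = exc.strerror if isinstance(exc, OSError) and exc.strerror else str(exc)
            msg = f"Can't read file {name}: {reason}"
            if self.consecutive_failures >= self.stale_after:
                msg += f" (no data for {self.consecutive_failures} ticks)"
            return Frame(State.NO_TELEMETRY, [], msg)
        self.consecutive_failures = 0
        self.last_good = samples
        return Frame(State.OK, samples, f"{name}: {len(samples)} samples")


def make_flaky_opener(fail_ticks: int):
    """Simulated antivirus lock: the first `fail_ticks` opens are refused with
    EACCES, after which the real open() is used again."""
    calls = {"n": 0}

    def opener(path, mode):
        calls["n"] += 1
        if calls["n"] <= fail_ticks:
            raise PermissionError(13, "Permission denied", path)
        return open(path, mode)

    return opener


def run_demo(fail_ticks: int = 2, ticks: int = 5) -> list:
    """Run the reader over a constructed temp file with a simulated lock and
    return one Frame per tick, so the recovery can be inspected."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sensors.dat")       # constructed file name
        with open(path, "wb") as fh:
            fh.write(b"118,121,119,117")               # constructed sample line
        reader = TelemetryReader(path, opener=make_flaky_opener(fail_ticks))
        return [reader.tick() for _ in range(ticks)]


if __name__ == "__main__":
    for i, frame in enumerate(run_demo(), 1):
        print(f"tick {i}: {frame.state.value:12} {frame.message}")
```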

------
11thEarlOfMar
/rant/

I can't tell you how many times we've chased down field problems that
ultimately were the result of antivirus scans. It's been so bad, that one of
the first questions we now ask when we get a tool-down report is "is there
antivirus running and what is the configuration?"

Bringing Windows into the architecture of any type of capital equipment
control system is a bane. A scourge. I mean to say, it really is a
misappropriation of software. Imagine, "Yeah, Frank only knows VB, so that's
what we used for the aircraft's cockpit GUI."

/xrant/

~~~
raverbashing
This

These machines cost hundreds of thousands of dollars.

There should be no excuse for using Windows. None.

I would not be surprised if the "antivirus" thing was some PHB requirement

~~~
Amezarak
Is there a reason to believe that choosing Windows was a bad decision?

The bad decision was installing antivirus software. Otherwise, most any modern
OS would be fine. This machine probably shouldn't be connected to a network
(if it was), the USB ports should be disabled; data can come off on burned
CDs, autorun should be disabled, etc. That's how you deal with IA concerns on
a standalone mission-critical system, not by installing antivirus.

~~~
raverbashing
You're right. My bet is that they use Windows because they want to save or get
something from the machine (either to a USB drive or network).

And I would have followed the same steps you mentioned. The machine could work
with Windows.

Windows CE might have been a better pick, so you can have things like an RO
filesystem, etc.

"There is no reason to use Windows" is, as you mentioned, not a bad decision
in itself, but since they do it the lazy way, it is awful. Not sure if there's
an out-of-the-box way of firewalling everything in the Windows versions
available at the time that machine was built.

~~~
enraged_camel
A lot of those machines have Windows embedded in them, because a lot of
doctors and nurses are really, really bad with technology and cannot use
anything more complicated than Windows's familiar user interface. Training
involves "OK, now use the mouse and double-click this icon on the desktop to
start the program."

I wish I was kidding.

~~~
stephengillie
Windows is a familiar interface for computers. Is there a good reason for not
using a familiar user interface?

~~~
tremon
Huh? Of course there is. "Familiar interface" isn't even a functional
requirement, it is only of secondary importance for any system. Actual
functionality is much more important.

As an aside, if "familiar interface" is your only requirement, I'd suggest to
install a door handle or light switch.

~~~
seanp2k2
Your comment may sound sarcastic on the first read, but I agree with the
point; don't use Windows when what you needed could be done with a
microcontroller or a physical circuit. Not sure if the application here fits that
at all, but I've definitely seen things like you-do-it check-outs, ATMs,
billboards, etc running Windows. I would think that these systems would be
much better off with something like a hardened microcontroller running a
remote display system vs a multi-gigabyte operating system.

With Windows 10, this problem will likely get a whole lot worse. What do you
do when MS pushes a forced update to your deployed devices and it bricks some
of them?
[http://m.theregister.co.uk/2016/05/06/microsoft_update_asus_...](http://m.theregister.co.uk/2016/05/06/microsoft_update_asus_windows_7/)

What about when you can't disable Cortana (without breaking the start menu)
and you're in a HIPAA / PCI environment?
[http://winaero.com/blog/how-to-uninstall-and-remove-cortana-...](http://winaero.com/blog/how-to-uninstall-and-remove-cortana-in-windows-10/)

As we've seen with things like SCADA, switching from Windows is not a silver
bullet, but in terms of minimizing the complexity and attack surface, Windows
seems to be starting at the opposite end of the spectrum.

~~~
tremon
Oh, I didn't even mean my comment to be about Windows vs dedicated OS, at
least not directly. When administered correctly and properly fenced off, using
a modern Windows system is not a cardinal sin. Although I will admit that
Windows 10, with its non-optional feature cadence, brings additional
uncertainty.

However, I do question "it looks like Windows" as a valid rationale for what
appears to be a single-purpose machine. I don't think it's likely that staff
are using the operating room equipment as a desktop machine, so presumably
they only care about the in-app user interface. And an application interface
can be made to "look like Windows" regardless of what OS it's running on.

------
CaptSpify
[https://xkcd.com/463/](https://xkcd.com/463/)

The whole structure is wrong. I used to work in medical equipment repair.
Windows Embedded is running so many devices it's not funny. But it's not
_just_ Windows that's the problem.

I put a Linux system on a PACS network to diagnose equipment. It was
headless, and we _asked_ the IT group to block it off from the Internet.

Hospital IT: "Does it have antivirus?"

Me: "..."

~~~
SixSigma
List of FDA medical equipment recalls for 2016

[http://www.fda.gov/MedicalDevices/Safety/ListofRecalls/ucm48...](http://www.fda.gov/MedicalDevices/Safety/ListofRecalls/ucm480134.htm)

At least three of them are Class 1 - May cause death

And all of those are software related, none run Windows

[http://www.fda.gov/MedicalDevices/Safety/ListofRecalls/ucm48...](http://www.fda.gov/MedicalDevices/Safety/ListofRecalls/ucm481966.htm)

[http://www.fda.gov/MedicalDevices/Safety/ListofRecalls/ucm48...](http://www.fda.gov/MedicalDevices/Safety/ListofRecalls/ucm489108.htm)

[http://www.fda.gov/MedicalDevices/Safety/ListofRecalls/ucm48...](http://www.fda.gov/MedicalDevices/Safety/ListofRecalls/ucm485790.htm)

~~~
kosmic_k
That is astoundingly horrifying, especially the Class 1's which were
distributed for over five years.

~~~
SixSigma
I read every recall, food and medical, from 2000-2015 for a university
research project. tbh I'm surprised anyone is still alive !

------
dchichkov
Let me surprise you, with the code quality that sometimes is running in what
is actually 'life-critical' software.

Back in the nineties, I wrote a nice piece of some 300kb of C code, for
DOS/x86. It was a complete software package, controlling medical equipment
that was testing speed of blood coagulation. These tests are crucial in the
patient post-operation recovery.

This piece of C code had some hardware control code, some statistics, a bit of
math, some visualisation, GUI, etc. Normally, you'd imagine a team of 2-3
people, carefully written test cases, dedicated QA person, and a year of time
to write something like it. And an independent lab, that would certify the thing.
Well... in that case, yes, there was independent certification... but...

It was just one developer, and I was 13, when I wrote it ;) During after-
school time, in around 4-6 months. And I must say, I still sometimes have
chills, when I think of the code quality, and, um, unorthodox solutions of
13-year-old myself. Yes, I've had some years of experience at the time, both
writing software and designing hardware, and advice from my parents, who both
could write software. But, at the time, I've had zero formal training, aside
from reading K&R and PC XT manuals ;). So, you might imagine the code quality
;) Even, no need to imagine, I actually still have it somewhere in the
archives :)

~~~
state
I understand why you probably don't want to put it up, but boy would it be fun
to look at the code you're describing.

~~~
dchichkov
I probably will put it up. It's a nice inspirational story for teens out here.
Doubt there'd be any repercussions, no one cares about some random code on
GitHub. And the equipment is hopefully taken out of service years ago, it was
more than 20 years back. I wish I knew how long it had been used, but there've
been only about 10-20 units sold, I think.

I vaguely remember adding extra features for a year or so (like adding support
for HP laserjet printer). But one of the founders of the company (on the
business side) had some health problems, and I guess that had played a role in
the very small number of units sold. The only feedback that I've had is pretty
much that my father took me to a lab once, that had a unit deployed, for a
support call. And I've seen some real printouts with patient names, from the
unit. The lab assistant seemed to be happy with the device. I remember them
showing me some blood plasma and teaching me to count cells, during lab tour
;)

------
pdkl95
Is it going to take more deaths to convince people to learn from the
Therac-25[1]? If you aren't designing for _safety first_, you have no
business working on medical devices or anything else that might be dangerous
when it misbehaves.

[1]
[http://sunnyday.mit.edu/papers/therac.pdf](http://sunnyday.mit.edu/papers/therac.pdf)

~~~
chestervonwinch
I am not the parent poster, but may I ask why this comment is being
downvoted? I'm not speaking for the parent, but he or she seems to be implying
that medical equipment with anti-virus software with automatic updates (used
as such) may potentially compromise a patient's safety, and may be indicative
of further bad design practices, which could result in, at worst, death. Is
this somehow off-topic, or not worthy of discussion?

~~~
pdkl95
That's exactly right. The article mentions that the doctors were fortunate
enough to have _five minutes_ during which they could reboot the device. If
they were in the middle of some other procedure that had tighter time
constraints, a reboot could have _easily_ killed the patient.

Just like the Therac-25, this isn't about a single problem (the antivirus or
the race condition in the Therac-25's software). Designing for safety has to
happen at all levels of design. Using Windows (or Linux, or any other complex
OS) in a medical device shows that the designer wasn't even considering the
safety of major parts of their design.

Designing medical devices with an OS that can be infected with malware (and
thus need an antivirus) is the same kind of idiocy that puts a car's steering
and brakes on the same CAN bus as the music player and emergency radio. It's a
sign that the designer needs either more education or a different job before
someone is injured or killed.

------
iask
There are a couple of things here from my POV, first - I would replace the
head of their IT and any senior IT staff - who seem to look for the quickest-
then-cheap solutions. Dumb ducks who don't spend the extra time understanding
the importance of the infrastructure and the software they install. And also
replace the service vendor, if they have one.

I've seen this happen time and again, where companies have some 3rd party
service vendors who would install AV software on anything they can get their
hand on, even a microwave or coffee machine - just to tell the client "my bill
is expensive, but you can feel secure, we installed AV". I despise these folks
with a passion.

The problem is not Windows. It's a lack of knowledge and understanding.
Simple.

For god's sake - it's 2016 - dump the Anti Virus software. I am gonna make
t-shirts this summer with this ;)

~~~
technion

> I would replace the head of their IT and any senior IT staff

It's a very good bet the senior IT team were following orders from somewhere
else in the chain here.

------
GunboatDiplomat
Why on earth is medical equipment running standard Windows? This is the ideal
location for some basic RTOS or even just an embedded Linux. Seems like a huge
cost and risk for no gain.

~~~
tluyben2
It's cheap to find Windows programmers and even cheaper to find ones that are
not hindered by knowledge about software quality and safety. That's not their
fault; no-one ever told them something like that exists.

~~~
nonbel
>"hindered by knowledge"

This is a great phrase. "Joe was hindered by knowledge of what a p-value means
and so didn't claim he discovered a key to understanding the disease."

------
steven2012
Antivirus scans are one of those things added on IT checklists to cover their
ass whenever something wrong happens.

But it rarely is useful. It only causes problems. We've seen so many issues
related to virus scans throughout the years it's crazy.

What's better is to lock down the servers with only minimal access. I haven't
used virus scan on my main desktop for over 10 years because I don't click on
weird emails and I don't go to sketchy websites ever. Sure there's the risk of
malware from ads I suppose, but I'm not that worried.

~~~
jconley
Most of the time IT is just implementing policy from the CIO, which is basing
it on the requirements of the company's insurers. Insurance companies require
some very annoying things like Anti-virus. It's like having a lock on your
office. You do it so the insurance company will pay you if someone comes in
and steals your stuff.

~~~
AnthonyMouse
It's more like the requirements cronies put into defense contracts to make
sure the contractors make a lot of money.

The reason "security requirements" documents require antivirus is that
companies like Symantec make sure they're in the right position to be the ones
asked when someone is writing up a security requirements document, so that
their answer can be "make sure you install antivirus (and here's the contact
info for our volume licensing center)."

------
YeGoblynQueenne
>> The antivirus was configured to scan for viruses every hour, and the scan
started right in the middle of the procedure.

>> The company claims that they included proper instructions in their
documentation, advising companies to whitelist Merge Hemo's folders in order
to prevent crashes from happening, so it seems that the whole incident was
nothing more than an oversight on the medical unit's side.

So "RTFM"? Not very helpful.

------
combatentropy
> they included proper instructions in their documentation, advising companies
> to whitelist Merge Hemo's folders in order to prevent crashes from
> happening, so it seems that the whole incident was nothing more than an
> oversight on the medical unit's side.

And the hospital included full instructions to the software company on how to
properly perform a heart transplant, so they were baffled why the programmer
just let his teammate die of heart failure.

Come on, this kind of stuff should be a zero-configuration hardware-based
black box, with its own buttons, screen, etc. --- not something that needs to
be (or even can be) connected to something outside the vendor's total control.

------
ezoe
This situation is even funnier (and sadly very seriously flawed) in Japan.

Medical equipment requires an authorization to use. Any change to the medical
equipment requires another authorization or it's prohibited.

By "any change", that includes Windows Update (it changes the system, obviously).

The result: they use anti-malware software to protect (or rather, are believed to
protect) unpatched Windows.

At least one anti-malware software company (Trend Micro) is marketing that their
software can protect the medical equipment in such a situation.

~~~
exhilaration
But... what about AV/malware definition updates? Doesn't that fall under "any
change"?

~~~
symtos
and what about security updates to the snakeoil they sell, e.g.
[https://bugs.chromium.org/p/project-zero/issues/detail?id=69...](https://bugs.chromium.org/p/project-zero/issues/detail?id=693)

------
callesgg
Putting antivirus on equipment at all indicates a much bigger problem.

That the equipment is somehow configured to be susceptible to viruses.

~~~
datenwolf
Well at least in EN62304 the installation of AV on medical devices is
recommended. The whole thing reads as if it were written by people who
picked up a few buzzwords and read a few articles in a computer magazine.

------
stevetrewick
From the linked report :

 _Based upon the available information, the cause for the reported event was
due to the customer not following instructions concerning the installation of
anti-virus software; therefore, there is no indication that the reported event
was related to product malfunction or defect_

I beg to differ. I'd consider a momentary loss of file I/O due to lock
contention causing a machine to require a reboot a shocking defect in - say -
a word processor (which, notably, do not have this problem). That this risk is
apparently known and the vendor's sole mitigation is to document a 'Don't do
that then' is absolutely 100% an indication of a product defect, even in the
absence of an actual occurrence.

------
kinai
this reminds me of the IT Crowd's bomb disposal robot:
[https://www.youtube.com/watch?v=z88b96ECZCE](https://www.youtube.com/watch?v=z88b96ECZCE)

just perfect

------
toomanythings2
I don't think they say this device is controlled by Windows but it must be.
Why professional software and instruments even consider using Windows is
beyond me.

------
malbs
We've had issues with the latest versions of kaspersky. A burst of network
activity is almost guaranteed to crash a machine.

It took us a while to isolate Kaspersky 10, and it's not even any particular
component inside of Kaspersky, but only when all features are enabled. We
tried different permutations of features to try and isolate the cause of our
crashes, but as soon as you have any one feature disabled, the crashes
stop. Very frustrating, because ultimately our clients laid the blame at my
feet (new software feature, new release, blah blah blah), and there's not exactly much
you can do in the way of hardening against this particular crash: the app
generates a burst of network data, and boom, blue screen/instant reboot.

------
coldcode
I worked at a financial company that ran its production Oracle database
servers on Windows in the same network as the staff (no firewall) and ran
virus checkers on them. Performance was terrible of course.

------
angersock
Okay, seriously, I need to say something, because I doubt most of the people
commenting in this thread have ever dealt with either health IT, healthcare
software, or any of the related nonsense.

There are kinda four flavors of machine setup I ran into while in that field:
big server banks for on-site hosting (think huge enterprise VM farms, for data
warehousing and record storage and virtual desktop hosting), care provider
systems (think like tablets, doctor office computers, nurse workstations, room
workstations), cart computers (used for things like running the sonogram or
cardiogram equipment, or for other studies), and actual integrated devices
(for, say, data collection).

The care provider systems are usually comically locked-down, tablets and
phones having the meanest management software they can (no apps, limited
connectivity, remote wiping, and so forth). Workstations tend to be centrally
managed, have images pushed regularly (ha!), and often use AD and smartcards
to handle authentication. One place I've seen took this a step further, and
basically just booted users directly into a VM hosted on the server farms
mentioned earlier. You can't use USB devices, you have highly-regulated
clipboard access, and so forth--this is done to prevent HIPAA breaches. Which
is kinda silly given other workarounds, but whatever makes people feel safe
and the CIO happy. These workstations run some enterprise version of Windows,
probably 7 Pro. Those silly-long extended service agreements you see on
Microsoft? Hospitals are some of the people keeping that alive, and they will
pay _obnoxious_ amounts of money for the privilege.

The cart computers are typically like the workstations in terms of
functionality, but they may have software specific to the device they're
talking to. They might not be as locked down (e.g., only acting as thin
clients to a remote VM), but they are still running Windows.

The device computers may run some kind of RTOS. In some cases, they'll be
running a customized Windows CE installation--which is totally reasonable.
There are a lot of good guarantees that that can give a development shop,
least of all that they can call up Microsoft instead of StackOverflow and say
"Hey, this function does x, it's documented as y, and we're paying you a lot
of money, so what the fuck?". Windows Embedded (which I think is the
successor, not sure).

In all of these cases, _Windows itself works pretty damned well_.

It runs the software everybody needs, it has the enterprise deployment stuff
figured out through decades of improvement, and really there is no reason to
be scoffing at its choice.

Now, if folks have goofed up and thrown a stupid AV policy on the machine,
_that's_ a different question entirely. Health IT is _full_ to the brim of
people basically just punching a clock and being unable to get anything done
in a reasonable amount of time. Sometimes, they do awesome things, but mainly
they are just custodians standing between doctors and really really stupid
policy decisions that seemed good at the time.

EDIT: Removed unrelated example at top.

------
saganus
Wtf?

"The antivirus was configured to scan for viruses every hour, and the scan
started right in the middle of the procedure."

Who configures an antivirus for an hourly scan on a doctor's computer?

~~~
pritambaral
It wasn't even a doctor's computer, it was apparently an operating-room
equipment computer.

------
Kristine1975
Why is there a virus scanner on a PC inside the operating room?

Don't tell me that PC is connected to the internet...

~~~
rs999gti
I was going to ask this as well. Why does this PC need to be connected to the
internet? If it doesn't need to phone home while operating as a heart monitor
then there is no need to have antivirus or have this PC connected to the
internet.

Also, plenty of devices not connected to the internet run Windows: ATMs,
billboards, monitors, etc.

Dumb IT is to blame for this mistake.

~~~
jcrawfordor
> Also, plenty of devices not connected to the internet run Windows: ATMs,
> billboards, monitors, etc.

I hate to break it to you, but, in practice... these things are all typically
connected to the internet.

------
billforsternz
"A critical medical equipment crashed during a heart procedure due to a
_timely_ scan triggered by the antivirus software installed on the PC to which
the said device was sending data for logging and monitoring."

That should be _untimely_. The opposite of timely.

------
firebones
For what it is worth, Merge is now part of IBM Watson.

[http://www.merge.com/News/Article.aspx?ItemID=660](http://www.merge.com/News/Article.aspx?ItemID=660)

Welcome to the Health Cloud Powered by Watson.

------
fla
How can a medical device be certified for running on 'user hardware'
(= an uncontrolled environment)?

Something is probably missing from the article. IMO, the device in question
wasn't critical at all, and a failure could be expected.

------
fencepost
I see a bunch of folks talking about whether PCs are connected to the Internet
and "why was it running antivirus in the first place?" It's called Defense in
Depth.

It Does Not Matter if the device is connected to/able to reach the Internet.

First, it probably can reach the Internet in some way simply by being
networked. I don't think I've ever seen a medical office (can't speak about
hospitals) where medical diagnostic equipment was on a fully-separate network
able only to talk to other network equipment and specified data destinations
(PACS servers).

Second, I'm not concerned about unpatched, unprotected machines being infected
from the Internet. Odds are they're running a restricted version of Windows,
with a custom shell and a lot of stuff stripped out. I'm concerned that
they're going to be infected by another machine on the network that's gotten
infected. With all the past SQL Server security issues a decade or more ago,
how many people think those SQL Server boxes could be directly reached from
outside the local network?

The conjunction of those two is that even if you firewall all that stuff off,
the PACS servers are still on both networks, and are probably running much
more interesting and vulnerable stuff than the device controllers.

Sure you can fully wall everything off - it's really easy, just do your X-rays
onto film, burn your MRIs and ultrasounds onto CDs, and print your EKGs for
later scanning. Oh, and listen to people complain about how out-of-date your
systems and procedures are.

There are other factors that come in as well - sure, every device manufacturer
could provide fully bespoke diagnostic displays developed from the ground up
in artisanal software shops providing full employment for assembly programmers
working on embedded systems, along with cohorts of graphic designers creating
glorious steampunk-styled interfaces. That's a beautiful dream, keep having
it.

For the rest of the world, creating a UI on that custom embedded system
running on something from RIM/Blackberry (yeah, they own QNX) is just going to
get them crap from people because of A) how clunky it probably looks and B)
How could they even consider allowing direct user interaction with the RTOS
that was chosen to ensure that the dangerous bits in contact with
patients/radiation/irradiated patients were safe?

There's a beautiful world out there somewhere where everything is safe and
secure and seamless and updated. The rest of us live in worlds where Joe in
Marketing's PC gets infected with something that allows an attacker to start
scanning the network for unpatched vulnerabilities on any system, which leads
to an out-of-date install of IIS on a legacy server that hasn't been updated
because there's no longer a contract with the vendor (or no vendor) but it's
around because there's a statutory requirement to keep the data on that system
for 7-10 years.

There's a lot of ugliness out there. Antivirus is a way to try to ensure that
when (not if) some of it hits you the repercussions are minimized.

~~~
tremon
_it probably can reach the Internet in some way simply by being networked_

That is simply untrue, you can (and in many cases should) have unroutable
subnets. But even if true, that only slightly changes the question: why is
operating room equipment networked in the first place? That you've never
encountered a proper setup doesn't excuse not having it.

~~~
fencepost
I phrased that badly - it's not that they can reach the Internet, it's that
with the exception of true high-security fully-airgapped locations, if the
machine is networked then it's almost guaranteed that the Internet (or
something on it) can effectively reach out and touch that machine even if it's
only via other systems.

I don't work in a hospital environment, haven't for more than a decade and
wasn't interacting with clinical systems even then, but my understanding is
that a very significant amount of medical equipment was networked even then,
and was at least in theory capable of streaming HL7-formatted data to other
internal systems for reasons of patient care, billing, or both. How much of
that happens in the real world instead of being theoretical is something I
can't say, but I'm sure in the 15+ years since I was working with HL7 that
hospitals and equipment haven't gotten less networked.

------
mtgx
Microsoft must be relieved this wasn't yet another Windows 10 upgrade horror
story.

