Federal safety officials have issued an urgent warning about software defects in an anesthesia delivery system that can cause life-threatening failures at unexpected times, including when a cellphone or other device is plugged into one of its USB ports.

The ARKON anesthesia delivery system is used in hospitals to deliver oxygen, anesthetic vapor, and nitrous oxide to patients during surgical procedures. It is manufactured by UK-based Spacelabs Healthcare Ltd., which issued a recall in March. A bug in Version 2.0 of the software running on the device is so serious that it could cause severe injury or death, the US Food and Drug Administration warned last week in what's known as a Class I recall. In part, the FDA advisory read:

Reason for Recall: Spacelabs Healthcare is recalling the ARKON Anesthesia System with Version 2.0 Software due to a software defect. This software issue may cause the System to stop working and require manual ventilation of patients. In addition, if a cell phone or other USB device is plugged into one of the four USB ports for charging, this may also cause the System to stop working. This defect may cause serious adverse health consequences, including hypoxemia and death. Spacelabs Healthcare received one report related to the software defect. There have been no injuries or deaths associated with this malfunction.

At least 16 vulnerable units were in place at hospitals in North Carolina and South Carolina, according to the Class I advisory, the most serious type of recall notice issued by the FDA.

It remains unclear why such a sensitive medical device has USB ports or why there would ever be a medical necessity for plugging a cell phone into one of them. Assuming there are reasons for including the ports in the first place, it's hard to understand how a bug in the way they handle connected devices wasn't caught during quality assurance testing. It's the second recall of a Spacelabs-made anesthesia device in the past year. In October, the manufacturer recalled its BleaseSirius and BleaseFocus anesthesia workstations because of loose fastening hardware in an absorber. The FDA issued a Class I advisory in response to that flaw as well.

The software defect underscores the life-threatening risks buggy or poorly designed code can pose when embedded in critical medical devices. Last year, the Industrial Control Systems Cyber Emergency Response Team issued an advisory warning that a vast array of heart defibrillators, drug infusion pumps, and other medical devices contained backdoors that made them vulnerable to potentially life-threatening hacks. Security researcher Barnaby Jack was prepared to demonstrate a variety of serious hacks on medical devices at last year's Black Hat security conference when he died suddenly (of a reported drug overdose) just days before his scheduled talk.