Is a Domain Registrar a Critical Supplier?

[QAMed26]

Good afternoon,

Working through a bit of a mess of an AVL that I inherited from a former employee (I am the "replacement"). They listed our domain registrar as a critical supplier because customers interact with our stand alone software medical device through our website. So in theory, if the registrar up and disappeared customers wouldn't be able to have their raw data scored until we found a new registrar, however the medical device itself would be unaffected, yes?
#confusedinCanada

 

[Ron Rompen]

I would agree that the registrar would be a 'critical supplier' since the inability to interact with your software would result in the equipment being nonfunctional. Not sure how difficult it would be to have a backup supplier, or if it is even feasible.

 

[RoxaneB]

Good afternoon,

Working through a bit of a mess of an AVL that I inherited from a former employee (I am the "replacement"). They listed our domain registrar as a critical supplier because customers interact with our stand alone software medical device through our website. So in theory, if the registrar up and disappeared customers wouldn't be able to have their raw data scored until we found a new registrar, however the medical device itself would be unaffected, yes?
#confusedinCanada

If the scoring of the data is critical to what your organization provides to the clients? I ask because I'm uncertain what you mean by "raw data" - it could be data transmitted via the medical device regarding the ability to provide feedback on the client's health outcomes.

Is the website also how your organization communicates with clients (e.g., product upgrades, product recalls, etc.)?

What is the risk if the registrar is removed from the list? Or would be more a case of downgrading them from being a critical supplier to a "normal" one? How would that impact their evaluation?

 

[QAMed26]

Essentially our clients use our other device to gather data from a patient. They then take this data and submit it to a website that will do an autoscoring for them and give those results. A doctor will then make a diagnosis based on the autoscored results. If they cannot access the autoscoring website because our registrar is down there is a delay in diagnosis, but no risk for an improper diagnosis.

Does that help make it clearer?

 

[RoxaneB]

Is the doctor supposed to do the scoring manually then if the registrar is down?

I'll be honest, it does sound as if the application of the site is one of the fundamental "selling points" of the device and its funcationality.

I also consider it "critical" because it seems like the application is managing Personal Health Information (PHI) or am I misinterpreting?

 

[QAMed26]

Thanks for engaging in this conversation. These are great questions for me to wrap my brain around

No - we do not communicate to the doctor that they should do that. The idea is that our domain registrar should never go down. Our Internet Service Provider is probably another situation that i need to look into, as I don't see them on our AVL.

The functionality is a definite selling point.

And no - we never see patient information. That is mandated in the IFU, I believe.

I think I'm just trying to look at risk. The probability of our domain registrar up and disappearing is minimal - we do not use some obscure one. However the severity is moderate to high.

 

[RoxaneB]

I think you've nailed it on the head with:

I think I'm just trying to look at risk. The probability of our domain registrar up and disappearing is minimal - we do not use some obscure one. However the severity is moderate to high.

The idea of having a contingency plan might be worth looking into, if one does not already exist.

 

[Ninja]

FWIW, "Domain Registrar" and "Domain Host" are not required to be the same thing.

Not sure I would consider the Domain Registrar a risk...Domain Host, yes.
Most of the cases (99+%) they are the same company...but it is not necessary to be so.

 

[QAMed26]

Well that gives me something to discuss with my IT guy in the morning.
Thanks!

 

[Ronen E]

we do not use some obscure one.

You have given the answer you're looking for, really. It conveys that that supplier's quality/reliability is of importance, and therefore you've evaluated it before engaging, albeit in an informal way. All you need to do is formalise it - put it through your formal vendors evaluation and selection process and capture the result (which you already know) on your AVL. If your policy is to have contingencies for high-risk suppliers, do that too; however, if the formalised and documented risk is acceptable as-is, maybe that's an overshoot.

BTW in medical devices quality management critical suppliers are usually considered those that provide an element that has a significant bearing on the finished device's safety or effectiveness.

Cheers,
Ronen.