Is a Domain Registrar a Critical Supplier?

QAMed26

Starting to get Involved
#1
Good afternoon,

Working through a bit of a mess of an AVL that I inherited from a former employee (I am the "replacement"). They listed our domain registrar as a critical supplier because customers interact with our standalone software medical device through our website. So in theory, if the registrar up and disappeared, customers wouldn't be able to have their raw data scored until we found a new registrar; however, the medical device itself would be unaffected, yes?
#confusedinCanada ;)
 

Ron Rompen

Trusted Information Resource
Trusted
#2
I would agree that the registrar would be a 'critical supplier' since the inability to interact with your software would result in the equipment being nonfunctional. Not sure how difficult it would be to have a backup supplier, or if it is even feasible.
 

RoxaneB

Super Moderator
#3
QAMed26 said:
Good afternoon,

Working through a bit of a mess of an AVL that I inherited from a former employee (I am the "replacement"). They listed our domain registrar as a critical supplier because customers interact with our standalone software medical device through our website. So in theory, if the registrar up and disappeared, customers wouldn't be able to have their raw data scored until we found a new registrar; however, the medical device itself would be unaffected, yes?
#confusedinCanada ;)
If the scoring of the data is critical to what your organization provides to the clients? I ask because I'm uncertain what you mean by "raw data" - it could be data transmitted via the medical device regarding the ability to provide feedback on the client's health outcomes.

Is the website also how your organization communicates with clients (e.g., product upgrades, product recalls, etc.)?

What is the risk if the registrar is removed from the list? Or would it be more a case of downgrading them from being a critical supplier to a "normal" one? How would that impact their evaluation?
 

QAMed26

Starting to get Involved
#4
Essentially our clients use our other device to gather data from a patient. They then take this data and submit it to a website that will do an autoscoring for them and give those results. A doctor will then make a diagnosis based on the autoscored results. If they cannot access the autoscoring website because our registrar is down there is a delay in diagnosis, but no risk for an improper diagnosis.

Does that help make it clearer?
 

RoxaneB

Super Moderator
#5
Is the doctor supposed to do the scoring manually then if the registrar is down?

I'll be honest, it does sound as if the application of the site is one of the fundamental "selling points" of the device and its functionality.

I also consider it "critical" because it seems like the application is managing Personal Health Information (PHI) or am I misinterpreting?
 

QAMed26

Starting to get Involved
#6
Thanks for engaging in this conversation. These are great questions for me to wrap my brain around :)

No - we do not communicate to the doctor that they should do that. The idea is that our domain registrar should never go down. Our Internet Service Provider is probably another situation that I need to look into, as I don't see them on our AVL.

The functionality is a definite selling point.

And no - we never see patient information. That is mandated in the IFU, I believe.

I think I'm just trying to look at risk. The probability of our domain registrar up and disappearing is minimal - we do not use some obscure one. However the severity is moderate to high.
 

RoxaneB

Super Moderator
#7
I think you've nailed it on the head with:

QAMed26 said:
I think I'm just trying to look at risk. The probability of our domain registrar up and disappearing is minimal - we do not use some obscure one. However the severity is moderate to high.
The idea of having a contingency plan might be worth looking into, if one does not already exist.
 

Ninja

Looking for Reality
Trusted
#8
FWIW, "Domain Registrar" and "Domain Host" are not required to be the same thing.

Not sure I would consider the Domain Registrar a risk... Domain Host, yes.
In most cases (99+%) they are the same company... but it is not necessary to be so.
 

Ronen E

Just a person
Super Moderator
#10
QAMed26 said:
we do not use some obscure one.
You have given the answer you're looking for, really. It conveys that that supplier's quality/reliability is of importance, and therefore you've evaluated it before engaging, albeit in an informal way. All you need to do is formalise it - put it through your formal vendor evaluation and selection process and capture the result (which you already know) on your AVL. If your policy is to have contingencies for high-risk suppliers, do that too; however, if the formalised and documented risk is acceptable as-is, maybe that's an overshoot.

BTW, in medical device quality management, critical suppliers are usually considered those that provide an element that has a significant bearing on the finished device's safety or effectiveness.

Cheers,
Ronen.
 
