By Joseph E. Fishel, CBET, MBA
Do you have purchasing requirements to use as guidelines? Are your guidelines updated with regularity? Have you updated them to reflect the new UL 2900 standards for cybersecurity?
The purchase of a medical device is usually an 8- to 10-year investment. Any changes identified as happening in the near future need to be fed into the procurement process early on. This keeps equipment in compliance with new standards.
So, what do you include in your purchasing requirements? Here are a few thoughts and ideas.
Documentation – What kind of documentation do you want to come with the device? Typically we ask for two copies of the operator’s manual and a service manual. We also request any updates or service bulletins to keep devices current. Documentation that can be required includes the following:
- A copy of the MDS2
- A Master Service Agreement with the manufacturer that outlines everything we are going to talk about here.
- PHI Security Risk Assessment
- Business Associates Agreement
- UL, NFPA and (if networked or if it contains PHI) UL 2900 standards
Hardware and software – This is where you can define requirements such as password protection, operating system levels, how operating systems with an EOS will be dealt with in the future, and how future hardware and software upgrades will be dealt with. This is an opportunity to ask for what you need. Here are some suggestions:
- Upon delivery and before first use the device will be brought up to the current software and operating system revisions and all applicable patches applied.
- Maintenance or service passwords will not be generic such as 1234, Password, password, PASSWORD, Admin, ADMIN, etc.
- If there is a need for the vendor to remote into the XXXXXXXXXX network to reach the device, does the vendor meet your requirements? (If the requirements are changing in the future, will they meet the future requirements?)
- Can HDMI ports, disk or CD drives be deactivated?
- Future upgrades/updates and costs.
Acceptance Testing – This is always an interesting subject. When is the device accepted?
- When the equipment is delivered and installed at the hospital, the hospital will schedule the appropriate tests. At the hospital’s discretion, the vendor shall have a qualified individual available during the acceptance testing period to operate the equipment, answer questions and perform adjustments as required. The vendor shall be responsible for its own overtime incurred during acceptance testing.
- If the device is to be networked, acceptance can’t be granted until the device is communicating with all applicable applications.
- Performance testing will be carried out by the hospital in conjunction with the appropriate departmental personnel.
- Acceptable performance means that all of the equipment will perform its intended function and will meet or exceed all manufacturer’s claims and specifications, all FDA certification requirements as well as those performance standards established by recognized scientific organizations.
- The equipment and all its peripheral devices shall be certified as a system by a nationally recognized testing laboratory. Any testing required for product safety certification will be at the vendor’s expense. Electrical leakage and grounding tests will be carried out by the hospital after installation.
Warranty – What is covered and what isn’t and when?
- Warranty will begin after formal acceptance of the equipment or upon a mutually agreed date.
- All warranty service work shall be documented. Warranty service shall be scheduled through the hospital’s biomedical repair department. Complete, legible copies of the service forms must be left with the biomed department when the work is finished.
- If the cumulative downtime or restricted clinical use exceeds 10% of the total warranty period, the vendor will extend the warranty to include an additional 30 days for every point below 90%.
- The decision to repair or replace faulty components during the warranty period shall be made jointly by the biomed department and the vendor.
- The vendor, in conjunction with the hospital and the applicable departmental representatives, shall carry out a complete evaluation of the system to assure that all specifications are met 30 days before the end of the warranty period. The vendor shall offer a warranty extension according to the third bullet above.
Training – You can negotiate for training to be free, as well as the level of training.
The vendor shall make available adequate applications training to all shifts of designated department employees. All training shall be at the hospital unless otherwise agreed upon by the hospital. All available training materials including, but not being limited to, videos, CDs, software, manuals, charts, audio tapes, etc. shall be provided to the hospital free of charge for as long as the hospital owns or leases the equipment. Follow-up applications training shall be provided by the vendor during the warranty period at the hospital’s request at the charges agreed to by the hospital and the vendor. In the event that the new software changes the operation of any equipment, supplemental applications training, as needed by the hospital, shall be provided by the vendor at no cost beyond the vendor’s charge for such software.
The vendor shall make available to the hospital a number of training opportunities. The hospital shall use the training only to maintain equipment owned or leased by the hospital, and shall protect all training materials from unauthorized disclosure. The training shall be the same as offered to the vendor’s own service personnel and shall become available before the end of the warranty period. All costs of such training shall be paid by the vendor. The hospital shall pay the trainees’ room, board, and travel expenses. The assignment of training slots shall be as follows:
- First of a kind system purchased by the hospital – 2 training slots
- Each additional system purchased by the hospital – 1 training slot
These are just some suggestions. What do you want to see on yours? Talk with your purchasing/procurement department as well as your legal department.
Joseph E. Fishel, CBET, MBA, is the Healthcare Technology Systems Manager with Sutter Health eQuip Services.