
By Phil Englert
When manufacturers declare the end of life or support for a product, the owner is often left with the decision to continue to operate. In health care, the decision to continue to use a medical device or patient care system is complex. The device or system likely still performs the clinical functionality it was acquired to perform. The capital or operational funds to replace the technology may be limited or unavailable. Replacing capital technology can disrupt business operations with downtime resulting in lost productivity and revenues. New medical technology may not be compatible with existing systems or processes, requiring additional investment in infrastructure and software. Employee training can be time-consuming and may require additional investment in human resources.
Overall, the decision to replace medical technology is complex and requires careful consideration of the costs and benefits involved. When cybersecurity is the driver, health care providers may choose to extend the life of their medical technology by investing in maintenance and compensating controls rather than replacing it outright. This can reduce costs and minimize disruption while allowing the health care provider to benefit from the technology. The decision to continue to operate unsupported technology may result in a risk transfer.
Risk transfer for technical support, including cybersecurity functions, refers to shifting responsibility for the potential risks associated with technical support to another party. Risk transfer aims to protect the technology manufacturer or technical support provider from the financial and reputational risks that may arise from issues related to the technical support they provide. By transferring the risk to the customer, the manufacturer or technical support provider can limit its liability for any issues or problems that arise while providing technical support services. This risk transfer is often a passive assumption by the customer rather than a legal agreement set out in a contract or service level agreement.
During the supported product life, levels of risk (product support) are negotiated and agreed upon in warranty documents, service contracts or service level agreements. Each party consents to specifically defined responsibilities. The amount of risk can be transferred from one party to another over the supported product lifecycle. For instance, the medical device manufacturer may agree to provide patches or updates for newly discovered vulnerabilities within an agreed-upon time frame. The customer may agree to apply those updates to the equipment they own, or they may engage the manufacturer or another third party to complete that task. During the supported life of medical technology, risk transference can be fluid depending on the capabilities and capacities of each party. Risk transfer can also occur at the end of a product’s life cycle.
When a product reaches the end of its life, the manufacturer relinquishes responsibility for continued support, including patches and updates. The risk associated with the continued operation of the medical technology is transferred to the customer. Overall, risk transfer at the end of a product’s life is an essential consideration for health care providers. It allows them to consider the benefits, liability and financial exposure of continuing to operate unsupported technology.
There are several key considerations to remember regarding risk transfer, regardless of the specific context in which it is being applied. These considerations include:
- Risk assessment: Before accepting the transference of any risks, it is important to conduct a thorough risk assessment to identify potential sources of risk and their potential impact. This can help ensure that the risk transfer is appropriate and does not expose the customer to untenable risks or financial consequences.
- Financial considerations: The cost of transferring risk must be weighed against the potential cost of bearing the risk. In addition to the patient benefits and revenues, risk transfer can involve fees, premiums, penalties, and legal exposure, and it is vital to ensure that these costs are reasonable and justifiable.
- Capacity and expertise: The party assuming the transferred risk must have the ability and expertise to manage that risk effectively. For example, applying compensating controls, additional monitoring and ensuring a response plan is effective and updated may counter some of the risk reduction tasks previously performed by the manufacturer.
- Reputation and relationships: The decision to transfer risk can impact the reputation and relationships of the parties involved. For example, if a company transfers risk to a third-party maintainer of the medical technologies that subsequently performs poorly, the company’s reputation may be damaged.
- Compliance and legal requirements: Any risk transfer should comply with relevant laws, regulations, and industry standards. Failure to comply with these requirements can expose the parties involved to additional legal and financial risks.
Overall, risk transfer is a complex process that requires careful consideration of the potential risks and rewards. By keeping these considerations in mind, businesses and organizations can make informed decisions about risk transfer that help protect their financial and reputational interests.
Phil Englert is the director of medical device security for Health-ISAC.
