Wednesday, January 31, 2007

E-Health and Risk Management

Brendan, I appreciate you inviting me to respond to some of your comments.

It seems that many e-Health projects have had difficulty in delivering effectively. The three largest problems usually are being over-budget, not meeting appropriate deadlines and not meeting needed requirements. I wholeheartedly believe, being a risk management practitioner and having seen the value of risk management, that it could be a powerful tool in reducing the likelihood of delivery challenges.

I think there are two main obstacles in terms of managing risk in e-Health. One is actually doing the risk management. The other is doing it well. To me, the second obstacle is the greater challenge.

Other sectors (financial, energy, technology, government) have seen the value of risk management. They have risk management programs in place. Their projects keenly include risk management as part of overall implementation. But they have run into critical barriers in ensuring that their risks are managed in meaningful way.

If the e-Health establishment really wants to look closely at effective management of risk, it should look at some of the lessons learned from other sectors. This could prevent us from going through the same growing pains that other sectors have gone through.

Thursday, January 25, 2007

Risk Assessment for eHealth Projects

The University of Manchester has developed an interesting tool for assessing the risk of failure for eHealth projects. Its worth a close look.

Wednesday, January 24, 2007

eHealth Safety Risks

While eHealth is often promoted as a tool to reduce health care risk, particularly with regard to medical error, little is known or understood about the risks that eHealth poses itself for patient and health care provider safety. By safety risk we mean the risk of physical or mental harm to patients and health care providers, including death.

Its not surprising that there is relatively little empirical information on the subject… eHealth itself is in its infancy and quite frankly, few if any people are tracking eHealth safety incidents. The odd incident is occasionally reported in the press such as a lab system failure in Calgary. One would expect some number of errors caused as a result of systems problems, but at the moment we’re not hearing about them.

That being said, it behooves us to address the question of eHealth safety before it becomes a significant issue. It seems that there are at least 3 areas where eHealth safety problems can originate:

Security issues – are the most likely sources of eHealth safety problems. Security concerns itself with the confidentiality, integrity and availability of information. Confidentiality concerns are not likely to give rise to safety issues (except in very rare circumstances, such as releasing the identities of doctors who perform abortions making them vulnerable to personal physical attack). Integrity and availability issues will certainly impact patient and health provider safety, particularly as we become more dependent on telemedicine services and electronic health records. Consider what could happen to a patient if a denial of service attack brought down an ehealth portal that provided access to critical health information systems, or if a virus corrupted or destroyed health data.

Quality of Product Issues – where software and hardware products fail to provide essential information when required, or deliver corrupted data. Software glitches are an example such as when a lab system fails to deliver accurate test results.

Human factors issues – where the human/ information system interface fails such as confusing user interfaces or overly complex procedures that promote error or fail to catch common user errors (e.g. input procedures that make it easy to enter the wrong data or displays that make it easy to misinterpret data).

There may well be others factors that give rise to safety issues. We need to identify such factors, understand them and then act to ensure that the systems we are putting in place to help people are not harming them.

Monday, January 22, 2007

Why do EMR Implementations Fail?

Dr. Karim Keshavjee has written a brief article in Technology for Doctors addressing the reasons why half of all EMR implementations fail. Its worth a read.

Perfection is the Enemy of the Good

Why do so many eHealth projects fail or fizzle out? Is it because too big a risk was taken? Or is it the opposite? Is it because we don’t take enough risks? In my experience the biggest failures and the most mediocre successes were the result of playing it safe to the point of failure.

I had a boss who said that "perfection is the enemy of the good". When we strive for perfection in information systems we often become paralyzed. This is particularly acute in government-sponsored initiatives where any flaw can become a political hot potato. In an environment where mistakes are not permitted, a system cannot go live until perfection is achieved… which is never.

I have seen project managers overcome by fear and trepidation concerning privacy and security when in reality the risks were very low. Costs were escalated and implementations delayed because of the perceived need to address every possible risk, no matter how remote.

This is not to minimize privacy or security risks. These are important issues that must be addressed. They must also be balanced against the risk of not proceeding with a critical information system. Are we going to delay implementation of a potentially life-saving system because privacy or security risks exist? Maybe.... but maybe not. That's the kind of risk decision CIO's and other health system managers must make all the time.

Hence the need for risk management. Risk Management doesn’t mean that there are no risks. It means managing real risks that are there and aren’t going away. We must do what we can to minimize risk, but at the end of the day we must also ensure that we deliver on our primary mandate, which is to deliver effective health care.

Sunday, January 21, 2007

Identity Theft

Check out this article from BusinessWeek Online titled Diagnosis: Identity Theft. Identity theft is obviously no stranger to eHealth.

eHealth Risks

What do we have to worry about in eHealth? I suggest that there are five major areas of risk that must be managed.
1. Privacy Risks - the unauthorized collection, use and disclosure of personal health information
2. Security Risks - breaches of confidentiality, integrity and availability of personal health information and/or critical health information systems
3. Safety Risks - physical or mental harm to patients and health care providers (including death)
4. Project Risks - cost overruns, scope creep, unacceptable delays or failure to deliver eHealth sytems
5. Business Risks - loss of reputation, liability, refusal of user community to accept new systems (e.g. physicians). Also includes financial, human resource and technology risks.
All of these areas of risk are fair game for discussion on this blog.

Some Terms Defined

Just so we’re all speaking the same language, let me suggest definitions for some terms:
Risk – the function of the likelihood that some event, positive or negative, may occur combined with the impact that would be felt if the event actually did occur.
Health – a state of complete physical, mental and social well being and not merely the absence of disease or infirmity [WHO definition]
eHealth – the application of information and telecommunications technologies to the delivery of health care.
eHealth Risk – the function of the likelihood that some event, positive or negative, may occur during the application of information and telecommunications technologies to the delivery of health care, combined with the impact that would be felt by patients, health care providers or healthcare organizations if the event actually did occur.

Risk is a Good Thing!

Let me start this blog by stating the risk is a good thing. With risk comes reward. Without risk we wouldn’t drive our cars, fly in airplanes or undergo lifesaving medical procedures. In order to enjoy the benefits of science and technology we have to acknowledge that there are risks. Sometimes things go wrong. Sometimes science and technology are unable to solve our problems.

But we’re not reckless either. We manage our risks. We obey the rules of the road. We submit to airport security checks. We give consent to risky medical procedures. We behave in a way that reduces the risk to a level acceptable to us personally and to our community.

With this as the premise, that risk is a good thing, lets turn our attentions to addressing the issues of risk in eHealth and figure out ways to manage the risks so that we can all benefit from the explosion in information services that promises to transform our health care systems.

Saturday, January 20, 2007

Launching eHealthRisk.com

I have just launched a new website... eHealthRisk.com and a new blog... eHealthRisk.blogspot.com. The goal of the site and the blog is to promote risk management in the eHealth domain.

Lets work together to bring some sense into the eHealth space.