Why do so many eHealth projects fail or fizzle out? Is it because too big a risk was taken? Or is it the opposite? Is it because we don’t take enough risks? In my experience the biggest failures and the most mediocre successes were the result of playing it safe to the point of failure.
I had a boss who said that "perfection is the enemy of the good". When we strive for perfection in information systems we often become paralyzed. This is particularly acute in government-sponsored initiatives where any flaw can become a political hot potato. In an environment where mistakes are not permitted, a system cannot go live until perfection is achieved… which is never.
I have seen project managers overcome by fear and trepidation concerning privacy and security when in reality the risks were very low. Costs were escalated and implementations delayed because of the perceived need to address every possible risk, no matter how remote.
This is not to minimize privacy or security risks. These are important issues that must be addressed. They must also be balanced against the risk of not proceeding with a critical information system. Are we going to delay implementation of a potentially life-saving system because privacy or security risks exist? Maybe... but maybe not. That's the kind of risk decision CIOs and other health system managers must make all the time.
Hence the need for risk management. Risk management doesn’t mean that there are no risks. It means managing real risks that are there and aren’t going away. We must do what we can to minimize risk, but at the end of the day we must also ensure that we deliver on our primary mandate, which is to deliver effective health care.