Tuesday, July 10, 2007

Critical Reading

The most important factor when assessing risk is the availability of complete, accurate and current information. You can’t reliably predict risk outcomes without the all of the facts, or at least as many facts as are available at the time. Where do we find accurate and reliable information about eHealth?

The simple answer is nowhere. Everything you read or hear about anything, be it geopolitics, global warming or eHealth comes from a biased perspective that must be taken with a grain (or a whole shaker) of salt.

I remember when I first lost faith in the mass media as a source of reliable information. It was in December 2001 when I was Chief Privacy and Security Officer at the Ontario Smart Systems for Health Agency (SSHA), a branch of the Ministry of Health at the time. Canada’s national newspaper, the Globe and Mail, broke a story about an SSHA system that had gone live the month before. From the front page the nation learned about security weaknesses and inappropriate behavior by the Agency and its personnel.

Problem was, none of it was true. The reporter had fashioned a scathing article out of a few disparate documents leaked to him by a disgruntled employee. This was my first experience where I actually knew all of the relevant facts of the case and could compare it to what I saw in the media, and the media got it all wrong. To finish this story, the Information and Privacy Commissioner for Ontario conducted a comprehensive investigation that exonerated SSHA. The Globe printed a brief article acknowledging the Commissioner’s report, but buried it deep inside the paper and never repudiated its allegations.

Today, as I scan the net each morning looking for news and resources for the blog, I maintain a skeptical eye. I read, but put little stock in the mass media. They are out for headlines and sales. The mass media dwells on the negative, jumping on an event such as a security breach when it first occurs, quickly losing interest and rarely reporting on the final outcomes of any investigation that may come months later.

Trade magazines are a little better, though while the mass media dwells on the negative, trade journals (paper and online) tend to overstate the positive. With the organizational Chiefs (CEOs, CIOs, CFOs, etc.) as their audience and IT vendors footing the bill through advertising, they are less inclined to report when things go really bad. They don’t want to bite the hand that feeds them.

Blogs are an interesting new source of information, but they are inherently biased. Usually authored by one person, or a group of like-minded people, blogs offer opinion. Facts are filtered to support the blogger’s point of view. In many cases, mine included, blogs are maintained by consultants and companies who want to show you how clever they are in the hope that you will hire them. Treat blogs (including this one) as you would a movie or theatre critic. Find one that represents your point of view, but don’t expect pure truth.

A number of reports and publications are published by organizations mandated to deliver eHealth as a function of public policy (in Canada this includes Canada Health Infoway, the Smart Systems for Health Agency and Ministries of Health). Every country has its proponent organizations. At the international level groups like the WHO and the EU promote eHealth aggressively. You never hear bad news stories from these sources. There is often a blurring of objective fact and marketing hype in these publications which can be useful, but need to be understood in their context of promoting public (i.e. political) policy.

The most reliable sources of information (in this blogger’s biased point of view) are respectable peer-reviewed journals published by professional organizations. Reports by respected public authorities such as government auditing agencies (e.g. the Auditor General in Canada), privacy commissioners and standards producing bodies (e.g. ISO, CSA, ANSI, CEN) can be generally relied upon. But even these documents are products of a point-in-time view of available facts and must be read with that in mind. Their findings can become irrelevant as circumstances change over time.

You can’t ignore any source of information as you try to assess risk in eHealth. Even the mass media teaches you how the mass media is likely to respond if you or your organization is the subject of a security breach or patient safety incident. The key is to read critically and to try to keep it real.

No comments: