One of the first realizations I had when I started researching risk management in eHealth is the need for a paradigm shift from what I call a "compliance mindset" to a "risk management mindset".
The compliance mindset says that if you follow all of the prescribed laws and standards, everything will be OK. The risk management mindset says that you need to understand the world around you, you need to understand your eHealth program, and you need to understand all of the risks that come with implementing that program in your environment. The risk management mindset then insists that you actually do something about those risks.
eHealth has been caught up in the compliance mindset, particularly with respect to privacy and security. Unfortunately, our legislators and standards setters have only tackled part of the risk picture for eHealth. We have privacy legislation in most jurisdictions, and standards for eHealth security are emerging, but many eHealth risks fall outside both.
The biggest gaps in my mind are around safety risks and the many project and business risks associated with eHealth.
I personally have never seen an eHealth project fail because of a privacy issue (though breaches have caused grief for eHealth managers and the unfortunate victims). I have, however, seen many eHealth initiatives fail because of project and business risks that were completely predictable, but invisible to those who operated in the compliance paradigm. Poor project management, business models that failed to address the needs of all stakeholders, poor understanding of the end-user environment, inadequate funding and poor procurement practices top my list of factors that have caused eHealth projects to fail.
The safety issue is the sleeper here. The only reason we haven't seen more safety issues is that we have only just begun to implement eHealth in the clinical environment. Early experience with CPOE (computerized physician order entry) suggests that, implemented well, CPOE can reduce medical errors. Implemented poorly, CPOE can kill. As eHealth rolls out, I believe we will see more and more serious safety issues. As yet there is no structured process for assessing safety risk in eHealth (although draft safety standards for health IT software are in development at ISO TC215/WG4). But even these standards will address only part of the safety issue.
Compliance with legislation and standards is a good thing. Legislators and standards setters are to be lauded for their efforts. But it isn't enough. If eHealth is to succeed, we need to tackle the full range of risk issues associated with health IT and with the human and business systems that surround it.