Meeting EPCS Compliance for eRx Security With 2FA
As part of the push to digitize healthcare records, the U.S. federal government rolled out an incentive program years ago that may pay hospitals up to $2 million - provided they prove Meaningful Use of their electronic healthcare record (EHR) systems.
Meaningful Use Stage 3 Objectives
The latest Meaningful Use Stage 3 standards (PDF) (effective from 2015-2018) require that hospitals meet nine basic objectives, summarized here:
- Protect electronic health information with appropriate technical capabilities.
- Use clinical decision support to improve performance on high priority health conditions.
- Use computerized provider order entry (CPOE) for medication, lab and radiology orders directly entered by any licensed healthcare professional into medical records
- Generate and transmit permissible discharge prescriptions electronically (eRx).
- Provide a summary care record for patients transitioned to another care setting or provider
- Use clinically relevant information from certified electronic healthcare records technology (CEHRT) to identify and provide patients with patient-specific education resources
- The hospital who receives a patient from another setting of care or provider of care or believes an encounter is relevant performs medication reconciliation.
- Provide patients the ability to view online, download and transmit their health information within 36 hours of hospital discharge.
- Engage with a public health agency to submit electronic public health data from CEHRT, except where prohibited and in accordance with applicable law and practice.
Stage 2 of Meaningful Use requires that hospitals issue e-prescriptions, with more than 50 percent of all permissible prescriptions are transmitted electronically using an EHR. But Stage 3 requires more than 80 percent of all prescriptions to be transmitted electronically using a CEHRT.
Protecting E-Prescriptions With Two-Factor Authentication
E-prescriptions, also known as eRx, are often integrated with a hospital’s electronic healthcare records (EHR) software. They allow physicians to digitally sign prescriptions and send them electronically to pharmacies to fill for patients.
But they’re also regulated by the Drug Enforcement Administration (DEA), which outlines technical safeguards to ensure secure and valid eRx. The DEA requires that healthcare providers meet Electronic Prescriptions for Controlled Substances (EPCS) compliance, mandatory for conducting eRx with their EHR software.
Why? Because there are two main risks to eRx, including unauthorized prescribing and unauthorized access to sensitive information. To ensure that eRx is protect against either threat, the DEA requires the use of two-factor authentication (2FA).
Meeting EPCS Compliance With 2FA
To meet EPCS compliance, practitioners can authenticate using:
- Something they know, like a password, and
- Something they have, like a smartphone app or hard token
Other requirements include:
The app or token must also be stored separately from any computer used to sign the eRx - smartphones, USB tokens and key fobs meet this requirement.
EPCS 2FA solutions must also be FIPS 140-2 approved.
State-Specific Deadlines for eRx and ECPS Compliance
State laws vary, and if they’re more stringent than the DEA’s requirements for EPCS compliance, they will supersede the federal law. While eRx is legal in all states, only a few have made electronic prescribing of controlled substances a mandatory requirement:
New York
The requirement that all NY providers electronically prescribe all medications was delayed to March 27, 2016, giving providers more time to meet the mandate.
Minnesota
Minnesota law requires that:
Effective January 1, 2011, all providers, group purchasers, prescribers, and dispensers must establish, maintain, and use an electronic prescription drug program. This program must comply with the applicable standards in this section for transmitting, directly or through an intermediary, prescriptions and prescription-related information using electronic media (Minnesota statutes, section 62J.497; see Appendix B for the complete statutory language).
Using EPCS Certified EHR Vendors for eRx
Epic, an EHR vendor, is EPCS certified, meaning hospitals can use the software to digitally prescribe controlled substances.
And to meet requirements for secure identity verification and digital signing, hospitals must integrate two-factor authentication technology with their certified EHR software.
2FA App for EPCS Compliance
To help streamline workflow, Duo Authentication for Epic allows healthcare professionals to digitally sign prescriptions using a device they already carry: a phone. The user simply needs to tap a green button on their smartphone to securely log in or approve a sensitive transaction.
When choosing authentication solutions, choose one that provides:
- Low overhead operational costs, with easy self-enrollment or bulk user provisioning
- A cloud-based authentication solution that is automatically updated without any IT support or maintenance windows
- A solution managed by the provider, with biweekly updates that protect against the latest threats
- A solution that will easily scale with your organization as your infrastructure changes, or as your users and applications change
Learn more about different two-factor solutions in our Two-Factor Authentication Evaluation Guide and about healthcare security risks in Duo Security's Guide to Securing Patient Data.