Securing E-Prescription Applications & Identity-Proofing
Physicians and healthcare systems have been turning to the use of EHR (electronic health records) systems to digitally collect and store patient health information, as well as e-prescribe (eRx) controlled substances, an effort incentivized by recent U.S. government legislation.
Reaching these standards has required government-mandated audits, stiff breach fines, and EHR incentive programs for healthcare professionals who demonstrate “meaningful use” of their electronic records systems. The meaningful use criteria were created to measure and increase adoption of EHR systems (a term sometimes used interchangeably with EMR systems).
For some eligible hospitals, incentive payments can add up to $2 million or more, according to HealthIT.gov, and eligible physicians can receive $63,000 or more. Meeting the meaningful use standards includes objectives for eRx, seen below.
Since 2008, the share of physicians e-prescribing via EHRs has grown from 7 percent to 70 percent, as reported in April 2014 in an ONC Data Brief, E-Prescribing Trends in the United States (PDF). eRx itself is not federally mandated, but state laws vary: New York, for example, has made e-prescribing mandatory effective March 27, 2015, according to the NY State Dept. of Health. This is part of its I-STOP (Internet System for Tracking Over-Prescribing) legislation, passed to curb prescription-drug misuse. The department offers an informative FAQ (PDF) for practitioners with questions about e-prescribing compliance.
With so many physicians e-prescribing, data security is a real concern, and the U.S. Drug Enforcement Administration (DEA) permits the e-prescribing of controlled substances only with specific safeguards in place.
Two-Factor Authentication for E-Prescriptions
In 2010, the DEA issued an Interim Final Rule (IFR) setting out the safeguards required for the electronic prescribing of controlled substances (EPCS). EHR applications and their providers must comply with it; within the industry this is often referred to as DEA EPCS compliance.
One of the rule's requirements is an audit of the EHR application to confirm that it meets DEA requirements; the application provider can hire a third party to perform it. Some of the larger compliant EHR providers include Epic and Cerner, and Surescripts, a health information network supporting eRx, maintains a list of certified software and vendors.
At the receiving end, only certified pharmacies may accept eRx for controlled substances; Surescripts provides a map of the percentage of pharmacies enabled for EPCS across the U.S.
Individual practitioners (such as physicians or nurses) must also meet security requirements, starting with identity proofing: verifying that the person being issued eRx credentials is who they claim to be, so that credentials cannot be obtained by unauthorized persons looking to abuse the privilege of e-prescribing.
In a Q&A on the rule as it relates to practitioners, the DEA explains the authentication technology it requires:
Q. Why is DEA requiring the use of two-factor authentication credentials?
A. Two-factor authentication (two of the following – something you know, something you have, something you are) protects the practitioner from misuse of his/her credential by insiders as well as protecting him/her from external threats because the practitioner can retain control of a biometric or hard token. Authentication based only on knowledge factors is easily subverted because they can be observed, guessed, or hacked and used without the practitioner’s knowledge.
Note that the rule's “something you have” need not be a dedicated hardware token: some modern two-factor authentication solutions let you use your smartphone as the second factor if you don't want to use biometrics or a hard token.
Find out more about other Authentication Methods.