Duo Authentication for Epic

Duo integrates with Epic Hyperspace to add two-factor authentication to Epic Hyperspace e-Prescription workflows.

Overview

Duo Authentication for Epic is a client-side .NET component that provides two-factor authentication for Epic Hyperspace 2010 and later. It must be installed on all Epic workstations to provide complete protection. Duo Authentication for Epic requires .NET Framework 4, Windows Installer 4.0 or later, and the Epic Hyperspace client installed on the local system to function, none of which are included with the Duo Epic installer.

In Epic Hyperspace terms, Duo Authentication for Epic is a Direct authentication device capable of User authentication only. If configured as a Passive device or to authenticate Patient logons, the Duo device will report an error message and return a failure to Epic.

Duo Authentication for Epic does not support inline self-enrollment, as Duo Security is not a qualified credential service provider (CSP) or certificate authority (CA) for EPCS identity verification purposes. You'll need to enroll your users ahead of time using Active Directory synchronization or another method. Read the enrollment documentation to learn more.

One-time passcodes (OTP) are validated to meet FIPS 140-2 Level 1 per the table below. For the purpose of EPCS compliance, choose between available authentication methods (OTP, Duo Push, phone call, or hardware token) that meet your compliance team’s interpretation of the Federal EPCS Guidelines.

| OTP Method | Meets EPCS compliance for FIPS 140-2 Level 1? |
| --- | --- |
| Hardware Token | Verify compliance with your token vendor |
| Duo Mobile Passcodes (iOS 6+) | Yes |
| Duo Mobile Passcodes (Android) | Yes with Duo Mobile for Android 3.11.1 and later; specify a minimum Duo Mobile version with a Duo Mobile App policy |
| Duo Mobile Passcodes (Windows Phone) | Yes with Duo Mobile for Windows Phone 2.0 and later |
| Duo Mobile Passcodes (BlackBerry) | No - Disable BlackBerry use with an Operating System policy |
| SMS Passcodes | No - Disable SMS use with an Authentication Methods policy |

Note that FIPS support for Android requires additional configuration. Please contact Support.

Connectivity Requirements

This integration communicates with Duo's service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service's high availability.

If Duo Authentication for Epic is unable to contact the Duo Security cloud service, then Duo "fails closed" and reports the failure to Epic Hyperspace. The defined Epic application workflow determines the next action.

If you're delivering the Epic client via application virtualization (like Citrix XenApp or Microsoft Remote Desktop Services), you should install Duo Authentication for Epic at the application host — not the end-user workstation.

Prerequisites

Install .NET Framework 4 and Windows Installer 4.0 or later if not already present on the computer where the Epic client is installed.
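
A pre-install check for the requirements above, as an added example that is not part of Duo's documentation or installer: it confirms that .NET Framework 4 and Windows Installer 4.0 or later are present and that the host can open TCP port 443 to your API hostname, since an unreachable service makes Duo fail closed. The registry key and msi.dll version checks are standard Windows locations rather than anything this page specifies, and the function names are illustrative.

```powershell
# Added example (not Duo's code). Run on each Epic workstation or application host.
param(
    [Parameter(Mandatory = $true)]
    [string]$ApiHostname   # the API hostname from the Duo Admin Panel
)

function Test-DotNet4 {
    # Standard Windows location: Install = 1 once the .NET Framework 4 full profile is present.
    $key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $prop = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.Install -eq 1)
}

function Test-WindowsInstaller4 {
    # The Windows Installer version is the file version of msi.dll.
    $msi = Join-Path $env:SystemRoot 'System32\msi.dll'
    if (-not (Test-Path $msi)) { return $false }
    return ((Get-Item $msi).VersionInfo.FileMajorPart -ge 4)
}

function Test-Tcp443 {
    # Direct connection by hostname (not by IP, which may change); no proxy handling.
    param([string]$HostName, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, 443, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $client.Connected
    } catch {
        return $false   # DNS failure, refusal or reset
    } finally {
        $client.Close()
    }
}

$checks = @{
    'DotNet4'           = (Test-DotNet4)
    'WindowsInstaller4' = (Test-WindowsInstaller4)
    'DuoTcp443'         = (Test-Tcp443 -HostName $ApiHostname)
}
$checks.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-18} {1}' -f $_.Name, $(if ($_.Value) { 'OK' } else { 'FAILED' })
}
if ($checks.Values -contains $false) { exit 1 }
```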

First Steps

Check your Windows version before starting. This configuration works with Windows Vista and later client operating systems, and Windows 2008 and later server operating systems.

Then:

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate Epic Hyperspace in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)
  4. Download the Duo Authentication for Epic installer package.

Run the Installer

Run the Duo Authentication for Epic installer with administrative privileges on the system(s) where the Epic client is installed. Accept the license agreement and enter your integration key, secret key, and API hostname when prompted.

Configure Epic to use Duo Authentication

To configure Epic to use the Duo authentication device:

Create the Duo Authentication Device

  1. In Chronicles, access the Authentication Devices (E0G) master file and go to Enter Data > Create/Edit Device.
  2. Enter a name for the device, such as "Duo Security Authentication".
  3. Enter a new ID of 100000 or greater.
  4. On the General Settings screen, fill out the following fields:

    Description: Enter a description of the device, if desired.
    Platform: Enter 1-Desktop.
  5. On the Desktop Settings screen, enter DuoSecurity.EpicAuthenticationDevice in the ProgID field.

Verify or Create the Authentication Configuration Record

Ensure that there is an entry for Authentication Configuration Record in Chronicles by going to d^%ZeUSTBL > Hyperspace > Miscellaneous Security Settings. If no Authentication Configuration Record is defined, then create and define one.

  1. In Chronicles, go to d ^ee0a > Enter Data > Create Configuration.
  2. Enter a unique ID and name for your Authentication Configuration record.
  3. In the Config Type field enter Authentication Device Settings.
  4. Repeat step 2 but this time, enter the name of your Authentication Configuration record into the Authentication Configuration Record field.

Add Duo as the Secondary Authentication Device

  1. Open Hyperspace and go to Epic button > Admin > Access Management > Authentication Administration.
  2. Accept the active record, which should be the Authentication Configuration record verified or created in the previous step.
  3. Select the System level.
  4. Select the desired Context.
  5. Set the first authentication method you want users to be prompted with as the Primary Device. Typically this is the standard user name and password workflow "Default Login".
  6. Set the Duo Authentication Device you created earlier as the Secondary Device.
  7. Click Accept.
  8. Close Hyperspace and re-launch in order for the new configuration to take effect.

Verify or Create the Authentication Configuration Record

Ensure that there is an entry for Authentication Configuration Record in Chronicles by going to d^%ZeUSTBL > Hyperspace > Miscellaneous Security Settings. If no Authentication Configuration Record is defined, then create and define one.

  1. In Chronicles, go to d ^ee0a > Enter Data > Create Configuration.
  2. Enter a unique ID and name for your Authentication Configuration record.
  3. In the "Config Type" field enter Authentication Device Settings.
  4. Repeat step 2 but this time, enter the name of your Authentication Configuration record into the Authentication Configuration Record field.

Create the Duo Authentication Device

  1. In Hyperspace, go to Epic button > Admin > General Admin > Category List Maintenance.
  2. In the Category Editor set the following fields, then click Accept:

    Database: Service Configuration [E0A]
    Item: 700 (should be your Authentication Configuration Record).
  3. Click Generate ID.

  4. Choose and enter a Title and Abbreviation.
  5. Enter DuoSecurity.EpicAuthenticationDevice into the Login Device ProgID field.
  6. Click Save.
  7. Exit Category List Maintenance.

Add Duo as the Secondary Authentication Device

  1. In Hyperspace, go to Epic button > Admin > Access Management > Authentication Administration.
  2. Accept the active record, which should be the Authentication Configuration record verified or created in the previous step.
  3. Select the System level.
  4. Select the desired Context.
  5. Set the first authentication method you want users to be prompted with as the Primary Device. Typically this is the standard user name and password workflow "Default Login".
  6. Set the Duo Authentication Device you created earlier as the Secondary Device.
  7. Click Accept.
  8. Close Hyperspace and re-launch in order for the new configuration to take effect.

Contact Epic technical support for detailed instructions and more information about adding authentication devices.

Test Your Setup

To test your setup, log in to Epic Hyperspace and perform a test e-Prescription workflow. The Duo Prompt appears after you enter your Epic username and password. Upon approval of the Duo authentication request on your selected device, the Duo client passes the approval to Epic Hyperspace and the e-Prescription workflow resumes.

Note that the Duo Prompt shown by the Epic application does not support self-service enrollment or device management.

If you cancel either the Epic or Duo authentication prompts, you are taken back to the signing step of the e-Prescription workflow.

Advanced Configuration With Group Policy

Additional client-side configuration options for Duo may be configured via Active Directory Group Policy. To create and apply the Duo Authentication for Epic Group Policy Object (GPO):

  1. Download the Duo Authentication for Epic Group Policy template files and documentation.
  2. Extract the contents of the zip file and copy the files into your domain's Administrative Templates store.
    \\your.domain.local\sysvol\your.domain.local\Policies\PolicyDefinitions\DuoEpic.admx
    \\your.domain.local\sysvol\your.domain.local\Policies\PolicyDefinitions\en-us\DuoEpic.adml
  3. On your domain controller or another system with the Windows Remote Server Administration Tools installed, launch the Group Policy Management console (GPMC).
  4. Expand your forest and navigate down the tree to Group Policy Objects. Right-click the Group Policy Objects folder and click New. Enter a name for the new GPO (such as "Duo Epic Client") and click OK.
  5. Right-click the new GPO created in step 4 and click Edit. Navigate to Computer Configuration\Policies\Administrative Templates and expand Duo Authentication for Epic.
  6. Double-click a setting to configure it. When you've finished configuring settings, close the policy editor.
  7. Apply the new GPO for Epic to domain member workstations by linking the policy to the desired OU or container.
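
The template copy, GPO creation and OU link from the steps above, scripted with the GroupPolicy module that ships with the Remote Server Administration Tools, as an added example that is not part of Duo's documentation. The parameter names are illustrative and the script assumes the extracted zip holds a single DuoEpic.adml; the link is created disabled so that nothing applies until the settings have been configured in the policy editor.

```powershell
# Added example (not Duo's code). Run as a domain admin on a system with the RSAT tools.
param(
    [Parameter(Mandatory = $true)][string]$TemplateDir,  # folder the zip was extracted to
    [string]$Domain  = $env:USERDNSDOMAIN,               # assumes a domain-joined session
    [string]$GpoName = 'Duo Epic Client',
    [string]$TargetOu                                    # optional: distinguished name of the OU to link
)
Import-Module GroupPolicy

$store = "\\$Domain\sysvol\$Domain\Policies\PolicyDefinitions"
if (-not (Test-Path (Join-Path $store 'en-us'))) { throw "Central store not found at $store" }

# Locate the two template files wherever they sit inside the extracted folder.
$admx = Get-ChildItem -Path $TemplateDir -Recurse -Filter 'DuoEpic.admx' | Select-Object -First 1
$adml = Get-ChildItem -Path $TemplateDir -Recurse -Filter 'DuoEpic.adml' | Select-Object -First 1
if (-not $admx -or -not $adml) { throw "DuoEpic.admx or DuoEpic.adml not found under $TemplateDir" }

Copy-Item -Path $admx.FullName -Destination (Join-Path $store 'DuoEpic.admx')
Copy-Item -Path $adml.FullName -Destination (Join-Path $store 'en-us\DuoEpic.adml')

# Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Link disabled: enable it (Set-GPLink -LinkEnabled Yes) once the settings are configured.
if ($TargetOu) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled No | Out-Null
}
"GPO '$($gpo.DisplayName)' ready. Configure it under Computer Configuration\Policies\Administrative Templates."
```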

For additional information about using GPOs and administrative templates, please see Microsoft's Group Policy documentation collection.

Please contact Duo Support if you need to configure the Duo Authentication for Epic client settings without using Group Policy.

Troubleshooting

Need some help? Take a look at the Epic Frequently Asked Questions (FAQ) page or try searching our Epic Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

Epic Authentication Network Diagram

  1. Begin Epic Hyperspace e-Prescription workflow.
  2. Primary authentication.
  3. Duo Authentication for Epic connection established to Duo Security over TCP port 443.
  4. Secondary authentication via Duo Security’s service.
  5. Duo Authentication for Epic receives authentication response.
  6. Epic Hyperspace e-Prescription workflow continues.
