UCHealth’s mission is to improve lives: in big ways through learning, healing and discovery, and in small personal ways through human connection. UCHealth measures success by patient health outcome and satisfaction. Along these lines, one major area that needed improvement was how patients are prescribed and receive their medications. UCHealth explored the benefits of moving from paper prescriptions to electronic prescriptions. The cost and management of paper prescriptions was high – tamper-resistant paper used for prescriptions, for example, costs up to $1 per sheet. In addition, there was a high cost burden to secure and manage tamper-resistant paper. The paper had to be put inside locked drawers. Other costs include mailing, printing, duplicate prescriptions (if lost) and crossover (if doctors were not in the office, another doctor had to write the prescription). It was estimated that mailing and printing alone cost one of UCHealth’s clinics $10,000 to $15,000 per month.
Even though the benefits of electronic prescriptions outweigh those of paper prescriptions, UCHealth had to consider the impact of the Electronic Prescription of Controlled Substances (EPCS) regulation. One EPCS requirement is that organizations must use a multi-factor authentication (MFA) solution to prescribe controlled medications. UCHealth tested several solutions. They quickly eliminated key fob-based solutions because they were not convenient to use for clinicians. They considered a fingerprint-based solution, but the overall cost was too high. At UCHealth, clinicians are mobile and not bound to a workstation. They can be in the emergency department, in their office, at a local clinic or at home. Investing in 4,000-plus fingerprint devices (one for each possible workstation that a clinician could work at), and the additional cost to manage and deploy them wasn’t feasible.
UCHealth deployed Duo Access for their Epic application, which they use to approve e-prescriptions of controlled substances. UCHealth found Duo’s push-based authentication for prescription approval was easiest to use compared to any other authentication solutions they had tested. Previously, clinicians could only issue prescriptions during work hours from the hospital or clinic. Without access to tamper-proof paper, patients couldn’t get a refill during nights or weekends. Patients had to either wait until the doctor was back in the office or their doctor had to request another colleague to sign-off on the prescriptions. In both scenarios patients had a poor experience, since their wait time was several hours to days.
With Duo, clinicians could approve prescriptions from anywhere, improving the patient experience. UCHealth’s Dr. CT Lin said, “our clinicians loved the simplicity of Duo Push to their phone or smartwatch to authenticate.”
Before they started rolling out Duo, UCHealth also had to meet the ID proofing requirements laid out in EPCS. The process was a little easier after deploying an Electronic Health Record (EHR) application since they had already checked the identity of and documented every clinician on staff that was granted access to the EHR. For address verification, they created an internal portal where clinicians can input their mobile number and Epic credentials, and this information is verified against the information in their database.
UCHealth started with a small group of pilot users to gather feedback. After a successful pilot phase, they opened enrollment for all users. Within weeks, thousands of users enrolled to use Duo to approve e-prescriptions. The enrollment was fast, partly because user feedback was positive. In fact, Duo’s success elevated users’ expectations for other IT projects. They expect more user friendly products such as Duo.
After the success of EPCS project, UCHealth is looking to expand Duo to other use cases, such as secure access to VPN to prevent attackers from remotely accessing internal resources. Another driver to expand the usage of Duo is to satisfy partner requirements. Some organizations, Anthem, for example, will only partner with organizations that are secured and protected with MFA.