Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006



Similar documents
Client Security Risk Assessment Questionnaire

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

CHIS, Inc. Privacy General Guidelines

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

E-Signature. The Pharmacy Perspective

Payment Card Industry Self-Assessment Questionnaire

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

IBX Business Network Platform Information Security Controls Document Classification [Public]

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

White Paper. BD Assurity Linc Software Security. Overview

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA Information Security Overview

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Network Security Guidelines. e-governance

Copyright Telerad Tech RADSpa. HIPAA Compliance

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

HIPAA Security Series

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

How Managed File Transfer Addresses HIPAA Requirements for ephi

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

HIPAA Compliance and Wireless Networks Cranite Systems, Inc. All Rights Reserved.

HIPAA Privacy & Security White Paper

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

HIPAA Compliance and Wireless Networks

Healthcare Compliance Solutions

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

H.I.P.A.A. Compliance Made Easy Products and Services

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

INFORMATION SECURITY PROGRAM

Supplier Information Security Addendum for GE Restricted Data

Connecticut Justice Information System Security Compliance Assessment Form

Cybersecurity Health Check At A Glance

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

Implementation Guide

GE Measurement & Control. Cyber Security for NEI 08-09

Did you know your security solution can help with PCI compliance too?

HIPAA Security Alert

Potential Security Vulnerabilities of a Wireless Network. Implementation in a Military Healthcare Environment. Jason Meyer. East Carolina University

Procedure Title: TennDent HIPAA Security Awareness and Training

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

LogMeIn HIPAA Considerations

HIPAA: In Plain English

FileCloud Security FAQ

General HIPAA Implementation FAQ

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Compliance Guide

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

Concept Series Paper on Electronic Prescribing

Retention & Destruction

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Payment Card Industry Data Security Standard

Decision on adequate information system management. (Official Gazette 37/2010)

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

CoSign for 21CFR Part 11 Compliance

Standard: Event Monitoring

The Comprehensive Guide to PCI Security Standards Compliance

enicq 5 System Administrator s Guide

How To Write A Health Care Security Rule For A University

Electronic Prescriptions for Controlled Substances (EPCS)

Montclair State University. HIPAA Security Policy

FINAL May Guideline on Security Systems for Safeguarding Customer Information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

ACCEPTING PAYMENT CARD ASSESSMENT Pre-Selection Questionnaire

FormFire Application and IT Security. White Paper

Passing PCI Compliance How to Address the Application Security Mandates

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

HIPAA, PHI and . How to Ensure your and Other ephi are HIPAA Compliant.

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

HIPAA Security Education. Updated May 2016

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA PRIVACY AND SECURITY AWARENESS

Data Management Policies. Sage ERP Online

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD

SonicWALL PCI 1.1 Implementation Guide

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

PCI DSS Requirements - Security Controls and Processes

Transcription:

Electronic Prescribing of Controlled Substances Technical Framework Panel Mark Gingrich, RxHub LLC July 11, 2006

RxHub Overview Founded 2001 as nationwide, universal electronic information exchange Encompass five of the largest pharmacy benefits managers (PBMs) CaremarkPCS, Express Scripts, Medco Health Solutions 160 million covered lives (and growing with addition of new participants ~80% commercial market) Pharmacare, Argus Additional 50 million covered lives Includes participation by point-of-care technology vendors, electronic medical record vendors, health plans, hospitals, and pharmacies Processing over 4.3 million transactions a month that correlate to a point-of-care patient visit 20.5 million incoming eligibility in 1H2006 (26.5M in 2005) 2.2 million med history summaries in 1H2006 (2.5M in 2005) 111 thousand electronic prescriptions in 1H2006 (33K in 2005)

Electronic Prescribing Security and esignature Infrastructure Certified Point of Prescriber / Practice Care Vendor Router Pharmacy (POC) Pharmacy #101 Desktop Tablet PC Secure POC Network POC Server with Firewall Secure Network Router Server with Firewall Secure Network Pharmacy Central Server with Firewall Secure Internal Pharmacy Network Pharmacy #102 Pharmacy #103 Clinic/Practice Central PC Pharmacy #104 PDA Pharmacy #105 -- Authentication: POC authenticates prescribers before assigning unique IDs to them (IDs are unknown to prescribers). -- Security: Authenticated prescribers are granted access to POC technology, where they login with unique usernames and passwords. -- Security: Prescribers send prescription data to POC server through POC s secure channel ( ). -- Prescribers sign contracts authorizing the POC to act as their authorized agent in sending erxs. -- Wireless technologies (e.g. tablet PCs and PDAs) contain their own security profiles to prevent unauthorized access or interception ( ). -- Authentication: POC and Router verify each other s static IP addresses, IDs and passwords before opening secure channel for transporting an erx. -- Security: Prescriber initiates erx being sent from the POC server to the Router server through the Router s https secure channel ( ). -- Security: Use of PHI (protected health information) must be in accordance with HIPAA standards for the purpose of treatment, payment or healthcare operations. -- Authentication: Router verifies the IP addresses, IDs and passwords of each participant (POC and Pharmacy) before opening secure communication channels. -- Security: Router adheres to security policies which are consistent with HIPAA security guidelines. -- Security: Router performs internal assessments using security scanning tools for network and system security. -- Security: Router maintains only enough information to allow for routing, auditing and support. -- Security: Router may not view or modify erxs, except when translating from one messenging standard to another (e.g. HL7 to NCPDP). -- Authentication: Pharmacy and Router verify each other s IP addresses, IDs, and passwords before opening a secure channel ( ) for transporting erxs. -- Authentication: Pharmacy stores a crossreference table containing DEAs and their unique IDs (assigned by POCs). -- Audit Trail: Pharmacists may contact a POC or prescriber at any time to verify the authenticity of an erx. -- Audit Trail: POC, Router and Pharmacy maintain transaction logs that may be used for auditing purposes. -- Authentication: Pharmacy (Central Server) and each Pharmacy site verify each other s IP addresses, IDs, and passwords before opening a secure channel ( ) for transporting erxs. 11/16/2004 11/22/2004

Requirement Administrative Safeguards Physical Safeguards Security: What does HIPAA require of a Covered Entity to achieve Security of Protected Health Information Description prevent, detect, document, contain and correct security violations; determine appropriate, limited access to be given to identified individuals; ensure workforce training regarding security policies; provide planned response to threatening occurrences (natural disasters, vandalism, etc.); implement periodic technical testing and evaluations. Appropriately limit physical access to electronic information systems, hardware, software and facilities in which they are housed against unauthorized access. erx Technical Safeguards Organizational Safeguards Implement unique names/numbers to track access; emergency access procedures; audit controls that record and examine system access and activity; protection against improper alteration/destruction; procedures to authenticate user access; measures to protect information being transmitted against unauthorized access or modification without detection. Note: Current industry standard is SSL ( channel encryption ); encryption of data during transmission is addressable, not required. Enter into Business Associate contracts with all applicable entities obligating them to comply with similar requirements. Documentation Requirements Document policies and procedures applicable to the foregoing, including actions taken and assessments made; such documents must be retained for six (6) years, appropriately made available, and reviewed periodically for updates/revisions.

RxHub Practices Point Of Care (POC) user authentication and authorization contractually required IP Address verification sender and receiver Participant ID and password verification Secure encrypted channel Transaction audit Date/time, sender, receiver, control numbers Meets HIPAA requirements for PHI Prescriber and pharmacy are identified in the transaction based on the SCRIPT standard Provider directory physician IDs, NCPDP ID, name, address, phone Industry accepted security controls/processes implemented RxHub only opens SCRIPT payload for version translation Validates payload Routing only for transactions on same version of NCPDP standard Future: translation from HL7 to NCPDP SCRIPT Note: As secure (if not more) than paper or fax prescriptions

The RxHub Security Architecture Firewall rules restrict access of these devices to a specific set of participant IP addresses. All traffic into this environment must be SSL encrypted (HTTPS), also enforced by the firewall. Authentication of the particpant system user must be performed by the particpant system. Per ANSI, NCPDP and HL7 transaction standards, Authorization is validated by username/ password contained within the transaction data stream. Participant passwords stored by RxHub are MD5 Hash encrypted before storing in the database. Password authentication occurs during transaction processing by hashing the password and comparing the encrypted value to that stored in the database. Additional RxHub business logic enforces contracted business relationships between Participant and RxHub, among Participants, and to participant data. Workstation Participant Host System Internet Private Virtual Connection Server Server Server Frame Relay Cloud Firewalls do not allow network traffic directly between participant systems. Private Virtual Connection Private Virtual Connection Private Virtual Connection HTTP traffic is SSL encrypted. Per ANSI, NCPDP and HL7 transaction standards, Authorization is valided by the username /password contained within the transaction data stream. PBM Host Systems

RxHub Security Summary Based on the Information Security Forum s Standard of Good Practice Annual risk assessments & staff security training Use of Intrusion Detection System Minimal access Firewall policy Password Policy & automatic screen lock Use of SSL and digital certificates for data in transit Daily encrypted backups performed, secure offsite rotation Hardened Operating Systems Data Retention Policy minimum data required to complete transactions data expired/de-identified as appropriate Appropriate Use policy for phone, fax, email, computers, internet Use of anti-spam & antivirus software at PC and email server Automated application of Microsoft patches (Win XP, SP2) Use of secure document disposal service Established Change Management and Problem Management Processes

Electronic Prescribing Issues Today some state regulations are inconsistent or unclear Prescriptions can be written in a different state than the pharmacy that fills the prescription State regulations don t always consider electronic prescribing and in some cases prohibit electronic prescribing Pharmacists unsure of how to determine authenticity of an electronic prescription Pharmacists may call prescriber to verify Pharmacist may print and fax the prescription to prescriber for signature The definition of electronic signature is not clear

Recommendation Current standards and best practices provide the necessary processes and protections to support electronic prescribing of both controlled and noncontrolled substances. Security systems and procedures POC user authentication and authorization Unique user ID s and passwords Unique participant ID s and passwords Secure encrypted channels for communications IP address verification Transaction audits Allow translation between standards and versions

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information