Electronic Prescribing of Controlled Substances: Establishing a Secure, Auditable Chain of Trust



Similar documents
A Planning Guide for Electronic Prescriptions for Controlled Substances (EPCS)

SAML for EPCS (Electronic Prescription of Controlled Substances)

VASCO: Compliant Digital Identity Protection for Healthcare

How to Optimize Epic Clinical Workflows with Imprivata

BEYOND IDENTITY PROOFING: How EHRs Can Become More Than Just Vendors

20 Practical Tips on Single Sign-On and Strong Authentication from Healthcare IT Professionals

DEA's New Proposed Regulations For E-Prescribing

California State Board of Pharmacy and Medical Board of California

E-Prescribing of Controlled Substances (EPCS) New York State Board for Podiatry

Electronic Prescribing In New York State

Electronic Prescribing of Controlled Substances

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

Provide access control with innovative solutions from IBM.

Healthcare Information Security Today

Enabling Fast and Secure Clinician Workflows with One-Touch Desktop Roaming W H I T E P A P E R

Electronic Prescriptions for Controlled Substances (EPCS)

Top 5 Reasons to Choose User-Friendly Strong Authentication

Strengthen security with intelligent identity and access management

May 21, Docket No. DEA-218. Dear Drug Enforcement Administration;

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

Boost Healthcare Security and Patient Care with Imprivata Enhanced VDI

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

esign Online Digital Signature Service

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Establishing A Multi-Factor Authentication Solution. Report to the Joint Legislative Oversight Committee on Information Technology

McKesson Practice Choice TM Electronic Prescribing of Controlled Substances (EPCS) Frequently Asked Questions

etoken Single Sign-On 3.0

User Authentication Guidance for IT Systems

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

A brief on Two-Factor Authentication

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Single Sign-On. Security and comfort can be friend. Arnd Langguth. September, 2006

5 Day Imprivata Certification Course Agenda

Strong Authentication for Healthcare

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

IDaaS: Managed Credentials for Local & State Emergency Responders

Innovations in Digital Signature. Rethinking Digital Signatures

E-Signature. The Pharmacy Perspective

How To Control A Record System

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

Identity: The Key to the Future of Healthcare

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES

White Paper 2 Factor + 2 Way Authentication to Criminal Justice Information Services. Table of Contents. 1. Two Factor and CJIS

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

White paper December IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview

Multi-Factor Authentication of Online Transactions

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

Managed Portable Security Devices

FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES

HIPAA Security Matrix

Authentication Levels. White Paper April 23, 2014

Strong Identity Authentication for First Responders

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Business-Driven, Compliant Identity Management

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

EPCS FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES. Revised: January 2016

TECHNOLOGY PARTNER CERTIFICATION BENEFITS AND PROCESS

STRONGER AUTHENTICATION for CA SiteMinder

Re: Docket No. DEA-218, Electronic Prescriptions for Controlled Substances

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Why Use Electronic Transactions Instead of Paper? Electronic Signatures, Identity Credentialing, Digital Timestamps and Content Authentication

WHITE PAPER Usher Mobile Identity Platform

Protect Your Customers and Brands with Multichannel Two-Factor Authentication

The CIO s Guide to HIPAA Compliant Text Messaging

Chapter 1, OneSign Authentication Methods Chapter 2, Two-Factor Authentication in OneSign Chapter 3, Emergency Access Privileges

Using Entrust certificates with VPN

LogMeIn HIPAA Considerations

InfoGard Healthcare Services InfoGard Laboratories Inc.

You Can Survive a PCI-DSS Assessment

solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?

CoSign for 21CFR Part 11 Compliance

Did you know your security solution can help with PCI compliance too?

The Convergence of IT Security and Physical Access Control

Information Security Basic Concepts

Virtual desktops in hospitals: streamlining clinical workflows

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

White Paper. BD Assurity Linc Software Security. Overview

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

IBM Security Privileged Identity Manager helps prevent insider threats

Transcription:

Electronic Prescribing of Controlled Substances: Establishing a Secure, Auditable Chain of Trust Imprivata Confirm ID and the DEA Interim Final Rule on EPCS

Technology requirements to comply with the DEA criteria for EPCS include: A method for identity proofing prescribers. The ability to assign different access levels to prescribers. Two-factor authentication for prescription signing that includes two of the following modalities: something you have, something you are, or something you know. Controls on prescriptions to prevent signed orders from being changed or allowing duplicate orders to be filled. Ongoing audit trail for all activities from identity proofing to prescription signing. Auditing and reporting for all discrepancies (such as unauthorized access attempts). The DEA Interim Final Rule (IFR) allowing electronic prescribing of controlled substances (EPCS) is designed to help healthcare organizations ensure that a provider is legally authorized to prescribe controlled substances. It stipulates thorough authentication credentialing to ensure that only verified providers can order electronic prescriptions. Imprivata Confirm ID helps organizations meet these requirements by establishing a secure, auditable chain of trust for the entire EPCS process. Imprivata Confirm ID streamlines provider identity proofing, supports supervised enrollment, and offers two-factor authentication for prescription signing. Imprivata Confirm ID meets regulatory requirements and gives care providers a fast, secure, and easy-to-use solution for prescribing controlled substances electronically. This paper describes how Imprivata Confirm ID addresses several DEA requirements for EPCS. Full compliance requires a combination of processes and technologies beyond the scope of this paper, however. For a more detailed discussion on the practices, see A Quick Guide to EPCS. How Imprivata Confirm ID Creates a Secure, Auditable Chain of Trust The DEA IFR contains a number of requirements designed to track and audit the connection between practitioners and the signatures they use to order electronic prescriptions for controlled substances. Imprivata Confirm ID helps secure, audit, and verify this end-to-end process, starting with identity proofing and extending to the act of signing prescriptions. Figure 1 shows the end-to-end EPCS process and the aspects addressed by Imprivata Confirm ID. Figure 1: Imprivata Confirm ID helps organizations meet several key DEA requirements for EPCS

Imprivata Confirm ID supports each phase of this process through a combination of processes and technologies, including: Streamlined identify proofing (institutional and individual) Supervised enrollment of authorized prescribers FIPS-compliant biometric fingerprint readers and tokens that meet two-factor authentication requirements for e-prescription signing Comprehensive auditing and retention of permissions and authorized two-factor authentication credentials Complete audit reports Integration with all leading EMR systems and e-prescribing applications Imprivata Confirm ID provides dedicated signing workflows for the approval process and audits all approval process events. Identity Proofing To enable EPCS, the DEA IFR requires confirmation of the identity of all providers authorized to prescribe controlled substances. The rule allows two types of identity proofing: institutional (hospitals can identity proof providers internally) or individual (providers can use a third-party credential service provider). For institutions, Imprivata Confirm ID streamlines the identity-proofing process by enabling administrators to easily assign specific roles and responsibilities for identity proofing and retaining records for audit and reporting purposes. For individual practitioners, Imprivata Confirm ID integrates with GSAapproved third-party credential service providers to satisfy the DEA identityproofing requirements for EPCS. Access Control After identity proofing, hospitals and institutions must give practitioners appropriate access controls for e-prescribing systems, as well as two-factor authentication credentials (described in the next section). For DEA compliance, at least two separate individuals must be involved in approving or changing access controls for individual providers. Imprivata Confirm ID provides dedicated signing workflows for the approval process and audits all approval process events. For individual practices and non-institutional registrants, the individual who receives the identity proofing and credentials from a GSA-approved thirdparty credential service provider uses those credentials to set access controls for other members of the practice.

Imprivata Confirm ID helps hospitals and practices link the physical identity of authorized prescribers to their electronic prescriptions for controlled substances. Supervised Enrollment Imprivata Confirm ID streamlines the process of enrolling credentials for providers once they have been sufficiently identity-proofed. This includes enrolling their credentials to align with the two-factor authentication modalities they are permitted to use for EPCS. Administrators can assign individuals responsible for supervised enrollment, separating them from individuals in charge of identity proofing (as mandated by the DEA interim final rule). Because this process is also automated, administrators can provide a complete audit trail to demonstrate compliance. Two-Factor Authentication The DEA EPCS requirements mandate that two of the following approved authentication modalities be used when signing a prescription: Something the prescriber knows (such as a password or knowledge question) Something the prescriber has (such as a token or phone) Something the prescriber is (a biometric, such as a fingerprint scan) Imprivata Confirm ID supports the two-factor authentication modalities allowed by the DEA for EPCS, giving organizations the flexibility to select the two-factor authentication option that best fits provider workflow requirements based on how, when, and where EPCS will take place. Supported modalities include: One-Time Password Tokens Imprivata Confirm ID offers the option of using tokens that generate one-time passwords (OTPs). Imprivata Confirm ID provides out of the box support for FIPS 140-2 compliant OTPs. With this approach, a physician carries a small hardware device that generates a one-time password as a second authentication factor, functioning as the something the prescriber has modality. Biometric Authentication The DEA IFR mandates that the biometrics used for EPCS must meet FIPS-201 Personal Identity Verification (PIV) requirements and have a false match rate of less than 1 in 1,000. Imprivata Confirm ID offers a fingerprint biometric authentication that meets FIPS-201 requirements. Imprivata uses HTTPS between the client device and the server to secure biometric data in transit between authorized systems. All biometric data is transmitted using symmetric encryption and secured on the server using AES encryption. Further, templates are sent to the Imprivata Confirm ID server within the context of a proprietary session. The server maintains session state, and only accepts the template for authentication once per session. This design protects EPCS systems from replay attacks that capture data and attempt to use it later.

Audit and Reporting Imprivata Confirm ID offers detailed reporting capabilities to establish a secure, auditable chain of trust for the entire EPCS process. Imprivata Confirm ID helps organizations demonstrate and prove compliance with DEA and state-level EPCS requirements by delivering comprehensive reports that document the identity proofing, supervised enrollment, and prescription signing processes, including unauthorized access attempts and other potential discrepancies. Imprivata Confirm ID also stores audit records for at least two years to meet DEA specifications, but this timeframe can be configured for longer record keeping periods, in accordance with individual state requirements. Summary Imprivata Confirm ID is a fast, secure solution that creates an auditable chain of trust for the entire EPCS process. Imprivata Confirm ID helps hospitals and practices link the physical identity of authorized prescribers to their electronic prescriptions for controlled substances. It streamlines provider identityproofing, enables supervised enrollment, and enforces two-factor authentication requirements for prescription signing while maintaining a comprehensive audit trail throughout the entire EPCS process. Imprivata Confirm ID streamlines the process of enrolling credentials for providers once they have been sufficiently identity-proofed. For more information, visit www.imprivata.com/epcs.

About Imprivata Imprivata is a leading provider of authentication and access management solutions for the healthcare industry. Imprivata s single sign-on, authentication management and secure communications solutions enable fast, secure and more efficient access to healthcare information technology systems to address multiple security challenges and improve provider productivity for better focus on patient care. Over 2 million care providers in more than 1,000 healthcare organizations worldwide rely on Imprivata solutions. Imprivata is the category leader in the 2012 and 2013 Best in KLAS Software & Services Report for SSO, and SSO market share leader according to HIMSS Analytics. For further information please contact us at: 1 781 674 2700 or visit us online at www.imprivata.com Offices in: Lexington, MA USA Santa Cruz, CA USA Uxbridge, UK Paris, France Nuremberg, Germany Den Haag, Netherlands Copyright 2014 Imprivata, Inc. All rights reserved. Imprivata and OneSign are registered trademarks of Imprivata, Inc. in the U.S. and other countries. All other trademarks are the property of their respective owners. WP-Confirm-ID-V1-1214

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information