Monday, March 29, 2010

E-Prescribing Controlled Substances

Last week, the Drug Enforcement Administration released its long-awaited Interim Final Rule on e-Prescribing of Controlled Substances.

It's 334 pages long, but the most important portion is section § 1311.115, which describes the need for two-factor authentication when prescribing controlled substances. Here's the detail:

(a) To sign a controlled substance prescription, the electronic prescription application must require the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:
(1) Something only the practitioner knows, such as a password or response to a challenge question.
(2) Something the practitioner is, biometric data such as a fingerprint or iris scan.
(3) Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.
(b) If one factor is a hard token, it must be separate from the computer to which it is gaining access and must meet at least the criteria of FIPS 140-2 Security Level 1, as incorporated by reference in § 1311.08, for cryptographic modules or one-time-password devices.
(c) If one factor is a biometric, the biometric subsystem must comply with the requirements of § 1311.116.
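The rule quoted above can be expressed as a policy check that an application runs before it accepts a signature. The following is an added example, not code from the DEA rule or from any vendor named in this post; the `Factor` model, its field names and the sample credentials are hypothetical, and the compliance flags are assumed to be set by whatever component verified each credential.

```python
from dataclasses import dataclass
from enum import Enum

class Category(Enum):
    KNOWLEDGE = "knows"     # (a)(1) password, challenge response
    BIOMETRIC = "is"        # (a)(2) fingerprint, iris scan
    HARD_TOKEN = "has"      # (a)(3) device separate from the computer

@dataclass(frozen=True)
class Factor:
    """One verified credential presented at signing time (hypothetical model)."""
    category: Category
    separate_from_computer: bool = False  # (b) token is not the workstation itself
    fips_140_2_level: int = 0             # (b) validated level, 0 = none
    meets_1311_116: bool = False          # (c) biometric subsystem compliance

def signing_allowed(factors):
    """Return (allowed, reasons) for a list of already-verified factors."""
    reasons, qualifying = [], set()
    for f in factors:
        if f.category is Category.HARD_TOKEN:
            if not f.separate_from_computer:
                reasons.append("hard token is not separate from the computer")
                continue
            if f.fips_140_2_level < 1:
                reasons.append("hard token lacks FIPS 140-2 Security Level 1")
                continue
        elif f.category is Category.BIOMETRIC and not f.meets_1311_116:
            reasons.append("biometric subsystem does not meet § 1311.116")
            continue
        qualifying.add(f.category)
    # Two credentials of the same category count once: a password plus a
    # challenge question is still a single "knows" factor.
    if len(qualifying) < 2:
        reasons.append(f"only {len(qualifying)} distinct qualifying factor(s)")
    return len(qualifying) >= 2, reasons

# Constructed sample credentials.
PASSWORD = Factor(Category.KNOWLEDGE)
CHALLENGE = Factor(Category.KNOWLEDGE)
OTP_FOB = Factor(Category.HARD_TOKEN, separate_from_computer=True, fips_140_2_level=1)
ON_HOST_TOKEN = Factor(Category.HARD_TOKEN, separate_from_computer=False, fips_140_2_level=1)
FINGERPRINT = Factor(Category.BIOMETRIC, meets_1311_116=True)

if __name__ == "__main__":
    for combo in ([PASSWORD, OTP_FOB], [PASSWORD, CHALLENGE], [PASSWORD, ON_HOST_TOKEN]):
        print([f.category.value for f in combo], signing_allowed(combo))
```

The returned reasons are suitable for an audit log entry explaining why a signing attempt was refused.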

In a previous blog, I wrote about the many technologies which support strong authentication.

For e-Prescribing of controlled substances, BIDMC will investigate 3 approaches:

* The use of fingerprint biometrics using web-based software from Bio-Key as described in my cool technology blog.

* The use of hard tokens such as those provided by RSA.

* The use of cell phones as a two-factor authentication device, such as sending a PIN number via SMS after each e-prescribing session. Anakam has a complete suite of tools to implement this workflow.

Although there will be some burden/inconvenience imposed on clinicians through the use of two-factor authentication, I believe it will ultimately save time. Why?

Today's e-prescribing workflow is fractured. I can write for Lipitor with fully electronic NCPDP 8.1 formatted, vocabulary-controlled, end-to-end secure transactions. However, I write for Oxycontin with a pen and paper. I have to split my time between a screen and a pen for the same encounter with the same patient depending on the drug I'm writing for. In the Emergency Department, approximately 30% of all prescriptions are for controlled substances (i.e. pain control after trauma).

With fully electronic workflows, I can write for all meds, digitally sign the entire order set, get a PIN sent to my cell phone in 2 seconds and then send the transactions to the pharmacy of the patient's choice without a pen, paper or hassle.

I look forward to our controlled substance e-prescribing pilots. Ultimately it will be a win/win/win for patients, providers, and pharmacies.

6 comments:

Glen said...

Perhaps this new rule will serve as an impetus for standardization of two-factor authentication. Despite all the hoopla about the technology, it remains wholly proprietary. It is not subject to trusted independent verification and comparison of the strength of various types of authentication. And therefore one cannot calculate the risk mitigation value versus the cost in order to make a sound business decision.

The same is true for biometrics.

Strong authentication, by itself, does not provide authorization, privacy protection, auditing, administrative controls, and other things that make-up a complete security regime, e.g., per ONC's recent IFR.

The DEA has made one step in a journey. I only wish it was better coordinated with ONC's IFR.

Donald Green MD said...

It is hard to take comfort from these rulings since they do not address the underlying problems of opiate abuse. Many that abuse opiate prescriptions fall into categories that do not depend on e-prescribing. They commit identity theft and then use this to make their own prescriptions. They pose as needy patients and obtain prescriptions. They steal medications from unsuspecting friends and relatives. Larger thefts take place from places of storage and distribution. The latter makes up a large share of how these pills are obtained. I understand that there are Federal regulations imposed on the profession to be met but it is also our responsibility to point out that this will not be much of a solution. If a certain direction is encoded it becomes very difficult to change it.

The Medical Quack said...

There certainly are many choices out there for authentication. One area I have been reading about and connect with are Microsoft Tags. There's a company that goes beyond the public information and encrypts the tags called RazCode. These are already in development for PHRs with HealthVault and Google Health with using a cell phone to put your EOB into your PHR.

I think the same technology could possibly have some use with e-prescribing too as there's a portal and sign in for providers too. I had one doctor comment on my blog about how he really likes how Golf Magazine uses them so he can immediately have access to information on how to improve his golf swing, so one MD familiar with them already:)

http://ducknetweb.blogspot.com/2009/10/razcodewindows-tags-bar-coding-to-add.html

The basic version of the Tags is free and I have also recommended a potential use for scanning devices for recall, before used in surgery as patients have been implanted with defective devices and died due to a malfunctioning implant. This part of the plan is public information and the tag can be changed to indicate a recall, simple, scan that device before surgery. With cell phone technology and everyone updating phones you have an endless supply of phones for scanners to use without a carrier connection that can be put on Wi-Fi to connect for information on recalls and/or new safety information too. I did a big write up here and drug companies could benefit as well with finding stolen drugs, i.e. Eli Lilly. I would think from the other side of the coin that the DEA might like this:)

http://ducknetweb.blogspot.com/2010/02/tags-for-use-in-healthcare-medical.html

Again, these are just some thoughts I had here on a technology that might be simple, cost effective and maybe a part of a solution here for e-prescribing authentication and with the technology being investigated for use in other areas of healthcare, maybe a sense of familiarity could help. I have also written to the FDA about the potential too.

I have played around a bit too with making a couple of my own tags and I really like the feature that dials a phone number too.

I agree with you on carrying around a token too as that is something else to worry about and to have with you at all times.

Thanks for letting me contribute here and I hope perhaps I may have added something maybe worthwhile for thought.

Mary Dee said...

In the discussion so far about the DEA's draft IFR on e-Prescribing of Controlled Substances, I've only seen comments about the two-factor authentication part of the requirements. There is also a requirement for a two-body solution to writing the prescription which will change the workflow somewhat. To quote the IFR, "One person will enter the data; a registrant must approve the entry, using the two-factor authentication protocol, before access becomes operational."

So the new workflow for controlled substances will indeed be different and more cumbersome than the current workflow for non-controlled substances, if I'm understanding this right.

Peter N. Kaufman, MD (Chief Medical Officer, DrFirst) said...

I haven't made it through the entire IFR yet, but what I've seen looks like DEA listened to the NPRM comments and worked to incorporate them into the IFR. I'm posting to correct a misconception that may be taken from Mary Dee's comment. In the IFR, the requirement for two people to approve is for logical access control (that is, for program setup regarding who is qualified to use the program and send eprescriptions for controlled drugs (EPCS)). This is on page 48 of the IFR. The 2-factor authentication, described on pages 78-83, does not require a second person. In fact, the DEA modified their prior strict requirements to allow more flexibility in workflow for signing of EPCS.

Anonymous said...

Authentication does not eliminate the potential abuses from ePrescribing controlled substances. Additionally, EMR vendors will charge practices higher fees for the privilege of having the ability to ePrescribe controlled meds. This will only serve to add more costs to physicians who are already forced to invest capital for an EMR system. After all, EMR companies will need to monetize their investment in development and certification.

I think a solution to this problem, one that combines a hard copy script with electronic validation at the pharmacy, is the ultimate security. NuNova offers such a system. Every controlled medication script generated by their system has directions for the pharmacist to validate the hard copy electronically. Once validated, the pharmacist can choose to have the electronic data downloaded into their system. Since each script in their system is considered unique, the validation process is one and done with no chance for duplication or altering. I only wish the DEA had looked into their system which has been working well and without the need to change the regulations yet again.