
Electronic prescriptions of controlled substances – a key area where information security is paramount

Earlier this month the Drug Enforcement Administration (DEA) revised its regulations governing the electronic writing of prescriptions for controlled substances. The rule had been published in the Federal Register in March and is now in effect. Streamlining the process of e-prescribing controlled substances has many benefits, including cost reduction and improved quality of care. At a recent conference some of the challenges in this area were discussed by Leisa Jenkins, executive director of CareSpark. In the region that the CareSpark RHIO serves, fraud involving controlled substances is rampant: patients routinely exploit the lack of a consistent medical record and cross-state jurisdictional gaps to obtain controlled substances fraudulently. Solving this problem requires that provider organizations invest in information systems and processes that address the issue, and the security, privacy and compliance requirements are significant.

This area is a clear example where information security is a business enabler, a topic that I have discussed in earlier posts. It is also an area where the provider organization must ensure that they have thought through the legal defensibility associated with their information security programs.

Let’s now look at some of the security guidelines and requirements a provider organization must meet to take advantage of e-prescribing. These recommendations apply to e-prescribing in general, but they look closely at the problem in the context of controlled substances.

One of the critical security issues in this area is authentication. To meet the requirements mandated by the DEA, an e-prescribing application must satisfy security needs on several levels. At the heart of these requirements is two-factor authentication, which is required for creating a controlled substance prescription, for signing the prescription, and for obtaining the necessary credential. As usual, the National Institute of Standards and Technology (NIST) has provided guidance in this area; specifically, the guidelines in NIST Special Publication 800-63-1. The important take-away is that authentication for e-prescribing of controlled substances requires two-factor authentication at NIST assurance level 3. There are several ways to meet this requirement, but some technical approaches are rather advanced. Product/service combinations that I would recommend are the solutions from Anakam. When evaluating an authentication solution for this area, strong security is only part of the picture: the solution must also deal efficiently with the ease-of-use and workflow considerations of a medical environment.

Beyond authentication there are many additional challenges to deploying and sustaining a secure environment for a mission-critical application such as e-prescribing. A useful point of reference is provided by the Center for Strategic and International Studies (CSIS). In its report CSIS describes the 20 critical controls necessary for effective cyber defense, much of which is drawn from the experience of blue team members inside the Department of Defense. A conclusion of this report, consistent with our own experience at Redspin, is that application security is an area where significant investment is required. Information security teams charged with supporting mission-critical applications such as e-prescribing need to focus not only on perimeter controls, but also on additional areas such as log monitoring, vulnerability remediation processes and malware defense.

In subsequent posts I will delve further into some of the application security specifics, as well as discuss the aspects of legal defensibility associated with an information security program in this area.

This Post Has One Comment
  1. Hi John, one of the issues with MFA is cost, accessibility and practicality. We have patented a new software biometric that does not require any hardware and can be accessed from any PC anywhere. We submitted two briefs to the DEA and healthcare community during the public comment period. A software biometric will be another great option for physicians in lieu of a token or hardware-based biometric. The following is an excerpt of our brief. If you would like more information please visit our web site at http://www.biosig-id.com or send me an e-mail at [email protected]

    BioSig-ID offers a new twist to the traditional biometrics like fingerprints or facial scans. These static biometrics rely on physical (anatomical) attributes unique to each individual. In contrast, BioSig-ID relies on behavioral attributes which are unique to each of us. This gesture/signature technology is activated using just your mouse, stylus, touchpad, (or even finger) to authenticate the identity of the user. BioSig-ID captures HOW you write/draw (speed, direction, angle, length, height etc…) and stores these unique characteristics in a secure database. Only the “real” user can authenticate themselves in subsequent log-ins. These unique biometric characteristics cannot be borrowed, duplicated or shared and represent the highest level of identity authentication and security. BioSig-ID technology also offers multiple layers of identity proofing that provide choices and flexibility. Our closed loop technology provides a self service auto password reset and provides extra flexibility for continuity. The system can be configured to work with any device that accepts an input and a flash component. Since our system sits in front of other systems and we use a client server architecture we can usually integrate well with most systems.
    Jeff Maynard CEO – Biometric Signature ID
