
DEA has updated 21 CFR Parts 1300, 1304, 1306, and 1311 to establish the requirements under which DEA registrants may electronically prescribe controlled substances. The new Rule backs away from the PKI mandate promoted in the draft, replaces it with two-factor authentication, and eliminates any dependency on intermediaries for security or storage.
Two-Factor Authentication. Under the Interim Final Rule (IFR), institutions are permitted to incorporate the required identity proofing into their existing staff credentialing process. They must issue two-factor authentication credentials dedicated to the prescription signing function. The second factor must be either a biometric or a hard token. Alternatively, individual prescribers may obtain a digital certificate from any CA that is cross-certified with the Federal Bridge CA.
DEA clearly states its intention to "... minimize to the greatest extent possible, the potential for diversion of controlled substances ..." by stemming access to e-prescribing applications and prescriptions by unauthorized parties. DEA considers the IFR a good balance between meeting this objective and simplifying prescribers' obligations while providing flexibility in the mandated technologies and standards.
Review before signing. Prior to signing (via 2-factor authentication or by digital certificate), the prescriber must be presented with a list of controlled substance prescriptions which are "ready for signature." The prescriber is expected to review the prescription for accuracy of the DEA required data excepting the patient's address. After confirming accuracy, the prescriber will sign the prescription. If the prescriber does not sign using a digital certificate, then the application must digitally sign. All signed prescriptions must be stored for a minimum of two years.
Single patient bulk signing. The draft requirement to transmit immediately after the signature function is eliminated. This allows the signed prescription to be amended with additional data to comply with state requirements, but none of the DEA 1306 data may be changed. Prescribers are permitted to sign multiple controlled substance prescriptions for a single patient at one time, but may not bulk sign prescriptions for multiple patients.
Cleartext transmission. Signed prescriptions may be queued for transmission at a later time. The digital signature need not be communicated with the electronic prescription, provided the transmission format includes a field in which to indicate that the prescription was digitally signed. The receiving pharmacy or pharmacist must treat any prescription that is not received with a digital signature, or that lacks the indicator field, as unsigned. No encryption requirement for the e-prescription is specified.
Yet passwords still persist. There is an interesting dichotomy in the DEA security perspective. Passwords are no longer allowed as part of the specified two-factor authentication credential. DEA clearly states that PINs and passwords do not sufficiently protect against its primary concern, the misuse of credentials or of the electronic prescription. Yet it has failed to specify any requirement for protection of the private key associated with the digital certificate used by the individual prescriber, the application, or the receiving pharmacy. Common industry practice permits these keys to be installed with no protection and invoked automatically.
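The signing and receiving rules summarized above (sign the DEA 1306 data only, permit state add-ons after signing, restrict bulk signing to one patient, and treat a missing indicator or signature as unsigned) are sketched below as an added example. It is not part of the rule or of any e-prescribing product; the record layout, field names and use of Ed25519 are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Rx is a constructed record, not a real transmission format: DEA holds the
// 21 CFR 1306 data covered by the signature, State holds add-ons that may be
// appended after signing, Signed is the "digitally signed" indicator field.
type Rx struct {
	DEA    map[string]string `json:"dea"`
	State  map[string]string `json:"state,omitempty"`
	Sig    []byte            `json:"sig,omitempty"`
	Signed bool              `json:"signed"`
}

// canon serialises only the DEA fields; json.Marshal sorts map keys, so the
// signed bytes are deterministic and untouched by later State amendments.
func canon(r *Rx) []byte {
	b, _ := json.Marshal(r.DEA)
	return b
}

// SignBatch signs the prescriptions presented for review, refusing a batch
// that mixes patients (bulk signing is permitted for one patient only).
// The private key itself must be protected by the caller (token, HSM).
func SignBatch(priv ed25519.PrivateKey, batch []*Rx) error {
	for _, r := range batch {
		if r.DEA["patient"] != batch[0].DEA["patient"] {
			return errors.New("batch spans more than one patient")
		}
	}
	for _, r := range batch {
		r.Sig = ed25519.Sign(priv, canon(r))
		r.Signed = true
	}
	return nil
}

// VerifyAtPharmacy applies the receiving-side rule: a missing indicator, a
// missing signature, or one that fails over the DEA fields means "unsigned".
func VerifyAtPharmacy(pub ed25519.PublicKey, r *Rx) bool {
	if !r.Signed || len(r.Sig) == 0 {
		return false
	}
	return ed25519.Verify(pub, canon(r), r.Sig)
}
```

Amending State after signing leaves the signature valid, while any change to a DEA field, or a record that arrives without the indicator, is rejected.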
Printed prescriptions are not electronic. In response to comments, DEA has revised its position on the printing of e-prescriptions. In the IFR, e-prescriptions that have been transmitted can be printed, but must be clearly marked as a copy that is not valid for dispensing. Printed copies of transmitted e-prescriptions may not be manually signed. Alternatively, an application may print a prescription for signing and dispensing, but only if the original was not successfully transmitted to a pharmacy. A warning must be included on the printed prescription in the case of a failed transmission attempt, alerting pharmacies to the need for heightened scrutiny for duplication. This type of printed prescription must be manually signed.
Faxed prescriptions are paper. DEA designates faxed prescriptions as paper, and therefore they must be manually signed. A manually signed prescription, even if electronically created, may be faxed directly to the pharmacy. Note that e-prescriptions, once transmitted, may not be subsequently signed unless the transmission failed and the pharmacy is alerted per the procedure described above. DEA does not recognize state laws to the contrary, such as those in California or New Mexico.
Conclusions. The IFR seems to be a reasonable approach to limiting the threat of misuse of the prescriber's identity, but given the current level of criminal activity on the net, the failure to address transmission encryption, private key protection, and insider misuse seems at best a lost opportunity and at worst an invitation to abuse.
Links:
Tutorial: Electronic Signature
Presentation materials from a TEPR 2004 tutorial offered by the Tunitas Group. The tutorial covers legal and regulatory aspects of esig use, risks associated with esig use, commonly available signature technologies, and business case planning. The material includes several case studies, one of which describes the jeopardy that one hospital is now encountering as a result of a poor electronic signature implementation.
Presentations:
Archive: The HIPAA Electronic Signature Rule
2000 Whitepaper discussing the original HIPAA Electronic Signature Rule and its retraction. Paper includes an analysis of signature requirements to support the proposed Claim Attachment standard.