Thursday, March 25, 2010

The DEA IFR - Quick Review for ePrescribe

On March 24, the DEA released its IFR on Electronic Prescriptions for Controlled Substances, which incorporates the public comments received on the NPRM of June 27, 2008. Looking at the ePrescribe applications on the market today, the DEA IFR will require significant software development, particularly security-related work. It will also require changes in prescribers' workflows.
Here are the highlights (text in quotation marks is quoted from the IFR):

Obtaining Authentication Credentials - Allows remote identity proofing
"DEA is requiring registrants to apply to certain Federally approved credential service providers (CSPs) or certification authorities (CAs) to obtain their authentication credentials or digital certificates. These CSPs or CAs will be required to conduct identity proofing at National Institute of Standards and Technology (NIST) SP 800-63-1 Assurance Level 3, which allows either in-person or remote identity proofing. Once a Federally approved CSP or CA has verified the identity of the practitioner, it will issue the necessary authentication credential."

Two Factor Authentication - Biometrics may substitute for hard token 
"As proposed, DEA is requiring in this interim final rule that the authentication credential be two-factor. Two-factor authentication (two of the following – something you know, something you have, something you are). In the interim final rule DEA is allowing the use of a biometric as a substitute for a hard token or a password." 

Controlled Substances Pending Lists displaying all data elements
"DEA is requiring that the application display a list of controlled substance prescriptions for the practitioner’s review before the practitioner may authorize the prescriptions. A separate list must be displayed for each patient. All information that the DEA regulations require to be included in a prescription for a controlled substance, except the patient’s address, must appear on the review screen along with a notice that completing the two-factor authentication protocol is legally signing the prescription."

Two step prescribing - Readiness to sign -> Prompt for two factor authentication -> Sign
"Registrants must indicate that each controlled substance prescription shown is ready to be signed. When the registrant indicates that one or more prescriptions are to be signed, the application must prompt him to begin the two-factor authentication protocol. Completion of the two-factor authentication protocol legally signs the prescriptions. When the two-factor authentication protocol is successfully completed, the application must digitally sign and archive at least the DEA-required information."

No paper duplicates allowed, unless transmission fails
"DEA has clarified that the application may print copies of an electronically transmitted prescription if they are clearly labeled as copies, not valid for dispensing. If a practitioner is notified by an intermediary or pharmacy that a transmission failed, he may print a copy of the transmitted prescription and manually sign it. The prescription must indicate that it was originally transmitted to a specific pharmacy and that the transmission failed."

Digital Signatures - Either by the application or Prescriber Private Key 
"When the practitioner uses his two-factor authentication credential as specified in § 1311.140(a)(4), the electronic prescription application must digitally sign at least the information required by part 1306 of this chapter and electronically archive the digitally signed record. If the practitioner signs the prescription with his own private key, as provided in § 1311.145, the electronic prescription application must electronically archive a copy of the digitally signed record, but need not apply the application’s digital signature to the record."
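The two-step flow above (ready-to-sign indication, then the two-factor prompt, then the application's signature over the DEA-required data) and the application-side digital signature described in this section, shown together as an added example; this is not code from the IFR or from any ePrescribe product. The field set of the review record, the function names and the use of Ed25519 as the signature scheme are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ReviewRecord holds the data elements shown on the review screen and then signed. The
// field set is an illustrative assumption; the patient's address is deliberately absent.
type ReviewRecord struct {
	PatientName string `json:"patient_name"`
	Drug        string `json:"drug"`
	Quantity    int    `json:"quantity"`
	ReadyToSign bool   `json:"-"` // the practitioner's per-prescription indication; not signed
}

type SignedRecord struct{ Payload, Signature []byte } // what the application archives

// SignPending enforces the two-step flow: every listed prescription must be marked ready
// and the two-factor protocol completed before the application signs (Ed25519, an assumption).
func SignPending(pending []ReviewRecord, twoFactorCompleted bool, appKey ed25519.PrivateKey) ([]SignedRecord, error) {
	for _, r := range pending {
		if !r.ReadyToSign {
			return nil, fmt.Errorf("%s for %s is not marked ready to sign", r.Drug, r.PatientName)
		}
	}
	if !twoFactorCompleted {
		return nil, fmt.Errorf("two-factor authentication protocol not completed; nothing signed")
	}
	out := make([]SignedRecord, 0, len(pending))
	for _, r := range pending {
		payload, _ := json.Marshal(r) // fixed struct field order gives deterministic bytes; cannot fail here
		out = append(out, SignedRecord{Payload: payload, Signature: ed25519.Sign(appKey, payload)})
	}
	return out, nil
}

// VerifyArchived checks an archived record; any later alteration of the signed data fails.
func VerifyArchived(rec SignedRecord, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, rec.Payload, rec.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	rx := ReviewRecord{PatientName: "J. Doe", Drug: "oxycodone 5 mg", Quantity: 30, ReadyToSign: true}
	recs, _ := SignPending([]ReviewRecord{rx}, true, priv)
	fmt.Println(VerifyArchived(recs[0], pub)) // prints true
}
```

Because the readiness flag is excluded from the signed payload, the archived record carries only the data elements the practitioner reviewed, and a later change to any of them (the quantity, for instance) fails verification.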

Audit logs need to be augmented
"The application provider and the registrants must develop a list of auditable events; auditable events should be occurrences that indicate a potential security problem. For example, an unauthorized person attempting to sign or alter a prescription would be an auditable event;"

Daily Audit Checks - 24 hours reporting
"The applications must run the internal audit function daily to identify any auditable events. When one occurs, the application must generate a readable report for the practitioner or pharmacist. If a practitioner or pharmacy determines that there is a potential security problem, they must report it to DEA within one business day."
