Identity-proofing and two-step authentication for e-prescribing

When paper prescriptions were the dominant way to dispense medication, physicians relied on their signature, and security features in prescription pads, to ensure that only authorized prescriptions were dispensed.

It was a fairly low-tech solution subject to abuse, especially when patients abusing controlled substances were doctor shopping. Now that the Drug Enforcement Administration allows for the e-prescribing of controlled substances under the Electronic Prescriptions for Controlled Substances (EPCS) interim final rule, e-prescribing systems rely on strong security features to prevent doctor shoppers and abuse of schedule II, III and IV controlled substances and to ensure that only an authorized prescriber is issuing prescriptions.

Two of the strongest security features are identity proofing and two-factor authentication, and both play a key role in e-prescribing.


Identity proofing

Identity proofing is a process for issuing credentials to users. It relies on the physician or prescriber to provide and verify information that would be known only to that person, both when requesting credentials and when using those credentials to access the system.

The process asks for personally identifiable information known only to the individual in order to validate the person’s identity. Common questions asked as part of identity proofing are for the mother’s maiden name and the last four digits of the Social Security number.

Some identity proofing systems will ask someone requesting credentials to confirm certain information that is available via credit reporting agencies that would be known by the person being verified. For example, such a system might furnish four addresses and ask the person to click the address among the four where he or she once resided.

Another question might name four automobile loan financiers, and ask that the applicant for credentials confirm which lender once provided a car loan to the applicant. These processes are critical to ensuring that credentials are issued only to qualified users and that users are periodically verified to ensure their credentials have not been compromised.

With instances of doctor shopping and abuse of controlled substances on the rise, effective identity proofing was a key factor in the DEA’s decision to enable e-prescribing of controlled substances under the DEA’s requirements.

Two-factor authentication process

A second key security feature used to prevent abuse of controlled substances by controlling access to e-prescribing software is known as two-factor authentication, also known as two-step verification.

Two-factor authentication is essentially the requirement that the physician possess and use two distinct elements in order to gain access to the e-prescribing tool. For example, the physician may enter a username and password into an e-prescribing software tool.

Before granting access, the e-prescribing system might send a text with an access code to the cell phone of the physician. In order to gain access to the system, the physician would then enter the one-time use code from the text message. In order to compromise access, someone would need to have access to both the provider’s user identification and password AND the mobile phone of the provider.
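
The two-step login described above, as an added example that is not from the original article or from any e-prescribing product: the password is checked first, then a one-time code is texted and accepted only once, before it expires, and within a limited number of guesses. The class name, the `send_sms` callback, the code lifetime and the attempt limit are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300       # assumed: a texted code is valid for 5 minutes
MAX_ATTEMPTS = 3     # assumed: wrong guesses allowed per issued code

class TwoStepLogin:
    """Factor 1: password. Factor 2: one-time code sent to the enrolled phone."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # hypothetical SMS gateway callback: (phone, text)
        self.clock = clock
        self.users = {}            # username -> (salt, password hash, phone)
        self.pending = {}          # username -> [code hash, expiry, attempts left]

    def _pw_hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def enroll(self, username, password, phone):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._pw_hash(password, salt), phone)

    def start(self, username, password):
        """Step 1: verify the password, then text a fresh 6-digit code."""
        user = self.users.get(username)
        if user is None:
            return False
        salt, pw_hash, phone = user
        if not hmac.compare_digest(self._pw_hash(password, salt), pw_hash):
            return False           # no code is sent unless factor 1 succeeds
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = [hashlib.sha256(code.encode()).digest(),
                                  self.clock() + CODE_TTL, MAX_ATTEMPTS]
        self.send_sms(phone, f"Your access code is {code}")
        return True

    def finish(self, username, code):
        """Step 2: grant access only for a matching, unexpired, unused code."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        code_hash, expiry, attempts = entry
        fresh = self.clock() <= expiry
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), code_hash)
        if ok or not fresh or attempts <= 1:
            del self.pending[username]   # used, expired, or out of guesses
        else:
            entry[2] -= 1
        return ok and fresh
```

A stolen password alone fails at `finish`, and a stolen phone alone never gets a code sent, because `start` refuses to text anything until the password check passes.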

Some advanced systems are using things such as a thumb or fingerprint or voice as a factor for authentication, which is obviously more secure and unique to the user.

Two-factor authentication helps with compliance with the security elements that facilitate the EPCS law, because it is seen as unlikely that an outsider seeking unauthorized access would be able to gain control of both factors needed to gain access, thus adding increased security.
