I’ve been wanting to write about ePrescribing controlled substances since 9/13/09. In fact, I even did write post about the FDA approving a pilot to do electronic prescribing of controlled substances which I posted on that day. Turns out, it was a press release that was sent to me prematurely, so I hid it from view.
Well, a couple weeks ago, the Drug Enforcement Administration (DEA) released it’s interim final rule on ePrescribing of controlled substances (PDF). John Halamka described some of the most important details of this rule on his blog:
(a) To sign a controlled substance prescription, the electronic prescription application must require the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:
(1) Something only the practitioner knows, such as a password or response to a challenge question.
(2) Something the practitioner is, biometric data such as a fingerprint or iris scan.
(3) Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.
(b) If one factor is a hard token, it must be separate from the computer to which it is gaining access and must meet at least the criteria of FIPS 140-2 Security Level 1, as incorporated by reference in § 1311.08, for cryptographic modules or one-time-password devices.
(c) If one factor is a biometric, the biometric subsystem must comply with the requirements of § 1311.116.
Halamka also suggests they’ll consider 3 approaches to support strong authentication:
*Fingerprints (Bio-Key software?)
*Hard Tokens (such as those provided by RSA)
*Cell Phones (As Gemalto talked about in this video)
I also recently heard someone tell me that the banking has a 6 percent failure rate for matching people. It’s hard for me to believe that it’s high and that the banking industry is willing to deal with that type of failure rate. Of course, that’s not good enough for controlled substances. So, they’re going to have to find some way to lower the patient matching failure rate. Although, I wonder what the failure rate is with the current model. Seems like electronic prescribing shouldn’t make it any worse than it currently is.