Finally: A Safe and Secure Encrypted eRx System for Controlled Substances-But Will Physicians Be Allowed to Use It?

Pain Management, March 2010, Volume 3, Issue 2

Although there was a 181% increase in the use of e-prescribing across the country from 2008 to 2009, the prohibition on the use of this new technology to prescribe controlled substances (schedule II -- schedule V) has been a key barrier holding e-prescribing back from widespread adoption. Here is a look at the pilot program that led to the nation's first DEA-approved electronically transmitted prescription for a controlled substance.

The story of a pilot program that led to the nation’s first DEA-approved electronically transmitted prescription for a controlled substance.

Although there was a 181% increase in the use of e-prescribing across the country from 2008 to 2009, the prohibition on the use of this new technology to prescribe controlled substances (schedule II - schedule V) has been a key barrier holding e-prescribing back from widespread adoption.

Controlled substances make up roughly 11% of every prescription written, and these prescriptions are written by approximately 90% of all providers. With this said, it is evident that the ban on e-prescribing creates a problem for a majority of providers who wish to use an electronic system. The inability to write a controlled drug electronically creates the need for a provider to implement two office workflows—one for all electronic prescriptions, and one for the controlled substances that must be written by hand. This inconsistency in workflow ultimately defeats the purpose of e-prescribing as a whole.

Until now, the Drug Enforcement Agency (DEA) has placed an outright ban on using new technology for the prescribing of any controlled substances, fearing that the systems in place are not secure enough to be trusted with highly abused and addictive medications. Although the DEA issued a proposed rule for the e-prescribing of controlled substances in June of 2008, they are subject to mandates under the Controlled Substances Act that call for a closed system of control for the manufacturing, distributing, and dispensing of controlled substances, making finalization of these rules very difficult without a proven and safe method of secure electronic prescribing.

Addressing the situation at hand, Michael Blackman, MD, CMIO of Berkshire Health Systems, has stated that, “the lack of approved standards has contributed to a delay in realizing the full patient safety, clinical benefits, and risk reductions that are known to result from e-prescribing, including: better medication management and coordination of care, better decision support, clinician workflow

improvement, and reduction of medication errors. Until there’s one process for e-prescribing all drugs, the medical community won’t fully realize the workflow efficiencies that the technology allows”.

Acknowledging this pressing issue, industry leaders have known that in order for e-prescribing and healthcare IT as a whole to become the norm, there must be a cooperative agreement between vendors, users, and the DEA permitting the e-prescribing of controlled substances. Providers who prescribe controlled substances cannot afford to split their practice into two separate workflows. What they need is a solution to this problem that will enable them to reap the benefits of an electronic system without slowing down their entire office.

The first steps toward eRx

Following talks at a 2006 symposium held by the DEA, the spark was lit when DrFirst, Inc., an e-prescribing solutions provider, met with the DEA to discuss a safe and measurable way to overcome the security and accountability issues that have been holding e-prescribing back for so long. This meeting, along with funding from the Agency for Healthcare Research and Quality (AHRQ), spawned the Electronic Prescribing of Controlled Substances (EPCS) pilot program.

Right from the start, the DEA identified a set of security elements that must be addressed in a health IT solution for the EPCS. Authentication was the first issue mentioned by the DEA, as it is imperative to be able to positively identify the signer of any prescription and be able to correctly identify those who are sending and receiving all prescription data. Non-repudiation was another concern—the system would have to ensure that any and all parties to a prescribing activity could not reasonably deny their participation. The DEA also stressed the necessity for record integrity that would ensure that the prescription’s data and signature have not been altered after it has been signed. Due to the legal ramifications of this project, and the DEA’s concerns with drug abuse, all systems in place had to have the legal sufficiency for the DEA to successfully prosecute if a misuse occurred. All abuses of the system would have to be able to be tracked and proven beyond a reasonable doubt. Signature verification was also a necessity in order to ascertain that an identified signer intended to endorse the writing of a prescription. The final DEA requirement was for all information to be confidential. Only authorized persons were allowed to have access to any of the data from the EPCS project.

With these requirements in mind, DrFirst, Inc. collaborated with the Massachusetts Department of Public Health; Berkshire Health Systems, Inc.; eRx Network; and Brandeis University’s Heller School for Social Policy and Management to enhance Dr. First’s existing e-prescribing system by adding the security features required for approval by the DEA.

The EPCS team chose Berkshire County, MA, as the ideal location to host this pilot due to its relative seclusion, providing a controlled and extremely measurable environment. eRx Network provided a secure and safe connection to pharmacies in the county and was willing to step forward and participate in this unprecedented project.

Security is the key

The specific aims of the project included developing and verifying a system to allow safe and secure EPCS, linking the system with the existing Massachusetts Prescription Monitoring Program for Schedule II controlled substances, conducting evaluations of process and outcomes (including improvements in patient care, risk reductions, patient and clinician benefits, patient safety, and confidentiality), and disseminating the findings accordingly. Additionally, the team focused on keeping the process simple and within the existing workflow, maintaining consistency between e-prescribing systems and pharmacies, introducing multiple validation checks, supporting NCPDP “SCRIPT” Industry Standards, and ensuring there were no changes in responsibility associated with dispensing controlled drugs.

To address the DEA’s main security issue, the project team implemented a new two-factor authentication system to allow providers to send a prescription. The EPCS team had to select unique identifiers that would provide physicians with an easy method of verifying their identity. The choice was between something physicians knew (a password), something they did (insert a card or key into a computer), or something they are (a biometric scan). Solving this problem, the team introduced the use of a “crypto key” that, when paired with a unique password, provides the necessary two-factor authentication enabling a provider to prescribe a controlled drug electronically. A crypto key similar to a thumb/USB drive was issued to each provider in the pilot program. With these in place, the first step in writing a prescription was for a provider to log in to DrFirst’s Rcopia system and prepare the script. To actually send the prescription, the provider entered his or her “signature” (numeric password) while the crypto key was inserted into the computer. Once the key was in place and the signature was verified, the provider could send the desired prescription. At that point, the prescription is sent through a series of secure networks as it touches servers from DrFirst, the DEA, and eRx Network before it reaches its final destination: the pharmacy.

Using this method of delivery, the system bound each physician to his or her unique crypto key, and each individual prescription to its point-of-care vendor. This level of security and transparency helped appease the many security concerns because it enables detailed audits to be generated and made available to the DEA, pharmacy boards, and local and federal law enforcement agencies.

“Security issues have long clouded the issue of e-prescribing controlled substances. We proposed a schema that not only uses tight security for prescribers using the system, but uses the current trusted network between the e-prescribing or EMR application and the pharmacy,” said Peter N. Kaufman, MD, CMO of DrFirst, Inc.

A promising beginning

After identifying how the system would work, but before beginning the program, the EPCS team conducted research on the opinions of potential users of this new technology. Some of the key findings were:

- 65% of prescribers expect EPCS to improve clinical practice and quality.

- 25.3% expected EPCS to initially disrupt their practice.

- 44.9% reported that being required to use a signature authenticating token would be an inconvenience.

- 35.3% reported they might not use EPCS if required to carry the signature token (crypto key) at all times.

With the opinions of providers duly noted, the new system in place, and physicians and pharmacies on board, the EPCS team was able to finally test their pilot, and after much anticipation, at 12:05pm EDT on Monday, September 14, 2009, Prakash Darji, MD, of Berkshire Medical Group, sent the nation’s first DEA-approved prescription of a controlled substance electronically, using DrFirst’s Rcopia e-prescribing application.

In response to the 156 prescriptions written in the first month of the pilot, Michael Blackman, MD, CMIO of Berkshire Health Systems stated, “A barrier to e-prescribing has been removed with the success of this pilot, which is the improvement in practice workflow through the elimination of the need for two separate prescription-writing systems.”

Although the pilot was successful in proving that current eRx technology is capable of providing the needed security to send controlled substances electronically, it also revealed issues that must be addressed if the system is to function efficiently on a large scale. Users of the EPCS pilot experienced problems authenticating their crypto keys and loading the drivers necessary to complete this authentication. The nature of the crypto key itself prevented doctors from using their PDAs, which do not have a USB port but are often used in e-prescription writing. Additionally, the DEA would need to finalize its position regarding which locations would be permitted to provide identity proofing for doctors before they begin. Options for this include state law enforcement, local hospitals, pharmacy boards, and even local post offices. Inconsistencies in individual state legislation are a huge barrier to successful national adoption; for example, five states currently outlaw the prescribing of controlled substances independently from the DEA. The identification of these scalability issues will prove to be critical to the production of a system that when fully embraced will provide doctors and patients with the full benefits of an e-prescribing system.

“We have been waiting a long time to see the first electronic prescription for controlled substances to be sent from a qualified physician to a participating retail pharmacy. It is exciting to see this important evolution from paper to electronic transaction. This method will improve safety and reduce abuse and diversion,” said Rick Safe, Vice President of Clinical Services for eRx Network, an Emdeon company. “This project is able to identify the components of the DEA’s proposed ruling that are effective as well as pointing out the areas of concern. The key to this project is to show that the industry standard communication and transaction message (NCPDP SCRIPT), which has been used for several years for non-controlled substances, can be effectively used for controlled drugs as well.”

Finally, a Breakthrough?

DEA publishes interim rule on e-prescribing controlled substances

While this article was being edited prior to publication, the Drug Enforcement Administration published an interim final rule, with a comment period, to permit e-prescriptions for controlled substances. The rule will “permit pharmacies to receive, dispense, and archive electronic prescriptions for controlled substances. The regulations, according to DEA, are an addition to, not a replacement of, existing rules governing controlled substances.” View the complete text of the rule online at the Federal Register website. When asked to comment on the DEA rule, a spokesperson from DrFirst replied via e-mail that “DrFirst is currently in the process of reviewing the 334-page DEA interim final rule. Based on a limited initial review, we applaud the DEA for taking a positive step in the right direction toward eliminating the final barrier to e-prescribing with this new rule, and for listening to the comments they received regarding the Notice of Proposed Rulemaking (NPRM) last fall. Upon our cursory review, it appears the DEA will be requiring controlled substances to be signed and authenticated using two-factor authentication, but they will allow one of those factors to be either a biometric or a hard token. They are also expanding the methods of identity proofing, including remote secure methods. We will be submitting comments after having a chance to digest the ruling in detail.”