
VA/DEA PKI e-Prescribing Pilot for Controlled Substances

Rob Silverman, PharmD. January 13, 2005.


Presentation Transcript


  1. VA/DEA PKI e-Prescribing Pilot for Controlled Substances Rob Silverman, PharmD January 13, 2005

  2. Topics • e-Prescribing in Department of Veterans Affairs • VA/DEA PKI Pilot • Participants • Other roles • Goals • Security • Examples • Findings

  3. e-Prescribing is the norm at a VA Medical Center • Transmit prescriptions directly to the VA pharmacy • Legend drugs • Over-the-counter items provided by VA • Document items obtained elsewhere • Result: a complete medication and patient allergy/adverse reaction history available at any VA workstation in the hospital, remote clinic, or via VPN access, with real-time order checks

  4. Schedule II controlled substances • Under 21 CFR 1306, a C-II controlled substance may only be dispensed from a WRITTEN prescription signed by the practitioner • This creates one exception to an otherwise all-electronic prescribing environment

  5. The VA/DEA PKI Pilot • An “ongoing” pilot... although the formal review period has ended, the system is still in daily use and items are fixed as new issues come up • Scope of the project … demonstrate the application of a digital signature in place of a written signature for electronic transmission of prescriptions

  6. http://www.deadiversion.usdoj.gov/ecomm/index.html

  7. Participants • Original pilot: 50 Hines physicians were selected based on volume of Schedule II prescriptions written in the preceding 3 month period • Current usage: approximately 2 dozen active providers, some from original study and some added since

  8. Other participant roles: “Can’t tell the players without a scorecard” • DEA • PEC (DEA’s selected contractor) • VA Office of Information • Emerging Technologies • Infrastructure • CPRS & Pharmacy • VISN Information Security Officer • Local Information Security Officer • CPRS Coordinator • IRM • Workstation setup • Central server

  9. Specific goals • Create the infrastructure necessary to transmit a digitally signed prescription within the VistA CPRS system • Kernel (the EMR’s “operating system”) • CPRS (provider access to the electronic health record) • Pharmacy • VA PKI certificates • Compare the existing ELECTRONIC signature to the PKI-enabled DIGITAL signature

  10. A continuum of signature methods • Written signature • Ink and paper • Captured signature • Credit card machine at the store • VA’s use of iMedConsent application • Electronic signature • Provider knows an electronic code • Digital signature (PKI) • Provider knows an electronic code and possesses a smart card with matching information

  11. Security • Digital Signature • Prescription Integrity - The content of a prescription has not been altered in transit. • Non-Repudiation - The sender of a prescription cannot deny sending it. • Authentication - The sender of a prescription is the person claimed and not an imposter. http://www.deadiversion.usdoj.gov/ecomm/e_ordrs/index.html

  12. Security – the current process • Provider contacts Clinical Informatics Service [CIS], requests to be a participant in the DEA PKI program • CIS contacts PEC • PEC locates provider’s record in a database extract from DEA, transfers it to a registrant database

  13. Security – the current process • PEC confirms registration back to CIS and transmits that registration to a VA database • CIS gives provider an application/registration form • Acting as an “identity proofing agent”, CIS witnesses the application form signature • Could be the local ISO or their delegate • Photo ID required • Resident physicians without individual DEA numbers also require pharmacy authorization

  14. Security – the current process • Application form faxed to VISN ISO, acting as LRA (local registration authority) • VISN ISO has a registration database that matches the PEC database • An 8-digit enrollment number is generated

  15. Security – the current process • Enrollment number is returned securely to the local ISO • That number is then delivered in person to the applicant • Provider registers for the electronic certificate at http://vaww.va.gov/vapkidea (takes user to https://vaww1.va.gov/vapkidea/client/userEnrollMS.htm) • Other Tasks for the Card • Select PIN Number • Photo printed on card

  16. “ActiveCard Upgrade Instructions” – given to the Hines physicians with their card and enrollment number

  17. Security – the current process • Upon completion of the preceding steps, CIS activates the provider in the computer system as eligible to participate

  18. What makes that so secure? • The certificate from the web site matches their DEA number • Their VistA CPRS account matches their DEA number • Prescription signature indicates • Knowledge of VistA CPRS access/verify code • Knowledge of the VistA CPRS electronic signature code • Possession of the photo ID smart card • Knowledge of the card’s PIN number • Certificate has not been revoked

  19. Scaling the process nationally • The next few slides repeat the previous steps with a suggestion of how some areas are likely to change when this system is deployed nationally

  20. Security – possible scenario for national deployment • Providers are eligible to participate by virtue of having a current and valid DEA registration … no need for manual addition to an enrollment database

  21. Security – possible scenario for national deployment • Provider obtains a registration form from the DEA website and signs it in the presence of the station’s authorized “identity proofing agents” • Could be the local ISO or their delegate • Photo ID required

  22. Security – possible scenario for national deployment • Application form transmitted to the LRA, possibly still the VISN ISO • An 8-digit enrollment number is generated • Enrollment number is returned securely to the local ISO • That number is then delivered in person to the applicant

  23. Security – possible scenario for national deployment • Provider registers for the electronic certificate at a VA hosted web site https://vaww1.va.gov/vapkidea/client/userEnrollMS.htm • PIN number and card photo are probably already done because this card is used for • Access to the grounds • Access to parking • Access to building • Other PKI activities, such as secure email

  24. Security – possible scenario for national deployment • Provider notifies CIS that they have obtained a digital certificate so that CIS can enable VistA CPRS to accept digital signature

  25. What makes that so secure? • The certificate from the web site matches their DEA number • Their VistA CPRS account matches their DEA number • Prescription signature indicates • Knowledge of VistA CPRS access/verify code • Knowledge of the VistA CPRS electronic signature code • Possession of the photo ID smart card • Knowledge of the card’s PIN number • Certificate has not been revoked

  26. Ordering is relatively unchanged --- place the order as usual

  27. Sign the order using regular CPRS functionality, with the Electronic Signature Code

  28. CPRS will prompt for the Smart Card PIN when it recognizes a C-II medication being signed

  29. Activity: 09/10/2004 14:15 New Order entered by SILVERMAN,CALL
      Order Text: MORPHINE TAB,SA 30MG TAKE ONE TABLET BY MOUTH TWICE A DAY
      Quantity: 60 Refills: 0
      Nature of Order: ELECTRONICALLY ENTERED
      Dig Signature: SILVERMAN,CALL on 09/10/2004 14:16

      CPRS will identify the order as DIGITALLY signed when both the electronic signature and smart card PIN have authenticated the order.

  30. The VistA pharmacy application will also identify the order as DIGITALLY signed, indicating to the pharmacist that a paper copy is not necessary. Orders that fail to validate against the digital signature are displayed to the pharmacist once, and then automatically cancelled by the system.
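The checks listed on slides 18 and 30, as an added example that is not part of the original presentation or of VistA/CPRS code: the pharmacy side treats an order as digitally signed only if the certificate's DEA number matches the account, the certificate is not revoked, and the signature verifies over the order text. ECDSA P-256, the `Order` fields, the serial `01`, the DEA number `ZZ0000000` and the result strings are assumptions; the slides do not state the pilot's algorithm or certificate format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Order is a hypothetical signed C-II order; Cert* fields stand in for an X.509 certificate.
type Order struct {
	Text, AccountDEA, CertSerial, CertDEA string
	CertKey                               *ecdsa.PublicKey
	Sig                                   []byte
}

// NewSignedOrder signs text with a fresh P-256 key standing in for the smart card key.
func NewSignedOrder(text, dea string) Order {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	h := sha256.Sum256([]byte(text))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	return Order{text, dea, "01", dea, &priv.PublicKey, sig}
}

// Validate applies the three checks; any failure means the order is cancelled.
func Validate(o Order, revoked map[string]bool) string {
	h := sha256.Sum256([]byte(o.Text))
	switch {
	case o.CertDEA != o.AccountDEA:
		return "CANCEL: certificate DEA number does not match account"
	case revoked[o.CertSerial]:
		return "CANCEL: certificate revoked"
	case !ecdsa.VerifyASN1(o.CertKey, h[:], o.Sig):
		return "CANCEL: signature does not match order content"
	}
	return "DIGITALLY SIGNED"
}

func main() {
	// Constructed sample: order text from slide 29, placeholder DEA number.
	o := NewSignedOrder("MORPHINE TAB,SA 30MG Quantity: 60 Refills: 0", "ZZ0000000")
	fmt.Println(Validate(o, nil), "/", Validate(o, map[string]bool{"01": true}))
}
```

Changing any byte of `Text` after signing, such as the quantity, makes `Validate` return the signature failure, which is the integrity property from slide 11.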

  31. Findings of the pilot • First and foremost • IT WORKS! • Time savings to practitioners • No need to deliver the prescription to the pharmacy • Prescriptions are complete • One-stop-shopping, all prescriptions can be handled in the same manner • Permanent “storage” of the prescription is now an electronic file vs. boxes of prescription sheets

  32. Issues solved in the pilot • The system has been maintained through • Change in smart card type (x1) • Change in certificate issuance authority (x1) • Change in smart card software (x2) • Change in COM object (x10 !)

  33. More items solved • Workstation installation functions for “all users” • PIN caching for multiple Rx’s in the same patient profile at the same time • Forced VA to re-evaluate the drug file settings to clearly define a “schedule II drug”

  34. Some “gotchas” • Biometrics testing experience • Precise MC 100 used during pilot • Example of alternative: Identix Biotouch • PowerUser access to computer systems • Tied to a specific smart card vendor

  35. Items for discussion • Security needs for a DEA certificate are different than a VA email certificate (sign & encrypt) • How many copies of the certificate may exist? • Default setup is different in a clinic than an office environment • Does card-based logon save time? • Remembering password vs. PIN

  36. Future model • One ideal outcome of the pilot would be a DEA registration website that allowed online payment of a physician’s renewal, provided immediate response, and delivered a new PKI certificate at that time.

  37. Contact information Rob Silverman Hines VA Hospital 708-202-5040 Robert.Silverman2@med.va.gov
