VA/DEA PKI e-Prescribing Pilot for Controlled Substances

Rob Silverman, PharmDJanuary 13, 2005

Topics

e-Prescribing in Department of Veterans Affairs

VA/DEA PKI Pilot Participants Other roles Goals

Security Examples Findings

e-Prescribing is the norm at a VA Medical Center

Transmit prescriptions directly to the VA pharmacy Legend drugs Over-the-counter items provided by VA Document items obtained elsewhere

Result: a complete medication and patient allergy/adverse reaction history available at any VA workstation in the hospital, remote clinic, or via VPN access, with real-time order checks

Schedule II controlled substances

Under 21 CFR 1306, a C-II controlled substance may only be dispensed from a WRITTEN prescription signed by the practitioner

This creates one exception to an otherwise all-electronic prescribing environment

The VA/DEA PKI Pilot

An “ongoing” pilot ... although the formal review period has ended, the system is still in daily use and items are fixed as new issues come up

Scope of the project … demonstrate the application of a digital signature in place of a written signature for electronic transmission of prescriptions

http://www.deadiversion.usdoj.gov/ecomm/index.html

Participants

Original pilot: 50 Hines physicians were selected based on volume of Schedule II prescriptions written in the preceding 3 month period

Current usage: approximately 2 dozen active providers, some from original study and some added since

Other participant roles

“Can’t tell the players without a scorecard”

DEA PEC (DEA’s selected contractor) VA Office of Information

Emerging Technologies Infrastructure CPRS & Pharmacy

VISN Information Security Officer

Local Information Security Officer

CPRS Coordinator IRM

Workstation setup Central server

Specific goals

Create the infrastructure necessary to transmit a digitally signed prescription within the VistA CPRS system Kernel (the EMR’s “operating system”) CPRS (provider access to the electronic health

record) Pharmacy VA PKI certificates

Compare the existing ELECTRONIC signature to the PKI-enabled DIGITAL signature

A continuum of signature methods

Written signature Ink and paper

Captured signature Credit card machine at the store VA’s use of iMedConsent application

Electronic signature Provider knows an electronic code

Digital signature (PKI) Provider knows an electronic code and

possesses a smart card with matching information

Security

Digital Signature Prescription Integrity - The content of a

prescription has not been altered in transit.

Non-Repudiation - The sender of a prescription cannot deny sending it.

Authentication - The sender of a prescription is the person claimed and not an imposter.

http://www.deadiversion.usdoj.gov/ecomm/e_ordrs/index.html

Security – the current process

Provider contacts Clinical Informatics Service [CIS], requests to be a participant in the DEA PKI program

CIS contacts PEC PEC locates provider’s record in a

database extract from DEA, transfers it to a registrant database

Security – the current process

PEC confirms registration back to CIS and transmits that registration to a VA database

CIS gives provider an application/registration form

Acting as an “identity proofing agent”, CIS witnesses the application form signature Could be the local ISO or their delegate Photo ID required Resident physicians without individual DEA

numbers also require pharmacy authorization

Security – the current process

Application form faxed to VISN ISO, acting as LRA (local registration authority)

VISN ISO has a registration database that matches the PEC database

An 8-digit enrollment number is generated

Security – the current process

Enrollment number is returned securely to the local ISO

That number is then delivered in person to the applicant

Provider registers for the electronic certificate at http://vaww.va.gov/vapkidea (takes user to https://vaww1.va.gov/vapkidea/client/userEnrollMS.htm)

Other Tasks for the Card Select PIN Number Photo printed on card

“ActiveCard Upgrade Instructions” – given to the Hines physicians with their card and enrollment number

Security – the current process

Upon completion of the preceding steps, CIS activates the provider in the computer system as eligible to participate

What makes that so secure?

The certificate from the web site matches their DEA number

Their VistA CPRS account matches their DEA number

Prescription signature indicates Knowledge of VistA CPRS access/verify code Knowledge of the VistA CPRS electronic

signature code Possession of the photo ID smart card Knowledge of the card’s PIN number Certificate has not been revoked

Scaling the process nationally

The next few slides repeat the previous steps with a suggestion of how some areas are likely to change when this system is deployed nationally

Security – possible scenario for national deployment

Providers are eligible to participate by virtue of having a current and valid DEA registration … no need for manual addition to an enrollment database

Security – possible scenario for national deployment

Provider obtains a registration form from the DEA website and signs it in the presence of the station’s authorized “identity proofing agents” Could be the local ISO or their delegate Photo ID required

Security – possible scenario for national deployment

Application form transmitted to the LRA, possibly still the VISN ISO

An 8-digit enrollment number is generated

Enrollment number is returned securely to the local ISO

That number is then delivered in person to the applicant

Security – possible scenario for national deployment

Provider registers for the electronic certificate at a VA hosted web site https://vaww1.va.gov/vapkidea/client/userEnrollMS.htm

PIN number and card photo are probably already done because this card is used for

Access to the grounds Access to parking Access to building Other PKI activities, such as secure

email

Security – possible scenario for national deployment

Provider notifies CIS that they have obtained a digital certificate so that CIS can enable VistA CPRS to accept digital signature

What makes that so secure?

The certificate from the web site matches their DEA number

Their VistA CPRS account matches their DEA number

Prescription signature indicates Knowledge of VistA CPRS access/verify code Knowledge of the VistA CPRS electronic

signature code Possession of the photo ID smart card Knowledge of the card’s PIN number Certificate has not been revoked

Ordering is relatively unchanged --- place the order as usual

Sign the order using regular CPRS functionality, with the Electronic Signature Code

CPRS will prompt for the Smart Card PIN when it recognizes a C-II medication being signed

Activity:09/10/2004 14:15 New Order entered by SILVERMAN,CALL Order Text: MORPHINE TAB,SA 30MG TAKE ONE TABLET BY MOUTH TWICE A DAY Quantity: 60 Refills: 0 Nature of Order: ELECTRONICALLY ENTERED Dig Signature: SILVERMAN,CALL on 09/10/2004 14:16

CPRS will identify the order as DIGITALLY signed when both the electronic signature and smart card PIN have authenticated the order.

The VistA pharmacy application will also identify the order as DIGITALLY signed, indicating to the pharmacist that a paper copy is not necessary. Orders that fail to validate against the digital signature are displayed to the pharmacist once, and then automatically cancelled by the system.

Findings of the pilot

First and foremostIT WORKS!

Time savings to practitioners No need to deliver the prescription to the

pharmacy Prescriptions are complete One-stop-shopping, all prescriptions can

be handled in the same manner Permanent “storage” of the prescription is

now an electronic file vs. boxes of prescription sheets

Issues solved in the pilot

The system has been maintained through Change in smart card type (x1) Change in certificate issuance authority

(x1) Change in smart card software (x2) Change in COM object (x10 !)

More items solved

Workstation installation functions for “all users”

PIN caching for multiple Rx’s in the same patient profile at the same time

Forced VA to re-evaluate the drug file settings to clearly define a “schedule II drug”

Some “gotchas”

Biometrics testing experience Precise MC 100 used during pilot Example of alternative: Identix

Biotouch PowerUser access to computer

systems Tied to a specific smart card vendor

Items for discussion

Security needs for a DEA certificate are different than a VA email certificate (sign & encrypt) How many copies of the certificate may

exist? Default setup is different in a clinic than

an office environment

Does card-based logon save time? Remembering password vs. PIN

Future model

One ideal outcome of the pilot would be a DEA registration website that allowed online payment of a physician’s renewal, provided immediate response, and delivered a new PKI certificate at that time.

Contact information

Rob SilvermanHines VA Hospital708-202-5040Robert.Silverman2@med.va.gov