Breaking Down EPCS Authentication Methods

    September 2019 | Todd Johnson, Manager of Identity Management Solutions


    A Medicare Part D program will require EPCS starting January 2021. This has left many hospitals scrambling to stay ahead of these and future state mandates.

    Electronic prescribing of controlled substances (EPCS) is one of the hottest topics in healthcare right now. New York and Maine were early responders to the country’s opioid epidemic by mandating EPCS, and other states quickly followed suit. In fact, 27 states have mandated EPCS since 2016!


    EPCS Projects Take Time

    EPCS projects take time – more than most people realize. By putting the legwork in now, you can ensure a solution that meets the demands of physicians and the workflow requirements of your clinical environment. 


    I discussed EPCS in my last post and referenced our EPCS Planning Guide as a helpful starting point for hospitals beginning their EPCS journey. Now it’s on to stage two, which is exploring the various modality options for EPCS and considerations depending upon EMR.


    Authentication Modalities

    Forward Advantage is a long-term partner and authorized reseller/implementer of Imprivata authentication and single sign-on solutions. We are well-versed in all things “authentication” and break down the options as something you know, something you are, and something you have.


    What's Your EMR?

    This is the first question I always ask hospitals that are exploring EPCS. Some methods of EPCS authentication are only available to Epic and MEDHOST customers. As of right now, MEDITECH and McKesson customers are limited to two choices for EPCS authentication. These are:

    1)  Manual OTP token (Symantec token by DrFirst) paired with the DrFirst passphrase

    2)  Active Directory password combined with fingerprint

    For the purposes of this post, I have broken down the options for EPCS authentication according to three EMR types: MEDITECH, MEDHOST, and Epic. As always, my team and I are happy to discuss this information in more detail and can demonstrate an EPCS workflow with your specific EMR. 


    What's Most Popular Among Physicians?

    There are pros and cons to each authentication method and differing popularity levels among physicians. For instance, hospitals should consider whether manually entered tokens are a good fit for their physicians. We often hear of struggles with this method, as distractions and other requests can prevent physicians from entering tokens promptly, before they expire.

    Hands-free authentication is extremely popular among physicians. If they see this technology, they’ll want it. It works as a hands-free (type-free) application that can communicate with the PC where the transaction is taking place. The physician types a password, and the computer uses Bluetooth to communicate with the phone. The code goes straight over Bluetooth into the system without physicians having to do a thing.

    A push token, which is also an application on the physician’s phone, is very popular as well. The physician scans a fingerprint or types a password at a computer, and the application pops up a message on his or her phone to accept or decline assigning a medication order.


    Avoid Surprises 

    To avoid surprises, keep these considerations in mind when implementing an authentication method for EPCS:

       • FIPS 201-compliant fingerprint readers are required for fingerprint EPCS signing events. In Ohio, a lot of customers have had fingerprint readers in place for a number of years for CPOE. However, many of those fingerprints were registered on older devices. If you’re a MEDITECH customer in Ohio, be prepared to go through re-enrollment of fingerprints for physicians.

       • Supervised enrollment is required for ALL modalities. If you plan to only do passwords and tokens (that live on phones), you’ll have to go through re-enrollment frequently because physicians toss old phones without realizing they still need the token to re-enroll the new phone.

       • If you use fingerprints, then the frequent re-enrollment described in the previous point doesn’t apply, because physicians can scan their already-enrolled fingerprint to re-register with the new phone.


    See It For Yourself

    Forward Advantage understands the pressure of the EPCS mandates, and our team is here to help! Reach out to us during any step to explore your options for EPCS and the best authentication method for your organization.




