Rules - 2010

FR Doc 2010-6687[Federal Register: March 31, 2010 (Volume 75, Number 61)]
[Rules and Regulations]
[Page 16235-16319] From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr31mr10-17]

[[Page 16235]]

Part II

Department of Justice

-----------------------------------------------------------------------

Drug Enforcement Administration

-----------------------------------------------------------------------

21 CFR Parts 1300, 1304, 1306, and 1311

Electronic Prescriptions for Controlled Substances; Final Rule

[[Page 16236]]

-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

Drug Enforcement Administration

21 CFR Parts 1300, 1304, 1306, and 1311

[Docket No. DEA-218I] RIN 1117-AA61

Electronic Prescriptions for Controlled Substances

AGENCY: Drug Enforcement Administration (DEA), Department of Justice.

ACTION: Interim Final Rule with Request for Comment.

SUMMARY: The Drug Enforcement Administration (DEA) is revising its regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically. The regulations will also permit pharmacies to receive, dispense, and archive these electronic prescriptions. These regulations are in addition to, not a replacement of, the existing rules. The regulations provide pharmacies, hospitals, and practitioners with the ability to use modern technology for controlled substance prescriptions while maintaining the closed system of controls on controlled substances dispensing; additionally, the regulations will reduce paperwork for DEA registrants who dispense controlled substances and have the potential to reduce prescription forgery. The regulations will also have the potential to reduce the number of prescription errors caused by illegible handwriting and misunderstood oral prescriptions. Moreover, they will help both pharmacies and hospitals to integrate prescription records into other medical records more directly, which may increase efficiency, and potentially reduce the amount of time patients spend waiting to have their prescriptions filled.

DATES: This rule has been classified as a major rule subject to Congressional review. The effective date is June 1, 2010. However, at the conclusion of the Congressional review, if the effective date has been changed, the Drug Enforcement Administration will publish a document in the Federal Register to establish the actual effective date or to terminate the rule.

The incorporation by reference of certain publications listed in the rule is approved by the Director of the Federal Register as of June 1, 2010.

Written comments must be postmarked and electronic comments must be submitted on or before June 1, 2010. Commenters should be aware that the electronic Federal Docket Management System will not accept comments after Midnight Eastern Time on the last day of the comment period.

ADDRESSES: To ensure proper handling of comments, please reference "Docket No. DEA-218" on all written and electronic correspondence. Written comments sent via regular or express mail should be sent to the Drug Enforcement Administration, Attention: DEA Federal Register Representative/ODL, 8701 Morrissette Drive, Springfield, VA 22152. Comments may be sent to DEA by sending an electronic message to dea.diversion.policy@usdoj.gov. Comments may also be sent electronically through http://www.regulations.gov using the electronic comment form provided on that site. An electronic copy of this document is also available at the http://www.regulations.gov Web site. DEA will accept attachments to electronic comments in Microsoft Word, WordPerfect, Adobe PDF, or Excel file formats only. DEA will not accept any file formats other than those specifically listed here.

Please note that DEA is requesting that electronic comments be submitted before midnight Eastern Time on the day the comment period closes because http://www.regulations.gov terminates the public's ability to submit comments at midnight Eastern Time on the day the comment period closes. Commenters in time zones other than Eastern Time may want to consider this so that their electronic comments are received. All comments sent via regular or express mail will be considered timely if postmarked on the day the comment period closes.

FOR FURTHER INFORMATION CONTACT: Mark W. Caverly, Chief, Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, 8701 Morrissette Drive, Springfield, VA 22152, Telephone (202) 307-7297.

SUPPLEMENTARY INFORMATION: Comments: DEA is seeking additional comments on the following issues: Identity proofing, access control, authentication, biometric subsystems and testing of those subsystems, internal audit trails for electronic prescription applications, and third-party auditors and certification organizations.

Posting of Public Comments: Please note that all comments received are considered part of the public record and made available for public inspection online at http://www.regulations.gov and in the Drug Enforcement Administration's public docket. Such information includes personal identifying information (such as your name, address, etc.) voluntarily submitted by the commenter.

If you want to submit personal identifying information (such as your name, address, etc.) as part of your comment, but do not want it to be posted online or made available in the public docket, you must include the phrase "PERSONAL IDENTIFYING INFORMATION" in the first paragraph of your comment. You must also place all the personal identifying information you do not want posted online or made available in the public docket in the first paragraph of your comment and identify what information you want redacted.

If you want to submit confidential business information as part of your comment, but do not want it to be posted online or made available in the public docket, you must include the phrase "CONFIDENTIAL BUSINESS INFORMATION" in the first paragraph of your comment. You must also prominently identify confidential business information to be redacted within the comment. If a comment has so much confidential business information that it cannot be effectively redacted, all or part of that comment may not be posted online or made available in the public docket.

Personal identifying information and confidential business information identified and located as set forth above will be redacted and the comment, in redacted form, will be posted online and placed in the Drug Enforcement Administration's public docket file. Please note that the Freedom of Information Act applies to all comments received. If you wish to inspect the agency's public docket file in person by appointment, please see the FOR FURTHER INFORMATION paragraph.

1. Legal Authority
2. Regulatory History
3. Discussion of the Interim Final Rule
4. Discussion of Comments
   1. Introduction
   2. Identity Proofing and Logical Access Control
      1. Identity Proofing
      2. Access Control
   3. Authentication Protocols
   4. Creating and Signing Electronic Controlled Substance Prescriptions
      1. Reviewing Prescriptions
      2. Timing of Authentication, Lockout, and Attestation
      3. Indication That the Prescription Was Signed
      4. Other Prescription Content Issues
      5. Transmission on Signing/Digitally Signing the Record
      6. PKI and Digital Signatures
   5. Internal Audit Trails
   6. Recordkeeping, Monthly Logs
      1. Recordkeeping
      2. Monthly Logs
   7. Transmission Issues
      1. Alteration During Transmission
      2. Printing After Transmission and Transmitting After Printing
      3. Facsimile Transmission of Prescriptions by Intermediaries
      4. Other Issues
   8. Pharmacy Issues
      1. Digital Signature
      2. Checking the CSA Database
      3. Audit Trails
      4. Offsite Storage
      5. Transfers
      6. Other Pharmacy Issues
   9. Third Party Audits
   10. Risk Assessment
   11. Other Issues
       1. Definitions
       2. Other Issues
       3. Beyond the Scope
   12. Summary of Changes From the Proposed Rule
5. Section-by-Section Discussion of the Interim Final Rule
6. Incorporation by Reference
7. Required Analyses
   1. Risk Assessment for Electronic Prescriptions for Controlled Substances
   2. Executive Order 12866
   3. Regulatory Flexibility Act
   4. Congressional Review Act
   5. Paperwork Reduction Act
   6. Executive Order 12988
   7. Executive Order 13132
   8. Unfunded Mandates Reform Act of 1995

I. Legal Authority

DEA implements the Comprehensive Drug Abuse Prevention and Control Act of 1970, often referred to as the Controlled Substances Act (CSA) and the Controlled Substances Import and Export Act (21 U.S.C. 801- 971), as amended. DEA publishes the implementing regulations for these statutes in Title 21 of the Code of Federal Regulations (CFR), Parts 1300 to 1399. These regulations are designed to ensure an adequate supply of controlled substances for legitimate medical, scientific, research, and industrial purposes, and to deter the diversion of controlled substances to illegal purposes. The CSA mandates that DEA establish a closed system of control for manufacturing, distributing, and dispensing controlled substances. Any person who manufactures, distributes, dispenses, imports, exports, or conducts research or chemical analysis with controlled substances must register with DEA (unless exempt) and comply with the applicable requirements for the activity.

Controlled Substances

Controlled substances are drugs and other substances that have a potential for abuse and psychological and physical dependence; these include opioids, stimulants, depressants, hallucinogens, anabolic steroids, and drugs that are immediate precursors of these classes of substances. DEA lists controlled substances in 21 CFR part 1308. The substances are divided into five schedules: Schedule I substances have a high potential for abuse and have no currently accepted medical use in treatment in the United States. These substances may only be used for research, chemical analysis, or manufacture of other drugs. Schedule II-V substances have currently accepted medical uses in the United States, but also have potential for abuse and psychological and physical dependence that necessitate control of the substances under the CSA. The vast majority of Schedule II, III, IV, and V controlled substances are available only pursuant to a prescription issued by a practitioner licensed by the State and registered with DEA to dispense the substances. Overall, controlled substances constitute between 10 percent and 11 percent of all prescriptions written in the United States.

II. Regulatory History

The Controlled Substances Act and Current Regulations. The CSA and DEA's regulations were originally adopted at a time when most transactions and particularly prescriptions were done on paper. The CSA provides that a controlled substance in Schedule II may only be dispensed by a pharmacy pursuant to a "written prescription," except in emergency situations (21 U.S.C. 829(a)). In contrast, for controlled substances in Schedules III and IV, the CSA provides that a pharmacy may dispense pursuant to a "written or oral prescription." (21 U.S.C. 829(b)). Where an oral prescription is permitted by the CSA, the DEA regulations further provide that a practitioner may transmit to the pharmacy a facsimile of a written, manually signed prescription in lieu of an oral prescription (21 CFR 1306.21(a)).

Under longstanding Federal law, for a prescription for a controlled substance to be valid, it must be issued for a legitimate medical purpose by a practitioner acting in the usual course of professional practice (United States v. Moore, 423 U.S. 122 (1975); 21 CFR 1306.04(a)). As the DEA regulations state: "The responsibility for the proper prescribing and dispensing of controlled substances is upon the prescribing practitioner, but a corresponding responsibility rests with the pharmacist who fills the prescription." (21 CFR 1306.04(a)).

The Controlled Substances Act is unique among criminal laws in that it stipulates acts pertaining to controlled substances that are permissible. That is, if the CSA does not explicitly permit an action pertaining to a controlled substance, then by its lack of explicit permissibility the act is prohibited. Violations of the Act can be civil or criminal in nature, which may result in administrative, civil, or criminal proceedings. Remedies under the Act can range from modification or revocation of DEA registration, to civil monetary penalties or imprisonment, depending on the nature, scope, and extent of the violation.

Specifically, it is unlawful for any person knowingly or intentionally to manufacture, distribute, or dispense, a controlled substance or to possess a controlled substance with the intent of manufacturing, distributing, or dispensing that controlled substance, except as authorized by the Controlled Substances Act (21 U.S.C. 841(a)(1)).

Further, it is unlawful for any person knowingly or intentionally to possess a controlled substance unless such substance was obtained directly, or pursuant to a valid prescription or order, issued for a legitimate medical purpose, from a practitioner, while acting in the course of the practitioner's professional practice, or except as otherwise authorized by the CSA (21 U.S.C. 844(a)). It is unlawful for any person to knowingly or intentionally acquire or obtain possession of a controlled substance by misrepresentation, fraud, forgery, deception, or subterfuge (21 U.S.C. 843(a)(3)).

It is unlawful for any person knowingly or intentionally to use a DEA registration number that is fictitious, revoked, suspended, expired, or issued to another person in the course of dispensing a controlled substance, or for the purpose of acquiring or obtaining a controlled substance (21 U.S.C. 843(a)(2)).

Beyond these possession and dispensing requirements, it is unlawful for any person to refuse or negligently fail to make, keep, or furnish any record (including any record of dispensing) that is required by the CSA (21 U.S.C. 842(a)(5)). It is also unlawful to furnish any false or fraudulent material information in, or omit any information from, any record required to be made or kept (21 U.S.C. 843(a)(4)(A)).

Within the CSA's system of controls, it is the individual practitioner (e.g., physician, dentist, veterinarian, nurse practitioner) who issues the prescription authorizing the dispensing of the controlled substance. This prescription

[[Page 16238]]

must be issued for a legitimate medical purpose and must be issued in the usual course of professional practice. The individual practitioner is responsible for ensuring that the prescription conforms to all legal requirements. The pharmacist, acting under the authority of the DEA- registered pharmacy, has a corresponding responsibility to ensure that the prescription is valid and meets all legal requirements. The DEA- registered pharmacy does not order the dispensing. Rather, the pharmacy, and the dispensing pharmacist merely rely on the prescription as written by the DEA-registered individual practitioner to conduct the dispensing.

Thus, a prescription is much more than the mere method of transmitting dispensing information from a practitioner to a pharmacy. The prescription serves both as a record of the practitioner's determination of the legitimate medical need for the drug to be dispensed, and as a record of the dispensing, providing the pharmacy with the legal justification and authority to dispense the medication prescribed by the practitioner. The prescription also provides a record of the actual dispensing of the controlled substance to the ultimate user (the patient) and, therefore, is critical to documenting that controlled substances held by a pharmacy have been dispensed legally. The maintenance by pharmacies of complete and accurate prescription records is an essential part of the overall CSA regulatory scheme established by Congress.

American Recovery and Reinvestment Act. On February 17, 2009, the President signed the American Recovery and Reinvestment Act of 2009 (Recovery Act) (Pub. L. 111-5, 123 STAT. 115). Among its many provisions, the Recovery Act promotes the "meaningful use" of electronic health records (EHRs) via incentives. The health information technology provisions of the Recovery Act are primarily found in Title XIII, Division A, Health Information Technology, and in Title IV of Division B, Medicare and Medicaid Health Information Technology. These titles together are cited as the Health Information Technology for Economic and Clinical Health Act or the HITECH Act. Under Title IV, the Medicare and Medicaid health information technology provisions in the Recovery Act provide incentives and support for the adoption of certified electronic health record technology. The Recovery Act authorizes incentive payments for eligible professionals and eligible hospitals participating in Medicare or Medicaid if they can demonstrate to the Secretary of HHS that they are "meaningful EHR users" as defined by the Act and its implementing regulations. Such incentive payments to encourage electronic prescribing are allowed, but penalties in any form, by third party payers are prohibited. These incentive payments will begin in 2011.

On January 13, 2010, HHS published two rules to implement the provisions of the HITECH ACT. The Centers for Medicare and Medicaid Services published a notice of proposed rulemaking entitled "Medicare and Medicaid Programs; Electronic Health Record Incentive Program" (75 FR 1844) [CMS-0033-P, RIN 0938-AP78]. The proposed rule would specify the initial criteria an eligible professional and eligible hospital must meet to qualify for the incentive payment; calculation of the incentive payment amounts; and other payment and program participation issues.

The Office of the National Coordinator for Health Information Technology published an interim final rule entitled "Health Information Technology; Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology" (75 FR 2014) [RIN 0991-AB58]. The interim final rule became effective February 12, 2010. The certification criteria adopted in the interim final rule establish the capabilities and related standards that certified electronic health record technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR incentive programs. The comment period for both rules ended March 15, 2010.

The Office of the National Coordinator for Health Information Technology also published a notice of proposed rulemaking entitled "Proposed Establishment of Certification Programs for Health Information Technology" (75 FR 11328, March 10, 2010) (RIN 0991-AB59) which proposes the establishment of certification programs for purposes of testing and certifying health information technology. The proposed rule specifies the processes the National Coordinator for Health Information Technology would follow to authorize organizations to perform the certification of health information technology.

Electronic Prescription Applications. Electronic prescription applications \1\ and electronic health record (EHR) applications have been available for a number of years and are anticipated by many to improve healthcare and possibly reduce costs by increasing compliance with formularies and the use of generic medications. Electronic prescriptions may reduce medical errors caused by illegible handwriting. Adoption of these applications has been relatively slow, primarily because of their cost, the disruption caused during implementation, and lack of mature standards that allow for interoperability among applications.\2\ Some have also expressed a concern about the inability to use electronic prescription applications for all prescriptions.

---------------------------------------------------------------------------

\1\ "Application" means a software program used to perform a set of functions.

\2\ California Healthcare Foundation. "Gauging the Progress of the National Health IT Technology Initiative", January 2008; Congressional Budget Office, Evidence on the Costs and Benefits of Health IT, May 2008.

---------------------------------------------------------------------------

Electronic prescription applications may be stand-alone applications (i.e., applications that only create prescriptions) or they may be integrated into EHR applications that create and link all medical records and associated information.\3\ Either type of application may be installed on a practitioner's computers (installed applications) or may be an Internet-based application, where the practitioner accesses the application through the Internet; for these latter applications, the application service provider (ASP) retains the records on its servers. For most practitioners and pharmacies, the applications are purchased from application providers. Some large healthcare systems and chain pharmacies, however, may develop and maintain the applications themselves, serving as both the practitioner or pharmacy and the application provider.

---------------------------------------------------------------------------

\3\ The National Alliance for Health Information Technology has defined the terms "electronic Medical record (EMR)," "electronic health record (EHR)," and "personal health record (PHR." Both EMRs and EHRs are defined to be maintained by practitioners, whereas a PHR is defined to be maintained by the individual patient. The main distinction between an EMR and an EHR is the EHR's ability to exchange information interoperably. DEA's use of the term EHR in this rule relates to those records maintained by practitioners, as opposed to a PHR maintained by an individual patient, regardless of how those records are maintained.

---------------------------------------------------------------------------

The existing electronic prescription applications allow practitioners to create a prescription electronically, but accommodate different means of transmitting the prescription to the pharmacy. Practitioners may print the prescription for manual signature; the prescription may then be given to the patient or the practitioner's office may fax it to a pharmacy. Some applications will automatically transmit an image of the prescription as a facsimile. True

[[Page 16239]]

electronic prescriptions, however, are transmitted as electronic data files to the pharmacy, whose applications import the data file into its database. Virtually all pharmacies maintain prescription records electronically; prescriptions that are not received as electronic data files are manually entered into the pharmacy application.

Because of the large number of electronic prescription and pharmacy applications and the current lack of a mature standard for the formatting of prescription data, most electronic prescriptions are routed from the electronic prescription or EHR application through intermediaries, at least one of which determines whether the prescription file needs to be converted from one software version to another so that the receiving pharmacy application can correctly import the data. There are generally three to five intermediaries that route prescriptions between practitioners and pharmacies. For example, a prescription may be routed to the application provider, then to a hub that converts the prescription from one software version to another to meet the requirements of the receiving pharmacy, then to the pharmacy application provider or chain pharmacy server before reaching the dispensing pharmacy. Some application providers further route prescriptions through aggregators who direct the prescription to a hub or to a pharmacy. For closed healthcare systems, where the practitioners and pharmacies are part of the same system, intermediaries are not needed.

Standards. Any electronic data transfer depends on the ability of the receiving application to open and read the information accurately. To be able to do this, the fields and transactions need to be defined and tagged so that the receiving application knows, for example, that a particular set of characters is a date and that other sets are names, etc. The National Council for Prescription Drug Programs (NCPDP) has developed a standard for prescriptions, called SCRIPT, which is generally used by application providers; hospital-based applications may also use Health Level 7 (HL7) standards. SCRIPT is a data transmission standard "intended to facilitate the communication of prescription information between prescribers, pharmacies, and payers." \4\ It defines transactions (e.g., new prescription, refill request, prescription change, cancellation,), segments (e.g., provider, patient), and data fields within segments (e.g., name, date, quantity). Each data field has a number and a defined format (e.g., DEA number is nine characters). The standardization allows the receiving pharmacy to identify and separate the data it receives and import the information into the correct fields in the pharmacy database. SCRIPT does not address other aspects of prescription or pharmacy applications (e.g., what information is displayed and stored at a practice or pharmacy, logical access controls, audit trails). SCRIPT provides for, but does not mandate the use of, some fields (e.g., practitioner first name and patient address) that DEA requires. In addition, although the standard mandates that applications include certain fields, it does not require that those fields be completed before transmission is allowed. The SCRIPT standard is still evolving; the most recent is Version 10 Release 6. The interoperability issues that require intermediaries generally relate to pharmacy and practitioner applications using different versions of the standard as well as varying approaches to providing opening and reading instructions.

---------------------------------------------------------------------------

\4\ National Council for Prescription Drug Programs, Prescriber/ Pharmacist Interface SCRIPT Standard Implementation Guide Version 10.0, October 2006.

---------------------------------------------------------------------------

One intermediary, SureScripts/RxHub, certifies electronic prescription and pharmacy applications for compliance with the SCRIPT standard; SureScripts/RxHub determines whether the electronic prescription application creates a prescription that conforms to the SCRIPT standard and whether the pharmacy application is able to open and read a SCRIPT prescription correctly.\5\ SureScripts/RxHub certification does not address aspects of applications unrelated to their ability to produce or read a prescription in appropriate SCRIPT format.

---------------------------------------------------------------------------

\5\ http://www.surescripts.com/certification.html, accessed April 29, 2009.

---------------------------------------------------------------------------

The Certification Commission for Healthcare Information Technology (CCHIT) is a private, nonprofit organization recognized by the Secretary of HHS as a certification body for EHRs under the exception to the physician self-referral prohibition and safe harbor under the anti-kickback statute, respectively, for certain arrangements involving the donation of interoperable EHR software to physicians and other health care practitioners or entities (71 FR 45140 and 71 FR 45110, respectively, August 8, 2006). CCHIT develops criteria for electronic medical records (EMRs or EHRs) and certifies applications against these criteria. Although electronic prescribing is addressed in the CCHIT ambulatory certification criteria, these criteria do not address all elements with which DEA has concern, such as the particular information required in a prescription. The CCHIT criteria do address security issues, such as access control and audit logs. CCHIT is developing standards for stand-alone electronic prescription applications. DEA has not been able to identify any organization that sets standards for or certifies pharmacy applications for security issues or even for the ability to record and retain information such as dispensing data.

Proposed Rule. On June 27, 2008, DEA published a Notice of Proposed Rulemaking (NPRM) to revise its regulations to allow the creation, signature, transmission, and processing of controlled substance prescriptions electronically (73 FR 36722). The proposed rule followed consultations with the industry and the Department of Health and Human Services, which is responsible for establishing transmission standards for electronic prescriptions and security standards for health information. The proposed rule provided two approaches, one for the private sector and one for Federal healthcare providers. The private sector approach included identity proofing of individual practitioners authorized to sign controlled substances prescriptions prior to granting access to sign such prescriptions, two-factor authentication including a hard token separate from the computer for accessing the signing functions, requirements for the content and review of prescriptions, limited transmission provisions, requirements of pharmacy applications processing controlled substances prescriptions for dispensing, third party audits of the application providers, and internal audit functions for electronic prescription application providers and pharmacy applications. The Federal healthcare providers told DEA that the approach proposed for the private sector was inconsistent with their existing practices and did not meet the security requirements imposed on all Federal systems. The approach proposed for Federal healthcare systems was based, therefore, on the existing Federal systems, which rely on public key infrastructure (PKI) and digital certificates to address basic security issues related to non-repudiation, authentication, and record integrity.

DEA's Concerns. DEA's proposed rule was a response to existing and potential problems that exist when prescriptions are created electronically. It is essential that the rules governing the electronic prescribing of controlled substances do not inadvertently facilitate diversion and abuse and undermine the ability of

[[Page 16240]]

DEA, State, and local law enforcement to identify and prosecute those who engage in diversion. In this vein, DEA's primary goals were to ensure that nonregistrants did not gain access to electronic prescription applications and generate or alter prescriptions for controlled substances and to ensure that a prescription record, once created, could not be repudiated. In the case of at least some existing electronic prescription application service providers, individuals are allowed to enroll online. ASPs may ask for DEA registration and State authorization numbers, although they are not required to do so; the degree to which these are verified is at the discretion of the application provider. Similarly, application providers that sell installed applications may or may not determine whether the practitioners have valid State and DEA authorizations. Where a medical practice purchases an application or service, providers may or may not obtain this information for all practitioners in the practice.

Most of the applications appear to rely on passwords to identify a user of the application. Passwords are often described as the weakest link in security because they are easily guessed or, in healthcare settings, where multiple people use the same computers, easily observed. Where longer, more complex passwords are required by applications as a means to increase their effectiveness, this can actually be counterproductive, as it often causes users to write down their passwords, which weakens overall security.\6\ There are, in general, very limited standards for security of electronic prescription applications and no assurance that even where security capabilities exist, that they are used. For example, applications may be able to set access controls to limit who may sign a prescription, but unless those controls are set properly, anyone in a practice might be able to sign a prescription in a practitioner's name. The Certification Commission for Healthcare Information Technology (CCHIT) requires that an application have logical access controls and audit trails to gain certification, but there is no requirement that these functions be used. More than half the electronic prescription application providers certified with SureScripts/RxHub (for transmission) are not certified with CCHIT.

---------------------------------------------------------------------------

\6\ National Institute of Standards and Technology. Special Publication 800-63-1, Draft Electronic Authentication Guideline, December 8, 2008. Appendix A.

---------------------------------------------------------------------------

Even if there are logical access controls, they may not limit who can perform functions such as approving a prescription or signing it. At medical practices and even more so at hospitals and clinics, many staff members may use the same computers. The person who logged onto the application may not be the person entering prescription information later or the person who transmits the prescription. Some applications have internal audit trail functions, but whether these are active and reviewed is at the practitioner's discretion. In addition, with multiple people using computers, it is unclear that the audit trail can accurately identify who is performing actions. Except for those Federal electronic prescription applications that require practitioners to digitally sign prescriptions, none of the applications transmit any indication that a prescription was actually signed.

With multiple intermediaries moving prescriptions between practitioners and pharmacies, there is no assurance that a prescription may not be altered or added during transmission. Some intermediaries have good security, but there is no requirement for them to do so and practitioners and pharmacies have no control over which intermediaries are used. The pharmacy has no way to verify that the prescription was sent by the practitioner whose name is on the prescription or that if it was, that it was not altered after the practitioner issued it. The evidence of forgery and alteration that pharmacies use to identify illegitimate paper prescriptions do not exist in an electronic record-- not only because electronic prescriptions contain no handwritten signatures, but also because electronic prescriptions are typically created from drop-down menus, which prevent or reduce the likelihood of misspelled drug names, inappropriate dosage forms and units, and other indicators of possible forgery.

The existing processes used for electronic prescriptions for noncontrolled substances, therefore, make it easy for every party to repudiate the prescription. A practitioner can claim that someone outside the practice issued a prescription in his name, that someone else in the practice used his password to issue a prescription, or that it was altered after he issued it either in transmission or at the pharmacy. Proving or disproving any of these claims would be very difficult with the existing processes. DEA and other law enforcement agencies might not be able to prove a case against someone issuing illegitimate prescriptions; equally important, practitioners might have trouble proving that they were not responsible for illegitimate prescriptions issued in their name.

Because regulations do not currently exist permitting the use of electronic prescriptions for controlled substances, there is naturally no evidence of diversion related to electronic prescriptions of these substances. That there is no evidence that other noncontrolled prescription drugs have been diverted through electronic prescriptions is not relevant for several reasons. First, there is a very limited, if any, black market for other prescription medications. Second, there is no reason for law enforcement to investigate diversion of these medications, if it occurs, because such diversion may not be illegal (this would depend on State law). Finally, the number of electronic prescriptions, including refill requests, has not been great (4 percent in 2008, according to SureScripts/RxHub).

In contrast, prescription controlled substances have always carried a significant inherent risk of diversion, both because they are addictive and because they can be sold for significantly higher prices than their retail price. The recent studies showing increasing levels of abuse of these drugs throughout the United States heightens the cause for concern. Accordingly, with controlled substances there is a considerable incentive for individuals and criminal organizations to exploit any vulnerabilities that exist to obtain these substances illegally.

The National Survey on Drug Use and Health (NSDUH) (formerly the National Household Survey on Drug Abuse) is an annual survey of the civilian, non-institutionalized, population of the United States aged 12 or older. The survey is conducted by the Office of Applied Studies, Substance Abuse and Mental Health Services Administration, of the Department of Health and Human Services. Findings from the 2008 NSDUH are the latest year for which information is currently available. The 2008 NSDUH \7\ estimated that 6.2 million persons were current users, i.e., past 30 days, of psychotherapeutic drugs--pain relievers, anti- anxiety medications, stimulants, and sedatives--taken nonmedically. This represents 2.5 percent of the population aged 12 or older. From 2002 to 2008, there was an increase among young adults aged 18 to 25 in the rate of current use of prescription pain

[[Page 16241]]

relievers, from 4.1 percent to 4.6 percent. The survey found that about 52 million people 12 and older had used prescription drugs for non- medical reasons in their lifetime; about 35 million of these had used prescription painkillers nonmedically in their lifetime.

---------------------------------------------------------------------------

\7\ Substance Abuse and Mental Health Services Administration. (2009). Results from the 2008 National Survey on Drug Use and Health: National Findings (Office of Applied Studies, NSDUH Series H-36, DHHS Publication No. SMA 09-4434). Rockville, MD. http:// www.oas.samhsa.gov/nsduh/2k8nsduh/2k8Results.pdf.

---------------------------------------------------------------------------

The consequences of prescription drug abuse are seen in the data collected by the Substance Abuse and Mental Health Services Administration on emergency room visits. In the latest data, Drug Abuse Warning Network (DAWN), 2006: National Estimates of Drug-Related Emergency Department Visits,\8\ SAMHSA estimates that, during that one year, approximately 741,000 emergency department visits involved nonmedical use of prescription or over-the-counter drugs or dietary supplements, a 38 percent increase over 2004. Of the 741,000 visits, 195,000 involved benzodiazepines (Schedule IV) and 248,000 involved opioids (Schedule II and III). Overall, controlled substances represented 65 percent of the estimated emergency department visits involving prescription drugs or over-the-counter drugs or dietary supplements. Between 2004 and 2006, the number of visits involving opioids increased 43 percent and the number involving benzodiazepines increased 36 percent. Of all visits involving nonmedical use of pharmaceuticals, about 224,000 resulted in admission to the hospital; about 65,000 of those individuals were admitted to critical care units; 1,574 of the visits ended with the death of the patient. More than half of the visits involved patients 35 and older.

---------------------------------------------------------------------------

\8\ Substance Abuse and Mental Health Services Administration, Office of Applied Studies. Drug Abuse Warning Network, 2006: National Estimates of Drug-Related Emergency Department Visits. DAWN Series D-30, DHHS Publication No. (SMA) 08-4339, Rockville, MD, 2007. http://dawninfo.samhsa.gov/.

---------------------------------------------------------------------------

People dependent on the drugs are willing to pay a high premium to obtain them, creating a black market for these drugs. The problem of illegitimate prescriptions, which exists with paper prescriptions, is exacerbated by the speed of electronic transmissions and the difficulty of identifying an electronic prescription as invalid. A single prescription can be sent to multiple pharmacies; multiple practitioners' identities can be stolen and each identity used to issue a limited number of prescriptions to prevent a pharmacy or a State prescription monitoring program from noticing an unusual pattern. DEA's goal in the proposed rule was to address these vulnerabilities and ensure that before controlled substance prescriptions are issued electronically, the process is adequately secure to protect both DEA registrants and society.

Based on DEA's concerns, certain requirements must exist for any system to be used for the electronic prescribing of controlled substances:

• Only DEA registrants may be granted the authority to sign controlled substance electronic prescriptions. The approach must, to the greatest extent possible, protect against the theft of registrants' identities.
• The method used to authenticate a practitioner to the electronic prescribing system must ensure to the greatest extent possible that the practitioner cannot repudiate the prescription. Authentication methods that can be compromised without the practitioner being aware of the compromise are not acceptable.
• The prescription records must be reliable enough to be used in legal actions (enforcing laws relating to controlled substances) without diminishing the ability to establish the relevant facts and without requiring the calling of excessive numbers of witnesses to verify records.
• The security systems used by any electronic prescription application must, to the greatest extent possible, prevent the possibility of insider creation or alteration of controlled substance prescriptions.

Comments. DEA received 229 comments, 35 of which were copies. Twenty-one practitioner organizations, 24 pharmacy organizations, 18 States (State licensing boards of medicine and pharmacy, and three State health departments), and 19 application providers were among the commenters. Several States supported the rule as proposed, expressing concern about the security of electronic prescriptions and stating that the rule should prevent insider tampering or creation of controlled substance prescriptions. Advocacy groups concerned with drug use similarly supported the proposed rule as did a few other commenters. A number of commenters generally supported electronic prescriptions without addressing the proposed rule.

Most commenters, however, raised a substantial number of issues about various provisions of the proposed rule; their comments are addressed in detail in section IV of this preamble. On a general level, they expressed concern that the proposed requirements would prove too burdensome and would create a barrier to the adoption of electronic prescribing. They also raised two overarching issues that have affected the approach that DEA has adopted in this interim final rule.

First, the commenters noted that DEA's proposed approach addressed primarily one model for electronic prescription applications, application service providers (ASPs). In this model, the practitioner subscribes to a service and accesses, usually over the Internet, an electronic prescription application that is maintained on the ASP's servers. The ASP controls access to the application, has access to all of the records, and maintains security. The practitioner does not need to install the application or maintain servers that archive the records. Many electronic prescription application providers, particularly those that develop EHRs and hospital applications, install their software on the practitioner's computers. Once the application is installed, the electronic prescription application provider's role is limited to providing technical assistance when needed. Access control, records, and security are handled by the practitioners or their staff. Some of the proposed provisions did not work when the electronic prescription application provider is not involved in logical access control.

Second, many commenters pointed out that the technology continues to evolve, the EHR applications are still changing, and that the standards for electronic prescriptions are not mature. A number of commenters indicated that the current transmission system, which relies on a series of intermediaries to provide interoperability, may not be needed when both technology and the standards evolve. These commenters wanted DEA to provide more flexibility to be able to adjust to advancements as they occur.

III. Discussion of the Interim Final Rule

This section provides an overview of the interim final rule. As noted above, commenters raised a number of issues related to specific proposed provisions. DEA has revised the rule to address commenters' concerns and to recognize the variations in how electronic prescription applications are implemented. In arriving at an interim final rule, DEA has balanced a number of considerations. Chief among these is DEA's obligation to ensure that the regulations minimize, to the greatest extent possible, the potential for diversion of controlled substances resulting from nonregistrants gaining access to electronic prescription applications and electronic prescriptions. At the same time, DEA has sought to streamline the rules to reduce the burden on registrants.

[[Page 16242]]

Another of DEA's goals has been to provide flexibility in the rule so that as technologies and standards mature, registrants and application providers will be able to take advantage of advances without having to wait for a revision to the regulations. Finally, DEA has revised the rules to place requirements on either the application or on registrants so that neither DEA nor registrants are dependent on intermediaries for maintenance of information.

In response to commenters' concerns, DEA is adopting an approach to identity proofing (verifying that the user is who he claims to be) and logical access control (verifying that the authenticated user has the authority to perform the requested operation) that is different from the approach that it proposed. The interim final rule provisions related to these two steps are based on the concept of separation of duties: No single individual will have the ability to grant access to an electronic prescription application or pharmacy application. For individual practitioners in private practice (as opposed to practitioners associated with an institutional practitioner registrant), identity proofing will be done by an authorized third party that will, after verifying the identity, issue the authentication credential to a registrant. As some commenters suggested, DEA is requiring registrants to apply to certain Federally approved credential service providers (CSPs) or certification authorities (CAs) to obtain their authentication credentials or digital certificates. These CSPs or CAs will be required to conduct identity proofing at National Institute of Standards and Technology (NIST) SP 800-63-1 Assurance Level 3, which allows either in-person or remote identity proofing. Once a Federally approved CSP or CA has verified the identity of the practitioner, it will issue the necessary authentication credential.

The successful issuance of the authentication credentials will be necessary to sign electronic controlled substance prescriptions, but possession of the credential will not be sufficient to gain access to the signing function. The electronic prescription application must allow the setting of logical access controls to ensure that only DEA registrants or persons exempted from the requirement of registration are allowed to indicate that prescriptions are ready to be signed and sign controlled substance prescriptions. Logical access controls may be by user or role-based; that is, the application may allow permissions to be assigned to individual users or it may associate permissions with particular roles (e.g., physician, nurse), then assign each individual to the appropriate role. Access control will be handled by at least two people within a practice, one of whom must be a registrant. Once the registrant has been issued the authentication credential, the individuals who set the logical access controls will verify that the practitioner's DEA registration is valid and set the application's logical access controls to grant the registrant access to functions that indicate a prescription is ready to be signed and sign controlled substance prescriptions. One person will enter the data; a registrant must approve the entry, using the two-factor authentication protocol, before access becomes operational.

DEA is allowing, but not requiring, institutional practitioners to conduct identity proofing in-house as part of their credentialing process. At least two people within the credentialing office must sign any list of individuals to be granted access control. That list must be sent to a separate department (probably the information technology department), which will use it to issue authentication credentials and enter the logical access control data. As with private practices, two individuals will be required to enter and approve the logical access control information. Institutional practitioners may require registrants and those exempted from registration under Sec. 1301.22 to obtain identity proofing and authentication credentials from the same CSPs or CAs that individual practitioners use. The institutional practitioner may also conduct the identity proofing in-house, then provide the information to these CSPs or CAs to obtain the authentication credentials. In this last case, the institutional practitioners would be acting as trusted agents for the CSPs or CAs, under rules that those organizations set. Because DEA has made extensive changes to the requirements related to identity proofing and logical access control, DEA is seeking further comments on these issues.

As proposed, DEA is requiring in this interim final rule that the authentication credential be two-factor. Two-factor authentication (two of the following--something you know, something you have, something you are) protects the practitioner from misuse of his credential by insiders as well as protecting him from external threats because the practitioner can retain control of a biometric or hard token. Authentication based only on knowledge factors is easily subverted because they can be observed, guessed, or hacked and used without the practitioner's knowledge. In the interim final rule DEA is allowing the use of a biometric as a substitute for a hard token or a password. If a hard token is used, it must meet FIPS 140-2 Security Level 1 for cryptographic devices or one-time-password devices and must be stored on a device that is separate from the computer being used to access the application. The CSPs and CAs may issue a new hard token or register and provide credentials for an existing token. Regardless of whether a new token is provided and activated or an existing token is registered for the signing of controlled substances prescriptions, communications between the CSP or CA and practitioner applicant must occur through two channels (e.g., mail, telephone, e-mail).

However, while DEA is requiring in this interim final rule that the authentication credential be two-factor, DEA is seeking further comments on this issue. Specifically, DEA seeks comments in response to the following question:

• Is there an alternative to two-factor authentication that would provide an equally safe, secure, and closed system for electronic prescribing of controlled substances while better encouraging adoption of electronic prescriptions for controlled substances? If so, please describe the alternative(s) and indicate how, specifically, it would better encourage adoption of electronic prescriptions for controlled substances without diminishing the safety and security of the system.

DEA is establishing standards with which any biometric being used as one factor to sign controlled substance prescriptions must comply; however, DEA is not specifying the types of biometrics that may be used to allow for the greatest flexibility and adaptation to new technologies in the future. DEA consulted extensively with NIST in the development of these standards and has relied on their recommendations for this aspect of the rule. If a biometric is used, it may be stored on a computer, a hard token, or the biometric reader. Storage of biometric data, whether in raw or template format, has implications for data protection and maintenance. These are considerations that should be weighed by application providers and implementers when choosing where and how biometric data may be stored. Additionally, application providers and implementers may wish to consider using open standard biometric data formats when available, to provide interoperability where more than one application provider may be providing biometric capabilities (e.g., a network that spans multiple entities) and to protect their interests. Because the use

[[Page 16243]]

of biometrics and the standards related to their use were not discussed in the notice of proposed rulemaking, DEA is seeking further comments on these issues.

DEA is requiring that the application display a list of controlled substance prescriptions for the practitioner's review before the practitioner may authorize the prescriptions. A separate list must be displayed for each patient. All information that the DEA regulations require to be included in a prescription for a controlled substance, except the patient's address, must appear on the review screen along with a notice that completing the two-factor authentication protocol is legally signing the prescription. A separate key stroke will not be required for this statement. Registrants must indicate that each controlled substance prescription shown is ready to be signed. When the registrant indicates that one or more prescriptions are to be signed, the application must prompt him to begin the two-factor authentication protocol. Completion of the two-factor authentication protocol legally signs the prescriptions. When the two-factor authentication protocol is successfully completed, the application must digitally sign and archive at least the DEA-required information. If the practitioner is digitally signing the prescription with his own private key,\9\ the application need not digitally sign the record separately, but must archive the digitally signed record. DEA is allowing any practitioner to use the digital signature option proposed for Federal healthcare systems. Unless a practitioner has digitally signed a prescription and is transmitting the prescription with the digital signature, the electronic prescription must include an indication that the prescription was signed.

---------------------------------------------------------------------------

\9\ For technical accuracy, DEA is describing the method of digitally signing as "applying the private key." The private key is a secret quantity stored on the user's token that is used in the computation of digital signatures. Digital certificates contain a related quantity called the public key, which is used to verify signatures generated by the corresponding private key. The user is not required to know, and does not enter either key. A message digest is computed by the signing software on the user's computer, and the portion of the signing function that involves the private key is automatically performed by the user's token, once the user has provided the token and a second authentication factor such as a password or PIN. From the user's perspective, the experience is similar to using an ATM card.

---------------------------------------------------------------------------

The electronic prescription application must generate a monthly log of controlled substance prescriptions issued by a registrant, archive a record of those logs, and provide the logs to the practitioner. The practitioner is not required to review the monthly log.

Because the prescription information will be digitally signed when the practitioner completes the two-factor authentication protocol, the prescription need not be transmitted immediately. Information other than the information that must be digitally signed may be added to the file (e.g., pharmacy URLs) or the prescription may be reviewed (e.g., at a long-term care facility) after it is signed and before it is transmitted to the pharmacy. After the practitioner completes the authentication protocol, the information that the DEA regulations require to be included in a prescription for a controlled substance may not be modified before or during transmission.

DEA has clarified that the application may print copies of an electronically transmitted prescription if they are clearly labeled as copies, not valid for dispensing. If a practitioner is notified by an intermediary or pharmacy that a transmission failed, he may print a copy of the transmitted prescription and manually sign it. The prescription must indicate that it was originally transmitted to a specific pharmacy and that the transmission failed. The pharmacy is responsible for checking to ensure that the prescription was not received electronically and no controlled substances were dispensed pursuant to the electronic prescription prior to filling the paper prescription.

DEA has also clarified that the requirement that the DEA-required contents of the prescription not be altered during transmission applies only to changes to the content (not format) by intermediaries, not to changes that may lawfully be made at a pharmacy after receipt. Pharmacy changes to electronic prescriptions for controlled substances are governed by the same statutory and regulatory limitations that apply to paper prescriptions. Intermediaries may not convert an electronic controlled substance prescription into a fax. Once a prescription is created electronically, all records of the prescription must be retained electronically.

Unless the prescription is being transmitted with a digital signature, either the last intermediary or the pharmacy must digitally sign the prescription; the pharmacy must archive the digitally signed prescription. Both the electronic prescription application and the pharmacy application must maintain an internal audit trail that records any modifications, annotations, or deletions of an electronic controlled substance prescription or when a functionality required by the rule is interfered with; the time and date of the action; and the person taking the action. The application provider and the registrants must develop a list of auditable events; auditable events should be occurrences that indicate a potential security problem. For example, an unauthorized person attempting to sign or alter a prescription would be an auditable event; a pharmacist annotating a record to indicate a change to a generic version of a drug would not be. The applications must run the internal audit function daily to identify any auditable events. When one occurs, the application must generate a readable report for the practitioner or pharmacist. If a practitioner or pharmacy determines that there is a potential security problem, they must report it to DEA within one business day.

Application providers must obtain a third-party audit before the application may be used to create, sign, transmit, or process controlled substance prescriptions and whenever a functionality related to controlled substance prescription requirements is altered, or every two years after the initial audit, whichever occurs first. If one or more certification organizations establish procedures to review applications and determine whether they meet the requirements set forth in the DEA regulations, DEA may allow this certification to replace the third-party audit. DEA will notify registrants of any such approvals of organizations to conduct these third-party certifications through its Web site. At this time, no such certification exists for either electronic prescription or pharmacy applications, but the Certification Commission for Healthcare Information Technology (CCHIT) has developed a program for electronic prescription applications.

All records must be maintained for two years from the date on which they were created or received. Pharmacy records must be backed up daily; DEA is not specifying where back-up files must be stored.

Because DEA is allowing any registrant to use the public key infrastructure (PKI) option proposed for Federal healthcare systems, the interim final rule does not include separate requirements for these systems.

When a prescription is transmitted (outside of a closed system), it moves through three to five intermediaries between practitioners and pharmacies. Although prescriptions could be altered, added, or deleted during transmission, DEA is not regulating transmission. Registrants have no control over the string of intermediaries. A practitioner might be able to determine from his

[[Page 16244]]

application provider which intermediaries it uses to move the prescription from the practitioner to SureScripts/RxHub or a similar service, but neither the practitioner nor the application provider would find it easy to determine which intermediaries serve each of the pharmacies a practitioner's patients may choose. Pharmacies have the problem in reverse; they may know which intermediaries send them prescriptions, but have no way to determine the intermediaries used to route prescriptions from perhaps hundreds of practitioners using different applications to SureScripts/RxHub or a similar service. DEA believes the involvement of intermediaries will not compromise the integrity of electronic prescribing of controlled substances, provided the requirements of the interim final rule are satisfied. Among these requirements is that the prescription record be digitally signed before and after transmission to avoid the need to address the security of intermediaries. DEA realizes that this approach will not prevent problems during the transmission, but it will at least identify that the problem occurred during transmission and protect practitioners and pharmacies from being held responsible for problems that may arise during transmission that are not attributable to them.

Some commenters on the NPRM claimed that the security practices of intermediaries were sufficient to protect electronic prescriptions. These practices, which are voluntary, do not address the principal threats of diversion, which occur before and after transmission. Maintaining the integrity of the record during transmission is of little value if there is no assurance that a registrant created and transmitted the prescription or that pharmacy staff did not alter it after receipt.

DEA wishes to emphasize that the electronic prescribing of controlled substances is in addition to, not a replacement of, existing requirements for written and oral prescriptions for controlled substances. This rule provides a new option to prescribing practitioners and pharmacies. It does not change existing regulatory requirements for written and oral prescriptions for controlled substances. Prescribing practitioners will still be able to write, and manually sign, prescriptions for Schedule II, III, IV, and V controlled substances, and pharmacies will still be able to dispense controlled substances based on those written prescriptions and archive those records of dispensing. Further, nothing in this rule prevents a practitioner or a practitioner's agent from using an existing electronic prescription application that does not comply with the interim final rule to prepare a controlled substance prescription, so that EHR and other electronic prescribing functionality may be used, and print the prescription for manual signature by the practitioner. Such prescriptions are paper prescriptions and subject to the existing requirements for paper prescriptions.

IV. Discussion of Comments

A. Introduction

This section summarizes the 194 comments received to the NPRM by issue and provides DEA's responses. For each issue, DEA first summarizes the proposed rule, then presents the comments and DEA's responses. The subjects are presented in an order that tracks the process of issuing and dispensing a prescription from practitioner to pharmacy. Issues that apply to both types of applications (e.g., third- party audits, recordkeeping) are presented once. General comments and ancillary issues are discussed at the end of this section.

B. Identity Proofing and Logical Access Control

DEA proposed that practitioners would be required to undergo in- person identity proofing, with DEA-registered hospitals, State licensing boards, or law enforcement agencies checking the identification documents. The record of the identity proofing would then have been sent to the electronic prescription application provider, which would use the information to set access controls to ensure that only practitioners eligible to issue controlled substance prescriptions were allowed to sign these prescriptions.

1. Identity Proofing

Comments. Some commenters, including electronic prescription application providers and practitioner organizations, supported identity proofing, but recommended changes to the proposed rule. One physician noted that identity proofing was particularly important to prevent online enrollment without any checks on the veracity of the information submitted. Other commenters, including insurance organizations, some practitioner organizations, and some pharmacy organizations, opposed the requirement for identity proofing, stating that it would be burdensome to practitioners and a barrier to adoption of electronic prescribing. One electronic prescription application provider noted that DEA does not conduct identity proofing for issuing paper prescriptions. Several practitioner organizations and a State Board of Pharmacy stated that there was no assurance that identity proofing would reduce diversion, citing the vulnerabilities of paper prescriptions. One pharmacy chain stated that DEA should restrict access to the database of DEA registration numbers.

DEA Response. DEA continues to believe that it is critical to the security of electronic prescribing of controlled substances that authentication credentials used to sign controlled substance prescriptions be issued only to individuals whose identities have been confirmed based on information presented in, and consistent with, the application (except for institutional practitioners; see discussion below). Without this step, nonregistrants--at a practitioner's office, at an application provider, or elsewhere--could obtain an authentication credential in a registrant's name and use it to issue illegal prescriptions. As DEA discussed in the NPRM, some existing electronic prescription application providers allow people to enroll online, with no checks on whether the person is who he claims to be. Although it is true that DEA does not require in-person identity proofing for registration and allows applications to be filed online, DEA conducts a number of checks on registration applications before issuing a registration. In addition, filing a false registration application is a Federal crime punishable by up to four years in prison under 21 U.S.C. 843. Moreover, electronic prescriptions, unlike written or oral prescriptions, lack the human elements of handwriting or the spoken voice, which a pharmacist can take into account in ascertaining whether the prescription was issued by the actual practitioner or an impostor; identity proofing serves to some degree to fill this void.

In response to comments on whether this requirement will reduce diversion, DEA is well aware of the vulnerabilities of the paper-based prescription system, but that such vulnerabilities exist does not mean that DEA should allow similar or greater vulnerabilities with electronic prescriptions for controlled substances. A forged paper prescription provides forensic evidence of who committed the forgery and can exonerate a practitioner based on that evidence; an electronic prescription issued in a practitioner's name provides no such evidence, making it difficult for law enforcement to identify the person who issued it and difficult for the practitioner to prove that he did not. Restricting access to the CSA database would not solve the problem of patients, medical office staff,

[[Page 16245]]

and pharmacy staff, all of whom have routine access to DEA numbers, issuing fraudulent prescriptions.

DEA recognizes that identity proofing and logical access controls (discussed below) will not stop all misuse of electronic prescription applications. Identity proofing will not prevent a registrant from issuing invalid prescriptions or allowing a staff member to issue prescriptions in his name, and it is not intended to prevent such activity. The purpose of identity proofing is to limit to as great an extent as possible the ability of nonregistrants to obtain an authentication credential and issue electronic controlled substance prescriptions under a practitioner's name.

Comments. A substantial number of commenters raised issues related to who would conduct the identity proofing. The State Boards generally objected to being asked to conduct identity proofing, asserting that they did not have the staff or resources to do so. They noted that they would need to train staff and perhaps seek legislative authority and funding to carry out this function. Other commenters doubted that hospitals or law enforcement agencies would be willing to conduct the checks or thought that DEA intended to charge for the process. Some practitioners objected to the idea of having law enforcement agencies involved. Many commenters objected to the cost of trips to a third party and stated that it would be a barrier to adoption, particularly for practitioners who are not affiliated with a hospital, such as mid- level practitioners and dentists. Some commenters, including electronic prescription application providers, asked that other entities be allowed to conduct identity proofing (e.g., notaries, application providers, passport processing agencies, the American Association of Medical Colleges).

A long-term care facility (LTCF) organization, several information technology organizations, and an application provider suggested that DEA use existing certification authorities (CAs) that issue digital certificates and routinely conduct identity proofing as part of the enrollment process. An information technology firm suggested that DEA establish a set of common criteria under which credential issuers can become accredited, citing the Department of Defense External Certification Authority program as an example. The commenter also suggested that DEA specify that firms qualified as shared service providers by the Federal Bridge Certification Authority (FBCA) could serve as CSPs. A few commenters associated with application providers or information technology organizations asked DEA to consider remote identity proofing systems.

DEA Response. In view of the comments, DEA has revised the requirements for identity proofing to adopt an approach that does not involve parties discussed in the proposed rule. As suggested by some commenters, for individual practitioners in private practice (i.e., those practitioners not seeking access to an institutional practitioner's applications), DEA will use existing certification authorities (CAs) and similar credential service providers (CSPs) that have been approved by a Federal authority. These organizations conduct identity proofing and issue digital certificates and other identity credentials as part of their existing businesses. The standards they use to conduct identity proofing and issue credentials are established in documents (e.g., Certificate Policies, Certificate Practice Statements, and Assurance Frameworks) that are reviewed and approved by Federal authorities and subject to third-party audits for their implementation. DEA is specifying that the identity proofing must meet NIST SP 800-63-1 Assurance Level 3 although a CA or CSP may impose higher standards.

DEA's objective is to ensure that identity proofing and the provision of two-factor authentication credentials will be done by a third party that is not involved in any other part of the electronic prescribing process. This approach is based on the concept of separation of duties, to ensure that the ability to sign controlled substance prescriptions will not depend on the action of a single entity or person. A registrant will need the two-factor authentication credential before he will be able to sign electronic prescriptions for controlled substances, but the possession of the token or tokens associated with the credential will not, itself, authorize a registrant to access the application to sign controlled substances prescriptions. Logical access control will be granted separately. Without the two- factor authentication credential, a practitioner will not be able to sign controlled substance prescriptions even if granted access.

For practitioners who are obtaining a two-factor authentication credential that does not include a digital certificate, DEA is requiring that they obtain their authentication credential from a credential service provider (CSP) that has been approved by the General Services Administration Office of Technology Strategy/Division of Identity Management to conduct identity proofing that meets NIST Sp 800-63-1 Assurance Level 3 or above. For practitioners obtaining a digital certificate, DEA is requiring that they obtain the digital certificate from a certification authority that is cross-certified with the Federal Bridge Certification Authority (FBCA) at a basic assurance level or higher and that conducts identity proofing at NIST SP 800-63-1 Assurance Level 3 or above. DEA believes that shared service providers would be too restrictive and believes that the approach it is implementing provides greater flexibility for the regulated industry.

DEA is not dictating how a CSP or CA conducts identity proofing. The standards for identity proofing are set by the Federal Bridge Certification Authority (FBCA) or the General Services Administration in their certificate policies and frameworks and in NIST SP 800-63-1. Level 3 requires either in-person identity proofing based on checking government-issued photographic identification or remote identity proofing. For in-person identity proofing, Level 3 requires the examination of a government-issued photographic identification, which must be verified with either the issuing agency, credit bureaus, or other similar databases. The verification must confirm that the name, date of birth, and address listed in the application for the credential are consistent with the information in other records checked. The person checking the identification must compare the person with the photograph, record the identification number, address (if listed), and date of birth. If the identification is valid, the issuing organization may authorize or issue the credential and send notice to the address of record; if the identification or other records checked do not confirm the address listed in the application (as may happen if the person has recently moved), the organization must issue credentials in a manner that confirms the address of record (the address of record is the address listed in the application).

For remote identity proofing, Level 3 requires a valid government- issued identification number and a financial account number. These numbers must be confirmed via record checks with either the issuing agency or institution or through credit bureaus or similar databases. The check must confirm that the name, address, date of birth, and other personal information in the records are consistent with the application and sufficient to identify a unique individual. The address or telephone number must be confirmed by issuing the credential in a manner that

[[Page 16246]]

confirms the ability of the applicant to receive communications at the listed address or number. DEA notes that CAs and CSPs may conduct more extensive remote identity proofing and may require additional information from applicants. DEA believes that the ability to conduct remote identity proofing allowed for in Level 3 will ensure that practitioners in rural areas will be able to obtain an authentication credential without the need for travel. DEA expects that application providers will work with CSPs or CAs to direct practitioners to one or more sources of two-factor authentication credentials that will be interoperable with their applications. DEA is seeking comment on this approach to identity proofing.

DEA is not requiring the CSP or CA to check DEA registrations or State authorizations to practice or dispense controlled substances as part of the identity-proofing process; these will be checked as part of logical access control, as discussed in the next section. DEA decided to have checks for the DEA registration, authorization to practice, and authorization to dispense controlled substances for individual practitioners handled separately from identity proofing for three reasons. First, the information that is used to verify identity may not be the information associated with a DEA registration. Government- issued photographic identifications and credit cards usually are associated with home addresses and, perhaps, Social Security numbers; DEA registrations are usually associated with business locations and, in some cases, taxpayer identification numbers. In addition, the registration database that DEA makes available through the National Technical Information Service does not include this personal information, so that a CA or CSP would have to contact DEA for each applicant. Second, some practices or application providers may want some or all of the nonregistrants on the staff to obtain authentication credentials so that there will be only one method of authenticating to the application. The possession of a two-factor authentication credential would not, in these cases, distinguish between those who can sign controlled substance prescriptions and those who cannot. Third, the decision to grant access to the functions that allow a practitioner to indicate that a prescription is ready for signing and to sign controlled substance prescriptions is based on whether the person is a DEA registrant, not on the possession of a two-factor authentication credential. The two-factor authentication credential is a necessary, but not a sufficient, condition for signing a controlled substance prescription. It is logical, therefore, to require the people who set logical access controls, rather than those who conduct identity proofing, to check the DEA and State authorizations to practice and, where applicable, authorizations to dispense controlled substances of prescribing practitioners.

Comments. One medical group association and a healthcare system recommended that the larger practices be allowed to conduct the identity proofing themselves as they already conduct Level 4 identity proofing when they issue credentials.

DEA Response. In view of the comments, DEA has expanded upon the proposed rule to allow institutional practitioners, which are themselves DEA registrants, to conduct the identity proofing for any individual practitioner whom the institutional practitioner is granting access to issue prescriptions using the institution's electronic prescribing application. Because institutional practitioners have credentialing offices, the interim final rule allows those offices to conduct in-person identity proofing, which they can do as part of their credentialing process. DEA is not requiring institutional practitioners to meet the requirements of NIST SP 800-63-1 for identity proofing. As some commenters stated, these institutions already conduct extensive checks before they credential a practitioner. The interim final rule simply requires that before they issue the authentication credential they check the person's government-issued photographic identification against the person presenting it. They must also check State licensure and DEA registrations, where applicable, but they do this as part of credentialing and do not need to repeat the checks for practitioners whom they have already credentialed.

The rule only allows institutional practitioners to conduct in- person identity proofing, not remote identity proofing. There are two reasons for this limitation. First, the practitioners will be visiting the institution on a regular basis so the burden should be relatively low. Second, most institutional practitioners may not have the ability or desire to conduct the credit and other background checks that are part of remote identity proofing at NIST Levels 2 and 3. DEA recognizes that in some large systems, the credentialing office may be at a central location and many staff may work at other locations. In those cases, the institutional practitioner can decide whether to have the staff visit the central location or send someone from the credentialing office to the other locations to conduct the identity proofing. DEA notes that this issue will arise only during the initial enrollment of previously credentialed practitioners. After that, practitioners being newly credentialed by an institution can undergo identity proofing when and where they are credentialed. The rule also requires that the credentialing office check the DEA and State authorizations to practice and, where applicable, authorizations to dispense controlled substances because this check should be part of their standard credentialing process.

Under the rule, the institutional practitioner may issue the two- factor authentication credentials itself or obtain them from a third party, which will have to be a CSP or CA that meets the criteria specified above. In the latter case, the institutional practitioner could have each practitioner apply for the two-factor credential himself, which would entail undergoing identity proofing by the CSP or CA. Alternatively, the institutional practitioner can serve as a trusted agent for the third party. Trusted agents conduct part of the identity proofing on behalf of the CSP or CA and submit the information for each person along with a signed agreement that specifies the trusted agent's responsibilities. DEA emphasizes that institutional practitioners are allowed, but not required, to conduct identity proofing. If an institutional practitioner (e.g., a small hospital or clinic) decides to have each practitioner obtain identity proofing and the two-factor authentication credential on his own, as other individual practitioners do, that is permissible under the rule. DEA is seeking comment on this approach to identity proofing by institutional practitioners.

Comments. An intermediary, a pharmacist organization, and a State asked whether practitioners would need to undergo identity proofing more than once if they used multiple electronic prescription applications. An application provider and a practitioner organization asked if the identity proofing needed to be revalidated every year. Several commenters asked about the need to obtain separate authentication credentials if the practitioner holds multiple DEA numbers.

DEA Response. Identity proofing is required to obtain a two-factor authentication credential. If a practitioner uses multiple applications (e.g., at his practice and at a hospital), he may need to obtain separate authentication credentials, based on the

[[Page 16247]]

following considerations. A practitioner will need to undergo identity proofing for each such credential that he needs unless the applications he wishes to use require authentication credentials from the same CSP or CA; in that case, the CSP or CA will determine whether a single application for identity proofing and issuance of the authentication credential can serve as a basis for issuing multiple credentials. It may also be possible that multiple applications will accept the same two-factor authentication credential. For example, if a practitioner obtains a digital certificate from an approved CA, he may be able to use it to digitally sign prescriptions on multiple applications, if they accept digital signatures. For those practitioners who use more than one DEA registration to issue controlled substance prescriptions, DEA is not requiring a practitioner to have a separate authentication credential based solely on the fact that he uses more than one DEA registration. As for the need for revalidation of identity proofing, those periods will be set by the CSP or CA.

Comments. Practitioner organizations asked if practitioners will be charged for the identity proofing.

DEA Response. DEA expects that the CSP or CA will charge for the issuance of a two-factor authentication credential, which will generally include the cost of identity proofing. Whether practitioners will pay directly or through the application provider will be a business decision on the part of application providers.

Comments. A practitioner organization expressed concern with the proposed rule language that referenced "State licenses" because some States do not issue licenses to mid-level practitioners.

DEA Response. DEA agrees with this commenter and has revised the language in the interim final rule to refer to State authorization to practice and State authorization to dispense controlled substances.\10\

---------------------------------------------------------------------------

\10\ Under the CSA, every person who dispenses a controlled substance must have a DEA registration, and may only dispense controlled substances to the extent authorized by his registration, unless DEA has by regulation, waived the requirement of registration as to such person. 21 U.S.C. 822(a)(2), 822(b), 822(d). To be eligible to obtain a DEA registration, a practitioner must be licensed or otherwise authorized by the State or jurisdiction in which he practices to dispense controlled substances. 21 U.S.C. 802(21), 823(f), 824(a)(3).

---------------------------------------------------------------------------

2. Access Control

In the NPRM, DEA proposed that the identity proofing document had to be submitted to the application provider, which would then check the DEA registration and State authorizations to practice, and set access controls. DEA also proposed that the application providers check DEA registration status weekly and revoke authentication credentials if practitioners' registrations had been terminated, revoked, or suspended.

Comments. A LTCF organization stated that any electronic prescribing application must have, at its core, control over access rights. A practitioner organization also emphasized the need to limit access to signing authority within an application. An electronic prescription application provider stated that it did not set access controls for the applications it sells and installs at medical practices. Although its applications have logical access controls, the practice administrator is responsible for setting the controls. The application provider is not involved in the process.

DEA Response. In its proposed rule, DEA did not adequately differentiate between authentication, authorization, and access. NIST, in its special publication SP 800-12, provides the following description of these three steps:

Access is the ability to do something with a computer resource. This usually refers to a technical ability (e.g., read, create, modify, or delete a file, execute a program, or use an external connection). Authorization is the permission to use a computer resource. Permission is granted, directly or indirectly, by the application or system owner. Authentication is proving (to some reasonable degree) that users are who they claim to be.

NIST SP 800-12 further states:

Access control is the means by which the ability is explicitly enabled or restricted in some way (usually through physical and system-based controls). Computer-based access controls are called logical access controls. Logical access controls can prescribe not only who or what (e.g., in the case of a process) is to have access to a specific system resource but also the type of access that is permitted. These controls may be built into the operating system, may be incorporated into applications programs or major utilities (e.g., database management systems or communications systems), or may be implemented through add-on security packages.\11\

---------------------------------------------------------------------------

\11\ National Institute of Standards and Technology. Special Publication 800-12 An Introduction to Computer Security--The NIST Handbook, Chapter 17; October, 1995. http://csrc.nist.gov/ publications/nistpubs/800-12/800-12-html/chapter17-printable.html.

---------------------------------------------------------------------------

DEA has revised its approach to access control to remove the application provider and its staff from direct involvement in the process. Instead, the interim final rule will require that the application must have the capability to set logical access controls that limit access to the functions for indicating a prescription is ready for signing and for signing the prescription to DEA registrants. The interim final rule will also limit access to setting these logical access controls. The application may set logical access controls on an individual basis or on roles. If the logical access controls are role- based, one or more roles will have to be limited to individuals authorized to prescribe controlled substances. This role may be labeled "DEA registrant" or physician, dentist, nurse practitioner, etc., provided the role is limited to those authorized to issue controlled substance prescriptions. For an individual practitioner who is an agent or employee of an institutional practitioner, and who has been authorized to prescribe controlled substances under the registration of the institutional practitioner pursuant to 21 CFR 1301.22(c), if logical access controls are role-based, one role will have to be "authorized to sign controlled substance prescriptions." (Other methods of setting logical access controls that NIST cites--location or time--do not appear to be relevant, although applications or users may add such limits based on their own concerns.)

The application logical access control capability must require that data entry of authorizations for setting logical access controls and the functions limited to registrants (indicating that a controlled substance prescription is ready for signing and signing a controlled substance prescription) involve two people. The requirement for two people to be involved in such data entry is frequently used to protect applications from internal security threats. If a person is able, through the use of false identity documents, to obtain a two-factor authentication credential in a registrant's name, he will still not be able to sign controlled substance prescriptions unless he is granted access, by two people (one of whom is a registrant). The interim final rule does not specify in detail how the application must be structured to ensure that two people concur with the data entry; rather, the rule simply requires that the application must not accept these logical access controls without the action of two parties. For example, a small practice with two registrants neither of whom is expecting to leave may decide that only the registrants will perform this function, which may occur only at the initial installation or upgrade of an electronic prescription application to comply with controlled substance

[[Page 16248]]

prescription requirements. In large practices, the registrants might find it beneficial to allow nonregistrants, such as a practice information technology administrator, to administer logical access controls in conjunction with a registrant.

The interim final rule requires that at least one of the people assigned the role of administering logical access control must verify that any registrant granted authorization to indicate that a prescription is ready for signing and to sign controlled substance prescriptions has a valid DEA registration, a State authorization to practice and, where applicable, a State controlled substance authorization. In small practices, this verification may require nothing more than checking expiration dates on the practitioners' DEA Certificate of Registration and State authorization(s), unless there is reason to question the current validity. In larger practices, verification may take more time. Individual registrations can be checked online at DEA's Web site at http://www.deadiversion.usdoj.gov/ by clicking on the Registration Validation button on the left side of the Web page.

Once DEA registration and State authorization to practice and State authorization to dispense controlled substances have been verified, two people must be involved in entering the data to the application to identify those people authorized to indicate that a prescription is ready for signing and to sign controlled substance prescriptions; those two people are also involved in entering data to the application to identify people whose authorization has been revoked. The first person must enter the data. A registrant must then use his two-factor authentication credential to provide the second approval. The application must ensure that until the second approval occurs, logical access controls for controlled substance prescription functions cannot be activated or altered. DEA recognizes that some solo practitioners may not have other employees although it seems unlikely that they do not have at least part-time help for office management and back office functions. DEA is not requiring that the second person be an employee, simply that there be two people involved and that the persons involved be specifically designated by the practitioner(s). For such solo practitioners and for many small practices, logical access controls may need to be set only once because they will usually be set or changed only with staff turnover.

All entries and changes to the logical access controls for setting the controls and for the controlled substance prescription functions must be defined as auditable events and a record of the changes retained as part of the internal audit trail. DEA is seeking comment on this approach to logical access control for individual practitioners.

Logical access must be revoked whenever any of the following occurs: A DEA registration expires without renewal, or is terminated, revoked, or suspended; the registrant reports that a token associated with the two-factor authentication credential has been lost or compromised; or the registrant is no longer authorized to use the practice's application. DEA anticipates that for most practices, logical access controls will be set and changed infrequently, usually when a new registrant joins the practice or a registrant leaves. Even in larger practices, changes to authorizations are likely to occur relatively infrequently.

DEA recognizes that application service providers (ASPs) may currently set access controls, to the extent that they do, at the ASP level and that the interim final rule may require them to reprogram some of their security controls. DEA believes these steps are necessary to ensure that a registrant is involved in the process of setting logical access controls and that these cannot be set or changed without the concurrence of a registrant. If registrants submitted a list of people to be authorized to perform the controlled substance prescription functions to an ASP, there would need to be a process to ensure that the list was from a legitimate source (e.g., notarization), which could be cumbersome, particularly for larger practices where the list may change more frequently than is the case for small practices. In addition, the responsibility for data entry would then rest with ASP staff, who will not have the same degree of interest in protecting registrants from the misuse of the applications as the registrants themselves have.

For institutional practitioners, the setting of logical access controls will necessarily be somewhat different because the registrant is not an individual. The principle, however, is the same. Identity proofing must be separate from setting logical access controls; two individuals must be involved in each step. The interim final rule therefore requires that two individuals from the credentialing office provide the part of the institution that controls the computer applications with the names of practitioners authorized to issue controlled substance prescriptions. The entry of the data will also require the involvement of two individuals. The institutional registrant is responsible for designating and documenting individuals or roles that can perform these functions. Logical access must be revoked whenever any of the following occurs: The institutional practitioner's or, where applicable, individual practitioner's DEA registration expires without renewal, or is terminated, revoked, or suspended; the practitioner reports that a token associated with the two-factor authentication credential has been lost or compromised; or the individual practitioner is no longer authorized to use the institutional practitioner's application. DEA is seeking comment on this approach to logical access control for institutional practitioners.

Comments. An application provider to a major healthcare system agreed that access controls were needed, but noted that in a large healthcare system this is complex because of the variety of practitioners involved and will take time to implement.

DEA Response. The interim final rule does not require applications to distinguish which schedules of controlled substances a registrant is authorized to prescribe. Practitioners are responsible for knowing which schedules they may prescribe; if a practitioner prescribes beyond the extent authorized by his registration, he is dispensing in violation of the CSA.\12\ In addition, asking applications to distinguish among all the variations of prescribing authority may add unnecessary complication to applications that will mostly be used by practitioners who are authorized to prescribe all Schedule II, III, IV, and V substances. This approach should reduce some of the complexity in programming logical access controls because the application providers will not need to distinguish among DEA registrants. DEA also notes that the 2009 security survey of the Health Information and Management Systems Society (HIMSS) indicated that all of the 196 healthcare systems surveyed have established user access controls.\13\

---------------------------------------------------------------------------

\12\ 21 U.S.C. 822(b), 841(a)(1).

\13\ Healthcare Information and Management Systems Society. 2009 HIMSS Security Survey, November 3, 2009. http://www.himss.org/ content/files/HIMSS2009SecuritySurveyReport.pdf.

---------------------------------------------------------------------------

Comments. Several application providers objected to the proposed requirement that they check DEA registration status weekly. DEA Response. Because application providers are no longer responsible for controlling access, DEA has removed this requirement in the interim final rule. People within a practitioner's office or an institutional practitioner

[[Page 16249]]

will be familiar with any issues related to the status of a DEA registration. They will have access to the expiration date of the DEA registration and State authorization(s) to practice and, where applicable, to dispense controlled substances and be able to check with the practitioner to ensure that the registration has been renewed. If a practitioner is subject to suspension or revocation, other registrants in the practice or the institutional practitioner are likely to be aware of the legal problems and can revoke access control.

DEA recognizes that this approach will not prevent a registrant in solo practice from continuing to issue controlled substances prescriptions under an expired, terminated, suspended, or revoked registration. However, it is already clear under existing law and regulations that a practitioner who prescribes or otherwise dispenses controlled substances beyond the scope of his registration is committing a violation of the CSA and subject to potential criminal prosecution, civil fine, and loss of registration. Any practitioner who would use his two-factor authentication credential to issue prescriptions after he is legally barred from doing so would be creating evidence of such criminal activity. As discussed above, the purpose of identity proofing and access control is to prevent nonregistrants from gaining the ability to issue controlled substance prescriptions.

C. Authentication Protocols

Authentication protocols are classified by the number of factors they require. NIST and others recognize three factors: something you know, something you have, and something you are. Combinations of user IDs and passwords are one-factor because they require only information that you know. A standard ATM uses two-factor--something you know (a personal identification number (PIN)) and something you have (bank card). DEA proposed that practitioners be required to use a two-factor authentication protocol to access the electronic prescription application to sign controlled substance prescriptions. DEA proposed that one factor would have to be a hard token that met NIST SP 800-63 Level 4 and that the cryptographic module would have to be validated at Federal Information Processing Standard (FIPS) 140-2 Security Level 2 overall and Level 3 security.

Comments. Three information technology firms asserted that two- factor authentication is not common. They suggested that a clear 'audit log' be generated upon the provider authentication, prescription approval, transmission of prescription, and successful prescription transmittal. They suggested that this audit log should be in the form defined by Healthcare Information Technology Standards Panel (HITSP) T15 "Collect and Communicate Security Audit Trail Transaction." Other commenters noted that the Certification Commission for Healthcare Information Technology (CCHIT) does not require two-factor authentication and has only listed it as a possibility for its 2010 standard. A State Board of Pharmacy supported two-factor authentication, stating that concerns expressed by some members of industry about the added time to complete two-factor authentication are misplaced. It said that the two-factor authentication will take a minimal amount of time compared to the time it takes to move through the multiple screens used to create a prescription in most applications.

DEA Response. DEA agrees that CCHIT does not yet require two-factor authentication. Two-factor authentication is roadmapped by CCHIT in 2010 and beyond. DEA emphasizes, however, that an audit log will not provide any assurance of who issued a prescription. The commenters appear to have confused logical access control with authentication. The problem DEA is addressing with the requirement for two-factor authentication credentials is not that someone may use their own authentication credential to alter or create a prescription, but that a nonregistrant will use a registrant's authentication credential to create and sign a prescription. If a nonregistrant has been able to use a registrant's authentication credential, the audit trail will incorrectly indicate that the registrant was responsible for the prescription. DEA believes that use of two-factor authentication limits this possibility.

As commenters indicated, single-factor authentication usually means passwords alone or in combination with user IDs. NIST states in its special publication SP 800-63-1: "* * * the ability of humans to remember long, arbitrary passwords is limited, so passwords are often vulnerable to a variety of attacks including guessing, use of dictionaries of common passwords, and brute force attacks of all possible password combinations. * * * all password authentication mechanisms are vulnerable to keyboard loggers and observation of the password when it is entered." NIST also states that "* * * many users, left to choose their own passwords will choose passwords that are easily guessed and even fairly short[.]" \14\ This problem is exacerbated in healthcare settings where multiple people may use the same computers and work in close proximity to each other. Even if other staff cannot guess the password, they may have many opportunities to observe a practitioner entering the password. Strong passwords (combinations of 8 or more letters, numbers, and special characters) are hard to remember and are often written down. None of these strategies alters the ability of others in a healthcare setting to observe the password. NIST, in its draft guidance on enterprise password management (SP 800-118) states the following:

---------------------------------------------------------------------------

\14\ National Institute of Standards and Technology. Special Publication 800-63-1, Draft Electronic Authentication Guideline, December 8, 2008, Appendix A. http://csrc.nist.gov/Publications/ PubsSPs.html.

---------------------------------------------------------------------------

Organizations should be aware of the drawbacks of using password-based authentication. There are many types of threats against passwords, and most of these threats can only be partially mitigated. Also, users are burdened with memorizing and managing an ever-increasing number of passwords. However, although the existing mechanisms for enterprise password management can somewhat alleviate this burden, they each have significant usability disadvantages and can also cause more serious security incidents because they permit access to many systems through a single authenticator. Therefore, organizations should make long-term plans for replacing or supplementing password-based authentication with stronger forms of authentication for resources with higher security needs.\15\

---------------------------------------------------------------------------

\15\ National Institute of Standards and Technology. Special Publication 800-118, Guide to Enterprise Password Management (draft), April 2009; http://csrc.nist.gov/publications/drafts/800- 118/draft-sp800-118.pdf.

---------------------------------------------------------------------------

DEA remains convinced that single-factor authentication is insufficient to ensure that a practitioner will not be able to repudiate a prescription he signed.

Comments. Although only a few commenters opposed two-factor authentication, believing that passwords were sufficient, most comments DEA received on the issue raised substantial concerns about the details of the proposed rule on this subject. These concerns focused on the requirement for a hard token and the security levels proposed.

A practitioner organization, a hospital organization, a pharmacy association, a health information technology organization, a healthcare system, other medical associations, and a number of application providers asked DEA to allow the use of biometrics as an alternative to a hard token. The practitioner organization stated that a

PDF File | Next Page

NOTICE: This is an unofficial version. An official version of this publication may be obtained
directly from the Government Printing Office (GPO).