The electronic transmission of healthcare information always raises privacy and security concerns. With the DEA now allowing prescriptions for controlled substances to be transmitted electronically (Electronic Prescriptions for Controlled Substances, or EPCS), those security concerns are further increased.
As such, the Drug Enforcement Administration (DEA) aims to provide security assurance via an initiative that requires DEA-approved third-party certification organizations.
As part of this program, Drummond Group has been authorized to serve as a neutral third-party certification organization of EPCS applications and as an auditor of the security processes employed by hospitals, physicians and pharmacies if they have EHR/EPCS software applications installed on site.
To earn EPCS Application Certification, EPCS systems must undergo a rigorous certification process in which we carefully review and test EPCS applications to provide assurance that the application fully meets all of the requirements of the Drug Enforcement Administration's Interim Final Rule for Electronic Prescriptions for Controlled Substances.
During this process, we rely on our deep experience in software certification to ensure that these systems can demonstrate compliance with the detailed technical requirements enumerated in the EPCS Interim Final Rule, 21 CFR Parts 1300, 1304, 1306, 1311 and others incorporated by reference. Drummond Group's skilled auditors and security personnel have developed tests, procedures and even software components to review the products they are asked to certify.
In addition, where the software application is an installed application on site (vs. an ASP-based hosted application), Drummond Group works either with the software vendor to facilitate a rollout plan or directly with the hospitals, physicians and pharmacies where the application is installed.
Where the EPCS software application is an ASP-based hosted solution (such as a cloud-based solution accessed through your web browser), Drummond Group works with the software vendor to ensure that Processing Integrity is addressed at the Data Center where the software application is hosted. For pharmacies, practitioners or hospitals using an ASP-based hosted solution, the onsite Processing Integrity assessment is not necessary, as it is performed at the Data Center.
In both cases, the goal of Processing Integrity validation is to assess whether the security practices where the application is installed reflect the recommendations for the implementation and use of appropriate security controls promulgated by the National Institute of Standards and Technology (NIST) in Special Publication 800-53A (and by incorporation, 800-53), as required by DEA through its Processing Integrity Clarification.
The ultimate goal of the EPCS Application certification and Processing Integrity security assessment is to provide confidence that the organization is operating a compliant EPCS software application that implements EPCS according to the DEA regulations, and can do so in a manner that addresses the processing integrity requirement. The organization wanting to use EPCS must demonstrate that it is using an Audited/Certified EPCS application, and if installed on site, that it has implemented policies, procedures and appropriate technology to mitigate the risk from intentional attacks and unintentional vulnerabilities.
While such security exposures can never be completely eliminated, the risk of their occurrence and the impact they have can be reduced, and the likelihood of their detection can be greatly enhanced.
Even though security concerns are heightened with controlled substances, facilitating electronic prescribing of these drugs is an important step for healthcare. Adding controlled substances to the e-prescribing capability will help the industry more fully realize the benefits of automation. EPCS accounts for about 11% of all medication orders, a significant portion of the total. By enabling organizations to electronically prescribe these substances, the healthcare industry will be able to truly move toward a paperless environment.
Drummond Group's EPCS certification and assessment program is just one of our healthcare programs. We also certify electronic health records and controlled substance ordering systems (CSOS) – making us the only third-party organization to act as a certifier for all three of these healthcare initiatives.