The Electronic Prescribing of Controlled Substances (EPCS) security criteria are implemented to ensure the secure electronic transmission of prescription information and maintain processing integrity. The concept of processing integrity signifies that data remains intact and unaltered during processing operations from source to destination and in storage.
There are two common hosting options for EPCS systems: web/cloud and on-premises. Web hosting stores data on third-party servers accessible via the internet, while on-premises hosting uses servers physically located at the organization’s place of business, running on its own infrastructure. EPCS certification has different security requirements for each hosting option.
Web/Cloud Hosted Application Requirements
The DEA requires that application service providers of Web/Cloud hosted applications undergo an audit to ensure processing integrity and physical security of the application hosting environment. The audit must review the systems used in the creation, transmission, and storage of controlled substance prescription data and confirm that the data is protected from unauthorized access, modification, or deletion.
The audit must include a review of the security configuration of all systems that interact with EPCS data, confirming that those systems are regularly patched, maintained, and configured to protect against internal and external threats. This assessment should include regular automated vulnerability scans or, more robustly, penetration testing in which skilled personnel simulate an attack on the system.
Web-hosted applications must also ensure the physical hosting environment is secure. For data centers, this includes ensuring the servers and physical infrastructure are protected from unauthorized access or tampering. For applications hosted by cloud service providers such as Amazon AWS or Microsoft Azure, the responsibility for physical security lies with the cloud service provider. As part of your EPCS audit, there are two options for demonstrating adherence to the security requirements.
- Provide a recently completed third-party security audit. If you have completed a third-party security audit within the past 2 years, you may provide a copy of that audit report to satisfy the EPCS security criteria. The audit must have been conducted by a qualified external auditor and in accordance with a robust security framework. Examples of such frameworks include PCI audits, ISO 27001, and NIST 800-53; the audit may also incorporate penetration testing or vulnerability scanning.
- Complete the Drummond Application Provider Security Survey by providing evidence and attestation regarding your security posture. The Drummond survey contains 46 questions to which you must provide detailed responses and screenshot evidence. The survey covers basic security controls, backup and disaster recovery, physical security, and advanced security controls.
When responding to the Drummond security survey, you must provide detailed answers and supporting documentation such as screenshots or policies/procedures. One-word answers are not acceptable.
On-Premises Application Requirements
For applications hosted on-premises at the prescriber or pharmacy location, those entities are responsible for security. Per the DEA, it is not feasible to conduct security audits at each of the hundreds of possible locations as part of the EPCS certification process. Therefore, the security of those environments is the responsibility of the prescriber or pharmacist at that location.
It is strongly recommended that prescribers and pharmacists hosting an EPCS application on-premises undergo a security assessment of their location to help protect against a breach or compromise of their locally hosted application.
Unsure where to begin with a cybersecurity assessment? Book your FREE consultation today! Reserve your spot on our free consultation calendar (spots are limited). We’ve identified the topics our customers ask about most and are ready to share our expertise with you. Topics include:
- Vulnerability assessments
- Network penetration testing
- Application penetration testing