Multi-factor authentication – “best practice” for risk mitigation according to Department of Health and Human Services
Two-factor authentication is required by DEA for EPCS
Prevents many data breaches. Two-factor authentication gives your organization an additional layer of security when accessing PHI and helps your organization comply with the Technical Safeguards defined in the HIPAA Security Rule. Two-factor authentication devices generate one-time passwords (OTPs) that augment the commonly used, insecure static username/password combination, rendering password-based attacks ineffective.
No more password reset calls to your helpdesk! Two-factor authentication will significantly reduce “forgot-my-password” calls and help reduce the associated costs.
- Satisfies DEA’s Requirements for Electronic Prescription of Controlled Substances (EPCS)
- Maintains existing provider workflow
- FIPS compliant
- Helps ensure HIPAA, and Meaningful Use compliance
- Natively integrated with Cerner’s Millennium®, PowerChart® Ambulatory
Why you need two-factor authentication for your Cerner Millennium system
DEA regulations mandate the use of two-factor authentication when a prescription for a controlled substance is submitted electronically. That means that all EPCS-enabled electronic prescribing systems must support such technology and all authorized prescribers (such as physicians and nurse practitioners) must be equipped with appropriate security tools. In practical terms, all users of Cerner Millennium who wish to prescribe controlled substances electronically need to possess one of the two-factor authentication tools/devices required by the DEA.
What is two-factor authentication?
Two-factor authentication (frequently also referred to as multi-factor authentication) is a method of verifying a user’s identity electronically that requires at least two elements. Simply put, it’s using a combination of at least two factors to prove that you are who you claim to be:
- Factor 1 – Something you know. Your user name and regular static password or PIN.
- Factor 2 – Something you have. A one-time password (a 6-digit code) generated by your hardware or software token.
- Factor 3 – Something you are. Biometrics.
Two-factor authentication is required at all times when prescribing controlled substances electronically. The combination of a user ID and password is considered to be only one factor, because it requires only information that a user knows, so that alone is not sufficient.
In order to be compliant with EPCS, authentication credentials must be SEPARATE from the device used to access the e-prescribing application. So if you’re prescribing from a mobile device, and you’re using a software authenticator on that same device, you are NOT in compliance. A FIPS 140-2 (Federal Information Processing Standard) compliant hardware OTP token ensures that authorized prescribers can use both PC and mobile applications.
OneSpan Digipass for Cerner Millennium
Cerner and OneSpan Data Security have partnered to deliver a compliant and secure solution to Cerner customers in the most convenient way. OneSpan authentication technology has been natively integrated in Cerner Millennium to maintain existing workflows and minimize additional steps and integration debacles.
Cerner is now a Value Added Reseller of OneSpan’s two-factor authentication solutions including:
- Hardware authentication “tokens”
  - DIGIPASS GO7 – one-button, FIPS compliant device
  - DIGIPASS 270 – PIN protected for added security
- Mobile authenticators
  - DIGIPASS for Mobile – FIPS certification pending*
How it works - at login
Within Millennium, applications can require two-factor authentication upfront when the user first logs in.
How it works - at workflow
The application can require two-factor authentication only during certain workflows within the application, such as when a provider is prescribing a controlled substance or when the provider is viewing sensitive data, such as data derived from Medicare/Medicaid claims.
This “step-up” authentication improves usability: it requests the second factor only when the application requires it, and it does not burden the user with repeated, consecutive authentication prompts.
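The following is an added illustration (not OneSpan’s or Cerner’s code) of the two mechanisms described above: server-side verification of the 6-digit one-time passwords an event-based hardware token generates (RFC 4226 HOTP, using that RFC’s published test secret), and a step-up policy that demands the second factor only for sensitive workflows. The token model, look-ahead window, session dictionary and workflow names are assumptions for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class TokenRecord:
    """Server-side state for one event-based token (assumed model, not a vendor API)."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate button presses that never reached the server

    def verify(self, code: str) -> bool:
        # Accept a code anywhere inside the look-ahead window, then move the expected
        # counter past it so the same one-time password can never be replayed.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False

# Workflows that require the second factor (assumed names for the example).
STEP_UP_WORKFLOWS = {"prescribe_controlled_substance", "view_claims_data"}

def authorize(session: dict, token: TokenRecord, workflow: str,
              otp: Optional[str] = None) -> bool:
    """Step-up policy: a password-only session suffices for ordinary workflows;
    a sensitive workflow needs one successful OTP, after which the session is
    marked so the user is not prompted again and again."""
    if workflow not in STEP_UP_WORKFLOWS:
        return bool(session.get("password_ok"))
    if session.get("second_factor_ok"):
        return True
    if otp is not None and token.verify(otp):
        session["second_factor_ok"] = True
        return True
    return False
```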
No additional development work - take advantage of the native integration. Cerner has done all development work so you don’t have to, drastically reducing the cost and complexity of implementation and support. With no need for additional databases or servers, you can get up and running quickly, and with minimal resources.
Guaranteed Compliance – OneSpan offers the only one-time password (OTP) hardware token that is FIPS 140-2 Level 2 Certified and satisfies the DEA requirements for EPCS. Mobile token certification is pending*.
Fully Scalable - OneSpan’s DIGIPASS authentication technologies can accommodate as few as two or as many as 100,000+ users, all on the same backend platform and without any overhaul of infrastructure. All you need to do is purchase additional licenses and authenticators.
Long-term Savings – OneSpan’s FIPS Compliant DIGIPASS GO7 token has an average life span of 10+ years and no artificial expiration date.
Where to buy
Cerner is an official Value Added Reseller of OneSpan two-factor authentication products. Please contact a OneSpan representative or your Cerner customer care representative for more information and a quote.
*Certification expected July 2017.