Protecting Electronic Prescriptions

In 2010 the US Drug Enforcement Agency, responding to an alarming increase in drug abuse, finalized a rule that requires the electronic prescribing of controlled substances (EPCS). Among its requirements: all software programs used to produce and process EPCS orders must be certified as DEA-compliant, including the software used by the pharmacies to which EPCS requests are sent. EPCS also improves physician workflow: prescribers no longer have to find a prescription form, fill it out, sign it and then hand it off to their patient.

In the UK, the Electronic Prescription Service (EPS) enables prescribers — such as general practitioners and practice nurses — to send prescriptions electronically to a dispenser (such as a pharmacy) of the patient's choice. This makes the prescribing and dispensing process more efficient and convenient for patients and staff.



Since its inception, more than 70 percent of pharmacies are able to receive prescriptions for controlled substances electronically. Additionally, EPCS is increasingly widespread, and is now legal in all 50 states and the District of Columbia. New York was the first state to require that all prescriptions be sent electronically, via its I-STOP Act (Internet System for Tracking Over-Prescribing). More recently, Maine passed a law which similarly requires that all opioid prescriptions be sent electronically from July 1, 2017.

To satisfy these emerging EPCS regulations, healthcare practitioners must undergo in-person or remote identity proofing before they can receive a two-factor authentication token.

The authentication token must be a FIPS 140-2 certified hardware token or software token with a FIPS 140-2 certified cryptographic module.

Additionally, authentication credentials must be SEPARATE from the device used to access the e-prescribing app. So if you’re prescribing from a mobile device, and you’re using a software authenticator on that device, you are NOT in compliance.



VASCO solutions enable healthcare providers and healthcare software vendors to rapidly implement EPCS with improved compliance and greater efficiency.

Solution options include:

  • FIPS 140-2 Level 2 certified
  • Easy to use (one touch button device)
  • Fully supported by VACMAN and IDENTIKEY products

DIGIPASS for Mobile:
  • Frictionless authentication and e-signing experience for mobile users
  • Integrated with VASCO's patented CRONTO technology and Open QR codes

DIGIPASS for Apps:
  • Comprehensive SDK that natively integrates application security, two-factor authentication and transaction signing into mobile applications
  • Drives new levels of interconnected mobile app security and intelligence without performance lags or customer visibility
  • Easy to use
    - Biometric authentication (selfie, fingerprint)
    - Support for push notification

MYDIGIPASS for Healthcare:
  • Certified as full-service Credential Service Provider (CSP) at NIST SP 800-63 Level of Assurance 3 under the SAFE-BioPharma FICAM Trust Framework
  • One-stop shop for EHR vendors and hospitals that includes: identity proofing, credential issuance and delivery

Cybersecurity across the US Health Landscape

Michael Magrath, Director of Healthcare Business Development, North America VASCO and Chairman of the HIMSS Identity Management and Task Force, discusses the implications of identity management and multi-factor authentication on EPCS, HIPAA, NSTIC, SAFE-BioPharma and more.

