Implementing a successful EPCS and multifactor authentication strategy for healthcare

Key facts

Industry: Healthcare

Location: Pennsylvania

Beds: 697

EHR: Epic


  • Alarming mock phishing results led to cybersecurity concerns
  • Complex DEA requirements created barriers to EPCS adoption
  • Fraud and diversion risks associated with paper prescriptions


  • More than 10,000 users enrolled for authentication for remote network access
  • 82% of prescriptions for controlled substances are prescribed electronically
  • Improved clinical workflow efficiency and increased patient safety and satisfaction

WellSpan Health is a 697-bed health system with six hospitals and more than 250 clinics across south and central Pennsylvania. WellSpan has more than 19,000 employees, including more than 1,500 physicians.

Like many organizations, WellSpan was faced with needing to address healthcare’s increasingly sophisticated security, compliance, and workflow challenges. And after some mock phishing tests, the team at WellSpan knew that they needed to address their cybersecurity tactics.

“We knew we were vulnerable to attack,” says Dr. Robert Lackey, Associate Chief Medical Information Officer at WellSpan Health. “We actually did some mock phishing tests with our employees to see how many would fall prey to a phishing attempt. Alarmingly, about 15% of them clicked on the fake link, and 4% of those individuals entered their credentials when prompted.”

After reviewing the results of the mock phishing attempts, the team at WellSpan looked to multifactor authentication solutions to combat phishing and other network security vulnerabilities. However, they knew that to ensure widespread adoption and security, they would need a solution that balanced a convenient clinical workflow with security needs.

At the same time, WellSpan was also contending with a need to address the challenges of paper prescriptions, including:

  • Increased risk of forgery, diversion, and fraud
  • Limited visibility into medication adherence
  • Inefficient workflows for providers, including how to physically deliver prescriptions to patients

They knew that implementing electronic prescribing of controlled substances (EPCS) could solve their problems, but they would also need to contend with the specific and important DEA regulations that govern EPCS. WellSpan, therefore, was also looking for an end-to-end solution to meet their EPCS requirements in a DEA-compliant manner – one that addressed more than just the two-factor authentication component.

The solution

With those needs in mind, the team sought to find the correct vendor and solution for their multifactor authentication and EPCS needs.

“When picking an authentication solution, you need to balance different security requirements with the ability to keep your clinical workflows efficient,” says Lackey. “It’s important for IT to protect PHI and other data, but it’s also important that clinicians have a seamless workflow and a consistent authentication workflow that allows them to be compliant.”

For WellSpan, Imprivata Confirm ID® was the solution that could help ensure secure and convenient multifactor authentication for remote access and EPCS workflows.

Remote access
Imprivata Confirm ID for Remote Access improved security at WellSpan by enabling two-factor authentication for remote network access, cloud applications, and Windows servers and desktops. They also have plans to quickly implement it for other clinical workflows. Thus far, WellSpan has been able to secure access to their systems while also reducing the ability of attackers to reach the network with stolen usernames and passwords.

Imprivata Confirm ID for EPCS is the most comprehensive platform for all components of ensuring convenient – and DEA-compliant – EPCS workflows, including:

  • Identity proofing
  • Supervised enrollment of credentials
  • Two-factor authentication
  • Auditing and reporting

“For many years, our organization had concluded that the DEA regulations were just too hard to follow, and we waited to see if they would ease up on those. And, of course, they didn’t,” says Lackey. “But Imprivata Confirm ID for EPCS ticked all the boxes of the requirements that have allowed us to, in a compliant manner, enable EPCS for our clinicians.”

The importance of a single-vendor solution
Imprivata Confirm ID provided WellSpan with a comprehensive identity and multifactor authentication platform that centralized authentication across the enterprise, ensuring a convenient and familiar authentication experience across remote access and EPCS workflows while also establishing end-to-end compliance.

“Not only does Imprivata Confirm ID have the infrastructure and support to be able to do EPCS,” says Lackey, “but we can use the same system for authentication into our systems. Being able to rely on one platform for both has been easy from an implementation perspective, but has also ensured a single and convenient authentication experience for our staff.”


To ensure a seamless implementation experience, WellSpan ensured that the implementation and deployment team was made up of the right individuals. This included IT and clinical champions to represent the internal WellSpan team, but also representatives from other vendors who would need to be involved – for WellSpan, that included representatives from Epic and SureScripts.

And because WellSpan was implementing both Imprivata Confirm ID for Remote Access and Imprivata Confirm ID for EPCS, they found that it made sense to have both projects handled by a single project manager.

Enrollment and identity proofing
Enterprise staff were able to enroll for authentication for remote access in a simple process: users were able to self-enroll via a custom website, where they could enroll their token as well as a phone number for SMS notifications.

Getting enrolled to be EPCS-enabled, however, required additional steps. The DEA requires identity proofing processes to validate the identities of those looking to be able to prescribe controlled substances – two-factor authentication credentials cannot be issued to practitioners who haven’t been identity proofed.

As a DEA-registered health system, WellSpan was able to use institutional identity proofing for clinicians who would be prescribing controlled substances electronically. This meant that, because WellSpan had already conducted extensive background checks, practitioners seeking EPCS rights needed only to present a government-issued ID in person to be identity proofed and enrolled in two-factor authentication.

Once practitioners were identity proofed, logical access controls were put in place to ensure that they have appropriate permissions to access the EPCS function within their EHR and prescribing application.
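As an added illustration (not WellSpan's or Imprivata's code), the following Python sketch models the gate those controls implement: an EPCS signing request is allowed only if the practitioner has been identity proofed, has enrolled credentials under supervision, holds the EPCS permission, and presents two factors from different categories (the DEA rule requires two of something you know, have, or are), with every decision written to an audit trail. The class and function names, the factor table, and the sample practitioners are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed factor table. A DEA-compliant second factor must come from a
# different category than the first (know / have / are).
FACTOR_CATEGORIES = {
    "password": "know",
    "hard_token_otp": "have",
    "fingerprint": "are",
}


@dataclass
class Practitioner:
    user_id: str
    identity_proofed: bool       # institutional identity proofing completed (gov ID shown in person)
    credentials_enrolled: bool   # supervised enrollment of two-factor credentials completed
    epcs_permission: bool        # logical access control grants the EPCS function


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user_id: str, outcome: str, reason: str) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "outcome": outcome, "reason": reason,
        })


def authorize_epcs_signing(p: Practitioner, factors_presented: list, audit: AuditLog) -> bool:
    """Allow signing only when every EPCS prerequisite is satisfied; log every decision."""
    prerequisites = [
        (p.identity_proofed, "identity proofing not completed"),
        (p.credentials_enrolled, "two-factor credentials not enrolled under supervision"),
        (p.epcs_permission, "EPCS function not granted by logical access controls"),
    ]
    for satisfied, reason in prerequisites:
        if not satisfied:
            audit.record(p.user_id, "DENY", reason)
            return False
    # Two factors of the same category (e.g. two hard tokens) do not count as two-factor.
    categories = {FACTOR_CATEGORIES.get(f) for f in factors_presented}
    categories.discard(None)  # unknown factor types never count toward the requirement
    if len(categories) < 2:
        audit.record(p.user_id, "DENY", "fewer than two distinct authentication factor categories")
        return False
    audit.record(p.user_id, "ALLOW", "all EPCS prerequisites satisfied")
    return True
```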

While there were many steps required to enable EPCS in a DEA-compliant manner, Imprivata Confirm ID for EPCS enabled WellSpan to feel confident in their rollout.


WellSpan had set out to address security vulnerabilities and workflow inefficiencies related to network access and EPCS – and with Imprivata Confirm ID, they were able to ensure security and efficient clinical workflows across the enterprise.

At present, more than 10,000 users are enrolled for two-factor authentication for remote network access, access to Office 365 accounts, and access to clinical applications. This has significantly reduced the risk of phishing and hacking of the WellSpan system, Lackey says.

When it comes to EPCS, more than 900 users at WellSpan have been enrolled to prescribe controlled substances electronically. Such widespread adoption has led to 82% of all controlled substances being prescribed electronically. EPCS has also led to improved provider workflow efficiency and increased patient safety and satisfaction.

“With Imprivata Confirm ID, we’ve been able to solve for all of our needs for EPCS and multifactor authentication for remote access. We’re very pleased with how things are going so far,” says Lackey. “And, we’re well-positioned to address everything we need to tackle in the future, like ensuring 100% EPCS compliance in time for the state mandate and ensuring continued authentication support for future workflows and applications.”