Securing Healthcare by Strengthening Identity Verification

CMS Controlled Substances DEA digital innovation DoseSpot Electronic Prescribing of Controlled Substances Electronic Prescriptions Forged Prescriptions Fraud healthcare technology In the News Medicare
March 25, 2024

Over the past decade, the delivery of healthcare services has undergone a digital revolution, including ePrescribing and identity proofing—a process implemented to validate an individual’s identity in a remote transaction. As telehealth gains momentum, the prescribing world will have to be adept as in-person opportunities for identity verification diminish.

The Evolution of ePrescribing:

The digital transformation of prescriptions is not new. ePrescribing has been around for years. The Electronic Prescribing of Controlled Substances (EPCS), a set of regulations introduced by the U.S. Drug Enforcement Agency (DEA) in 2010 and enforced by the Centers for Medicare and Medicaid Services (CMS) from January 1, 2023, marked a significant milestone. EPCS not only facilitated the adoption of ePrescribing but also set standards for its implementation. It brought an additional layer of security to an old-age paper prescribing process, particularly for substances with the potential for abuse – controlled substances. It serves as a powerful deterrent to common fraudulent activities like altering prescription details, stealing blank prescription pads and forms, or doctor shopping.

As of January 2023, providers are mandated to issue prescriptions for controlled substances to Medicare Part D beneficiaries electronically. Although technology has advanced, so have the tactics of unscrupulous actors, who frequently exploit weaknesses within ePrescribing systems and impersonate healthcare providers.

In January of this year, a Florida man was accused of organizing a crime ring where hackers were able to pose as a prescribing physician and electronically prescribe tens of thousands of controlled substances to pharmacies across the country. Authorities in New York were able to arrest him as he was collecting a cash payment of nearly $14 thousand dollars while delivering the diverted drugs.

The Shift Away from Knowledge-Based Authentication (KBA) to More Robust Verification Tools

Ensuring that prescribers are who they claim to be is a critical component of ePrescribing controlled substances. When the DEA established ePrescription rules in 2010, the standard for identity verification included Knowledge-Based Authentication (KBA). This involved posing a series of questions that the prescriber should know. However, over time, bad actors adapted by using bots and other methods to answer these questions.

Advanced biometric authentication, such as fingerprint or facial recognition, is gaining traction in identity proofing. Biometric security harnesses unique physical or behavioral traits for identification purposes, with facial, fingerprint, or voice recognition being among the types of biometrics used in the verification process.

The implementation of two-factor authentication aims to enhance security by protecting practitioners from misuse of their credentials by insiders and external threats, ensuring control over biometric or hard token authentication. The DEA regulations require ePrescriptions to possess a two-factor authentication for prescribers.

It accepts two of the following factors for two-factor authentication credentials to satisfy the requirements:

As of today, any biometric meeting specified criteria can be used as the biometric factor in a two-factor authentication credential for signing and prescribing controlled substances.

The standards established by the DEA in 2010 not only paved the way for the adoption of ePrescribing at the federal level but also empowered states to create their own mandates. Several states already require compliance for both controlled and non-controlled prescriptions.

DoseSpot offers a seamless solution for providers to verify they are who they say they are before writing their first electronic prescription. Reducing friction and creating safeguards in the end-to-end process continues to be a priority as software evolves. We are committed to innovation and future-proofing our solution to keep up with the evolution of health tech. Currently, we are upgrading our identity proofing process to include facial recognition identity proofing to safeguard customer data even further. 

Why Facial Recognition Identity Proofing?

Facial recognition identity proofing adds an extra layer of protection by verifying providers’ identity through a quick and secure facial scan. This method offers significant advantages over traditional passwords and 2-factor authentication, including:


The DEA’s ruling in 2010 set the stage for a revolutionary shift in the prescription process to ePrescribing, representing a significant stride towards a more secure, efficient, and error-free healthcare system. As technology continues to shape the industry and challenges emerge, HIPAA-compliant solutions like DoseSpot stand as a crucial solution to integrate into a practice to not only protect the practice but also patients.