<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ePrescribing blog &#187; Security</title>
	<atom:link href="http://www.eprescribing.org/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.eprescribing.org</link>
	<description>All about e-prescribing software</description>
	<lastBuildDate>Wed, 25 Jan 2012 15:19:20 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>ePrescribe Controlled Substances in 2010?</title>
		<link>http://www.eprescribing.org/eprescribe-controlled-substances-in-2010/</link>
		<comments>http://www.eprescribing.org/eprescribe-controlled-substances-in-2010/#comments</comments>
		<pubDate>Tue, 30 Mar 2010 14:44:52 +0000</pubDate>
		<dc:creator>Ken Tubman</dc:creator>
				<category><![CDATA[Controlled Substances]]></category>
		<category><![CDATA[Public Policy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[DEA]]></category>
		<category><![CDATA[IFR]]></category>

		<guid isPermaLink="false">http://www.eprescribing.org/?p=109</guid>
		<description><![CDATA[After a long wait, the DEA is revising its regulations to give prescribers the ability to electronically prescribe controlled substances.

On June 27, 2008, DEA published a Notice of Proposed Rulemaking (NPRM) to revise the regulation to allow creation, signature, transmission and processing of controlled substances electronically. The DEA gave consideration to over 200 comments while drafting the IFR.

The DEA’s obligation, as noted in the rule, is to ensure that the regulations minimize, to the greatest extent possible, the potential for diversion of a controlled substance resulting from non-registrants gaining access to electronic prescribing applications and systems.  Concern about insufficient security has been the main barrier to allowing the ePrescription of controlled substances.  The authentication method used in online or desktop applications is generally a username and password.  Passwords are easily guessed or broken using various password-guessing programs.]]></description>
			<content:encoded><![CDATA[<p>After a long wait, the DEA is revising its regulations to give prescribers the ability to electronically prescribe controlled substances.</p>
<p>On June 27, 2008, DEA published a Notice of Proposed Rulemaking (NPRM) to revise the regulation to allow creation, signature, transmission and processing of controlled substances electronically. The DEA gave consideration to over 200 comments while drafting the IFR.</p>
<p>The DEA’s obligation, as noted in the rule, is to ensure that the regulations minimize, to the greatest extent possible, the potential for diversion of a controlled substance resulting from non-registrants gaining access to electronic prescribing applications and systems.  Concern about insufficient security has been the main barrier to allowing the ePrescription of controlled substances.  The authentication method used in online or desktop applications is generally a username and password.  Passwords are easily guessed or broken using various password-guessing programs.</p>
<p><span id="more-109"></span></p>
<p>In response to these concerns, the DEA is adopting an approach to identity proofing (verifying that the authenticated user is who he/she claims to be) and logical access control (verifying that the authenticated user has the authority to perform the requested operation).  The DEA will require registrants to apply to certain federally approved credential service providers (CSPs) or certification authorities to obtain security certificates.</p>
<p>The strongest requirement of the IFR will be authentication.  The DEA is proposing two-factor authentication, which is defined as two of the following:  <strong>something you know, something you have, something you are</strong>.  Authentication based only on knowledge factors, such as user names and passwords, is easily compromised because these factors can be observed, guessed, or hacked and used without the practitioner’s knowledge.</p>
<p>The US Government has been using a similar approach for all electronic initiatives.  A draft of the federal electronic authentication guideline can be found here:  <a href="http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf">http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf</a></p>
<p>The Federal Register is expected to publish the Interim Final Rule on March 31, 2010, which will kick off a 60-day comment period.</p>
<p>A draft of the interim final rule (IFR) was posted on March 24, 2010.  The draft can be found here:  <a href="http://www.federalregister.gov/OFRUpload/OFRData/2010-06687_PI.pdf">http://www.federalregister.gov/OFRUpload/OFRData/2010-06687_PI.pdf</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.eprescribing.org/eprescribe-controlled-substances-in-2010/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
	</channel>
</rss>

