DEA EPCS Identity Proofing

Electronically prescribing drugs has increased steadily over the years but recently moved towards greater adoption with increased DEA guidance. COVID changed many aspects of identity proofing, and the need for electronic prescriptions skyrocketed. At the same time, the bad actors have seen new opportunities to exploit anything digital. The DEA put out some rules on fulfilling the requirements, but in practice, they give a general guideline to follow NIST level 3 assurance for proofing. Surveying the market, you will see various solutions, all trying to meet the directive. This strategy works well as threat actors do not have a blueprint for what they must collect for various prescribing services. However, once they uncover a workaround for the proofing service, they turn to online communities to resell the services. If you are a service that works with practitioners prescribing drugs with high resell value or usage, you may need extra monitoring and advanced proofing. This is why it is essential to first survey your environment and threat actors before putting a solution in place. A risk matrix will help you create varying defenses against advanced threats. At Trust Swiftly, we typically start by understanding your unique problem and then applying multiple verifications to adjust the amount of friction for each practitioner.

Most verifications follow the basic flow of collecting a U.S. DL, selfie, and liveness checks to establish the identity. However, corroborating proofs such as their address and financial information are required to achieve level 3 assurance. Phone numbers and addresses can be checked automatically using Trust Swiftly or other solutions. A live person option can also be enabled for cases where 3rd party data sources are sparse or believed to be compromised. Another check should be on the DEA Number to validate it is active and that the name and address match another identity source collected in the process. Doing all these steps still does not stop the bad actors from mimicking practitioners. Another layer of control should always be available and even hidden from the users to ensure monitoring of the overall system to prevent widespread abuse. Trust Swiftly has machine learning fraud scoring available, and novel verification approaches unique to the market, which can help keep you one step ahead of most bad actors. Going above and beyond the guidance may be necessary for prescribers dealing with drugs described below with high resell values.

 Marketplace for EPCS Accounts

We researched the market to see how prevalent threat actors were with prescribing themselves and others-controlled substances. We discovered a pervasive threat and economy on the dark web. In earlier articles, we have already shown how easy it is to find and buy fake IDs. Now the same model can be applied to EPCS "Rx". DEA Numbers can be purchased or looked up by vendors. Many of them have access to large databases such as credit reports, driver's license details, and SSNs. Typically, they will find their targets online through LinkedIn or Google to determine which practitioners can prescribe the drugs with the most resell value or use. These can be addictive drugs or ones that are the basis of party drugs. The bad actors then market these services in various groups with coded words for the real drug to prevent any oversight. In groups on Discord, Reddit, and Telegram there are many sharing methods to create even more dangerous drugs from their initially prescribed medication that was illegally obtained (LEAN etc.). They also resell the scripts for certain drugs as a whole ecosystem has been born around it. ERx accounts are also sold, typically, they have shorter lifetimes as some doctors are vigilant, but others may miss the abuse if it is well hidden. These naturally only come with the login information, not the entire identity package. Once the bad actors have created an EPCS practitioner, they try to prescribe to various fake identities that must pick up the prescription at pharmacies. They sometimes will call the pharmacy first to move the medication elsewhere if they succeed better at certain places. Even if they get caught ("runners"), they leave the pharmacy and the police are left looking for a fake person. All the information except the photo would be misleading.

The security of the system is tough to stop when some of the actors are overseas and then outsource the physical process to others. As seen, there are multiple entry points to obtaining EPCS or script access, which has led to abuse on the overall prescription system. Some bad actors have gone to the extreme and have created EPCS with a mix of real and fake information, making it virtually impossible to catch. This type of setup is on the high end of costs, but it shows you the length that bad actors will go to obtain the drugs. At some point, biometrics or a new verification system will be required to stop these new threats.

Unfortunately, we have no insight into how widespread this problem is, but on Reddit for pharmacists, the exact issue was experienced. Pharmacists are not extensively trained in identity verification and typically ask DOB for normal prescriptions and other identifiers such as DL, which can easily be faked. There are vulnerabilities at multiple points that will need to be addressed separately. At Trust Swiftly, we are applying our verifications to the initial onboarding and proofing of a practitioner. However, continuous monitoring at the application level and even the DEA, are required to keep the abuse at bay. Some of these compromised accounts and identities may be lasting months unleashing an untold number of drugs into the U.S.