This is an Early Access feature. To enable it, please contact Okta Support.
Okta MFA for Electronic Prescribing for Controlled Substances (ePCS)
The guide below outlines the setup process to install the Okta Multifactor Authentication (MFA) provider for ePCS.
Electronic Prescribing for Controlled Substances (ePCS) eliminates paper prescriptions entirely by allowing clinical prescribers to electronically write prescriptions for controlled substances. It also permits pharmacies to receive, dispense and archive these e-prescriptions.
ePCS also creates new “Identity Proofing” responsibilities for vendors, prescribers, and pharmacies by requiring two-factor authentication, more robust audit trails and strict auditing procedures in order to comply with the Interim Final Rule regulating ePCS of the U.S. Drug Enforcement Administration (DEA).
The following diagram shows the information flow.
There are five parts to the configuration, including a preconfiguration step.
Transport Layer Security (TLS) used by the agent: ensure that TLS 1.2 or higher is configured. For instructions, see Okta ends browser support for TLS 1.1.
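One way to check the TLS prerequisite on the Windows host where the agent .msi is installed, as an added example that is not Okta's own tooling: the script reads the standard Windows Schannel client protocol settings and the .NET Framework strong-crypto flags from the registry. The function name `Get-AgentHostTlsState` is hypothetical, and the .NET part assumes the agent is a .NET Framework component, which this guide does not state.

```powershell
# Added example: audit TLS client settings on the host that runs the agent.
function Get-AgentHostTlsState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($name in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        # A missing key or value means the operating-system default applies.
        $key = Get-ItemProperty -Path "$base\$name\Client" -ErrorAction SilentlyContinue
        $state = 'OS default'
        if ($null -ne $key) {
            if ($null -ne $key.Enabled -and $key.Enabled -eq 0) {
                $state = 'Disabled'
            } elseif ($null -ne $key.DisabledByDefault -and $key.DisabledByDefault -ne 0) {
                $state = 'Disabled by default'
            } elseif ($null -ne $key.Enabled) {
                $state = 'Enabled'
            }
        }
        [pscustomobject]@{ Setting = "Schannel client $name"; State = $state }
    }

    # Assumption: the agent is a .NET Framework component. If so, these flags
    # decide whether older .NET Framework 4.x code negotiates TLS 1.2 by default.
    $netKeys = @{
        '64-bit' = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
        '32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    }
    foreach ($arch in $netKeys.Keys) {
        $key = Get-ItemProperty -Path $netKeys[$arch] -ErrorAction SilentlyContinue
        foreach ($value in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            $raw = if ($null -ne $key) { $key.$value } else { $null }
            $state = if ($null -eq $raw) { 'Not set' } elseif ($raw -eq 1) { 'Enabled' } else { 'Disabled' }
            [pscustomobject]@{ Setting = ".NET $arch $value"; State = $state }
        }
    }
}

$report = @(Get-AgentHostTlsState)
$report | Format-Table -AutoSize

# The guide requires TLS 1.2 or higher, so an explicit disable is a failed prerequisite.
$tls12 = $report | Where-Object { $_.Setting -eq 'Schannel client TLS 1.2' }
if ($tls12.State -like 'Disabled*') {
    Write-Warning 'TLS 1.2 is disabled for Schannel clients on this host; the agent requirement is not met.'
}
```

The script only reads the registry. An `OS default` result for TLS 1.2 means the outcome depends on the Windows version of the host.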
Before installing the Okta Hyperspace Agent, your org must have the following three items configured.
- Configured MFA factors that include the factor to use for ePCS sign in. For instructions, see MFA.htm.
- A group for the end users who will authenticate with ePCS sign ins. For instructions, see Group Types Used in Okta.
On the Applications page, select Add Application and enter Epic Hyperspace EPCS (MFA) in the search box. Then, add the application. On the General tab, assign any desired application label. You can assign people to the app now or later, as described in step 3, below.
Obtain and run the agent installation file.
- Org admins need to ask Okta Support to provide them with the download link for the Okta Hyperspace Agent (version 1.2.0). For the agent version history, see Okta Hyperspace Agent Version History.
- Download and run this .msi file and accept all defaults. During the installation process, keep Okta open in another window on the Epic Hyperspace EPCS (MFA) application screen to obtain the Okta URL, the client id, and the client secret that are found on the General tab.
Set up and configure a new device in Chronicles.
- In Chronicles, access the Authentication Devices (E0G) master file and navigate to Enter Data > Create/Edit Device.
Enter a name for the device, such as Okta 2FA.
Enter a new ID of 100000 or greater.
On the General Settings screen, enter 1-Desktop in the Platform field.
- On the General Settings screen, enter a description in the Description field, if desired.
On the Desktop Settings screen, enter OktaHyperspaceLoginDevice.OktaMFADevice in the ProgID field.
- Determine whether there is an Authentication Configuration Record defined in d ^%ZeUSTBL > Hyperspace > Miscellaneous Security Settings. If not, complete the following steps:
- In Chronicles, navigate to d ^e > e0a > Enter Data > Create Configuration.
Enter a unique ID and name for your Authentication Configuration record.
In the Config Type field enter Authentication Device Settings.
Repeat step 2 and enter the name of your Authentication Configuration record into the Authentication Configuration Record field.
The following steps configure Hyperspace to integrate with Okta.
- In Hyperspace, navigate to Authentication Administration (Epic button > Admin > Access Management > Authentication Administration).
- Accept the active record. (This record should be the Authentication Configuration record that you either just verified was set or just created.)
- Select the desired configuration level; for example, System, Service Area, Workstation, etc.
In the Context field, enter E-Prescribing Controlled Medications - First Context.
Set the first authentication method you want users to be prompted with as the Primary Device. Okta anticipates that most organizations will choose the standard user name and password workflow, Default Login, as the first method.
In the Context field, enter E-Prescribing Controlled Medications - Second Context.
Set Okta to be the Primary Device.
Close Hyperspace and relaunch for the new configuration to take effect.