This is an Early Access feature. To enable it, contact Okta Support.
MFA for Electronic Prescribing for Controlled Substances (ePCS)
The guide below outlines the setup process to install the Okta Multifactor Authentication (MFA) provider for ePCS.
Electronic Prescribing for Controlled Substances (ePCS) eliminates paper prescriptions entirely by allowing clinical prescribers to electronically write prescriptions for controlled substances. It also permits pharmacies to receive, dispense and archive these e-prescriptions.
ePCS also creates new “Identity Proofing” responsibilities for vendors, prescribers, and pharmacies by requiring two-factor authentication, more robust audit trails and strict auditing procedures in order to comply with the Interim Final Rule regulating ePCS of the U.S. Drug Enforcement Administration (DEA).
The following diagram shows the information flow.
There are five parts to the configuration, including a preconfiguration step.
Transport Layer Security (TLS) used by the agent. Ensure that TLS 1.2 or higher is configured. For instructions, see Okta ends browser support for TLS 1.1.
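One way to check this on the Windows machine that will host the agent, as an added example (not Okta's own tooling): the script reads the SCHANNEL TLS 1.2 client settings and then attempts a TLS 1.2-only handshake. The default host name is a placeholder for your Okta org, and the function names are hypothetical.

```powershell
# Added example: TLS 1.2 readiness check for the agent host (Windows PowerShell).
# The default host name below is a placeholder; pass your own Okta org host name.
param([string]$OktaHost = 'your-org.okta.example')

function Get-Tls12ClientState {
    # SCHANNEL client settings for TLS 1.2; absent values mean the OS default applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KeyPresent        = [bool]$props
        Enabled           = $props.Enabled
        DisabledByDefault = $props.DisabledByDefault
    }
}

function Test-Tls12Handshake {
    param([string]$HostName, [int]$Port = 443)
    # Offer only TLS 1.2 so that success proves this host can negotiate it.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        return $ssl.SslProtocol
    } finally {
        $tcp.Dispose()
    }
}

$state = Get-Tls12ClientState
$state | Format-List
if ($state.Enabled -eq 0 -or $state.DisabledByDefault -eq 1) {
    Write-Warning 'TLS 1.2 is disabled or off by default for SCHANNEL clients on this host.'
}
try {
    $negotiated = Test-Tls12Handshake -HostName $OktaHost
    Write-Output "Handshake with $OktaHost succeeded using $negotiated"
} catch {
    Write-Warning "TLS 1.2 handshake with $OktaHost failed: $($_.Exception.Message)"
}
```

A failed handshake with certificate revocation checking enabled can also indicate blocked outbound access to revocation endpoints, so read the exception message before changing protocol settings.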
Before installing the Okta Hyperspace Agent, your org must have the following three items configured.
- MFA factors configured for use with ePCS sign in:
- Log in to your Okta org as an administrator.
- Navigate to Security > Multifactor.
- On the Factor Types tab, set the target factor to active or inactive.
See the Supported Factors section in this document for a list of ePCS supported factors.
For more information on managing factors see Multifactor Authentication.
- End user/Groups who will authenticate with ePCS sign ins:
To manage or add a group:
- Log in to your Okta org as an administrator.
- Navigate to Directory > Groups.
- Click Add Group to add a group and provide an appropriate name and description for the new group.
- Click the group name and add the appropriate people or directories to the group.
For more information see Managing Groups in Okta.
- Install the Epic Hyperspace app
- On the Applications page, select Add Application
- Enter Epic Hyperspace EPCS (MFA) in the search box. Then, add the application.
- Select the General tab.
- Note the value of the Client ID and Client secret.
If required, use the Edit button to change the Application label value.
Use the Show button to display the hidden value of the Client secret.
Obtain and run the agent installation file.
- Org admins need to ask Okta Support to provide them with the download link for the Okta Hyperspace Agent (version 1.2.0). For the agent version history, see Okta Hyperspace Agent Version History.
- On the machine that will host the agent, download and run the .msi file and accept all defaults. During the installation process, keep Okta open in another window on the Epic Hyperspace EPCS (MFA) application screen to obtain the Okta URL, the client id, and the client secret that are found on the General tab.
The MSI file must be downloaded to and run on the machine where the Hyperspace Agent is to be installed.
Set up and configure a new device in Chronicles.
- In Chronicles, access the Authentication Devices (E0G) master file and navigate to Enter Data > Create/Edit Device.
Enter a name for the device, such as Okta 2FA.
Enter a new ID of 100000 or greater.
On the General Settings screen, enter 1-Desktop in the Platform field.
- On the General Settings screen, enter a description in the Description field, if desired.
On the Desktop Settings screen, enter OktaHyperspaceLoginDevice.OktaMFADevice in the ProgID field.
- Determine whether there is an Authentication Configuration Record defined in d ^%ZeUSTBL> Hyperspace > Miscellaneous Security Settings. If not, complete the following steps:
- In Chronicles, navigate to d ^e > e0a > Enter Data > Create Configuration.
Enter a unique ID and name for your Authentication Configuration record.
In the Config Type field enter Authentication Device Settings.
Repeat step 2 and enter the name of your Authentication Configuration record into the Authentication Configuration Record field.
The following steps configure Hyperspace to integrate with Okta.
- In Hyperspace, navigate to Authentication Administration (Epic button > Admin > Access Management > Authentication Administration).
- Accept the active record. (This record should be the Authentication Configuration record that you either just verified was set or just created.)
- Select the desired configuration level; for example, System, Service Area, Workstation, etc.
In the Context field, enter E-Prescribing Controlled Medications - First Context.
Set the first authentication method you want users to be prompted with as the Primary Device. Okta anticipates that most organizations will choose the standard user name and password workflow, Default Login, as the first method.
In the Context field, enter E-Prescribing Controlled Medications - Second Context.
Set Okta to be the Primary Device.
Close Hyperspace and relaunch for the new configuration to take effect.