Clinical Workflows

Imprivata Enterprise Access Management - MFA (formerly Imprivata Confirm ID) for Clinical Workflows improves security and regulatory compliance by enabling fast, secure authentication for clinical workflows.

Integrate Imprivata Enterprise Access Management with your EMR for clinical transactions such as medication ordering, witnessing medication wasting, computerized physician order entry (CPOE), and blood administration.

Configure Imprivata Confirm ID API Access

The Imprivata Confirm ID API is an application programming interface for integrating with Imprivata Enterprise Access Management strong authentication.

The API Access option under the gear icon of the Admin Console includes a Confirm ID - API access and security section, where API functionality is enabled globally.

There are three modes of access:

  • Full

    Full access enables use of the Confirm ID COM interface. Because the following rely on the COM interfaces, they require full access:

    • Clinical Workflows

    • EPCS

    • Imprivata Connector for Epic Hyperdrive

    • Imprivata Connector for Epic Hyperspace

    • When Imprivata Enterprise Access Management MFA needs a password.

  • Restricted

    In restricted mode, access to the Password and UserAppCreds resources is disabled. A ResourceRequest that includes an attribute id of Password or UserAppCreds returns a response with status code 403 and a message stating that access is restricted.

  • No access

To activate access to the Confirm ID API, select Allow full API access via Confirm ID.

Configure Users

NOTE:

See Planning an Imprivata Enterprise Access Management for MFA Implementation before completing the steps on this page.

Complete the steps in the following sections to get Enterprise Access Management users up and running.

Synchronize to a User Directory

NOTE:

You do not need to perform this step if you have Enterprise Access Management for SSO (Imprivata OneSign) and are using the same user directory.

The Imprivata user database is a mirror of the user directories in all domains from which you create user accounts. When you first install Enterprise Access Management, there are no user accounts in place. To set up the Imprivata user database, synchronize with the user directories in which your users’ primary accounts are located. See Adding a Network Domain.

(Optional) Set Up Administrator Roles

Enterprise Access Management for MFA uses administrator roles and sub-administrator roles with nested scope, so you can delegate Enterprise Access Management administration operations throughout the enterprise. See Set up Administrator Roles.

Create and Assign User Policies

User policies are associated with Enterprise Access Management MFA workflow policies. Before enrolling Enterprise Access Management users:

  • Create a user policy that is assigned only to providers who are authorized to e-prescribe controlled substances. For example, you can create a user policy called EPCS and then assign it to each user who is authorized to e-prescribe controlled substances.

  • Create any other user policies necessary for Enterprise Access Management for MFA workflows: Non-EPCS, medical device users, and remote access users, depending on your licensed features.

On the Authentication tab of each user policy you create, select the Licensed options required for the authentication methods the users in the policy will use. You may also need to configure authentication options.

See Creating and Managing User Policies for information about configuring user policies.

See Configuring the Enterprise Access Management Workflow Policy for information about configuring MFA workflows and associating user policies.

Configure Provider Identity Proofing

NOTE:

Provider identity proofing is only required for users enabled for DEA-regulated signing workflows.

Identity proofing is the process for validating a provider's identity. Enterprise Access Management for MFA is configured by default for all provider identity proofing to be performed by hospital staff. A user must complete identity proofing before they can complete DEA-regulated workflows such as e-prescribing controlled substances.

After identity proofing is complete, the provider can enroll authentication methods; once those methods are enrolled, the provider can use them to sign orders with Enterprise Access Management.

If identity proofing for any of your providers will be performed by DigiCert, configure your enterprise as detailed in Identity Proofing.

Configure Enrollment Supervisors

NOTE:

Enrollment supervisors are only required when enrolling users enabled for DEA-regulated signing workflows.

Enrollment supervisors witness and attest to a provider's enrollment of facial biometrics, fingerprints, OTP tokens, and Imprivata IDs for e-prescribing controlled substances.

There are no special technical skills required for an enrollment supervisor beyond using the enrollment utility as described in Witnessing and Attesting to Provider Enrollment. An enrollment supervisor must be configured for this role by an Enterprise Access Management administrator.

NOTE:

Do not assign enrollment supervisors to a user policy that is associated with an MFA workflow.

See Institutional Identity Proofing.

Configure Workflows

The workflow policy controls:

  • The authentication methods that are allowed for each workflow, and

  • The providers who are allowed to use each associated workflow.

Configuring the workflow policy involves:

  1. Specifying the authentication method(s) required to complete each workflow, and

  2. Associating at least one user policy with each workflow.

After a user policy is associated with a workflow, all users to which the user policy is assigned are allowed to:

  • Enroll the authentication methods specified in the policy, and

  • Use the workflow.

See Enterprise Access Management for MFA Authentication Methods for descriptions of authentication methods allowed for MFA workflows.

Configure Endpoint Computers

The following sections describe how to configure the endpoint computers and/or virtual desktops on which Enterprise Access Management MFA enrollment and/or workflows will occur.

Create and Assign Computer Policies

Computer policies set security parameters for each computer in your organization. Each computer must be assigned exactly one computer policy. See Creating and Managing Computer Policies.

Configure Virtual Desktop Access

If Enterprise Access Management MFA enrollment or workflows will take place on virtual desktops, then you need to configure Imprivata Virtual Desktop Access for the type(s) of virtual desktops used by your organization.

Set Up Multi-User Workstations

If Enterprise Access Management MFA workflows will take place in a multi-user workstation environment, such as a shared kiosk workstation, then you need to set up multi-user workstations.

Deploy the Imprivata Agent to EAM MFA Endpoints

IMPORTANT: Perform all previous Enterprise Access Management configuration steps listed in Installing and Configuring Enterprise Access Management for MFA before performing this step. MFA features do not "go live" on your users' endpoint computers until the Imprivata agent is deployed.

An Imprivata agent must be installed on each endpoint computer on which MFA enrollment or workflows will take place.

Imprivata provides a variety of agents for different uses. It is important to understand the differences between the agent types to be sure you employ the agent best suited to each user. See Different Imprivata Agents for Different Uses.

You can distribute the Imprivata agent with Microsoft Active Directory (AD) group policy or similar tools, or you can email users a link and have them self-install it. You configure these settings on the Deploy agents page (Computers menu > Deploy agents). See Deploying the Agent.

Connect Authentication Devices

Connect the required authentication devices on each endpoint computer on which Enterprise Access Management MFA enrollment and/or workflows will take place and make sure the devices are working properly.

NOTE: A FIPS-compliant fingerprint reader is required for enrolling and authenticating the fingerprints of providers who are approved to e-prescribe controlled substances.