Mobile EPCS with Epic Haiku and Canto
Mobile EPCS — Minimum Supported Versions
- Imprivata Confirm ID 23.2 or later
- Epic February 2023 (retrofitted back to February 2022 in SUs)
Mobile EPCS — Recommended Versions
These versions include updates to support NetBIOS domain name in the Login Domain field (EMP item 49) in Epic.
- Imprivata Confirm ID 24.1 or later
- Epic May 2024 and later.
- Epic Special Update Versions
  - February 2024 with SU E10804032
  - November 2023 with SU E10708512
  - August 2023 with SU E10611502
Configure Integration To Support EPCS
Imprivata Confirm ID supports two-factor authentication for mobile EPCS with Epic Haiku and Canto. Before configuring mobile EPCS, configure the Imprivata Confirm ID integration with Epic Haiku and Canto. See Integrate Your EMR Application.
If Epic Haiku and Canto has previously been added as an app, it must be removed and re-added to properly configure the username format. After you have removed the integration, re-add the integration with the proper username format as described here.
- In the Imprivata Admin Console, go to Applications > EPCS and clinical workflows integrations.
- On the Confirm ID Integrations page, go to the Applications section and click Add an application.
- Select Epic Haiku and Canto.
- Select the username format used by Epic Haiku and Canto.
  The Epic username format can be found in the Login Domain field in Epic (EMP item 49).
  The option for NetBIOS format usernames (for example, domain\user) is only available with Imprivata Confirm ID 24.1 and later.
  With earlier versions, email format usernames are the default. Confirm you are using the proper format.
- If the Imprivata signed certificate for the enterprise is already installed, click OK.
- If the Imprivata signed certificate for the enterprise is not installed, browse to locate the IMPCVF file.
- Click OK.
- Your EMR application is listed with the expiration date of the certificate. You can update or remove the certificate directly on this page.
NOTE: To complete this activation, the Imprivata appliance must have access to the Internet via HTTPS, and the connection to the Imprivata cloud must be completed. See Set Up Enterprise.
After you have configured the Epic Haiku and Canto integration, the row for Epic Haiku and Canto on the Confirm ID Integrations page in the Imprivata Admin Console lists the Imprivata Integration URL, the Imprivata cloud unique Tenant ID for your enterprise, and a SAML Issuer URL.
Configure Workflow Policy For Mobile EPCS
Any users already enabled for EPCS are now enabled for Mobile EPCS with Epic Haiku and Canto.
Configure Mobile EPCS authentication methods:
- In the Imprivata Admin Console, go to Users > Workflow Policy.
- On the Confirm ID workflow policy page > EPCS Workflows section, select mobile authentication methods.
- In the EPCS workflows section, go to Associate user policies and confirm the user policies associated with this workflow.
- At the top or bottom of the Confirm ID workflow policy page, click Save.
Epic Configuration
Create a new Authentication Device (E0G) record in Chronicles:
- On the General Settings screen, set Platforms to Mobile.
- On the Mobile Settings screen, set Mobile auth type to SAML.
- On the SAML Auth Settings screen, set the following values:
  - Web Form Base URL: https://confirmidauth.cloud.imprivata.com/SAML2/SSO/Redirect
  - External App Base URL: https://confirmidauth.cloud.imprivata.com/iid
  - Organization ID: This can be found on the Imprivata Admin Console > Confirm ID Integrations page > Epic Haiku and Canto row > Tenant ID
  - External App iOS App Store URL: https://apps.apple.com/us/app/imprivata-id/id991327711
- On the Web Device Settings screen, set the following values:
  - Token Type: SAML 2
  - SAML Issuer: This can be found in the Imprivata Admin Console > Confirm ID Integrations page > Epic Haiku and Canto row > SAML Issuer URL
  - SAML Key File: This is the path (in UNIX format) to the certificate file downloaded for Epic Haiku and Canto from the Imprivata Admin Console > Confirm ID Integrations page.
Specify that Imprivata performs Two Factor Authentication in Hyperspace
- Depending on your platform, there are two different paths:
  - Hyperdrive — Open the Authentication Administration activity, select the active configuration, and open the Authentication Device Factor Administration tab.
  - Classic Client — Open the Login Device Factor Administration activity.
- Enter the Authentication Device (E0G) record you created for Imprivata in the left column and the number 2 in the right column.
Configure the Authentication Workflow in Hyperspace
- Open the Authentication Administration activity and select the active configuration.
- Open the tab for the level in the facility hierarchy to which you want to apply the new device record (most likely the System level).
- Select or add workflow context Mobile E-Prescribing Controlled Medications - First Context [5141] in the left-hand table.
- Enter the Authentication Device (E0G) record you created for Imprivata as the Primary Device in the top-right table.
Verify User Build in Hyperspace
- Make sure that all users who need access to mobile EPCS have their username from your directory system entered in the System Login field (EMP item 45). This should typically be the SAM Account Name. Support for use of User Principal Name is planned in a future release.
- If the System Login field contains the SAM Account Name, the Login Domain field (EMP item 49) must be set to your organization's domain name. This might be set in individual user records or applied using linkable templates. Typically, the Login Domain is expected to be the NetBIOS domain name, but it can also be set to the organization's full domain name, for example, including ".COM", ".ORG", ".EDU", and so on, if needed. This should be the same domain name that Imprivata uses, which can be found in the Imprivata Admin Console.
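The user build checks above can be run in bulk before go-live. The following is an added example, not Imprivata or Epic code: it audits a constructed CSV of user records for the two fields named above. The column names, the sample domain `HOSPITAL`, the case-insensitive domain comparison, and the `@` and `\` heuristics are all assumptions.

```python
import csv
import io

# Constructed sample export; the column names are assumptions, not an Epic format.
SAMPLE_EXPORT = """user_id,system_login,login_domain
1001,jsmith,HOSPITAL
1002,adoe@hospital.org,HOSPITAL
1003,,HOSPITAL
1004,bnguyen,
1005,HOSPITAL\\clee,HOSPITAL
1006,mgarcia,hospital.org
1007,rpatel,hospital
"""

def check_user(system_login, login_domain, imprivata_domain):
    """Return a list of problems for one user record (empty list = OK)."""
    problems = []
    login = system_login.strip()
    domain = login_domain.strip()
    if not login:
        problems.append("System Login (EMP 45) is empty")
    elif "@" in login:  # heuristic: UPN-style value where a SAM Account Name is expected
        problems.append("System Login looks like a User Principal Name")
    elif "\\" in login:  # heuristic: domain typed into the wrong field
        problems.append("System Login has a domain prefix; it belongs in Login Domain (EMP 49)")
    if not domain:
        problems.append("Login Domain (EMP 49) is empty")
    elif domain.casefold() != imprivata_domain.casefold():  # assumed case-insensitive
        problems.append(f"Login Domain {domain!r} differs from Imprivata domain {imprivata_domain!r}")
    return problems

def audit(export_text, imprivata_domain):
    """Map user_id -> problems for every record that fails a check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        problems = check_user(row["system_login"], row["login_domain"], imprivata_domain)
        if problems:
            findings[row["user_id"]] = problems
    return findings

if __name__ == "__main__":
    # "HOSPITAL" stands in for the domain shown in the Imprivata Admin Console.
    for user_id, problems in audit(SAMPLE_EXPORT, "HOSPITAL").items():
        for problem in problems:
            print(f"{user_id}: {problem}")
```

Pass the domain exactly as it appears in the Imprivata Admin Console, whether that is the NetBIOS name or the full domain name, so that records using the other form are flagged for review.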