Mobile EPCS with Epic Haiku and Canto

System Requirements

  • The latest version of the Imprivata ID mobile app on the Apple App Store or Google Play

  • Imprivata G4 appliance

  • Connection from Imprivata appliance to Imprivata Cloud Platform

  • Enterprise Access Management for EPCS and Mobile EPCS licenses

  • The latest version of Epic Haiku or Canto mobile app

Mobile EPCS

Minimum Supported Versions (for customers who purchased Mobile EPCS on or before April 1, 2025)

  • Imprivata Confirm ID 24.1 or later

  • Epic May 2024 and later.

  • Epic Special Update Versions

    • February 2024 with SU E10804032

    • November 2023 with SU E10708512

    • August 2023 with SU E10611502

Minimum Supported Versions (for customers who purchased Mobile EPCS after April 1, 2025)

  • Imprivata Enterprise Access Management 25.1 or later (Imprivata Cloud Platform tenant is required for Mobile EPCS with 25.1)

  • Epic May 2024 and later.

  • Epic Special Update Versions

    • February 2024 with SU E10804032

    • November 2023 with SU E10708512

    • August 2023 with SU E10611502

Mobile EPCS — Recommended Versions

These versions include updates to support NetBIOS domain name in the Login Domain field (EMP item 49) in Epic.

  • Imprivata Confirm ID 24.1 or later

  • Epic May 2024 and later.

  • Epic Special Update Versions

    • February 2024 with SU E10804032

    • November 2023 with SU E10708512

    • August 2023 with SU E10611502

Restrictions

  • Face recognition is available only for institutionally identity proofed providers; individually identity proofed providers (DigiCert identity proofing) can use a hard token and password on both iOS and Android.

  • Face recognition is not available for desktop EPCS MFA.

Geographic Availability

Mobile EPCS is available in all US states.

Configure Integration To Support EPCS

Imprivata Enterprise Access Management (formerly Imprivata Confirm ID) supports two-factor authentication for mobile EPCS with Epic Haiku and Canto. Before configuring mobile EPCS, configure the Enterprise Access Management integration with Epic Haiku and Canto. See Integrate Your EMR Application.

CAUTION:

If Epic Haiku and Canto has previously been added as an app, it must be removed and re-added to properly configure the username format. After you have removed the integration, re-add the integration with the proper username format as described here.

  1. In the Imprivata Admin Console, go to Applications > EPCS and clinical workflows integrations.

  2. On the EPCS and clinical workflows integrations page, go to the Applications section and click Add an application.

  3. Select Epic Haiku and Canto.

  4. Select the username format used by Epic Haiku and Canto.

    The Epic username format can be found in the Login domain field in Epic (EMP item 49).

    The option for NetBIOS format usernames (for example, domain\user) is only available with Imprivata Confirm ID 24.1 and later.

    With earlier versions, email format usernames are the default. Confirm you are using the proper format.

  5. If the Imprivata signed certificate for the enterprise is already installed, click OK.

    If the Imprivata signed certificate for the enterprise is not installed, browse to locate the IMPCVF file.

  6. Click OK.

  7. Your EMR application is listed with the expiration date of the certificate. You can update or remove the certificate directly on this page.

    NOTE:

    To complete this activation, the Imprivata appliance must have access to the Internet via HTTPS, and the connection to the Imprivata cloud must be completed. See Set Up Enterprise.

    After you have configured the Epic Haiku and Canto integration, the row for Epic Haiku and Canto on the EPCS and clinical workflows integrations page in the Imprivata Admin Console lists the Imprivata Integration URL, the Imprivata cloud unique Tenant ID for your enterprise, and a SAML Issuer URL.

Configure Workflow Policy For Mobile EPCS

Any users already enabled for EPCS are now enabled for Mobile EPCS with Epic Haiku and Canto.

Configure Mobile EPCS authentication methods:

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.

  2. On the Workflow policy page > EPCS Workflows section, select mobile authentication methods.

  3. In the EPCS workflows section, go to Associate user policies and confirm the user policies associated with this workflow.

  4. Click Save.

Epic Configuration

Create a new Authentication Device (E0G) record in Chronicles:

  1. On the General Settings screen, set Platforms to Mobile.

  2. On the Mobile Settings screen, set Mobile auth type to SAML.

  3. On the SAML Auth Settings screen, set the following values:

    • Web Form Base URL: https://confirmidauth.cloud.imprivata.com/SAML2/SSO/Redirect

    • External App Base URL: https://confirmidauth.cloud.imprivata.com/iid

    • Organization ID: This can be found on the Imprivata Admin Console > EPCS and clinical workflows integrations page > Epic Haiku and Canto row > Tenant ID

    • External App iOS App Store URL: https://apps.apple.com/us/app/imprivata-id/id991327711

  4. On the Web Device Settings screen, set the following values:

    • Token Type: SAML 2

    • SAML Issuer: This can be found in the Imprivata Admin Console > EPCS and clinical workflows integrations page > Epic Haiku and Canto row > SAML Issuer URL

    • SAML Key File: This is the path (in UNIX format) to the certificate file downloaded for Epic Haiku and Canto from the Imprivata Admin Console > EPCS and clinical workflows integrations page.

Specify that Imprivata performs Two Factor Authentication in Hyperspace

  1. Depending on your platform, there are two different paths:

    • Hyperdrive — Open the Authentication Administration activity, select the active configuration, and open the Authentication Device Factor Administration tab.

    • Classic Client — Open the Login Device Factor Administration activity.

  2. Enter the Authentication Device (E0G) record you created for Imprivata in the left column and the number 2 in the right column.

Configure the Authentication Workflow in Hyperspace

  1. Open the Authentication Administration activity and select the active configuration.

  2. Open the tab for the level in the facility hierarchy to which you want to apply the new device record (most likely the System level).

  3. Select or add workflow context Mobile E-Prescribing Controlled Medications - First Context [5141] in the left-hand table.

  4. Enter the Authentication Device (E0G) record you created for Imprivata as the Primary Device in the top-right table.

Verify User Build in Hyperspace

  1. Make sure that all users who need access to mobile EPCS have their username from your directory system entered in the System Login field (EMP item 45). This should typically be the SAM Account Name. User Principal Name is supported as of Epic version August 2024.

  2. If the System Login field contains the SAM Account Name, the Login Domain field (EMP item 49) must be set to your organization's domain name. This might be set in individual user records or applied using linkable templates. Typically, the Login Domain is expected to be the NetBIOS domain name, but it can also be set to the organization's full domain name, for example, including ".COM", ".ORG", ".EDU", and so on, if needed. This should be the same domain name that Imprivata uses, which can be found in the Imprivata Admin Console.
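The user build rules above can be checked in bulk before go-live. The following is an added example, not Imprivata or Epic code: it audits a constructed set of user records against those rules. The column names, the sample values, and the way the records are obtained from Epic are assumptions.

```python
import csv
import io

# Constructed sample records. The column names are hypothetical; they stand for
# System Login (EMP item 45) and Login Domain (EMP item 49) per user.
SAMPLE_EXPORT = """user_id,system_login,login_domain
1001,jsmith,EXAMPLE
1002,mlee,
1003,akhan,example.org
1004,rpatel@example.org,
1005,,EXAMPLE
"""


def audit_user_build(export_text, imprivata_domain, upn_supported):
    """Return {user_id: finding} for records that break the rules above.

    imprivata_domain: the domain name shown in the Imprivata Admin Console.
    upn_supported: True when the Epic version is August 2024 or later.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        login = (row["system_login"] or "").strip()
        domain = (row["login_domain"] or "").strip()
        if not login:
            findings[row["user_id"]] = "EMP 45 empty"
        elif "@" in login:
            # Assumption: a value containing '@' is a User Principal Name.
            if not upn_supported:
                findings[row["user_id"]] = "UPN needs Epic August 2024"
        elif not domain:
            findings[row["user_id"]] = "EMP 49 empty for SAM Account Name"
        elif domain.casefold() != imprivata_domain.casefold():
            # Domain names are compared case-insensitively.
            findings[row["user_id"]] = "EMP 49 differs from Imprivata domain"
    return findings


if __name__ == "__main__":
    for uid, finding in audit_user_build(SAMPLE_EXPORT, "EXAMPLE", False).items():
        print(uid, finding)
```

Records that pass every rule are omitted from the result, so an empty dictionary means the checked user build is consistent with the domain Imprivata uses.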