Hands Free Authentication for Imprivata Confirm ID
Overview
Hands Free Authentication automatically and securely retrieves a one-time password (OTP) from the provider's device to authenticate when signing electronic prescription orders. The OTP, which is generated every 30 seconds by the Imprivata ID app, is validated over an encrypted, low-energy Bluetooth connection between the endpoint computer and the provider's device. This workflow results in minimal disruption to the clinical workflow, as the provider does not have to touch or handle the device.
The Imprivata ID app can be downloaded from Google Play and the iTunes App Store.
Notes:
- Hands Free Authentication can only be used as a second factor of authentication.
- Hands Free Authentication is not currently allowed by the Ohio State Board of Pharmacy for non-EPCS workflows.
Getting Started
For specific configuration steps related to the sections below, first see Planning an Imprivata Confirm ID Implementation, and then see Installing and Configuring Imprivata Confirm ID.
Certificate Requirements
If the Symantec token is embedded in Imprivata ID, and your users will be using Imprivata ID for Hands Free Authentication, the following certificates must be uploaded to your enterprise:
- Imprivata signed certificate — Enables secure communication between the Imprivata server and the Imprivata ID app. For instructions on requesting the certificate from Imprivata and uploading it to the enterprise, see Upload an Imprivata Signed Certificate for Imprivata ID Hands-Free Authentication.
- Symantec VIP Credentials certificate — Allows for the connection between Imprivata and the Symantec token service (if needed). See Configuring the Symantec Connection for details.
Endpoint Computer Requirements
For the complete list of supported devices, see Imprivata Confirm ID Supported Components.
Hands Free Authentication for Imprivata Confirm ID is currently supported on Teradici PCoIP® Zero Clients via VMware Horizon View virtual desktops. Teradici PCoIP® Zero Clients automatically recognize the Imprivata USB Receiver via the device's native USB redirection support. However, by default USB redirection on VMware Horizon View virtual desktops is disabled.
An Imprivata ID USB Receiver must be connected to each endpoint computer on which Imprivata ID Hands Free Authentication will take place. The Imprivata ID USB Receiver is not required when a provider enrolls Imprivata ID.
IMPORTANT: Make sure the Imprivata ID USB Receiver is not located in a metal enclosure and is located in close proximity to where providers will sign orders.
Provider Requirements
All providers using Hands Free Authentication must have an iOS or Android device with the following:
iOS Requirements | Android Requirements |
Identity Proofing Requirements
If you have providers who are configured in the Imprivata Admin Console as Individual providers (they may not prescribe using your institution's DEA number), then you need to configure Imprivata Confirm ID to enable identity proofing.
Imprivata ID For Administrators with Multiple Usernames
One Imprivata ID can be enrolled to multiple usernames. Administrators can authenticate to more than one account with the same Imprivata ID token:
- In the Imprivata Admin Console, go to the gear icon > Settings.
- In the section Imprivata ID, select Allow one Imprivata ID token for multiple accounts.
- Click Save. An Imprivata ID can now be enrolled to more than one Imprivata username. There is no restriction by role; any Imprivata ID can now be enrolled again to any Imprivata user (if their user policy permits Imprivata ID enrollment).
End Of Life: Imprivata ID Symantec Token (IMSY)
The ability to enroll Imprivata ID with an IMSY token has been removed.
All phones already enrolled with Imprivata ID and the IMSY token will still work, but when those users replace their phone and/or reinstall Imprivata ID, they will receive the IMPR token instead.
Symantec VIP tokens are not affected.
Rolling Out Hands Free Authentication to Users
Like other Imprivata Confirm ID authentication methods, providers must enroll their Imprivata ID:
- The Imprivata ID app can be enrolled using the Imprivata Confirm ID enrollment utility. Depending on how you configure Imprivata Confirm ID, supervised enrollment may be required.
- You can allow Imprivata Confirm ID Remote Access users to enroll the Imprivata ID app remotely.
Imprivata recommends that enrollment supervisors and Imprivata ID users receive training about Hands Free Authentication to ensure seamless adoption in your organization.
The following educational materials can be used to train enrollment supervisors and Imprivata ID users about Hands Free Authentication:
Document | Audience | Description | Format |
---|---|---|---|
Introducing Hands Free Authentication (HTML Email Template) | | Customizable HTML email template you can use to announce Hands Free Authentication support to providers in your organization; includes a link for downloading the Imprivata ID app and instructions on how to enroll their Imprivata IDs. How to use this template: | .HTML |
Introducing Imprivata ID for Remote Access (HTML Email Template) | | Customizable HTML email template you can use to announce Remote Access support to users in your organization; includes a link for downloading the Imprivata ID app and instructions on how to enroll their Imprivata IDs. How to use this template: | .HTML |
Imprivata Confirm ID Enrollment Guide for Supervisors | Enrollment supervisors | Instructions for witnessing and attesting to provider enrollment of Imprivata IDs, OTP tokens, and fingerprints for e-prescribing controlled substances. | |
How to Enroll Your Imprivata ID | Institutional providers | Instructions for Institutional providers (providers who have been identity proofed by hospital staff) on how to enroll their Imprivata ID. | |
How to Complete Identity Proofing and Enroll Your Imprivata ID | Individual providers | Instructions for Individual providers (providers who cannot use an institution's DEA number) on how to complete identity proofing and enroll their Imprivata ID for Hands Free Authentication. | |
Imprivata ID Phone Readiness Checklist | Providers | Visual overview of the optimal configuration for Imprivata ID. Intended to be distributed to providers for training and/or posted at workstations. | |
Troubleshooting

If specific users are experiencing issues with push authentication, make sure the Imprivata ID app is running on the user's device.
If that doesn't resolve the issue, make sure the user's device meets all of the following requirements:
iOS Requirements | Android Requirements |

If the Imprivata database is restored while users are enrolling Imprivata IDs, or after Imprivata IDs have been enrolled, the users must re-enroll their Imprivata IDs. Contact Imprivata Customer Support for assistance.

You can resolve some errors that occur during DigiCert identity proofing. If the error message instructs you to
- "Delete record and notify user to restart identity proofing", or
- "Delete identity proofing record and notify user to restart process",

delete the user's record but do not delete the user:
- In the Imprivata Admin Console, go to Users > Users and find the user in the database.
- On the user detail page, go to DigiCert Individual Identity Proofing and click Delete Record. This action is permanent and the user must identity proof again for EPCS.
- Notify the user to start identity proofing again.
If you delete the entire user from the Imprivata Confirm ID database, you will have to wait five days for the system to reset before they can use that same email address again for identity proofing.

Clinicians who e-prescribe controlled substances with a Symantec VIP token can continue to use this token with Imprivata Confirm ID after identity proofing with DigiCert. The following workaround is only applicable for:
- users who have already completed identity proofing with Symantec NSL and
- enrolled their VIP token for EPCS and
- completed identity proofing with DigiCert and
- are associated with the Imprivata Confirm ID EPCS workflow and
- that workflow allows OTP tokens for authentication.

- In the Symantec VIP Manager, remove the user's VIP software token (Users > Search User > Edit Details > Credential > Remove).
- In the Imprivata Admin Console, remove the user's VIP software token: Go to Users > Symantec VIP Credentials, select the user, and click Remove From This User.
- In the Symantec VIP Manager, disable the user's account (Users > Search User > from the Search Results page, click Disable Credential).
- In the Symantec VIP Manager, enable the user's account again (Users > Search User > from the Search Results page, click Enable Credential).
- Advise the user to re-enroll the Symantec VIP token with Imprivata Confirm ID.

Cloud Connection
Imprivata Services will enter the Enterprise ID and one-time cloud provisioning code required to establish trust between your Imprivata enterprise and the Imprivata cloud:
- If you're not on the Cloud Connection page already: In the Imprivata Admin Console, click the gear icon > Cloud connection.
- Services will enter your Enterprise ID and cloud provisioning code.
- Click Establish trust.
The cloud connection must be established by Imprivata Services.
Cloud Connection Status
You can review the status of your enterprise's connection to the Imprivata cloud at any time. Status notifications are displayed on the Imprivata Admin Console, and the cloud connection status of every appliance at every site is also available:
- In the Imprivata Admin Console, go to the gear icon > Cloud connection.
- Every appliance host is listed with its status. If there are problems with a connection, recommendations for resolving the problem are displayed here.