Monday, November 03, 2008

Push or pull for prescription security?

I recently had a reason to fill two prescriptions on the same day, one at a local pharmacy and the other through a mail-order pharmacy. In both cases, the same doctor was writing the prescriptions.

First, I tried calling the doctor to get copies of the prescriptions to bring to the store and mail off. No luck - he doesn't do that any more. (Maybe if I had an office visit he would, I don't know.) Instead, it's all done electronically - but the two were handled differently by the pharmacies.

For the mail-order pharmacy, I had to call them, give them the name and phone number of my doctor (which they looked up in some sort of registry), the names of the prescriptions, and my insurance and credit card number to pay. They then called the doctor, who approved the prescriptions by phone. For the local prescription, I called the doctor's office, gave them the phone number of the pharmacy which they called and ordered the prescription, which I then picked up and paid for.

So I wondered, is one of these more secure and/or private? I don't think there's a privacy difference - in both cases, my doctor (obviously) knows what prescriptions I'm taking, and so does the pharmacy. In the mail order case, presuming that they really checked the doctor's information I gave them against some sort of authorized prescribers list, then a patient can't get prescriptions without approval (unless I subvert the doctor's telephone system and redirect the approval calls). And in the local pharmacy case, while I could cause the doctor's office to call a fake pharmacy (since I provide them with the phone number), that would have no real value to me.

The most likely problem is if I could convince the mail order pharmacy that the doctor's phone number had changed, and their records were out of date, then I might be able to get prescriptions that aren't authorized. Presumably they have processes in place to prevent those types of attacks - and those processes are hopefully stronger for controlled drugs (e.g., narcotics) than for ordinary medications (e.g., antibiotics).

As a security engineer, I can't help but think about the security aspects of almost anything I see...


Post a Comment

Subscribe to Post Comments [Atom]

<< Home