Over the last decade, the increased use of Controlled Substance Ordering System (“CSOS”) applications (i.e., platforms used to electronically transmit controlled substance orders) and Electronic Prescriptions for Controlled Substances (“EPCS”) applications (i.e., platforms used to electronically transmit controlled substance prescriptions) have been heralded as the fix-all solution for the innate security risks that have historically plagued DEA Forms 222 and paper prescriptions. However, in recent months, the excitement over the “safe” use of CSOS and EPCS applications has been dampened by a notable increase in security threats to such systems. Criminals have succeeded in creating fraudulent accounts on CSOS systems by taking and using information from DEA-registered practitioners, and they have demonstrated their ability to hack authentication credentials in order to access and use prescribers’ e-signatures on EPCS platforms. As soft spots in CSOS and EPCS applications are increasingly exposed, registrants must start considering whether they can further tighten security measures.

While many of these fairly sophisticated criminal endeavors cannot easily be guarded against by the average pharmacy and practitioner that is primarily concentrated on patient health and treatment, DEA has recently signaled its willingness to hold registrants’ feet to the fire when it comes to security measures that are reasonably within their control.

Earlier this year, DEA, in coordination with South Carolina’s Bureau of Drug Control, took action against a South Carolina pharmacy for failing to provide adequate security for its pharmacist-in-charge’s (“PIC”) CSOS credentials. DEA’s concerns began when the pharmacy was unable to account for 22,056 mL of promethazine with codeine. While some of the unaccounted for inventory was diverted by a pharmacy technician employee due to poor inventory record management, a significant portion was found to have been diverted by a staff pharmacist who stole and used the pharmacy PIC’s CSOS credentials to place over a 100 orders on CSOS. DEA stated that the PIC “failed to properly safeguard his [CSOS] private user identification login and password….” Ultimately, the pharmacy agreed to pay $275,000 to settle with DEA. See DEA’s January 4, 2023 Press Release.

DEA’s action against this South Carolina pharmacy is a sobering reminder to all DEA-registered employers of the importance with ensuring that their employees who hold active CSOS certificates: (1) protect their credentials, (2) refuse to share such credentials with any other individual, and (3) safeguard such credentials in a manner that prevents their disclosure and use. Should any employee have concerns that his or her credentials have been compromised, lost or stolen, he or she must notify DEA’s Certification Authority immediately by requesting revocation of the existing certificate and applying for a replacement certificate.

Review 21 CFR § 1311.30 for obligations regarding the safe use and storage of CSOS certificate credentials.