California’s Ambitious Online Drug Database

California drug database

Despite its budgetary woes, California plans to plunk down $3.5 million in a massive effort to put its statewide database of prescribed drugs on the Internet.

The project, scheduled for completion by next year, is a bid to prevent drug addicts and dealers from acquiring duplicate prescriptions from unwitting doctors and pharmacists. It also will modernize what state Attorney General Jerry Brown described in his announcement as a “horse and buggy” system.

Currently, doctors and pharmacists have to query the state database maintained by the California Department of Justice by fax or phone. The database is queried manually, which results in responses to queries taking up to “a couple of weeks,” Gareth Lacy, press secretary at the state attorney general’s office, told

The problem is severe: In 2005, 598,000 people visited hospital emergency rooms in California because of the nonmedical use of prescription or other drugs, and 55 percent of these involved the use of multiple drugs.

Physicians are playing their part in the problem. In May, Dr. Wesley Albert was arrested in Lake Elsinore for writing large quantities of prescription drugs from a hotel room which led to someone’s death in Riverside. State agents are conducting an ongoing investigation of doctors in Los Angeles and Orange Counties in connection with the death of multimillionaire heiress Anna Nicole Smith.

The state’s database, the Controlled Substance Utilization Review and Evaluation System or CURES, now contains 86 million records of patients who have been prescribed Schedule II, III and IV drugs in California as well as information about the prescriptions, the drugs and the prescribers.

The drugs covered include morphine, Ritalin, methadone, Vicodin, anabolic steroids, codeine, Valium and Ambien. The prescription drugs most heavily abused in California are Vicodin, Oxycontin, Xanax, codeine and Valium.

Last year, the state attorney-general released 53,000 patient activity reports, which reflect all controlled substances dispensed to an individual, to doctors and pharmacies; since January this year, it has released more than 11,000 reports.

The manual system is “very slow and inefficient and we want to make it faster and better,” Lacy said.

It’s about the money

Money is scarce now in California. Governor Arnold Schwarzenegger has said that the state is $20 billion in the red, and legislators are spending most of their time grappling with this issue.

Attorney-general Brown has turned to the private sector for the cash, lining up the Troy and Alana Pack Foundation to get the money needed for the hardware and software.

The non-profit foundation was set up by Bob Pack, whose children, Alana and Troy, aged seven and ten years, respectively, were hit by a driver under the influence of dangerous narcotics gathered from different doctors.

The driver, Jimena Barreto, was convicted in May 2005 of second-degree murder for her role in the children’s deaths after a three-week trial.

The seeds of the online database project were sown later that year, when the foundation worked with California State Senator Tom Torlakson, chairman of the Senate Appropriations Committee, to have Senate Bill 734 passed. This authorizes the tamper-resistant prescription pads now used in the state, and permitted online access to CURES pending the acquisition of private funding.

Page 2 of 2

The Troy and Alana Pack Foundation is working with Kaiser Permanente of Oakland, Calif., the nation’s largest HMO; the California State Board of Pharmacy; and the state attorney-general’s office to develop the new database.

When implemented, the online database will provide doctors, pharmacies, midwives, registered nurses, authorized law enforcement agencies and medical profession regulatory boards with real-time access to CURES.

It will be the largest online prescription drug database in the United States, according to the state attorney general’s office.

The database will reside in the California Department of Justice datacenter, which meets security standards mandated by HIPAA , the Healthcare Insurance Portability and Accountability Act.

Protections include automated, redundant control and communication systems, monitoring and intrusion detection tools and disaster recovery plans and systems. The database also will be compliant with current federal security and encryption standards — including encoding stored and transmitted confidential data, officials said.

Strict authorization and access logging also are key parts of the system.

“Users must prove they’re authorized, like they do now, and they’ll only get a temporary user name and password,” Lacy said. A new user name and password is required for each access.

Security issues

However, these security measures may not be enough.

“When you look at all the attacks happening on the Internet now, it’s very clear that the attackers are going after databases because it’s easier to steal tens of millions of records out of a database than to phish someone for his records, and you get a bigger payday,” Toby Weiss, president and CEO of database security vendor Application Security, told

“I think attackers are going to line up to hit this database.”

Hardening a database against attacks is not enough, Weiss said. Its owners must implement a process to continuously keep it secure. “If you harden your database perfectly on Monday, new attacks and exploits may come along on Tuesday,” Weiss, who claims his company has “the world’s largest knowledge database” for database security problems, explained.

Instead of offering a database with millions of records, “it makes more sense to design a system whereby a doctor or pharmacy might send a request saying it’s going to fill a prescription for, say Oxycontin, for someone, and the system answers yes or no,” Weiss added.

News Around the Web