Vulnerabilities for Drug Diversion in the Handling, Data Entry, and Verification Tasks of 2 Inpatient Hospital Pharmacies: Clinical Observations and Healthcare Failure Mode and Effect Analysis.

OBJECTIVES: Inpatient hospital pharmacies have a central role in managing controlled substances (CS) throughout the hospital medication use process (MUP). Our objectives were to identify vulnerabilities for diversion in the MUPs of 2 inpatient pharmacies, explore differences between the sites, and characterize the types of vulnerabilities identified.
METHODS: We conducted clinical observations in 2 pharmacies to map their MUPs and performed a healthcare failure mode and effect analysis to proactively identify (1) the critical failure modes (CFMs) that make them vulnerable to diversion and (2) the controls that prevent, mitigate, or enhance the detectability of CFMs.
RESULTS: We conducted 99 hours of observations between May-June and September-October 2018. We observed 36 pharmacy technicians, 4 pharmacists, and 1 clerk as they conducted tasks involving 4 processes common to both sites: procuring CS, receiving CS deliveries to the pharmacy, unit-dose packaging CS oral solids, and distributing CS to hospital units. The tasks and subtasks we mapped in the process flow diagrams led to the identification of 220 failure modes. Of these, 34 were deemed CFMs and were categorized as related to handling CS, data entry, or verification tasks. Three of the CFMs were unique to one site, given that the other site had a control for the CFM.
CONCLUSIONS: Multiple vulnerabilities for diversion exist in inpatient pharmacy processes. Our results provide some much needed detail about how specific vulnerabilities in MUP tasks and subtasks lead to an increased risk of diversion.

Weaknesses in the security and accounting of controlled substances (CS) in hospitals have resulted in unexplained losses or diversion of medications.[1-3] Diversion refers to the transfer of medications away from legitimate medical use to being used unlawfully,[4] such as when medications are stolen for personal use or trafficking. Diversion of CS from the inpatient pharmacy not only impacts the person who diverts but also has repercussions for the hospital and may result in serious harm to patients.[3] People who divert are often experiencing a substance use disorder; gaining access to medications through diversion increases their risk of morbidity and mortality associated with drug use (e.g., overdose or infection from unsterile needles).[3,5] When an incident of diversion is discovered, the person who diverted may lose their job, have their license suspended, or be criminally charged.[3,4,6-8] Diversion puts patients at risk of receiving inadequate care (e.g., patient does not receive analgesia because saline is substituted for an opioid or an impaired healthcare worker provides improper care)[9-13] and contracting viral or bacterial infections from medications or syringes compromised because of tampering.[5,14,15]

Known limitations in hospital processes (e.g., delays in wasting medications facilitates substitution)[16] and resources or technologies (e.g., use of paper records and lack of interoperability between record keeping systems)[17] can compromise inventory tracking and discrepancy resolution, which in turn hinders the ability of hospitals to detect and investigate incidents of diversion.[18]

Inpatient hospital pharmacies are at the center of CS management throughout the hospital and face several unique vulnerabilities to diversion given their role in medication use processes (MUPs; i.e., procuring, preparing, dispensing, storing, and returning or wasting CS).[4,17,19] Media coverage have described several incidents of diversion in the inpatient pharmacy,[20] including creating fake patient files and generating fraudulent prescriptions,[21] tampering with syringes by replacing the CS in loaded syringes with saline,[22] and exploiting internal controls to procure CS.[23] Despite a number of high-profile losses that capture scrutiny and investigation, most CS losses in Health Canada data have been attributed to “unexplained loss,”[1,20] suggesting that inpatient pharmacies are unable or ill-equipped to investigate and analyze a CS loss and, consequently, cannot institute remedial actions. Pharmacy departments and staff have a leading role in implementing MUP best practices. Although recent investigations have begun to describe some of the CS security and accounting vulnerabilities within the hospital,[24,25] systematic knowledge about vulnerabilities in inpatient pharmacy processes is required to better align interventions against the diversion risks and improve the management of CS in hospitals.

Our aim was to understand how medications are kept secure and accounted for in 2 Ontario inpatient pharmacies. The objectives were to identify where vulnerabilities exist in the MUPs at each site, explore differences between sites, and characterize the types of vulnerabilities identified.

METHODS

Our study was composed of 2 integrated parts (observations and risk analysis), as one informed the other (Fig. 1). We conducted clinical observations in 2 inpatient pharmacies to understand and contrast the MUPs between sites and performed a healthcare failure mode and effect analysis (HFMEA) to proactively identify and evaluate vulnerabilities in each MUP. Our approach and methods have been described in a published protocol.[26] A province-wide Research Ethics Board approval was granted for the study through Clinical Trials Ontario (REB #1354).

FIGURE 1

Description of the study design showing the integration of the clinical observations and HFMEA. Arrows show where results from one informs or is informed by the other.

Clinical Observations

Setting and Participants

The inpatient pharmacies of 2 large full-service hospitals in Toronto, Ontario, Canada, were selected for observation (Table 1). We selected hospitals that use different medication management software and automated dispensing cabinet (ADC) platforms and provide representation from one academic and one community academic hospital.

TABLE 1

Observation Settings in 2 Inpatient Hospital Pharmacy Sites

		Site 1	Site 2
Setting	Size of hospital	400 beds	400 beds
	Type of hospital	Community academic	Academic
	Pharmacy hours of operation	Weekdays: 08:00–20:00 Weekends: 08:00–17:00	Weekdays: 07:30–21:00 Weekends: 07:30–17:00
	CS vault and ADC	Omnicell vault Omnicell ADCs	Pyxis C2Safe Pyxis ADCs
Observations	Roles (number of participants)	Pharmacy technician (16) Pharmacist (3)	Pharmacy technician (20) Pharmacist (1) Clerk (1)
	No. observation hours	46 h	53 h

We used purposive sampling to recruit participants for clinical observations. We included pharmacy staff with roles in, or interaction with, at least one component of the MUP, including those who work indirectly with medications (e.g., submitting purchase orders for procurement of medications). Participants provided written informed consent before being observed. The study team emphasized that participation was voluntary and could be stopped at any time for any reason and that we were not assessing or evaluating participant performance.

Data Collection

Observations were conducted for 4 weeks at each site (Site 1: May–June 2018; Site 2: September–October 2018). A pair of observers (i.e., one member of the study team with experience as a hospital pharmacist and one team member with expertise in human factors) unobtrusively shadowed participants as they carried out their daily activities. Each observation session lasted between 2 and 8 hours, depending on the participants’ availability, the shift duration, and the task(s) being observed. Observations took place on all days of the week and during all pharmacy operating hours. We continued to recruit participants and conduct observations until we reached data saturation. Data saturation was reached after 99 hours when we had observed the main responsibilities (tasks) of the participants under observation (n = 41), collected sufficient data to map step-by-step how each task was performed and could describe the environment in which those tasks were completed. Observers took free-form notes, collected artifacts of pharmacy practice (e.g., blank preprinted forms), as well as took photographs of the environment, technology, and supplies. The free-form notes captured step-by-step how participants completed tasks as well as contextual information, including the physical layout of the unit, the roles and shifts covered by staff, and technologies and manual record keeping tools used for documentation. Observers compared their notes and discussed discrepancies until consensus was reached. Free-form notes were fully transcribed into Word and uploaded onto a secure SharePoint site hosted at the study team’s home organization.

Coding of Observation Data

Data collected during observations were uploaded MAXQDA 2018 (VERBI Software, Berlin, Germany) data management and analysis software. One study team member organized the data using predefined codes for tasks and types of processes (e.g., double checking or documenting), a second study team member reviewed the codes, and any discrepancies were resolved through discussion. Coding the observational data created a structured dataset with inputs for the HFMEA, providing information on how and by whom tasks were performed as well as contextual information used during the hazard analysis described hereinafter.

Healthcare Failure Mode and Effect Analysis

We followed the standard approach for performing the HFMEA.[27] Key components of the HFMEA approach include mapping the steps involved in the healthcare process and then listing all possible errors in the execution of that process, otherwise known as “failure modes.” Each failure mode was scored in terms of its severity and probability and further assessed with an HFMEA decision tree. The decision tree determines the priority of the failure mode. A critical failure mode (CFM) is either a failure mode which introduces a process failure by itself or is a failure mode which is not easily prevented or detected by the system.

In our study, the process maps of CS tasks from the clinical observations were used to generate a numbered list of tasks and subtasks for each stage of the MUP. The results presented in this article refer only to tasks that were observed at both sites.

The multidisciplinary HFMEA team was composed of 2 pharmacists and 3 human factors specialists. The team brainstormed failure modes for each subtask by considering how the CS could be tampered with or diverted. As is customary for an HFMEA, failure modes were described for each subtask in isolation (i.e., the HFMEA team did not identify vulnerabilities arising from the combination of 2 or more failure modes). Using two 4-point scales, 2 pharmacists independently scored the failure modes on (a) probability (based on how often the occurrences would likely occur) and (b) severity (based on the ability to account for medication losses, impact to the patients and staff, and financial damages). The definitions of the scoring for the 2 scales are provided in Table A1, http://links.lww.com/JPS/A343. The pharmacists and a human factors specialist then met to compare scores. Discrepancies in the scoring were discussed among the 3 study team members until consensus was reached. Probability and severity scores were multiplied to obtain the hazard score of each failure mode. Two human factors specialists then identified the CFMs using the HFMEA decision tree analysis (Fig. A1, http://links.lww.com/JPS/A344; Table A2, http://links.lww.com/JPS/A345).

The CFMs from both sites were organized according to the site and MUP task from which they were identified. We looked for similarities and differences in CFMs within and between the sites. The analysis considered where, how, and why CFMs could occur to identify common characteristics of the CFMs.

RESULTS

Four stages of the MUP were common to, and observed, at both sites: procurement of CS, receipt of CS deliveries to the pharmacy, unit-dose packaging CS oral solids, and distribution of CS to patient care areas. Detailed process flow diagrams of the numbered tasks and subtasks for each process can be found in the Appendix (Figs. A2–A5, http://links.lww.com/JPS/A346, http://links.lww.com/JPS/A347, http://links.lww.com/JPS/A348, http://links.lww.com/JPS/A349). Although the tasks for completing these MUPs were the same, the order in which the subtasks were completed or the subtasks differed somewhat between sites because of differences in roles and responsibilities, technologies used, and procedures.

Within the 4 MUP stages, across the 2 sites, we identified 220 failure modes. Thirty-four of the failure modes were deemed CFMs. Twenty-five (74%) of these CFMs had hazard scores less than 8 but were considered single-point weaknesses, so proceeded through the decision tree analysis, and were later identified as CFMs. Three categories of failure modes (i.e., handling, data entry, and verification) emerged while analyzing the CFMs (Table 2). Table 3 lists the tasks that occur in each stage of the MUP and the distribution of CFMs by task and CFM category. Eight CFMs (24%) were related to handling tasks, 13 (38%) were related to data entry tasks, and 13 (38%) were related to verification tasks. Table 3 also shows that the greatest numbers of CFMs were related to the distribution of CS to the patient care areas (i.e., hospital units).

TABLE 2

Description of CFM Categories

Category	Description
Handling	Within all stages of the MUP, CS are moved from one place to another or left in holding areas before the next task takes place. Critical failure modes that relate to handling or transporting highlight vulnerabilities to theft, tampering, or substitution. For example, CS left unattended in an unlocked cart would be categorized as a failure mode in handling/transportation. In general, these failure modes impact the physical security of medications.
Data entry	Certain steps in the MUP involve the entering of information or instructions into electronic systems (e.g., to retrieve/return from the CS vault or ADCs). Other steps involve the recording of information manually into paper logbooks or electronic databases. Critical failure modes that relate to data entry or programming highlight vulnerabilities to forgery, hiding discrepancies in inventory counts or accessing CS fraudulently under another individual’s identification. In general, data entry failure modes impact the accuracy of documentation and hinder the traceability of CS transactions.
Verification	Several of the MUP tasks involve having a second individual or using a technology (e.g., barcoding) to verify or check the work of another staff member. For example, when medications are delivered, a second technician checks the information about the delivery recorded in a log book and initials it. Another example is that a witness (nurse) on the unit verifies the medication and double counts the number of doses added to the ADC. The witnessing may be recorded automatically by the ADC or manually on paper. In general, verification failure modes impact the integrity of the medication and accuracy of documentation.

TABLE 3

Number of CFMs Identified in Each Medication Use Process Task Grouped by Category

Medication Use Process Tasks	Category			Total
	Handling	Data Entry	Verification
1. Procure CS for inpatient pharmacy	0	4	2	6
1.1 Determine which CS to procure	0	1	0
1.2 Create purchase order	0	2	0
1.3 Submit purchase order to vendor	0	1	1
1.4 Reconcile invoiced items with purchase order	0	0	1
2. Receive CS from vendor deliveries	1	1	3	5
2.1 Deliver boxes of CS to inpatient pharmacy	0	0	0
2.2 Verify delivered items against packing slip and/or invoice	1	0	2
2.3 Place items into CS vault	0	1	0
2.4 Sign off on delivered items	0	0	1
3. Package CS into unit doses (oral solids)	5	2	1	8
3.1 Retrieve CS from vault for unit dose packaging	1	1	0
3.2 Program unit dose packaging machine	1	0	1
3.3 Run unit dose packaging machine	1	0	0
3.4 Check unit dose packaged items	1	0	0
3.5 Return unit dose packaged items to CS vault	1	1	0
4. Distribute CS to the ADCs on hospital units	2	6	7	15
4.1 Trigger delivery for interim orders, orders for scheduled medications, or restocking of supplies in ADCS on hospital floors	0	1	1
4.2 Retrieve CS from inpatient pharmacy stock	1	2	3
4.3 Deliver CS to hospital units	1	3	3
Total	8	13	13	34

The severity, probability, and hazard scores for each CFM are provided in Table 4. The CFM scores were the same for both sites. Hazard scores ranged from 1 to 9. All handling CFMs had a severity score of 3 (“major”). The median severity scores for data entry and verification CFMs was 2 (“moderate”). Most CFMs (76%) had a probability score of 3 (“occasional”).

TABLE 4

Description of CFMs and Controls Identified at Both Hospital Sites

Category	Description of CFMs and Controls	Site 1	Site 2	S, P, HS
1. Procure CS for inpatient pharmacy
1.1 Determine which CS to procure
Data entry	CFM1.1 The purchasing of CS is initiated despite sufficient stock levels (e.g., by modifying minimum stock thresholds or adding medications to list for purchaser), creating an opportunity for access to a greater quantity of CS	X	X	1, 3, 3
1.2 Create purchase order
Data entry	CFM1.2 The login information of the purchaser (pharmacy technician whose role is to submit purchase orders) is used by another individual to create a medication purchase order, creating an opportunity to order a greater quantity of CS and difficulty in tracing the person responsible	X	X	1, 2, 2
Data entry	CFM1.3 Medication purchase order is created and submitted without the knowledge of the purchaser, creating an opportunity for a shipped order to be diverted once delivered without the purchaser having knowledge that the order existed or was expected	X	X	1, 2, 2
1.3 Submit purchase order to vendor
Data entry	CFM1.4 Medication purchase order is submitted online through vendor’s system without the knowledge of the purchaser (staff member whose role is to submit purchase orders), creating an opportunity to order a greater quantity of CS	X	X	1, 1, 1
Verification	CFM1.5 Online purchase order is authorized by someone other than the licensed pharmacist, but using the licensed pharmacist’s login information, allowing for an unauthorized purchase to be made and making it difficult to trace the person responsible	X	X	1,2,2
1.4 Reconcile invoiced items with purchase order
Verification	CFM1.6 Invoice is not signed and dated by the technician/clerk responsible for receiving the medications, hindering the traceability of CS transactions and compromising accurate documentation	X	X	2, 3, 6
2. Receive CS from vendor deliveries
2.1 Deliver boxes of CS to inpatient pharmacy
2.2 Verify delivered items against packing slip and/or invoice
Handling	CFM2.1 Medications are left unobserved inside the locked pharmacy and accessible by any individuals who have or gain access to the department, creating an opportunity for diversion once the delivered box is opened and set aside with the invoice/packing slip	X	X	3, 2, 6
Verification	CFM2.2 Discrepancy between medications and packing slip/invoice is not identified during second check, making it difficult to trace the origin of a discrepancy and compromising accurate documentation Control2.2: Site 1 has a technician and a pharmacist providing a second and third verification of delivered items against the packing slip/invoice before they are placed in the vault. Site 2 has a second technician conduct the verification, but the pharmacist does not verify the delivered items against the packing slip/invoice before they are added to the vault.	C	X	2, 3, 6
Verification	CFM2.3 Signed and dated packing slip/invoice is not photocopied by the technician responsible for placing items into the CS vault or copy is not filed in vault area, compromising accurate documentation	X	X	1, 3, 3
2.3 Place items into CS vault
Data entry	CFM2.4 Number of units of medication being added to the vault is entered into the system incorrectly (number entered into the system matches the number of expected items on the packing slip/invoice but not the number of items actually being placed in the vault), creating a discrepancy which may not be caught until inventory is counted by another individual	X	X	3, 3, 9
2.4 Sign off on delivered items
Verification	CFM2.5 Receiving invoice/packing slip and/or log book is not signed by the pharmacist, hindering traceability and compromising accurate documentation	X	X	2, 3, 6
3. Package CS into unit doses (oral solids)
3.1 Retrieve CS from vault for unit dose packaging
Data entry	CFM3.1 Technician does not log out of vault after retrieving medication, creating an opportunity for another individual to gain unauthorized access the vault under the technician’s login information	X	X	3, 3, 9
Handling	CFM3.2 Sealed or opened bottle of tablets retrieved from CS vault placed on a counter outside of the locked vault and left unobserved, creating an opportunity for diversion	X	X	3, 3, 9
3.2 Program unit dose packaging machine
Verification	CFM3.3 Unit dosed and packaged tablets have the incorrect information programmed into the automatic unit dose packager/medication management software, resulting in the medication being labeled incorrectly and limiting traceability Control3.3: Site 1 has a second independent checker verifying information programmed into the unit dose packaging machine before the medications are packaged, including the drug name, strength, lot number and expiry date. Site 2 does not conduct a second check at this point in the process.	C	X	2, 3, 6
Handling	CFM3.4 Number of tablets added to the unit dose packager differs from number of tablets retrieved for packaging, creating an opportunity for diversion	X	X	3, 3, 9
3.3 Run unit dose packaging machine
Handling	CFM3.5 Strips of unit dose packaged tablets and bottle of remaining tablets placed in bin on a counter outside of the locked vault and left unobserved, creating an opportunity for diversion	X	X	3, 3, 9
3.4 Check unit dose packaged items
Handling	CFM3.6 Strips of unit dose packaged tablets and bottle of remaining tablets left unobserved on counter (before and after being verified) before placed back into CS vault, creating an opportunity for diversion	X	X	3, 3, 9
3.5 Return unit dose packaged items to CS vault
Data entry	CFM3.7 The medication name, dose or formulation programmed as being added back to the vault differs from the actual medication placed into the CS vault, creating a discrepancy and hindering traceability	X	X	2, 3, 6
Handling	CFM3.8 Strips of unit dosed packaged tablets or bottle of remaining tablets are not placed into CS vault and are left unobserved, creating an opportunity for diversion	X	X	3, 3, 9
4. Distribute CS to the automated dispensing cabinets on hospital floors
4.1 Trigger delivery restocking ADC items or for items to be temporarily stocked in the ADC
Verification	CFM4.1 Order is not verified as a legitimate order, creating an opportunity for an individual to retrieve a CS for a seemingly legitimate purpose/patient and divert (for orders made in medication management software, placed over the phone to inpatient pharmacy, or placed through fax)	X	X	3, 1, 3
Data entry	CFM4.2 Technician or pharmacist indicates that a CS order is discontinued for a patient whose order should not be discontinued, creating an opportunity to retrieve and divert CS previously delivered to the hospital floor	X	X	2, 3, 6
4.2 Retrieve CS from inpatient pharmacy stock
Data entry	CFM4.3 Technician programs CS vault to retrieve a greater or fewer number of unit doses than suggested on the ADC refill list based on minimum and maximum levels for each ADC, creating an opportunity to gain access to a greater quantity of CS	X	X	1, 2, 2
Verification	CFM4.4 An incorrect number of unit doses retrieved or left in the vault is entered and confirmed as being correct during the blind count back, creating a discrepancy and hindering accurate documentation	X	X	1, 3, 3
Data entry	CFM4.5 Technician does not log out of vault after retrieving medication, creating an opportunity for another individual to gain unauthorized access to the vault under the technician’s login information	X	X	2, 2, 4
Verification	CFM4.6 Second technician fails to verify the retrieved medications against the printed receipt listing the items retrieved from the vault, enabling a discrepancy to go unnoticed	X	X	2, 3, 6
Verification	CFM4.7 The second independent check by a technician to verify the retrieved medications does not occur, allowing a discrepancy to go unnoticed and creating an opportunity for the wrong medications to be delivered	X	X	2, 3, 6
Handling	CFM4.8 Medications are unobserved and accessible for tampering or diversion once the items are retrieved from the vault and waiting to be delivered to the hospital floors Control4.8: Site 1 stores the retrieved CS in a locked cart before being checked by a second technician and delivered to the hospital floors. This is the same cart that is used during the delivery at Site 1. Site 2 places the drugs on an unlocked cart in opaque containers.	C	X	3, 3, 9
4.3 Deliver CS to hospital floors
Verification	CFM4.9 Witness does not verify that the medication being added to the ADC cubbie is the same as the name of the medication on the screen and/or stated by the technician, allowing for the incorrect drug to be placed in the wrong cubbie and creating an opportunity to divert the CS and fill the cabinet with another drug	X	X	2, 3, 6
Verification	CFM4.10 Witness does not verify the count of unit doses already in the ADC cubbie before additional unit doses are added, creating an opportunity to introduce a discrepancy	X	X	2, 3, 6
Verification	CFM4.11 Number of unit doses counted/accepted incorrectly by the pharmacy technician and the witness, creating an opportunity to introduce a discrepancy	X	X	2, 3, 6
Data entry	CFM4.12 No reason is entered into the ADC to explain an adjustment to the count or discrepancy in the count, compromising accurate documentation and hindering investigations into discrepancies	X	X	2, 3, 6
Data entry	CFM4.13 The incorrect expiry date is entered into the automated dispensing cabinet, causing a delay in retrieving expired or expiring medications (if input later date than correct expiry date) or enabling individual to retrieve medications prior to their expiry date for diversion (if input earlier date than correct expiry date)	X	X	1, 3, 3
Data entry	CFM4.14 Technician does not log out of the ADC on hospital floor after placing medications in cabinet, creating an opportunity for another individual to gain unauthorized access the ADC	X	X	2, 3, 6
Handling	CFM4.15 Technician does not return discontinued medication to the inpatient pharmacy, instead diverting the CS	X	X	3, 3, 9

HS, Hazard score; P, probability score; S, severity score.

Table 4 describes the CFMs according to the MUP tasks and flags the site from which they were identified. There were 3 CFMs that applied only to 1 site because the other site had a control in place (i.e., mechanism that mitigates the severity of the CFM, prevents the CFM from occurring, or increases the likelihood that it would easily be detected). One of the controls prevents the handling of CS by using a locked cart to store medications once they are removed from the vault and 2 controls prevent discrepancies using additional independent manual checks.

DISCUSSION

We identified 34 CFMs across 4 stages of the MUP that increase the vulnerability of inpatient pharmacies to diversion. The CFMs describe how subtasks in the MUP can fail and be used to gain access to CS and compromise accurate accounting of the medications. The CFMs and their corresponding effects (e.g., purchasing an excess of CS for the inpatient pharmacy stock or permitting unsupervised access to CS storage areas) are consistent with the contributors to diversion described in the literature.[2] Our analysis largely identified the same CFMs at both sites. This is likely due in part to the nature of the tasks conducted by the pharmacy, which are heavily guided by professional practice standards and hospital policies and procedures, as well as the use of ADCs and CS vault systems at both sites. The similarity in findings suggests that there are key subtasks that are vulnerable to diversion, and these vulnerabilities may be similar in other inpatient pharmacies at large hospitals using ADCs.

We found that the CFMs we identified grouped into 3 categories: handling CS, data entry, and verification, which support consideration of specific interventions applying to each category.

The CFMs related to medication handling capture unsupervised CS awaiting the next step in the pharmacy workflow (e.g., CS awaiting entry to the vault or delivery to patient care areas on hospital units). Although the pharmacy is typically considered a secure area, it is possible for unauthorized entry to occur or for pharmacy staff themselves to divert unsupervised CS. Most of the handling CFMs were identified in the tasks for the distribution of CS to the ADCs on hospital units. This is not surprising, as this process includes numerous handoffs between staff as well as the transportation of CS outside of the secure pharmacy area. During the distribution process at site 1, we observed that CS retrieved from the vault are placed in a locked cart (CFM4.8). The locked cart provides a physical barrier, preventing unauthorized access to the CS and maintaining the physical security of the CS before being placed in the ADC. There are security cameras in both hospital sites. The video recordings are not proactively audited, but the presence of the cameras may act as deterrents and the recordings are used when an investigation is required. Greater adoption of locked carts to transfer CS between secure areas, electronic locks restricting access to CS storage areas, and cameras for surveillance of areas with high diversion risk (e.g., remote or high-trafficked areas) are relevant to these CFMs and have been suggested in diversion prevention guidelines.[4,17]

A subset of the CFMs related to data entry highlight the risks of failing to log out of electronic systems, allowing CS ordering, dispensing, and transaction verification to occur under another practitioner’s username and creating an incorrect audit trail. Shortening the time to automatic log out has been suggested in previous guidance to minimize the risk of users accessing medications or creating transaction records under another individual’s username.[17] A control not yet discussed in drug diversion literature is proximity-based authentication methods in addition to passwords, such that when users are no longer in close proximity to electronic systems, it automatically logs them out. Another approach not discussed in the literature is for staff members to review a list of transactions associated with their electronic identity, perhaps at the end of their shift, thereby enabling the identification of fraudulent use of their credentials.

The CFMs related to verification highlighted 2 types of failures: omission of double checks allowing accounting errors to propagate or double checks that intentionally or unintentionally fail to detect inaccuracies. Electronic systems may be useful for the first issue, as they can ensure a second check has been “signed off” before allowing the next task to be performed. Solutions for the second issue are divided between prevention and detection. For example, many of the verification tasks we observed allowed the second staff member (i.e., double checker) to verify CS transactions without the first staff member present. One preventive solution could be requiring the first and second staff member to simultaneously maintain line of sight on all CS being verified, as this could deter tampering or pilferage by an unsupervised double checker. Having additional double checks implemented in the process may serve to detect issues that were missed during the first verification steps. For example, at site 1, we observed additional verification steps not conducted at site 2, which would detect discrepancies between what was delivered to the inpatient pharmacy and what was purchased according to the packing slip or invoice (CFM2.2). However, adding double or triple manual checks to a process may decrease efficiency and even increase the risk of diversion by increasing the number of individuals who handle the CS and have access to the documentation. In the future, technology may become increasingly capable of conducting the independent double checks of CS via camera systems, weight sensors, and counts by radio frequency identification. At the time of this article, the available technology is better positioned to support human auditing (e.g., photographs, video, weight) by creating accurate records of CS product integrity or inventory counts at various stages of the MUP.[28]

Our findings contribute to, and are consistent with, recent literature investigating process failures and safeguards with regard to hospital diversion.[2,24,25] For example, a recent failure mode and effect analysis proposes that many of the pharmacy process failure modes that create vulnerabilities for diversion in the hospital could be prevented using surveillance reports, such as discrepancy trends by medication, whereas others would require implementation of monitoring tools (e.g., cameras) or changes to workflows.[25] A Canadian hospital self-assessing its practices produced similar findings, including the need for secure transport boxes.[24] These interventions would address many of the CFMs identified in our study and are also consistent with safeguards described in a scoping review of diversion literature.[2] Other key safeguards include separation of purchasing and receiving roles, efforts to establish clear audit trails, controlling access to CS storage areas, and maintaining records during distribution of CS.

Recommendations in the literature and guidelines can be configured or implemented in a variety of ways, and pharmacy staff should use those that are best suited for their specific set of conditions and processes. The Institute for Safe Medication Practices describes medication error prevention tools according to a hierarchy effectiveness, which argues that controls that are designed to fix the system (e.g., forcing functions and automation) are more effective than those aimed at individuals (e.g., rules and education).[29] The 3 controls for CFMs identified at only 1 site include those with low and medium effectiveness. Although the use of a locked cart to secure CS while they are being transferred to patient care areas (CFM4.8) provides a strong barrier to access, it is low on the effectiveness scale because it relies on individuals following rules and policies to actually lock the cart and keep the key secure. Controls considered to have medium effectiveness include those that involve additional independent double checks (CFM2.2, verifying items delivered to the pharmacy against an invoice; CFM3.3, verifying the information programmed into the unit dose packager). An example of a highly effective tool that was in place at both sites is the use of ADCs and CS vaults. Automated dispensing cabinets computerize drug inventory counts and maximize the quality of the audit trail. Future improvements to prevent or detect diversion might come from enhancing the interoperability of the electronic systems in use. For example, neither site had interoperability between the systems used to procure CS, the ADC records, and the electronic health records used to document administration of medications to patients. As a result, auditing activities require manual reconciliation of CS transactions that travel “across” these systems.

Our study adds to previous knowledge of factors that contribute to increasing the risk of diversion in hospitals as it is based on an empirical observation of each step in the MUP of 2 different inpatient pharmacies, which has not been previously reported in the literature. Direct observations allowed us to describe the tasks as they were actually performed by pharmacy staff, rather than generating a task list from hospital policies or through discussion, which would have described how the tasks were expected to have been done. As a result, we were able to capture vulnerabilities that may be unique to how specific tasks are executed on a day-to-day basis, which better positions us to evaluate barriers for successful adoption of potential safeguards. Second, we observed and analyzed 2 different inpatient pharmacies to identify variations in roles, processes, equipment, and technology; this enabled us to compare and contrast between sites and strengthened our ability to identify and categorize types of failure modes. Third, we used a single team to identify and score failure modes for both sites, thereby avoiding inconsistencies encountered by others when conducting HFMEA.[30]

There are several limitations to our study. First, we were unable to independently observe every pharmacy role with a second observer because of time constraints, which limits our ability to capture variations in practice. Second, it is possible that staff behaved differently than usual while being observed (e.g., the Hawthorne effect), but such an effect likely biased our observations to identifying the best-case scenario of each pharmacy task and it would not interfere with our ability to hypothesize potential failure modes in the HFMEA phase of our study. Our intention was not to observe actual incidents of diversion. Third, we may not have hypothesized all possible strategies for diversion. Fourth, our study is limited to failure modes related to pharmacy tasks only; failure modes in different clinical units require a separate analysis. Finally, our results may not generalize to pharmacies in other facilities, where workflow may be different (e.g., both study sites had ADCs); however, the types of failure modes discussed in our study provide a starting point for other hospitals when considering the risks present in their unit and investigating any losses of CS from their facility.

CONCLUSIONS

We identified 34 CFMs in inpatient pharmacy processes involving the procurement, receiving, unit dose packaging, and distribution of CS. These CFMs relate to vulnerabilities in handling, data entry, and verification tasks. We discussed controls that may mitigate these vulnerabilities but note that additional research and development may be helpful to address some of the identified CFMs.