EUROMOD is a statistical micro-simulation meta-model to describe models of tax policies and tax benefits based on household income in European countries. This meta-model makes it possible to simulate, evaluate and compare the various policies adopted and to give an estimate of the impact of work incentives on the population of each country as well as at the level of the EU zone as a whole. It is used both to calculate the effects of existing policies and to assess the impact of tax advantage policy reforms on poverty, inequality and national budgets. 

The model is used as an instrument to conduct scenario analyses based on simulations using client statistical software, called EUROMOD, thus facilitating the work of researchers and decision-makers in order to assess the various political hypotheses. EUROMOD is a universal tool standardized for the EU: it is designed to produce models and results relevant for all European countries. 

EUROMOD is an open access tool. It consists of 3 elements: 

• the software application 
• built-in policy rules that are updated via software to reflect existing policies as of the 30^th of June each year. They enrich all the standard EUROMOD protocols 
• input micro-data which are processed by the software 

It was developed by the Institute for Social and Economic Research (ISER) at the University of Essex. Since 1^st January 2021, the management has been taken over by the Joint Research Center of the European Commission. (https://euromodweb.jrc.ec.europa.eu/  ). 

At the Belgian level, the Federal Public Service - Social Security (FOD-SZ) wants to be able, with the help of partners, to use this model to go further and work on more precise administrative data from several data sources to be able to estimate in advance a number of effects of policy reforms in the field of social protection. This concerns both the budgetary impact and an estimate of which persons and families will mainly see their income change. 
This part is called BELMOD: Tax-benefit micro simulation model for Belgium .

The BELMOD model was developed as the modernisation of MIMOSIS. This project has ended as of August/September 2022. The exploitation and further updating of BELMOD (the model, not the project) is now an operational objective of the FPS Social Security.  

Its purpose was twofold: 

• at the technical level, the project aims to modernise the current microsimulation model of the FPS Social Security (MIMOSIS) and 
• in terms of content, an inventory of policy measures to reduce the non-take-up (NTU) of social rights in Belgium will be drawn up 

The additional data sources currently are: 

• administrative data from both the Labor Market & Social Protection data warehouse 
• data from the Federal Public Service - Finances: STIPAD/CADNET heritage cadaster and data from IPCAL tax returns (citizens' tax calculation sheets) 
• STATBEL data 

The BELMOD model is managed by the FOD-SZ and was developed in collaboration with the Federal Planning Bureau, the KU Leuven and the University of Antwerp.

In this context, healthdata.be was asked to implement and provide a “Desktops-as-a-Service” platform enabling external researchers to access and analyze data remotely in a secured environment. 

The remote access system (Citrix environment) should allow users to remotely operate the EUROMOD software and to consult the BELMOD output without them being able to copy the data. Moreover, since the output of the microsimulation model are also .txt files with data on an individual level, it must not be downloadable. Data are stored on a file server, not in databases. 

The SCN-P-XAWBELMOD machine is an isolated server without access to the Internet.

Several organizations, depending on the projects, will use the BELMOD environment.

KSZ and FOD-SZ will upload the data on the HD SFTP server in the BELMOD_IN folder. An automated process will then move the uploaded files to the BELMOD server in the corresponding BELMOD_IN folder.  

This data will be accessed via the Citrix machine SCN-P-XAWBELMOD for analysis by the researchers. The generated reports are placed in a validation directory by researchers. Only a data publisher can validate the data and move the file(s) to the export directory of the corresponding project.  

Afterwards the files will be automatically uploaded to the SFTP server BELMOD_OUT directory. 

The users will access the Citrix environment through the VPN remote.healthstat.be making use of their provisioned accounts on Active Directory (AD).  

 

The connection gets checked in through the Citrix controller (WIV-P-DDC01), then users get access to the BELMOD server where the applications are installed. These applications are used to carry out the analysis. 

The BELMOD server is placed in its own OU, separated from all other XAW servers. 

Users are grouped in AD. These groups are all under the same OU. The SCN-P-XAWBELMOD server is accessed by two different types of accounts. These types are:

• Normal users: "BELMOD users SCN-P-XAWBELMOD" 
• Limited users: "BELMOD users SCN-P-XAWBELMOD limited users" 

As it stands, the normal users are allowed to connect to the desktop version of the server. Limited users may only connect to the EUROMOD published application. The limited users are also further restricted in their usage of the server, as they cannot use things like the recycling bin, control panel etc. Furthermore, all users are restricted from accessing the different drives on the server. 

Users are grouped in so-call "global groups" in AD. These global groups are all under the same OU. 

The computer object and the different user groups are all located in the DHD.local domain.

General description of the application UM-EM

User manual of the application UM-EM

Technical manual of the application UM-EM

Support services UM-EM

Local manager of UM-EM

Service and Support portal of healthdata.be (Sciensano)

General description of the eHealth TTP service

User manual of the eHealth TTP service

Technical manual of the eHealth TTP service

Support services eHealth TTP service

Support portal of eHealth

General description of the application eHBox

User manual of the application eHBox

Technical manual of the application eHBox

Support services eHBox

Local manager of eHBox

Support portal of eHealth

General description of the application eHBox client

User manual of the application eHBox client

Technical manual of the application eHBox client

Support services eHBox client

Local manager of eHBox client

Support portal of healthdata.be (Sciensano)

Within the BELMOD Desktop application (SCN-P-XAWBELMOD machine) the following restrictions apply to all users: 

• no internet access 
• no access to the C:\ drive 
• unable to check and modify file or directory properties
• unable to install software 
• unable to turn off or restart the server 
• no copy-paste between the BELMOD server and local machine 

There are two distinctive type of applications users: 

• Euromod application users: have access to the Euromod Citrix application. 
• Full application users: have access to the BELMOD Citrix Desktop application containing all requested applications (including EUROMOD) – see full list via section 6. 

There are also Local Administrators. They have extra privileges and have access to all the files and directories on the E:\ drive.

Note: Should the local administrators need a new project to be created, an RFI must be reported via Service Now (see section How to create and submit a request for information) with the project name, corresponding directories and users requiring access to that project and in which group(s) they need to have access to. 

Users have access to the Citrix server via following link →  https://remote.healthstat.be/vpn/index.html

Note:  If new credentials are required, a local Administrator has to create and submit a Service Now ticket (see section How to create and submit a request for information) with the following information: 

• First Name. Last Name 
• Phone number 
• E-mail address
• Citrix limited user or Citrix full access user 
• User access → member of which group(s) 

The E:\ drive has a continuous backup available. 
Users can restore their own deleted files via the ‘recycle bin’ application. 
If it is not possible to recover a file, a Service Now ticket can be created so that healthdata.be can forward the restore request to Arxus. 

The healthdata.be service (Sciensano) processes each incident report according to a standard operating procedure (SOP). A public version of this SOP "HD Incident Management Process" is also available on this portal docs.healthdata.be. 

To submit an incident related to projects and applications in production and facilitated or managed by Sciensano's healthdata.be service, you must first log into the HD Service and Support portal: https://sciensano.service-now.com/sp.

After the login step, you will arrive at the main page of the portal. 

When logging in for the first time, you will have to complete your profile e.g. with contact data, in order to follow up on your ticket. Once the profile has been submitted, you want to return to the main page of the portal.  

On the main page, you must select "Get Help". 

The following Create incident page will appear. 

You can now document your incident or problem by providing the following information: 

 
Indicate the Urgency of resolving your issue based on its criticality to the business. 

After selection of the Role you take up, a list of Applications relevant for you becomes available: select the application you are experiencing a problem with. 

Search and select the desired Project by entering a key word, the HD project number or the project abbreviation. 

Now, describe clearly and briefly (1 sentence) the subject of your problem. 

Please describe the problem in detail. The following aspects are important for us to understand and solve the problem: 

• a description of the actions you want to perform but fail to perform (e.g. provide us with a field name, a validation rule, a button, etc.) 
• a description (if possible) of the sequential steps you follow to use the service or the application of healthdata.be for which you need support; 
• a brief description of the technical problem you are experiencing (e.g. error messages) 

We strongly recommend that you add a screenshot describing the problem (IMPORTANT: Do not provide us with patient data!). 

You can add the screenshot by clicking on "Add attachments". 

On the right side of the form, the mandatory information items of the incident form are listed. When these fields are completed, their names disappear from the "required information" box. 

The form can only be submitted if all required fields are filled in, by pressing the green "Submit" button. 

If all required fields have not been completed, a warning message will appear at the top of the form. 

In addition, missing mandatory fields will be highlighted in green. 

When the incident form has been successfully submitted, a preview of your submission appears in a new screen. 

On the right side of the screen you will find the details, including the incident number. 

On the left side of the screen, you will find a chronology of your incident processing, starting with your creation. 

To submit a request for information, please follow the healthdata.be work instructions described underneath.

Procedure overview diagram

Procedure as work instructions

STEP 1. User requests an information

Action: A user requests an information. This can be : 

• An explanation on a project, … 

• A list 
• … 

STEP 2. Service Desk creates a ticket Request For Information

Action: If the user did not create a ticket from the portal, the Service Desk creates a ticket, of type Request for Information on behalf of the user 

Mandatory fields are the subject and description. 

The request is submitted by clicking on ‘Order now’

STEP 3. Service Desk investigates the request and enriches the request 

Action: Service Desk opens the requested item, linked to the request, and investigates the needs of the requestor. If necessary, the Service Desk will add clarification info in the customer communication, which is visible for the user. 

STEP 4. Fulfill the request 

Action: If the Service Desk knows how to fulfill the requested item, they will execute the action. If they do not know how, they will first investigate if they are able to fulfill the requested item or if they have to assign the requested item to another assignment group (step 6)

STEP 5. Set the requested item to ‘Closed Complete’ 

Action: Service Desk or 2L-assignment group will inform the user by entering a user friendly comment in the ‘customer communication’ field and set the requested item to the state ‘Closed Complete’ 

STEP 6. Assign the requested item to L2-group 

Action: if no fulfillment possible, the Service Desk will assign the requested item to a L2-assignment group. 

STEP 7. Fulfill the request 

Action: the L2-assignment group will fulfill the requested item and execute step 5. 

WHAT IS THE PROBLEM?

Sciensano blocks e-mails from organizations if the configuration of their e-mail and/or DNS services allow potential abuse by spammers/attackers. More specifically, if the configuration enables other senders to impersonate your organisation by allowing them to mimic your organization’s e-mail “Header From”.

In other words, they can send phishing and spam mails that cannot be distinguished from genuine mails from your organization.

If you’re responsible for managing your ICT infrastructure, keep reading. If not, pass this message on to your ICT department or to the ICT service that’s managing your ICT infrastructure.

HOW TO SOLVE IT?

You’ll have to verify that your configuration complies with “Sender Alignment” security requirements.
More specifically, your mail services and DNS will have to be configured according to ICT standards.

These configurations are common, well-documented and supported by hosting companies. Some useful links:

• https://dmarcian.com/alignment/
• https://mxtoolbox.com/dmarc/spf/spf-alignment
• https://o365info.com/how-does-sender-verification-work-how-we-identify-spoof-mail-the-fiveheros-spf-dkim-dmarc-exchange-and-exchange-online-protection-part-9-of-9/

We’ve noticed that this issue frequently occurs in organizations which moved their ICT infrastructure to cloud services such as Microsoft (O365), Amazon, Google, and MS Azure without properly configuring the ICT infrastructure which is not managed by these providers.

The configurations and recommendations need to be implemented on the customer’s ICT infrastructure, either internally or externally. DNS and Mail services are the main ICT platforms for these actions.

THE USE OF DIFFERENT DOMAINS IN THE MAIL SENDING PROCESS

E-mails contain an “Envelope From” and a “Header From”. Both need to match to avoid that the mail is blocked.

Some examples:

1. A public service is using its new domain name in the “Header From” and its old domain name in the “Envelope From”.

• Envelope From = noreply@publicservice.fgov.be
• Header From = noreply@publicservice.belgium.be

➔ These e-mails will be blocked.

Remark: Because it’s a noreply address, the sender will not even be aware of us rejecting the e-mail …

2. An organization is using a cloud service (Freshservice) for its helpdesk tool and the “Envelope From” has not been customised.

• EnvelopeFrom = bounces+us.3.52773-helpdesk=organisation.be@emailus.freshservice.com
• Header From = helpdesk@organisation.be

➔ These e-mails will be blocked.

3. A company uses a cloud service (Amazon SES) to send the delivery notification and the “Envelope From” has not been customized.

• Envelope From = 01020188573f374-96de6437-9134-45f4-8aa6-3e9ac18d5848-000000@euwest-1.amazonses.com
• Header From = noreply@company.be

➔ These e-mails will be blocked.