To access the Entity Access Management application, you need to navigate in your internet browser to the URL https://eam.healthdata.be. The following landing page appears on your screen.

Healthdata.be applications such as HD4DP v2 and healthstat.be process sensitive personal information. Therefore, strictly controlled processes are used to grant access to these applications.

The Entity Access Management (EAM) portal of healthdata.be facilitates these processes. In this article we describe how to use it. To navigate to the EAM application, enter the URL https://eam.healthdata.be in your internet browser.

Note: As the documentation of the EAM portal is being updated on a regular basis, please be advised to check the Release notes first.

Select one of the following capacities that suits your position in order to request access to an HD application:

• End-users
• Single IT points-of-contact, also 'IT SPOC'
• International users

Standard End-users

To request access to healthdata.be applications (such as HD4DP v2 and healthstat.be) as a standard end-user, you need to click on REQUEST ACCESS in the blue text box in the middle of the screen.

You will be directed to the next screen, where you select the button Log in with eID.

Clicking on this button leads you to the government's Federal Authentication Service (FAS), where you can log in with multiple digital keys with eID or digital identity.

If you choose to connect with ItsMe, you can enter your cell phone number.

Follow the instructions on your mobile device via the ItsMe application.

Once you have run through the ItsMe login procedure, you want to select the green confirmation button (available in FR and NL) in the screen below to access the Sciensano environment.

After selection of the confirmation button, you are logged in to the EAM portal as indicated by the My profile and Log out options that appear at the top-left of your screen.

When selecting the REQUEST ACCESS link in the blue highlighted text box, in order to fill out the Request access form, the following message appears:

Click on the My profile link in the message to go to your profile page:

Validation of this user profile is necessary in order to enter and complete the Request access form.
Start with selecting the Edit tab to complete your profile information.

Next to the profile information that is automatically prefilled based on your eID data, you need to complete the following fields:

NIHDI Number: Your NIHDI number, if available.

Organization: Add the organization(s) you are affiliated with. This field includes the name and NIHDI number of the organization.

Email address: Mandatory field for which the content can't be retrieved from the eID. Your email address will be used for communication regarding the profile validation and access request.

State: Select one of the options (see image underneath):

• Draft: This status indicates that you have not finished completing the profile fields yet. Only you can see the filled in data at this stage. Modification of the profile information is restricted to the status "Draft". You can however Save profile information as Draft to finalize and send it for validation at a later point in time.
• Validation Requested: The provided user profile information is complete and you want to send it for validation to the SPOC.

Click on the Save button to send your profile information to the SPOC. An Access Denied message appears on the screen, indicating you can't modify your filled in and sent profile information anymore.

When you now return to the My profile page you will see that your user profile has the pending status. Also, the Edit tab has disappeared, preventing from further modifications:

Your user profile will soon be validated by the IT SPOC of your organization, which will look as follows:

After validation of your profile by the SPOC, you select Home to return to the EAM portal page.

Attention: Do not select the button "Request SPOC rights", since this leads you to the process of requesting access as a SPOC.

In the EAM portal page you want to select the REQUEST ACCESS link in the blue highlighted text box again.

Select the hospital you are affiliated with for the application(s) and project(s) you want to request access to.

You can now start completing the Request Access form.

Please fill in all required fields (indicated with a red asterisk *), make a selection in the mandatory drop-down lists and, optionally, tick the check boxes for additional help and/or information.

Type of login field:

If you select "Belgium resident" for the field “Type of Login”, entering the mobile phone number is optional.

If you are a "Non-Belgium resident", the Mobile phone number field becomes mandatory to allow for the two factor authentication:

'Role of requestor in project' field

Select your role in the project: Local Study Lead, Local Study Associate or Local Study Support.

Your role determines your access options in the HD application for this project and does not necessarily corresponds to the staff structure within your organization. Read more about the scope of the roles in User roles in HD4DP v2.

'Author group user belongs to' field

When selecting Local Study Lead or Local Study Associate the data entered in the previous fields First name of the requestor and Last name of the requestor are automatically used to create your Author Group.

When selecting Local Study Support an extra field appears: Author group user belongs to. This field contains a drop-down list with Author group names. Select the one that applies to your profile. The author group names list is automatically populated and specific to the organization you have selected above.

HD4DP2.0 field

Click in the field under HD4DP2.0 if you want to access the application to make registrations for the selected project:

Healthstat.be field

Click in the field under healthstat.be if you want to access the reporting of the selected project:

It can happen that a user inadvertently submits requests for access to the same applications and/or projects. The requests are screened for duplicates by checking on organization number, role, author group and project code. In case duplicates are detected, the end-user will receive the following message:

Once you have completed the Request Access form, click on the Submit button. When the submission was successful, you will receive a confirmation message.

Single IT points-of-contact (IT SPOC)

A single-point of contact or SPOC is a role that extends beyond the function of a VTE/RAE. More specific, it can be any employee within an organization whom this role has been assigned to.

To request access to healthdata.be applications such as like HD4DP v2 and healthstat.be as a single-point of contact (SPOC), you want to select GIVE ACCESS in the white text box to the right of the screen.

If you have not yet requested access to these forms, and therefore are not recognized as a user with the SPOC role, you will receive the following message:

In this case you want to select My Profile (top left in the menu) and click on the button Request access (soon: "Request SPOC rights").

The Request access [RAE] screen pops up.

Fill in all requested fields and click on the Submit button.

After submission of the RAE form healthdata.be support carries out a background check considering your SPOC authority within the organization mentioned, and will send you a confirmation e-mail with a special token. Once you have received this token, return to the My Profile page and select the button Enter access token.

The Access token screen appears:

Fill in the NIHDI code for your organization and the access token you received per e-mail. After clicking on Submit, you will be redirected to the EAM portal page, where you again select GIVE ACCESS.

The ACCESS REQUEST form appears. By filling out the requested fields, a SPOC is able to give access to users within their organization who want to access a healthdata.be application (HD4DP2.0 or Healthstat).

Once you have completed the Access Request form, click on the Submit button. When the submission was successful, you will receive a confirmation message.

If you now return to My profile, you will see that it has been extended with the information "Responsible Access Entry" under User role(s). Also the tabs Profiles, Requests, Batch create requests and Edit have been added.

The Profiles tab of the validated SPOC profile offers the possibility to Search, Select and Sort profiles. Selected user profiles in the list can be Validated or Rejected via the Action drop-down menu.

In the Requests tab the SPOC can manage the overview of requests. More information is to be found on SPOC actions upon a request.

See documentation under Give access to multiple users in batch for more information on the Batch create requests tab.

Saved user profile information can't be modified, unless upon action of the SPOC. The Edit tab offers the option to enter the NIHDI number, add organizations, modify the email address and toggle the state between Validated or Rejected. Select the Save button to install the new profile information.

International users

For international users a link to a special form will be provided:

https://eam.healthdata.be/forms/hd_eam_access_request_user_int

Selecting this link redirects you to a more extensive Request Access form. Fill in all required fields (indicated with a red asterisk *), make a selection in the mandatory drop-down lists and, optionally, tick the check boxes for additional help and/or information:

After submitting the form, an e-mail is sent to the Service Desk staff for an identification and authorization process. If the request is approved, the international user receives an e-mail with account information. International users, however, are not able to log in, nor can they consult overviews of requests at this moment.

This documentation is being updated regularly. We try to provide as correct, complete and clear as possible information on these pages. Nevertheless, if you see anything in the documentation that is not correct, does not match your experience or requires further clarification, please create a request (type : request for information) via our portal (https://sciensano.service-now.com/sp) or send us an e-mail via support.healthdata@sciensano.be to report this documentation issue. Please, do not forget to mention the URL or web address of the page with the documentation issue. We will then adjust the documentation as soon as possible. Thank you!

The healthdata.be service (Sciensano) processes each incident report according to a Standard Operating Procedure (SOP). A public version of this SOP "HD Incident Management Process" is also available on this portal docs.healthdata.be.

To submit an incident related to projects and applications in production and facilitated or managed by Sciensano's healthdata.be service, you must first log into the HD Service and Support portal: https://sciensano.service-now.com/sp.

After the login step, you will arrive at the main page of the portal.

On the main page, you must select "Get Help".

A new page with the title "Create an incident" will appear.

You can now document your incident or problem by providing the following information:

Please indicate the urgency of resolving your issue based on its criticality to the business.

Please indicate the type of problem you are experiencing.

When the problem type "Application" is selected, two additional fields appear: "Project Name" and "Application".

Please select the appropriate information.

Please describe clearly and briefly (1 sentence) the subject of your problem.

Please describe the problem in detail. The following aspects are important for us to understand and solve the problem:

• a description of the actions you want to perform but fail to perform (e.g. provide us with a field name, a validation rule, a button, etc.)
• a description (if possible) of the sequential steps you follow to use the service or the application of healthdata.be for which you need support;
• a brief description of the technical problem you are experiencing (e.g. error messages)

We strongly recommend that you add a screenshot describing the problem (IMPORTANT: do not provide us with patient data!).

You can add the screenshot by clicking on "Add attachments".

On the right side of the form, the mandatory information items of the incident form are listed. When these fields are completed, their names disappear from the "required information" box.

The form can only be submitted if all required fields are filled in, by pressing the green "Submit" button.

If all required fields have not been completed, a warning message will appear at the top of the form.

In addition, missing mandatory fields will be highlighted in green.

When the incident form has been successfully submitted, a preview of your submission appears in a new screen.

On the right side of the screen you will find the details, including the incident number.

On the left side of the screen, you will find a chronology of your incident processing, starting with your creation.

To request information about the healthdata.be platform, you first need to log in to the HD Service and Support portal: https://sciensano.service-now.com/sp.

After the login step, you will arrive at the main page of the portal.

On the main page select "Request something".

A new page with the different types of request will appear.

Select the box "Request for information about HD".

A new page with the titles of the Request for information about HD will appear.

You can now document your request by providing following information:

Provide a short and clear description of your request for information (1 sentence).

Provide a detailed description of your request for information.

If available, please upload additional documents relevant for this request for information about HD.

On the right side of the form, the required information elements of the request form are listed. When these fields are completed, these field names will disappear in the "required information" box.

Only after all required fields have been completed, a form can be submitted by selecting the green Submit button.

If not all required fields were completed a warning message will appear on top of the form.

Also the missing required fields will be highlighting in green.

When the request form was successfully submitted, an overview of your request will appear in a new screen.

On the right of the screen, you will find the details , including the Request number

On the left of the screen, you will find a timeline of the handling your request, starting with your creation.

WHAT IS THE PROBLEM?

Sciensano blocks e-mails from organizations if the configuration of their e-mail and/or DNS services allow potential abuse by spammers/attackers. More specifically, if the configuration enables other senders to impersonate your organisation by allowing them to mimic your organization’s e-mail “Header From”.

In other words, they can send phishing and spam mails that cannot be distinguished from genuine mails from your organization.

If you’re responsible for managing your ICT infrastructure, keep reading. If not, pass this message on to your ICT department or to the ICT service that’s managing your ICT infrastructure.

HOW TO SOLVE IT?

You’ll have to verify that your configuration complies with “Sender Alignment” security requirements.
More specifically, your mail services and DNS will have to be configured according to ICT standards.

These configurations are common, well-documented and supported by hosting companies. Some useful links:

• https://dmarcian.com/alignment/
• https://mxtoolbox.com/dmarc/spf/spf-alignment
• https://o365info.com/how-does-sender-verification-work-how-we-identify-spoof-mail-the-fiveheros-spf-dkim-dmarc-exchange-and-exchange-online-protection-part-9-of-9/

We’ve noticed that this issue frequently occurs in organizations which moved their ICT infrastructure to cloud services such as Microsoft (O365), Amazon, Google, and MS Azure without properly configuring the ICT infrastructure which is not managed by these providers.

The configurations and recommendations need to be implemented on the customer’s ICT infrastructure, either internally or externally. DNS and Mail services are the main ICT platforms for these actions.

THE USE OF DIFFERENT DOMAINS IN THE MAIL SENDING PROCESS

E-mails contain an “Envelope From” and a “Header From”. Both need to match to avoid that the mail is blocked.

Some examples:

1. A public service is using its new domain name in the “Header From” and its old domain name in the “Envelope From”.

• Envelope From = noreply@publicservice.fgov.be
• Header From = noreply@publicservice.belgium.be

➔ These e-mails will be blocked.

Remark: Because it’s a noreply address, the sender will not even be aware of us rejecting the e-mail …

2. An organization is using a cloud service (Freshservice) for its helpdesk tool and the “Envelope From” has not been customised.

• EnvelopeFrom = bounces+us.3.52773-helpdesk=organisation.be@emailus.freshservice.com
• Header From = helpdesk@organisation.be

➔ These e-mails will be blocked.

3. A company uses a cloud service (Amazon SES) to send the delivery notification and the “Envelope From” has not been customized.

• Envelope From = 01020188573f374-96de6437-9134-45f4-8aa6-3e9ac18d5848-000000@euwest-1.amazonses.com
• Header From = noreply@company.be

➔ These e-mails will be blocked.