Transition to NLL organizations

Please note that this document is intended for those who represent an organization, such as a region, municipality or private healthcare provider. For those who act as a private individual or individual professional user, there is a corresponding document called “Transition to NLL – Individual prescriber”

Disclaimer

We have produced this document to make it easier for our customers and their customers. The document describes how we interpret EHM's requirements and what choices we see that you as a prescriber and organization have. However, we disclaim all responsibility regarding the accuracy of our interpretation of EHM's information and any consequences of our customers' decisions.

Our interpretations may contain errors, EHM's requirements and solutions may change, and misunderstandings may arise. We therefore strongly recommend that you verify your decisions with EHM directly. EHM contact information is attached at the end of this document.

EHM's security solution for organizations

For healthcare providers and pharmacies, EHM's regular security solution applies. It is based on the following:

• Use of approved identity providers (IdP): Organizations must connect to an IdP that is connected to Sambi* or Sweden Connect*. See more information under the IdP heading below.
• Security level requirements: All connections must meet LoA3 (Level of Assurance 3) according to EHM guidelines.
• Attribute management: Organizations must be able to provide EHM with correct attributes for their users. The attributes must be managed by an approved attribute source. The HSA directory is an approved source, but it is also possible to set up your own, which must then be approved by EHM.

Both methods are based on the fact that the identification of the user is outside the system that the user is trying to use. This means security advantages and that the same identification can be used for different services. Compare, for example, with how Bank-Id can be used to log in to a number of services, which makes it easier for the user. The downside is that we as a supplier cannot solve this for our customers. 

Use of approved identity providers (IdPs)

An IdP (Identity Provider) is a service or system that handles user authentication and provides identity information to other systems or applications. IdPs are often used in Single Sign-On (SSO) and federated authentication to allow users to log in once and then access multiple services without having to enter their login credentials again.

EHM has decided that connecting organizations must be connected to Sambi or another IdP that is reviewed and approved. For most organizations, this means either connecting to Sambi, or to Ineras IdP-Plus. 

These are two different federation solutions. They are based on trust, which means that all connected organizations must meet their security requirements. Connection can be either direct or via a proxy.

Sambi is a Swedish federation solution for secure identity and access management in healthcare. It is used to ensure that digital services and systems can trust the identities of logged-in users, such as healthcare professionals who need access to patient records. Sambi is based on standards for federated authentication and enables Single Sign-On (SSO) between different actors.

Inera's IdP-Plus or Employee Identity Service IdP – Plus, which is the full name, is reviewed by Digg and follows the trust framework Swedish e-legitimation and Sweden Connect technical framework. It supports login with SITHS eID in the first version, but is planned to support other e-identifications such as Bankid and Freja+. The goal is for it to be technically compatible with the ENA federation when it goes live.

There are several different ways to arrange the IdP that will be required in the future: 

Existing own IdP

Organizations that already have an IdP can:

• Apply for connection to Sambi or Sweden Connect.
• Connect to an approved attribute source.
• Choose an authentication method that meets security level LoA3.

We recommend that you contact EHM for more detailed information.

Connecting to Inera's IdP

Inera has started a project to start a national IdP that enables connection to NLL. The solution is based on SITHS as e-identification and Sweden Connect as identity federation.

The goal is to make it easier for organizations that use SITHS to connect to NLL. Organizations that choose this path can report this to Alfa eCare and we will get back to you with costs and additional agreements. To connect, the organization also needs to meet 5 administrative requirements in the HSA declaration. These are not new but are should requirements in the HSA Trust Declaration, but are now changed to should requirements for access to NLL. See https://inera.atlassian.net/wiki/spaces/OIKH/pages/3651207389/HSA+Tillitsramverk+5.0

More information is available on the Inera website:
https://www.inera.se/aktuellt/nyheter/inera-erbjuder-losning-for-atkomst-till-nationella-lakemedelslistan/

Setting up an IdP using a third party

One solution is to use a proxy for handling IdP, attribute source and connection. The Sambi solution currently has a proxy: Svensk e-identitet. This is how they describe their services:

Svensk e-identitet has been approved as a Sambi agent since 2018 and offers two variants of agent services; Sambi Standard and the simpler and more limited service Sambi Mini. Which of these agent services suits you best depends partly on the size of the organization, partly on the number of users who need secure access via Sambi and partly on how you want to use the federation.

Choosing a connection via an agent, regardless of whether you choose Sambi Standard or Sambi Mini, minimizes your internal resource needs. To find out which type of connection suits you best, we recommend that you read this presentationYou can also contact Swedish e-identity via info@e-identitet.se.

Setting up your own IDP

For organizations that do not have an IdP, there is the option to:

• Install and configure an IdP that meets EHM requirements
• Apply for connection to Sambi or Sweden Connect.
• Connect to an approved attribute source.
• Choose an authentication method that meets security level LoA3.

Setting up your own IDP places high demands on IT and security expertise. It is a relatively complex and expensive path. We recommend that you contact EHM for more detailed information.

Transition to new connection method

Set

After an IDP is set up, it must be connected to our service. For security reasons, the service and the IDP must know each other in advance. So configuration may be needed on both sides. We will return with information on how this configuration is done.

Test

Before transitioning to the new service, we need to test that all parts of the setup are working as they should. This will be done through a new function in your medical record system. The function does nothing more than connect to the new prescription service and then to NLL. In response, you will either receive that everything went as it should or a signal about what is wrong. 

When the service is available, you will be able to run both the old recipe service and the new one for a short time. Should problems arise with the new one, you can therefore choose the old one.

Support from Alfa eCare – For those of you who are customers of Alfa eCare

Alfa eCare will call for online meetings where we will inform our customers about what this change means. The invitation will be coming soon.

Support from Alfa eCare – For those of you who use Prescription through one of our partners

Alfa eCare AB, the provider of the prescription service, offers, at no extra charge, the following support during the transition:

• Written information to our partners, which they can in turn send to their customers. This includes this document as well as information about plans and any changes.
• Information on our website. We continuously update our website with information, links to relevant information, links to our test site, plans and more.
• Test tool that can be used to test your connection. This is accessed via the journal system or on a separate test page. See the schedule below for information on when the test page is available.
• Support for our partners (journal system). As a customer of the partner, you can report problems to them, which they can in turn, if necessary, pass on to us.

Alfa eCare unfortunately cannot offer free support or advice to our partners' customers. For those customers who want more help, we can either recommend that you turn to companies that specialize in this, such as Svensk e-identitet, or we can offer the following packages:

Support package for transition to NLL

• A review of the transition based on your situation in an online meeting.
• Support with setup and testing.
• Limited support. Support is provided upon connection to us. For example, we can investigate what is missing, errors in attributes or responses from EHM if something goes wrong in that regard. However, we cannot help you with configuration of your IDP or similar issues.
• Sending information directly to you. As soon as we have more information about schedules or from EHM, Inera or other actors, we will forward it to you.

Contact your existing supplier for pricing and ordering.

Guide for transitioning to Prescription NLL

As an organization, you must go through the following steps:

• Analyze your current authentication and IDP solutions.
• Select connection method (own IDP, Inera or agent).
• Set up IDP
• Register your IDP with us
• Register our service in your IDP
• Perform connection tests
• Educate your users on news in Recipe NLL
• Run Recipe NLL in parallel with the previous version and verify that everything works without problems
• Switch completely to Recipe NLL