EpiSoft & epi-me / eAdmissions Cybersecurity Features - Two Factor Authentication and Single Sign On (SSO)

Purpose

This article explains the cybersecurity features EpiSoft offers for login by healthcare provider staff to either of its EMR or epi-me (also known as eAdmissions) applications.

> Patient login is out of scope of this article

From 30 June 2023, EpiSoft no longer offers a username / password-only login method; organisations instead take up either Two-Factor Authentication or SAML-based Single Sign On.


After reading this article, healthcare providers should know:

1a. How to adopt Two Factor Authentication ("2FA") for Staff Login, and

1b. How to strengthen the minimum password complexity for Staff

OR

2. How to adopt SAML-based single sign on for Staff Login


Notes on Terminology

Two Factor Authentication refers to the use of a separate 'passcode' to authenticate access to an online system, in addition to a username and password. In the EpiSoft example, the passcode is a time-limited code issued via publicly-available smartphone authenticator apps which are linked to a user's smartphone.

SAML refers to Security Assertion Markup Language and is a standard used to transfer identity data between an identity provider and a service provider. EpiSoft is the service provider, and the identity provider is typically hosted by the healthcare provider.


Prerequisites

1. If your organisation does not already have a SAML-compatible identity service, then only options 1a and 1b above are currently available to you.

2. Options 1a and 1b require each of your organisation's staff accessing epi-me to have a smartphone available whenever they need to access epi-me.

________________________________________________________________________________________


1a. Two-Factor Authentication for Staff Login

This is for staff login and does not affect patients using the epi-me portals.

All organisations (except organisations that wish to implement SAML authentication instead) are encouraged to adopt this additional user authentication measure for added security.


Regardless of the organisation's adoption state, all EpiSoft support staff access to any customer production environment is protected by 2FA.

Each organisation can choose whether to have 2FA enabled. The 2nd factor will be remembered for that user, on that device and in that browser, for 30 days, after which the user will be asked to enter the validator code again. Your users can tick 'remember me' so they are not prompted for the second factor at every login.

The user will be asked for the 2nd factor (code from app) again if:
1) they use a different device to access epi-me
2) 30 days have elapsed since their last 2FA check
3) they clear their browser cookies
4) they use a different browser (for example, switching from Edge to Chrome)

Tip! Please ensure your users are aware they should never select 'remember me' on a shared computer or any other device that is not secure and unique to them.
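The behaviour described above can be pinned down in code. The following is an added example written for this article, not EpiSoft's code: a standard TOTP check (RFC 6238 with HMAC-SHA1, six digits and a 30-second step, which is what Google Authenticator uses for a QR-code enrolment; the article itself does not name the algorithm, so that is an assumption) and a server-side 'remembered device' store whose token is bound to one user, one device and one browser and expires after 30 days, so that each of the four re-prompt conditions falls out of a single check. Device identifiers and usernames in the usage are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Added example; not EpiSoft's code. Assumes the authenticator app implements
# standard TOTP (RFC 6238: HMAC-SHA1, 6 digits, 30-second step), which is how
# Google Authenticator handles a QR-code enrolment.
TOTP_STEP = 30
TOTP_DIGITS = 6
REMEMBER_SECONDS = 30 * 86400  # the 30-day 'remember me' window from the article


def totp(secret_b32, at):
    """Six-digit code for a base32-encoded shared secret at Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // TOTP_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def verify_totp(secret_b32, submitted, at=None, skew=1):
    """Constant-time comparison against the current step and `skew` neighbours
    on either side, tolerating small clock drift on the phone."""
    at = int(time.time()) if at is None else int(at)
    ok = False
    for n in range(-skew, skew + 1):
        # Evaluate every candidate so timing does not reveal which step matched.
        ok |= hmac.compare_digest(totp(secret_b32, at + n * TOTP_STEP), submitted)
    return ok


class RememberedDevices:
    """Server-side store behind the 'remember me' tick box.

    A token is bound to one user, one device, one browser and a 30-day expiry.
    Clearing cookies loses the token, a different device or browser never
    presents it, and an expired one is rejected; each case re-prompts for the
    second factor, matching the four conditions listed in the article.
    """

    def __init__(self):
        self._tokens = {}  # token -> (username, device_id, browser, expires_at)

    def issue(self, username, device_id, browser, now):
        token = secrets.token_urlsafe(32)  # value the browser keeps in a cookie
        self._tokens[token] = (username, device_id, browser, now + REMEMBER_SECONDS)
        return token

    def needs_second_factor(self, token, username, device_id, browser, now):
        entry = self._tokens.get(token)  # None once cookies are cleared
        if entry is None:
            return True
        t_user, t_device, t_browser, expires_at = entry
        if (t_user, t_device, t_browser) != (username, device_id, browser):
            return True
        if now >= expires_at:
            del self._tokens[token]
            return True
        return False
```

The remembered-device token is a random value that lives only in the browser cookie and the server table; nothing about the user or the TOTP secret is encoded in it, which is why clearing cookies, switching browser or switching device all lead back to the authenticator app.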


Before any organisation can implement 2FA, your organisation will need to confirm an implementation plan, and relay this plan to all end-users well ahead of implementation. All organisations must have the available support to assist your end-users in re-authenticating their EpiSoft accounts to ensure business continuity.

In preparation for switching on 2FA, please ensure you have completed the following checklist:

1. All your users are using a modern supported browser (Chrome, Edge, Firefox). We do not guarantee this function will work on IE11, for which we are in the process of withdrawing support.

2. All your users have a Smartphone

3. All your users have downloaded an Authenticator App of your organisation's choosing

Important! EpiSoft recommends Google Authenticator as it has been tested for compatibility with EpiSoft. This does not mean you cannot use another authenticator app; it just isn't guaranteed to be supported.




If you are planning on implementing two-factor authentication, please let us know via help@episoft.com.au so that we can schedule an implementation plan with you. We will need to stagger the roll-out across different customers in order to provide dedicated assistance to you and your end users, as it will be a login change for your end users.


Once you have completed the checklist and we have jointly agreed a date for implementation, we will switch this function on for you.

Once the functionality is enabled for your organisation or community, all existing users will be prompted at their next login to scan the QR code that adds EpiSoft to their authenticator app and obtain a validator code from it.

All new EpiSoft users will be sent a Registration email (from mp-reply@episoft.com.au) that contains their username, plus a link to finalise their password and 2FA credentials.

Once the link from the email has been clicked, users will confirm their password, as well as their two security questions and answers, which are essential when retrieving forgotten passwords.

Users will then be displayed the page below, where they will be required to complete the final step of the 2FA process.


The QR code scan should take you to your Authenticator App to complete the setup. If it does not do this automatically, open your Authenticator App; there should be a little PLUS (+) sign in the bottom right. Clicking it gives you the option to scan the QR code from within the app.

If you have multiple login accounts to EpiSoft, you may need to do this for each of them. You can store two-factor validator codes for all your different usernames in the same app.

Frequently Asked Question - What if my staff get a new phone?

If your staff change phones after implementing two-factor authentication, then once the Authenticator app is installed on the new device they will need to contact your local EpiSoft administrator (not EpiSoft), who can reset the account to 'not configured for 2FA' so that the QR code is reissued at the next login.

System administrators - before resetting a user's 2FA configuration by editing the user and hitting the button, please use the challenge questions and answers to verify the end user's identity if you are not familiar with the end user.

Please ensure you follow the app instruction steps to remove the login token from your old phone.



1b. Minimum password complexity for Staff Login


In addition to Two Factor Authentication, EpiSoft can configure a custom minimum password complexity rule (e.g. minimum password length, whether special characters are required) to support your organisation's password policy.


Frequently Asked Question - When will this password complexity rule apply?

When a user next sets their password:

> For new customers - this will apply when they register

> For existing customers - this will apply when the user's password is reset


Please contact help@episoft.com.au to request a custom minimum password complexity rule.


In the absence of a custom password complexity rule, EpiSoft's default, recommended complexity rule will apply.
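To show how a configurable rule of the kind described above is evaluated at the moment it applies (registration or a password reset), here is an added example written for this article, not EpiSoft's code. The article names only the kinds of setting a rule can carry (minimum length, whether special characters are required); the numeric values, the extra upper-case and digit knobs, and the 'default' rule below are assumptions standing in for whatever is agreed with EpiSoft.

```python
import string
from dataclasses import dataclass
from typing import List, Optional

# Added example; not EpiSoft's code. Minimum length and the special-character
# requirement come from the article; the case/digit knobs and every number
# here are assumptions.


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_special: bool
    require_upper: bool = False   # assumed extra knob
    require_digit: bool = False   # assumed extra knob
    special_chars: str = string.punctuation

    def violations(self, password: str) -> List[str]:
        """Every unmet requirement, worded for the user; empty means acceptable."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"at least {self.min_length} characters")
        if self.require_special and not any(c in self.special_chars for c in password):
            problems.append("at least one special character")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("at least one upper-case letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("at least one digit")
        return problems


# Hypothetical default: the real recommended rule is set by EpiSoft, and a
# custom rule is agreed per organisation through help@episoft.com.au.
DEFAULT_POLICY = PasswordPolicy(min_length=10, require_special=False,
                                require_upper=True, require_digit=True)


def effective_policy(custom: Optional[PasswordPolicy]) -> PasswordPolicy:
    """Custom rule when the organisation has one, else the recommended default."""
    return custom if custom is not None else DEFAULT_POLICY


def check_new_password(password: str, custom: Optional[PasswordPolicy] = None) -> List[str]:
    """Run at the moment the rule applies: registration or a password reset.
    Returns the list of unmet requirements, so the user can be told all of
    them at once rather than one per attempt."""
    return effective_policy(custom).violations(password)
```

Returning every unmet requirement in one pass, rather than stopping at the first, is a small usability point that matters for a rule applied only at reset time: users who hit the rule once should not need several attempts to discover it.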


2. SAML-based Single Sign On for Staff Login

Single Sign On is a different means of accessing your EpiSoft application: your organisation's staff authenticate with their existing Active Directory accounts, which EpiSoft trusts via SAML, eliminating the need for a separate username and password. The users and their roles will still be required to be set up in the application as per normal (although EpiSoft is looking to enhance the function to share role details and perform provisioning / deprovisioning in the future). Once authenticated in the organisational network, staff will be able to access the application without a username and password.

Overview of implementation:

Implementation of single sign on is subject to a separate project plan and test cycle per customer and attracts a cost.

1. EpiSoft will request a technical discovery meeting with your organisation's network / IT staff to understand how you have implemented single sign on and whether it is SAML-compatible. We will also seek to understand what unique identifier (e.g. email address) your single sign on application uses.

2. If your single sign on service is SAML-compatible, EpiSoft will provide 'metadata' that can be configured in your single sign on service, which should generate return metadata that you provide back to EpiSoft.

Tip! Ideally, the metadata should be provided via a static URL. That way, when the certificates used to authenticate the single sign on service at the customer end expire and are renewed, the renewed certificates are automatically provided to EpiSoft, avoiding a manual certificate renewal.

3. EpiSoft will then provide you with a dedicated login URL for Staging for staff accessing the application that is single sign on compatible.

4. You will perform User Acceptance Testing to verify that the dedicated login URL allows them to single sign on into the application.

5. EpiSoft will repeat steps 2 & 3 for the production login URL to the application for staff, and you will perform Production Verification Testing (repeat of Step 4 but in production).

6. EpiSoft and you will agree a Go-Live date and time when all your staff users are required to login to the application using the single sign on URL.

7. At Go-Live time, EpiSoft will scramble all your staff user passwords and remove their ability to reset their passwords (a temporary backup of users' Reset Password challenge questions will be taken by EpiSoft in case rollback is required). From this point on, your organisation's staff users will only be able to login with single sign on, and only via the single sign on login URL. Your organisation needs to notify all staff users of the new login URL, and revoke the old login URL.

8. In the unlikely event that rollback is required, EpiSoft will restore your staff users' Reset Password challenge questions, and all staff users will need to reset their passwords and re-use the former username / password-based login URL.
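The tip in step 2 about a static metadata URL is easiest to appreciate from the service provider's side. The following is an added example written for this article, not EpiSoft's code: it parses an identity provider's SAML metadata, fingerprints the signing certificates it finds, and on a later re-read reports which certificates were added and which were retired, which is exactly what a periodic fetch from a static URL lets the service provider do without a manual exchange. The entityID, URLs and 'certificate' bytes are constructed placeholders (not real certificates), so only the metadata structure and the fingerprint comparison are real.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

# Added example; not EpiSoft's code. Shows why a static metadata URL avoids
# manual certificate renewal: re-reading the metadata picks up a rotated
# signing certificate. Entity ID, URLs and certificate bytes are constructed.

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

CERT_OLD = b"constructed-placeholder-certificate-2023"
CERT_NEW = b"constructed-placeholder-certificate-2024"

METADATA_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {key_descriptors}
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def key_descriptor(cert_der: bytes) -> str:
    """One signing KeyDescriptor, as an IdP would publish it."""
    b64 = base64.b64encode(cert_der).decode()
    return ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


# What the static URL would serve before and during a certificate rollover
# (during rollover both certificates are published so either signature verifies).
METADATA_BEFORE = METADATA_TEMPLATE.format(key_descriptors=key_descriptor(CERT_OLD))
METADATA_ROLLOVER = METADATA_TEMPLATE.format(
    key_descriptors=key_descriptor(CERT_OLD) + key_descriptor(CERT_NEW))


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class IdpConfig:
    entity_id: str
    sso_url: str
    signing_fingerprints: Tuple[str, ...]


def parse_idp_metadata(xml_text: str) -> IdpConfig:
    root = ET.fromstring(xml_text)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # An absent 'use' attribute means the key serves signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.append(fingerprint(base64.b64decode("".join(cert.text.split()))))
    sso = root.find(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    if sso is None or not fps:
        raise ValueError("metadata lacks a SingleSignOnService or a signing certificate")
    return IdpConfig(root.get("entityID"), sso.get("Location"), tuple(fps))


def refresh(cached: IdpConfig, fetched_xml: str) -> Tuple[IdpConfig, List[str], List[str]]:
    """Apply a re-read of the metadata URL (here a constructed string).
    Returns the new config plus the certificates added and retired. A changed
    entityID is refused: that is not a routine rotation and needs a person."""
    fetched = parse_idp_metadata(fetched_xml)
    if fetched.entity_id != cached.entity_id:
        raise ValueError("entityID changed; escalate instead of auto-updating")
    added = sorted(set(fetched.signing_fingerprints) - set(cached.signing_fingerprints))
    retired = sorted(set(cached.signing_fingerprints) - set(fetched.signing_fingerprints))
    return fetched, added, retired
```

With metadata exchanged by hand instead, the old fingerprint stays trusted until someone sends the renewed file, and sign-ons fail the moment the identity provider starts signing with the new certificate; logging the added and retired fingerprints on each refresh gives the service provider an audit trail of every rotation.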


Change to staff user registration process:

To prevent staff users from circumventing the single sign on URL, no passwords are issued by default by the EpiSoft authentication platform. However, if your organisation's system administrators accidentally tick 'Send registration email' when setting up a new user, this will override the default and issue a password setup link to the user.



Showing the location of the 'Send registration email' field on the New User page.


Tip! If you accidentally tick this - no problem. If the user has not already registered, simply tell them to ignore the email and use your organisation's dedicated single sign on URL. If they have registered, please notify help@episoft.com.au and request their password and Reset Password questions be scrambled.

Further, on the cutover to single sign on, your organisation's users will be swapped to a SAML-equivalent user Role which deactivates their ability to reset their own password, which is the only other means to circumvent single sign on authentication.


Setting up your user accounts to match your single sign on service identifier:

Depending on what 'unique identifier' your organisation's single sign on service uses, an 'Active Directory Name' may need to be configured in the staff user accounts in the application. This field should match the username in your single sign on service.



Showing the location of the Active Directory Name field in the staff user account


If your single sign on service uses email address as the unique identifier, then you need to ensure that the email address is correct instead.




Showing the location of the Email field in the staff user account


Tip! Regardless of what the 'unique identifier' is, you must ensure that there is only one active user account per identifier in the application, e.g. you cannot have two user accounts sharing the same email or Active Directory Name; otherwise the application will not know which one to single sign the user on to.


Frequently Asked Question - If I forgot to deactivate a duplicate user account and a user single signs on to the wrong account, what do I need to do?

First, deactivate the unwanted, duplicate account. Then, click the Remove SAML Login Links button on BOTH the duplicate accounts. Then ask the user to reattempt the single sign on.



Showing the location of the Remove SAML Login Links button in the epi-me staff user account
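The identifier-matching rules above, and the duplicate-account recovery in the FAQ, can be modelled in a few lines. The following is an added example written for this article, not EpiSoft's code or data model: it pulls the asserted identifier out of a constructed SAML response (the NameID for email, or an attribute for the Active Directory name; the attribute name sAMAccountName is an assumption), insists on exactly one active account per identifier, remembers a 'SAML login link' after the first successful sign-on, and provides a 'Remove SAML Login Links' operation so the FAQ scenario can be walked through. The response is treated as already signature-checked.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Added example; not EpiSoft's code. Models the article's matching rules:
# the asserted identifier must match exactly one active account, the first
# successful sign-on records a 'SAML login link', and 'Remove SAML Login Links'
# clears it. Field names, the link model and the response are assumptions.

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed response: NameID carries the email address and an attribute
# (sAMAccountName, an assumed attribute name) carries the Active Directory name.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice.Nurse@hospital.example</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName">
        <saml:AttributeValue>anurse</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


@dataclass
class StaffAccount:
    account_id: int
    username: str
    email: str
    ad_name: str               # the 'Active Directory Name' field
    active: bool = True
    saml_link: Optional[str] = None  # identifier bound at first single sign on


def asserted_identifier(response_xml: str, attribute: Optional[str] = None) -> str:
    """The identifier the IdP asserted: NameID by default, or a named attribute."""
    root = ET.fromstring(response_xml)
    if attribute is None:
        node = root.find(".//saml:Subject/saml:NameID", NS)
    else:
        node = None
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == attribute:
                node = attr.find("saml:AttributeValue", NS)
                break
    if node is None or not (node.text or "").strip():
        raise ValueError(f"assertion carries no {attribute or 'NameID'}")
    return node.text.strip()


def resolve_account(identifier: str, accounts: List[StaffAccount],
                    match_on: str = "email") -> StaffAccount:
    """Pick the single account to sign the user into, or refuse.
    Comparison is case-insensitive because email and AD names are."""
    ident = identifier.strip().lower()
    active = [a for a in accounts if a.active]
    linked = [a for a in active if a.saml_link == ident]
    if len(linked) == 1:
        return linked[0]  # a previously linked account wins
    if len(linked) > 1:
        raise LookupError(f"{identifier!r} is linked to several active accounts")
    matches = [a for a in active if getattr(a, match_on).lower() == ident]
    if not matches:
        raise LookupError(f"no active account matches {identifier!r}")
    if len(matches) > 1:
        names = [a.username for a in matches]
        raise LookupError(f"duplicate active accounts for {identifier!r}: {names}")
    matches[0].saml_link = ident  # first successful sign-on creates the link
    return matches[0]


def remove_saml_login_links(*accounts: StaffAccount) -> None:
    """The 'Remove SAML Login Links' button, applied to each account given."""
    for account in accounts:
        account.saml_link = None
```

Walking through the FAQ with this model: while the wrong account still holds the link, the user keeps landing on it even after the duplicate is found; deactivating the unwanted account and removing the links on both accounts makes the next sign-on fall through to the identifier match, which now finds exactly one active account and links it.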


User Acceptance Testing and Production Verification Testing:


Assessing that single sign on has worked is very simple. If your user account is configured correctly (see 'Setting up your user accounts to match your single sign on service identifier' above) and your user account has access to an organisation, then you should see the 'My Communities' page.



Showing an example of the My Communities page for one user after they have single-signed-on.