Versions Compared

Version Old Version 5 New Version Current
Changes made by

Scott Peterson

Scott Peterson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

How it Works

A brief high level summary of the features and selling points for the HIMSA Identity Service is provided below.

AuthenticationImage Added

Audience

This introduction has been created for HIMSA Member Companies and Employees. Some content is useful for Hearing Care Businesses (HCB) and Hearing Care Professionals (HCP), but different publications will later be prepared for these groups.

The content is prepared assuming it will be read by product/project managers, software developers, or IT specialists.

Introduction

With Noah ES, HIMSA has implemented a HIMSA Identity Service that makes use of service that uses IT industry standards and best practices to ensure that the Hearing Care Professional (HCP) is in fact, for example, Brian Jones (, who uses the email address bjones@email.com).  Once authenticated, Brian is able to can make use of the Noah ES features.  At this point, Brian's HIMSA Identity is available for other approved applications to make use of.

HIMSA SSO and Noah ES accounts were designed to be used by HCBs so that all applicable employees could be managed under one account for the HCB.

Q: Does Is the business that Brian works for need required to subscribe to and use Noah ES in order to make use of the Identity Service?

A: As implemented today yes, but HIMSA can easily make smaller adjustments so that it is possible for the Identity Services to be available without requiring that Noah ES be purchased.  HIMSA has assumed that it offering this service at no charge to the HCB would be beneficial to the hearing health care industry as a whole and also provide for some helpful sales exposure for also using Noah ES.

Image Removeduse HIMSA SSO?

A: No. HIMSA has created a new product called HIMSA SSO (Single Sign-on), which is free for Hearing Care Businesses (HCB). Current Noah ES customers already have a HIMSA SSO-based identity.

Identity

The main identity of a HIMSA SSO user is their email address.

Tip

Behind the scenes the true identity is comprised of:

  • A globally unique ID assigned to the user

  • A globally unique ID assigned to the HIMSA SSO or Noah ES account

This enables users to:

  • Work for more than one HCB and still be separately identified

  • Change their email address without destroying their connection to established HIMSA SSO compatible services

Q: A common question that HIMSA receives from HIMSA member companies is - “Is HIMSA verifying that bjones@email.com is really Brian Jones, a licensed HCP located in the United States?”

A: No, HIMSA SSO is not able to promise this. HIMSA SSO can claim that bjones@email.com is part of a business set up in Noah ES or HIMSA SSO AND has control of the email address bjones@email.com. HIMSA SSO sends a special and limited-use link to the registered email for the user to complete their user account setup.

This topic is continued in the Authorization section.

Who Benefits?

Image Added

HCBs and HCPs

HCPs stand to gain the most from HIMSA SSO. With this system, they will only need to use one user account (email address), password, and possibly another MFA device when accessing other industry websites and services.

Q: Why not focus on asking HCPs to use other solutions such as Google, Apple, and Microsoft account integration that are often on many websites today?

A: HIMSA SSO is designed to be a business account. This means that it is possible for the business administrator to centrally manage the users that are associated with their business. For example, if Brian Jones resigns from HCB A, it is only necessary for the HCB to deactivate his HIMSA SSO user account. Brian Jones will also not be able to gain access to any member applications with the HIMSA SSO account + email address combination, as authentication will no longer be possible.

HIMSA Member Companies

It is fair to say that supporting HIMSA SSO will create more work for HIMSA member companies. The main focus is to remove pain points (e.g., HCPs do not need to remember user names and passwords for each web service they use. Additionally, centralizing user management for HCBs will be appreciated.)

It is envisioned that removing this pain point will make it easier for member companies to promote their web applications.

Q: Does HIMSA assume that HIMSA SSO will replace current or newly implemented identity and authentication systems a HIMSA member company implemented for their own applications (e.g., often referred to as “local accounts”).

A: No. Additionally, looking at similar systems in other industries, it is normal for the application to provide a “local account” as well.

HIMSA

HIMSA hopes to use HIMSA SSO to draw attention and grow the adoption rate of Noah ES while helping promote the use of cloud-based applications.

Authentication

Authentication of bjones@email.com is currently accomplished via Brian entering his HIMSA SSO password. Once the password is entered correctly, the user is considered authenticated.

HIMSA SSO also provides additional authentication options

  • Brian’s user account can be set up to require MFA codes texted to a registered phone number

  • Brian’s company may also subscribe to advanced identity systems (e.g., Azure AD) and still use HIMSA SSO; see the “Advanced Systems” section below

Note: HIMSA makes uses of Microsoft B2C authentication services to support authentication via password and MFA.

Authorization

Authorization is solely provided by the application provided by the HIMSA member company. Noah ES has no features that attempt to standardize authorization.

Authorizing an HCB and/or HCP can be accomplished by:

  • Use the HIMSA SSO API to determine if the account is a Noah ES or HIMSA SSO account

  • Use the API to determine if the current interactive user is set up as a Business Decision Maker, Administrator or regular user.

Tip

  • More likely, It is assumed that the member company application will challenge the interactive user with information that correct user would know about the company creating the application. For example, the member application can ask for account number and other identifiable information. If accurate, then the use of the HIMSA SSO user accounts for that business can be used.

  • The member application will also be responsible for deciding what types of features that different users may be able to use.

  • These two above steps could also be considered as a way to add further strength of the identity of the HCP and HCB

Easy Identification

During the day, Brian may have need to make use of a web site website application provided by manufacturer A.  Manufacturer A is a HIMSA member company and is a trusted integrator with the HIMSA Identity ServiceSSO.  In this example, Brian is wishing to make use of an order system.

When Brian arrives at the web site he will have the ability to gain access to protected functionality without needing to enter in a user name and passwordwebsite, he can access protected functionality without using different credentials.

Q: Does the HIMSA Identity at all influence what Brian can do in the system (e.g. how much product can he order)?  Are the feature offering controlled by HIMSA in anywaythis mean that the member companies ' websites automatically use Brian’s credentials?

A: Not at all, the HIMSA identity proves that Brian is bjones@email.com but the manufacturers application decides the functionality and level of access.

Image Removed

No, Brian will most likely need to enter his HIMSA SSO credentials. This is also impacted by how recently Brain has used the member's website and how long the website has been configured to allow Brian to use it without having to be authenticated again.

Image Added

Seamless Movement Between Different Systems and Companies

Brian's company also works with Manufacturer B which provides a web-based system for remote fitting/care.  Even though the systems  systems are completely separate, Brian does not need to login again a different user account but can rather use his HIMSA SSO Identity to gain access to the remote care functionality.

Q: Will the HIMSA Identity service make it easier for a manufacturer to create different applications such as order systems or remote care solutions?

A: Not directly. Although it is entirely feasible to solely rely on the HIMSA Identity service   HIMSA assumes that most manufacturers will still wish to provide individual identity systems and offer HIMSA's as a very nice option. This also means that any existing authentication systems put into place can continue to exist along side with provided support for using a common HIMSA Identity.

For Brian, the HIMSA Identity Service can provide for a better overall user experience, for example:

  • Brian does not need to enter in his password each time he visits another system, he does not need a separate password for each system.
  • If Brian forgets his password he will work his Noah ES administrator or potentially HIMSA to get logged back in.

Q: Since Brian has the ability to login Since Brian can log into systems provided by manufacturer manufacturers A and B does this mean that, for example, manufacturer A can gather some data or insight into the activity related to manufacturer B?

A: No, this is not possible.

Image RemovedImage RemovedImage AddedImage Added

Directory Features

Image Removed

The identity service will provide Image Added

HIMSA SSO provides for the storage of basic information about the business, such as location name, address, and other contact information. It will also be possible for different employees to be recorded and assigned to different office locations.

User types, such as Business Decision Makers (i.e., can sign agreements with HIMSA)  and Administrators, are also defined.

Manufacturers Benefit 

Location and User Information is available to manufacture manufacturer applications to assist in on-boarding onboarding a business as easily as possible.  Manufacturers will also be able to determine when HIMSA Identity SSO accounts have been disabled, signaling that the individual is most likely no longer employed, the . The manufacturer make may take any action within their applications if they wish.


Advanced Systems

Image Removed

Image Added

Hospitals, large chains/groups, businesses with special security needs, or advanced setups (e.g., use of a physical PIV card) have already

have

had most of their software systems

setup

set up to use products such as Microsoft Active Directory or Azure Active Directory.

These businesses really dislike using separate identity systems as each separate system represents a level of complexity for the administration of their business.  These businesses will most likely not accept to abandon their chosen solution for HIMSA products as well as other online-based systems.

To accommodate this situation

HIMSA’s Identity service

, HIMSA SSO is implemented and ready to integrate with other approved systems so that HIMSA can still deliver a high-quality identity for uses with Noah ES and associated applications.

Manufacturers Benefit 

This

HIMSA SSO supports this type of integration

will be taken care

, so

that

manufacturers do not need to worry about

them

it.  As far as

a

the manufacturer is concerned, it is just working with the HIMSA SSO Identity Service.   For example, if Brian's company has decided to

using

use Azure Active Directory, this change will

not

have no impact

for

on manufacturer-created applications.

Future Proofing

Image RemovedImage Removed

Identity and authentication for software application applications is a fast-changing field and that will most likely change quickly during the next few years.  For example, the next large change is assumed to come with moving away from the use of using passwords and replacing them with authentication App Apps and easy-to-use hardware devices.  Microsoft and other companies are working very hard on addressing this topic.  Rather then than forcing users to deal with the ever-increasing number of password changes and complexity, other methods are sure to become the standard in the future.

Manufacturers and HIMSA's Benefit 

As this field changes, HIMSA SSO will be able to make adjustments to the Identity Management Systems to make sue use of new standards , without causing a direct impact on the development of Noah ES or applications that integrate with Noah ES or the Identity Services.

In other words, HIMSA can perform the work once, and all companies may then enjoy the benefit of this work.

Project Update

The HIMSA IAM Committee, well represented for all of HIMSA's partner companies, has made very good process since the initial project kick off meeting in February 2019.  The currently understood project work is almost done, below is a list of highlights:

  • A completed set of user stories that the committee members are pleased with.  The user stories cover uses cases from both the perspective of the manufacturer developing applications as well as uses cases representing how Hearing Care Professionals (HCB) will make use of and enjoy the identity features.   The last meeting meeting took place at the end of June 2019
    • HIMSA is currently creating a sample application and test environment that enable the committee members and HIMSA product management to further model and test the user stories.  We may find that some minor adjustments to the users stories are needed

    .