MyDentalPractice Guides

Security best practices

A short checklist of the highest-leverage security actions for your clinic.

Overview

Most security incidents stem from a few preventable habits. This article is the short list: do these and you have covered the large majority of what matters for a clinic.

Prerequisites

  • Owner or Admin role
  • Willingness to be slightly inconvenienced in exchange for much better security

Steps

Enforce 2FA for all clinic users. Settings → Security → 2FA enforcement: Required. This is the single biggest reduction in account-takeover risk: a stolen, guessed or reused password on its own is no longer enough to sign in.

Use passkeys where supported. Passkeys are phishing-resistant because they are bound to the site they were created for, so a look-alike sign-in page gets nothing usable. They are also faster than typing a password. See Passkeys.

Set a short session timeout for shared computers. Front-desk machines typically have several staff signing in over the course of a day. A 15-minute idle timeout keeps a session someone walked away from being used by the next person (or visitor) at the desk.

Review the staff list quarterly. Settings → Staff: disable users who have left. An active account belonging to departed staff is a real risk: the person still has a working login, and nobody is watching how it is used.

Review the audit log weekly. Spend 10 minutes in Settings → Security → Audit Log looking for anomalies: sign-ins at odd hours or from unfamiliar locations, accounts you did not expect to be active, bulk exports. Set up automated alerts for the checks you would otherwise repeat by hand every week, so the manual pass is only for what the alerts do not cover.
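The kind of checks worth automating, as an added example that is not part of the product or this guide. It runs a few triage rules over an exported audit log; the pipe-separated line format, the clinic hours, the departed-staff list and the sample lines are all constructed assumptions, so adapt the parser to whatever your export actually looks like.

```python
"""Triage rules over an exported audit log (added example, not product code).
Assumed export format per line: timestamp | user | event | source IP."""
from collections import Counter
from datetime import datetime

# Constructed sample export; not real clinic data.
SAMPLE_LOG = """\
2024-03-04T08:55:12 | d.patel | login_success | 203.0.113.10
2024-03-04T09:01:40 | m.ortiz | login_success | 203.0.113.10
2024-03-04T12:30:05 | m.ortiz | patient_export | 203.0.113.10
2024-03-04T22:47:33 | d.patel | login_success | 198.51.100.7
2024-03-05T02:10:01 | r.lee | login_failed | 192.0.2.55
2024-03-05T02:10:09 | r.lee | login_failed | 192.0.2.55
2024-03-05T02:10:18 | r.lee | login_failed | 192.0.2.55
2024-03-05T02:10:27 | r.lee | login_failed | 192.0.2.55
2024-03-05T02:10:40 | r.lee | login_failed | 192.0.2.55
2024-03-05T02:11:02 | r.lee | login_success | 192.0.2.55
2024-03-05T10:15:00 | j.former | login_success | 203.0.113.10
"""

CLINIC_HOURS = range(7, 20)      # assumption: clinic open 07:00-19:59 local time
DEPARTED = {"j.former"}          # assumption: staff who should already be disabled
FAILED_LOGIN_THRESHOLD = 5       # failures per user before a later success is suspicious


def parse(log_text):
    """Turn the assumed export format into a list of event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, event, ip = (field.strip() for field in line.split("|"))
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "ip": ip})
    return events


def find_anomalies(events):
    """Return (rule, user, detail) tuples that deserve a human look."""
    findings = []
    failures = Counter()   # failed sign-ins per user since their last success
    known_ips = {}         # user -> IPs already seen for that user, in log order
    for e in events:
        user, ev = e["user"], e["event"]
        if ev == "login_success":
            # Rule 1: any sign-in by someone on the departed list
            if user in DEPARTED:
                findings.append(("departed_user_login", user, e["ip"]))
            # Rule 2: successful sign-in outside clinic hours
            if e["ts"].hour not in CLINIC_HOURS:
                findings.append(("after_hours_login", user, e["ts"].isoformat()))
            # Rule 3: sign-in from an address never seen before for this user
            seen = known_ips.setdefault(user, set())
            if seen and e["ip"] not in seen:
                findings.append(("new_ip_login", user, e["ip"]))
            seen.add(e["ip"])
            # Rule 4: a run of failures followed by success looks like password guessing
            if failures[user] >= FAILED_LOGIN_THRESHOLD:
                findings.append(("success_after_failures", user, failures[user]))
            failures[user] = 0
        elif ev == "login_failed":
            failures[user] += 1
        elif ev == "patient_export":
            # Rule 5: bulk exports are rare enough that every one is worth a look
            findings.append(("patient_export", user, e["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_anomalies(parse(SAMPLE_LOG)):
        print(f"{rule:24} {user:10} {detail}")
```

The rules are deliberately simple; the point is that each one corresponds to a line item from the weekly manual pass, and once it is written down it can run every day instead of once a week.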

Train staff on phishing. The common attack is an email impersonating support that asks the recipient to reset their password through a link. Teach staff two rules: support never asks for passwords, and a genuine reset is always started by you from the Forgot password link on the sign-in page, never from a link in an unsolicited email.

Don't reuse passwords across systems. A breach somewhere else should not grant access here; reused passwords are exactly what credential-stuffing attacks rely on. Encourage password managers so every system gets its own password.

Use strong sender-domain authentication. Publish SPF, DKIM and DMARC for your sending domain so receiving mail servers can reject mail that forges your address. SPF and DKIM only let receivers check a message; it is the DMARC policy (p=quarantine or p=reject, not the monitor-only p=none) that tells them what to do when the check fails. Together they stop scammers spoofing you to your patients.
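What "strong" means in practice, as an added example that is not part of the product or this guide: a checker that flags the weak settings in SPF, DKIM and DMARC records, run against a constructed weak set of records for clinic.example and a corrected set. The domain, the selector name s1, the mail-provider include and the DKIM key text are all placeholders; in real use you would fetch the TXT records with dig or a DNS library rather than pass them in as a dict.

```python
"""Flag weak sender-authentication settings (added example, not product code).
Records are passed in as a dict of DNS name -> TXT value; constructed data."""

# Constructed records for a placeholder domain, before and after hardening.
WEAK_RECORDS = {
    "clinic.example": "v=spf1 include:_spf.mailprovider.example ptr ?all",
    "_dmarc.clinic.example": "v=DMARC1; p=none; pct=50",
    # no DKIM selector record published at all
}
FIXED_RECORDS = {
    "clinic.example": "v=spf1 include:_spf.mailprovider.example -all",
    "_dmarc.clinic.example": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@clinic.example",
    "s1._domainkey.clinic.example": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0PLACEHOLDERKEY",
}


def _tags(record):
    """Parse 'k=v; k=v' tag lists as used by DMARC and DKIM records."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)


def check_spf(record):
    """Flag SPF records that permit spoofing or exceed the 10-lookup limit."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF missing or malformed (must start with v=spf1)"]
    lookups, final = 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("=", 1)[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1          # each of these costs one of the 10 permitted DNS lookups
        if name == "ptr":
            findings.append("SPF uses ptr, which is deprecated and unreliable")
        if body == "all":
            final = qualifier
    if final is None:
        findings.append("SPF has no 'all' term, so unlisted senders are not rejected; end with -all")
    elif final in ("+", "?"):
        findings.append(f"SPF ends in {final}all, which lets anyone send as you; use -all")
    elif final == "~":
        findings.append("SPF ends in ~all (softfail); move to -all once DMARC reports show no legitimate sender is missing")
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups, over the limit of 10, so receivers treat it as an error")
    return findings


def check_dmarc(record):
    """Flag DMARC policies that monitor but do not enforce."""
    findings = []
    tags = _tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC missing or malformed (must start with v=DMARC1)"]
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered. Move to p=quarantine, then p=reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: the policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so you receive no aggregate reports showing who is spoofing you")
    return findings


def check_dkim(record):
    """Flag a missing or revoked DKIM selector record."""
    if not record:
        return ["DKIM selector record not published; outgoing mail is unsigned"]
    if not _tags(record).get("p"):
        return ["DKIM record has an empty p= (key revoked), so signatures will not verify"]
    return []


def check_domain(records, domain, selector):
    """Run all three checks for one domain and return the combined findings."""
    return (check_spf(records.get(domain, ""))
            + check_dmarc(records.get(f"_dmarc.{domain}", ""))
            + check_dkim(records.get(f"{selector}._domainkey.{domain}", "")))


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("fixed", FIXED_RECORDS)):
        print(f"{label}: {check_domain(recs, 'clinic.example', 's1') or ['ok']}")
```

The weak set is the common "we set it up once" state: SPF that ends in ?all, DMARC left on p=none with no reporting address, and no DKIM key at all. None of those stops a single spoofed message; only the corrected set does.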

Lock the registration code. If you use public enrolment, regenerate the code once a campaign ends so that old QR codes and printed flyers cannot still be used to enrol long after you stopped expecting sign-ups.

Have a written incident response plan. Even one page is enough: who calls whom, which accounts and integrations to disable first, and how to communicate with patients.

Expected outcome

  • Account takeover risk dramatically reduced
  • Anomalous access surfaces quickly via alerts
  • Departing staff don't retain access
  • A staff member falling for a phishing email is no longer a catastrophe, because the password alone is useless without the second factor

Troubleshooting

Symptom                          | Likely cause                              | Fix
Staff resist 2FA                 | Friction concern                          | Show a phishing case study; the inconvenience is small
Passkey adoption low             | Devices vary                              | Start with Owner/Admin to lead by example
Audit log alerts overwhelming    | Thresholds too low                        | Tune; most clinics need 5-10 actionable alerts/month
Spoofed email reached patients   | Lacking SPF/DKIM, or DMARC left on p=none | Configure in Settings → Communications → Email
Departed staff still have access | Disable not done                          | Add to offboarding checklist
