Security settings
Clinic-level security policies — 2FA enforcement, session timeout, password rules.
Overview
Per-clinic security policies: enforce 2FA, set the session timeout, password complexity and IP restrictions. These are distinct from per-user security settings, which live in My Profile.
Prerequisites
- Owner or Admin role
Steps
1. Open Security settings: Settings → Security.
2. Set 2FA enforcement: Optional / Recommended / Required. Required forces every user to enable 2FA before they can sign in.
3. Set session timeout: minutes of inactivity before automatic sign-out. 15-30 minutes is reasonable for shared computers; 240 is the maximum.
4. Set password rules: minimum length (default 12), required character classes (mixed case, numbers, symbols), and reuse prevention (last 5 passwords).
5. Set IP allow-list (optional). If your clinic only operates from specific IPs, restrict sign-in to those. Risk: this also blocks staff signing in remotely from other addresses.
6. Set anomaly alerts: detect unusual sign-in patterns such as a different country, a different time of day, or repeated failed attempts.
7. Save. Changes apply on the next sign-in for affected users.
8. Review the audit log. Open Audit Log to see who changed what, and when. Audit log retention is 7 years.
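The steps above describe policy values but not how they are applied. The following is an added example, not the product's own code, that models a clinic policy with the values from this page (2FA Required, 30-minute timeout, 12-character minimum, last 5 passwords blocked, 240-minute cap) and evaluates constructed password changes, sign-in attempts and a short sign-in history against it. The 5-failure alert threshold, the 10-minute window, the TEST-NET IP range and every user name and event are assumptions made for the illustration.

```python
"""Added example: apply clinic-level security policies to constructed events.

Not the product's own code. Policy defaults follow the page; the alert
threshold, window, IP range, users and events are constructed here.
"""
import hashlib
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SESSION_TIMEOUT_MAX = 240  # page: 240 minutes is the maximum


@dataclass
class SecurityPolicy:
    two_factor: str = "Required"             # Optional / Recommended / Required
    session_timeout_minutes: int = 30        # 15-30 suggested for shared computers
    min_password_length: int = 12            # page default
    reuse_prevention: int = 5                # block the last 5 passwords
    ip_allow_list: list = field(default_factory=list)  # CIDR strings; empty = unrestricted
    failed_attempt_threshold: int = 5        # assumed alert threshold for repeated failures

    def __post_init__(self):
        if not 1 <= self.session_timeout_minutes <= SESSION_TIMEOUT_MAX:
            raise ValueError(f"session timeout must be 1..{SESSION_TIMEOUT_MAX} minutes")


def password_digest(password: str) -> str:
    # Used only for the reuse comparison in this example; a real credential
    # store keeps a slow, salted hash (bcrypt/argon2), never plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def password_violations(policy, candidate, previous_digests):
    """Return the rules the candidate breaks (an empty list means acceptable)."""
    problems = []
    if len(candidate) < policy.min_password_length:
        problems.append("too short")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("needs mixed case")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs a number")
    if not any(not c.isalnum() for c in candidate):
        problems.append("needs a symbol")
    if password_digest(candidate) in previous_digests[-policy.reuse_prevention:]:
        problems.append(f"reused within last {policy.reuse_prevention}")
    return problems


def ip_allowed(policy, ip):
    """Empty allow-list means no restriction; otherwise the IP must fall in a listed CIDR."""
    if not policy.ip_allow_list:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in policy.ip_allow_list)


def session_expired(policy, last_activity, now):
    return now - last_activity > timedelta(minutes=policy.session_timeout_minutes)


def sign_in_decision(policy, user, ip):
    """user: dict with 'two_factor_enrolled'. Returns 'allow' or a denial reason."""
    if policy.two_factor == "Required" and not user["two_factor_enrolled"]:
        return "deny: 2FA required before sign-in"
    if not ip_allowed(policy, ip):
        return "deny: IP not on allow-list"
    return "allow"


def anomaly_alerts(policy, events, window=timedelta(minutes=10)):
    """events: (time, user, country, success) tuples. Flags repeated failures
    within `window` and a success from a country the user has not used before."""
    alerts = []
    failures = defaultdict(list)
    seen_country = defaultdict(set)
    for when, user, country, ok in sorted(events):
        if ok:
            if seen_country[user] and country not in seen_country[user]:
                alerts.append((user, f"sign-in from new country {country}"))
            seen_country[user].add(country)
            continue
        failures[user] = [t for t in failures[user] if when - t <= window] + [when]
        if len(failures[user]) == policy.failed_attempt_threshold:
            alerts.append((user, f"{policy.failed_attempt_threshold} failed attempts in {window}"))
    return alerts


def sample_events():
    """Constructed sign-in history: 5 quick failures, then successes from US and BR."""
    t0 = datetime(2024, 1, 1, 9, 0)
    events = [(t0 + timedelta(seconds=20 * i), "dr.lee", "US", False) for i in range(5)]
    events.append((t0 + timedelta(hours=1), "dr.lee", "US", True))
    events.append((t0 + timedelta(hours=2), "dr.lee", "BR", True))
    return events


if __name__ == "__main__":
    policy = SecurityPolicy(ip_allow_list=["203.0.113.0/24"])  # TEST-NET-3, constructed
    history = [password_digest("Old-Passw0rd!1")]
    print(password_violations(policy, "Old-Passw0rd!1", history))
    print(sign_in_decision(policy, {"two_factor_enrolled": False}, "203.0.113.10"))
    print(anomaly_alerts(policy, sample_events()))
```

Running the block prints the reuse violation, the 2FA denial, and two alerts for `dr.lee` (five failures inside ten minutes, then a first sign-in from BR). The new-country check only fires once a user has a known country, which is why the first US success produces no alert.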
Expected outcome
- Clinic-wide policies enforced consistently
- Anomalies surface as alerts
- Audit log captures every change
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| 2FA enforcement locked staff out | They didn't enroll in time | Owner can grant temporary 24h grace via support |
| IP allow-list too tight | Blocks legit remote staff | Add their IPs or disable IP restriction |
| Session timeout too short | Staff get logged out mid-task | Increase to 60 minutes for desktop users |
| Anomaly alerts noisy | Threshold too low | Tune thresholds in Alerts settings |
| Want SSO | Enterprise feature in roadmap | Submit feature request |