
Security Settings: Password Policies, Access Restrictions & Audit Logs

The Security Settings module is designed to protect sensitive patient health information (PHI) and clinic data. This module centralizes the enforcement of security best practices, access limitations, and the documentation of system activity to ensure regulatory compliance and data integrity.


1. Password Policies

Define the strength and longevity of staff credentials to prevent unauthorized account access.

  • Complexity Requirements: Mandate a minimum password length and a mix of letters, digits, symbols, and upper- and lower-case characters.
  • Rotation Policy: Set mandatory expiration timelines for passwords (e.g., every 90 days) to limit how long a compromised credential remains usable.
  • Reuse Limitations: Prevent users from cycling through recent passwords, so that an expired password cannot simply be set again.
  • Account Lockout: Configure the number of failed login attempts before a user account is temporarily locked.

2. Access Restrictions

Control the technical environment from which staff can access the Invent Medical platform.

  • IP Whitelisting: Restrict platform access to specific network IP addresses, ensuring that the system can only be accessed from within the clinic’s secure network.
  • Multi-Factor Authentication (MFA): Require a secondary verification step (e.g., authenticator app, SMS code, or email token) for all user logins.
  • Session Management: Set automatic logout intervals for idle user sessions to protect accounts on unattended terminals.
  • Geolocation Blocking: Optionally restrict login access to specific geographic regions to block unauthorized access attempts from outside those regions.

3. Audit Logs

Maintain a comprehensive record of system activity for compliance, security audits, and troubleshooting.

  • Activity Tracking: Log all user actions, including login/logout timestamps, patient record views, data modifications, and document exports.
  • Retention Policy: Define how long audit logs are stored in the system before they are archived or purged, according to your local record-keeping regulations.
  • Alert Triggers: Configure automated alerts for suspicious activity, such as bulk data exports or multiple failed access attempts.
  • Reporting: Generate exportable audit reports for administrative review or formal compliance inspections.
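
The two Alert Triggers conditions named above (multiple failed access attempts and bulk data exports) can be reproduced offline against an exported audit report. This is an added example, not the platform's own code; the CSV columns, action names and thresholds are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export. Column names and action labels are assumptions,
# not the platform's actual report format.
SAMPLE_EXPORT = """timestamp,user,action,records
2024-05-06T08:00:05,asmith,login_failed,0
2024-05-06T08:00:40,asmith,login_failed,0
2024-05-06T08:01:10,asmith,login_failed,0
2024-05-06T08:30:00,bjones,login_failed,0
2024-05-06T08:30:20,bjones,login_success,0
2024-05-06T09:00:00,bjones,document_export,40
2024-05-06T21:14:00,cdoe,document_export,150
2024-05-06T21:20:00,cdoe,document_export,120
2024-05-06T23:50:00,bjones,login_failed,0
"""

# Assumed thresholds: action -> (alert name, sliding window, limit on summed amount)
RULES = {
    "login_failed": ("repeated_failed_logins", timedelta(minutes=5), 3),
    "document_export": ("bulk_export", timedelta(hours=1), 200),
}

def find_alerts(export_text):
    """Return (timestamp, user, alert name) for each threshold breach, in time order."""
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: datetime.fromisoformat(r["timestamp"]))
    windows = defaultdict(deque)  # (user, action) -> recent (time, amount) events
    alerts = []
    for row in rows:
        ts, user, action = datetime.fromisoformat(row["timestamp"]), row["user"], row["action"]
        if action == "login_success":
            windows[(user, "login_failed")].clear()  # a success ends the failure streak
        if action not in RULES:
            continue
        rule, window, limit = RULES[action]
        amount = int(row["records"]) if action == "document_export" else 1
        q = windows[(user, action)]
        q.append((ts, amount))
        while ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the sliding window
        if sum(n for _, n in q) >= limit:
            alerts.append((row["timestamp"], user, rule))
            q.clear()  # the next alert requires a fresh burst
    return alerts
```
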

4. How to Configure

  1. Navigate to Settings > Security Settings.
  2. Password Policy: Adjust complexity and rotation settings.
  3. Restrict Access: Enable MFA and define your IP whitelist ranges.
  4. Audit Configuration: Select the activities to be logged and set your log retention schedule.
  5. Finalize: Click "Save Security Policy" to apply the changes clinic-wide.

5. Frequently Asked Questions

  • What happens if a staff member gets locked out? Administrators can verify the user’s identity and manually unlock the account via the "User Management" dashboard.
  • Can I monitor if an account is being used from a new device? Yes, the system logs the device fingerprint/browser info; you can configure alerts to notify administrators when a user logs in from an unrecognized device.
  • Are audit logs editable? No, audit logs are immutable records designed specifically for forensic and compliance purposes; they cannot be altered or deleted by standard system users.