Configure the Security Policy for Your Organization

PracticeQ provides security settings to help your organization stay compliant. Once set, they will apply to all users under your account, including the account owner, practitioners and assistants.

1. Click More → Team → Security Policy.
2. Make your selections in each field:
   
   1. Password Requirements: Set password complexity requirements, such as the inclusion of numbers, upper-case letters, and symbols. One option is Use password blacklist, which uses a list of the 160,000 most common passwords used in dictionary attacks and prevents them from being used. The latest NIST (National Institute of Standards and Technology) recommendation is to use the blacklist option instead of forcing the user to use special characters; however, since some organizations take a while to update their policies, we keep all options available.
   2. Session should end after: Determine when to terminate a user session after a period of inactivity.
   3. Disable the "Trust this device" option: PracticeQ allows users to keep a session active for one week if they choose to do so. If your organization needs to comply with HIPAA, this may not be in accordance with your policies. This setting disables this feature, so that even when a user chooses to keep the session alive for one week, PracticeQ will terminate it based on the session timeout setting entered above.
   4. Password change policy: Enforce a password expiration period for your organization. After a predetermined period, users will have to set up a new password. This policy has recently been discouraged by NIST, but we included it here because some organizations still use this policy.
   5. Require 2-Factor Authentication for all accounts: Force every user in your account to activate 2-Factor Authentication in order to log in to PracticeQ. For more information on how this works, see the following article: Enhanced Security: 2-Step Authentication. 
   6. Force 2-Factor Authentication on every login: Force users to authenticate at every login via an authenticator app or a text message code.
   7. Patient session should end after: Determine when to terminate a client form session after a period of inactivity.
   8. Expire Patient forms: Determine an expiration date for a form in relation to the date when the client first started to fill out the form. For example, when set to 7 days, clients will need to submit the form within 7 days after they first logged in.
   9. Enable Captcha on all public forms: Force a verification to prevent bots from submitting forms. Enable this if you notice bots spamming form submissions.
   10. Require 2-Factor Authentication for all client portal accounts: Force clients to authenticate when logging in to the portal.
   11. When sending forms, do not pre-populate mapped fields: Do not allow PracticeQ to fill in previously mapped fields from the client profile in forms sent to clients.
   12. Telehealth: Disable client portal requirement: Allow clients to schedule Telehealth appointments without first accepting a client portal invitation.
   13. Prevent patients from changing their email/name in the client portal: Lock the email and name fields in the client portal so that clients cannot edit them. 
3. Click Save after you make your selections.