Configure the Security Policy for Your Organization
In order to help your organization stay compliant, IntakeQ provides a set of security configurations that you can use to enforce your security policies. Once these policies are set, they will apply to all IntakeQ users under your account, including the account owner, practitioners and assistants.
To set up your security policies, navigate to "More > Team > Security Policies".
Each field allows you to configure a different security aspect. Let's look closer at what each field does:
Password Requirements: This field lets you set typical password complexity requirements, such as requiring numbers, upper-case letters, symbols, etc. It also includes a "Use password blacklist" option, which checks new passwords against a list of the 160,000 most common passwords used in dictionary attacks and rejects any that appear on it. The latest NIST recommendation is to use the blacklist option instead of forcing users to include special characters; however, since some organizations take a while to update their policies, we kept all the options available.
Session should end after: This option allows you to determine when to terminate a user session after a period of inactivity.
Disable the "Trust this device" option: IntakeQ allows users to keep a session "alive" for 1 week if they choose to do so. If your organization needs to comply with HIPAA, this may not be in accordance with your policies. This setting lets you disable this feature, so that even when a user chooses to keep the session alive for 1 week, IntakeQ will terminate it based on the session timeout setting discussed above.
Password change policy: This setting lets you enforce a password expiration period for your organization. This means that after a predetermined period, users will have to set up a new password. This policy has recently been discouraged by NIST, but we included it here because some organizations still use this policy.
Require 2-Factor Authentication for all accounts: This option is self-explanatory. When enabled, every user under your account will be forced to activate 2-Factor Authentication in order to use their account. For more information on how this works, see the following article: Enhanced Security: 2-Step Authentication
Patient session should end after: This option allows you to determine when to terminate a client form session after a period of inactivity.
Expire Patient forms: This option allows you to determine an expiration date for a form in relation to the date when the client first started to fill out the form. For example, when set to 7 days, clients will need to submit the form within 7 days after they first logged in.
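The four time-based settings above (session timeout, the "Trust this device" override, patient session timeout and form expiry) interact, and the precedence is easy to get wrong. The following added example (not IntakeQ's code; field names, the 15-minute patient default and the scenario timestamps are constructed, and it assumes the one-week trusted-device lifetime is counted from login) encodes the rules as stated on this page: a trusted device keeps a practitioner session alive for a week only while the organization allows the option, otherwise the inactivity timeout decides; a client form closes either when the form's expiry window since first opening has passed or when the client has been idle too long.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Stated on the page: "Trust this device" keeps a session alive for one week.
TRUSTED_DEVICE_LIFETIME = timedelta(weeks=1)


@dataclass
class SessionPolicy:
    """Hypothetical mirror of the time-based Security Policy fields."""
    idle_timeout: timedelta                                   # "Session should end after"
    disable_trust_device: bool = False                        # "Disable the 'Trust this device' option"
    patient_idle_timeout: timedelta = timedelta(minutes=15)   # "Patient session should end after" (constructed default)
    form_expiry: Optional[timedelta] = None                   # "Expire Patient forms"; None means never


@dataclass
class StaffSession:
    login_at: datetime
    last_activity: datetime
    trusted_device: bool   # the user ticked "Trust this device" at login


def staff_session_active(session: StaffSession, now: datetime, policy: SessionPolicy) -> bool:
    """True while a practitioner/assistant session may continue under the policy."""
    if session.trusted_device and not policy.disable_trust_device:
        # Assumption: the one-week lifetime runs from login, not from last activity.
        return now - session.login_at <= TRUSTED_DEVICE_LIFETIME
    # The user did not trust the device, or the organization disabled the option:
    # the inactivity timeout is what decides.
    return now - session.last_activity <= policy.idle_timeout


def patient_form_open(first_opened: datetime, last_activity: datetime,
                      now: datetime, policy: SessionPolicy) -> Optional[str]:
    """None if the client may keep filling out the form, else the reason it was closed."""
    if policy.form_expiry is not None and now - first_opened > policy.form_expiry:
        return "form expired"
    if now - last_activity > policy.patient_idle_timeout:
        return "patient session timed out"
    return None


def demo() -> dict:
    """Constructed scenario exercising each rule; returns the decisions by name."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    allowed = SessionPolicy(idle_timeout=timedelta(minutes=30), form_expiry=timedelta(days=7))
    disabled = SessionPolicy(idle_timeout=timedelta(minutes=30), disable_trust_device=True,
                             form_expiry=timedelta(days=7))
    sess = StaffSession(login_at=t0, last_activity=t0, trusted_device=True)
    return {
        "trusted_idle_2h": staff_session_active(sess, t0 + timedelta(hours=2), allowed),
        "trust_disabled_idle_2h": staff_session_active(sess, t0 + timedelta(hours=2), disabled),
        "trusted_after_8_days": staff_session_active(sess, t0 + timedelta(days=8), allowed),
        "form_day6": patient_form_open(t0, t0 + timedelta(days=6), t0 + timedelta(days=6, minutes=5), allowed),
        "form_day8": patient_form_open(t0, t0 + timedelta(days=8), t0 + timedelta(days=8), allowed),
        "form_idle_20m": patient_form_open(t0, t0, t0 + timedelta(minutes=20), allowed),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The second scenario is the one the "Disable the 'Trust this device' option" setting exists for: the same session, with the user having asked to stay signed in, is nevertheless ended after 30 idle minutes because the organization-wide setting overrides the user's choice.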
Enable Captcha on all public forms: Enable this if you notice bots spamming form submissions. It adds a verification step to every public form to prevent automated submissions.