
I'm writing healthcare software for web and mobile clients. Recently, I came across another new HIPAA rule about access control: app session timeout.

My question is, is it possible to give an application setting option from which the user can enable or disable the security level, instead of forcing it on them?

Any suggestions?


1 Answer


Yes, you must implement the feature to log out automatically in case of inactivity.

You can also ask the user to take some action and warn them before you invalidate the session. For example, if you set a timeout of 10 minutes, then after 9.5 minutes of inactivity you can warn the user: "Your session will expire in 30 {you can also put a countdown here} seconds; click Cancel to continue or OK to log out".

  • Thanks Savan. AFAIU, HIPAA talks about implementing and addressing a level of security, but I guess the user can still have the option to enable/disable the feature (which anyway will be part of the TOS guideline). Is it really a mandate to force such security, which may irritate them, say if they are in the middle of an app call and it disables the session? – CoDe Aug 14 '16 at 05:03
  • Hi Shubh, I suggest you implement the automatic logout feature as mentioned in the previous comment. However, if you believe that the users will be affected by popup messages or disabled sessions, the user base, location and accessibility of the system should be reviewed properly. [Reference](https://www.hipaa.com/access-control-automatic-logoff-what-to-do-and-how-to-do-it/) ------- Timeout settings will be suggested by the risk analysis, based on size of facility, and location and accessibility of electronic information system devices (from reference). – Savan Gadhiya Aug 14 '16 at 18:11