2023/10/25 EpiSoft Major Spring Release - Security Notes

As a mandatory prerequisite for sites wanting to use EpiSoft for eScript, EpiSoft has introduced an enhanced cybersecurity measure: each organisation can set its preferred system timeout. When the timeout is reached, the user is locked out of their EpiSoft session until they enter their password (or pin number).

Even if you are not planning to implement eScripts, implementing a system timeout is good security practice generally, so we strongly recommend that all EpiSoft organisations implement this.
What does a timeout protect? If you walk away from your computer or stay logged in at the end of the day, another person with access to your computer could take over your login to EpiSoft, potentially accessing records or modifying data in ways that you have not authorised.
The shorter the timeout, the lower the risk of this occurring. The trade-off is that the shorter the timeout, the more annoying or inconvenient it is for you to have to re-authenticate. So we've made the re-authenticate function easier by introducing a pin number.


For on-premise customers that do not want to implement an application timeout because your virtual machine already does this, you can still benefit from the implementation of our pin number function if you:

1) have users that need to sign protocols as OK to be published - this action requires 1 or 2 users to enter their password (they can use a 4 digit pin instead)
2) sign drug administration charts that require 1 or 2 users to enter their password (they can use a 4 digit pin instead)
3) sign drug phone orders that require 1 or 2 users to sign that they have heard and confirmed the phone order by entering their password (they can use a 4 digit pin instead)

If you would like to implement the EpiSoft timeout for all users in your organisation and/or the pin number signature for the convenience of relevant users accessing the above functions, here is how:

The organisation administrator has access to the Organisation Preferences page, in which they can set the timeout and/or pin number functions as shown below. This new section, Security Settings, is near the bottom of the Org Preferences page.





How do I set the pin number if my administrator doesn't make it mandatory, or reset it if I have forgotten my pin?
This is done under System Administration >> User Preference, right near the top of the page. See below.
Why is this under User Preference when Password is reset under My Details in the My Communities page? Because the timeout and pin are within the EpiSoft system; password management is controlled by our separate authentication platform, EpiDirectory.

If you cannot see the Set Pin or Reset Pin option under your User Preference page, that is because your Organisation Administrator hasn't yet enabled pins in the Org Admin page above. Contact your Organisation Administrator.

Even if you have advanced privileges on the User Preferences page to set other users' preferences, you cannot set a pin on behalf of another user. Your pin is like your password or the pin for your credit card: it is not to be shared with any other user.





So if my org administrator has also introduced the EpiSoft TIMEOUT function, what happens? See below:



So if my Organisation Administrator has set up the pin number function (for timeout or just for eSignature) and they have made it mandatory, what will I see?

When I log in, I will get prompted to enter my pin for the first time (see below).




When I go to sign for a drug, publish a protocol or sign a phone order, I will be prompted for my pin (by default) or my password (as previously).





What happens if I forget my pin and I get timed out? Hit Logout instead of Login in the window. This will take you back to the My Communities page. After you have logged back in the long way, go to System Administration >> User Preferences >> Reset Pin and set a 4 digit pin that will be easier to remember. See below.





IMPORTANT FINAL NOTE: Please protect your pin number as carefully as you currently protect your password or your bank account pin.
This is your eSignature in EpiSoft and should be known only to you.