Adjusting the session timeout length

Overview

By default, Relevant logs users out after 30 minutes of inactivity. This is a security control designed to help ensure that the PHI in Relevant remains protected if a signed-in user walks away from their workstation.

However, 30 minutes may not be the right setting for your organization’s specific needs. For this reason, the session timeout length can be customized to any value from 30 minutes up to 8 hours; it cannot be set shorter than 30 minutes or disabled.

If you’d like to change this setting, have your Relevant project lead email support@relevant.healthcare. This decision should be made in consultation with your IT or information security team.

Checking your current session length

To see your current setting (in minutes), run the following query against your Relevant database:

select session_timeout_in_minutes from rdm.settings;

Security considerations

Logging users out after a period of inactivity is called out by the HIPAA Security Rule (see 45 CFR § 164.312(a)(2)(iii), Automatic logoff) as an addressable implementation specification: covered entities must implement it, or document why an alternative measure is reasonable and appropriate. It is also recommended by numerous security frameworks, including NIST SP 800-53 (see AC-12: Session Termination).

This requirement is designed to minimize the risk of unauthorized access if a user leaves their session unattended, for example by walking away from their computer. Although some inactivity limit is expected, neither HIPAA nor NIST prescribes a specific number of minutes; it is left to the organization to decide how long the period of inactivity should be.

Relevant’s default session timeout is set to 30 minutes. This short timeout is designed to support a strong security and compliance posture, but it also comes with usability tradeoffs. When providers and care teams are forced to re-enter passwords frequently, it creates friction in their workflows. In addition, Relevant’s application timeout may be redundant with a local workstation lock: if every workstation that can reach Relevant locks itself after a shorter period of inactivity than Relevant’s timeout, the application timeout adds friction without doing much to improve security. That argument only holds for workstations you control; on an unmanaged device, the application timeout is the only inactivity control in play.

Ultimately, deciding what the appropriate session timeout should be is a risk and compliance decision for your organization. If you are considering a longer timeout, we suggest that you ensure the following conditions are met before you request the change:

  • Local workstation logins are unique to the user. Each user logging into a workstation should have their own, individual username and password, so that an unattended workstation cannot be used under someone else’s identity. This is a standard part of workstation compliance.
  • Local workstations have an enforced timeout. Most often, this means that Windows automatically locks the screen or logs the user out after a certain period of inactivity, enforced by policy rather than left to the user. The workstation limit should be no longer than the Relevant timeout you are replacing: if the workstation locks after 15 minutes, the unattended window stays 15 minutes regardless of Relevant’s setting, but if the workstation lock is longer than (or absent from) Relevant’s timeout, lengthening Relevant’s timeout widens the window. This, too, is a standard part of workstation compliance.
  • PHI access in Relevant is restricted by IP address. Relevant can restrict PHI access to a set of allowed IP addresses. Enabling this feature can help ensure that sessions with access to PHI will only originate on workstations under your administrative control. Note that an IP allow list identifies the network a session comes from, not the user or the device, so it is most effective when your managed workstations reach Relevant through a fixed set of egress addresses (an office network or VPN) that unmanaged devices do not share.
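The second condition above is the one most often taken on faith. The following PowerShell script is an added example, not part of Relevant’s documentation or tooling: run it on a representative workstation to read the inactivity lock that Windows actually enforces and compare it against the Relevant timeout you are considering. It assumes the lock is enforced through either the "Interactive logon: Machine inactivity limit" policy (the InactivityTimeoutSecs value under the machine Policies\System key) or a policy-enforced, password-protected screen saver; the $RelevantTimeoutMinutes parameter is the value you would take from rdm.settings.

```powershell
# Added example (not Relevant's own tooling). Assumptions: the workstation lock is
# enforced via the machine inactivity limit policy or a policy-enforced secure
# screen saver; $RelevantTimeoutMinutes is the candidate or current value from
# rdm.settings (30 is Relevant's default).
param([int]$RelevantTimeoutMinutes = 30)

# 1. "Interactive logon: Machine inactivity limit" (seconds, 0 = not set).
$machineLimitSecs = $null
$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$prop = Get-ItemProperty -Path $sysPolicy -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
if ($prop -and [int]$prop.InactivityTimeoutSecs -gt 0) {
    $machineLimitSecs = [int]$prop.InactivityTimeoutSecs
}

# 2. Policy-enforced screen saver for the current user. Only counts if it is
#    password protected (ScreenSaverIsSecure = 1); an unlocked screen saver
#    does nothing to stop a passer-by.
$screenSaverSecs = $null
$ssPolicy = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop'
$ss = Get-ItemProperty -Path $ssPolicy -ErrorAction SilentlyContinue
if ($ss -and $ss.ScreenSaverIsSecure -eq '1' -and [int]$ss.ScreenSaveTimeOut -gt 0) {
    $screenSaverSecs = [int]$ss.ScreenSaveTimeOut
}

# The effective workstation lock is whichever enforced limit fires first.
$effectiveSecs = @($machineLimitSecs, $screenSaverSecs) |
    Where-Object { $_ -and $_ -gt 0 } |
    Sort-Object |
    Select-Object -First 1

if (-not $effectiveSecs) {
    Write-Output "No policy-enforced workstation lock found on $env:COMPUTERNAME."
    Write-Output "Relevant's application timeout is the only inactivity control here; do not lengthen it yet."
    exit 2
}

$effectiveMinutes = [math]::Ceiling($effectiveSecs / 60)
Write-Output "Workstation lock fires after $effectiveMinutes minute(s); Relevant timeout under consideration: $RelevantTimeoutMinutes minute(s)."

if ($effectiveMinutes -le $RelevantTimeoutMinutes) {
    Write-Output "OK: the workstation lock bounds the unattended window; Relevant's timeout is redundant on this machine."
    exit 0
} else {
    Write-Output "WARNING: Relevant's timeout is shorter than the workstation lock; lengthening it to $RelevantTimeoutMinutes minutes would widen the unattended window."
    exit 1
}
```

The exit code lets you run the script through your endpoint management tool across a fleet and count machines that return 1 or 2; if either count is non-zero, the workstation precondition is not actually met and the request to lengthen the Relevant timeout should wait.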