Security: Restricting users from accessing your database outside of a specified IP address
Completed
Whilst ease of access on any internet-enabled device is fantastic, it brings major security issues. The security is only as strong as the weakest password/username combo that any member of staff has, and I don't want my junior DAs showing their boyfriends any of my practice data.
Firstly, can we harden up on password requirements and force complex passwords?
Secondly, how about two-factor authentication (2FA)? My thoughts are that the ideal would be hardware such as YubiKeys, with a fall-back to either an SMS code or a registered code generator (Symantec's VIP Access or Google Authenticator, perhaps).
Finally, how about the ability to restrict individual or group access by IP?
Loving the software BTW!
Official comment
Hi Everyone,
Thank you for all your feedback. As part of our complete security improvement we have implemented your recommendations for the following:
1. Restrict user login based on the time of day or day of the week.
2. Restrict user login based on the user's location. A great alternative to two-step authentication on a shared computer.
- Set a static internet address for your location to restrict user login to within the clinic network only.
- Set a static internet address for a user's home to restrict user login to within their home network only.
- Create your own private network to ensure sensitive patient information can only be accessed at approved locations.
We have also implemented the following:
1. Advanced user device and location detection.
- Helps users look out for suspicious account activity.
- Easy to detect if your account was accessed in Russia, especially if you have not been there recently.
2. Receive an email notification when a user's security settings are updated.
3. Receive an email notification whenever a login attempt from a new device is detected.
- This is an extra layer of security to ensure a new login attempt is really you.
- Easy to detect if someone else is using your account without approval.
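The controls listed in the official comment above (a per-user or per-group allowlist of source networks, a permitted days/hours window, and an email alert on the first login from an unseen browser) can be expressed as a small policy check that runs after the password has been verified. The following is an added example and not Core Practice's own code: every name, policy, address and login attempt in it is constructed for illustration, and the clinic timezone is assumed to be a fixed UTC+11. The one detail a practitioner most often gets wrong is which address the restriction is applied to, so the example also shows how to derive the client address when the application sits behind a reverse proxy: X-Forwarded-For is only trusted when the connection arrived from one of our own proxies, and the right-most non-proxy entry is used, never the left-most one the client can forge.

```python
"""Login policy checks: allowed networks, login hours, new-device alerts.

Added example, not Core Practice's own code. Every name, policy and login
attempt below is constructed for illustration; a real deployment would load
policies per user or group from its database.
"""
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo

# Assumed clinic timezone: fixed UTC+11. Production code should use
# zoneinfo.ZoneInfo("Australia/Sydney") so daylight-saving changes are handled.
CLINIC_TZ = timezone(timedelta(hours=11))


def client_ip(remote_addr: str, forwarded_for: str | None, trusted_proxies: list[str]) -> str:
    """Address the IP restriction applies to.

    X-Forwarded-For is client-controlled unless the connection came through a
    proxy we run, so it is honoured only when remote_addr is a trusted proxy,
    and then the right-most entry that is not one of our proxies is used.
    """
    proxies = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_proxy(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed entry
        return any(addr in net for net in proxies)

    if not forwarded_for or not is_proxy(remote_addr):
        return remote_addr
    for hop in reversed([h.strip() for h in forwarded_for.split(",") if h.strip()]):
        if not is_proxy(hop):
            return hop
    return remote_addr  # every hop was one of our proxies


@dataclass
class LoginPolicy:
    networks: list[ipaddress.IPv4Network | ipaddress.IPv6Network] = field(default_factory=list)
    days: frozenset[int] = frozenset(range(7))   # 0 = Monday .. 6 = Sunday
    window: tuple[time, time] | None = None      # allowed clock window, clinic local time
    tz: tzinfo = CLINIC_TZ

    def network_ok(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return not self.networks or any(addr in net for net in self.networks)  # empty = any

    def time_ok(self, when: datetime) -> bool:
        local = when.astimezone(self.tz)
        if local.weekday() not in self.days:
            return False
        return self.window is None or self.window[0] <= local.time() <= self.window[1]


def device_id(user_agent: str, device_cookie: str) -> str:
    """Stable browser identifier: hash of a random per-install cookie plus the UA."""
    return hashlib.sha256(f"{device_cookie}|{user_agent}".encode()).hexdigest()[:16]


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)  # why the login was refused
    alerts: list[str] = field(default_factory=list)   # notifications to send on success


def evaluate_login(user: str, policy: LoginPolicy, known_devices: dict[str, set[str]],
                   ip: str, user_agent: str, device_cookie: str, when: datetime) -> Decision:
    """Run after the password (and any 2FA) has been verified, never before."""
    decision = Decision(allowed=True)
    if not policy.network_ok(ip):
        decision.allowed = False
        decision.reasons.append(f"{ip} is outside the networks allowed for {user}")
    if not policy.time_ok(when):
        decision.allowed = False
        decision.reasons.append("attempt is outside the permitted days or hours")
    if decision.allowed:
        dev = device_id(user_agent, device_cookie)
        seen = known_devices.setdefault(user, set())
        if dev not in seen:  # first login from this browser: email the user
            decision.alerts.append(f"new device {dev} for {user}")
            seen.add(dev)
    return decision


# Constructed policies: junior staff only from the clinic's public address on
# weekdays 07:30-19:00; the owner also from a static home address, any time.
CLINIC_ONLY = LoginPolicy(networks=[ipaddress.ip_network("203.0.113.0/24")],
                          days=frozenset(range(5)), window=(time(7, 30), time(19, 0)))
CLINIC_OR_HOME = LoginPolicy(networks=[ipaddress.ip_network("203.0.113.0/24"),
                                       ipaddress.ip_network("198.51.100.7/32")])


def demo() -> list[Decision]:
    """Four constructed attempts; returns the decisions so they can be inspected."""
    devices: dict[str, set[str]] = {}
    ua = "Mozilla/5.0 (constructed)"
    tue_10 = datetime(2024, 3, 5, 10, 0, tzinfo=CLINIC_TZ)   # Tuesday, office hours
    sat_22 = datetime(2024, 3, 9, 22, 0, tzinfo=CLINIC_TZ)   # Saturday night
    # Behind our proxy: the forged left-most 9.9.9.9 is ignored, 203.0.113.20 is used
    ip = client_ip("10.0.0.5", "9.9.9.9, 203.0.113.20", ["10.0.0.0/8"])
    return [
        evaluate_login("junior_da", CLINIC_ONLY, devices, ip, ua, "cookie-1", tue_10),
        evaluate_login("junior_da", CLINIC_ONLY, devices, "198.51.100.7", ua, "cookie-1", tue_10),
        evaluate_login("practice_owner", CLINIC_OR_HOME, devices, "198.51.100.7", ua, "cookie-2", sat_22),
        evaluate_login("junior_da", CLINIC_ONLY, devices, ip, ua, "cookie-1", sat_22),
    ]
```

The first attempt is allowed and raises a new-device alert, the second is refused because the home address is not in the junior's allowlist, the third is allowed for the owner, and the fourth is refused by the time window even though it comes from the clinic address. Two caveats apply to any deployment of this pattern: a clinic behind carrier-grade NAT or a dynamic address will lock everyone out when the address changes, which is why the official comment asks for a static address, and a per-install device cookie must be set with HttpOnly and Secure so a shared computer's other users cannot read it.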
Hi Tony,
Thanks for posting a feature request! These are all great ideas, and I think they would make excellent additions to Core Practice! I have separated the three requests into their own posts, for easier management as we complete each feature. I have also created a post for complex passwords and another for two-factor authentication. In this post, I will be addressing your final request.
I love the idea of restricting individuals or groups by an IP address! That would drastically increase the security, limiting particular users from accessing it when away from the office. I have escalated this request to our project management system to be built. Thanks again!