
Live App Security Settings: HIPAA Plans

Updated by Danielle Kellogg

Here at Knack, we take the security of your data seriously. We know that as a hospital, health care provider, or anyone else who works with Protected Health Information (PHI) in the United States, you are bound by specific privacy requirements when it comes to patient data. Knack is a HIPAA-compliant software provider, so you can use it to create database applications for storing and managing your PHI.

This article describes the Live App security settings in Knack which are included in the HIPAA plan. For Builder security settings always available for all Knack plans, please see our "Builder Security Settings" article.

What do I need to use Live App Security Settings on a HIPAA Plan?

In order to access these security settings in your Knack apps, you’ll need to have purchased the HIPAA plan on your Knack account.

Where do I access Live App Security Settings on a HIPAA Plan?

The location of each of these settings is outlined in the detailed sections below. 

Summary of Settings

  • Inactivity Logout: Being inactive for 15 minutes logs you out of the Live App. Options: 1, 5, 10, 15, 30, 60 minutes
  • Passwords: No common passwords and a minimum of 8 characters (always on). Options: at least 1 number, 1 special character, 1 uppercase character, 1 lowercase character; password expires every 60 days; can't reuse last 3 passwords
  • Failed Logins: Lockout after 3 failed attempts within a 15-minute period, lockout lasts 15 minutes, and the user is sent an email when locked out. Options: allow the user to request a password reset to unlock the account; send the user an email on lockout
  • IP Whitelisting: Restricts which IP addresses can access a given Live App
  • Secure Browser: When an HTTP:// URL is accessed, the browser is automatically redirected to the HTTPS:// version

Inactivity Logout

Inactivity logout provides security measures to automatically log out your users when they are inactive within the Live App.

HIPAA Requirements & Defaults

By default, the inactivity logout is turned on and is set to automatically log out the Live App user after 15 minutes of inactivity. It can be disabled.

Activation

Inactivity logout settings can be enabled from the Settings section of the Builder under User Logins.

Users must be enabled before this setting is available.

This setting is enabled by clicking the checkbox next to “Automatically log out after 15 minutes of inactivity”. From there, you can change the default logout time and edit the message that appears on-screen to users 1 minute before the specified logout time.

Be sure to click “Save Settings” at the bottom of the page to save your requirements.

Whatever option is selected for the Live App inactivity timer is also applied to the Builder, so account owners and shared builders will be logged out of the Builder on the same schedule.

Options

Knack’s available options for inactivity logout:

  • Automatically log out after X minutes of inactivity. Default: 15. Options: 1, 5, 10, 15, 30, 60 (minutes)
  • Inactivity message (editable). Default: “Still there? If so, click “Remain Logged In” below.”

Passwords

Requiring longer and more complex passwords is a good way to help ensure that your Live App pages are secure.

HIPAA Requirements & Defaults

The following password requirements are on by default and cannot be disabled:

  • A minimum of 8 characters
  • No common passwords

Activation

Password settings can be enabled from the Settings section of the Builder under User Logins.

Users must be enabled before this setting is available.

This setting is enabled automatically. Check or uncheck the boxes for the requirements you want your users to follow when creating passwords.

You can also make users’ passwords expire every 60 days and prevent them from reusing their last three passwords (the message shown for each of these is customizable).

Be sure to click “Save Settings” at the bottom of the page to save your requirements.

Options

Knack’s available options for passwords:

Passwords for an app must include:

  • Minimum 8 characters. Default: enabled (cannot be disabled)
  • No common passwords. Default: enabled (cannot be disabled)
  • Must include at least 1 number. Default: disabled
  • Must include at least 1 special character. Default: disabled
  • Must include at least 1 uppercase letter. Default: disabled
  • Must include at least 1 lowercase letter. Default: disabled

Additional settings:

  • Expire every 60 days. Message (editable): “Your password has expired, please reset it below.”
  • Cannot reuse last 3 passwords. Message (editable): “You cannot use a password you've previously used. Please try a different one.”

Failed Logins

Failed login settings help to prevent brute force attacks. In a brute force attack, an attacker (usually with an automated tool) tries many candidate passwords against a login form until one works, relying on sheer volume rather than any knowledge of the password. Knack’s failed login settings provide protection against these repeated login attempts.

HIPAA Requirements & Defaults

The default of locking out Live App users after 3 failed attempts within a 5 minute time period for 15 minutes is applied to HIPAA apps and cannot be edited or disabled.

Activation

Failed login settings can be enabled from the Settings section of the Builder under User Logins.

Users must be enabled before this setting is available.

This setting is enabled automatically, but can be disabled by unchecking the checkbox next to “Lock out users after too many failed logins”. From there, you can change the number of failed attempts, the time window they are counted in, and the length of time before a user can try to log in again. The message shown on screen to locked-out users is editable. You can also choose to email the user when they’ve been locked out and/or allow them to unlock the account by resetting their password themselves.

Be sure to click “Save Settings” at the bottom of the page to save your requirements.

Options

Knack’s available options for brute force login prevention:

  • Lockout after X failed attempts within a Y-minute time period. Defaults: 3 attempts, 15 minutes. Options: attempts 3, 5, 10; time period 1, 5, 15, 60 minutes
  • Lockout for X (length of time) after the above failed attempts. Default: 5 minutes. Options: 5, 15, 60 minutes, 1 day, Forever
  • Lockout message (editable). Default: “Account locked due to too many failed login attempts. Please wait before trying again.”
  • Allow user to request password reset to unlock account. Default: disabled. Message (editable): “You may also <a href="/#/knack-password/forgot">reset your password</a> to unlock your account.”
  • Send user an email when locked out. Default: enabled. Email message (editable): “For your security, we're alerting you to the fact that your account has been locked out due to too many failed login attempts. If this was not you, please alert your admin right away.”

Choosing “Forever” for “Lockout for X (length of time) after the above-failed attempts” sets the user’s status in the Accounts user role to “locked”. This status can only be cleared by sending the user a reset password email. Alternatively, if “Allow user to request password reset to unlock account” has been checked on the app, the user can unlock their account and reset their password themselves using the “forgot?” link on the app’s login page.
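To make the interaction between the attempt window, the lockout duration, the “Forever” option, and the two unlock paths concrete, here is an added example that is not Knack’s code: an in-memory model of the lockout rules above. The class and method names, the use of `Infinity` to stand for “Forever”, and the assumption that a lockout email is sent by the caller when `attempt` returns `'locked'` are all choices made for illustration.

```javascript
// Added example (not Knack's code): failed-login lockout with a rolling attempt
// window, a timed or permanent lock, and unlock via password reset.
const MINUTE = 60 * 1000;

// Defaults taken from the options table; lockoutMs: Infinity models "Forever".
const DEFAULT_LOCKOUT = {
  maxAttempts: 3,            // lock after this many failures...
  windowMs: 15 * MINUTE,     // ...within this rolling window
  lockoutMs: 5 * MINUTE,     // how long a timed lock lasts
  allowResetToUnlock: false, // "Allow user to request password reset to unlock account"
};

class LoginGuard {
  constructor(policy = DEFAULT_LOCKOUT) {
    this.policy = policy;
    // username -> { failures: [timestamps], lockedUntil: ms, status: 'active' | 'locked' }
    this.accounts = new Map();
  }

  state(user) {
    if (!this.accounts.has(user)) {
      this.accounts.set(user, { failures: [], lockedUntil: 0, status: 'active' });
    }
    return this.accounts.get(user);
  }

  // Permanent locks live in `status`; timed locks expire when `lockedUntil` passes.
  isLocked(user, now) {
    const s = this.state(user);
    return s.status === 'locked' || s.lockedUntil > now;
  }

  // Record one login attempt at time `now` (epoch ms). Returns:
  //   'ok'       correct password, account not locked
  //   'failed'   wrong password, still under the threshold
  //   'locked'   this failure triggered a lock (send the lockout email here)
  //   'rejected' account already locked; even a correct password is refused
  attempt(user, passwordCorrect, now) {
    const s = this.state(user);
    if (this.isLocked(user, now)) return 'rejected';
    if (passwordCorrect) {
      s.failures = [];
      return 'ok';
    }
    // Drop failures that have aged out of the rolling window, then count this one.
    s.failures = s.failures.filter((t) => now - t < this.policy.windowMs);
    s.failures.push(now);
    if (s.failures.length >= this.policy.maxAttempts) {
      s.failures = [];
      if (this.policy.lockoutMs === Infinity) s.status = 'locked';
      else s.lockedUntil = now + this.policy.lockoutMs;
      return 'locked';
    }
    return 'failed';
  }

  // A completed password reset clears the lock. An admin-sent reset email always
  // works; a self-service reset only unlocks when the option is enabled.
  passwordReset(user, selfService) {
    if (selfService && !this.policy.allowResetToUnlock) return false;
    const s = this.state(user);
    s.status = 'active';
    s.lockedUntil = 0;
    s.failures = [];
    return true;
  }
}
```

Two behaviours are worth noticing. Failures only accumulate inside the window, so three wrong guesses spread across an hour never trigger a lock under the defaults. And once locked, the account rejects even the correct password until the lock expires or is cleared by a reset, which is exactly what stops a brute force tool from simply continuing to guess.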

IP Whitelisting

IP Whitelisting restricts which IP addresses can access a given Live App, for both hosted and embedded apps. It is an allowlist only: it is not currently possible to use this feature to block a particular IP address or range of addresses.

This feature does not affect access to the API. The API is secured by API keys, so additional IP protection is not applied there. This means the allowlist does not limit where a valid API key can be used from, so treat your API key as a credential and keep it out of client-side code and public repositories.

HIPAA Requirements & Defaults

There are no requirements or defaults for this security setting on 

Activation

IP whitelisting can be enabled from the Settings section of the Builder under the App Settings > Security tab.

This setting is enabled by checking the checkbox next to it. Be sure to click “Save Settings” at the bottom of the page to save your requirements.

Options

There are no options for this security setting.

Secure Browser

With this setting enabled, if anyone accesses your Live App on HTTP://, they'll automatically redirect to the HTTPS:// version.

HIPAA Requirements & Defaults

This setting is automatically enabled for apps on a HIPAA plan, but can be disabled by unchecking the box next to “Force the browser to use HTTPS to encrypt all traffic.”

Note that turning this off is done at your own risk: it lets users reach your app over plain HTTP, so logins, session data and any PHI on the page can travel unencrypted and be read or altered on the network.

Activation

Secure browser settings can be enabled from the Settings section of the Builder under the App Settings > Security tab.

This setting is enabled by checking the checkbox next to it. Be sure to click “Save Settings” at the bottom of the page to save your requirements.

Options

There are no options for this security setting.

Notes & Troubleshooting

  • For more information on keeping your apps secure, check out our Security Best Practices.
  • HIPAA accounts cannot currently add template apps to the dashboard.
