Security & Infrastructure
      Back to home
      1. Knowledge Base
      2. Security & Infrastructure

      Live App Security Settings: HIPAA Plans

      This article describes the Live App security settings in Knack, which are included in the HIPAA plan.

      Here at Knack, we take the security of your data seriously. We know that as a hospital, medical clinic, healthcare provider, or anyone who works with Personal Health Information (PHI) in the United States, you are bound by specific privacy requirements when it comes to the data of your patients.

      As a HIPAA-compliant software provider, you can use Knack to create database applications for storing and managing your PHI.

      This article describes the Live App security settings in Knack, which are included in the HIPAA plan. For Builder security settings always available for all Knack plans, please see our Builder Security Settings article.

       

      This article covers the following topics:

       

      What do I need to be able to use Live App Security Settings on a HIPAA Plan?

      In order to access these security settings in your Knack apps, you’ll need to have purchased the HIPAA plan on your Knack account. Please use the contact form on this page to learn more about our HIPAA compliant package. 

      Where do I access Live App Security Settings on a HIPAA Plan?

      The location of each of these settings is outlined in the detailed sections below. In general, all of these options can be found in the app's settings under App Settings > Security or under User Logins:

      hipaa1

      Summary of Settings:

      • Inactivity Logout: Being inactive for 15 minutes logs you out of the Live App.

        • Options available: 1, 5, 10, 15, 30, and 60 minutes

      • Passwords: No common passwords, a minimum of 8 character passwords.

        • Options available: 1 number, 1 special character, 1 uppercase character, 1 lowercase character, password expires every 60 days, and can't use the last 3 passwords

      • Failed Logins: Lockout after 3 failed attempts within a 15 time period, lockout for 15 minutes after the failed attempts, and send the user an email when they've been locked out.

        • Option available: Allow users to request a password to reset their account.

      • IP Whitelisting: Targets a Live App and which IP addresses can access that Live App.

      • Secure Browser: When an http:// URL is accessed, it automatically redirects to the https:// version. 

       

      Inactivity Logout

      Inactivity logout ensures the implementation of security measures that automatically log out users from the Live App when they remain inactive.

      HIPAA Requirements & Defaults

      The inactivity logout feature is enabled by default, automatically logging out the Live App user after 15 minutes of inactivity. However, if desired, this feature can be disabled.

      Activation

      Inactivity logout settings can be enabled from the Settings section of the Builder under the User Logins: 

      hipaa2

      To enable this setting, simply click on the checkbox next to "Automatically log out after 15 minutes of inactivity." From there, you have the option to customize the default logout time and edit the on-screen message that prompts users one minute before they are logged out.

      Notes:

      • Users must be enabled before this setting is available. See our article here to learn more about users and access.
      • The selected inactivity timer option for the live app will also be applied to the Builder. This means that account owners and shared builders will also be automatically logged out of the Builder based on this setting.
      • Please be sure to select "Save Settings" at the bottom of the page in order to save your preferences.
       

      Options

      Knack’s available options for inactivity logout:

      Description

      Options

      Automatically log out after X minutes of inactivity

      1, 5, 10, 15, 30, 60

      Inactivity Message 

      You have the flexibility to personalize the message according to your preferences.
       

      Passwords

      Implementing longer and more complex passwords is an effective measure to enhance the security of your Live App pages.

      HIPAA Requirements & Defaults

      The password requirements are enabled by default and cannot be disabled:

      • A minimum of 8 characters

      • No common words

      Activation

      Password settings can be enabled from the Settings section of the Builder under the User Logins section.

      Note: Users must be enabled before this setting is available. See our article here to learn more about users and access.

       

      hipaa3

      This setting is automatically enabled. You have the option to select or deselect the boxes to customize the password requirements that you want your users to adhere to when creating passwords.

      Additionally, you can choose to set a password expiration of 60 days for your users (this message can be personalized) and enforce the rule that they are unable to reuse their previous three passwords (this message can also be personalized).

      Note:  Please be sure to click “Save Settings” at the bottom of the page to save your requirements.

       

      Options

      Knack’s available options for passwords:

      Description

      Default

      Passwords for an app must include:

       

      Minimum 8 characters

      enabled

      No common passwords

      enabled

      Must include at least 1 number

      disabled

      Must include at least 1 special character

      disabled

      Must include at least 1 uppercase letter

      disabled

      Must include at least 1 lowercase letter

      disabled

      Additional Settings

       

      Expire every 60 days (this message is editable)

      Your password has expired; please reset it below.

      Cannot reuse last 3 passwords (this message is editable)

      You cannot use a password you've previously used. Please try a different one.
       

      Failed Logins

      Knack's failed login settings are designed to safeguard against brute force attacks, also known as brute force hacking. This method involves application programs attempting multiple login attempts through exhaustive effort, rather than employing intellectual strategies, in order to access secured data behind login access.

      By implementing Knack's failed login settings, you can effectively protect your Live App against these repeated login attempts.

      HIPAA Requirements & Defaults

      The default of locking out Live App users after 3 failed attempts within a 5-minute time period for 15 minutes is applied to HIPAA apps and cannot be edited or disabled.

      Activation

      Failed login settings can be enabled from the Settings section of the Builder under the User Logins.

      Note: Users must be enabled before this setting is available.

       

      This setting is enabled by default, but you have the option to disable it by selecting the checkbox next to "Lock out users after too many failed logins". From there, you can customize the number of failed attempts and the length of time before a user can try to log in again.

      The on-screen message displayed when users are locked out can be customized. Additionally, there is an option to send an email to the user if they have been locked out, and they can also reset their password themselves.

      hipaa4

      Note: Please be sure to click “Save Settings” at the bottom of the page to save your requirements.

       

      Options

      Knack’s available options for brute force login prevention:

      Description

      Default

      Options

      Lockout after X failed attempts within a X time period

      3 || 15
      • 3, 5, 10 failed logins
      • 1, 5, 15, 60 minute period

      Lockout after the above-failed attempts

      5

      5, 15, 60, 1 day, Forever

      Lockout message (this message is editable)

      The account is locked due to too many failed login attempts. Please wait before trying again.

       

      Allow users to request a password reset to unlock their account

      disabled

      NA

      Allow users to request a password reset to unlock their account (this message is editable)

      You may also <a href="/#/knack-password/forgot">reset your password</a> to unlock your account.

       

      Send the user an email when they're locked out

      enabled

      NA

      Email message (this message is editable)

      For your security, we're alerting you to the fact that your account has been locked out due to too many failed login attempts. If this is not you, please alert your admin right away.

       
       

      Note: The option to lock out the user forever after a certain number of failed login attempts sets the "Accounts" user role status to "locked." This status can only be reversed by sending the user a reset password email.

      Alternatively, if the option to "Allow user to request password reset to unlock account" has been checked on the app, the user can unlock their account and reset their password by utilizing the “forgot?” link on the app’s login page.

       

      IP Whitelisting

      IP Whitelisting allows you to specify which IP addresses can access your Live App, whether it is hosted or embedded. However, please note that this feature does not currently support blocking specific IP addresses or ranges.

      This feature does not impact overall API access. The API is already protected by API keys, so there is no need for additional IP protection.

      HIPAA Requirements & Defaults

      There are no requirements or defaults for this security setting.

      Activation

      IP whitelisting can be enabled from the Settings section of the Builder under the App Settings > Security tab.

      This setting is enabled by checking the checkbox next to this setting. 

      hipaa5

      Note:  Be sure to click “Save Settings” at the bottom of the page to save your requirements.

       

      Secure Browser

      By enabling this setting, when users access your Live App on http://, they will be automatically redirected to the https:// version for enhanced security.

      HIPAA Requirements & Defaults

      This setting is automatically enabled for apps on a HIPAA plan but can be disabled by unchecking the box next to “Force the browser to use HTTPS to encrypt all traffic.”

      Caution: Please be aware that disabling this setting carries a potential risk as it may allow users to access your App through a non-secure endpoint (HTTP instead of HTTPS). It is recommended to keep this setting enabled for enhanced security.

      Activation

      Secure browser settings can be enabled from the Settings section of the Builder under the App Settings > Security tab.

      This setting is enabled by checking the checkbox next to this setting. Be sure to click “Save Settings” at the bottom of the page to save your requirements.

      hipaa6

       

      Notes

      • For more information on keeping your apps secure, check out our Security Best Practices.

      • HIPAA accounts currently do not have access to add template/sample apps.