Password security recommendations

Information security is an important part of IT operations, especially within the scope of operating an Electronic Medical Record. BestNotes is committed to providing up-to-date security measures and best practices to all those we serve.

In order to ensure we are staying up-to-date on industry best practices, we continually monitor many trusted sources for updated information. One of these trusted sources is the U.S. Department of Commerce's National Institute of Standards and Technology (NIST). NIST has published a document titled "Digital Identity Guidelines" outlining its recommendations for securing and protecting a person's digital identity, as well as for securely verifying the identity of anyone attempting to access a computer network. This document is updated regularly and is available online at Digital Identity Guidelines.

Following the updated guidelines provided by NIST, BestNotes has updated our best practice recommendations and developed additional capabilities within BestNotes's products to help ensure safe and secure access for all users to BestNotes's systems.

While BestNotes has updated our own recommendations and default settings, we continue to offer capabilities for our customers to determine which practices are appropriate for their users, including additional restrictions and procedural controls to meet regulatory requirements or IT department policies. We recommend following the guidance of reputable bodies such as NIST and using resources such as the one linked above to inform and drive the development of IT department policies.

Password settings

BestNotes provides several options for System Administrators to control password and security options for their users. To select the options for your database, navigate as indicated below:

  1. Log in as System Administrator. You will be required to enter your personal secondary login.
  2. Select "Settings" then select "Users."
  3. Select "Password Settings."

Each available option is described below, as well as the BestNotes recommended setting.

Screenlock Timeout

Recommended setting: 30 minutes.

The BestNotes application includes a Screenlock feature that will hide the contents of the screen and prevent any user action until the user provides their account password. This is intended to prevent access to patient information by unauthorized users in the event a user walks away from their computer without manually locking the screen. This option sets the number of minutes before a user's BestNotes session is locked from inactivity.

Minimum Password Length

Recommended setting: 10 characters

This option sets the minimum number of characters users must include in their account password. Longer passwords have been shown to provide superior account protection over shorter passwords.

Maximum Password Age

Recommended setting: Disabled.

This option sets the number of days before a user must reset their password. Forcing users to reset their password at a fixed frequency has been shown to lead them to choose easy-to-remember passwords and to change them in very predictable ways.

Unique Password Each

Recommended setting: 1 generation.

This option sets the number of password changes a user must perform before being able to reuse a previously used password. When a password change is required, the user should choose a different password, but no other constraints regarding the chosen password should be applied.

Passwords must contain

Recommended setting: No option selected

These options specify which character sets a user must use when creating a password.

Forcing password complexity requirements on users has been shown to lead them to choose easy-to-remember passwords and to meet the complexity requirements in very predictable ways.
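The four password options above (minimum length, maximum age, unique-password generations, and required character sets) combine into one policy that is checked whenever a user sets a new password. The following is an added example, not BestNotes code, that models such a policy check in Python. It encodes the recommended settings from this page as RECOMMENDED and a hypothetical older-style policy as LEGACY for comparison; the policy class, function names and the sample passwords are constructed for illustration, and password history is held as plaintext only so the check is readable (a real system stores and compares salted hashes).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# Character classes a "Passwords must contain" rule could demand.
# Spaces are deliberately not counted as symbols, so passphrases stay allowed.
CHARACTER_SETS = {
    "lowercase": lambda c: c.islower(),
    "uppercase": lambda c: c.isupper(),
    "digit": lambda c: c.isdigit(),
    "symbol": lambda c: not c.isalnum() and not c.isspace(),
}


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical policy object mirroring the four settings on this page."""
    min_length: int = 10                      # Minimum Password Length
    max_age_days: Optional[int] = None        # Maximum Password Age (None = Disabled)
    unique_generations: int = 1               # Unique Password Each
    required_sets: FrozenSet[str] = frozenset()  # Passwords must contain


# Recommended settings from the page: 10 chars, no expiry, 1 generation, no composition rules.
RECOMMENDED = PasswordPolicy()

# Constructed "legacy" policy of the kind NIST's guidance argues against.
LEGACY = PasswordPolicy(
    min_length=8,
    max_age_days=90,
    unique_generations=5,
    required_sets=frozenset({"lowercase", "uppercase", "digit", "symbol"}),
)


def validate_new_password(policy: PasswordPolicy, candidate: str,
                          history: List[str]) -> List[str]:
    """Return the list of reasons a candidate password is rejected (empty = accepted).

    history lists the user's previous passwords newest first, so history[0] is the
    password currently in use. Plaintext here is for illustration only.
    """
    problems: List[str] = []

    if len(candidate) < policy.min_length:
        problems.append(
            f"must be at least {policy.min_length} characters (got {len(candidate)})")

    # Composition rules: with the recommended policy this set is empty and the loop does nothing.
    for name in sorted(policy.required_sets):
        if not any(CHARACTER_SETS[name](c) for c in candidate):
            problems.append(f"must contain at least one {name} character")

    # "Unique Password Each": the most recent N passwords (including the current one)
    # may not be reused. With N = 1 only the current password is blocked.
    if candidate in history[:policy.unique_generations]:
        problems.append(
            f"must differ from the last {policy.unique_generations} password(s)")

    return problems


def password_expired(policy: PasswordPolicy, last_changed: date, today: date) -> bool:
    """Maximum Password Age check; a disabled setting never expires a password."""
    if policy.max_age_days is None:
        return False
    return today - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    # Constructed sample: a passphrase that the recommended policy accepts and the legacy one rejects.
    print(validate_new_password(RECOMMENDED, "correct horse battery", ["old-pass-1"]))
    print(validate_new_password(LEGACY, "correct horse battery", ["old-pass-1"]))
```

Running the block shows the contrast the page describes: the passphrase passes the recommended policy with an empty problem list, while the legacy policy rejects it for lacking uppercase, digit and symbol characters even though it is far longer than eight characters.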

Maximum Failed Login Attempts

Recommended setting: 5 attempts.

This option sets the number of failed attempts on a single device before the user will be prohibited from logging in for a short time (the lockout period is an additional setting discussed below). This setting protects against malicious users attempting to guess a user's password by limiting the number of login attempts they can make, a technique known as a brute-force attack.

This setting is designed to prevent malicious users from logging in as a user without knowing the user's account password. If the actual user has been locked out based on this setting, their account can be unlocked from the "User Details" screen.

Lockout Period

Recommended setting: 5 minutes

This option sets the number of minutes a user account and/or device will be locked out after the number of unsuccessful login attempts has been reached. This setting protects against malicious users attempting to guess a user's password by limiting the number of login attempts they can make, a technique known as a brute-force attack.

Lockout message

Recommended setting: "Your access to BestNotes has been locked due to excess login failures. Please contact your system administrator to have your account unlocked or retry in [*]."

The lockout message will appear when a user is locked out due to failed login attempts. The "[*]" will be replaced with the number of minutes selected in the "Lockout period" option, and this number counts down until the account is unlocked. The recommended setting above is what will display by default. If you would like to customize this message, you can send a request to BestNotes Support. As mentioned in the "Maximum failed login attempts" section above, an account can be unlocked from the "User Details" screen.
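The three settings above work together: a per-account, per-device failure counter, a lockout period that starts when the counter reaches the maximum, and a message whose "[*]" placeholder counts down the minutes remaining. The following is an added Python example, not BestNotes code, that models that behaviour with the recommended values (5 attempts, 5 minutes, default message). The tracker class, the "(username, device)" key and the sample timestamps are constructed for illustration; how BestNotes itself keys or stores lockout state is not described on this page.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

DEFAULT_MESSAGE = ("Your access to BestNotes has been locked due to excess login failures. "
                   "Please contact your system administrator to have your account unlocked "
                   "or retry in [*].")


@dataclass(frozen=True)
class LockoutPolicy:
    """Hypothetical container for the three lockout settings, with the page's recommended values."""
    max_failed_attempts: int = 5
    lockout_minutes: int = 5
    message: str = DEFAULT_MESSAGE


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Counts failed logins per (username, device) and enforces the lockout period.

    'now' is passed in explicitly so the countdown can be reasoned about deterministically.
    """

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._states: Dict[Tuple[str, str], LockoutState] = {}

    def _state(self, username: str, device_id: str) -> LockoutState:
        return self._states.setdefault((username, device_id), LockoutState())

    def is_locked(self, username: str, device_id: str, now: datetime) -> bool:
        st = self._state(username, device_id)
        return st.locked_until is not None and now < st.locked_until

    def minutes_remaining(self, username: str, device_id: str, now: datetime) -> int:
        """Whole minutes left, rounded up, so the message never shows '0 minutes' while locked."""
        if not self.is_locked(username, device_id, now):
            return 0
        st = self._state(username, device_id)
        seconds = (st.locked_until - now).total_seconds()
        return max(1, math.ceil(seconds / 60))

    def lockout_message(self, username: str, device_id: str, now: datetime) -> str:
        remaining = self.minutes_remaining(username, device_id, now)
        return self.policy.message.replace("[*]", f"{remaining} minutes")

    def attempt(self, username: str, device_id: str, password_ok: bool,
                now: datetime) -> Tuple[bool, str]:
        """Record one login attempt; returns (allowed, message shown to the user)."""
        st = self._state(username, device_id)

        # While locked, even a correct password is refused; this is what blunts guessing.
        if self.is_locked(username, device_id, now):
            return False, self.lockout_message(username, device_id, now)

        # An expired lockout is cleared and the counter starts fresh.
        if st.locked_until is not None:
            st.failures = 0
            st.locked_until = None

        if password_ok:
            st.failures = 0
            return True, "login successful"

        st.failures += 1
        if st.failures >= self.policy.max_failed_attempts:
            st.locked_until = now + timedelta(minutes=self.policy.lockout_minutes)
            return False, self.lockout_message(username, device_id, now)
        left = self.policy.max_failed_attempts - st.failures
        return False, f"invalid credentials ({left} attempts remaining before lockout)"

    def admin_unlock(self, username: str, device_id: str) -> None:
        """Equivalent of unlocking the account from the 'User Details' screen."""
        self._states.pop((username, device_id), None)


if __name__ == "__main__":
    # Constructed timeline: five bad guesses at 09:00, then a correct password two minutes later.
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    tracker = LockoutTracker(LockoutPolicy())
    for _ in range(5):
        print(tracker.attempt("jdoe", "workstation-12", False, t0))
    print(tracker.attempt("jdoe", "workstation-12", True, t0 + timedelta(minutes=2)))
```

The sample run ends with the correct password being refused and the message reading "retry in 3 minutes", which is the countdown behaviour the page describes; a second device keyed separately is unaffected, and admin_unlock clears the state immediately.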

More options

In the lower right hand corner of the "Password Settings" page you will see a "More" option. By selecting this option you can access additional options listed below.

Force All User Password Reset

This option will force a password reset for every user in the database the next time they log in.

Inactivate All Users

This option will inactivate every user in the database except for the System Administrator accounts. This means that the account you log in to with the "sysadmin" username, as well as any account with the "System Administrator" checkbox selected, will be the only active accounts after selecting this button.
