This page covers best practices for keeping your practice's accounts and data secure.
- Log out when you finish using the system, especially on shared devices
- Sessions expire after 30 minutes of inactivity
- If you suspect someone else has accessed your account, change your password immediately
The system records key actions for audit purposes:
| Action | Logged |
| --- | --- |
| User login/logout | Yes |
| Patient record created/updated | Yes |
| Appointment booked/cancelled | Yes |
| Clinical note added | Yes |
| User account changes | Yes |
| Role/permission changes | Yes |
Practice Managers can view the audit log from Staff → Audit Log.
As a Practice Manager, you should:
- Monthly: Review the list of active staff accounts and disable any that belong to staff who have left
- Monthly: Review the audit log for unusual activity (e.g. logins at odd hours, bulk data exports)
- Quarterly: Review role assignments to ensure staff have appropriate permissions
- On departure: Immediately disable the account of any staff member leaving the practice
Signs that may indicate a security issue:
- Staff receiving password reset emails they did not request
- Unknown patients appearing in the system
- Appointments or records modified at unusual times
- Staff unable to log in despite correct credentials (may indicate account lockout from repeated failed attempts)
If you suspect a security breach or data loss:
- Immediately change any affected passwords
- Contact VeriPath support via the contact details in the Troubleshooting guide
- Do not delete or modify any related data — it may be needed for investigation
Password requirements:
- Minimum 8 characters
- Must include uppercase, lowercase, and a number
- Passwords expire every 90 days
- Do not reuse the last 5 passwords
- Never share passwords with colleagues
All staff accounts require MFA. See the MFA guide for setup and recovery procedures.