Two-factor authentication is an important step in safeguarding your patient information. It requires a user to register when they log in from a device, using a code sent by text to their mobile phone (recommended) or an email verification code.
You can also bypass two-factor authentication for specific locations, e.g., your office or home, by saving trusted IP addresses if desired.
- Saving Trusted IP Addresses to Bypass Two-Factor Authentication (as an Admin)
- Setting up Two-Factor Authentication (as an Admin)
- Setting up Individual Two-Factor Authentication
- Additional Security Recommendations
Saving Trusted IP Addresses to Bypass Two-Factor Authentication (as an Admin)
To bypass two-factor authentication for specific locations, e.g., your office or home, you can save trusted IP addresses.
Go to Settings > Business > User Management > IP Access Management > Add my IP
Note - if you add your office IP address, it will apply to everyone logging in from that office IP so only one person needs to add the office IP!
Saving Trusted IP Addresses to Bypass Two-Factor Authentication for Non-Admin Users
Admins can also save trusted IP addresses for non-admin users! To do so, please navigate to Settings > Business > User Management > IP Access Management > Add IP for another user:
Then Select a User > Select IP address to whitelist > Add a description (optional) > and Save & Close.
Setting up Two-Factor Authentication for your Staff Users (as an Admin)
As an Admin, you can now set two-factor authentication for each of your users under Settings > Business > User Management > Edit User. We strongly recommend that an Admin user set this up for each non-Admin user to ensure a secure account.
Toggle the 2FA button at the bottom of the page and decide if the verification code should be sent via email or text. Please make sure to click Save Access for User when you are finished.
Setting up Individual Two-Factor Authentication (Non-Admin)
Individual users can also add two-factor authentication under Settings > Business > Individual User Preferences:
- Log in to OptiMantra and navigate to "Settings".
- Click on User Preferences (very bottom of the list).
- Select the Two-Factor Authentication tab.
- Check the box to enable two-factor authentication.
- Choose your preferred authentication method: email or text message
- If you opt for a text message, ensure your user profile has a valid text message number.
Logging In with Two-Factor Authentication
- The next time you log out and attempt to log back into OptiMantra, a verification code will be sent to your chosen method (email or text).
- Enter the verification code and you'll be able to log in to your account.
- Once you enable Two-Factor Authentication, it will be required every time you log in unless you save a trusted IP address and are logging in from that location.
Each user needs to enable two-factor authentication for their OptiMantra account. Please encourage all practice users to set up two-factor authentication for added security.
Troubleshooting Two-Factor Authentication Code Delivery
If you are set up to receive codes via email and they are not being delivered, the email carrier may be filtering the code as spam or junk mail, or stacking it with previously deleted code emails.
To avoid this, please add support@optimantra.com and donotreply@optimantra.com to your trusted contacts. Then, please reattempt login.
If issues continue, please contact our support team.
Troubleshooting Repeated Code Requirements After Whitelisting IP
Please Note: IP whitelisting may not be applicable for all users. Some internet service providers (especially home or mobile networks) frequently change IP addresses, which can prevent the whitelist from functioning as expected.
If this happens, you may need to update your IP or continue using two-factor authentication at those locations. You can also contact your internet provider for more information about their IP address standards and whether they offer static IP options.
Additional Security Recommendations
In addition to enabling Two-Factor Authentication (2FA), which adds a layer of security that significantly reduces the risk of unauthorized access even if login credentials are compromised, we recommend the following:
- Ensure computers in the practice are not left open or unlocked, especially in front desk areas available to patients.
- Implement and enforce strong password policies for all staff members accessing the EMR system (we require a combination of uppercase and lowercase letters, numbers, and special characters) and regularly request that all members of your team update their passwords.
- Don't share passwords or log-ins across team members, and don't leave your passwords written out or printed anywhere near your computer.
Monitor and Install Regular Software Updates and Patches:
- Ensure that your computer and browser applications are up to date with the latest security patches.
- In Chrome, you'll see this type of reminder in the top right corner (we recommend using Chrome as your browser!)
Talk To Your Team About Cyber Awareness:
- Remind your team to be vigilant of phishing attacks, social engineering, and other common cyber threats. Because you get lots of emails from lots of patients, remind them never to open any emails or attachments that are not expected or come from an unknown email address.
Network Security:
- Secure your practice's network with a robust firewall and regularly update antivirus and anti-malware software.
- Restrict access to the EMR system to authorized personnel only, and consider implementing virtual private networks (VPNs) for secure remote access.
Use HIPAA-compliant Email That Includes Data Encryption or Communicate through the Patient Portal:
- Utilize tools with encryption to protect sensitive data both in transit and at rest. This adds an extra layer of security, especially when exchanging patient information with other healthcare providers or third-party services.
- If you're not using HIPAA-compliant email, use the patient portal to share sensitive medical information.