To comply with regulatory standards for clinical researchers working with sensitive data, Terra will enable a feature that logs you out of a session after 15 minutes of idle time. This article outlines the steps to follow to enable this feature and what you can expect from the timeout.
How to enable the timeout
Clinical groups need to take action to enable the timeout feature, following the steps below.
Step 1. Create a group in Terra
For example, a clinical lab creates a managed group such as "my-15-minute-signout-group". To learn about managed groups in Terra, click here.
1.1. Go to "Main menu" --> "Profile" --> "Groups" by selecting the three lines at the top left:
1.2. Click on "Create a New Group" at the top left of the groups page
1.3. Give your group a name (only letters, numbers, underscores and dashes allowed)
1.4. Select the "Create Group" button
Note that by default, you will be the admin/owner of any group you create.
Step 2. Have support set up security logout
2.1. Contact support@terra.bio with the group name and inform them that you need the 15-minute timeout enabled for the group (for example, "my-15-minute-signout-group").
2.2. You'll receive a communication from Terra when your group has been added to the timeout access list and the 15-minute timeout is enabled for all group members.
You can add Terra users to the group within the "Main menu" --> "Profile" --> "Groups" page.
What to expect during a security logout
Terra keeps track of idle time for recognized clinical users (see "How to enable the timeout" above for how to set up this functionality). Much like a bank (and for similar security reasons), the system will automatically log you out after 15 minutes of idle time. This limits how long sensitive information remains visible on the screen for someone else to see. Read on for details of this feature.
1. One or two minutes before the 15-minute idle period is up, you'll get a warning screen asking if you want to extend the session:
2. If you choose to extend your session, you'll stay on the same screen.
3. If you don't extend, you’ll be logged out and data will no longer be visible on the screen.
4. A dialog box will inform you that your session has expired.
Security timeout when working in multiple tabs or windows
If you have multiple tabs or multiple windows open, the one that is most recently active drives the timer.
If you close your tab at any time, the timer will continue and you will be logged out after a total of 15 minutes. For example, if you close a tab after it was idle for ten minutes, you'll get logged out after five additional minutes.
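The multi-tab behaviour described above can be modelled with a single last-activity timestamp that every tab reads and the most recently active tab writes. The sketch below is an added example, not Terra's implementation; the storage key, the two-minute warning threshold and the in-memory storage stand-in are assumptions made for illustration.

```javascript
// Added illustration, not Terra's code. KEY and WARN_BEFORE_MS are assumed values.
const IDLE_LIMIT_MS = 15 * 60 * 1000;  // 15-minute idle limit from the article
const WARN_BEFORE_MS = 2 * 60 * 1000;  // article says "one or two minutes before"
const KEY = "lastActivityMs";          // hypothetical shared storage key

class IdleTimer {
  // storage: anything with getItem/setItem shared by all tabs; now: clock function
  constructor(storage, now = Date.now) {
    this.storage = storage;
    this.now = now;
  }
  // Call on user input in this tab, or when the user chooses to extend the session.
  recordActivity() {
    this.storage.setItem(KEY, String(this.now()));
  }
  // Polled by every open tab; all tabs read the same timestamp, so they agree.
  state() {
    const last = Number(this.storage.getItem(KEY));
    const idle = this.now() - last;
    // Missing, corrupt or future timestamp: fail closed and treat as expired.
    if (!Number.isFinite(last) || last <= 0 || idle < 0) return "expired";
    if (idle >= IDLE_LIMIT_MS) return "expired";
    if (idle >= IDLE_LIMIT_MS - WARN_BEFORE_MS) return "warning";
    return "active";
  }
}

// Constructed in-memory stand-in for shared browser storage, so this runs offline.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
}

// Simulates two tabs with a fake clock (minutes since an arbitrary start time).
function simulate(extendAtWarning) {
  let minute = 1;
  const now = () => minute * 60 * 1000;
  const store = memoryStorage();
  const tabA = new IdleTimer(store, now);
  const tabB = new IdleTimer(store, now);
  const seen = [];
  tabA.recordActivity();                       // last input at minute 1, in tab A
  minute = 11; seen.push(tabB.state());        // tab A closed here; timer keeps running
  minute = 14; seen.push(tabB.state());        // 13 minutes idle: warning
  if (extendAtWarning) tabB.recordActivity();  // tab B is now the most recent tab
  minute = 16; seen.push(tabB.state());        // 15 minutes after tab A's last input
  return seen;
}
```

Because the timestamp lives in shared storage and not in any one tab, closing a tab does not reset or stop the countdown, which matches the ten-plus-five-minute example above.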
How timeout works if you have multiple Google accounts
Note that you will be logged out of all Google accounts you are logged into in the browser, and you will have to log back in to all of them. To avoid being logged out of other Google accounts, open a private browsing session (incognito mode) when logging into a clinical account.
NIST security requirements
This functionality covers NIST AC-11 and AC-12 requirements (session lock and session timeout).