Security & Compliance

February 2026 · 6 min

Overview

Bio Ecko implements defense-in-depth security controls for healthcare data protection. The Security Dashboard at /app/admin/security provides administrators with tools for Two-Factor Authentication (2FA), session management, PHI access auditing, data export controls, and real-time threat monitoring. All security features are designed to meet NABH, HIPAA, and IT Act 2000 compliance requirements.

Two-Factor Authentication (2FA)

All user accounts support TOTP-based two-factor authentication via the MFA Setup panel:

  1. Enrollment -- Users scan a QR code with any authenticator app (Google Authenticator, Authy, Microsoft Authenticator)
  2. Verification -- Enter a 6-digit code to verify the device is correctly configured
  3. Enforcement -- Admins can mandate 2FA for specific roles (e.g., all doctors, all admin users)
  4. Recovery -- Recovery codes are generated at enrollment for lost-device scenarios

2FA is powered by Supabase Auth MFA and uses the TOTP standard (RFC 6238). Enrollment status is visible on the Security Dashboard.

Session Timeout

To protect unattended workstations, the system implements automatic session timeout:

  • Inactivity Detection -- Tracks mouse, keyboard, and touch events. After 25 minutes of inactivity, a warning dialog appears.
  • Grace Period -- Users have 5 minutes to re-authenticate (enter their password or PIN) before the session is terminated.
  • Auto-Logout -- If the grace period expires, the user is automatically signed out and redirected to the login page.
  • Configurable -- The total timeout (warning point plus grace period) is configurable per organization. The default of 30 minutes is the 25-minute warning plus the 5-minute grace period above. High-security areas (pharmacy, controlled substances) can use shorter timeouts.
  • Activity Reset -- Any user interaction resets the timer. The timeout only triggers on genuine inactivity.
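As an added example, not Bio Ecko's own code, the following models the inactivity behaviour above as a small state machine with an injectable clock, so the 25-minute warning, 5-minute grace period and activity reset can be exercised outside a browser. Two details are assumptions rather than statements from the page: during the grace period only a successful re-authentication returns the session to active (plain mouse movement does not, so a passer-by cannot keep an unattended session alive), and the grace period is anchored to the moment the user went idle rather than to when the timer next ran, so a laptop that slept through the whole window expires on wake-up instead of getting a fresh five minutes. A client-side timer like this is a usability control; the server must still expire the session or token on its own clock.

```javascript
// Added example (not Bio Ecko's code): inactivity state machine with injectable clock.
const MINUTE = 60 * 1000;

class IdleSessionTimer {
  // Defaults are the page's: warn after 25 minutes idle, then a 5-minute grace period.
  constructor({ warnAfterMs = 25 * MINUTE, graceMs = 5 * MINUTE, onWarn = () => {}, onExpire = () => {} } = {}) {
    Object.assign(this, { warnAfterMs, graceMs, onWarn, onExpire });
    this.state = 'active';        // 'active' | 'warning' | 'expired'
    this.lastActivity = 0;
    this.warnAt = 0;
  }

  get totalTimeoutMs() { return this.warnAfterMs + this.graceMs; }   // 30 minutes by default

  start(now) { this.state = 'active'; this.lastActivity = now; }

  // Mouse/keyboard/touch input resets the timer only while the session is still active.
  // Assumption: once the warning dialog is up, input alone does not dismiss it.
  activity(now) { if (this.state === 'active') this.lastActivity = now; }

  // Called with the outcome of the password/PIN check done by the backend.
  reauthenticate(now, passed) {
    if (this.state !== 'warning' || !passed) return false;
    this.state = 'active';
    this.lastActivity = now;
    return true;
  }

  // Poll from setInterval, and again on visibilitychange when a tab wakes up.
  tick(now) {
    if (this.state === 'active' && now - this.lastActivity >= this.warnAfterMs) {
      this.state = 'warning';
      // Anchor the grace period to the real idle point, not to when this tick ran.
      this.warnAt = this.lastActivity + this.warnAfterMs;
      this.onWarn(now);
    }
    if (this.state === 'warning' && now - this.warnAt >= this.graceMs) {
      this.state = 'expired';
      this.onExpire(now);        // sign out and redirect to the login page
    }
    return this.state;
  }

  // Browser wiring: DOM events feed activity(); returns the interval id so sign-out can clear it.
  attach(target, clock = Date.now, events = ['mousemove', 'keydown', 'touchstart', 'click']) {
    for (const ev of events) target.addEventListener(ev, () => this.activity(clock()));
    return setInterval(() => this.tick(clock()), 1000);
  }
}

// Constructed timeline: each step is [action, minute, arg]; returns the state after each step.
function runTimeline(steps, options) {
  const timer = new IdleSessionTimer(options);
  const states = [];
  for (const [action, minute, arg] of steps) {
    const now = minute * MINUTE;
    if (action === 'start') timer.start(now);
    else if (action === 'activity') timer.activity(now);
    else if (action === 'reauth') timer.reauthenticate(now, arg);
    states.push(timer.tick(now));
  }
  return states;
}
```

In a real page `attach(document)` does the wiring; `runTimeline` exists only so the transitions can be checked without a DOM.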

PHI Access Logging

Every access to Protected Health Information (PHI) is logged for audit compliance:

  • Patient Record Access -- When a user opens a patient's chart, the access is logged with user ID, timestamp, patient ID, record type, and access reason
  • Break-the-Glass -- For emergency access to restricted records, users must provide a justification reason that is prominently logged and flagged for review
  • Bulk Access Alerts -- If a user accesses an unusual number of patient records in a short period, an alert is generated for the security team
  • Export Logging -- All data exports (CSV, PDF, Excel) are logged with the export type, record count, and user
  • Retention -- PHI access logs are retained for 7 years per regulatory requirements

Access logs are available at /app/admin/audit-logs with filtering by user, patient, date range, and access type.

Data Export Controls

Sensitive data exports are governed by role-based controls:

  • Role Restrictions -- Only admin and owner roles can perform bulk patient data exports
  • Watermarking -- Exported PDFs include an invisible watermark with the exporting user's identity and timestamp, so a leaked document can be traced back to the export that produced it (watermarking attributes a leak; it does not prevent copying)
  • Row Limits -- Bulk exports are capped at configurable limits (default: 1000 records per export)
  • Audit Trail -- Every export generates an audit log entry with file type, record count, and purpose
  • Approval Workflow -- For large exports (>500 records), a two-person approval can be required
  • Format Controls -- Export formats can be restricted by role (e.g., receptionists can export PDF only, not CSV)
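The controls above combine into one decision per export request, and the two-person approval is a second step with its own rule: the approver must be a different person. The following is an added example, not Bio Ecko's code, expressing that decision as a policy function. The role names, the format names, the rule that "bulk" means more than one patient's records, and the requirement that an approver is also a bulk-export role are assumptions; the 1000-record cap and the 500-record approval threshold are the page's defaults.

```javascript
// Added example (not Bio Ecko's code): export authorization and two-person approval.
const EXPORT_POLICY = {
  bulkRoles: new Set(['admin', 'owner']),                         // who may export more than one patient
  formatsByRole: {                                                // assumed role/format matrix
    receptionist: ['pdf'],
    doctor: ['pdf', 'csv'],
    admin: ['pdf', 'csv', 'xlsx'],
    owner: ['pdf', 'csv', 'xlsx'],
  },
  maxRecords: 1000,                                               // hard cap per export
  approvalThreshold: 500,                                         // above this, a second person signs off
};

// Returns { decision: 'deny' | 'allow' | 'needs-approval', reasons, audit }.
// Every call yields an audit entry, denials included: a refused export is itself a signal.
function authorizeExport(request, policy = EXPORT_POLICY) {
  const { user, format, recordCount, purpose } = request;
  const reasons = [];
  const allowedFormats = policy.formatsByRole[user.role] || [];
  if (!allowedFormats.includes(format)) reasons.push(`format ${format} not permitted for role ${user.role}`);
  if (recordCount > 1 && !policy.bulkRoles.has(user.role)) reasons.push(`role ${user.role} may not bulk export`);
  if (recordCount > policy.maxRecords) reasons.push(`record count ${recordCount} exceeds cap of ${policy.maxRecords}`);
  if (!purpose || !purpose.trim()) reasons.push('purpose is required');

  let decision = 'allow';
  if (reasons.length) decision = 'deny';
  else if (recordCount > policy.approvalThreshold) decision = 'needs-approval';

  const audit = { ts: new Date().toISOString(), userId: user.id, fileType: format, recordCount, purpose, decision };
  return { decision, reasons, audit };
}

// Two-person rule: the approver must be someone else and must themselves hold a bulk-export role.
function approveExport(pending, approver, policy = EXPORT_POLICY) {
  if (pending.decision !== 'needs-approval') return { ok: false, reason: 'nothing to approve' };
  if (approver.id === pending.audit.userId) return { ok: false, reason: 'requester cannot approve their own export' };
  if (!policy.bulkRoles.has(approver.role)) return { ok: false, reason: `role ${approver.role} cannot approve exports` };
  return { ok: true, audit: { ...pending.audit, decision: 'allow', approvedBy: approver.id } };
}
```

Checking the format and role restrictions before the size thresholds matters: a request that is denied outright should never be parked in an approval queue where a second admin might wave it through.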

Threat Monitoring

Real-time security monitoring includes:

  • Failed Login Tracking -- Multiple failed login attempts trigger account lockout and admin notification
  • Anomalous Access Patterns -- Unusual access times, locations, or volume flagged for review
  • Session Hijacking Detection -- Monitors for concurrent sessions from different IP addresses
  • Password Policy -- Minimum 8 characters, complexity requirements, password history enforcement
  • API Rate Limiting -- Protected API endpoints have rate limits to prevent abuse

Notes

Warning

Enable 2FA for all users with access to patient data. This is a critical security control and a compliance requirement for most healthcare regulations.

Tip

Review the PHI access logs weekly. Look for unusual patterns: users accessing records outside their department, high-volume access, or after-hours access.
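The three patterns in this tip, plus the bulk-access alert from the PHI Access Logging section, are mechanical enough to script. The following is an added example, not Bio Ecko's code, that runs those checks over a constructed set of access-log entries: a sliding-window count of distinct patients per user for bulk access, an after-hours filter, and a cross-department check that separates ordinary out-of-department access from break-the-glass access (which is listed for review regardless). The field names (`userDept`, `recordDept`, `breakGlass`) and the thresholds are assumptions; the real audit-log export may name fields differently, and hours here are evaluated in UTC for determinism, so convert to the facility's local time zone before using the after-hours check in practice.

```javascript
// Added example (not Bio Ecko's code): weekly PHI access-log review checks over constructed entries.
const ALERT = { BULK: 'bulk-access', AFTER_HOURS: 'after-hours', CROSS_DEPT: 'cross-department', BREAK_GLASS: 'break-glass-review' };

// Constructed sample: a normal cardiology day, one out-of-department lookup, one break-the-glass
// access, one 02:30 session, and a burst of twelve distinct charts opened by one nurse in 12 minutes.
const SAMPLE_LOGS = [
  { ts: '2026-02-09T09:12:00Z', userId: 'dr.rao', userDept: 'cardiology', patientId: 'P-1001', recordDept: 'cardiology', recordType: 'chart', reason: 'treatment', breakGlass: false },
  { ts: '2026-02-09T09:40:00Z', userId: 'dr.rao', userDept: 'cardiology', patientId: 'P-1002', recordDept: 'cardiology', recordType: 'labs', reason: 'treatment', breakGlass: false },
  { ts: '2026-02-09T11:05:00Z', userId: 'dr.rao', userDept: 'cardiology', patientId: 'P-3007', recordDept: 'psychiatry', recordType: 'chart', reason: 'treatment', breakGlass: false },
  { ts: '2026-02-09T23:48:00Z', userId: 'dr.iyer', userDept: 'emergency', patientId: 'P-3007', recordDept: 'psychiatry', recordType: 'chart', reason: 'ER: unresponsive patient, history needed', breakGlass: true },
  { ts: '2026-02-10T02:30:00Z', userId: 'dr.rao', userDept: 'cardiology', patientId: 'P-1001', recordDept: 'cardiology', recordType: 'chart', reason: 'treatment', breakGlass: false },
  ...Array.from({ length: 12 }, (_, i) => ({
    ts: `2026-02-10T10:${String(i).padStart(2, '0')}:00Z`, userId: 'nurse.s', userDept: 'cardiology',
    patientId: `P-5${100 + i}`, recordDept: 'cardiology', recordType: 'chart', reason: 'rounds', breakGlass: false,
  })),
];

// Sliding window per user over distinct patient IDs; fires once per user when the count
// first exceeds the threshold (the "unusual number of records in a short period").
function detectBulkAccess(logs, { maxPatients = 10, windowMinutes = 30 } = {}) {
  const byUser = new Map();
  for (const e of logs) {
    if (!byUser.has(e.userId)) byUser.set(e.userId, []);
    byUser.get(e.userId).push(e);
  }
  const alerts = [];
  for (const [userId, entries] of byUser) {
    entries.sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
    const inWindow = new Map();          // patientId -> entries currently inside the window
    let lo = 0;
    for (let hi = 0; hi < entries.length; hi++) {
      const pid = entries[hi].patientId;
      inWindow.set(pid, (inWindow.get(pid) || 0) + 1);
      while (Date.parse(entries[hi].ts) - Date.parse(entries[lo].ts) > windowMinutes * 60 * 1000) {
        const old = entries[lo].patientId;
        if (inWindow.get(old) === 1) inWindow.delete(old); else inWindow.set(old, inWindow.get(old) - 1);
        lo++;
      }
      if (inWindow.size > maxPatients) {
        alerts.push({ type: ALERT.BULK, userId, detail: `${inWindow.size} distinct patients within ${windowMinutes} min ending ${entries[hi].ts}` });
        break;
      }
    }
  }
  return alerts;
}

// Hours are UTC here for determinism; convert to the facility's local zone in production.
function detectAfterHours(logs, { openHour = 7, closeHour = 20 } = {}) {
  return logs
    .filter(e => { const h = new Date(e.ts).getUTCHours(); return h < openHour || h >= closeHour; })
    .map(e => ({ type: ALERT.AFTER_HOURS, userId: e.userId, detail: `${e.recordType} of ${e.patientId} at ${e.ts}` }));
}

// Break-the-glass entries are always listed for review; other out-of-department opens are flagged.
function detectCrossDepartment(logs) {
  const alerts = [];
  for (const e of logs) {
    if (e.breakGlass) alerts.push({ type: ALERT.BREAK_GLASS, userId: e.userId, detail: `${e.patientId}: "${e.reason}"` });
    else if (e.userDept !== e.recordDept) alerts.push({ type: ALERT.CROSS_DEPT, userId: e.userId, detail: `${e.userDept} user opened ${e.recordDept} ${e.recordType} of ${e.patientId} at ${e.ts}` });
  }
  return alerts;
}

function reviewAccessLogs(logs, options = {}) {
  return [...detectBulkAccess(logs, options.bulk), ...detectAfterHours(logs, options.hours), ...detectCrossDepartment(logs)];
}

function countByType(alerts) {
  const counts = {};
  for (const a of alerts) counts[a.type] = (counts[a.type] || 0) + 1;
  return counts;
}
```

Run against a week's export from /app/admin/audit-logs the output is a short review list rather than thousands of rows; the thresholds are the knobs to tune per department, since an emergency physician opening many charts at night is routine while the same pattern from a front-desk account is not.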

Info

Session timeout applies to the web application only. API sessions use token-based authentication with configurable expiry.
