Overview
Security is critical for protecting sensitive customer, patient, and operational data in BScheduler. This guide covers security configuration, best practices, and policies to keep your BScheduler instance secure.
Before You Begin
Required Permission: Administrator
Security Responsibilities:
- Administrators are responsible for system security
- All users share responsibility for protecting credentials
- Regular security reviews are essential
- Compliance requirements vary by industry (HIPAA for healthcare, etc.)
Access Security Settings
- Log in to BScheduler as an Administrator
- Navigate to Administration in the main menu
- Click User Settings
- Select Security
Password Policies
Setting Password Requirements
Recommended Password Requirements:
- ✅ Minimum length: 12 characters or more
- ✅ Complexity: Require uppercase, lowercase, numbers, and special characters
- ✅ Expiration: 90-day password rotation
- ✅ History: Prevent reuse of last 5 passwords
- ✅ Lockout: Lock account after 5 failed login attempts
Password Best Practices for Users
For Strong Passwords:
- Use at least 12 characters
- Combine uppercase and lowercase letters
- Include numbers and special characters
- Avoid dictionary words
- Don't use personal information (birthdays, names)
- Don't reuse passwords from other systems
Examples of Strong Passwords:
- ✅ Tr!ck$2024Jul!
- ✅ B$ched#M@y15
- ✅ W3lc0m#2024!
Examples of Weak Passwords:
- ❌ password123
- ❌ company2024
- ❌ abc12345
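The recommended length, complexity and history rules above can be expressed as a check, shown here as an added example that is not BScheduler's own code. The function names, the PBKDF2 parameters and the way password history is stored (a list of salt and digest pairs) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12      # page: minimum length of 12 characters
HISTORY_DEPTH = 5    # page: prevent reuse of the last 5 passwords

def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 (assumed storage scheme)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def policy_violations(password, history=()):
    """List every rule the candidate breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    # History is kept as salted hashes, oldest first; only the last 5 count.
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reused")
            break
    return problems

if __name__ == "__main__":
    # The sample passwords below are the ones listed on this page.
    for candidate in ["Tr!ck$2024Jul!", "password123", "abc12345"]:
        print(candidate, policy_violations(candidate) or "accepted")
```

Because history entries are stored as salted hashes, the reuse check re-hashes the candidate with each stored salt instead of comparing plaintext.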
Two-Factor Authentication (2FA)
What is Two-Factor Authentication?
2FA adds an extra layer of security by requiring:
- Something you know (password)
- Something you have (phone, authentication app)
Even if a password is compromised, attackers can't access the account without the second factor.
Enabling Two-Factor Authentication
When available in your BScheduler instance:
- Navigate to Administration > User Settings > Security
- Enable 2FA requirement for:
- All users (recommended)
- Administrator users only (minimum recommendation)
- Specific roles
User Enrollment:
- Users enroll during first login after 2FA is enabled
- Enrollment uses an authentication app (Google Authenticator, Microsoft Authenticator, etc.)
- Backup codes provided for recovery
2FA Best Practices
For Organizations:
- ✅ Require 2FA for all Administrator accounts
- ✅ Strongly recommend 2FA for all users
- ✅ Provide clear enrollment instructions
- ✅ Maintain backup access method for locked-out users
For Users:
- ✅ Use authentication app (not SMS if possible)
- ✅ Save backup codes in secure location
- ✅ Don't share authentication device
- ✅ Update authentication app if changing phones
Account Lockout Policies
Configuring Account Lockout
Purpose: Prevents brute force password attacks
Recommended Settings:
- Failed Login Attempts: 5 attempts
- Lockout Duration: 30 minutes
- Reset Method: Administrator unlock or time-based auto-unlock
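How the recommended lockout settings behave over a sequence of login attempts, as an added example that is not BScheduler's implementation. The `AccountState` structure and function names are hypothetical, and clearing the failure counter on a successful login is an assumption the page does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 5                    # page: 5 attempts
LOCKOUT_DURATION = timedelta(minutes=30)   # page: 30 minutes

@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

def record_login(state, password_ok, now):
    """Apply one login attempt and return 'ok', 'denied' or 'locked'."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"            # even a correct password is refused
        state.locked_until = None      # time-based auto-unlock
        state.failed_attempts = 0
    if password_ok:
        state.failed_attempts = 0      # assumption: success clears the counter
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        state.locked_until = now + LOCKOUT_DURATION
        return "locked"
    return "denied"

def admin_unlock(state):
    """Administrator unlock: clear the lock and the failure counter."""
    state.locked_until = None
    state.failed_attempts = 0

if __name__ == "__main__":
    start = datetime(2024, 7, 1, 9, 0)     # constructed timestamps
    account = AccountState()
    for i in range(5):
        print(record_login(account, False, start + timedelta(seconds=i)))
    print(record_login(account, True, start + timedelta(minutes=10)))  # locked
    print(record_login(account, True, start + timedelta(minutes=31)))  # ok
```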
Unlocking Locked Accounts
When a user is locked out:
- Navigate to Administration > User Settings > User Management
- Locate the locked user
- Open user profile
- Look for lockout indicator
- Click Unlock Account button
- User can attempt login again
Before unlocking:
- Verify user identity
- Confirm legitimate user (not attacker)
- Consider why lockout occurred
- Reset password if compromise suspected
Session Management
Session Timeout Settings
Purpose: Automatically logs out inactive users
Recommended Settings:
- Timeout Duration: 30-60 minutes of inactivity
- Warning: 5-minute warning before timeout
- Re-authentication Required: After timeout
User Account Security
Account Creation Security
Best Practices:
- Unique Usernames: Never share usernames between users
- Unique Emails: Each user has their own email address
- Strong Initial Passwords: Use strong temporary passwords
- Force Password Change: Require change on first login
- Email Verification: Verify user email addresses
Regular Account Reviews
Quarterly Review Checklist:
- Review the list of active users
- Deactivate accounts for users who left the organization
- Verify role assignments are still appropriate
- Check for unused accounts (no login in 90+ days)
- Review Administrator accounts (minimize number)
- Verify branch assignments are current
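Part of this checklist can be run against a user export, shown here as an added example that is not a BScheduler feature or tool. The CSV layout, column names and sample rows are constructed for illustration; the role names and thresholds are the ones used on this page.

```python
import csv
import io
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)   # page: no login in 90+ days
MAX_ADMINS = 3                     # page: limit Administrator to 2-3 people

# Constructed sample export; the column names are hypothetical.
SAMPLE_EXPORT = """username,role,active,last_login,employment_status
avega,Administrator,true,2024-06-20,employed
bcho,Administrator,true,2024-06-28,employed
dpatel,Administrator,true,2024-01-15,employed
eroy,Administrator,true,2024-06-30,employed
fkim,CSR,true,2024-06-25,left
gnunez,Field User,true,,employed
hsato,CSR,false,2023-11-02,left
"""

def review_accounts(export_text, today):
    """Return {finding: [usernames]} for the quarterly review checklist."""
    findings = {"departed_still_active": [], "unused_90_days": [], "excess_admins": []}
    admins = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["active"].strip().lower() != "true":
            continue                               # already deactivated
        user = row["username"]
        if row["employment_status"] == "left":
            findings["departed_still_active"].append(user)
        last = row["last_login"].strip()
        # An empty last_login means the account has never been used.
        if not last or today - date.fromisoformat(last) >= STALE_AFTER:
            findings["unused_90_days"].append(user)
        if row["role"] == "Administrator":
            admins.append(user)
    if len(admins) > MAX_ADMINS:
        findings["excess_admins"] = admins         # list all for manual review
    return findings

if __name__ == "__main__":
    for finding, users in review_accounts(SAMPLE_EXPORT, date(2024, 7, 1)).items():
        print(finding, users)
```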
Deactivating vs. Deleting Users
When an employee leaves:
Recommended: Deactivate
- ✅ Preserves historical data
- ✅ Maintains audit trail
- ✅ Can be reactivated if needed
- ✅ Shows who created/modified appointments
Not Recommended: Delete
- ❌ Loses historical data
- ❌ Breaks audit trail
- ❌ Cannot be recovered
- ❌ May cause data integrity issues
To Deactivate:
- Open user profile
- Go to User Information tab
- Uncheck "Active" checkbox
- Save
Role-Based Access Control (RBAC)
Principle of Least Privilege
Grant users the minimum permissions needed for their job.
Implementation:
- Identify job function
- Determine the minimum necessary permissions
- Assign appropriate role
- Grant additional permissions only when justified
- Review permissions regularly
Example:
- Front desk receptionist → CSR role (not Administrator)
- Technician → Field User role (not CSR)
- IT staff → Administrator (limit to 2-3 people)
Limiting Administrator Access
Administrators have full system access - limit this role to:
- IT/System administrators
- Operations managers with a genuine need
- 2-3 people maximum
If someone needs specific admin functions:
- Create a custom role with only the needed permissions
- Don't grant full Administrator access
Data Access Security
Branch-Based Access Control
Limit data visibility using branch assignment:
- Assign users only to branches they support
- Review multi-branch assignments regularly
- Remove branch access when no longer needed
Customer/Patient Data Protection
Best Practices:
- Access Logging: Enable audit logs (if available)
- Export Controls: Limit who can export data
- Training: Train staff on data privacy
- Compliance: Follow industry regulations (HIPAA, etc.)
Need Help?
If you have security questions or need to report a security concern:
Email: support@bluetread.com