Tags: security, web-applications, mobile-application, hipaa

Is it mandatory to force HIPAA rules to user?


I'm writing healthcare software for web and mobile clients. Recently, I came across another new HIPAA rule about Access Control: app session timeout.

My question is: is it possible to give an application setting option from which the user can enable or disable the security level, instead of forcing it on them?

Any suggestions?


Solution

  • Yes, you must implement the feature to log out automatically in the case of inactivity.

    You can also ask the user to take some action and warn them before you invalidate the session. For example, if you set a timeout of 10 minutes, then after 9.5 minutes of inactivity you can warn the user: "Your session will expire in 30 {you can also put a countdown here} seconds; click Cancel to continue or OK to log out."
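The inactivity timeout with a warning phase described in the answer, as an added example that is not part of the original post or of any particular project. It is a small client-side state machine for a web or mobile (JavaScript) client: activity resets the idle clock, a warning fires 30 seconds before the 10-minute timeout, further activity during the warning acts as "Cancel", and reaching the timeout fires the logout callback, which is where the app should call its server-side session invalidation endpoint. The class name `IdleSessionGuard`, the method names, the callback parameters and the `now` clock injection are all assumptions made for this example; the 10-minute / 30-second values are the ones the answer uses, not values prescribed by any regulation text on this page.

```javascript
// Added example (not from the original answer or any project): an inactivity
// timeout with a warning phase for a healthcare web/mobile client.
// Names (IdleSessionGuard, recordActivity, tick, secondsRemaining) and the
// injectable clock are assumptions chosen for this example.

class IdleSessionGuard {
  constructor({ timeoutMs, warningMs, onWarn, onLogout, now = () => Date.now() }) {
    if (warningMs >= timeoutMs) throw new Error("warning window must be shorter than the timeout");
    this.timeoutMs = timeoutMs;   // total allowed inactivity, e.g. 10 minutes
    this.warningMs = warningMs;   // how long before timeout the warning shows, e.g. 30 s
    this.onWarn = onWarn;         // called once with the remaining milliseconds
    this.onLogout = onLogout;     // called once; invalidate the server session here
    this.now = now;               // injectable clock so the logic is testable offline
    this.state = "active";        // "active" | "warning" | "loggedOut"
    this.lastActivity = now();
  }

  // Wire this to user input events (keydown, pointerdown, touchstart) and to
  // successful API calls. Activity during the warning phase is the "Cancel" path.
  recordActivity() {
    if (this.state === "loggedOut") return;   // a dead session cannot be revived locally
    this.lastActivity = this.now();
    this.state = "active";
  }

  // Call on a timer (e.g. every second) and on visibilitychange, so a device
  // waking from sleep is evaluated against wall-clock time, not missed ticks.
  tick() {
    if (this.state === "loggedOut") return this.state;
    const idle = this.now() - this.lastActivity;
    if (idle >= this.timeoutMs) {
      this.state = "loggedOut";
      this.onLogout();
    } else if (idle >= this.timeoutMs - this.warningMs && this.state === "active") {
      this.state = "warning";
      this.onWarn(this.timeoutMs - idle);
    }
    return this.state;
  }

  // Whole seconds left before logout, for the countdown in the warning dialog.
  secondsRemaining() {
    if (this.state === "loggedOut") return 0;
    const left = this.timeoutMs - (this.now() - this.lastActivity);
    return Math.max(0, Math.ceil(left / 1000));
  }
}

// Browser wiring; skipped when run outside a browser (e.g. under Node for tests).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const guard = new IdleSessionGuard({
    timeoutMs: 10 * 60 * 1000,
    warningMs: 30 * 1000,
    onWarn: () => { /* show the "session will expire" dialog with guard.secondsRemaining() */ },
    onLogout: () => { /* POST to the app's logout endpoint, clear local state, go to login */ },
  });
  for (const evt of ["keydown", "pointerdown", "touchstart"]) {
    document.addEventListener(evt, () => guard.recordActivity(), { passive: true });
  }
  document.addEventListener("visibilitychange", () => guard.tick());
  setInterval(() => guard.tick(), 1000);
}
```

Two design points worth keeping: the timeout is fixed configuration, not a user preference, so there is no UI path that disables it; and `onLogout` is where the server-side session must be revoked, because clearing the client UI alone leaves a still-valid session token on the server.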