Time-out settings (sometimes written as "timeout settings") have an important security role in clinical informatics applications: they minimize the potential for unauthorized access to clinical information.
According to the Oxford University Press Dictionary of Computing (1), a time-out is "a condition that occurs when a process which is waiting for either an external event or the expiry of a preset time interval reaches the end of the time interval before the external event is detected."
In clinical software applications, the application closes after a designated time-out period. To resume use, the user must log back in to the application.
Choosing a time-out setting
In clinical informatics applications, the determination of an appropriate time-out interval can be difficult. If a time-out setting is too long, security can be compromised. If a time-out setting is too short, users can become frustrated by the need to repeatedly log in after relatively brief periods without computer activity.
The frequent interruptions that characterize clinical workflow can lead to an excessive number of time-outs when the user is at the computer but attending to another task. However, such interruptions can also lead logged-in users to physically leave the computer terminal, potentially compromising data integrity and security.
Specific time-out durations
In clinical settings, time-out settings typically range from 5 to 15 minutes. Settings in which clinical information may be perceived as more sensitive (e.g., mental health, infectious diseases) may use even shorter time-out periods of several minutes (2). Shorter time-outs may also be needed when mobile devices are used in unsecured areas (3), for example, rolling laptop or tablet computers that may be left unattended in hospital hallways or examination rooms. On the other hand, computer systems located in more secure areas (e.g., intensive care units) may use longer time-out settings (4).
Different system features can have distinct time-out durations. For example, Cimino and colleagues (5) describe a system in which a session can be terminated by a “long time-out” after an hour of inactivity whereas password re-entry is needed after a “short time-out” period with 5 minutes of inactivity.
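The two-tier scheme described above can be modelled as a small state machine. This is an added example, not code from the cited system; the names `State` and `Session` are hypothetical, and the caller is assumed to supply the current time in seconds.

```python
from dataclasses import dataclass
from enum import Enum

SHORT_TIMEOUT_S = 5 * 60   # "short time-out": password re-entry after 5 min idle
LONG_TIMEOUT_S = 60 * 60   # "long time-out": session terminated after 1 h idle

class State(Enum):          # hypothetical names, chosen for this example
    ACTIVE = "active"
    LOCKED = "locked"              # password re-entry required
    TERMINATED = "terminated"      # full log-in required

@dataclass
class Session:
    last_activity: float           # seconds; the caller supplies the clock
    state: State = State.ACTIVE

    def _expire(self, now: float) -> None:
        """Apply whichever time-out the idle period has reached."""
        if self.state is State.TERMINATED:
            return
        idle = now - self.last_activity
        if idle >= LONG_TIMEOUT_S:
            self.state = State.TERMINATED
        elif idle >= SHORT_TIMEOUT_S:
            self.state = State.LOCKED

    def request(self, now: float) -> bool:
        """Return True if a user action at `now` is allowed."""
        self._expire(now)
        if self.state is not State.ACTIVE:
            # A refused request must not reset the idle clock, or the long
            # time-out would never be reached on a locked session.
            return False
        self.last_activity = now
        return True

    def reenter_password(self, now: float, password_ok: bool) -> bool:
        """Unlock after a short time-out; never revives a terminated session."""
        self._expire(now)
        if self.state is State.LOCKED and password_ok:
            self.state = State.ACTIVE
            self.last_activity = now
            return True
        return False
```

Because the idle period is always measured from the last permitted action, a session that is locked and then left alone still reaches the long time-out and requires a full log-in.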
Examples of actual use
At Cedars-Sinai, the routine time-out for data viewing is 5 minutes, but that is dynamically extended to longer periods (10-15 minutes or longer) depending on the type of entries or editing required for specific screens.
However, regardless of the application time-out, they wanted to be able to cover screens more quickly. The clinical workstation group developed a neat trick to do this for both privacy purposes and delivery of timely information to clinicians. They took advantage of a feature in Windows XP that allows images to be dropped into a folder and then automatically used as a succession of screen savers, like a PowerPoint show. New screensaver images are pushed out remotely as needed. The Windows screen time-out is set to 2 minutes (although time-outs as short as 1 minute are possible). The designated screens fade in and out with keyboard and mouse inactivity. These screens are used to deliver highly effective safety messages including reminders about hand washing and illegal abbreviations, which helped to earn a perfect safety score on the last JCAHO survey. The screensaver images have also been used to announce new system features or important policies and procedures. In fact, these screensavers became so popular as billboards that a governance and approval process needed to be developed for them. Like any other screensaver, they disappear instantly with a key or mouse tap, so they are not obtrusive. Now our workstations work for us even when they are idle.
1. A Dictionary of Computing. Oxford University Press, 2004. Oxford Reference Online. Oxford University Press. Accessed 9 April 2006.
2. Privacy Risk Assessment Team: Final Report. Synapse Mental Health Information System. Accessed 27 May 2006.
3. Time for a PC Lockdown. ComputerWeekly.com 15 November 2005. Accessed 27 May 2006.
4. Hripcsak G, Cimino JJ, Sengupta S. WebCIS: large scale deployment of a Web-based clinical information system. Proc AMIA Symp 1999: 804-8. Accessed 27 May 2006.
5. Cimino JJ, Sengupta S, Clayton PD, Patel VL, Kushniruk A, Huang X. Architecture for a Web-based clinical information system that keeps the design open and the access closed. Proc AMIA Symp 1998: 121-5. Accessed 27 May 2006.