June round-up

Sign-in overlay
Make the most of CareHQ's security controls with the option to customise security settings for your account.

June saw the release of smart message templates for CareHQ, additional flexibility around security settings for accounts, and the publication of our annual pen test, as well as a number of other improvements and fixes.

Web application security assessment for CareHQ

Each year we commission a web application security assessment (commonly known as a pen test) of CareHQ from an independent CREST certified security specialist. The latest assessment is available in full to clients on request.

In summary this year's assessment concluded that:

  • Zero issues were identified due to the good practice that was implemented throughout the entire platform.
  • The CareHQ development team have spent significant effort in securing the web platform, which was evidenced by the amount of good practice witnessed throughout the testing.
  • Currently, it is improbable that the underlying server or application users will be compromised in any way.

Security is a priority for CareHQ and we continue to review and take measures to improve and address risks.

Additional security control options

We've now introduced additional settings to allow security controls to be configured to meet the needs of individual clients. The following security controls are now configurable per account:

  • Session lifespans - the length of time a signed-in user can remain inactive before their CareHQ session expires.
  • 2-FA/M-FA required - 2-factor or multi-factor authentication, where a user must use a second device such as a mobile phone and authenticator app to sign in, can now be required for all users. Previously 2-FA/M-FA was available but always optional for users.
  • Disable persistent sessions - some applications, including CareHQ, allow users to select a Remember me option when signing in. Selecting this option allows the user to remain signed in after the browser is closed. When the user next opens the browser (assuming it's within the session lifespan) they will remain signed in. It's now possible to disable this option.
  • IP address restrictions - this has always been an option but it's worth repeating that CareHQ can be locked down to a set of IP addresses.
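As an added illustration (not CareHQ's code; the class, field and function names are assumptions), the following models the four controls above as a per-account policy and evaluates a session against it, with the permissive defaults shown beside a hardened configuration:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical model of the per-account security controls listed above.
# Added example only; names and defaults are assumptions, not CareHQ's settings.
@dataclass
class AccountSecurityPolicy:
    session_lifespan_s: int = 8 * 3600          # max inactivity before expiry
    require_mfa: bool = False                   # 2-FA/M-FA mandatory for all users
    allow_persistent_sessions: bool = True      # "Remember me" permitted
    allowed_networks: list = field(default_factory=list)  # empty = no IP restriction

@dataclass
class Session:
    last_activity_s: int     # Unix time of the user's last request
    mfa_completed: bool
    persistent: bool         # user ticked "Remember me" at sign-in
    browser_restarted: bool  # cookie presented after the browser was closed and reopened

def evaluate_session(policy: AccountSecurityPolicy, session: Session, now_s: int, client_ip: str):
    """Return (valid, reason). The first failing control forces a fresh sign-in."""
    if policy.allowed_networks and not any(
        ip_address(client_ip) in ip_network(net) for net in policy.allowed_networks
    ):
        return False, "ip_not_allowed"
    if policy.require_mfa and not session.mfa_completed:
        return False, "mfa_required"
    if now_s - session.last_activity_s > policy.session_lifespan_s:
        return False, "session_expired"
    # A session only survives a browser restart if the user chose "Remember me"
    # AND the account still permits persistent sessions.
    if session.browser_restarted and not (session.persistent and policy.allow_persistent_sessions):
        return False, "persistent_session_not_allowed"
    return True, "ok"

# Permissive defaults beside a hardened configuration (constructed values).
DEFAULT_POLICY = AccountSecurityPolicy()
HARDENED_POLICY = AccountSecurityPolicy(
    session_lifespan_s=30 * 60,
    require_mfa=True,
    allow_persistent_sessions=False,
    allowed_networks=["203.0.113.0/24"],  # TEST-NET-3, a constructed example range
)

if __name__ == "__main__":
    s = Session(last_activity_s=1_000, mfa_completed=False, persistent=True, browser_restarted=True)
    print(evaluate_session(DEFAULT_POLICY, s, now_s=1_600, client_ip="198.51.100.7"))   # (True, 'ok')
    print(evaluate_session(HARDENED_POLICY, s, now_s=1_600, client_ip="198.51.100.7"))  # (False, 'ip_not_allowed')
```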

Other updates & fixes

  • CareHQ now supports smart message templates that allow you to send personalised emails and text messages to care seekers, clients and location contacts without typing a word.
  • An FNC application date can now be set for residents / service users which is used to generate an outstanding applications list within the FNC report.
  • Added additional filters for searching for care enquiries and service users including: service type, dementia, respite, funding type, sales channel, referrer type and referrer.
  • The acquisitions report has been updated so that figures within tables now link through to a list of the care enquiries related to the selected figure.
  • It is now possible to configure invoice runs to generate new invoices as draft by default. Up until now the invoice run would auto-approve invoices; this remains the default setting.
  • Added real-time event notifications to CareHQ. This is part of a large remit of work underway to provide real-time reporting for relevant dashboards such as the sales pipeline report. Real-time event notifications are now used to update the main navigation when key events occur such as a new message being received or a new action being assigned to you.
  • A new sign-in overlay has been added which appears if a user's session expires while the browser is open. This allows users to sign back in without leaving the current page or losing any data entered but not yet saved.
  • The ability to read Assessment data via the API has been released.
  • The care enquiry API endpoint now supports flagging a care enquiry as from an untrusted source. This is useful where enquiries are added via the API before being manually reviewed, which may allow invalid or spam enquiries to be added; a common example is importing care enquiries from your website into CareHQ. When an enquiry is flagged as from an untrusted source, CareHQ allows any user to close and delete it as an invalid care enquiry.
  • Issue resolved where respite and dementia values were not correctly set for care enquiries imported from the TrustedCare integration. All affected data has been corrected.
  • Fixed issue where the link against figures on the FNC report did not correctly link through to relevant results for regional and location user roles.
  • Fixed validation rule for the Day of the month field with billing contracts which allowed the day to be set as 0.
  • The room availability form now takes a service user's dementia information into account when setting the initial room type to search for.
  • Funding type can now be manually set if a billing contract is not present for a service user.