This is a security concern
please read about how this is handled in EMRs (google, read, etc) to get more context.
how can we make a consistent system for this across our EMR?
time to logout should be customizable.
there should be a (pop-up?) warning (you will be automatically logged out in X minutes if you do no action)
Start with the simplest system possible. then improve / evolve