Folks,

 

It's more about the security of your systems and controlling who has access
with what. With LogMeIn you basically are giving up that control to an
unknown, untrusted 3rd party that you can't audit, and you don't have a BAA
(business associate agreement) or MOU (memorandum of understanding, which
only applies to Govt entities), which are violations of HIPAA.

 

The sections are the following. NOTE: I am not a lawyer, none of this
constitutes LEGAL ADVICE, and I can't be held responsible for your
following any of this advice and causing harm to your organization; you
should talk with your lawyers/management/C levels before doing any of
this. I am just interpreting the HIPAA regulations as per what they
state in the final rule.

 

Transmission Security: Section 164.312(e)(1) (encrypted communications
or viewing of EPHI on various systems accessed by LogMeIn)

Person or Entity Authentication: Section 164.312(d)(8) (failure to
accurately authenticate who is accessing your EPHI; you don't control the
LogMeIn authentication mechanism, you can't audit it, and you can't tie
it back to a person or process that you can verifiably claim did or
didn't access the EPHI in question)

 

Integrity: Section 164.312(c)(1): If you can't audit who has access to
your data, then you don't know if it's been manipulated or changed from
its current state and if it's valid or not anymore, thus violating the
integrity of the data.

 

Audit Controls: Section 164.312(b): Again, you can't audit who did and
didn't log in via LogMeIn, or tie that back to a person or entity that
will stand up in a court of law if you take it that far (forensically
sound logs of the information access and manipulation, etc.)

 

Access Controls: Section 164.312(a)(1): Again, you are allowing a 3rd
party without a BAA or MOU access to your systems via an untrusted
mechanism that you can't secure or control, access into your information
systems? I think we all see the glaring problem in this regard; you are
opening yourself up to all kinds of bad things.

 

Security Management Process: Section 164.308(a)(1): You probably haven't
completed a Risk Assessment for this new technology that would have
easily outlined the inherent harm that LogMeIn and similar Remote
Access Solutions can cause to the Confidentiality, Integrity and
Availability of your systems and data.

 

Security Incident Procedures: Section 164.308(a)(6): Think about your
incident response plan if, or probably when, one or more of your systems
become hacked by a malicious 3rd party that has found a flaw or bug in
the LogMeIn process and starts accessing or stealing your data, corrupting
your systems, rootkits, malware, Trojans, backdoors, etc.,
information blackmail, or general denial of service from within your
network. What are you going to do then? You let it in the door, you
agreed to have your systems accessed via an insecure mechanism, and I don't
think you are going to win many court battles trying to argue that you
did due diligence or due care in those regards. So you might as
well write that big fat check and notify the people that their PHI is
history and in some hacker's hands floating around in 3rd world countries
or other nefarious places of the earth, and that their lives are going
to be affected adversely and probably their identity is going to be
stolen, or an attempt made to steal it, via information leaks and lack of
judgement.

 

If that doesn't open some C levels' eyes and have the lawyers
stirring, and management putting the kibosh on LogMeIn and similar
remote access solutions, then I'm not quite sure what will.

 

PS: If you want the breakdown of the sections of HIPAA, I have an Excel
spreadsheet that covers each section and the types of questions you all
need to be asking yourselves when you deal with these types of issues.

 

Edward E. Ziots

Network Engineer

Lifespan Organization

Email: ezi...@lifespan.org

Phone: 401-639-3505

MCSE, MCP+I, ME, CCA, Security +, Network +

________________________________

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Tuesday, December 30, 2008 9:15 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

 

Lots of reasons.  Security & compliance (HIPAA) come to mind.

With a VPN, you know (and have control) who is on the network.

 

 

________________________________

From: David Lum [mailto:david....@nwea.org] 
Sent: Tuesday, December 30, 2008 9:02 AM
To: NT System Admin Issues
Subject: LogMeIn

I work for a company with ~300 employees, is there a reason to
discourage a few of our employees from installing LogMeIn Free on their
systems so they can remote control their work machine and bypass the
need to use a VPN license?

 

I've used LogMeIn Free for years to connect to all my own business
clients, but it's one thing to use it myself and for small businesses,
another to recommend its use to a larger company with resources for
VPN, etc.

 

My kneejerk reaction is "no", but damned if I can come up with a viable
excuse for that opinion.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764