Remote Access & HIPPA
-
@mmicha said in Remote Access & HIPPA:
@black3dynamite said in Remote Access & HIPPA:
Don't know much about HIPAA, but I would definitely enable Two Factor Authentication (2FA) if you end up using MeshCentral and adjust the password requirements.
I've already enabled that. I'm more concerned with using it in a medical environment. I was hoping to use one tool across all the organizations and because this one has medical records it throws a wrench into the mix.
While I understand the desire to have a single console that allows you to control everything... I wonder if in today's world it wouldn't be prudent to keep a control system like this limited to some number of workstations or clients to keep your entire client client from getting trashed in the case of a breach.
Now I'm sure someone will tell me why this is a bad idea.
-
@mmicha said in Remote Access & HIPPA:
@black3dynamite said in Remote Access & HIPPA:
Don't know much about HIPAA, but I would definitely enable Two Factor Authentication (2FA) if you end up using MeshCentral and adjust the password requirements.
I've already enabled that. I'm more concerned with using it in a medical environment. I was hoping to use one tool across all the organizations and because this one has medical records it throws a wrench into the mix.
Question: What does that have to do with anything?
Answer: Nothing. Why don't you step back and try to think about what you are trying to do here.
You are trying to have remote connectivity to a system. Beyond ensuring that you cannot randomly see potential PHI, there is no requirement for anything here.
So when you set up your tool, you disable connections without consent, so that the responsibility of ensuring there is no PHI visible is on the user prior to clicking to allow the connection. Additionally, if the tool provides a screen prior to connection, as ConnectWise does, you disable the feature. Done.
You are over complicating things.
-
@Dashrender said in Remote Access & HIPPA:
While I understand the desire to have a single console that allows you to control everything... I wonder if in today's world it wouldn't be prudent to keep a control system like this limited to some number of workstations or clients to keep your entire client client from getting trashed in the case of a breach.
What is the point of multiple systems? What are you thinking you are going to gain? Instead you are growing the attack vector. Instead of a single system to patch you have multiple.
-
@mmicha said in Remote Access & HIPPA:
I manage a few different locations for my organization. I was looking to set up (Mesh Central) or purchase a service like Splashtop to access systems remotely more easily.
However, one location I support deals with medical records for children and so I am thinking I need something HIPAA compliant. I don't know a lot about that, but from what I read as long as the connection is encrypted you are compliant.
Does anyone else use Mesh Central in a setting like this? It is certainly a lot cheaper to host a $5 server and run it vs the expense of a tool like Splashtop.
Thanks!
https is encryption. Just disable port 80 access or use a standard redirect from 80 to 443. Use certbot to provide your security keys, and call it done.
-
HIPAA doesn't require encryption.
However, if your chosen encryption method meets the FIPS 140-2 standards, HIPAA will provide a safe harbor for you in the event of a data breach.
The problem is that FIPS 140-2 compliance is time consuming and not cost effective for most remote access developers/providers.
-
@JasGot said in Remote Access & HIPPA:
HIPAA doesn't require encryption.
However, if your chosen encryption method meets the FIPS 140-2 standards, HIPAA will provide a safe harbor for you in the event of a data breach.
The problem is that FIPS 140-2 compliance is time consuming and not cost effective for most remote access developers/providers.
It's very important to note that FIPS 140-2 compliant is not the same as FIPS 140-2 certified. In order to be certified, it must go through a painful ATO process which can take over a year.
With all that being said, HIPAA is extremely lenient, too lenient. Basically as long as you are using some sort of common sense, you'll meet HIPAA
-
@IRJ said in Remote Access & HIPPA:
With all that being said, HIPAA is extremely lenient, too lenient. Basically as long as you are using some sort of common sense, you'll meet HIPAA
And there is a really good chance that if you don't use common sense, you'll still meet HIPAA
-
@scottalanmiller said in Remote Access & HIPPA:
@IRJ said in Remote Access & HIPPA:
With all that being said, HIPAA is extremely lenient, too lenient. Basically as long as you are using some sort of common sense, you'll meet HIPAA
And there is a really good chance that if you don't use common sense, you'll still meet HIPAA
Like using faxes...
-
@Dashrender said in Remote Access & HIPPA:
@scottalanmiller said in Remote Access & HIPPA:
@IRJ said in Remote Access & HIPPA:
With all that being said, HIPAA is extremely lenient, too lenient. Basically as long as you are using some sort of common sense, you'll meet HIPAA
And there is a really good chance that if you don't use common sense, you'll still meet HIPAA
Like using faxes...
Now that said - Medicaid/Medicare programs are currently tied to Merit-based Incentive Payment System (MIPS)/meaningful use incentive programs.
In the beginning, these programs paid providers directly for "going above and beyond" with features that were claimed to improve patient care. This was meant to entice providers to adopt EHRs and other programs, policies, and reporting that would otherwise likely never be implemented. Of course, they started out as totally voluntary with a reward, but at the same time providers were told there would come a time when they would become required, and if not fulfilled, the providers billing to Medicaid/Medicare would be penalized.
Well that penalty time is either here or nearly here. All that was to help you understand that the new Merit-based Incentive Payment System (MIPS)/meaningful use programs now have a measure on what percent of doctor-to-doctor communication is going through Direct Messaging vs faxing. If the faxing is too high, the providers will be penalized... so they are finally working to move past faxes.
Sadly, the system is still too broken - as Direct Messaging is not meant for anything more than Provider-to-Provider communication. This leaves out many non-Providers who still need this information, like the patient, lawyers, insurance companies, etc. Now insurance companies already get the information via a different secure method, but patients and lawyers don't... and if you send to them, they count against you in the faxing scheme.
-
@IRJ said in Remote Access & HIPPA:
It's very important to note that FIPS 140-2 compliant is not the same as FIPS 140-2 certified
Yes! And thank you for spotting that. It's the Certification that is a total PITA.
-
@Dashrender said in Remote Access & HIPPA:
@Dashrender said in Remote Access & HIPPA:
@scottalanmiller said in Remote Access & HIPPA:
@IRJ said in Remote Access & HIPPA:
With all that being said, HIPAA is extremely lenient, too lenient. Basically as long as you are using some sort of common sense, you'll meet HIPAA
And there is a really good chance that if you don't use common sense, you'll still meet HIPAA
Like using faxes...
Now that said - Medicaid/Medicare programs are currently tied to Merit-based Incentive Payment System (MIPS)/meaningful use incentive programs.
In the beginning, these programs paid providers directly for "going above and beyond" with features that were claimed to improve patient care. This was meant to entice providers to adopt EHRs and other programs, policies, and reporting that would otherwise likely never be implemented. Of course, they started out as totally voluntary with a reward, but at the same time providers were told there would come a time when they would become required, and if not fulfilled, the providers billing to Medicaid/Medicare would be penalized.
Well that penalty time is either here or nearly here. All that was to help you understand that the new Merit-based Incentive Payment System (MIPS)/meaningful use programs now have a measure on what percent of doctor-to-doctor communication is going through Direct Messaging vs faxing. If the faxing is too high, the providers will be penalized... so they are finally working to move past faxes.
Sadly, the system is still too broken - as Direct Messaging is not meant for anything more than Provider-to-Provider communication. This leaves out many non-Providers who still need this information, like the patient, lawyers, insurance companies, etc. Now insurance companies already get the information via a different secure method, but patients and lawyers don't... and if you send to them, they count against you in the faxing scheme.
Ohio Medicare and Medicaid providers still have to use an Internet Explorer plugin to access the state system. It's nothing but scary to anyone that knows anything about security.
-
@travisdh1 said in Remote Access & HIPPA:
@Dashrender said in Remote Access & HIPPA:
@Dashrender said in Remote Access & HIPPA:
@scottalanmiller said in Remote Access & HIPPA:
@IRJ said in Remote Access & HIPPA:
With all that being said, HIPAA is extremely lenient, too lenient. Basically as long as you are using some sort of common sense, you'll meet HIPAA
And there is a really good chance that if you don't use common sense, you'll still meet HIPAA
Like using faxes...
Now that said - Medicaid/Medicare programs are currently tied to Merit-based Incentive Payment System (MIPS)/meaningful use incentive programs.
In the beginning, these programs paid providers directly for "going above and beyond" with features that were claimed to improve patient care. This was meant to entice providers to adopt EHRs and other programs, policies, and reporting that would otherwise likely never be implemented. Of course, they started out as totally voluntary with a reward, but at the same time providers were told there would come a time when they would become required, and if not fulfilled, the providers billing to Medicaid/Medicare would be penalized.
Well that penalty time is either here or nearly here. All that was to help you understand that the new Merit-based Incentive Payment System (MIPS)/meaningful use programs now have a measure on what percent of doctor-to-doctor communication is going through Direct Messaging vs faxing. If the faxing is too high, the providers will be penalized... so they are finally working to move past faxes.
Sadly, the system is still too broken - as Direct Messaging is not meant for anything more than Provider-to-Provider communication. This leaves out many non-Providers who still need this information, like the patient, lawyers, insurance companies, etc. Now insurance companies already get the information via a different secure method, but patients and lawyers don't... and if you send to them, they count against you in the faxing scheme.
Ohio Medicare and Medicaid providers still have to use an Internet Explorer plugin to access the state system. It's nothing but scary to anyone that knows anything about security.
oh yeah, don't get me started.... the gov't passes laws, but doesn't have to follow them.
-
@Dashrender said in Remote Access & HIPPA:
oh yeah, don't get me started.... the gov't passes laws, but doesn't have to follow them.
Well they pass laws saying that the law doesn't apply to them.
Actually the law seems pretty clear... you can't use their system.
-
I would be more worried about a vulnerability in the JavaScript framework supporting MeshCentral, so I would NOT put the MeshCentral server on the internet directly, but inside VPNs. Each of the sites on one VPN and the HIPAA site on another standalone VPN. MeshCentral inside both VPNs.
I would second what @JaredBusch said about the HIPAA site and automatic control of the desktop. I would hope if you need control after hours, you could simply reboot the machine and then no consent is necessary.
Lastly, there is a spot in the MeshCentral configuration file and a CLI option that logs anyone in without authentication - "User". It was meant for testing; enable "User" and all authentication is bypassed and logons occur automatically. One just might think KeePass autologon was working really fast. So delete the User option from /opt/meshcentral/meshcentral-data/config.json and never pass it on the CLI. Ditto for the "nousers" option.
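An added audit helper, not code from the thread or from MeshCentral itself: it loads a constructed config.json and a constructed command line and reports any of the authentication-bypass options the post above names. The exact key spellings MeshCentral accepts and the case-insensitive matching are assumptions.

```python
import json
import shlex
from typing import Iterator

# Option names that bypass authentication when present ("User" / "nousers"
# as described in the post). Spelling assumed; matched case-insensitively.
BYPASS_KEYS = {"user", "nousers"}

# Constructed sample config.json for demonstration, not a real deployment.
SAMPLE_CONFIG = """{
  "settings": {
    "Cert": "mesh.example.internal",
    "Port": 443,
    "RedirPort": 80,
    "User": "admin",
    "NoUsers": true
  },
  "domains": {
    "": { "title": "Example" }
  }
}"""


def find_bypass_keys(obj, path: str = "") -> Iterator[str]:
    """Recursively yield dotted paths of keys whose lowercase name is in BYPASS_KEYS."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in BYPASS_KEYS:
                yield here
            yield from find_bypass_keys(value, here)
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            yield from find_bypass_keys(item, f"{path}[{i}]")


def audit_config(text: str) -> list:
    """Return sorted paths of bypass options found in a config.json document."""
    return sorted(find_bypass_keys(json.loads(text)))


def audit_cmdline(cmdline: str) -> list:
    """Return the bypass flags (e.g. --user, --nousers) found on a command line."""
    flags = []
    for tok in shlex.split(cmdline):
        if tok.startswith("--") and tok[2:].split("=")[0].lower() in BYPASS_KEYS:
            flags.append(tok)
    return flags


if __name__ == "__main__":
    print("config.json:", audit_config(SAMPLE_CONFIG))
    print("cli:", audit_cmdline("node meshcentral --port 443 --user admin"))
```

Point `audit_config` at the real /opt/meshcentral/meshcentral-data/config.json and `audit_cmdline` at the running service's command line; an empty result from both is the state the post recommends.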
-
@rjt said in Remote Access & HIPPA:
I would be more worried about a vulnerability in the JavaScript framework supporting MeshCentral, so I would NOT put the MeshCentral server on the internet directly, but inside VPNs. Each of the sites on one VPN and the HIPAA site on another standalone VPN. MeshCentral inside both VPNs.
And limit it to MC traffic, not open traffic between sites.
-
@rjt said in Remote Access & HIPPA:
I would hope if you need control after hours, you could simply reboot the machine and then no consent is necessary.
If you have an admin account, you should be good without rebooting anyway.
-
@rjt said in Remote Access & HIPPA:
I would second what @JaredBusch said about the HIPAA site and automatic control of the desktop. I would hope if you need control after hours, you could simply reboot the machine and then no consent is necessary.
You either have consent on or off, you don't flip flop without having what seems like a clear workaround to what is supposed to be a security benefit.
-
@scottalanmiller said in Remote Access & HIPPA:
@rjt said in Remote Access & HIPPA:
I would be more worried about a vulnerability in the JavaScript framework supporting MeshCentral, so I would NOT put the MeshCentral server on the internet directly, but inside VPNs. Each of the sites on one VPN and the HIPAA site on another standalone VPN. MeshCentral inside both VPNs.
And limit it to MC traffic, not open traffic between sites.
Don't encourage stupid. What would be the point of this? What is the gain?
MeshCentral (MC) and ScreenConnect encrypt all communication between the agent on the client and the tech connection. This is done before/outside of web traffic SSL, always has been.
The web traffic to the MC server can or cannot be SSL; that is a separate piece.
-
@Dashrender said in Remote Access & HIPPA:
@rjt said in Remote Access & HIPPA:
I would second what @JaredBusch said about the HIPAA site and automatic control of the desktop. I would hope if you need control after hours, you could simply reboot the machine and then no consent is necessary.
You either have consent on or off, you don't flip flop without having what seems like a clear workaround to what is supposed to be a security benefit.
I have not, yet, looked back at the MC consent setup once it was implemented. Assuming it was done correctly, consent is permission based, so you could have an account that does not require consent. But you would need auditing on any use of the account.
-
@JaredBusch said in Remote Access & HIPPA:
@Dashrender said in Remote Access & HIPPA:
@rjt said in Remote Access & HIPPA:
I would second what @JaredBusch said about the HIPAA site and automatic control of the desktop. I would hope if you need control after hours, you could simply reboot the machine and then no consent is necessary.
You either have consent on or off, you don't flip flop without having what seems like a clear workaround to what is supposed to be a security benefit.
I have not, yet, looked back at the MC consent setup once it was implemented. Assuming it was done correctly, consent is permission based, so you could have an account that does not require consent. But you would need auditing on any use of the account.
I was pretty much assuming the use of two accounts - or (more crazily) log in with admin - change the permission, etc... but again, that would be crazy.
But the ability to do that more or less defeats the purpose... because you can choose to be a bad guy and just change that setting as you want and see what you want.... yeah logs are supposed to show what you're doing - but still.
But you have clients who have you in that spot, do you have a during hours and after hours account you use to support them?