Home Forums LogMeIn HIPAA compliance

I have been using a Cicso VPN for the past few years but am interested in speeding up my connection. I am usually suspicious of free services and was wondering how safe my data will be on LogMeIn. When I read their service agreement, it appears that they can mine some information. Any opinions?

Currently, there are no HIPAA compliant remote solutions, but this is not because they aren't very secure. It is because the audits change and setting up standards would be difficult. The 3rd party web solutions are very secure but generally less so than RDP and VPN. This is simply by virtue of the 3rd party in the middle. Also, LMI could never market a HIPAA compliant service without charging as, by definition, that would make the user a business. It is a licensing violation to use LMI free version for a business. If you are using RDP with 2008 and above, you can use the TS Gateway, now known as the RDS Gateway, which will give you the most speed and the most security. With the gateway you are using port 443.

The RDP encryption with or without a RDS gateway is the same. But the RDS Gateway does authorization before you access the server, uses a certificate so there can be no site spoofing, and uses 443 which is not really more secure than 3389, in itself, but hackers don't know what protocol to use, which they do with 3389.

This brings us to RDP with port forwarding directly to the router and client. Without using a RDS Gateway, you must open port 3389. Port 3389 is evil, and hackers will sit there all day trying to access your network via it. They know it is there, and they know it is open. If your check your security messages on the server you may see hundreds or thousands of hacker attempts, and the only thing between you and them is a username and password, meaning your password must be strong. Closing 3389 will possibly reveal a zero the next day. If you do need to use RDP in that fashion, then I would recommend changing the port number.

Both VPN's and RDP have good encryption. I have never heard of an IPSec VPN or RDP session being hacked, though it is likely possible. I read last year that of thousands of hacks last year not one was via a encrypted connection. A good VPN can be controlled by a pre-built secured client and a certificate, such that if you don't have the certificate, you cannot connect. In that sense they may offer a little more protection.

VPN's though have one major security flaw, a wide open tunnel allowing all traffic between an unmanaged client and the corporate network. Viruses can traverse, and data can be stolen.

VPN's are much slower if actually accessing data rather than using RDP.

VPN's add overhead so using RDP over a VPN does not perform quite as well as straight RDP.

Still RDP with TSGateway can come down to a guessing game of user name and password. This is why secure passwords and account lockout policies are so important.

This is cool:

If you want security, any accounting firm or one handling critical information will use a two factor authentication process. Secure ID is the best known, but they were hacked 2 years ago :-) I would recommend Scorpion Software's solution. They have a solution specific to SBS and is quite affordable http://www.scorpionsoft.com/docs/authanvil/rwwguard2011/ (link is for SBS 2011, though they have options for 2003 and 2008).

Another issue with LMI is it is far easier for a user to set it up making your network vulnerable if they have local admin rights. When you set up RDP one tends to go to each PC and decide who can access which computer. I have heard that more employees than you think use LMI to clock out on website clock out managers. You can check by looking at the login logs on LMI and compare it.

Forgot to talk about RWW or RWA. This is an extremely secure remote connection and probably just a bit more secure than RDP.

All in all, RDP is probably your best bet, more secure than VPN and much faster depending on what you are doing. As a caveat, this is just factual, and I am not trying to put down my friends who use LMI or GTMPC. It is a very good program, and I use it as well on home home computer. It can be a good backup plan as well. But, you have to decide between licensed and non-licensed.

One thing people should try is the paid version to see if they get better speed. I have heard of that also.

Thanks to Rob Will for some contribution to the above.

Thanks but I do not have Windows Server. It sounds like updating my VPN is the way to go. I appreciate your input.

hi Bert,
is logmein pro any better( $ 70 per yr for 1 computer)
thanks
Bala

Just spoke to LogMeIn and they offer Hamachi which would provide the VPN. They did not recommend the Pro product since I am just looking to log in to the programs on the server. It is only $29/yr and provides support.

Does anyone have experience with this service?
thanks
bala

@bala I doubt it would be worth it. But it depends on what you need. If you are simply looking at remote access, then LogMeIn Free is all you would need. If you are looking for features like FTP (File Manager) and remote printing (printing from the remote printer to your location) and speed, then LogMeIn Pro is the way to go. LMI Pro is at least three times faster in file transfers than Himachi. VPNs tend to be slower than most remote connections.

I have heard that Himachi Pro is much faster than the free version of Himachi.

My guess your answer to the last question is that hundreds on here have experience with LMI free version and less than ten LMI Pro version.

thanks for the info Bert.
bala

If it is a licensing violation to use LMI free, why is it being suggested?

I mostly gave info. I don't really care. But I bet only five people on here pay for their LMI. Can't get away with that with Windows.

Can't speak for the folks at Himachi, but remoting from home to work is supposed to be commercial. Plus, free version has to have constant connectivity or you lose connection. Makes the $29 worth it.

Hi. I am an IT support person. I use LogMeIn Central. It allows me to view hundreds of computer connections. It tells me when a computer is added or taken off of my central account. This tells me if someone points the local machine's LogMeIn client to another machine.

This tool is very helpful to support and connect to multiple machines. If I need to transfer files, monitor other statistics, etc (say on a server) I put the Pro client on it. It is faster than the free client.

If I, or a doctor in the practice, need to connect in faster I always set them up with a Remote Desktop connection to the PC and / or the server. It is much faster in general use. When I am home I always connect to the servers using RDP due to the improved speed.

We only use VPNs to print to remote printers. It is also useful if you have dual ISPs to a site and a switch that can automatically switch to the working ISP when the other goes down.

I have not read anywhere that any "data mining" is done or is used against a client. I am not saying it isn't done, I just haven't heard of it.

Welcome to ACUB and Amazing Charts. Thanks for the info and the RDP backing.

http://amazingcharts.com/ub/ubbthreads.php/topics/54869/Remote_office_logmein_and_inte#Post54869

You may be a good person to comment on the above. I don't think LMI (and would need the Pro version for commercial) will work for remote office, constant on, multiple connections to the server's database especially wireless. Traffic doesn't go back and forth, just controls remote PC with mouse and keyboard.

I have always maintained three things in these scenarios:

1. Either cloud services, which is turnkey
2. TS Server
3. For something like this, get an IT company to do it.

Clear is come is not a solution here.

May as well have posted in the actual thread, lol.

are you talking about employees setting up a secret logmein account on their workstation, or ones that have been given access to the company logmein account?

Both, but usually the latter.

I must be one of the 5 people paying for LogMeIn Pro. Have been subscribing for about 5 years now and with specials averages about $45 a machine. I've had no issues with it. My IT guy uses it to remote in to my server to check up on things as well. Unfortunately, I don't have a deep enough technical background to comment much on security, yet there are better monitoring tools in the subscription version.

LMI is plenty secure if you use good passwords. With all the technology available, good passwords with a minimum of 8 characters, alphanumeric with one capital letter and a number INSIDE the password is strong. As the administrator, the passwords should be made by you in an acromyn or similar and no staff member should make their own password.

LMI Pro is not only legal, the benefits are worth it. If I were using Microsoft with Server 2008 or better, I would use RWA or RDP, which is a no brainer.

I'm late to the conversation, but note what jasman mentioned above. LogMeIn Central extends the EULA to provide you with unlimited users and unlimited free agents even in a business setting. They make their money from the LogMeIn Central contract (which is quite reasonable). If you need additional Pro features (such a remote printing of file manager), just convert that free license to LMI Pro. Of course, remote printing and file management are potentially a big HIPAA no-no.

We use LMI in conjunction with LabTech because the remote control performance is so much better than VNC or RDP.

Welcome Dave.

We use LMI Central, Ignition, and the Free client for the same reasons. We provision a new practice, send them an installer, and are able to join them on their machines in seconds.

Using the deployment and management tools we can selectively allow [and disable] remote access for different users and different computers in the practice.

The stand-alone ignition client is significantly faster than the web-based LMI, and that is what our support and maintenance folks use.