windowsnerd.com

notes from an admin for himself. you can read it if you want.

Oh hell no, Logmein bought Citrix Goto products. No BAA/HIPAA compliance for you!

28 April, 2017 (11:12) | complaining, Mindless Blather, security, software

Logmein acquired the fleet of GoTo products from Citrix last year. We moved away from Logmein because they refused to offer a BAA, or even to acknowledge that they were responsible for one, for HIPAA data per the HITECH Omnibus rule of 2013. Now we are sad about our use of GoToMeeting, GoToWebinar, GoToTraining and GoToAssist. Citrix offered us a BAA for the whole GoTo line; it was great.

I used some leverage from needing a new license to get information out of GetGo sales. Logmein hates talking to you in writing about this subject. After a few weeks of prodding, and promises from sales folks that weren't kept, this is what they sent:

BAAs are only needed when GetGo, Inc. is acting as a business associate by creating, receiving, maintaining or transmitting PHI on behalf of Covered Entities or other Business Associates. Because the GoTo Services do none of these things, GetGo, Inc. is not a business associate. Our standard Terms of Service also prohibit using the GoTo Services for these purposes. Use of the GoTo Services does not create a business associate relationship subject to HIPAA compliance obligations, and Covered Entities/Business Associates don't need to have a BAA in place with GetGo, Inc. in order to use the GoTo Services. For these reasons, GetGo, Inc. is not required to and does not sign BAAs for the GoTo Services.

The GoTo Services are not intended to and do not create, receive, maintain or transmit PHI, so the GoTo Services do not have to comply with HIPAA. This is because the GoTo Services use screen-sharing technology and only transmit keyboard and mouse commands. The actual PHI stays at the user's location. Any image of PHI on the screen is fully encrypted and sending these images does not constitute "transmission" for purposes of HIPAA. It is more accurate to say that the GoTo Services support HIPAA compliance. Because of the technical and security measures GetGo, Inc. has implemented, when used properly, the services can help you fulfill your HIPAA compliance obligations to keep data secure and confidential.

GetGo should do a little light reading like slide 20 step 6 on this handy guide from HHS:

http://www.wedi.org/forms/uploadFiles/362A500000091.toc.7.26_Combined.pdf

Encryption has very little to do with it. It isn't even "required" by the Omnibus rule, although you would be an idiot not to use it.

They say they aren't transmitting data... but they are. I told them they are. Chuckle. Which means they have to provide a BAA according to the Omnibus rule. Citrix's lawyers agreed with me. Maybe GetGo fired them.

Here are some fun facts you should think about when dealing with Logmein.

Refusing a BAA means they aren't confident in their security. They are refusing to be liable for protecting your PHI. If they were secure they wouldn't mind a small amount of risk. If they really had no responsibility for PHI they would sign a BAA anyway, because they could never be fined.

Things to think about:

  • Any PHI on the screen of the machine you are controlling is TRANSMITTED using GoTo products (according to paragraph 1 above I'm prohibited from transmitting PHI; according to paragraph 2 it is encrypted and a magical unicorn waves its horn and says now it isn't PHI).
  • Encryption keys are controlled by GetGo, not you.
  • Root-level access is in the possession of GetGo for the following purposes: running as a service, auto-updating the client software, and authentication using your root credentials, which are stored in their directory service.
  • Directory service: all the credentials for your account are stored by GetGo unless you have SSO. Either way, they have admin access to your machine. Think about that. What other software allows full backdoor, full-screen remote access to a machine in your inventory?
  • Network services: clients are sitting there listening on an open network port, and GetGo is responsible for the security of that client.
  • Data storage: GoToTraining and, I think, GoToWebinar have the ability to save data for use in presentations. Why shouldn't my users be allowed to do a presentation at a hospital with live patient data if users are allowed to view it?
  • Every relationship in the chain between CEs and BAs that touches PHI must be covered with a BAA. If I contract with a backup company to transmit or store PHI, they have to provide a BAA. They do. Hell, even Salesforce has a BAA with me.
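If you want to see for yourself what the "runs as a service", "admin access" and "listening on a port" points above look like on one of your own Windows boxes, the following PowerShell is an added example written for this post, not anything shipped by GetGo or Logmein. It inventories installed services whose name, display name or binary path match a set of vendor name patterns, reports which account each one runs as (LocalSystem means full control of the host), and joins in the TCP sockets its process is listening on or has open outbound. The name patterns in $Pattern are an assumption about how the vendor names its services; adjust them for whatever remote-access agents you actually have. Run it from an elevated session, since Get-NetTCPConnection needs to see other processes' sockets.

```powershell
# Added example, not from the original post or the vendor.
# Inventory remote-access agents on a Windows host: service account,
# start mode, binary, and the TCP sockets owned by the running process.
function Get-RemoteAccessAgent {
    param(
        # Assumption: these substrings match the vendor's service names.
        # Change to taste (e.g. 'TeamViewer|AnyDesk') for other agents.
        [string]$Pattern = 'GoTo|LogMeIn|GetGo|G2M|G2A'
    )

    Get-CimInstance Win32_Service |
        Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern } |
        ForEach-Object {
            $svc    = $_
            $listen = @()
            $out    = @()

            # ProcessId is 0 when the service is stopped; only running
            # processes own sockets.
            if ($svc.ProcessId -gt 0) {
                $conns = Get-NetTCPConnection -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue
                $listen = $conns | Where-Object State -eq 'Listen' |
                          ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }
                $out    = $conns | Where-Object State -eq 'Established' |
                          ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
            }

            [pscustomobject]@{
                Service   = $svc.Name
                Display   = $svc.DisplayName
                State     = $svc.State
                StartMode = $svc.StartMode
                RunsAs    = $svc.StartName   # 'LocalSystem' = unrestricted on this host
                Binary    = $svc.PathName
                Listening = ($listen -join ', ')
                Outbound  = ($out -join ', ')
            }
        }
}

# Usage: one record per matching service; empty output means nothing matched.
Get-RemoteAccessAgent | Format-List
```

The output is only an inventory, not a verdict: an agent that shows RunsAs = LocalSystem, StartMode = Auto and a persistent outbound session to the vendor is exactly the "full backdoor remote access" the list above describes, and whether that is acceptable depends on who carries the liability for it, which is the whole point of the BAA argument.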

I could list quite a number of controls that are required in order to do an audit with HITRUST for HIPAA compliance that aren’t done by GetGo products. I’m not willing to spend too much more time opining and typing. The important thing is getting the BAA for the liability shift.

The most entertaining bit in all of this is their explanation of use- You aren’t allowed to transmit PHI in the first paragraph… But you can because of the magic encryption in the second. I wish it made a fairy noise and sparkled on the screen when it does this.

Bottom line: in my opinion GetGo/Logmein has ruined yet another product line with their ostrich approach to things. Not total crap; they are cool products. They work really well. They just don't belong in health care (HIPAA/HITECH, PHIPA, PIPEDA) or PCI-type spaces. Cross your fingers and hope they don't screw up LastPass.

Comments

Comment from Daniel
Time: April 28, 2017, 6:22 pm

If all they are doing is transmitting data – not viewing, handling, processing it – and it is encrypted, they would not be considered a BAA. I’m assuming you have end-to-end encryption using this service? In the same way that you do not need a BAA with every telecom, node and (now I’m just making stuff up) that your encrypted data uses between two entities.

"Other Situations in Which a Business Associate Contract Is NOT Required: With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents." https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html?language=es

Comment from Daniel
Time: April 28, 2017, 6:30 pm

I had another thought; I’m really not spamming, I swear!

Are you actually required to have a BAA with a company (I'm not saying it wouldn't be smart to do it) that is holding your encrypted data? Say, for argument's sake, YOU encrypt a batch of data and THEN upload it; are you required to have a BAA? Compare this to having an encrypted laptop stolen from your car. There is no breach notice required in this instance, as there is no actual disclosure of PHI.

Thoughts?
