Shiny New ASUS Router - VPN Question

[drmaximus]

I got a shiny new ASUS RT-AC68U router and noticed it has a built in VPN server function. Could I set this up and have open dental installed on my computer at home and access everything at the office or is this too slow and not worth the hassle? I currently use logmein but noticed the router can do this and was wondering if anyone has tried this or if it has less lag than logmein? I have a 10M download / 1.5M upload speed connection at home and the office.

Thanks

[Justin Shafer]

Try something like this:
https://code.google.com/p/rt-n56u/wiki/BuiltInVpnServer

Remember HIPAA. You are not allowed to transfer data between the home and office without using 256 bit encryption or DES.

This router does not seem to offer that. I don't think the encryption is compliant with HIPAA\HITECH. So, you probably can't use it.

[Justin Shafer]

Lawbreakers and their home routers... JUST KIDDING

Be sure to read LogMeIn's HIPAA Document.
https://secure.logmein.com/welcome/docu ... _HIPAA.pdf

[KevinRossen]

You are not allowed to transfer data between the home and office without using 256 bit encryption or DES.

I'm going to respectfully disagree with this statement. I have never seen any official documentation that states 256-bit encryption is a requirement. In fact, encryption isn't even really officially a requirement, but it is as close to a requirement as it can be without really being required. See this website for an in-depth discussion.

I really think that a VPN connection is a reasonably secure method for a private practice dentist to connect from home to an office server.

[drmaximus]

The router is capable of doing OpenVPN which would get me the 256bits of encryption just in case

[Justin Shafer]

Just throw on DD-WRT. But know what you are doing!

I will ask this guy. Alert Boot Developer.

http://www.alertboot.com/blog/blogs/end ... reach.aspx

HIPAA/HITECH Data Breach Safe Harbor

It shouldn't be news to any HIPAA covered-entities that the HITECH Act amended HIPAA, or that there is a new data breach notification requirement in that amendment. The new rules went into effect over a year ago, so if you're hearing about this now...well, get moving and secure your data.

Also in the "not-news" category: there is a safe harbor component to the breach notification requirement. Namely, any cases where ePHI (electronic protected health information) is lost but encrypted don't apply to the notification requirement.

There is a caveat, however. Nowhere is it specified what type of encryption one should be using. Instead, readers of the guidelines will notice that they're referred to NIST publications regarding encryption.

On the functional equivalent of a safe harbor:

This guidance is intended to describe the technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section 13402 in the event of a breach. [19008 Federal Register / Vol. 74, No. 79 / Monday, April 27, 2009 / Rules and Regulations, my emphasis]
On encryption software and NIST:

(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices.

(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800–52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800–77, Guide to IPsec VPNs; or 800–113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140–2 validated. [42742 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations]

NIST rules out any encryption that wasn't tested by them, so if you're using something that was contracted out to be built for you, but never validated by NIST, you're not getting safe harbor from the HITECH breach notification requirements. Likewise if you're using encryption software that is outdated, like those found in Windows Word 2003 or earlier, as mentioned by El Emam et al.

It's not just a matter of using encryption. You've got to use the right encryption: FIPS 140-2 validated encryption.

You've Got to Wonder...

Reading the above, you've got to wonder if there are HIPAA-covered entities out there that are essentially breaking the law because they don't know better.

[Justin Shafer]

He also wrote a great article about Dentrix.
http://www.alertboot.com/blog/blogs/end ... ption.aspx

[Justin Shafer]

So are we supposed to use FIPS-140-2 Compliant encryption for data in motion?

That will be my question. And that is why I pulled the LAWBREAKER joke.

So I guess the REAL question is:

Do you want to have to notify patients that someone broke into your home and stole your home pc and router. Be sure to secure that.

Joy

*cough* *cough* you should set a root password for mysql.

[Justin Shafer]

You are not allowed to transfer data between the home and office without using 256 bit encryption or DES.

I'm going to respectfully disagree with this statement. I have never seen any official documentation that states 256-bit encryption is a requirement. In fact, encryption isn't even really officially a requirement, but it is as close to a requirement as it can be without really being required. See this website for an in-depth discussion.

I really think that a VPN connection is a reasonably secure method for a private practice dentist to connect from home to an office server.

I don't think he should use a VPN at all. Especially now. I think he should stay on LogMeIn. Beef up it's security. Just because you disagreed. There needs to be a troll icon.

[Justin Shafer]

http://www.hhs.gov/ocr/privacy/hipaa/ad ... 800113.pdf

Here we are... So NIST would prefer us to use SSL or IPSEC which is easy, but pointless unless you use FIPS 140-2 compliant routers in order to gain the ability not to inform patients that a possible gateway into the office was breached.

Which leads to the next question.

Do you legally have to notify if someone stole your vpn client?

And I know JUST the person to ask. PogoWasRight.
https://twitter.com/JShafer817/status/4 ... 1549412353

I bet it says no.

[B.Thomas]

If you want a simple VPN solution that is encrypted try Hamachi by Logmein. It is a software based VPN through your computers instead of router to router. I am getting ping times of less than 10ms between my two offices. Way easier than installing Open VPN

[Justin Shafer]

Yep.. I like Hamachi.. I use it with RSync. It uses 256 AES Encryption. Which I would no longer do in this day in age.. syncing the PMS to the doctors house.

Naaaaa.....

[KevinRossen]

Yep.. I like Hamachi.. I use it with RSync. It uses 256 AES Encryption. Which I would no longer do in this day in age.. syncing the PMS to the doctors house.

Naaaaa.....

On the whole syncing data thing, I think it's very easy to get paranoid about following every last detail in HIPAA to the little dots above the i's, but you can miss the point of the laws. They are in place to protect PHI. There are so many layers of laws out there that could make you think you should never print anything with patient info on it (in case someone else sees the name).

Syncing data is fine, as long as it's encrypted all along the way. If not, services like Lighthouse, Demandfore, and Practice Mojo would not exist. After all, if all we were doing was syncing just our patients' first and last names, that would be considered PHI, so it would need to be encrypted.

Here's my "sync" setup:
1) Data on my server is encrypted via BitLocker
2) ALL drives that I use for backups are encrypted via BitLocker
3) I have two cloud-based backups. In both cases, the data is encrypted & compressed BEFORE being synced.
4) On the systems which I test my backups, the drives are encrypted.

Basically, every step along the way the data is protected. Can it be cracked? Of course it's possible. There is no fool-proof way to guarantee that no one will ever be able to break encryption schemes. Just ask the NSA.

[Justin Shafer]

Here is what I do:

Backup with Windows Server Backup to a dedicated external drive, BitLocker. (Daily)
Backup to external drives labeled A, B, C or whatever that is rotated. I prefer 5. I use SyncBack Pro, BitLocker (no more truecrypt). (Daily)

I do not encrypt the internal drives on the server unless requested. This is for data recovery purposes mainly. If the doctor wants a server that cannot be stolen then I would implement BitLocker tied to the TPM, and then require a PIN at bootup, maybe add the USB Verification as well, but 3 seems overkill.

====================================
Cloud.

Before I would backup to doctors house, and install all the PMS software I could so he could use this to VERIFY the data worked well. That was really the main reason for installing the software. To verify the data was there, and changing.
This was then backed up to an external drive, and SyncBack would hold versions of files in hidden directories. Eventually at some point when HITECH started coming around, etc.. I realized that were going to need to encrypt the offsite data, even though the probability is really low that someone is going to steal the data. So we used TrueCrypt. Now TrueCrypt is considered "bunk". So.... Back to BitLocker, or something else....

And I decided that this whole backup to the doctors house is just not worth maintaining. Plus the doctors home pc needs to have updates installed to properly view the data.... I just decided....

idrive.com.. screw it. I was syncing to an Amazon Bucket, but... It's not user friendly, as I have been reminded.

https://www.idrive.com/online-backup-hipaa.htm

If the x-rays can be afforded along with scanned documents, GREAT. My main concern is the PMS database and other databases, as they risk corruption from a drive crash. I don't trust many doctors to check their backup logs, I do trust them to blindly rotate drives though. X-Rays are always easy to get back... A healthy database, is not.

[Justin Shafer]

I would also like to add, that if the server has dual power supplies, it is a security risk. If the server is set to automatically mount encrypted partitions\drives after Windows has been booted.

Because someone can connect their own UPS and run off with the server, while BitLocker has been mounted. If the server is locked at a Control-Alt-Delete Screen.. then they can attempt to exploit Windows, and eventually break through.



And I still would want redundant power supplies... so I need some form of software that detects when the server has been moved, so it will perform an emergency shutdown. But nobody has asked me to do that yet. Like the network card has been unplugged or perhaps proximity or.. something. Ideas?

[KevinRossen]

I need some form of software that detects when the server has been moved, so it will perform an emergency shutdown. But nobody has asked me to do that yet. Like the network card has been unplugged or perhaps proximity or.. something. Ideas?

Maybe something like this:

Code: Select all

:End 
ping google.com 
If %errorlevel% == 1 ( 
echo noreply 
shutdown -r -t 0 
) 
If %errorlevel% == 0 (
GoTo :End 
) 
:End 

[Justin Shafer]

I want something that works in a quorum. With some sort of key that can be identified....Lets say we have 2 OpenSSH Servers running on the network... Both have the same public\private keys (uniqueness). How could we use this to create a script. Hmmmmm

If we use that script, the server will reboot if the internet goes down, etc... Needs to work without the internet, and in a quorum (at least 2 objects to verify against).

Something boolean, if we were able to successfully login using a key. Yes or no. If no... try second server.. If no again, REBOOT FORCEFULLY.

JASON... OH JASON..

Got any ideas?

I will try a batch script with ssh.exe, and if that does not work.. we will need more help.