A plain-language summary across the eight areas you asked to review: where each stands today, the open gaps, the action we will take, and when. The headline: the core systems are stable and backups are now verified, so the focus shifts from fixing risk to finishing the modernization already underway.
Core systems are stable. A live hardware check on June 24 confirmed the main server is healthy with all drives online and backups running (an earlier alarm turned out to be a self-corrected glitch). Microsoft 365 and the managed network are in place, and 12 staff PCs are already migrated onto the managed domain.
The server is aging and currently running on one working power supply (its backup supply needs service). Several PCs run Windows Home and cannot join the managed domain until upgraded to Pro; a few are end-of-life. 31 users sit on a Microsoft license that has been suspended.
Restore the second power supply; install the enterprise SSDs already on hand during a planned window; upgrade Home PCs to Pro and finish the migration; replace end-of-life PCs.
Licensing now · upgrades near-term · server replacement a future project to scope together.
Email runs on Microsoft 365 with full sender authentication protecting your domain from spoofing. All 37 phone devices are consolidated onto a dedicated, isolated voice network, and a June Wi-Fi tune-up roughly halved wireless retransmissions building-wide.
Some wireless handsets still attach to the congested 2.4 GHz band, causing occasional dropped calls. The phone vendor confirmed the handsets cannot be pinned to a band one by one.
Stand up a clean, dedicated 5 GHz "device" network for the phones and safety sensors; both vendors then move their equipment onto it remotely.
Per-room coverage check next on-site visit · vendor switch-over shortly after.
A modern, identity-based protection system is largely live. Caregiver accounts work only on-site and only on approved devices, so a stolen caregiver password is useless elsewhere. Office and clinical staff use multi-factor sign-in off-site, the clinical system (ALIS) uses single sign-on, and shared caregiver PCs auto-lock and sign out for privacy.
File-access audit logging on the resident-data share is not yet switched on, and the long-term audit-retention storage is approved but not built. Emergency "break-glass" admin accounts and the signed agreement (BAA) with the clinical vendor still need finalizing.
Enable audit logging and stand up retention storage (90 days live, 6 years archived); create break-glass accounts with security keys; confirm the ALIS agreement; complete the caregiver lockdown one device at a time.
Audit logging and caregiver go-live are the immediate priority (P1).
Your technology vendors are inventoried: Microsoft 365, ALIS (clinical records), Vertical (phones), Cox (internet, fiber plus a backup line), MSP360 (cloud backup), Bitdefender (security), and your business applications (QuickBooks, Bill.com, Relias, You've Got Leads, TELS, Focus HR, Helpany, POS).
The clinical-vendor business-associate agreement needs verifying, and there is no single calendar tracking renewals and agreements.
Verify the ALIS agreement and build a one-page renewal and agreement tracker so nothing lapses unnoticed.
Near-term, low effort.
Cascades is rolling out Helpany "Paul" resident-safety sensors: ceiling-mounted radar devices that detect falls and motion. They use radar only, with no camera and no microphone, so resident privacy is fully preserved. Roll-out is floor by floor (floors 1 and 2 first). The clinical system and caregiver app round out the resident-facing technology.
The sensors currently share Wi-Fi with other equipment; they belong on the dedicated, isolated device network described under Communication Technology.
Move the sensors onto the new 5 GHz device network (the vendor transitions them remotely) and continue the floor-by-floor roll-out. If "assistive technology" should also cover nurse-call or accessibility systems, we will fold those in.
Folded into the Wi-Fi device-network work above.
Cloud backup is now running and was verified on June 24: the last backup succeeded, about 576 GB is protected off-site, and daily changes are captured. This closed a long-standing gap. June's planned power outage was handled with a clean, scripted shutdown and a verified recovery, proving the procedure works.
We need to confirm the backup is a full system image (not files alone) so the server could be rebuilt quickly after a total failure. The facility still relies on a single primary server, so there is no automatic failover yet.
Confirm or extend backups to full-image, run a test restore, document a written recovery plan with target recovery times, and add server redundancy with the modernization project.
Backup confirmation and test restore near-term · redundancy with the server project.
Managed antivirus (Bitdefender) protects endpoints, with Microsoft Defender and email filtering guarding inboxes.
Coverage is not yet universal. Notably the main server is not under managed antivirus, and leftover software from the previous IT provider is still installed and should be removed.
Enroll the main server and all remaining PCs into managed antivirus, remove the previous provider's leftover agents, and run a coverage audit so every device reports in.
Near-term · exact coverage numbers confirmed before the meeting.
No AI system is in production at Cascades today. The nearest active item is the reporting (KPI) dashboard you requested, which will pull key numbers from ALIS, QuickBooks, Bill.com and others into a single view.
There is no staff policy yet for using public AI tools, which is a data-privacy risk in a healthcare setting.
Draft a short, practical AI acceptable-use policy first; then evaluate Microsoft 365 Copilot with healthcare safeguards; and advance the reporting dashboard as the sanctioned path.
Policy is quick · dashboard proceeds once you confirm the first key metrics.