diff --git a/clients/cascades-tucson/docs/cloud/m365.md b/clients/cascades-tucson/docs/cloud/m365.md index 296c764..6523b7f 100644 --- a/clients/cascades-tucson/docs/cloud/m365.md +++ b/clients/cascades-tucson/docs/cloud/m365.md @@ -287,6 +287,7 @@ Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account 11. **sysadmin has no mailbox license** — Only Power Automate Free. May need Exchange if used for email. 12. **No Microsoft BAA signed** — M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Sign via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA. 13. **No MFA enabled** — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free). +14. **Microsoft Teams not deployed or HIPAA-configured** — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first. ## Notes diff --git a/clients/cascades-tucson/docs/security/hipaa.md b/clients/cascades-tucson/docs/security/hipaa.md index bda2a63..3f80d5a 100644 --- a/clients/cascades-tucson/docs/security/hipaa.md +++ b/clients/cascades-tucson/docs/security/hipaa.md 
@@ -84,6 +84,7 @@ Nurses/MedTechs (staff PCs) | 24 | **RestrictAnonymous = 0** on CS-SERVER | Medium | §164.312(a)(1) — Access Control | Null sessions allowed | | 25 | **Protected Users group empty** | Medium | §164.312(a)(1) — Access Control | Admin accounts not protected | | 26 | **Share permissions: Everyone=FullControl** on multiple shares | Medium | §164.312(a)(1) — Access Control | Culinary, directoryshare, Roaming | +| 27 | **Microsoft Teams not deployed or HIPAA-configured** for staff | Medium | §164.312(e)(1) — Transmission Security + §164.308(b)(1) — Business Associates | Roll out Teams to all staff with HIPAA-appropriate controls: retention policies for chat/channel/meeting recordings, external sharing restrictions, DLP for PHI in messages, meeting recording consent, guest access disabled by default. Depends on Microsoft BAA (#13). | ## Quick Wins (Free, Can Do Now)
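Review bot: In the m365.md hunk, item 14 states a dependency only on the BAA (#12), but item 13 directly above records that no MFA is enabled, and rolling Teams out "to all staff" before Security Defaults or Conditional Access is in place widens the exposed surface for the same PHI-adjacent data; add "#13 (MFA)" to the dependency list so the ordering is explicit. The other items in this list also name where the fix is applied (item 12 gives the Admin Center path), while item 14's checklist does not say which admin surface each control lives in or how completion is verified; a short "where/how verified" per control would make it actionable in the same style.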
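Review bot: In the hipaa.md hunk, row 27 says "Depends on Microsoft BAA (#13)" while the same finding in m365.md says "(#12)"; the two documents number their items differently, so confirm #13 is the BAA row in this table and consider referencing the finding by name ("Microsoft BAA" row) rather than by number to avoid drift. The checklists have also already diverged between the two files (this row omits "auto-record OFF" and "PSTN/voicemail storage reviewed" and the SSN/MRN pattern detail), and the last column here holds the full remediation text whereas rows 24 to 26 keep it to a short finding summary ("Null sessions allowed", "Admin accounts not protected"); keep the terse summary in the table and point to m365.md item 14 as the single canonical checklist.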