From 223dc861c23c690ee9fb1ea7265aa5518021f8f6 Mon Sep 17 00:00:00 2001
From: Howard Enos
Date: Wed, 22 Apr 2026 14:16:02 -0700
Subject: [PATCH] docs(cascades): track Teams HIPAA rollout as new gap

Added Teams deployment + HIPAA-appropriate configuration as a tracked gap (hipaa.md #27) and M365 issue (m365.md #14). Cites transmission security + BAA requirements and outlines controls needed (retention, DLP, external sharing lockdown, guest access, meeting consent). Dependency on Microsoft BAA flagged.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 clients/cascades-tucson/docs/cloud/m365.md     | 1 +
 clients/cascades-tucson/docs/security/hipaa.md | 1 +
 2 files changed, 2 insertions(+)

diff --git a/clients/cascades-tucson/docs/cloud/m365.md b/clients/cascades-tucson/docs/cloud/m365.md
index 296c764..6523b7f 100644
--- a/clients/cascades-tucson/docs/cloud/m365.md
+++ b/clients/cascades-tucson/docs/cloud/m365.md
@@ -287,6 +287,7 @@ Syncs AD accounts to M365/Entra ID. Users log into Windows with their AD account 11. **sysadmin has no mailbox license** — Only Power Automate Free. May need Exchange if used for email. 12. **No Microsoft BAA signed** — M365 email may contain PHI (resident data). HIPAA §164.308(b)(1) requires a Business Associate Agreement with Microsoft. Sign via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA. 13. **No MFA enabled** — No Security Defaults or Conditional Access configured. HIPAA §164.312(d) requires person authentication. Enable Security Defaults at minimum (free). +14. **Microsoft Teams not deployed or HIPAA-configured** — Teams needs to be rolled out to all staff with HIPAA-appropriate policies before it can be used for any PHI-adjacent communication. Config checklist: retention policies (chat, channel messages, meeting recordings), DLP rules flagging SSN/MRN/patient-identifier patterns, external sharing locked down, guest access disabled by default, meeting recording consent banner enabled, auto-record OFF, PSTN/voicemail storage reviewed. Depends on Microsoft BAA (#12) being signed first. ## Notes diff --git a/clients/cascades-tucson/docs/security/hipaa.md b/clients/cascades-tucson/docs/security/hipaa.md index bda2a63..3f80d5a 100644 --- a/clients/cascades-tucson/docs/security/hipaa.md +++ b/clients/cascades-tucson/docs/security/hipaa.md 
@@ -84,6 +84,7 @@ Nurses/MedTechs (staff PCs) | 24 | **RestrictAnonymous = 0** on CS-SERVER | Medium | §164.312(a)(1) — Access Control | Null sessions allowed | | 25 | **Protected Users group empty** | Medium | §164.312(a)(1) — Access Control | Admin accounts not protected | | 26 | **Share permissions: Everyone=FullControl** on multiple shares | Medium | §164.312(a)(1) — Access Control | Culinary, directoryshare, Roaming | +| 27 | **Microsoft Teams not deployed or HIPAA-configured** for staff | Medium | §164.312(e)(1) — Transmission Security + §164.308(b)(1) — Business Associates | Roll out Teams to all staff with HIPAA-appropriate controls: retention policies for chat/channel/meeting recordings, external sharing restrictions, DLP for PHI in messages, meeting recording consent, guest access disabled by default. Depends on Microsoft BAA (#13). | ## Quick Wins (Free, Can Do Now)
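Review bot: in the m365.md hunk, new item 14 cites no HIPAA section, while the neighbouring items 12 and 13 each anchor their gap to a § reference (§164.308(b)(1) and §164.312(d)); add the citations the hipaa.md row in this same patch uses (§164.312(e)(1) Transmission Security and §164.308(b)(1) Business Associates) so the two documents agree on why Teams is a gap. Since the hunk's own context notes that users sign in with AD accounts synced to Entra ID, and item 13 records that no MFA or Conditional Access is configured, the closing "Depends on Microsoft BAA (#12)" could also name #13, because any Teams rollout will ride on those same unprotected identities.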
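Review bot: in the hipaa.md hunk, row 27 puts a remediation checklist in the last column, whereas rows 24 to 26 use that column for the observed evidence ("Null sessions allowed", "Admin accounts not protected", share names); keep the column as the finding and point to m365.md #14 for the control list, which is also the longer of the two (this row drops "auto-record OFF" and the PSTN/voicemail storage review that m365.md #14 includes, so the two lists already disagree). The BAA cross-reference reads "#13" here but "#12" in m365.md; only m365.md #12 is visible in this patch, so confirm #13 is the BAA row in the hipaa.md table, or write "see m365.md #12" to avoid the ambiguity.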