sync: auto-sync from HOWARD-HOME at 2026-04-23 06:21:23
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-04-23 06:21:23
This commit is contained in:
@@ -7,6 +7,37 @@
|
||||
|
||||
---
|
||||
|
||||
## Findings classified ACTIVE ONGOING VIOLATION — present-tense gap
|
||||
|
||||
### A1. Synology role-based shared-login accounts with PHI access
|
||||
|
||||
**Rule:** 45 CFR §164.312(a)(2)(i) Unique User Identification (Required).
|
||||
|
||||
**Current state:** The Synology NAS `cascadesds` (192.168.0.120) hosts 7 role-based shared-credential local accounts that multiple humans sign into. Several of these accounts have access to shares containing PHI (`homes`, `Management`, `pacs`). Per `docs/migration/synology-permission-inventory.md` these accounts are:
|
||||
|
||||
- `Accounting`
|
||||
- `Dining Manager`
|
||||
- `Front Desk`
|
||||
- `mcnurse`
|
||||
- `Memcare Receptionist`
|
||||
- `memcarenurse`
|
||||
- `Nurse Tower`
|
||||
|
||||
**Gap:** These are NOT scheduled for remediation until Phase 4 (Synology retirement + CS-SERVER file-share cutover), which will be weeks away at best. **Every day until Phase 4, these shared credentials are an active Required-spec violation if any of them access PHI shares.** The `pacs` share (likely medical imaging) and `Management` (clinical admin docs) are the highest-risk.
|
||||
|
||||
**Options:**
|
||||
1. **Accelerate disable.** Immediately disable shared logins on Synology + force users onto their personal AD-synced accounts. Risk: breaks known workflows, disrupts front-desk / nursing stations that rely on shared logins today.
|
||||
2. **Documented risk-acceptance in Risk Analysis.** Capture the exception explicitly: "7 Synology shared-login accounts remain operational until Phase 4 cutover, target [date]. Compensating controls: physical access restricted to Cascades building, shift-based sign-in sheets on each shared workstation, monthly SMB access-log review by Howard." Meredith signs the residual-risk acknowledgment.
|
||||
3. **Hybrid.** Disable the highest-sensitivity shared accounts immediately (`mcnurse`, `memcarenurse`, `Nurse Tower` if they touch `pacs`), accept risk on the less-sensitive ones (`Accounting`, `Front Desk`).
|
||||
|
||||
**Decision required:** Which option does Meredith prefer? Option 2 is most common but the residual-risk paperwork has to be real, not just assumed.
|
||||
|
||||
**Detection:** Monthly sample of Synology SMB access logs for those accounts, mapped against shift schedules.
|
||||
|
||||
**Target resolution:** Phase 4 (Synology retirement) OR explicit immediate-disable event. Whichever comes first.
|
||||
|
||||
---
|
||||
|
||||
## Findings classified CRITICAL — must fix before rollout
|
||||
|
||||
### C1. Shared agency logins would violate §164.312(a)(2)(i) — Unique User Identification
|
||||
|
||||
Reference in New Issue
Block a user