sync: auto-sync from HOWARD-HOME at 2026-04-23 06:21:23
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-04-23 06:21:23
@@ -165,7 +165,8 @@ Without Entra Connect, new accounts are cloud-only and create the same AD-vs-M36
| **G4. Take out of staging, directory sync ONLY (no Password Hash Sync)** | Hybrid identity appears in Entra. Passwords remain separate between AD and M365. | None — users sign in exactly as today | 48 hours stable with no new support tickets about sign-in |
| **G5. Announce + enable Password Hash Sync** | AD password hash pushes to Entra. Next Outlook / Teams / Edge launch, prompts once for password. Users enter AD password. | **ONE password prompt, once.** After that: one password for everything. | Zero unresolved helpdesk tickets; test user confirms PC + Outlook + OWA work on same password |
| **G6. Conditional Access policies go live in REPORT-ONLY mode** | CA evaluates every sign-in and records what WOULD have been blocked, but doesn't actually block. | None | 7–14 days of logs reviewed — zero "would have been blocked" events for legitimate users. Fix trusted-location / compliance gaps as needed. |
| **G7. CA enforcement flip** | Policy blocks out-of-scope sign-ins for real. | Off-site users unexpectedly on the allow-list see no change; users NOT on allow-list get blocked from outside the building as intended. | Break-glass account confirmed working. Meredith notified. |
| **G7. CA enforcement flip** | Policy blocks out-of-scope sign-ins for real. | Off-site users unexpectedly on the allow-list see no change; users NOT on allow-list get blocked from outside the building as intended. | Break-glass account confirmed working. Meredith notified. **User comms sent 48h before flip** — see G7a below. |
| **G7a. Pre-enforcement user comms (MUST run before G7)** | Query Entra sign-in logs for any licensed user with >0 off-site sign-ins in last 30 days. Anyone NOT in `SG-External-Signin-Allowed` gets a targeted email: "Starting [date] you will only be able to sign into Cascades email and apps from inside the building. If you work from home / travel / check email on your phone off-site, reply to Meredith by [date-1] to be added to the allow-list." | Users who legitimately work off-site get warned; those who don't get confirmation that silent behavior change is coming. | Report from Entra sign-in logs shows comms sent to every off-site-active user. No silent blocks at G7 cutover. |
| **G8 (separate project). ALIS SSO Enterprise App registration** | "Sign in with Microsoft" option appears on ALIS login. Existing ALIS username/password keeps working during transition. | Optional new sign-in button. | N/A — rollout when ALIS support has provided federation metadata. |
**Rollback points:** G3 through G5 all have clean reverse paths (remove from staging, disable PHS, reset individual passwords). G6/G7 CA policies can be disabled with one click. Only hard-to-reverse step is G1's AD renames — mitigated by the pre-change reg-exports/backups already in the `D:\Backups\pre-entra-connect-*` folder from the 2026-04-22 preflight remediation.
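Review bot: G7a is declared a hard prerequisite of G7 ("MUST run before G7"), but its gate column ends with "No silent blocks at G7 cutover", an outcome that can only be observed after G7 has already flipped, so the gate cannot be satisfied before the step it is supposed to precede. Suggest limiting G7a's gate to what is checkable beforehand (the sign-in-log report showing comms sent to every off-site-active user) and moving "no silent blocks" into G7's gate next to "Break-glass account confirmed working"; listing G7a above G7 in the table would also make the row order match the dependency. Minor: in the G7 row, "Off-site users unexpectedly on the allow-list" reads as a typo for "already on the allow-list".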
@@ -7,6 +7,37 @@
---
## Findings classified ACTIVE ONGOING VIOLATION — present-tense gap
### A1. Synology role-based shared-login accounts with PHI access
**Rule:** 45 CFR §164.312(a)(2)(i) Unique User Identification (Required).
**Current state:** The Synology NAS `cascadesds` (192.168.0.120) hosts 7 role-based shared-credential local accounts that multiple humans sign into. Several of these accounts have access to shares containing PHI (`homes`, `Management`, `pacs`). Per `docs/migration/synology-permission-inventory.md` these accounts are:
- `Accounting`
- `Dining Manager`
- `Front Desk`
- `mcnurse`
- `Memcare Receptionist`
- `memcarenurse`
- `Nurse Tower`
**Gap:** These are NOT scheduled for remediation until Phase 4 (Synology retirement + CS-SERVER file-share cutover), which will be weeks away at best. **Every day until Phase 4, these shared credentials are an active Required-spec violation if any of them access PHI shares.** The `pacs` share (likely medical imaging) and `Management` (clinical admin docs) are the highest-risk.
**Options:**
1. **Accelerate disable.** Immediately disable shared logins on Synology + force users onto their personal AD-synced accounts. Risk: breaks known workflows, disrupts front-desk / nursing stations that rely on shared logins today.
2. **Documented risk-acceptance in Risk Analysis.** Capture the exception explicitly: "7 Synology shared-login accounts remain operational until Phase 4 cutover, target [date]. Compensating controls: physical access restricted to Cascades building, shift-based sign-in sheets on each shared workstation, monthly SMB access-log review by Howard." Meredith signs the residual-risk acknowledgment.
3. **Hybrid.** Disable the highest-sensitivity shared accounts immediately (`mcnurse`, `memcarenurse`, `Nurse Tower` if they touch `pacs`), accept risk on the less-sensitive ones (`Accounting`, `Front Desk`).
**Decision required:** Which option does Meredith prefer? Option 2 is most common but the residual-risk paperwork has to be real, not just assumed.
**Detection:** Monthly sample of Synology SMB access logs for those accounts, mapped against shift schedules.
**Target resolution:** Phase 4 (Synology retirement) OR explicit immediate-disable event. Whichever comes first.
---
## Findings classified CRITICAL — must fix before rollout
### C1. Shared agency logins would violate §164.312(a)(2)(i) — Unique User Identification
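Review bot: Both the Option 2 compensating control ("monthly SMB access-log review by Howard") and the Detection line assume that SMB file-access logs for the seven accounts exist on `cascadesds` and are retained long enough for a monthly sample, but nothing in A1 records that this logging is enabled or how long it is kept; a risk acceptance that rests on a log review needs that verified and written down before Meredith signs it. Suggest adding a line under Detection naming the log source and retention on the NAS, and, for Option 3, replacing "`Nurse Tower` if they touch `pacs`" and "`pacs` (likely medical imaging)" with the actual account-to-share mapping from `docs/migration/synology-permission-inventory.md`, so the immediate-disable set is chosen from the inventory rather than from a guess about what the share holds.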