# HIPAA Compliance — Cascades

## Why HIPAA Applies

Cascades is an assisted living facility with health services staff (nurses, medtechs, health services director). They handle Protected Health Information (PHI) through:

1. **ALIS** (https://www.go-alis.com/) — cloud-hosted clinical/medical records system, accessed via web browser on staff PCs
2. **Synology NAS (cascadesDS)** — stores resident/facility data locally that falls under HIPAA
3. **CS-SERVER file shares** — migration target for Synology data; will become the primary secured storage
4. **M365 email** — staff may send/receive resident-related information via cascadestucson.com email

## Project Mission

Cascades was taken over from a previous MSP that left the environment insecure and non-compliant. The core objective of the migration project is to **get Cascades secure and HIPAA compliant**. Every migration phase ties back to this goal.

## Current HIPAA Gaps

| # | Gap | Severity | HIPAA Rule | Migration Phase |
|---|-----|----------|------------|-----------------|
| 1 | **No backup exists** | Critical | §164.308(a)(7) — Contingency Plan | Phase 0 (WSB → Synology) + Phase 4 (offsite) |
| 2 | **Synology stores PHI with no access auditing** | Critical | §164.312(b) — Audit Controls | Phase 4 (move to CS-SERVER with NTFS audit) |
| 3 | **Shared accounts** (Receptionist, Culinary, saleshare, directoryshare) | High | §164.312(a)(2)(i) — Unique User ID | Phase 5 (replace with individual accounts) |
| 4 | **No MFA on M365** | High | §164.312(d) — Person Authentication | Can enable now (Security Defaults, free) |
| 5 | **No disk encryption (BitLocker)** | High | §164.312(a)(2)(iv) — Encryption | Phase 2.6 GPO (free with Windows Pro) |
| 6 | **Permissive floating firewall rule** | High | §164.312(e)(1) — Transmission Security | Phase 1.6 (post-migration lockdown) |
| 7 | **Non-IT staff in Domain Admins** | High | §164.312(a)(1) — Access Control | Phase 2.2 (remove Meredith.Kuhn, John.Trozzi) |
| 8 | **Most PCs not domain-joined** | Medium | §164.308(a)(3) — Workforce Security | Phase 3 (domain join all staff PCs) |
| 9 | **No GPOs enforced** (password policy, screen lock) | Medium | §164.308(a)(5) — Security Awareness | Phase 2.6 (Security Baseline GPO) |
| 10 | **Kitchen iPads on same VLAN as staff PCs** | Medium | §164.312(e)(1) — Transmission Security | Restrict iPads to kitchen printers only |
| 11 | **ALIS browser access on shared PCs** | Medium | §164.312(d) — Person Authentication | Phase 5 (individual logins, no shared accounts) |
| 11b | **Caregiver shared-phone access — no MFA factor** | (compensating-controls architecture — see [`hipaa-caregiver-controls.md`](hipaa-caregiver-controls.md)) | §164.312(a)(1), §164.312(d), §164.306(b) | Live 2026-05-11 with pilot user `pilot.test`; staged caregiver rollout pending pilot SSO verify |
| 12 | **No BAA verified with ALIS** | Medium | §164.308(b)(1) — Business Associates | Verify with management |
| 13 | **No BAA with Microsoft (M365)** | Medium | §164.308(b)(1) — Business Associates | Sign Microsoft BAA via M365 admin |
| 14 | **Sandra Fish still global admin** | Low | §164.308(a)(3) — Workforce Security | Create break-glass admin, remove Sandra |
| 15 | **No M365 backup** | Low | §164.308(a)(7) — Contingency Plan | Future — Veeam Backup for M365 |

## How Migration Phases Address HIPAA

| Phase | What It Does | HIPAA Controls Addressed |
|-------|-------------|------------------------|
| Phase 0 — Safety Net | Windows Server Backup → Synology SMB share | Backup, contingency plan |
| Phase 1 — Network | VLAN migration, firewall lockdown, guest isolation | Transmission security, access control |
| Phase 2 — Server Prep | AD cleanup, security groups, GPOs (BitLocker, passwords, screen lock) | Access control, audit, encryption, unique user ID |
| Phase 3 — Domain Join | All staff PCs under centralized management | Workforce security, device management |
| Phase 4 — Synology Retirement | Move data to CS-SERVER with NTFS permissions + audit logging | Audit controls, access control, integrity |
| Phase 5 — Hardening | Remove shared accounts, RDS cleanup, final lockdown | Unique user ID, person authentication |

## Systems and PHI Flow

```
Nurses/MedTechs (staff PCs)
│
├──► ALIS (cloud, go-alis.com) — clinical/medical records
│    └── ALIS responsible for their own HIPAA compliance + BAA
│
├──► Synology NAS (cascadesDS, 192.168.0.120) — resident/facility data (MOVING TO CS-SERVER)
│
├──► CS-SERVER (192.168.2.254) — file shares, AD, DNS (migration target)
│
└──► M365 (cascadestucson.com) — email, may contain PHI in messages/attachments
```

## Non-PHI Systems (out of HIPAA scope)

| System | Purpose | Notes |
|--------|---------|-------|
| Kitchen iPads (9 units) | Food order taking | No PHI — only need access to kitchen thermal receipt printers. **Managed via ManageEngine MDM** |
| Kitchen thermal printers | Receipt printing | Bistro (TM-T88VII, 192.168.2.207) + Kitchen (TM-U220IIB, 10.0.20.225) |
| Resident room VLANs | Resident personal devices (TVs, phones) | No PHI — isolated /28 per room |
| Ring cameras (8 units) | Security cameras | No PHI |
| GoDaddy | Website hosting (cascadestucson.com) | Public website, no PHI |

## New Findings from Audit (2026-03-20)

| # | Gap | Severity | HIPAA Rule | Notes |
|---|-----|----------|------------|-------|
| 16 | **3 shared accounts with no password** (Nurses, memfrtdesk, Front Desk) — these PCs access ALIS | Critical | §164.312(a)(2)(i) — Unique User ID | NURSESTATION-PC, MEMRECEPT-PC, RECEPTIONIST-PC |
| 17 | **No audit logging on CS-SERVER** (Object Access = No Auditing) | Critical | §164.312(b) — Audit Controls | Cannot track who accessed PHI files |
| 18 | **13 months without Windows updates** on DESKTOP-LPOPV30 | High | §164.308(a)(1) — Security Management | 6 machines 3+ months behind |
| 19 | **Expired SSL certificate** on CS-SERVER (2025-04-02) | High | §164.312(e)(1) — Transmission Security | Causes Schannel errors |
| 20 | **krbtgt password 569 days old** | High | §164.312(a)(1) — Access Control | Should rotate every 180 days |
| 21 | **RDP without NLA** on ASSISTMAN-PC, DESKTOP-U2DHAP0 | High | §164.312(e)(1) — Transmission Security | Credential exposure risk |
| 22 | **TightVNC on MEMRECEPT-PC** | High | §164.312(a)(1) — Access Control | Unauthorized remote access tool |
| 23 | **No LAPS** — same local admin password on all machines | Medium | §164.312(a)(1) — Access Control | Lateral movement risk |
| 24 | **RestrictAnonymous = 0** on CS-SERVER | Medium | §164.312(a)(1) — Access Control | Null sessions allowed |
| 25 | **Protected Users group empty** | Medium | §164.312(a)(1) — Access Control | Admin accounts not protected |
| 26 | **Share permissions: Everyone=FullControl** on multiple shares | Medium | §164.312(a)(1) — Access Control | Culinary, directoryshare, Roaming |
| 27 | **Microsoft Teams not deployed or HIPAA-configured** for staff | Medium | §164.312(e)(1) — Transmission Security + §164.308(b)(1) — Business Associates | Roll out Teams to all staff with HIPAA-appropriate controls: retention policies for chat/channel/meeting recordings, external sharing restrictions, DLP for PHI in messages, meeting recording consent, guest access disabled by default. Depends on Microsoft BAA (#13). |

## Quick Wins (Free, Can Do Now)

1. **Enable MFA on M365** — Security Defaults in Entra ID (free, takes 5 minutes)
2. **Sign Microsoft BAA** — M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA
3. **Verify ALIS BAA** — Ask management if they have a signed BAA with go-alis.com
4. **BitLocker GPO** — Enable via Security Baseline GPO once PCs are domain-joined (Phase 2.6)

## Recommendations (Paid)

| Service | Why | Cost | Priority |
|---------|-----|------|----------|
| Veeam Backup for M365 | Protect email/OneDrive containing PHI | ~$2-4/user/mo | Medium |
| Business Premium upgrade | DLP (prevent PHI in outbound email), Defender, Conditional Access | +$10/user/mo (~$340/mo net after shared mailbox savings) | Low — most gaps covered by free controls |

## Notes

- Cascades is assisted living, not a hospital — but nurses and medtechs handle PHI, making HIPAA applicable
- Previous MSP left the environment non-compliant — this project is a remediation effort
- ALIS handles the heavy clinical data in the cloud — local HIPAA focus is on access control, backup, encryption, and audit trails
- Kitchen area (iPads, thermal printers) is out of HIPAA scope — food service only
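As an added example (not part of this document or the MSP's own tooling), the following read-only PowerShell check reports whether audit findings 17, 20, 21, 24, 25 and 26 are still open on the host it runs on, using the thresholds stated in the findings table. It assumes it is run elevated on CS-SERVER with the ActiveDirectory RSAT module installed; the function name `Get-CascadesOpenFindings` is hypothetical.

```powershell
# Added example, not part of the original document or the MSP's tooling.
# Read-only re-check of audit findings #17, #20, #21, #24, #25 and #26 on this host.
# Assumes: run elevated on CS-SERVER, ActiveDirectory RSAT module installed.
function Get-CascadesOpenFindings {
    Import-Module ActiveDirectory -ErrorAction Stop
    $open = [System.Collections.Generic.List[string]]::new()

    # #20 - krbtgt password age; the document's rotation limit is 180 days
    $krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $ageDays = ((Get-Date) - $krbtgt.PasswordLastSet).Days
    if ($ageDays -gt 180) { $open.Add("#20 krbtgt password is $ageDays days old (limit 180)") }

    # #25 - Protected Users should hold the admin accounts; empty means none are protected
    if (-not (Get-ADGroupMember -Identity 'Protected Users')) {
        $open.Add('#25 Protected Users group is empty')
    }

    # #24 - RestrictAnonymous = 0 (or missing) permits null sessions
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not $lsa.RestrictAnonymous) { $open.Add('#24 RestrictAnonymous is 0 (null sessions allowed)') }

    # #21 - RDP must require Network Level Authentication (UserAuthentication = 1)
    $rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($rdp.UserAuthentication -ne 1) { $open.Add('#21 RDP-Tcp does not require NLA') }

    # #26 - no non-administrative share should grant Everyone Full Control
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        $everyoneFull = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' -and $_.AccessControlType -eq 'Allow'
        }
        if ($everyoneFull) { $open.Add("#26 share '$($share.Name)' grants Everyone Full Control") }
    }

    # #17 - File System auditing (Object Access category) must not be 'No Auditing'
    $audit = auditpol /get /category:"Object Access" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    $fs    = $audit | Where-Object { $_.Subcategory -eq 'File System' }
    if (-not $fs -or $fs.'Inclusion Setting' -eq 'No Auditing') {
        $open.Add('#17 File System auditing is not enabled on this server')
    }

    return $open
}

$results = Get-CascadesOpenFindings
if ($results.Count -eq 0) { Write-Host 'No open findings from this check set.' }
else { $results | ForEach-Object { Write-Warning $_ } }
```

Run it again after each remediation phase to confirm the finding is actually closed rather than marking it done from memory; the RDP and share checks only cover the local host, so the PC-side findings (21) need the same check run on each workstation.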