claudetools/clients/cascades-tucson/docs/security/hipaa-review-2026-04-22.md
Howard Enos 7e2e3a5882 sync: auto-sync from HOWARD-HOME at 2026-04-23 06:21:23

HIPAA Compliance Review — 2026-04-22 User Account Rollout

Reviewed by: Howard Enos (Computer Guru)
Scope: Decisions captured in docs/cloud/user-account-rollout-plan.md as of 2026-04-22
Trigger: Client request for a pre-execution compliance check before creating / disabling accounts
Primary references: 45 CFR Part 164 Subpart C (HIPAA Security Rule), NIST SP 800-66 Rev 2 (Feb 2024), HHS OCR guidance


Findings classified ACTIVE ONGOING VIOLATION — present-tense gap

A1. Synology role-based shared-login accounts with PHI access

Rule: 45 CFR §164.312(a)(2)(i) Unique User Identification (Required).

Current state: The Synology NAS cascadesds (192.168.0.120) hosts 7 role-based shared-credential local accounts that multiple humans sign into. Several of these accounts have access to shares containing PHI (homes, Management, pacs). Per docs/migration/synology-permission-inventory.md these accounts are:

  • Accounting
  • Dining Manager
  • Front Desk
  • mcnurse
  • Memcare Receptionist
  • memcarenurse
  • Nurse Tower

Gap: These are NOT scheduled for remediation until Phase 4 (Synology retirement + CS-SERVER file-share cutover), which will be weeks away at best. Every day until Phase 4, these shared credentials are an active Required-spec violation if any of them access PHI shares. The pacs share (likely medical imaging) and Management (clinical admin docs) are the highest-risk.

Options:

  1. Accelerate disable. Immediately disable shared logins on Synology + force users onto their personal AD-synced accounts. Risk: breaks known workflows, disrupts front-desk / nursing stations that rely on shared logins today.
  2. Documented risk-acceptance in Risk Analysis. Capture the exception explicitly: "7 Synology shared-login accounts remain operational until Phase 4 cutover, target [date]. Compensating controls: physical access restricted to Cascades building, shift-based sign-in sheets on each shared workstation, monthly SMB access-log review by Howard." Meredith signs the residual-risk acknowledgment.
  3. Hybrid. Disable the highest-sensitivity shared accounts immediately (mcnurse, memcarenurse, Nurse Tower if they touch pacs), accept risk on the less-sensitive ones (Accounting, Front Desk).

Decision required: Which option does Meredith prefer? Option 2 is most common but the residual-risk paperwork has to be real, not just assumed.

Detection: Monthly sample of Synology SMB access logs for those accounts, mapped against shift schedules.

Target resolution: Phase 4 (Synology retirement) OR explicit immediate-disable event. Whichever comes first.
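
The monthly log review named under Detection, as an added PowerShell example that is not part of the original review: it walks a Synology connection-log export and flags sign-ins to the seven shared accounts that fall outside any scheduled shift for that role. The log columns and the shift roster are constructed sample data; the real Log Center export will need its column names mapped.

```powershell
# Added example: flag shared-account sign-ins outside the roster. Log and roster
# formats are constructed assumptions, not the real Synology export layout.
$SharedAccounts = 'Accounting','Dining Manager','Front Desk','mcnurse',
                  'Memcare Receptionist','memcarenurse','Nurse Tower'

# Constructed sample of a connection-log export (time, user, client IP, share, event)
$LogCsv = @'
Time,User,IP,Share,Event
2026-04-06 07:02:11,mcnurse,192.168.0.41,pacs,Login
2026-04-06 23:40:05,mcnurse,192.168.0.41,pacs,Login
2026-04-07 02:15:30,Front Desk,192.168.0.22,Management,Login
2026-04-07 09:05:00,Accounting,192.168.0.30,homes,Login
2026-04-07 09:10:00,h.enos,192.168.0.5,Management,Login
'@
$Log = $LogCsv | ConvertFrom-Csv

# Constructed shift roster: hours (24h, local time) during which each role is staffed
$ShiftCsv = @'
Account,Start,End
mcnurse,06:00,22:00
Front Desk,07:00,19:00
Accounting,08:00,17:00
'@
$Shifts = $ShiftCsv | ConvertFrom-Csv

function Test-InsideShift {
    param([datetime]$When, [string]$Account)
    $tod = $When.TimeOfDay
    foreach ($s in $Shifts | Where-Object Account -eq $Account) {
        $start = [timespan]::Parse($s.Start); $end = [timespan]::Parse($s.End)
        if ($tod -ge $start -and $tod -lt $end) { return $true }
    }
    return $false   # no shift covers this time, or the account has no roster entry at all
}

$Findings = foreach ($e in $Log) {
    if ($SharedAccounts -notcontains $e.User) { continue }   # personal accounts are out of scope here
    $when = [datetime]::ParseExact($e.Time, 'yyyy-MM-dd HH:mm:ss', $null)
    if (-not (Test-InsideShift -When $when -Account $e.User)) {
        [pscustomobject]@{ Time = $e.Time; Account = $e.User; IP = $e.IP; Share = $e.Share
                           Reason = 'Shared-account sign-in outside any scheduled shift' }
    }
}
$Findings | Format-Table -AutoSize
```

Each flagged row is a sign-in that cannot be tied to a rostered shift, which is exactly what the shift-based sign-in sheets in Option 2 exist to resolve; file the reconciled list with the monthly review.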


Findings classified CRITICAL — must fix before rollout

C1. Shared agency logins would violate §164.312(a)(2)(i) — Unique User Identification

Original plan: create reliable1@cascadestucson.com and reliable2@cascadestucson.com as shared accounts for rotating Reliable Agency caregivers.

Rule: §164.312(a)(2)(i) Unique User Identification is a Required implementation spec (not Addressable). HHS has explicitly answered this in public FAQ: covered entities may not assign the same log-on ID to multiple employees. There is no compensating-control carve-out because Required specs don't permit alternatives. NIST SP 800-66 Rev 2 maps this to SP 800-53 IA-2 (Identification and Authentication) and AC-2 (Account Management), which likewise require individual accounts.

Decision 2026-04-22: Drop reliable1 / reliable2. Require Reliable Agency to supply individual caregiver names before any shift where PHI access is needed. Per-person accounts only. If the agency won't commit, agency staff work under direct supervision of a Cascades-employed caregiver who is signed in — no independent PHI access.

Docs updated: user-account-rollout-plan.md §6 and Wave 1; cascades-staff-working-list-2026-04-22.md; cascades-staff-editor-2026-04-22.html; p2-staff-candidates.md; caregiver-m365-p2-rollout.md; cascades-staff-followup-2026-04-22.md.


C2. Britney Thompson mailbox must be placed on Litigation Hold before disable + mailbox conversion

Rule: §164.308(a)(3)(ii)(C) Termination Procedures + §164.316(b)(2)(i) 6-year documentation retention.

Issue: Business Standard doesn't include unlimited archive/hold. Converting a licensed mailbox to shared can trim content based on default retention settings, potentially purging PHI subject to state medical-records retention (AZ = 7 years post-last-encounter) or subpoena.

Decision: Before disabling britney.thompson:

  1. Place mailbox on Litigation Hold (verify Business Standard has Exchange Online Plan 2 features; if not, temporarily assign an EOA or E3 before harvest)
  2. Designate a named custodian (recommended: Meredith Kuhn as Executive Director, or Lois Lane as Health Services Director)
  3. Then disable sign-in, revoke tokens
  4. Then convert to shared and harvest user license

Documentation of the termination action retained ≥6 years per §164.316(b)(2).
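
The four C2 steps in order, as an added PowerShell example that is not from the plan or from Microsoft: the script refuses to block sign-in or convert the mailbox until the hold reads back as enabled. The UPNs, the Graph scopes, and the module setup (ExchangeOnlineManagement and Microsoft.Graph, run by an Exchange + User administrator) are assumptions.

```powershell
# Added example: C2 termination sequence with a hard stop if the hold is not confirmed.
$Upn       = 'britney.thompson@cascadestucson.com'   # assumed UPN form for this mailbox
$Custodian = 'meredith.kuhn@cascadestucson.com'      # assumed UPN; custodian per step 2

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome   # scope set is an assumption

# Step 1: place the hold. This fails if the mailbox lacks Plan 2 / EOA entitlement,
# which is the Business Standard concern raised in open question 1.
Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited `
    -RetentionComment "HIPAA termination hold; custodian $Custodian" -ErrorAction Stop
$mbx = Get-Mailbox -Identity $Upn
if (-not $mbx.LitigationHoldEnabled) {
    throw "Litigation hold not confirmed on $Upn; do not disable or convert this mailbox."
}
Write-Host "Hold active since $($mbx.LitigationHoldDate)"

# Step 2: give the named custodian Full Access (no auto-mapping into their Outlook)
Add-MailboxPermission -Identity $Upn -User $Custodian -AccessRights FullAccess -AutoMapping $false

# Step 3: block sign-in and revoke refresh tokens, only now that the hold is confirmed
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# Step 4: convert to shared; the user license is harvested once Type reads Shared
Set-Mailbox -Identity $Upn -Type Shared
Get-Mailbox -Identity $Upn | Select-Object DisplayName, RecipientTypeDetails,
    LitigationHoldEnabled, LitigationHoldDate
```

Keep the final Get-Mailbox output with the termination record. A shared mailbox that stays on Litigation Hold still needs an Exchange Online Plan 2 or EOA entitlement, so confirm that before the license harvest in step 4 rather than after.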


C3. Microsoft M365 BAA not yet signed

Rule: §164.308(b)(1) Business Associate contracts.

Issue: docs/cloud/m365.md line 12 and docs/security/hipaa.md gap #13 note that no Microsoft HIPAA BAA has been signed. Every day Cascades uses M365 for PHI without a BAA is a continuing Security Rule violation. Every new account we provision expands that exposure.

Decision: Sign the Microsoft BAA before Wave 1 — M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA. Free, 5 minutes.

Parallel: verify or secure an ALIS BAA (go-alis.com) before any new caregiver accesses ALIS.


C4. No formal Risk Analysis on file (§164.308(a)(1)(ii)(A) — Required)

Rule: A formal risk analysis covering scope, threats, likelihood, impact, and control effectiveness is Required (not Addressable).

Issue: Cross-doc sweep confirmed no standalone risk analysis document exists. The existing hipaa.md gap list is a useful inventory but does not meet the Security Rule's definition.

Decision: Produce docs/security/risk-analysis-2026-04.md following the NIST 800-66 Rev 2 §3 framework before Wave 2. Reference it in every Addressable-spec decision.


Findings classified HIGH — fix in Wave 1 or before

H1. M365 audit log retention default (1 year) is insufficient

Rule: §164.312(b) Audit Controls + §164.316(b)(2) 6-year documentation retention. OCR enforcement posture treats audit logs as documentation subject to the 6-year clock.

Decision: Purchase Microsoft Purview Audit (Premium) add-on (10-year retention) OR configure a retention policy for 7 years via E5 Compliance OR monthly export to immutable Azure Blob. Decision documented in Security Rule Implementation Register (see M2 below).


H2. No documented break-glass emergency access account (§164.312(a)(2)(ii) — Required)

Decision: Create breakglass@cascadestucson.com — cloud-only (not AD-synced), excluded from all CA policies, protected by FIDO2 security key + unique vaulted password in clients/cascades-tucson/breakglass.sops.yaml, sign-in alerted to Howard + Meredith, quarterly test sign-in. Must exist before disabling any other admin accounts.


H3. \\CS-SERVER\homes SMB3 encryption not enabled; folder redirection routes PHI to that share

Rule: §164.312(a)(2)(iv) Encryption/Decryption + §164.312(e)(2)(ii) Transmission Encryption (both Addressable).

Issue: CONTEXT.md notes EncryptData=false on the homes share. Folder redirection GPO pushes Documents / Desktop / Downloads — including staff-generated PHI — to that share. In-transit encryption is off; at-rest encryption status on CS-SERVER's D: drive is not documented.

Decision: Before Alma / Kyla folder redirection goes live:

  • Set-SmbShare -Name homes -EncryptData $true (immediate, free)
  • Verify / enable BitLocker on CS-SERVER D: drive
  • Document both decisions in Implementation Register
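
The two H3 checks as an added PowerShell example, not from the plan: it reads the per-share and server-wide SMB encryption settings, applies the Set-SmbShare change from the first bullet only if it is still off, and classifies the BitLocker state of D: into the three buckets open question 4 asks about. It assumes it is run elevated on CS-SERVER with the in-box SmbShare and BitLocker modules.

```powershell
# Added example: verify/fix SMB encryption on the homes share and report BitLocker on D:.
function Get-HomesShareEncryptionState {
    $share = Get-SmbShare -Name 'homes' -ErrorAction Stop
    $srv   = Get-SmbServerConfiguration
    [pscustomobject]@{
        ShareEncryptData        = $share.EncryptData            # per-share setting (the H3 gap)
        ServerEncryptData       = $srv.EncryptData              # server-wide setting, overrides per-share
        RejectUnencryptedAccess = $srv.RejectUnencryptedAccess  # $true: clients unable to encrypt are refused
    }
}

function Get-DriveBitLockerBucket {
    param([string]$MountPoint = 'D:')
    $v = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($v.VolumeStatus -eq 'FullyDecrypted')   { return 'off' }
    if (@($v.KeyProtector).Count -eq 0)          { return 'encrypted-no-protectors' }
    if ($v.ProtectionStatus -eq 'On' -and $v.VolumeStatus -eq 'FullyEncrypted') { return 'enabled' }
    # Anything else is mid-conversion or suspended; surface the raw states for the register
    return "other (VolumeStatus=$($v.VolumeStatus), ProtectionStatus=$($v.ProtectionStatus))"
}

$before = Get-HomesShareEncryptionState
if (-not $before.ShareEncryptData) {
    # The H3 decision: turn on per-share SMB3 encryption. -Force skips the confirmation prompt.
    Set-SmbShare -Name 'homes' -EncryptData $true -Force
}
Get-HomesShareEncryptionState | Format-List
"BitLocker on D: $(Get-DriveBitLockerBucket -MountPoint 'D:')"
```

With RejectUnencryptedAccess left at its default of $true, any client that cannot negotiate SMB3 encryption loses access to homes once the share is encrypted, so check the front-desk and nursing workstations right after the change.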

H4. Drivers need Privacy Rule training + signed sanctions acknowledgment (workforce, not IT)

Rule: §164.530(b)(1) Privacy training for workforce; §164.530(e) sanctions apply to all workforce; §160.103 defines workforce inclusive of workers with no electronic system access.

Issue: Decision that drivers don't need IT access is correct; however, drivers encounter PHI on pickup sheets (rider names, appointment context).

Decision (not an IT deliverable): Flag to Meredith. Drivers need annual short-form Privacy training, signed confidentiality / sanctions acknowledgment, and documented pickup-sheet handling procedures. If dispatch uses personal phones for texts with rider names, those phones now trigger mobile-device safeguards (§164.312(a)(1) + (e)) — consider moving dispatch to a controlled channel.


Findings classified MEDIUM — address before Wave 3 (caregiver bulk)

M1. Automatic-logoff duration not codified for shared front-desk PCs and MSDM sign-out

Rule: §164.312(a)(2)(iii) Automatic Logoff (Addressable).

Decision:

  • GPO CSC - Shared Workstation: screen lock at 10 min idle, sign-out at 30 min idle, disable Fast User Switching
  • MSDM global sign-out timer: 15 min idle
  • Both documented in Implementation Register as the Addressable-spec implementation

M2. No Security Rule Implementation Register

Rule: §164.306(d)(3) Addressable spec decisions; §164.316(b)(1)-(2) documentation retention.

Decision: Create docs/security/implementation-register.md — one row per Addressable spec (encryption at rest, encryption in transit, automatic logoff, emergency access mode, integrity controls) with: decision, rationale tied to risk analysis, alternative measure if applicable, owner, next review date. This is the artifact OCR asks for in an audit.


M3. Reliable Agency — Business Associate status not determined

Decision: Ask Meredith for the Reliable Agency staffing contract. Confirm direct-control language (workforce) vs. agency-directed (Business Associate). If no workforce-control language, either secure an addendum OR sign a BAA with Reliable. No individual agency-caregiver accounts created until this is sorted.


M4. Christine Nyanzunda's single-account dual-role access scoping

Rule: §164.308(a)(4)(ii)(B) Access Authorization (Addressable — minimum necessary).

Decision: Single account retained (MC Admin + part-time MedTech). Document in Implementation Register that operational simplicity was weighed against strict minimum-necessary. Mitigation: rely on ALIS's internal role-based access controls to scope her view based on shift / context if supported.


Findings classified GOOD — HIPAA-aligned decisions being kept

  • Building-only CA default + allow-list for outside sign-in — defensible implementation of §164.312(a)(1) Access Control, stronger than baseline
  • Shared front-desk PCs with individual M365 accounts — fully compliant (identity is per-person; hardware sharing is fine)
  • MSDM shared phones with per-user Entra sign-in — satisfies unique-ID + automatic-logoff on the mobile tier
  • Drivers with no electronic PHI access — correct minimum-necessary scoping on the IT side
  • Same-day account disable on termination — meets termination-procedure timing
  • Business Premium tenant-wide recommendation — provides the P1 + Defender + DLP + Intune baseline the rest of the design relies on
  • Decline to reinstate Sandra Fish admin — correct; 2026-04-14 revocation stands

Open questions unresolved at review time

| # | Question | Owner |
|---|----------|-------|
| 1 | Does Business Standard (current SKU for 23 users) include Exchange Online Plan 2 features needed for Litigation Hold? If not, what's the cheapest path to EOA on Britney's mailbox before harvest? | Howard (verify in M365 Admin Center) |
| 2 | Reliable Agency staffing contract — direct-control language or not? | Meredith |
| 3 | Audit retention path chosen (Purview Premium add-on vs. E5 Compliance vs. export to immutable storage)? | Meredith (budget) + Howard (design) |
| 4 | BitLocker state on CS-SERVER D: drive — enabled, encrypted-no-protectors, or off? | Howard (verify onsite or via SSH) |

Source material cited