Howard Enos
8d975c1b44
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:
Clients (structured MSP docs under clients/<name>/docs/):
- anaise (NEW) - 13 files
- cascades-tucson - 47 files merged (existing had only reports/)
- dataforth - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa (NEW) - 22 files, multi-site (camden, river)
- kittle (NEW) - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template - 13-file scaffold for new clients
MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/ - clean_printer_ports, win11_upgrade,
screenconnect-toolbox-commands
Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
no other credentials found
Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
(identical duplicates of msp-audit-scripts versions)
Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)
Session log: session-logs/2026-04-16-howard-client-docs-import.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
7.8 KiB
7.8 KiB
HIPAA Compliance — Cascades
Why HIPAA Applies
Cascades is an assisted living facility with health services staff (nurses, medtechs, health services director). They handle Protected Health Information (PHI) through:
- ALIS (https://www.go-alis.com/) — cloud-hosted clinical/medical records system, accessed via web browser on staff PCs
- Synology NAS (cascadesDS) — stores resident/facility data locally that falls under HIPAA
- CS-SERVER file shares — migration target for Synology data; will become the primary secured storage
- M365 email — staff may send/receive resident-related information via cascadestucson.com email
Project Mission
Cascades was taken over from a previous MSP that left the environment insecure and non-compliant. The core objective of the migration project is to get Cascades secure and HIPAA compliant. Every migration phase ties back to this goal.
Current HIPAA Gaps
| # | Gap | Severity | HIPAA Rule | Migration Phase |
|---|---|---|---|---|
| 1 | No backup exists | Critical | §164.308(a)(7) — Contingency Plan | Phase 0 (WSB → Synology) + Phase 4 (offsite) |
| 2 | Synology stores PHI with no access auditing | Critical | §164.312(b) — Audit Controls | Phase 4 (move to CS-SERVER with NTFS audit) |
| 3 | Shared accounts (Receptionist, Culinary, saleshare, directoryshare) | High | §164.312(a)(2)(i) — Unique User ID | Phase 5 (replace with individual accounts) |
| 4 | No MFA on M365 | High | §164.312(d) — Person Authentication | Can enable now (Security Defaults, free) |
| 5 | No disk encryption (BitLocker) | High | §164.312(a)(2)(iv) — Encryption | Phase 2.6 GPO (free with Windows Pro) |
| 6 | Permissive floating firewall rule | High | §164.312(e)(1) — Transmission Security | Phase 1.6 (post-migration lockdown) |
| 7 | Non-IT staff in Domain Admins | High | §164.312(a)(1) — Access Control | Phase 2.2 (remove Meredith.Kuhn, John.Trozzi) |
| 8 | Most PCs not domain-joined | Medium | §164.308(a)(3) — Workforce Security | Phase 3 (domain join all staff PCs) |
| 9 | No GPOs enforced (password policy, screen lock) | Medium | §164.308(a)(5) — Security Awareness | Phase 2.6 (Security Baseline GPO) |
| 10 | Kitchen iPads on same VLAN as staff PCs | Medium | §164.312(e)(1) — Transmission Security | Restrict iPads to kitchen printers only |
| 11 | ALIS browser access on shared PCs | Medium | §164.312(d) — Person Authentication | Phase 5 (individual logins, no shared accounts) |
| 12 | No BAA verified with ALIS | Medium | §164.308(b)(1) — Business Associates | Verify with management |
| 13 | No BAA with Microsoft (M365) | Medium | §164.308(b)(1) — Business Associates | Sign Microsoft BAA via M365 admin |
| 14 | Sandra Fish still global admin | Low | §164.308(a)(3) — Workforce Security | Create break-glass admin, remove Sandra |
| 15 | No M365 backup | Low | §164.308(a)(7) — Contingency Plan | Future — Veeam Backup for M365 |
How Migration Phases Address HIPAA
| Phase | What It Does | HIPAA Controls Addressed |
|---|---|---|
| Phase 0 — Safety Net | Windows Server Backup → Synology SMB share | Backup, contingency plan |
| Phase 1 — Network | VLAN migration, firewall lockdown, guest isolation | Transmission security, access control |
| Phase 2 — Server Prep | AD cleanup, security groups, GPOs (BitLocker, passwords, screen lock) | Access control, audit, encryption, unique user ID |
| Phase 3 — Domain Join | All staff PCs under centralized management | Workforce security, device management |
| Phase 4 — Synology Retirement | Move data to CS-SERVER with NTFS permissions + audit logging | Audit controls, access control, integrity |
| Phase 5 — Hardening | Remove shared accounts, RDS cleanup, final lockdown | Unique user ID, person authentication |
Systems and PHI Flow
Nurses/MedTechs (staff PCs)
│
├──► ALIS (cloud, go-alis.com) — clinical/medical records
│ └── ALIS responsible for their own HIPAA compliance + BAA
│
├──► Synology NAS (cascadesDS, 192.168.0.120) — resident/facility data (MOVING TO CS-SERVER)
│
├──► CS-SERVER (192.168.2.254) — file shares, AD, DNS (migration target)
│
└──► M365 (cascadestucson.com) — email, may contain PHI in messages/attachments
Non-PHI Systems (out of HIPAA scope)
| System | Purpose | Notes |
|---|---|---|
| Kitchen iPads (9 units) | Food order taking | No PHI — only need access to kitchen thermal receipt printers. Managed via ManageEngine MDM |
| Kitchen thermal printers | Receipt printing | Bistro (TM-T88VII, 192.168.2.207) + Kitchen (TM-U220IIB, 10.0.20.225) |
| Resident room VLANs | Resident personal devices (TVs, phones) | No PHI — isolated /28 per room |
| Ring cameras (8 units) | Security cameras | No PHI |
| GoDaddy | Website hosting (cascadestucson.com) | Public website, no PHI |
New Findings from Audit (2026-03-20)
| # | Gap | Severity | HIPAA Rule | Notes |
|---|---|---|---|---|
| 16 | 3 shared accounts with no password (Nurses, memfrtdesk, Front Desk) — these PCs access ALIS | Critical | §164.312(a)(2)(i) — Unique User ID | NURSESTATION-PC, MEMRECEPT-PC, RECEPTIONIST-PC |
| 17 | No audit logging on CS-SERVER (Object Access = No Auditing) | Critical | §164.312(b) — Audit Controls | Cannot track who accessed PHI files |
| 18 | 13 months without Windows updates on DESKTOP-LPOPV30 | High | §164.308(a)(1) — Security Management | 6 machines 3+ months behind |
| 19 | Expired SSL certificate on CS-SERVER (2025-04-02) | High | §164.312(e)(1) — Transmission Security | Causes Schannel errors |
| 20 | krbtgt password 569 days old | High | §164.312(a)(1) — Access Control | Should rotate every 180 days |
| 21 | RDP without NLA on ASSISTMAN-PC, DESKTOP-U2DHAP0 | High | §164.312(e)(1) — Transmission Security | Credential exposure risk |
| 22 | TightVNC on MEMRECEPT-PC | High | §164.312(a)(1) — Access Control | Unauthorized remote access tool |
| 23 | No LAPS — same local admin password on all machines | Medium | §164.312(a)(1) — Access Control | Lateral movement risk |
| 24 | RestrictAnonymous = 0 on CS-SERVER | Medium | §164.312(a)(1) — Access Control | Null sessions allowed |
| 25 | Protected Users group empty | Medium | §164.312(a)(1) — Access Control | Admin accounts not protected |
| 26 | Share permissions: Everyone=FullControl on multiple shares | Medium | §164.312(a)(1) — Access Control | Culinary, directoryshare, Roaming |
Quick Wins (Free, Can Do Now)
- Enable MFA on M365 — Security Defaults in Entra ID (free, takes 5 minutes)
- Sign Microsoft BAA — M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA
- Verify ALIS BAA — Ask management if they have a signed BAA with go-alis.com
- BitLocker GPO — Enable via Security Baseline GPO once PCs are domain-joined (Phase 2.6)
Recommendations (Paid)
| Service | Why | Cost | Priority |
|---|---|---|---|
| Veeam Backup for M365 | Protect email/OneDrive containing PHI | ~$2-4/user/mo | Medium |
| Business Premium upgrade | DLP (prevent PHI in outbound email), Defender, Conditional Access | +$10/user/mo (~$340/mo net after shared mailbox savings) | Low — most gaps covered by free controls |
Notes
- Cascades is assisted living, not a hospital — but nurses and medtechs handle PHI, making HIPAA applicable
- Previous MSP left the environment non-compliant — this project is a remediation effort
- ALIS handles the heavy clinical data in the cloud — local HIPAA focus is on access control, backup, encryption, and audit trails
- Kitchen area (iPads, thermal printers) is out of HIPAA scope — food service only