Cascades of Tucson — CARF Technology & System Plan: Input Worksheet
Purpose: collect the few facts only Cascades/ACG leadership can supply, so the final CARF-format Technology and System Plan can be built complete (no placeholders). Everything marked >> NEEDED << is an input from you. Everything else is pre-filled from ACG's records and is yours to correct. Prepared by Az Computer Guru · drafted 2026-06-24. Costs left blank are [ACG TO PRICE] (we verify, never guess).
Part 1 — Plan header & governance (CARF Section 1 requirements)
| Field | Value |
|---|---|
| Accreditation program | >> NEEDED << (Aging Services — which: Assisted Living / CCRC / other?) |
| CARF manual year / edition | >> NEEDED << (2025 or 2026 Aging Services Standards Manual — so we cite the exact standard number) |
| Standard reference | Technology and System Plan (Section 1 "CARF Plans") — confirm number from your manual |
| Plan period / fiscal year covered | >> NEEDED << |
| Plan owner (Cascades) | >> NEEDED << (suggest: Administrator / Ashley Jensen) |
| Prepared with (IT partner) | Az Computer Guru (Mike Swanson, Howard Enos) — pre-filled |
| Approved/adopted by (leadership) | >> NEEDED << (Executive Director name + title) |
| Date adopted | >> NEEDED << |
| Last reviewed / Next annual review | >> NEEDED << (CARF requires at least annual review with a dated record) |
Part 2 — Needs basis (CARF: plan must be based on the needs of persons served, personnel, stakeholders)
Draft below — confirm or edit:
- Persons served (residents & families): reliable building Wi-Fi and phone service; resident-safety monitoring (fall detection); strict confidentiality of personal health information; access to assistive/adaptive technology where needed. >> confirm / add <<
- Personnel (staff & caregivers): secure on-site access to the clinical record (ALIS) and email; dependable phones and workstations; protection against credential theft and lost/stolen devices. >> confirm / add <<
- Other stakeholders (vendors, payers, regulators): HIPAA confidentiality, business continuity, auditable records. >> confirm / add <<
Part 3 — Strategic-plan alignment (CARF: plan aligns to the strategic plan)
One paragraph tying technology priorities to Cascades' strategic goals. >> NEEDED << — please share your top 2–3 strategic goals (e.g. resident safety, census growth, regulatory standing) and we will write the alignment paragraph.
Part 4 — The eight areas (CARF action-document format)
For each area, fill the four input fields: Responsible person, Estimated/actual cost, Target date, Completion date. Current state / needs / vendor are pre-filled.
1. Hardware
- Current: Dell PowerEdge R610 server (verified healthy 2026-06-24, all drives online); Synology NAS; pfSense firewall; UniFi network (77 APs, 12 switches); ~29 staff PCs; resident/safety devices.
- Unmet / projected needs: restore server redundant power supply; install enterprise SSDs already purchased; replace end-of-life PCs; longer-term server replacement off the 16-yr-old R610.
- Possible vendor: Az Computer Guru (Dell hardware).
- Responsible person: >> NEEDED << (suggest ACG) · Cost: [ACG TO PRICE] · Target date: >> NEEDED << · Completion: PSU/SSD pending
2. Software
- Current: Microsoft 365 (Business Premium); Windows Server 2019; clinical EHR (ALIS); line-of-business apps.
- Unmet / projected needs: move 31 users off the suspended M365 license onto Business Premium (time-sensitive); finish staff domain migration; upgrade Windows Home PCs to Pro.
- Possible vendor: Microsoft / Az Computer Guru.
- Responsible person: >> NEEDED << (suggest ACG) · Cost: [ACG TO PRICE] (license true-up) · Target date: >> NEEDED << · Completion: in progress
3. Security
- Current: identity-based access control (Entra), MFA, caregiver on-site/approved-device lockdown, isolated voice & resident-data network segments, email filtering.
- Unmet / projected needs: enable file-access audit logging on the resident-data share; build audit-retention storage (90-day + 6-year); create emergency break-glass admin accounts with security keys.
- Possible vendor: Microsoft / Az Computer Guru.
- Responsible person: >> NEEDED << (suggest ACG) · Cost: [ACG TO PRICE] (audit-retention build) · Target date: >> NEEDED << · Completion: pending
4. Confidentiality
- Current: PHI access limited by role and security group; encryption in transit; single sign-on to ALIS; caregiver PCs auto-lock and sign out; per-room and voice network isolation.
- Unmet / projected needs: confirm signed Business Associate Agreement (BAA) with ALIS/Medtelligent; enable SMB encryption on the resident-data share; rotate one historically-exposed credential.
- Possible vendor: Az Computer Guru / Medtelligent.
- Responsible person: >> NEEDED << · Cost: minimal/internal · Target date: >> NEEDED << · Completion: pending
5. Backup policy
- Current: cloud backup (MSP360) verified running 2026-06-24 — last run succeeded, ~576 GB protected off-site, daily incrementals.
- Unmet / projected needs: confirm/extend to full system-image (bare-metal) backup for the server; run and document a test restore (CARF looks for this); set/confirm retention.
- Possible vendor: Az Computer Guru / MSP360.
- Responsible person: >> NEEDED << (suggest ACG) · Cost: [ACG TO PRICE] · Target date: >> NEEDED << · Completion: backup live; image + restore-test pending
6. Assistive technology (persons served) — biggest input gap
- Current (known): Helpany "Paul" resident-safety sensors — ceiling radar fall/motion detection, no camera, no microphone; rolling out floor by floor.
- >> NEEDED << — full resident-facing inventory: nurse-call / emergency-call / pendant system? hearing loops or assistive listening? adaptive/accessible computers or devices? resident/guest Wi-Fi for telehealth or family contact? Anything else residents use to maintain function/independence?
- Possible vendor: Helpany / [nurse-call vendor?] — >> NEEDED <<
- Responsible person: >> NEEDED << · Cost: >> NEEDED << (vendor-billed) · Target date: >> NEEDED << · Completion: Helpany in rollout
7. Disaster recovery preparedness
- Current: documented power-outage runbook with scripted clean shutdown and verified recovery (June 2026); UPS protection; backup running.
- Unmet / projected needs: written DR/business-continuity plan with target recovery times (RTO/RPO); add server redundancy; complete the system-image backup + restore test (links to area 5).
- Possible vendor: Az Computer Guru.
- Responsible person: >> NEEDED << (suggest ACG) · Cost: [ACG TO PRICE] · Target date: >> NEEDED << · Completion: procedure proven; written plan pending
8. Virus protection — close before survey if possible
- Current: managed antivirus (Bitdefender) on endpoints; Microsoft Defender + email filtering.
- Unmet / projected needs: enroll the main server and all remaining PCs into managed antivirus; remove the previous IT provider's leftover security agents; run a coverage audit so every device reports in.
- Possible vendor: Az Computer Guru / Bitdefender.
- Responsible person: >> NEEDED << (suggest ACG) · Cost: [ACG TO PRICE] (per-endpoint) · Target date: >> NEEDED << · Completion: pending
(Extra, not CARF-required) Communication technology / Services & contracts / Use of AI
- Ashley's list also included these. We will carry them as supplementary sections (phones + Wi-Fi device network; vendor/contract register; an AI acceptable-use policy). No CARF fields required, but the AI-use policy strengthens the Security area. >> confirm you want these kept <<
Part 5 — Supporting evidence the surveyor may also request (status)
| Evidence | Status |
|---|---|
| DR procedure tested + documented | Have (June outage runbook + verified recovery) |
| Backup running + successful test restore | Backup verified; restore test owed |
| Security risk assessment (dated) | Substance exists (HIPAA gap list); package + date it |
| Confidentiality controls in place | Have (access model, MFA, isolation); audit logging pending |
| Antivirus coverage all devices | Gap (server + cleanup) |
| Plan reviewed annually w/ sign-off | To create (Part 1 governance block) |
Part 6 — Cost estimates (verified via live web lookup 2026-06-24)
Per ACG policy these are verified against current vendor/retail pricing, not estimated from memory. Sources cited below the table. "ACG labor" draws the prepaid block (48.25 hrs @ $175/hr) unless quoted as a separate project.
| Item | Area | Qty | Cost (verified) | Notes |
|---|---|---|---|---|
| R610 redundant power supply (refurb, RN442 717W) | Hardware / DR | 1 | ~$99 one-time | Restores lost PSU redundancy; cheap, do soon |
| Enterprise SSD 480 GB (Samsung PM893) | Hardware | 2 | ~$320–350 (already purchased) | Sunk cost; planned install on a maintenance window |
| M365 Business Premium relicense (31 users) | Software | 31 | likely $0 new spend | Our records show 31 Premium seats already owned + free; reassign the 31 suspended-Standard users to them and drop Standard. If those seats are NOT a paid subscription: $22/user/mo = $682/mo (~$8,184/yr). Verify subscription status. |
| Windows Home → Pro upgrade | Software | 5 | ~$495 (~$99/device; ACG to source via CSP, may be lower) | Howard handling keys |
| Replacement workstations (OptiPlex i5 / 16 GB / 512 NVMe, Win 11 Pro) | Hardware | 2 | ~$1,400–1,900 (~$700–950 ea) | Lupe Sanchez EOL + spare for new hire (#32194) |
| Break-glass FIDO2 YubiKeys (5-series) | Confidentiality | 2 | ~$110 (already ordered per records) | Approximate |
| Azure audit-log retention (Log Analytics 90 d + 6 yr archive) | Security | — | ~$50–120/mo consumption (log-volume dependent) + one-time ACG build | Firm up after measuring actual audit-log volume |
| Managed antivirus, all devices incl. server | Virus protection | — | Included in existing ACG Bitdefender managed security + ACG labor to enroll server / remove legacy Datto agents | Client (Mike) is deploying AV |
| DR written plan + system-image confirm + restore test | DR | — | ACG labor (prepaid block) | Restore test deferred per client (revisit after AV + basic items) |
| Security risk assessment (dated package) + file-share audit logging | Security | — | ACG labor (prepaid block); no license cost | |
| Long-term server replacement (PowerEdge T360-class) | Hardware / DR | 1 | ~$4,000–7,000 configured (formal quote required) | Depends on spec + Windows Server licensing + CALs; separate project |
One-time hardware/licensing subtotal (excludes the optional server replacement): ~$2,300–2,950, of which ~$320–350 (the SSDs) is already spent. Plus ~$50–120/mo Azure. The server replacement is a separate ~$4–7k project to quote when you're ready.
Pricing sources (2026-06-24): M365 Business Premium $22/user/mo · M365 July 2026 price changes (Premium unchanged) · Samsung PM893 480 GB ~$160–175 · Windows 11 Home→Pro upgrade ~$99 · Azure Log Analytics $2.30/GB ingest, ~$0.10/GB/mo retention, ~$0.02/GB/mo archive · Dell R610 717W redundant PSU refurb ~$99 · Dell PowerEdge T360 tower (from ~$1,900 base) · Dell OptiPlex business desktop i5/16 GB
What we do once you return this
- Build the final CARF Technology and System Plan (Cascades-branded, ACG as preparer) in CARF action-document format, complete with your owners/costs/dates.
- Package the security risk assessment + DR plan as named attachments.
- Deliver as a print-ready PDF for leadership adoption and the survey file.