15 KiB
Cascades of Tucson - Technology Plan Review
[SUPERSEDED 2026-06-24] This first-pass draft predates the 2026-06-24 wiki recompile and contains stale facts (CS-SERVER "RAID critical" -> actually HEALTHY; 48.75 hrs/0 tickets -> 48.25 hrs/6 tickets; no Helpany sensors). Use instead:
- Client deliverable:
cascades-technology-plan-2026-06-24.pdf(+.htmlsource) - polished, current.- Internal execution plan:
../REMAINING-WORK-PLAN.md(canonical 7-workstream plan). Kept for history only.
Prepared for the planning meeting requested by Ashley Jensen (week of 2026-06-23 / 2026-06-30). Organized to Ashley's exact agenda: for each area we cover Current state -> Gaps -> Action steps -> Timeline -> Priority. Prepared by ACG (Az Computer Guru). Source of truth:
wiki/clients/cascades-tucson.md(compiled 2026-06-23) + live systems. Contract: prepaid hour block @ $175/hr; 48.75 hrs remaining (Syncro, live 2026-06-23). 0 open tickets.
0. Executive summary - established priorities
The single theme across every area is Cascades runs PHI on one 16-year-old server with no redundancy, while the surrounding identity, network, and voice layers have been substantially modernized over the last 90 days. The top priorities, in order:
| # | Priority | Area | Why it's #1-tier |
|---|---|---|---|
| P1 | Replace / de-risk CS-SERVER | Hardware, DR | Single Dell R610 (~2009) DC holding all PHI; OS RAID-1 mirror DEGRADED 2026-06-15 (running on one aging spindle, zero redundancy). Data-loss + total-outage exposure. |
| P2 | Close HIPAA audit + access gaps | Security | No audit logging on the PHI share; audit-retention infra approved but not built; caregiver device allow-list still report-only; ALIS BAA unverified. |
| P3 | Unify malware/EDR coverage | Malware prevention | The PHI server is NOT under managed AV/EDR (Bitdefender); leftover previous-MSP Datto agents still installed. |
| P4 | Verify & formalize DR/continuity | Disaster recovery | Cloud backup now running (gap closed 2026-06-15) - must confirm it is image/bare-metal + retention, then document a real DR/BC plan and test a restore. |
| P5 | Finish voice quality + M365 relicensing | Communication, Software | Voice VLAN done; last fix (Poly 5GHz lock) is waiting on Vertical. 31 users still on a SUSPENDED M365 license - time-sensitive. |
| P6 | Establish an AI acceptable-use policy | Use of AI | No governance today; HIPAA makes uncontrolled staff use of public AI a PHI-leak risk. Pairs with the KPI-dashboard analytics opportunity. |
1. Hardware & Software
Current state
- CS-SERVER - Dell PowerEdge R610 (~2009, 16+ yrs). Single Domain Controller doing everything: AD, DNS, DHCP, file server, Hyper-V host, print server. Windows Server 2019.
- Synology cascadesDS NAS (DSM 7.2.1) - legacy file storage, transitioning to backup-only.
- pfSense firewall (Netgate, dual-WAN) + full UniFi network: 77 U7-Pro access points, 12 managed switches.
- ~29 managed workstations (Syncro). Active domain migration to
cascades.local+ Microsoft Entra hybrid identity is well underway. - Microsoft 365 - Business Premium across the org.
Gaps
- [CRITICAL] CS-SERVER OS mirror is degraded (one drive failed 2026-06-15) - C: (OS/AD) is running on a single aging 5400 RPM laptop spindle with no redundancy. This is also the root cause of "server is slow" reports.
- Single point of failure - one elderly DC; if it dies, AD/file/print/DHCP all go down at once.
- EOL workstations - Lupe Sanchez's PC (Gateway i3-2120, Win11-unsupported) flagged for replacement; Chef-PC needs a full reinstall.
- M365 relicensing - 31 users still assigned to a SUSPENDED Business Standard license; 31 Business Premium seats sit free. Time-sensitive.
- ~25 switch ports negotiating 100 Mbps instead of gigabit (cabling/NIC); 3 switches offline.
Action steps
- Interim: replace CS-SERVER OS drives with 2x 480 GB enterprise SSD (gated on verified backup first).
- Strategic: scope a server replacement / DC modernization - the real fix for the SPOF and the slowness.
- Replace Lupe's workstation; reinstall Chef-PC (open tickets #32194, #32254).
- Complete M365 relicensing (31 Standard -> Premium).
- After WiFi stabilizes: correct the 100 Mbps switch ports and investigate the 3 offline switches.
Timeline - SSD swap near-term (once backup verified); relicensing immediate; workstation swaps near-term; server-replacement a larger project to scope jointly. Priority: HIGH (P1).
2. Communication Technology
Current state
- Email - Microsoft 365 / Exchange Online. SPF, DKIM, and DMARC (
p=quarantine) all published. Shared mailboxesgrievances@andSurveys@created 2026-06-12. - Voice - Vertical hosted/cloud PBX. 37 devices (28 Poly WiFi handsets + 8 AudioCodes desk phones + the Vertical management desktop) consolidated onto an isolated Voice VLAN 30 (completed 2026-06-19) - HIPAA-segmented, phones marking DSCP EF for QoS.
- WiFi - heavily optimized 2026-06-19: 5 GHz retransmits roughly halved, 2.4 GHz power rebalanced, ~587 concurrent clients across 77 APs.
Gaps
- Residual dropped calls - several Poly handsets cling to the saturated 2.4 GHz band despite strong 5 GHz signal. Fix is a phone-side 5 GHz-only lock - request is with Vertical (Richard Turner), awaiting their push. This is the last open voice item.
- Bistro phone missing - one bad phone was pulled; a replacement is pending.
- Voice QoS designed but not yet built (insurance for WAN failover / saturation).
- 6 GHz WiFi band is dark - the largest untapped clean wireless capacity; enabling it needs a WPA3 conversion on the main SSID (supervised change).
- DMARC sits at
quarantine(could progress toreject); DMARC reports route to an unmonitored mailbox.
Action steps - chase the Vertical 5 GHz lock to closure; install/re-key the Bistro replacement; build voice QoS; plan the supervised 6 GHz / WPA3 change window. Timeline - voice closeout is days-out pending Vertical; QoS and 6 GHz are scheduled change windows. Priority: MEDIUM-HIGH (P5).
3. Security for Sensitive Data (HIPAA / PHI)
Current state - HIPAA is the primary compliance driver. PHI lives on CS-SERVER and in ALIS (clinical EHR). A modern, identity-based access-control model is largely deployed:
- Microsoft Entra Conditional Access splits staff into two postures - caregivers locked to the Cascades network + approved devices (credentials useless off-site); office/clinical staff get MFA off-site.
- ALIS single sign-on is live (Entra is the second factor).
- Caregiver device-lockdown GPO - auto screen-lock at 3 min, auto sign-out at 15 min (HIPAA 164.312(a) for shared PHI devices).
- Voice VLAN isolation, per-room network L2 isolation, MFA for all users, DMARC enforcement.
Gaps (open HIPAA items)
- No audit logging on the PHI file share (164.312(b)); Object Access auditing disabled; no SMB encryption on the Homes share.
- Audit-retention infrastructure (90-day + 6-year) approved 2026-04-29 but not yet built.
- Break-glass admin accounts not created; FIDO2 keys unconfirmed.
- ALIS Business Associate Agreement (BAA) with Medtelligent not yet verified.
- Caregiver device allow-list still in report-only mode (cutover pending); ALIS-native 2FA should be disabled in favor of Entra SSO-only.
- Exposed credential - a Synology sign-in credential was committed in plaintext to our vault history; rotate it.
Action steps - enable file-share/object-access auditing + build the retention store; create break-glass accounts; obtain/verify the ALIS BAA; complete the caregiver allow-list cutover; rotate the exposed Synology credential. Timeline - auditing + retention is the headline near-term HIPAA workstream. Priority: HIGH (P2).
4. Services Purchased or Contracted (vendor inventory)
| Service | Vendor | Purpose | Note for review |
|---|---|---|---|
| Managed IT services | ACG | Support / projects | Prepaid block, 48.75 hrs remaining |
| Microsoft 365 | Microsoft | Email, identity, Office | Relicensing 31 users (see Hardware/Software) |
| ALIS | Medtelligent | Clinical EHR (PHI) | BAA verification required |
| Hosted voice | Vertical | Phone system | 5 GHz lock pending with them |
| Internet (dual-WAN) | Cox | Fiber primary + coax failover | WAN2 upload still to be measured |
| Cloud backup | MSP360 / CloudBerry (-> ACG) | Off-site backup | Installed 2026-06-15 (see DR) |
| Firewall / network | Netgate (pfSense) + UniFi | Perimeter + LAN/WiFi | Healthy, optimized |
| Endpoint security | Bitdefender | AV/EDR | Partial coverage (see Malware) |
| Line-of-business SaaS | QuickBooks, Bill.com, Relias (LMS), You've Got Leads (CRM), TELS / Direct Supply (facilities), Focus HR (HR/payroll), Helpany (caregiver app), POS | Operations | Catalogued for the KPI dashboard |
Gaps - ALIS BAA; no central contract/renewal calendar; M365 license true-up. Action - build a one-page renewal/BAA tracker. Priority: MEDIUM.
5. Assistive Technology
Current state - In ACG's current scope, the resident/clinical-facing technology is ALIS (clinical EHR) and Helpany (the caregiver app). A physical access-control vendor engagement is on record (ticket #32324, 2026-05-26). No dedicated resident accessibility / nurse-call / emergency-call system is currently documented under ACG management.
Gap / open question - Ashley's agenda lists assistive technology "if any." We should clarify scope with her: does she mean resident-facing assistive/accessibility devices, nurse-call / emergency-response systems, or staff-facing clinical tooling? That determines whether this becomes an ACG workstream or stays vendor-owned.
Action step - confirm definition + current vendors at the meeting; if any of it touches PHI or the network, fold it into the security and DR plans. Priority: CLARIFY FIRST.
6. Disaster Recovery & Continuity
Current state
- Cloud backup is now running - MSP360/CloudBerry to ACG's backup server, installed 2026-06-15, which closed the longstanding "no backup" HIPAA gap. Last full completed SUCCESS 2026-06-22 (0 errors).
- Synology is being repurposed as a secondary/backup target.
- pfSense config is backed up (vaulted + on-box); Netgate AutoConfigBackup to be enabled.
- Proven outage procedure - the 2026-06-23 planned building power outage was handled with a clean, scripted self-shutdown of all core devices and verified-clean recovery (after an unclean 2026-06-17 outage taught the lesson). UPS + iDRAC auto-recovery + Synology auto-restart provide bring-up backstops.
Gaps
- Verify the backup is image-based / bare-metal + system-state, not just files, and that retention is set - before relying on it.
- No AD redundancy - single DC = no failover for login/file/DNS.
- Degraded RAID keeps data-loss risk live until the SSD swap.
- No formal written DR/BC plan - no documented RTO/RPO, no tested restore.
- UPS battery-side placement of all core gear not fully verified onsite.
Action steps - confirm backup completeness + run a test restore; document a DR/BC plan with RTO/RPO; add a second (or cloud-hosted) DC for AD redundancy; finish the SSD swap; enable AutoConfigBackup; verify UPS coverage. Timeline - backup verification + test restore is the immediate item; DR/BC document and AD redundancy pair with the CS-SERVER replacement project. Priority: HIGH (P4).
7. Malware Prevention & Virus Protection
Current state
- Bitdefender GravityZone (ACG's managed security platform) protects Cascades endpoints - 3 endpoints currently enrolled in the tenant as of last audit.
- GuruRMM (ACG's RMM) is deployed for monitoring/patching; Microsoft Defender / Exchange Online Protection cover email.
Gaps
- [IMPORTANT] CS-SERVER - the PHI server - is NOT in Bitdefender (no managed AV/EDR on the most sensitive box).
- Leftover previous-MSP agents - Datto RMM (CentraStage) + Datto EDR (Infocyte/DattoAV) are still installed alongside our tools, causing agent sprawl and contributing to the server slowness.
- Only ~3 of ~29 managed devices are confirmed in Bitdefender - coverage is incomplete and needs a full audit.
Action steps
- Enroll CS-SERVER and all remaining workstations into Bitdefender.
- Remove the legacy Datto stack everywhere it remains.
- Standardize on Bitdefender (AV/EDR) + GuruRMM (management) + Defender/EOP (email) and run a coverage audit so 100% of devices report in.
Timeline - run the coverage audit before the meeting; remediation is near-term. Priority: HIGH (P3). (Note: exact live endpoint counts to be confirmed via a Bitdefender coverage pull just before the meeting.)
8. Use of AI
Current state - There is no production AI system deployed at Cascades today. The nearest active item is the KPI dashboard Ashley requested (2026-06-17): a single dashboard pulling KPIs across ALIS, QuickBooks, Bill.com, Relias, the CRM, TELS, Focus HR, etc. Recommended path is Phase 1 scheduled exports -> SharePoint -> Power BI, Phase 2 API automation - an analytics/automation foundation that AI can later build on. It is parked pending Ashley's day-one KPIs.
Gaps / opportunities
- No AI acceptable-use policy - the key governance gap. In a HIPAA environment, uncontrolled staff use of public AI tools (ChatGPT, etc.) is a PHI-leak risk. A simple policy + guardrails should come first.
- Microsoft 365 Copilot is a natural opportunity (the org already has M365), but needs HIPAA review before enabling on PHI-adjacent data.
- Vendor AI features (e.g., any AI inside ALIS or other SaaS) should be reviewed against their BAAs.
Action steps - (1) draft an AI acceptable-use policy for staff; (2) evaluate M365 Copilot with HIPAA guardrails; (3) progress the KPI dashboard as the sanctioned analytics path; (4) review vendor AI features against BAAs. Timeline - policy first (quick); Copilot + dashboard are scoped opportunities. Priority: MEDIUM (P6) - governance before adoption.
Suggested meeting flow
- Walk the priorities table (Section 0) - agree on the order.
- Lead with CS-SERVER replacement (P1) + DR verification (P4) - they are the same conversation and the biggest risk-reducers.
- HIPAA security gaps (P2) + malware coverage (P3) - the compliance block.
- Voice closeout + M365 relicensing (P5) - quick wins / time-sensitive.
- AI policy + KPI dashboard (P6) - forward-looking.
- Clarify "assistive technology" scope (Section 5) with Ashley.
- Agree timelines + which items draw against the prepaid block vs. a separate project quote (server replacement).
Pre-meeting to-do for ACG (to make this airtight)
- Live Bitdefender coverage pull (exact enrolled vs. unmanaged device counts).
- Live Syncro hours confirmation (currently 48.75 hrs).
- Confirm the cloud backup is image/bare-metal + retention (the DR linchpin).
- Get a rough budget number for the CS-SERVER replacement to bring to the meeting.