Files
claudetools/clients/cascades-tucson/docs/proposals/2026-technology-plan-review.md
Howard Enos 855a67d612 sync: auto-sync from HOWARD-HOME at 2026-06-24 13:59:29
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-24 13:59:29
2026-06-24 13:59:58 -07:00

15 KiB

Cascades of Tucson - Technology Plan Review

[SUPERSEDED 2026-06-24] This first-pass draft predates the 2026-06-24 wiki recompile and contains stale facts (CS-SERVER "RAID critical" -> actually HEALTHY; 48.75 hrs/0 tickets -> 48.25 hrs/6 tickets; no Helpany sensors). Use instead:

  • Client deliverable: cascades-technology-plan-2026-06-24.pdf (+ .html source) - polished, current.
  • Internal execution plan: ../REMAINING-WORK-PLAN.md (canonical 7-workstream plan). Kept for history only.

Prepared for the planning meeting requested by Ashley Jensen (week of 2026-06-23 / 2026-06-30). Organized to Ashley's exact agenda: for each area we cover Current state -> Gaps -> Action steps -> Timeline -> Priority. Prepared by ACG (Az Computer Guru). Source of truth: wiki/clients/cascades-tucson.md (compiled 2026-06-23) + live systems. Contract: prepaid hour block @ $175/hr; 48.75 hrs remaining (Syncro, live 2026-06-23). 0 open tickets.


0. Executive summary - established priorities

The single theme across every area is Cascades runs PHI on one 16-year-old server with no redundancy, while the surrounding identity, network, and voice layers have been substantially modernized over the last 90 days. The top priorities, in order:

# Priority Area Why it's #1-tier
P1 Replace / de-risk CS-SERVER Hardware, DR Single Dell R610 (~2009) DC holding all PHI; OS RAID-1 mirror DEGRADED 2026-06-15 (running on one aging spindle, zero redundancy). Data-loss + total-outage exposure.
P2 Close HIPAA audit + access gaps Security No audit logging on the PHI share; audit-retention infra approved but not built; caregiver device allow-list still report-only; ALIS BAA unverified.
P3 Unify malware/EDR coverage Malware prevention The PHI server is NOT under managed AV/EDR (Bitdefender); leftover previous-MSP Datto agents still installed.
P4 Verify & formalize DR/continuity Disaster recovery Cloud backup now running (gap closed 2026-06-15) - must confirm it is image/bare-metal + retention, then document a real DR/BC plan and test a restore.
P5 Finish voice quality + M365 relicensing Communication, Software Voice VLAN done; last fix (Poly 5GHz lock) is waiting on Vertical. 31 users still on a SUSPENDED M365 license - time-sensitive.
P6 Establish an AI acceptable-use policy Use of AI No governance today; HIPAA makes uncontrolled staff use of public AI a PHI-leak risk. Pairs with the KPI-dashboard analytics opportunity.

1. Hardware & Software

Current state

  • CS-SERVER - Dell PowerEdge R610 (~2009, 16+ yrs). Single Domain Controller doing everything: AD, DNS, DHCP, file server, Hyper-V host, print server. Windows Server 2019.
  • Synology cascadesDS NAS (DSM 7.2.1) - legacy file storage, transitioning to backup-only.
  • pfSense firewall (Netgate, dual-WAN) + full UniFi network: 77 U7-Pro access points, 12 managed switches.
  • ~29 managed workstations (Syncro). Active domain migration to cascades.local + Microsoft Entra hybrid identity is well underway.
  • Microsoft 365 - Business Premium across the org.

Gaps

  • [CRITICAL] CS-SERVER OS mirror is degraded (one drive failed 2026-06-15) - C: (OS/AD) is running on a single aging 5400 RPM laptop spindle with no redundancy. This is also the root cause of "server is slow" reports.
  • Single point of failure - one elderly DC; if it dies, AD/file/print/DHCP all go down at once.
  • EOL workstations - Lupe Sanchez's PC (Gateway i3-2120, Win11-unsupported) flagged for replacement; Chef-PC needs a full reinstall.
  • M365 relicensing - 31 users still assigned to a SUSPENDED Business Standard license; 31 Business Premium seats sit free. Time-sensitive.
  • ~25 switch ports negotiating 100 Mbps instead of gigabit (cabling/NIC); 3 switches offline.

Action steps

  1. Interim: replace CS-SERVER OS drives with 2x 480 GB enterprise SSD (gated on verified backup first).
  2. Strategic: scope a server replacement / DC modernization - the real fix for the SPOF and the slowness.
  3. Replace Lupe's workstation; reinstall Chef-PC (open tickets #32194, #32254).
  4. Complete M365 relicensing (31 Standard -> Premium).
  5. After WiFi stabilizes: correct the 100 Mbps switch ports and investigate the 3 offline switches.

Timeline - SSD swap near-term (once backup verified); relicensing immediate; workstation swaps near-term; server-replacement a larger project to scope jointly. Priority: HIGH (P1).


2. Communication Technology

Current state

  • Email - Microsoft 365 / Exchange Online. SPF, DKIM, and DMARC (p=quarantine) all published. Shared mailboxes grievances@ and Surveys@ created 2026-06-12.
  • Voice - Vertical hosted/cloud PBX. 37 devices (28 Poly WiFi handsets + 8 AudioCodes desk phones + the Vertical management desktop) consolidated onto an isolated Voice VLAN 30 (completed 2026-06-19) - HIPAA-segmented, phones marking DSCP EF for QoS.
  • WiFi - heavily optimized 2026-06-19: 5 GHz retransmits roughly halved, 2.4 GHz power rebalanced, ~587 concurrent clients across 77 APs.

Gaps

  • Residual dropped calls - several Poly handsets cling to the saturated 2.4 GHz band despite strong 5 GHz signal. Fix is a phone-side 5 GHz-only lock - request is with Vertical (Richard Turner), awaiting their push. This is the last open voice item.
  • Bistro phone missing - one bad phone was pulled; a replacement is pending.
  • Voice QoS designed but not yet built (insurance for WAN failover / saturation).
  • 6 GHz WiFi band is dark - the largest untapped clean wireless capacity; enabling it needs a WPA3 conversion on the main SSID (supervised change).
  • DMARC sits at quarantine (could progress to reject); DMARC reports route to an unmonitored mailbox.

Action steps - chase the Vertical 5 GHz lock to closure; install/re-key the Bistro replacement; build voice QoS; plan the supervised 6 GHz / WPA3 change window. Timeline - voice closeout is days-out pending Vertical; QoS and 6 GHz are scheduled change windows. Priority: MEDIUM-HIGH (P5).


3. Security for Sensitive Data (HIPAA / PHI)

Current state - HIPAA is the primary compliance driver. PHI lives on CS-SERVER and in ALIS (clinical EHR). A modern, identity-based access-control model is largely deployed:

  • Microsoft Entra Conditional Access splits staff into two postures - caregivers locked to the Cascades network + approved devices (credentials useless off-site); office/clinical staff get MFA off-site.
  • ALIS single sign-on is live (Entra is the second factor).
  • Caregiver device-lockdown GPO - auto screen-lock at 3 min, auto sign-out at 15 min (HIPAA 164.312(a) for shared PHI devices).
  • Voice VLAN isolation, per-room network L2 isolation, MFA for all users, DMARC enforcement.

Gaps (open HIPAA items)

  • No audit logging on the PHI file share (164.312(b)); Object Access auditing disabled; no SMB encryption on the Homes share.
  • Audit-retention infrastructure (90-day + 6-year) approved 2026-04-29 but not yet built.
  • Break-glass admin accounts not created; FIDO2 keys unconfirmed.
  • ALIS Business Associate Agreement (BAA) with Medtelligent not yet verified.
  • Caregiver device allow-list still in report-only mode (cutover pending); ALIS-native 2FA should be disabled in favor of Entra SSO-only.
  • Exposed credential - a Synology sign-in credential was committed in plaintext to our vault history; rotate it.

Action steps - enable file-share/object-access auditing + build the retention store; create break-glass accounts; obtain/verify the ALIS BAA; complete the caregiver allow-list cutover; rotate the exposed Synology credential. Timeline - auditing + retention is the headline near-term HIPAA workstream. Priority: HIGH (P2).


4. Services Purchased or Contracted (vendor inventory)

Service Vendor Purpose Note for review
Managed IT services ACG Support / projects Prepaid block, 48.75 hrs remaining
Microsoft 365 Microsoft Email, identity, Office Relicensing 31 users (see Hardware/Software)
ALIS Medtelligent Clinical EHR (PHI) BAA verification required
Hosted voice Vertical Phone system 5 GHz lock pending with them
Internet (dual-WAN) Cox Fiber primary + coax failover WAN2 upload still to be measured
Cloud backup MSP360 / CloudBerry (-> ACG) Off-site backup Installed 2026-06-15 (see DR)
Firewall / network Netgate (pfSense) + UniFi Perimeter + LAN/WiFi Healthy, optimized
Endpoint security Bitdefender AV/EDR Partial coverage (see Malware)
Line-of-business SaaS QuickBooks, Bill.com, Relias (LMS), You've Got Leads (CRM), TELS / Direct Supply (facilities), Focus HR (HR/payroll), Helpany (caregiver app), POS Operations Catalogued for the KPI dashboard

Gaps - ALIS BAA; no central contract/renewal calendar; M365 license true-up. Action - build a one-page renewal/BAA tracker. Priority: MEDIUM.


5. Assistive Technology

Current state - In ACG's current scope, the resident/clinical-facing technology is ALIS (clinical EHR) and Helpany (the caregiver app). A physical access-control vendor engagement is on record (ticket #32324, 2026-05-26). No dedicated resident accessibility / nurse-call / emergency-call system is currently documented under ACG management.

Gap / open question - Ashley's agenda lists assistive technology "if any." We should clarify scope with her: does she mean resident-facing assistive/accessibility devices, nurse-call / emergency-response systems, or staff-facing clinical tooling? That determines whether this becomes an ACG workstream or stays vendor-owned.

Action step - confirm definition + current vendors at the meeting; if any of it touches PHI or the network, fold it into the security and DR plans. Priority: CLARIFY FIRST.


6. Disaster Recovery & Continuity

Current state

  • Cloud backup is now running - MSP360/CloudBerry to ACG's backup server, installed 2026-06-15, which closed the longstanding "no backup" HIPAA gap. Last full completed SUCCESS 2026-06-22 (0 errors).
  • Synology is being repurposed as a secondary/backup target.
  • pfSense config is backed up (vaulted + on-box); Netgate AutoConfigBackup to be enabled.
  • Proven outage procedure - the 2026-06-23 planned building power outage was handled with a clean, scripted self-shutdown of all core devices and verified-clean recovery (after an unclean 2026-06-17 outage taught the lesson). UPS + iDRAC auto-recovery + Synology auto-restart provide bring-up backstops.

Gaps

  • Verify the backup is image-based / bare-metal + system-state, not just files, and that retention is set - before relying on it.
  • No AD redundancy - single DC = no failover for login/file/DNS.
  • Degraded RAID keeps data-loss risk live until the SSD swap.
  • No formal written DR/BC plan - no documented RTO/RPO, no tested restore.
  • UPS battery-side placement of all core gear not fully verified onsite.

Action steps - confirm backup completeness + run a test restore; document a DR/BC plan with RTO/RPO; add a second (or cloud-hosted) DC for AD redundancy; finish the SSD swap; enable AutoConfigBackup; verify UPS coverage. Timeline - backup verification + test restore is the immediate item; DR/BC document and AD redundancy pair with the CS-SERVER replacement project. Priority: HIGH (P4).


7. Malware Prevention & Virus Protection

Current state

  • Bitdefender GravityZone (ACG's managed security platform) protects Cascades endpoints - 3 endpoints currently enrolled in the tenant as of last audit.
  • GuruRMM (ACG's RMM) is deployed for monitoring/patching; Microsoft Defender / Exchange Online Protection cover email.

Gaps

  • [IMPORTANT] CS-SERVER - the PHI server - is NOT in Bitdefender (no managed AV/EDR on the most sensitive box).
  • Leftover previous-MSP agents - Datto RMM (CentraStage) + Datto EDR (Infocyte/DattoAV) are still installed alongside our tools, causing agent sprawl and contributing to the server slowness.
  • Only ~3 of ~29 managed devices are confirmed in Bitdefender - coverage is incomplete and needs a full audit.

Action steps

  1. Enroll CS-SERVER and all remaining workstations into Bitdefender.
  2. Remove the legacy Datto stack everywhere it remains.
  3. Standardize on Bitdefender (AV/EDR) + GuruRMM (management) + Defender/EOP (email) and run a coverage audit so 100% of devices report in.

Timeline - run the coverage audit before the meeting; remediation is near-term. Priority: HIGH (P3). (Note: exact live endpoint counts to be confirmed via a Bitdefender coverage pull just before the meeting.)


8. Use of AI

Current state - There is no production AI system deployed at Cascades today. The nearest active item is the KPI dashboard Ashley requested (2026-06-17): a single dashboard pulling KPIs across ALIS, QuickBooks, Bill.com, Relias, the CRM, TELS, Focus HR, etc. Recommended path is Phase 1 scheduled exports -> SharePoint -> Power BI, Phase 2 API automation - an analytics/automation foundation that AI can later build on. It is parked pending Ashley's day-one KPIs.

Gaps / opportunities

  • No AI acceptable-use policy - the key governance gap. In a HIPAA environment, uncontrolled staff use of public AI tools (ChatGPT, etc.) is a PHI-leak risk. A simple policy + guardrails should come first.
  • Microsoft 365 Copilot is a natural opportunity (the org already has M365), but needs HIPAA review before enabling on PHI-adjacent data.
  • Vendor AI features (e.g., any AI inside ALIS or other SaaS) should be reviewed against their BAAs.

Action steps - (1) draft an AI acceptable-use policy for staff; (2) evaluate M365 Copilot with HIPAA guardrails; (3) progress the KPI dashboard as the sanctioned analytics path; (4) review vendor AI features against BAAs. Timeline - policy first (quick); Copilot + dashboard are scoped opportunities. Priority: MEDIUM (P6) - governance before adoption.


Suggested meeting flow

  1. Walk the priorities table (Section 0) - agree on the order.
  2. Lead with CS-SERVER replacement (P1) + DR verification (P4) - they are the same conversation and the biggest risk-reducers.
  3. HIPAA security gaps (P2) + malware coverage (P3) - the compliance block.
  4. Voice closeout + M365 relicensing (P5) - quick wins / time-sensitive.
  5. AI policy + KPI dashboard (P6) - forward-looking.
  6. Clarify "assistive technology" scope (Section 5) with Ashley.
  7. Agree timelines + which items draw against the prepaid block vs. a separate project quote (server replacement).

Pre-meeting to-do for ACG (to make this airtight)

  • Live Bitdefender coverage pull (exact enrolled vs. unmanaged device counts).
  • Live Syncro hours confirmation (currently 48.75 hrs).
  • Confirm the cloud backup is image/bare-metal + retention (the DR linchpin).
  • Get a rough budget number for the CS-SERVER replacement to bring to the meeting.