claudetools/clients/cascades-tucson/docs/security/hipaa.md
Howard Enos 223dc861c2 docs(cascades): track Teams HIPAA rollout as new gap
Added Teams deployment + HIPAA-appropriate configuration as a tracked
gap (hipaa.md #27) and M365 issue (m365.md #14). Cites transmission
security + BAA requirements and outlines controls needed (retention,
DLP, external sharing lockdown, guest access, meeting consent).
Dependency on Microsoft BAA flagged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 14:16:02 -07:00

HIPAA Compliance — Cascades

Why HIPAA Applies

Cascades is an assisted living facility with health services staff (nurses, medtechs, health services director). They handle Protected Health Information (PHI) through:

  1. ALIS (https://www.go-alis.com/) — cloud-hosted clinical/medical records system, accessed via web browser on staff PCs
  2. Synology NAS (cascadesDS) — stores resident/facility data locally that falls under HIPAA
  3. CS-SERVER file shares — migration target for Synology data; will become the primary secured storage
  4. M365 email — staff may send/receive resident-related information via cascadestucson.com email

Project Mission

Cascades was taken over from a previous MSP that left the environment insecure and non-compliant. The core objective of the migration project is to get Cascades secure and HIPAA compliant. Every migration phase ties back to this goal.

Current HIPAA Gaps

| # | Gap | Severity | HIPAA Rule | Migration Phase |
|---|-----|----------|------------|-----------------|
| 1 | No backup exists | Critical | §164.308(a)(7) — Contingency Plan | Phase 0 (WSB → Synology) + Phase 4 (offsite) |
| 2 | Synology stores PHI with no access auditing | Critical | §164.312(b) — Audit Controls | Phase 4 (move to CS-SERVER with NTFS audit) |
| 3 | Shared accounts (Receptionist, Culinary, saleshare, directoryshare) | High | §164.312(a)(2)(i) — Unique User ID | Phase 5 (replace with individual accounts) |
| 4 | No MFA on M365 | High | §164.312(d) — Person Authentication | Can enable now (Security Defaults, free) |
| 5 | No disk encryption (BitLocker) | High | §164.312(a)(2)(iv) — Encryption | Phase 2.6 GPO (free with Windows Pro) |
| 6 | Permissive floating firewall rule | High | §164.312(e)(1) — Transmission Security | Phase 1.6 (post-migration lockdown) |
| 7 | Non-IT staff in Domain Admins | High | §164.312(a)(1) — Access Control | Phase 2.2 (remove Meredith.Kuhn, John.Trozzi) |
| 8 | Most PCs not domain-joined | Medium | §164.308(a)(3) — Workforce Security | Phase 3 (domain join all staff PCs) |
| 9 | No GPOs enforced (password policy, screen lock) | Medium | §164.308(a)(5) — Security Awareness | Phase 2.6 (Security Baseline GPO) |
| 10 | Kitchen iPads on same VLAN as staff PCs | Medium | §164.312(e)(1) — Transmission Security | Restrict iPads to kitchen printers only |
| 11 | ALIS browser access on shared PCs | Medium | §164.312(d) — Person Authentication | Phase 5 (individual logins, no shared accounts) |
| 12 | No BAA verified with ALIS | Medium | §164.308(b)(1) — Business Associates | Verify with management |
| 13 | No BAA with Microsoft (M365) | Medium | §164.308(b)(1) — Business Associates | Sign Microsoft BAA via M365 admin |
| 14 | Sandra Fish still global admin | Low | §164.308(a)(3) — Workforce Security | Create break-glass admin, remove Sandra |
| 15 | No M365 backup | Low | §164.308(a)(7) — Contingency Plan | Future — Veeam Backup for M365 |

How Migration Phases Address HIPAA

| Phase | What It Does | HIPAA Controls Addressed |
|-------|--------------|--------------------------|
| Phase 0 — Safety Net | Windows Server Backup → Synology SMB share | Backup, contingency plan |
| Phase 1 — Network | VLAN migration, firewall lockdown, guest isolation | Transmission security, access control |
| Phase 2 — Server Prep | AD cleanup, security groups, GPOs (BitLocker, passwords, screen lock) | Access control, audit, encryption, unique user ID |
| Phase 3 — Domain Join | All staff PCs under centralized management | Workforce security, device management |
| Phase 4 — Synology Retirement | Move data to CS-SERVER with NTFS permissions + audit logging | Audit controls, access control, integrity |
| Phase 5 — Hardening | Remove shared accounts, RDS cleanup, final lockdown | Unique user ID, person authentication |
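Phase 4 pairs the move to CS-SERVER with NTFS audit logging. The script below is an added example, not the project's own tooling: it turns on the File System audit subcategory and puts a SACL on the folder that will receive the Synology data, so every read, write, or delete of a PHI file lands in the Security log as event 4663. It assumes it runs elevated on CS-SERVER, and the `$PhiRoot` path is a placeholder.

```powershell
# Added example: enable object-access auditing on the PHI share root (Phase 4).
# Run elevated on CS-SERVER; $PhiRoot is a placeholder, not the project's real path.
param([string]$PhiRoot = 'D:\Shares\Resident')

# Audit policy: the "File System" subcategory is "No Auditing" until this is set
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Build a SACL entry: log successful and failed reads, changes, and deletes by
# anyone, inherited by every file and subfolder under the PHI root
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None, $flags)

# -Audit reads the SACL (needs SeSecurityPrivilege, hence elevation)
$acl = Get-Acl -Path $PhiRoot -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $PhiRoot -AclObject $acl

# Verify: the audit rule should now appear on the folder
(Get-Acl -Path $PhiRoot -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Auditing ReadData on a busy share produces a large volume of 4663 events, so raise the Security log size (or forward it) before cutting over the data.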

Systems and PHI Flow

Nurses/MedTechs (staff PCs)
    │
    ├──► ALIS (cloud, go-alis.com) — clinical/medical records
    │        └── ALIS responsible for their own HIPAA compliance + BAA
    │
    ├──► Synology NAS (cascadesDS, 192.168.0.120) — resident/facility data (MOVING TO CS-SERVER)
    │
    ├──► CS-SERVER (192.168.2.254) — file shares, AD, DNS (migration target)
    │
    └──► M365 (cascadestucson.com) — email, may contain PHI in messages/attachments

Non-PHI Systems (out of HIPAA scope)

| System | Purpose | Notes |
|--------|---------|-------|
| Kitchen iPads (9 units) | Food order taking | No PHI — only need access to kitchen thermal receipt printers. Managed via ManageEngine MDM |
| Kitchen thermal printers | Receipt printing | Bistro (TM-T88VII, 192.168.2.207) + Kitchen (TM-U220IIB, 10.0.20.225) |
| Resident room VLANs | Resident personal devices (TVs, phones) | No PHI — isolated /28 per room |
| Ring cameras (8 units) | Security cameras | No PHI |
| GoDaddy | Website hosting (cascadestucson.com) | Public website, no PHI |

New Findings from Audit (2026-03-20)

| # | Gap | Severity | HIPAA Rule | Notes |
|---|-----|----------|------------|-------|
| 16 | 3 shared accounts with no password (Nurses, memfrtdesk, Front Desk) — these PCs access ALIS | Critical | §164.312(a)(2)(i) — Unique User ID | NURSESTATION-PC, MEMRECEPT-PC, RECEPTIONIST-PC |
| 17 | No audit logging on CS-SERVER (Object Access = No Auditing) | Critical | §164.312(b) — Audit Controls | Cannot track who accessed PHI files |
| 18 | 13 months without Windows updates on DESKTOP-LPOPV30 | High | §164.308(a)(1) — Security Management | 6 machines 3+ months behind |
| 19 | Expired SSL certificate on CS-SERVER (2025-04-02) | High | §164.312(e)(1) — Transmission Security | Causes Schannel errors |
| 20 | krbtgt password 569 days old | High | §164.312(a)(1) — Access Control | Should rotate every 180 days |
| 21 | RDP without NLA on ASSISTMAN-PC, DESKTOP-U2DHAP0 | High | §164.312(e)(1) — Transmission Security | Credential exposure risk |
| 22 | TightVNC on MEMRECEPT-PC | High | §164.312(a)(1) — Access Control | Unauthorized remote access tool |
| 23 | No LAPS — same local admin password on all machines | Medium | §164.312(a)(1) — Access Control | Lateral movement risk |
| 24 | RestrictAnonymous = 0 on CS-SERVER | Medium | §164.312(a)(1) — Access Control | Null sessions allowed |
| 25 | Protected Users group empty | Medium | §164.312(a)(1) — Access Control | Admin accounts not protected |
| 26 | Share permissions: Everyone=FullControl on multiple shares | Medium | §164.312(a)(1) — Access Control | Culinary, directoryshare, Roaming |
| 27 | Microsoft Teams not deployed or HIPAA-configured for staff | Medium | §164.312(e)(1) — Transmission Security + §164.308(b)(1) — Business Associates | Roll out Teams to all staff with HIPAA-appropriate controls: retention policies for chat/channel/meeting recordings, external sharing restrictions, DLP for PHI in messages, meeting recording consent, guest access disabled by default. Depends on Microsoft BAA (#13). |
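Findings 17, 20, 21, 24, 25 and 26 are all checkable from the server itself, so they can be re-verified after each remediation. The script below is an added example, not the project's own tooling: it assumes it runs elevated on CS-SERVER with the RSAT ActiveDirectory module installed, uses the 180-day krbtgt threshold stated above, and `Test-HipaaFindings` is an assumed name; the RDP NLA check only covers the machine it runs on, so run it on ASSISTMAN-PC and DESKTOP-U2DHAP0 separately.

```powershell
# Added example: re-check audit findings 17, 20, 21, 24, 25, 26 on CS-SERVER.
# Assumes an elevated session and the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-HipaaFindings {
    $findings = @()

    # 17: Object Access / File System subcategory must not read "No Auditing"
    $fs = auditpol /get /subcategory:"File System" 2>$null | Select-String 'File System'
    if (-not $fs -or ($fs | Out-String) -match 'No Auditing') {
        $findings += [pscustomobject]@{ Id = 17; Detail = 'File System auditing is off (Object Access = No Auditing)' }
    }

    # 20: krbtgt password older than 180 days (page's rotation interval)
    $krbtgt  = Get-ADUser krbtgt -Properties PasswordLastSet
    $ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
    if ($ageDays -gt 180) {
        $findings += [pscustomobject]@{ Id = 20; Detail = "krbtgt password is $ageDays days old (rotate every 180)" }
    }

    # 21: RDP must require Network Level Authentication (UserAuthentication = 1)
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty $rdp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    if ($nla -ne 1) {
        $findings += [pscustomobject]@{ Id = 21; Detail = "RDP on $env:COMPUTERNAME does not require NLA" }
    }

    # 24: RestrictAnonymous = 0 (or unset) allows null sessions
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous -ErrorAction SilentlyContinue
    if (-not $lsa -or $lsa.RestrictAnonymous -eq 0) {
        $findings += [pscustomobject]@{ Id = 24; Detail = 'RestrictAnonymous is 0 (null sessions allowed)' }
    }

    # 25: Protected Users should contain the admin accounts, not be empty
    if (-not (Get-ADGroupMember 'Protected Users')) {
        $findings += [pscustomobject]@{ Id = 25; Detail = 'Protected Users group is empty' }
    }

    # 26: no non-administrative share may grant Everyone Full Control
    $open = Get-SmbShare | Where-Object { -not $_.Special } | Get-SmbShareAccess |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' }
    foreach ($s in $open) {
        $findings += [pscustomobject]@{ Id = 26; Detail = "Share '$($s.Name)' grants Everyone Full Control" }
    }
    return $findings
}

Test-HipaaFindings | Format-Table -AutoSize
```

An empty result means those six items are closed; anything listed maps back to the gap number in the table.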

Quick Wins (Free, Can Do Now)

  1. Enable MFA on M365 — Security Defaults in Entra ID (free, takes 5 minutes)
  2. Sign Microsoft BAA — M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA
  3. Verify ALIS BAA — Ask management if they have a signed BAA with go-alis.com
  4. BitLocker GPO — Enable via Security Baseline GPO once PCs are domain-joined (Phase 2.6)

Recommendations (Paid)

| Service | Why | Cost | Priority |
|---------|-----|------|----------|
| Veeam Backup for M365 | Protect email/OneDrive containing PHI | ~$2-4/user/mo | Medium |
| Business Premium upgrade | DLP (prevent PHI in outbound email), Defender, Conditional Access | +$10/user/mo (~$340/mo net after shared mailbox savings) | Low — most gaps covered by free controls |

Notes

  • Cascades is assisted living, not a hospital — but nurses and medtechs handle PHI, making HIPAA applicable
  • Previous MSP left the environment non-compliant — this project is a remediation effort
  • ALIS handles the heavy clinical data in the cloud — local HIPAA focus is on access control, backup, encryption, and audit trails
  • Kitchen area (iPads, thermal printers) is out of HIPAA scope — food service only