Gap #13 in hipaa.md marked resolved. Same update in hipaa-caregiver-controls.md and m365.md. Confirmed 2026-05-14: no separate HIPAA BAA acceptance exists or is required for M365 Business plan tenants under the Microsoft Customer Agreement. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
110 lines
8.8 KiB
Markdown
# HIPAA Compliance — Cascades

## Why HIPAA Applies

Cascades is an assisted living facility with health services staff (nurses, medtechs, health services director). They handle Protected Health Information (PHI) through:

1. **ALIS** (https://www.go-alis.com/) — cloud-hosted clinical/medical records system, accessed via web browser on staff PCs
2. **Synology NAS (cascadesDS)** — stores resident/facility data locally that falls under HIPAA
3. **CS-SERVER file shares** — migration target for Synology data; will become the primary secured storage
4. **M365 email** — staff may send/receive resident-related information via cascadestucson.com email

## Project Mission

Cascades was taken over from a previous MSP that left the environment insecure and non-compliant. The core objective of the migration project is to **get Cascades secure and HIPAA compliant**. Every migration phase ties back to this goal.

## Current HIPAA Gaps

| # | Gap | Severity | HIPAA Rule | Migration Phase |
|---|-----|----------|------------|-----------------|
| 1 | **No backup exists** | Critical | §164.308(a)(7) — Contingency Plan | Phase 0 (WSB → Synology) + Phase 4 (offsite) |
| 2 | **Synology stores PHI with no access auditing** | Critical | §164.312(b) — Audit Controls | Phase 4 (move to CS-SERVER with NTFS audit) |
| 3 | **Shared accounts** (Receptionist, Culinary, saleshare, directoryshare) | High | §164.312(a)(2)(i) — Unique User ID | Phase 5 (replace with individual accounts) |
| 4 | **No MFA on M365** | High | §164.312(d) — Person Authentication | Can enable now (Security Defaults, free) |
| 5 | **No disk encryption (BitLocker)** | High | §164.312(a)(2)(iv) — Encryption | Phase 2.6 GPO (free with Windows Pro) |
| 6 | **Permissive floating firewall rule** | High | §164.312(e)(1) — Transmission Security | Phase 1.6 (post-migration lockdown) |
| 7 | **Non-IT staff in Domain Admins** | High | §164.312(a)(1) — Access Control | Phase 2.2 (remove Meredith.Kuhn, John.Trozzi) |
| 8 | **Most PCs not domain-joined** | Medium | §164.308(a)(3) — Workforce Security | Phase 3 (domain join all staff PCs) |
| 9 | **No GPOs enforced** (password policy, screen lock) | Medium | §164.308(a)(5) — Security Awareness | Phase 2.6 (Security Baseline GPO) |
| 10 | **Kitchen iPads on same VLAN as staff PCs** | Medium | §164.312(e)(1) — Transmission Security | Restrict iPads to kitchen printers only |
| 11 | **ALIS browser access on shared PCs** | Medium | §164.312(d) — Person Authentication | Phase 5 (individual logins, no shared accounts) |
| 11b | **Caregiver shared-phone access — no MFA factor** | (compensating-controls architecture — see [`hipaa-caregiver-controls.md`](hipaa-caregiver-controls.md)) | §164.312(a)(1), §164.312(d), §164.306(b) | Live 2026-05-11 with pilot user `pilot.test`; staged caregiver rollout pending pilot SSO verify |
| 12 | **No BAA verified with ALIS** | Medium | §164.308(b)(1) — Business Associates | Verify with management |
| 13 | **Microsoft BAA — covered by MCA** | Resolved | §164.308(b)(1) — Business Associates | Microsoft HIPAA BAA is automatically included in the Microsoft Customer Agreement (MCA) for Business plan subscribers. No separate acceptance step exists or is required. Confirmed 2026-05-14. |
| 14 | **Sandra Fish still global admin** | Low | §164.308(a)(3) — Workforce Security | Create break-glass admin, remove Sandra |
| 15 | **No M365 backup** | Low | §164.308(a)(7) — Contingency Plan | Future — Veeam Backup for M365 |

## How Migration Phases Address HIPAA

| Phase | What It Does | HIPAA Controls Addressed |
|-------|-------------|------------------------|
| Phase 0 — Safety Net | Windows Server Backup → Synology SMB share | Backup, contingency plan |
| Phase 1 — Network | VLAN migration, firewall lockdown, guest isolation | Transmission security, access control |
| Phase 2 — Server Prep | AD cleanup, security groups, GPOs (BitLocker, passwords, screen lock) | Access control, audit, encryption, unique user ID |
| Phase 3 — Domain Join | All staff PCs under centralized management | Workforce security, device management |
| Phase 4 — Synology Retirement | Move data to CS-SERVER with NTFS permissions + audit logging | Audit controls, access control, integrity |
| Phase 5 — Hardening | Remove shared accounts, RDS cleanup, final lockdown | Unique user ID, person authentication |

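Phase 4's "NTFS permissions + audit logging" has two halves that are easy to get wrong: the Object Access / File System audit subcategory must be enabled before any folder SACL produces a single event (gap 17), and the share-level ACL must stop granting Everyone full control (gap 26). The PowerShell below is an added example written for this page, not a script from the Cascades project files. The share path `D:\Shares\Residents`, share name `Residents` and group `CASCADES\HealthServices` are assumed placeholders; replace them with the real share and the security group created in Phase 2.

```powershell
# Added example (not Cascades project code). Run in an elevated PowerShell
# session on the file server (CS-SERVER). All three values below are assumed
# placeholders for this example.
$SharePath = 'D:\Shares\Residents'        # assumed folder holding PHI
$ShareName = 'Residents'                  # assumed SMB share name for that folder
$PhiGroup  = 'CASCADES\HealthServices'    # assumed AD group allowed to read/write PHI

# 1. Gap 17: enable the audit subcategory that file/folder SACLs feed into.
#    Without this setting, SACL entries on the folder generate no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL on the PHI tree so reads, writes, deletes and permission or
#    ownership changes are written to the Security log (event ID 4663) for
#    both successful and failed attempts. Inheritance flags push the rule
#    down to every existing and future file and subfolder.
$acl = Get-Acl -Path $SharePath -Audit
$auditRights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $auditRights,
    'ContainerInherit, ObjectInherit', 'None',
    'Success, Failure')
$acl.AddAuditRule($auditRule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Gap 26: replace "Everyone = Full" at the share layer with the named group.
#    NTFS ACLs on the folder remain the effective control; the share ACL is the
#    outer gate, so it should not be wider than the group that needs the data.
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue
Grant-SmbShareAccess  -Name $ShareName -AccountName $PhiGroup -AccessRight Change -Force

# 4. Print the resulting share ACL and SACL so they can be pasted into the gap tracker.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $SharePath -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 5. Prove the audit trail works: after touching a file in the share, the most
#    recent 4663 events name the account, the file and the access requested.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -Wrap
```

Auditing "Everyone" in the SACL is deliberate: the SACL decides which accesses are logged, not who is allowed, so it should cover every principal while the DACL stays restricted to `$PhiGroup`. Expect a noticeable volume of 4663 events on a busy share; that is the audit trail gap 2 and gap 17 call for, and it is what Phase 4's "Audit controls" column refers to.
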
## Systems and PHI Flow

```
Nurses/MedTechs (staff PCs)
│
├──► ALIS (cloud, go-alis.com) — clinical/medical records
│      └── ALIS responsible for their own HIPAA compliance + BAA
│
├──► Synology NAS (cascadesDS, 192.168.0.120) — resident/facility data (MOVING TO CS-SERVER)
│
├──► CS-SERVER (192.168.2.254) — file shares, AD, DNS (migration target)
│
└──► M365 (cascadestucson.com) — email, may contain PHI in messages/attachments
```

## Non-PHI Systems (out of HIPAA scope)

| System | Purpose | Notes |
|--------|---------|-------|
| Kitchen iPads (9 units) | Food order taking | No PHI — only need access to kitchen thermal receipt printers. **Managed via ManageEngine MDM** |
| Kitchen thermal printers | Receipt printing | Bistro (TM-T88VII, 192.168.2.207) + Kitchen (TM-U220IIB, 10.0.20.225) |
| Resident room VLANs | Resident personal devices (TVs, phones) | No PHI — isolated /28 per room |
| Ring cameras (8 units) | Security cameras | No PHI |
| GoDaddy | Website hosting (cascadestucson.com) | Public website, no PHI |

## New Findings from Audit (2026-03-20)

| # | Gap | Severity | HIPAA Rule | Notes |
|---|-----|----------|------------|-------|
| 16 | **3 shared accounts with no password** (Nurses, memfrtdesk, Front Desk) — these PCs access ALIS | Critical | §164.312(a)(2)(i) — Unique User ID | NURSESTATION-PC, MEMRECEPT-PC, RECEPTIONIST-PC |
| 17 | **No audit logging on CS-SERVER** (Object Access = No Auditing) | Critical | §164.312(b) — Audit Controls | Cannot track who accessed PHI files |
| 18 | **13 months without Windows updates** on DESKTOP-LPOPV30 | High | §164.308(a)(1) — Security Management | 6 machines 3+ months behind |
| 19 | **Expired SSL certificate** on CS-SERVER (2025-04-02) | High | §164.312(e)(1) — Transmission Security | Causes Schannel errors |
| 20 | **krbtgt password 569 days old** | High | §164.312(a)(1) — Access Control | Should rotate every 180 days |
| 21 | **RDP without NLA** on ASSISTMAN-PC, DESKTOP-U2DHAP0 | High | §164.312(e)(1) — Transmission Security | Credential exposure risk |
| 22 | **TightVNC on MEMRECEPT-PC** | High | §164.312(a)(1) — Access Control | Unauthorized remote access tool |
| 23 | **No LAPS** — same local admin password on all machines | Medium | §164.312(a)(1) — Access Control | Lateral movement risk |
| 24 | **RestrictAnonymous = 0** on CS-SERVER | Medium | §164.312(a)(1) — Access Control | Null sessions allowed |
| 25 | **Protected Users group empty** | Medium | §164.312(a)(1) — Access Control | Admin accounts not protected |
| 26 | **Share permissions: Everyone=FullControl** on multiple shares | Medium | §164.312(a)(1) — Access Control | Culinary, directoryshare, Roaming |
| 27 | **Microsoft Teams not deployed or HIPAA-configured** for staff | Medium | §164.312(e)(1) — Transmission Security + §164.308(b)(1) — Business Associates | Roll out Teams to all staff with HIPAA-appropriate controls: retention policies for chat/channel/meeting recordings, external sharing restrictions, DLP for PHI in messages, meeting recording consent, guest access disabled by default. Microsoft BAA (#13) confirmed covered by MCA. |

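Most of the findings above are settings that drift back after a one-time fix (an update stalls, a share gets re-created, a new admin is not added to Protected Users), so a repeatable read-only check is worth keeping next to this table. The PowerShell below is an added example written for this page, not part of the audit or the Cascades project files. It re-tests gaps 17, 18, 20, 21, 24, 25 and 26 from CS-SERVER and prints a pass/fail table; the computer names come from the table, the 180-day krbtgt threshold is the table's own target, and the 90-day patch-age threshold is this example's assumption. It needs the ActiveDirectory RSAT module and the built-in SmbShare module, and changes nothing.

```powershell
# Added example (not Cascades project code): read-only re-check of audit findings.
# Run in an elevated PowerShell session on CS-SERVER with RSAT installed.
Import-Module ActiveDirectory

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Gap, [string]$Check, [bool]$Pass, $Detail) {
    $status = if ($Pass) { 'OK' } else { 'FAIL' }
    $results.Add([pscustomobject]@{ Gap = $Gap; Check = $Check; Status = $status; Detail = "$Detail" })
}

# Gap 17: the File System subcategory must audit both success and failure,
# otherwise folder SACLs on PHI shares produce no events.
$fsLine = (auditpol /get /subcategory:"File System") | Where-Object { $_ -match 'File System' } | Select-Object -First 1
Add-Result 17 'File System auditing' ($fsLine -match 'Success and Failure') (($fsLine -replace '\s+', ' ').Trim())

# Gap 20: krbtgt password age; the table's target is rotation every 180 days.
$krbtgt  = Get-ADUser krbtgt -Properties PasswordLastSet
$ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
Add-Result 20 'krbtgt password age' ($ageDays -le 180) "$ageDays days"

# Gap 24: RestrictAnonymous = 0 permits null sessions against the DC.
$ra = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').RestrictAnonymous
Add-Result 24 'RestrictAnonymous' ($ra -ge 1) "value = $ra"

# Gap 25: Protected Users should hold the privileged accounts, not be empty.
$pu = @(Get-ADGroupMember 'Protected Users')
Add-Result 25 'Protected Users membership' ($pu.Count -gt 0) ($pu.SamAccountName -join ', ')

# Gap 26: no SMB share may grant Everyone Full control at the share layer.
$openShares = Get-SmbShare | Get-SmbShareAccess |
    Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' -and $_.AccessControlType -eq 'Allow' }
Add-Result 26 'Everyone=Full on shares' (-not $openShares) ($openShares.Name -join ', ')

# Gap 21: RDP listeners must require Network Level Authentication
# (Win32_TSGeneralSetting.UserAuthenticationRequired = 1). Computer names are from the table.
foreach ($pc in 'ASSISTMAN-PC', 'DESKTOP-U2DHAP0') {
    try {
        $ts = Get-CimInstance -ComputerName $pc -Namespace 'root\cimv2\TerminalServices' `
              -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
        Add-Result 21 "RDP NLA on $pc" ($ts.UserAuthenticationRequired -eq 1) "UserAuthenticationRequired = $($ts.UserAuthenticationRequired)"
    } catch { Add-Result 21 "RDP NLA on $pc" $false "unreachable: $($_.Exception.Message)" }
}

# Gap 18: newest installed update must be within 90 days (assumed threshold for this example).
foreach ($pc in 'DESKTOP-LPOPV30') {
    try {
        $last = Get-HotFix -ComputerName $pc -ErrorAction Stop |
                Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
        $days = [int]((Get-Date) - $last.InstalledOn).TotalDays
        Add-Result 18 "Patch age on $pc" ($days -le 90) "$days days since $($last.HotFixID)"
    } catch { Add-Result 18 "Patch age on $pc" $false "unreachable: $($_.Exception.Message)" }
}

$results | Sort-Object Gap | Format-Table Gap, Check, Status, Detail -AutoSize
```

A machine that cannot be reached is reported as FAIL rather than skipped, so an offline or firewalled PC shows up in the table instead of silently passing. The `Get-HotFix` check only sees updates installed through Windows Update or WSUS, so treat an OK there as a lower bound on patch currency, not proof that every component is current.
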
## Quick Wins (Free, Can Do Now)

1. **Enable MFA on M365** — Security Defaults in Entra ID (free, takes 5 minutes)
2. ~~**Sign Microsoft BAA**~~ — **RESOLVED 2026-05-14:** Covered automatically by Microsoft Customer Agreement for Business plan subscribers. No action needed.
3. **Verify ALIS BAA** — Ask management if they have a signed BAA with go-alis.com
4. **BitLocker GPO** — Enable via Security Baseline GPO once PCs are domain-joined (Phase 2.6)

## Recommendations (Paid)

| Service | Why | Cost | Priority |
|---------|-----|------|----------|
| Veeam Backup for M365 | Protect email/OneDrive containing PHI | ~$2-4/user/mo | Medium |
| Business Premium upgrade | DLP (prevent PHI in outbound email), Defender, Conditional Access | +$10/user/mo (~$340/mo net after shared mailbox savings) | Low — most gaps covered by free controls |

## Notes

- Cascades is assisted living, not a hospital — but nurses and medtechs handle PHI, making HIPAA applicable
- Previous MSP left the environment non-compliant — this project is a remediation effort
- ALIS handles the heavy clinical data in the cloud — local HIPAA focus is on access control, backup, encryption, and audit trails
- Kitchen area (iPads, thermal printers) is out of HIPAA scope — food service only