azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fa4ac2ea37a32e0fde79ff87a109ffbcb01dc787
claudetools/clients/cascades-tucson/docs/security/risk-analysis-2026-04.md
Howard Enos 5019db4558 sync: auto-sync from HOWARD-HOME at 2026-04-24 14:31:14 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-24 14:31:14
2026-04-24 14:31:17 -07:00

50 KiB
Raw Blame History

HIPAA Security Rule Risk Analysis — Cascades of Tucson

Document ID: RA-2026-04 Facility: Cascades of Tucson (236-room assisted living + memory care community, Tucson AZ) Covered Entity: Cascades of Tucson LLC Prepared by: Howard Enos, Technician, Arizona Computer Guru (MSP) Reviewed by (Security Official): Mike Swanson, President, Arizona Computer Guru (designated Security Official per §164.308(a)(2)) Counter-signed by (CE leadership): Meredith Kuhn, Executive Director, Cascades of Tucson Date drafted: 2026-04-24 Effective date: On counter-signature Next review: No later than 2027-04-24, or upon material change to environment, workforce, or threat landscape (§164.316(b)(2)(iii)) Supersedes: None — this is the first formal Risk Analysis on file for Cascades of Tucson

1. Purpose and regulatory basis

HIPAA Security Rule §164.308(a)(1)(ii)(A) is a Required implementation specification: every covered entity must "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

This document is that assessment. It follows the structure of NIST SP 800-66 Revision 2 (Feb 2024) Section 3 — Risk Assessment Methodology, which HHS OCR cites as the de-facto framework for Security Rule risk analyses. It is intentionally sized to the scale of Cascades — a single 236-room assisted living community with roughly 70 workforce members — rather than to the scale of a hospital. The goal is an audit-defensible analysis, not a gold-standard one.

Where implementation specifications are Addressable, this document records the decision made, the rationale for that decision, and any compensating controls, as required by §164.306(d)(3). Addressable does not mean optional; it means the covered entity must either implement the spec, implement a reasonable alternative, or document a reasoned decision that neither is appropriate — and document that reasoning in writing. Decisions are cross-referenced to the Security Rule Implementation Register (docs/security/implementation-register.md, tracked as master-plan item B8).

2. Scope (NIST 800-66r2 §3.1 — System Characterization)

2.1 ePHI defined in the Cascades environment

For purposes of this analysis, ePHI at Cascades means any electronic information that identifies a resident (name, room number, date of birth, Medicare/Medicaid ID, insurance info) combined with any information about the resident's health condition, medications, diagnoses, care plan, clinical imaging, incident reports, or service authorization. It does NOT include food-service-only data (kitchen iPad meal orders), facility-only data (work orders with no resident identifier), or marketing data that has never included resident health status.

2.2 Workforce members in scope

Based on the 2026-04-22 staff roster (reports/cascades-staff-2026-04-22.csv, ~70 rows):

  • Clinical workforce (handles PHI directly): Health Services Director, Health Services Manager, Memory Care Director, Memory Care Admin Assistant, Memory Care Nurses, Assisted Living Aides, MedTechs, Caregivers (approx. 39 net-new caregiver roles per Phase 1a rollout plan)
  • Administrative workforce with PHI access (billing, admissions, records): Executive Director, Assistant Executive Director, Business Office Director, Accounting staff, Sales / Move-In Coordinator (limited — pre-admission assessment data)
  • Operational workforce with incidental PHI exposure: Front Desk / Resident Services Receptionist (visitor logs, message-taking), Courtesy Patrol (incident reports), Life Enrichment (activity attendance + limited health accommodations), Drivers (pickup sheets with rider names + appointment context)
  • IT / admin workforce: MSP technicians (Howard Enos, Mike Swanson) with role-based admin access; internal sysadmin@ global admin. All IT access is subject to the Business Associate Agreement between Cascades and Arizona Computer Guru.
  • Out of scope: Culinary / kitchen staff who do not enter the clinical wing and do not use ALIS.

2.3 Systems in scope

System Location ePHI role Owner
ALIS (go-alis.com / Medtelligent) Cloud EHR (SaaS) Primary clinical record — medications, care plans, assessments, incident logs Medtelligent Inc. (Business Associate, BAA to be confirmed — item B2 in master plan)
Microsoft 365 (cascadestucson.com) Cloud — Exchange Online, OneDrive, SharePoint, Teams PHI transit + at-rest in email bodies/attachments, staff OneDrive, planned Teams chat Microsoft Corp. (Business Associate — BAA not yet signed, see §6.1.1)
CS-SERVER (192.168.2.254) On-prem Windows Server 2016, Dell R610 (2009) Primary on-prem file server, AD DC, DNS, DHCP, Hyper-V host for VoIP; hosts \\CS-SERVER\homes (user folder redirection target for PHI-generated documents) Cascades (MSP-managed)
Synology NAS cascadesds (192.168.0.120) On-prem, DSM 7 Legacy file store — Management, pacs, Server, Sandra Fish, homes shares contain PHI. Scheduled for retirement in Phase 4. Cascades (MSP-managed)
Workstations (staff PCs, ~18 audited) On-prem Browser access to ALIS, M365 mailboxes, SMB-mounted CS-SERVER / Synology shares Cascades
Shared caregiver phones (Samsung A15, 25 units, Intune-managed) Mobile ALIS web app, Teams, Authenticator via Microsoft Shared Device Mode Cascades (MSP-enrolled in Intune)
pfSense firewall (192.168.0.1) On-prem Enforces segmentation; terminates Cascades WAN Cascades (MSP-managed)
UniFi Wi-Fi (CSCNet, CSC ENT, Guest) On-prem Transit for ePHI on phones and laptops Cascades (MSP-managed)

2.4 Out-of-scope systems (documented so the scope is defensible)

Kitchen iPads (food orders only, no resident health data), kitchen thermal printers (receipts), resident room VLANs (personal devices, no facility PHI), Ring security cameras (common areas, no clinical content), GoDaddy-hosted public website (no PHI), DirecTV entertainment infrastructure. If any of these systems are later used to process PHI, this scope statement must be updated.

2.5 ePHI flows (simplified data-flow diagram)

Resident / family intake
    │
    ▼
Admissions (Sales / Move-In Coordinator)
    ├── Paper → scanned → email / Management share → ALIS entry
    │
Clinical staff (RN, MedTech, Caregiver)
    ├── ALIS (browser on workstation OR web app on Intune phone)
    ├── Incident reports → Management share / email to Exec
    ├── Paper MARs (non-electronic, outside this analysis)
    │
Executive / Business Office
    ├── M365 mailbox (PHI in emails re: billing, hospice coordination, family)
    ├── CS-SERVER homes share (folder redirection)
    ├── Synology Management share (clinical admin docs) — LEGACY, Phase 4 retire
    │
MSP (Arizona Computer Guru)
    ├── Remote admin via documented BAA scope (no casual PHI browsing)
    ├── Backup storage (WSB → Synology — currently the only backup; HIPAA gap #1)
    │
External disclosures
    ├── Microsoft (platform — BAA pending)
    ├── Medtelligent/ALIS (EHR vendor — BAA pending confirmation)
    ├── Pharmacy, hospice, hospital partners (outside IT scope — paper + fax)
    └── Reliable Agency (contingent caregivers — workforce vs BA classification pending)

3. Data collection (NIST 800-66r2 §3.2 — ePHI inventory)

Per §3.2 the risk analysis must enumerate where ePHI is created, received, maintained, or transmitted. The following inventory was compiled from docs/security/hipaa.md, docs/migration/synology-permission-inventory.md, docs/cloud/m365.md, docs/servers/active-directory.md, and PROJECT_STATE.md.

3.1 ePHI at rest

Location Type of ePHI Approx. volume Access method At-rest encryption Notes
ALIS cloud tenant Full clinical records (MARs, care plans, assessments, incident logs, imaging refs) All 236 residents, historical HTTPS / browser / phone web app Provider-managed (FIPS 140-2 per vendor attestation — to confirm with BAA) Out of scope for Cascades infrastructure hardening; in scope for access-control + SSO
CS-SERVER \\CS-SERVER\homes User-generated PHI (Word docs, Excel, PDFs dropped in redirected Documents/Downloads/Desktop) Growing — every office user SMB from staff PCs BitLocker status on D: drive not yet documented (audit gap, master plan item) SMB3 encryption is currently OFF; scheduled Set-SmbShare -EncryptData $true in master plan Part 6
CS-SERVER other shares Drive mappings (S:, M:, P:, etc.) Per share SMB Same as homes Folder-redirection destination shares must match homes encryption posture
Synology Management share Clinical admin docs, billing refs, care plan exports Active SMB from workstations ext4, not encrypted at-rest per audit High-risk — Phase 4 retirement target
Synology pacs share Likely imaging (PACS = Picture Archiving and Communication System naming convention) Historical SMB from workstations ext4, not encrypted at-rest Highest-risk Synology share
Synology homes, Sandra Fish, Server, chat shares Mixed — user homes, historical director artifacts, staff chat logs Active + legacy SMB ext4 Contains PHI based on RW grants to clinical users
M365 Exchange Online mailboxes PHI in emails, attachments, calendar invites 34 licensed mailboxes Outlook / OWA / mobile Outlook / phone web Service-managed (Microsoft) Licensed under BAA once signed
M365 OneDrive Potential — users may save PHI to OneDrive unintentionally Variable Sync client / web Service-managed No DLP in place today
Staff workstation local disks Cached Outlook OST, browser cache, downloaded attachments 18 audited + ~10 more Local BitLocker broken or missing on 13 of 18 per audit 2026-03-20 HIGH gap (master issue #12)
Caregiver shared phones (Samsung A15) ALIS web app session data, Authenticator, Teams messages 25 devices (1 enrolled, 24 in box) Intune-managed Device-level encryption required by compliance policy CSC - Android Compliance Per-device enforcement verified on pilot device
Backup — Windows Server Backup → Synology SMB share Full CS-SERVER image including PHI shares Growing SMB write from CS-SERVER ext4 underlying volume, no BitLocker on target Only backup that exists; no offsite copy (master issue #1 Critical)

3.2 ePHI in transit

Channel Protocol Encryption Notes
Staff PC ↔ ALIS HTTPS (TLS 1.2+) Server-enforced Good
Phone ↔ ALIS (web app in MSDM) HTTPS (TLS 1.2+) Server-enforced Good
Staff PC ↔ M365 (Outlook, OWA, OneDrive sync) HTTPS (TLS 1.2+) Service-enforced Good (Microsoft side); depends on BAA
Staff PC ↔ CS-SERVER SMB SMB3 SMB3 encryption currently OFF on homes (planned remediation) See §6 H3
Staff PC ↔ Synology SMB SMB2/3 Not encrypted Phase 4 decommission
Email sent to external partners (pharmacy, hospice, hospital) SMTP over TLS (opportunistic) Variable depending on recipient MTA No outbound DLP to enforce mandatory TLS + subject-line rules
MSP remote admin (Arizona Computer Guru) Multiple tools (RMM, RDP) TLS / NLA required per audit remediation (2026-03-20) RDP-without-NLA findings have been resolved
Phone cellular / hotspot path Carrier-side Carrier-side Conditional Access "Cascades Office" Named Location steers phones to Wi-Fi; off-network use is flagged

3.3 PHI creation points

Every clinical shift generates ePHI. The most common creation points:

  • Caregiver documentation in ALIS (per-resident tasks, observations) — phone or workstation
  • Incident reports drafted in Word, emailed to Exec / Health Services Director, archived on Management or homes shares
  • Scanned intake paperwork (admission, advance directives, physician orders) uploaded to ALIS or Management share
  • Internal email chains re: hospice transition, hospital return, family care conferences — all contain PHI in message bodies

4. Threats and vulnerabilities (NIST 800-66r2 §3.3 — Threat & Vulnerability Identification)

The following threat sources are considered in this analysis, aligned to NIST SP 800-30r1 Appendix D categories:

  • T-Adv — Adversarial (external criminal attacker, opportunistic ransomware, targeted phishing, credential-stuffing, insider-turned-malicious)
  • T-Acc — Accidental (workforce mistake — misaddressed email, wrong attachment, lost phone, accidental deletion)
  • T-Str — Structural (equipment failure — the 16-year-old CS-SERVER is Exhibit A; disk failure, PSU failure, software bug, vendor outage)
  • T-Env — Environmental (power loss, fire, water, HVAC failure, theft from facility)

Each threat is paired with one or more environment-specific vulnerabilities drawn from the audit findings and the 2026-04-22 HIPAA review.

4.1 Threat-vulnerability pairs specific to Cascades

# Threat Vulnerability at Cascades (grounded in repo docs) Source
TV-01 T-Adv — credential theft / phishing No MFA enforced on M365 historically (Security Defaults not enabled); 34 Business Standard accounts; some without recent password rotation docs/cloud/m365.md line 14; master issue #15
TV-02 T-Adv — ransomware / malware 6 machines >3 months behind on Windows Updates; BitLocker broken or missing on 13 of 18 audited PCs; LAPS not deployed (same local admin password fleet-wide) docs/issues/audit-findings-2026-03-20.md items #3, #12, #13
TV-03 T-Adv — lateral movement post-compromise krbtgt password 569+ days old; RestrictAnonymous=0 fixed but LDAP channel binding not configured; Protected Users group empty audit-findings items #20, #24, #25
TV-04 T-Adv / T-Acc — shared-account abuse (anyone in a PHI-access role can sign in with no attribution) 7 Synology shared-credential accounts with RW to PHI shares: Accounting, Dining Manager, Front Desk, mcnurse, Memcare Receptionist, memcarenurse, Nurse Tower. Plus 3 workstation shared local accounts with NO password (NURSESTATION-PC Nurses, MEMRECEPT-PC memfrtdesk, RECEPTIONIST-PC Front Desk). docs/migration/synology-permission-inventory.md §Shares; audit item #5
TV-05 T-Adv — impersonation / business email compromise No Defender anti-impersonation configuration on Business Standard; DMARC now at p=quarantine (2026-04-21) but spoofing recheck only had a 26-hour clean window at time of write docs/cloud/m365-impersonation-protection.md; reports/2026-04-21-post-dmarc-spoofing-recheck.md
TV-06 T-Adv — third-party / BA exposure Microsoft HIPAA BAA not signed (active Required-spec violation under §164.308(b)(1)); ALIS BAA not yet confirmed by Medtelligent; Reliable Agency workforce-vs-BA status undetermined docs/cloud/m365.md line 12; HIPAA review 2026-04-22 C3, M3
TV-07 T-Acc — misaddressed email containing PHI Business Standard SKU has no DLP; no per-user outbound warning for PHI patterns (SSN, MRN) docs/cloud/m365.md line 101
TV-08 T-Acc — lost / stolen phone with an active ALIS session Shared caregiver phones issued in a 24/7 facility; high physical turnover; phone compliance policy enforces 6-digit PIN + 1-minute inactivity + encryption, but the human can always hand off mid-session PROJECT_STATE.md Intune rollout; ALIS web-app policy
TV-09 T-Acc — accidental over-share on SMB Everyone = Full Control on multiple CS-SERVER shares (Culinary, directoryshare, Roaming per audit); PHI may land in the wrong share via folder redirection without the user realizing audit item #14, #26
TV-10 T-Str — CS-SERVER catastrophic hardware failure 2009 Dell R610 — 16 years old — is the ONLY domain controller, ONLY file server, ONLY DNS/DHCP, ONLY Hyper-V host. Ransomware / disk / PSU failure is an extinction event audit item #2 Critical
TV-11 T-Str — no audit trail of PHI file access CS-SERVER Object Access auditing currently disabled (No Auditing); Synology ext4 provides no auditable file-access log. If a breach happens we cannot tell who read what. audit item #6 Critical; docs/security/hipaa.md gap #17
TV-12 T-Str — data loss from lack of backup CS-SERVER has no offsite backup. WSB → Synology is on-prem only and on the same physical power/fire/theft footprint. No M365 backup. audit item #1 Critical
TV-13 T-Str — audit log retention below 6-year HIPAA floor M365 audit default is 1 year, but §164.316(b)(2)(i) requires 6-year documentation retention HIPAA review 2026-04-22 H1
TV-14 T-Str — permissive firewall rule bleeds resident-VLAN traffic into staff VLAN Floating pfSense rule #4 passes all IPv4 traffic, defeating room-to-room and resident-to-staff isolation audit item #8 Critical
TV-15 T-Env — physical theft / loss of workstation Low — facility is keycard-controlled during off hours — but any workstation with a local cache of PHI (OST, downloaded attachments) and broken BitLocker is a potential breach audit item #12 combined with building access posture
TV-16 T-Env — power / water / fire Single DC co-located with all facility IT in one room; no tested disaster-recovery runbook docs/security/hipaa.md gap #1
TV-17 T-Adv — former-employee access never revoked Audit 2026-03-20 found 7 enabled-but-gone AD accounts + 5 disabled-but-not-deleted (cleaned 2026-04-13). Termination Procedures (§164.308(a)(3)(ii)(C)) not previously documented. docs/servers/active-directory.md §Account Removals; HIPAA review C2
TV-18 T-Adv — Kitchen iPad / resident-VLAN lateral access 9 kitchen iPads on INTERNAL VLAN with access to staff resources; resident VLAN bleed per TV-14 audit item #29
TV-19 T-Adv — stale / unauthorized remote-access tooling TightVNC on MEMRECEPT-PC; Splashtop on all 19 machines; Datto RMM on CS-SERVER; N-able Take Control, RemotePC, TeamViewer, GoTo all present from previous MSP audit item #20
TV-20 T-Acc — workforce not trained on Privacy Rule / sanctions No evidence of annual HIPAA Privacy training records for non-clinical workforce (drivers, courtesy patrol, life enrichment, front desk) HIPAA review 2026-04-22 H4

5. Existing controls (NIST 800-66r2 §3.4 — Control Analysis)

These are the controls actually in place as of 2026-04-24, not controls that are "planned" or "recommended." Planned controls are tracked in §7 Risk Treatment.

5.1 Administrative safeguards in place

Control Implementation HIPAA cite
Designated Security Official Mike Swanson, Arizona Computer Guru (MSP Owner) §164.308(a)(2)
MSP Business Associate relationship Arizona Computer Guru operates under BAA with Cascades §164.308(b)(1)
Workforce access controls via AD security groups Security groups SG-Management-RW, SG-Sales-RW, SG-Server-RW, SG-Chat-RW, SG-Culinary-RW, SG-IT-RW, SG-Receptionist-RW, SG-Directory-RW, SG-Caregivers created 2026-04-22; role-based access model §164.308(a)(4)
Termination — same-day account disable practice Implemented 2026-04-22 for Britney Thompson (prior to litigation-hold remediation) §164.308(a)(3)(ii)(C)
AD Recycle Bin enabled Enables account recovery within 180 days; confirmed 2026-03-21 §164.308(a)(7) supports integrity
MSP change documentation All changes logged to session-logs/, reports/, and PROJECT_STATE.md; master plan in PLAN-AND-QUESTIONS-2026-04-24.md §164.316(b)(1)

5.2 Physical safeguards in place

Control Implementation HIPAA cite
Keycard-controlled facility access Standard assisted-living physical access controls §164.310(a)(1)
CS-SERVER in locked IT room Confirmed via onsite visits §164.310(a)(2)(ii)
Intune device inventory for mobile tier 25 Samsung A15 shared phones enrolled or queued; dynamic device-group membership via enrollment profile §164.310(d)(1)
Workstation siting Front-desk workstations visible to staff only; clinical workstations in nurse stations not accessible to residents §164.310(b)

5.3 Technical safeguards in place

Control Implementation HIPAA cite
Unique User ID — office staff All M365 staff have personal first.last@ UPNs (shared mailboxes are access-delegated, not shared-credential) §164.312(a)(2)(i)
Unique User ID — caregivers (mobile tier) MSDM-based per-user Entra sign-in on shared phones; each caregiver has own AD + Entra identity §164.312(a)(2)(i)
Automatic logoff — mobile tier Android compliance policy enforces 1-minute inactivity screen lock + 6-digit numericComplex PIN; encryption required; root + SafetyNet + App Integrity enforced §164.312(a)(2)(iii) Addressable
Transmission encryption — M365 TLS 1.2+ enforced by Microsoft for Outlook / OWA / OneDrive / Teams §164.312(e)(1)
Transmission encryption — ALIS TLS 1.2+ enforced by Medtelligent §164.312(e)(1)
Encryption at rest — mobile tier Android Enterprise device-level encryption required by compliance policy §164.312(a)(2)(iv) Addressable
Person / entity authentication — office users M365 password-based, MFA will be enforced by Conditional Access post-Entra-Connect §164.312(d)
Person / entity authentication — caregivers Entra ID + MSDM + Conditional Access "Cascades - Phone MFA Exception" (MFA waived only when user ∈ SG-Caregivers AND device compliant AND sign-in from Cascades WAN IP); MFA required everywhere else §164.312(d)
DMARC Policy p=quarantine; pct=100 deployed 2026-04-21 (Mike); SPF and DKIM in place §164.312(e)(1) supports transmission integrity
DMARC post-deploy verification Spoofing recheck reports/2026-04-21-post-dmarc-spoofing-recheck.md confirmed quarantine working 26h clean window §164.312(e)(1)
Malware protection Windows Defender + MSP AV agent (Datto AV migrating to GuruRMM stack) §164.308(a)(5)(ii)(B)
MSP-managed patching GuruRMM AutoPatch running; 5 of 6 critically behind machines patched overnight 2026-03-20 §164.308(a)(5)(ii)(B)
Account lockout 5 attempts / 30 minutes, enforced in Default Domain Policy 2026-03-09 §164.308(a)(5)(ii)(D)
MDM compliance + restrictions Intune config profile CSC - Android Shared Phones Restrictions (factoryResetBlocked, no USB, no unknown sources, screenCaptureBlocked, no dev settings, update window 02:00-06:00 UTC); CSC - CSCNet Wi-Fi (WPA2-Personal) §164.310(d), §164.312(a)(1)
RDP hardened NLA required on all remaining RDP endpoints; audit finding for ASSISTMAN-PC + DESKTOP-U2DHAP0 resolved 2026-03-20 §164.312(e)(1)
Remote-access tooling consolidation Plan in place; TightVNC and legacy MSP tools flagged for removal §164.312(a)(1)

5.4 Organizational safeguards in place

Control Implementation HIPAA cite
Business Associate relationships identified Microsoft (BAA pending, item B1 — this is an active gap), Medtelligent/ALIS (pending confirmation, item B2), Arizona Computer Guru (executed) §164.308(b)(1)
Policy & procedure documentation This Risk Analysis + Security Rule Implementation Register (B8, in drafting) + Termination Procedures (B4, in drafting) + Synology shared-login risk-acceptance form (B6, in drafting) §164.316(b)(1)

6. Risk determination — likelihood × impact (NIST 800-66r2 §3.5)

Likelihood and impact are rated on a low / medium / high scale using the following rubric tailored to a single-facility covered entity:

  • Likelihood — Low: event plausible but has not been observed in this environment or comparable ones in the last 24 months, AND existing controls materially reduce exposure.
  • Likelihood — Medium: event has been observed in comparable environments (assisted living, small healthcare) in the last 24 months, OR existing controls have known gaps.
  • Likelihood — High: event has been observed in this environment OR is actively present as an unresolved gap on the day this analysis is signed.
  • Impact — Low: small number of records (<10 residents), limited to non-sensitive categories (e.g., scheduling), recoverable without OCR notification.
  • Impact — Medium: moderate exposure (10100 records) or single sensitive record (e.g., memory-care diagnosis disclosed externally); may trigger state breach-notification law (AZ has a 45-day notification clock for >1,000 residents — Cascades is below this threshold but OCR reporting still applies).
  • Impact — High: bulk exposure (≥100 records), full facility record loss, OR operational continuity hit (ALIS inaccessible for >24 hours during a clinical shift).

Overall risk tier: [CRITICAL] is reserved for pairs that are High × High; [HIGH] for High × Medium or Medium × High; [MEDIUM] for Medium × Medium or Low × High / High × Low; [LOW] for all others.

6.1 Risk ratings per threat-vulnerability pair

# Threat-vuln Likelihood Impact Tier Rationale
TV-01 Credential theft / phishing — no MFA historically Medium High [HIGH] Controls improving (DMARC, planned CA, planned Entra Connect + MFA) but baseline today is still pre-MFA. An admin mailbox compromise today gives full M365 tenant access.
TV-02 Ransomware / malware — patch + BitLocker gaps Medium High [HIGH] 5 of 6 critically-behind machines have been patched, but BitLocker is broken on 13 of 18 PCs, and LAPS is not deployed. A ransomware hit on CS-SERVER combined with TV-12 (no offsite backup) is an extinction event.
TV-03 Lateral movement / AD compromise Medium High [HIGH] krbtgt is overdue for rotation; LDAP channel binding not configured; Protected Users empty. Post-compromise blast radius is extreme because CS-SERVER is the only DC.
TV-04 Shared-account abuse on Synology + shared workstations High High [CRITICAL] 7 Synology shared logins are a present-tense Required-spec violation. 3 workstation shared accounts have no password. Active-ongoing gap; must be addressed with Phase 4 cutover + interim risk acceptance (B6).
TV-05 Impersonation / BEC Low High [MEDIUM] DMARC is now at p=quarantine with a clean recheck; no Defender anti-impersonation but DMARC materially lowers likelihood. Impact remains high because Executive Director mailbox is a high-value target.
TV-06 BA not in place (Microsoft + ALIS) High High [CRITICAL] Microsoft BAA unsigned = active Required-spec violation under §164.308(b)(1). Every day of use is a continuing violation. Remediation is a 5-minute portal click (master plan B1 / T0-3). ALIS BAA confirmation is a 1-email 1-2-week turnaround (B2).
TV-07 Misaddressed email / DLP gap Medium Medium [MEDIUM] No DLP today. Small-facility email volumes keep likelihood moderate. Business Premium upgrade (Track C / Phase 1a) unlocks DLP.
TV-08 Lost / stolen shared phone mid-session Medium Medium [MEDIUM] Compliance-policy 1-minute inactivity + 6-digit PIN + device encryption + Intune remote wipe make data-at-rest exposure low; mid-session handoff is the residual concern.
TV-09 Over-share on SMB / wrong share Medium Medium [MEDIUM] Everyone=FullControl on Culinary/directoryshare/Roaming is flagged; folder-redirection destination homes is already scoped per-user. Remediation path exists (security groups + NTFS tightening).
TV-10 CS-SERVER hardware failure Medium High [HIGH] 16-year-old Dell R610 is well past vendor-supported life. Operational-continuity impact dwarfs the confidentiality impact. Hardware replacement is a Track C / Wave 5 work item (Q39).
TV-11 No audit trail of PHI file access High High [CRITICAL] Required spec §164.312(b). CS-SERVER Object Access auditing is disabled today; Synology ext4 provides no file-access log. Breach attribution impossible.
TV-12 Data loss from backup gap Medium High [HIGH] WSB → Synology exists but is co-located; no offsite; no M365 backup. A single site event = total loss.
TV-13 Audit log retention <6 years High Medium [HIGH] M365 default 1-year retention < §164.316(b)(2) 6-year floor. Continuously out of compliance. Decision pending (B5).
TV-14 Pfsense floating rule #4 / VLAN bleed Medium High [HIGH] Resident VLAN can reach staff VLAN today. Any infected resident device has a path to staff resources. Phase 1.6 scoped-rule replacement.
TV-15 Physical theft of workstation with broken BitLocker Low Medium [MEDIUM] Facility access controls reduce likelihood; but 13 of 18 PCs lacking real disk encryption means any single theft = potential cached-PHI exposure.
TV-16 Environmental — power / fire / water Low High [MEDIUM] Commercial building, HVAC-conditioned IT room; no tested DR runbook. Likelihood low but recovery posture is weak if it happens.
TV-17 Former-employee access not revoked Low Medium [MEDIUM] Post-2026-04-13 AD cleanup and 2026-04-22 M365 orphan deletes have closed this. Formal Termination Procedures (B4) will lock the improvement in.
TV-18 Kitchen iPad / resident VLAN lateral access Medium Medium [MEDIUM] 9 kitchen iPads on INTERNAL VLAN; no PHI on iPads themselves but they could be a pivot point. Restrict-to-printer-IPs rule is planned.
TV-19 Stale / unauthorized remote-access tooling Medium High [HIGH] TightVNC on MEMRECEPT-PC is unauthorized remote access with no password — a direct admin-level foothold if discovered. Other tools are legitimate-MSP but over-installed.
TV-20 Workforce not formally trained on Privacy Rule Medium Medium [MEDIUM] No evidence of annual Privacy Rule training records for non-clinical workforce; §164.530(b)(1) is a Privacy Rule training requirement (operationally relevant to Security Rule sanctions).

6.2 Top-tier risks summary

[CRITICAL] — must be resolved or formally risk-accepted before next review:

  • TV-04 — shared-credential accounts with PHI access
  • TV-06 — Microsoft BAA unsigned (continuing Required-spec violation)
  • TV-11 — no audit trail for PHI file access

[HIGH] — actively being remediated in master plan Track A / B / C:

  • TV-01, TV-02, TV-03, TV-10, TV-12, TV-13, TV-14, TV-19

7. Risk treatment plan (NIST 800-66r2 §3.6 — Risk Response)

Each risk is assigned a treatment posture: Mitigate, Transfer (to a Business Associate via BAA), Accept (with documented residual-risk acknowledgment), or Avoid (stop doing the thing that creates the risk). Addressable-spec decisions are recorded here and cross-referenced to the Security Rule Implementation Register (docs/security/implementation-register.md, item B8 in master plan).

7.1 Required specifications — must be implemented

Spec Status Action
§164.308(a)(1)(ii)(A) Risk Analysis In progress — this document Counter-sign, file, schedule annual review 2027-04-24
§164.308(a)(3)(ii)(C) Termination Procedures Documentation pending (B4 in master plan) Howard drafts from current same-day-disable practice; Mike + Meredith sign; filed by 2026-05-02
§164.308(b)(1) Business Associate contracts — Microsoft Active violation T0-3: Meredith signs Microsoft HIPAA BAA via M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA. 5 minutes. Target: before Phase 1 caregiver pilot sign-in.
§164.308(b)(1) Business Associate contracts — Medtelligent/ALIS Pending confirmation B2: Meredith / ALIS support — 1-2 week vendor turnaround. Parallel to Track A.
§164.312(a)(2)(i) Unique User Identification — office staff Implemented Preserve in Implementation Register
§164.312(a)(2)(i) Unique User Identification — Synology Active violation (7 shared accounts) Path: (a) Phase 4 Synology retirement, OR (b) accelerated disable now with workflow disruption. Interim: Meredith signs risk-acceptance form (B6) with compensating controls — physical access control + shift sign-in sheets + monthly SMB access-log review by Howard — pending until Phase 4 cutover date.
§164.312(a)(2)(i) Unique User Identification — workstation shared local accounts Active violation 3 PCs (NURSESTATION-PC Nurses, MEMRECEPT-PC memfrtdesk, RECEPTIONIST-PC Front Desk) with passwordless shared logins. Resolved when Phase 3 domain join + Phase 5 shared-account replacement completes. Interim: same risk-acceptance form (B6) applies.
§164.312(b) Audit Controls Partially implemented CS-SERVER: enable Object Access auditing in Wave 5 hardening (documented in Implementation Register). Synology: accept that ext4 provides no audit trail; retire in Phase 4. M365: see §164.316(b)(2) below.
§164.312(d) Person / Entity Authentication In progress Post-Entra-Connect: Conditional Access policy "Cascades - Phone MFA Exception" (Report-only → On) gates office staff + caregivers. Office staff get standard MFA; caregivers get the building-only Named Location exception by design.
§164.316(b)(1) Policies & Procedures documentation In progress Implementation Register (B8) is the single index. Each policy/procedure links back to the Register row and cites this Risk Analysis.
§164.316(b)(2)(i) 6-year retention of documentation Decision pending — three options, see §7.3

7.2 Addressable specifications — decision record

For each Addressable spec, HIPAA requires a documented decision: implement as specified, implement an alternative, OR document why neither is reasonable and appropriate.

Spec Decision Rationale Alternative / compensating control Owner Register row
§164.308(a)(7)(ii)(A) Data Backup Plan Implement (in progress) WSB → Synology exists; offsite is a gap Offsite backup target to be added in Wave 5. Interim: accept co-located backup with documented recovery runbook Howard Reg-01
§164.308(a)(7)(ii)(B) Disaster Recovery Plan Implement (abbreviated) Single-facility CE, no distributed ops Written DR runbook for CS-SERVER rebuild; tested annually Howard + Mike Reg-02
§164.308(a)(7)(ii)(C) Emergency Mode Operation Implement (paper fallback) ALIS outage / network outage → paper MAR sheets; documented in Health Services SOP (not an IT deliverable — flag for Meredith + Lois Lane) N/A Meredith + Lois Lane Reg-03
§164.310(d)(2)(i) Disposal Implement Decommissioned drives destroyed via NIST SP 800-88 sanitization or physical shredding per MSP procedure N/A Howard Reg-04
§164.310(d)(2)(ii) Media Re-use Implement Same procedure as Disposal before re-use N/A Howard Reg-05
§164.312(a)(2)(ii) Emergency Access Procedure Documented decision — current posture retained Two named global admins (sysadmin@ — Howard; Mike — via his Arizona Computer Guru admin identity), both Arizona-based, both contactable 24/7 via MSP on-call. Microsoft support portal provides documented tenant-recovery path for lost-admin scenarios. No specific hardware requirement (FIDO2 / YubiKey / otherwise) is prescribed by §164.312(a)(2)(ii) and none is adopted at this time. This decision will be revisited if: (a) the admin pair changes such that both are no longer geographically diverse or availability-diverse, (b) the tenant adds additional high-sensitivity workloads, OR (c) the annual review finds the current posture inadequate. 24/7 MSP on-call + Microsoft support tenant-recovery procedures Mike (Security Official) Reg-06
§164.312(a)(2)(iii) Automatic Logoff — mobile tier Implement Intune CSC - Android Compliance: 1-minute inactivity lock, 6-digit PIN, device encryption N/A Howard Reg-07
§164.312(a)(2)(iii) Automatic Logoff — shared workstations Implement Planned GPO CSC - Shared Workstation: screen lock 10-min idle, sign-out 30-min idle, Fast User Switching disabled N/A Howard Reg-08
§164.312(a)(2)(iv) Encryption & Decryption (at rest) Implement BitLocker on all workstations (Wave 5); BitLocker verification on CS-SERVER D: drive (audit gap); SMB3 encryption on \\CS-SERVER\homes scheduled via master plan Part 6 N/A Howard Reg-09
§164.312(e)(2)(i) Integrity controls (in transit) Implement TLS 1.2+ everywhere; DMARC p=quarantine; SMB3 signing N/A Howard + Mike Reg-10
§164.312(e)(2)(ii) Encryption (in transit) Implement Same as §164.312(e)(2)(i) N/A Howard Reg-11

7.3 Audit log retention — option set (§164.316(b)(2)(i))

Per the HIPAA review 2026-04-22 H1, M365 audit default of 1 year is below the 6-year documentation-retention floor. Decision pending (Meredith, master plan item B5). Three options are on the table; no specific product is mandated by HIPAA:

  • Option A — Microsoft Purview Audit (Premium) add-on. 10-year audit log retention. Approximately $3/user/month.
  • Option B — M365 Compliance retention policy at 7 years. $0 incremental if Cascades proceeds with the Business Premium tenant-wide upgrade already teed up for Phase 1a.
  • Option C — Monthly export to immutable Azure Blob Storage. $0 licensing; requires a scheduled script and monitoring. Operational burden falls on the MSP.

Each option is reasonable and appropriate under §164.316(b)(2). The master plan flags Option B as the default path because it stacks on a purchase already planned, but the formal choice and Implementation Register entry are pending Meredith's direction.

7.4 Track A / B / C master-plan cross-references

The master plan (PLAN-AND-QUESTIONS-2026-04-24.md) is the operational artifact that remediates these risks on a schedule:

  • Track A (phones-first pilot, target Monday 2026-04-27) — addresses TV-01 (MFA via CA), TV-04 (per-person caregiver identities on phones via MSDM), TV-06 (Microsoft BAA T0-3), partial TV-08 (compliance policy already live), TV-09 (by design caregivers don't touch SMB shares).
  • Track B (HIPAA baseline — this Risk Analysis is B3) — B1 Microsoft BAA, B2 ALIS BAA, B3 this doc, B4 Termination Procedures, B5 audit-retention decision, B6 Synology risk acceptance, B7 Emergency Access decision, B8 Security Rule Implementation Register.
  • Track C (later phases) — Phase 2/3 sync (remaining TV-04, TV-17), Phase 4 Synology retirement (closes TV-04 on the Synology side), Phase 5 shared-account replacement (closes TV-04 on workstation side), Wave 5 hardening (TV-02, TV-03, TV-11, TV-12 remaining gaps, new DC hardware for TV-10).

8. Residual risks (after planned controls are in place)

Even after master-plan Tracks A through C are complete, the following residual risks remain. These are the risks Cascades knowingly carries, per the Security Rule's "reasonable and appropriate" standard (§164.306(b)).

# Residual risk Why it remains Tier Compensating posture
R-1 Synology shared-login exposure until Phase 4 cutover Workflow disruption of immediate disable exceeds acceptable operational risk to resident care. Phase 4 retirement is scheduled but weeks-to-months away depending on John Trozzi input on share usage. [HIGH] Physical facility access control, shift-based workstation sign-in sheets, monthly SMB access-log review by Howard, Meredith signs risk-acceptance form (B6). Reviewed at each Wave milestone.
R-2 CS-SERVER single-point-of-failure until hardware refresh 16-year-old Dell R610 remains the only domain controller until new server + second DC in Wave 5 / Track C. Hardware replacement requires capex approval from Meredith (Q39). [HIGH] Daily WSB backup (on-prem), extracted warranty coverage (none — hardware is out of support), runbook for emergency rebuild, PRTG + GuruRMM alerting on CS-SERVER service status.
R-3 Audit-trail completeness for pre-CS-SERVER / pre-ALIS activity Object Access auditing was off prior to Wave 5 hardening. Historical file-access events on CS-SERVER cannot be reconstructed. [MEDIUM] Going-forward auditing meets §164.312(b); documented in Register as a point-in-time baseline.
R-4 Third-party BA chain Microsoft and Medtelligent are BAs; their own BAs and subcontractors are not individually visible to Cascades [MEDIUM] Reliance on BAA obligations for downstream BAs per §164.308(b)(2) and §164.314(a)(2)(i)(B); no further diligence required of CE.
R-5 Business Standard SKU limits on DLP + anti-impersonation + Defender Full DLP + anti-impersonation require Business Premium / Defender P1-P2. Tenant-wide Business Premium is teed up for Phase 1a but not yet purchased. [MEDIUM] DMARC p=quarantine is in place; targeted protection will follow the purchase. Mailbox monitoring by MSP continues.
R-6 No immutable offsite backup Current WSB → Synology is co-located. Offsite destination + immutability are Wave 5 work. [MEDIUM] Physical controls reduce likelihood of total-site loss; still not acceptable long-term. Target: Wave 5.
R-7 Conditional Access "Cascades Office" Named Location depends on static WAN IP If Cox rotates the pfSense WAN IP, CA exception fails open (MFA prompts everywhere) or closed (locks caregivers out) depending on posture. [LOW] T0-2 is to verify WAN IP is static on the Cox circuit. If not static, a Named Location update hook (scheduled script or MSP runbook) is required. Documented as Register row when CA goes live.
R-8 Reliable Agency workforce vs BA classification If Reliable staff work under agency direction and access ALIS independently, Reliable is a Business Associate requiring a BAA. If they work under Cascades direction, they are workforce and subject to Cascades training/sanctions. [LOW] No independent PHI access until classification is resolved (HIPAA review M3). Agency caregivers work under Cascades-employed caregiver supervision in the interim.

9. Methodology limitations and information-gap flags

This analysis was drafted from repository documentation and MSP onsite observations. The following items could not be confirmed from repo docs and need CE / leadership input before the next review cycle:

  1. ALIS vendor attestation on FIPS 140-2 validated cryptography — cited in §3.1 but not in repo; requires ALIS support confirmation (tied to B2 BAA work).
  2. BitLocker state on CS-SERVER D: drive — documented as a gap in HIPAA review H3; needs Howard onsite or SSH verification.
  3. Annual Privacy Rule training records for non-clinical workforce — §164.530(b)(1); requires Meredith to confirm if training has been delivered, by whom, and whether signed acknowledgments exist.
  4. Sanctions policy for workforce HIPAA violations — §164.530(e); Meredith to confirm if Cascades has a written sanctions policy separate from general HR discipline.
  5. Reliable Agency staffing contract language — workforce-vs-BA classification (R-8); Meredith to provide.
  6. Historical breach / complaint records — whether any past OCR inquiry, state DOI referral, or resident / family HIPAA complaint exists at Cascades; affects "documented history of incidents" in future risk analyses.
  7. Paper PHI handling — paper MARs, pickup sheets, incident report forms; outside the electronic-only scope of this analysis but within the CE's overall Privacy Rule obligations.
  8. Physical safeguards audit for remote workforce — if any workforce member (e.g., Executive Director on PTO) accesses PHI from a personal home network, home-office safeguards belong in this analysis. Not currently observed.
  9. State-law overlays — Arizona medical-records retention (7 years post-last-encounter), Arizona breach notification thresholds. Addressed at the CE-leadership / legal-counsel level, not by MSP.

Each item above is flagged for next-review closure. None individually invalidates this analysis.

10. Signatures

By signing below, the parties acknowledge that this Risk Analysis has been reviewed and accepted as the current risk baseline for Cascades of Tucson, and that the risk-treatment plan in §7 and residual-risk acknowledgments in §8 reflect the covered entity's formal position as of the effective date.

Prepared by (MSP Technician):

Howard Enos — Arizona Computer Guru

Signature: ____________________________________ Date: ____________

Approved by (Designated HIPAA Security Official):

Mike Swanson — President, Arizona Computer Guru LLC

Signature: ____________________________________ Date: ____________

Counter-signed by (Covered Entity leadership):

Meredith Kuhn — Executive Director, Cascades of Tucson

Signature: ____________________________________ Date: ____________

Appendix A — Control inventory (existing + planned)

ID Control Status HIPAA cite Source
CTL-01 Designated HIPAA Security Official In place §164.308(a)(2) Mike Swanson
CTL-02 Business Associate Agreement — Microsoft Pending (active violation) §164.308(b)(1) Master plan B1 / T0-3
CTL-03 Business Associate Agreement — Medtelligent (ALIS) Pending confirmation §164.308(b)(1) Master plan B2
CTL-04 Business Associate Agreement — Arizona Computer Guru (MSP) In place §164.308(b)(1) Executed
CTL-05 AD security groups for role-based access (SG-*) In place (created 2026-04-22) §164.308(a)(4)(i) docs/servers/active-directory.md
CTL-06 AD Recycle Bin In place (2026-03-21) §164.308(a)(7) support audit item log
CTL-07 Same-day termination disable In practice (Britney Thompson 2026-04-22) §164.308(a)(3)(ii)(C) HIPAA review
CTL-08 Written Termination Procedure In drafting (B4) §164.308(a)(3)(ii)(C) Master plan
CTL-09 Formal Risk Analysis (this document) In drafting / signature §164.308(a)(1)(ii)(A) This doc
CTL-10 Security Rule Implementation Register In drafting (B8) §164.316(b)(1) Master plan
CTL-11 Synology shared-login risk-acceptance form In drafting (B6) §164.306(b) Master plan
CTL-12 M365 MFA via Conditional Access Planned (Track A A7) §164.312(d) Master plan
CTL-13 M365 Security Defaults (pre-CA baseline) Planned fallback if CA delays §164.312(d) Master plan
CTL-14 DMARC p=quarantine; pct=100 In place (2026-04-21) §164.312(e) support reports/2026-04-21-post-dmarc-spoofing-recheck.md
CTL-15 SPF + DKIM In place §164.312(e) support m365.md
CTL-16 Intune Android compliance policy In place (2026-04-21) §164.312(a)(2)(iii)(iv) PROJECT_STATE
CTL-17 Intune device restrictions config profile In place §164.310(d), §164.312(a)(1) PROJECT_STATE
CTL-18 MSDM (Microsoft Shared Device Mode) for caregiver phones In place §164.312(a)(2)(i), (d) PROJECT_STATE
CTL-19 Conditional Access Named Location "Cascades Office" Planned (Track A A2) §164.312(a)(1), (d) Master plan
CTL-20 SMB3 encryption on \\CS-SERVER\homes Planned (Part 6 executable) §164.312(e)(2)(ii) Master plan
CTL-21 BitLocker on workstations Gap (13 of 18 broken/missing) §164.312(a)(2)(iv) audit-findings #12
CTL-22 LAPS (Windows Local Administrator Password Solution) Planned (Wave 5) §164.312(a)(1) audit-findings #13
CTL-23 CS-SERVER Object Access auditing Planned (Wave 5) §164.312(b) audit-findings #17
CTL-24 krbtgt password rotation (180-day cadence) Planned (Wave 5) §164.312(a)(1) audit-findings #20
CTL-25 Protected Users group population Planned (Wave 5) §164.312(a)(1) audit-findings #25
CTL-26 Offsite backup (immutable) Planned (Wave 5) §164.308(a)(7)(ii)(A) audit-findings #1
CTL-27 Second domain controller + hardware refresh Planned (Track C Wave 5) §164.308(a)(7) support audit-findings #2
CTL-28 RDP with NLA In place §164.312(e)(1) audit-findings #19 (closed)
CTL-29 Account lockout (5 attempts / 30 min) In place §164.308(a)(5)(ii)(D) audit-findings #18
CTL-30 Annual Risk Analysis review Annual cadence (next 2027-04-24) §164.308(a)(1)(ii)(A) This doc §10
CTL-31 Audit log retention to 6-year floor Option A / B / C — decision pending (B5) §164.316(b)(2) Master plan
CTL-32 Emergency Access Procedure — documented admin posture In place (this doc §7.2) §164.312(a)(2)(ii) This doc

Appendix B — Cross-reference to 2026-04-22 HIPAA review findings

Review finding Status in this Risk Analysis
A1 — Synology shared-login accounts TV-04 / R-1, risk-accepted via B6 until Phase 4
C1 — agency shared logins (reliable1/reliable2) Resolved 2026-04-22 (not created); individual accounts required
C2 — Britney Thompson litigation hold Documented in Termination Procedures (B4)
C3 — Microsoft BAA unsigned TV-06 — active Required-spec violation, T0-3
C4 — no formal Risk Analysis This document resolves that finding
H1 — M365 audit log retention TV-13, decision pending (B5)
H2 — break-glass admin account Superseded: §7.2 Emergency Access Procedure decision (two-admin posture + Microsoft recovery path, no hardware prescription)
H3 — SMB3 encryption + BitLocker on CS-SERVER CTL-20, CTL-21
H4 — drivers + Privacy Rule training §9 information-gap item 3
M1 — automatic logoff timers CTL-07 (mobile) / Reg-08 (shared workstations)
M2 — Security Rule Implementation Register CTL-10 (B8)
M3 — Reliable Agency BA classification R-8
M4 — Christine Nyanzunda dual-role Documented in Implementation Register

End of document.

Reference in New Issue View Git Blame Copy Permalink