Through HIPAA Security Rule Part 1

§ 164.306 Security standards: General rules. (a) General requirements. Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any anticipated threats or hazards to the security or integrity of such information. (3) Protect against any anticipated uses or disclosures of such information not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce. 

In cyber security, one of the first concepts you learn is the CIA triangle: what information needs to be confidential (private), maintain its integrity, and be available when needed? As you can see from the paragraph above, HIPAA works within that mindset as well.

Consider it this way: what information needs to be confidential, maintain its integrity, and be available? Put that information inside the triangle. Of course, HIPAA puts patient information in the triangle, but you could put financial information or proprietary information there as well; even the DOD works within this basic principle.

The best place to begin a strong security management plan is to identify what information belongs in the CIA triangle. Obviously, patient data falls in that triangle, but what about the practice's financials? Any information whose exposure or alteration could cause financial or reputational harm should be considered and labeled Private or Confidential.

Once you identify what information belongs in the triangle, the next step is to identify where that information is created, transmitted, or stored. Which computers or devices hold that information? Which applications hold it?

The next step is to map how the information flows through the practice and, most importantly, who touches or sees that information, both internally and externally.
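The three steps above (label the information, inventory where it lives, map who touches it) can be kept as a small data-flow map that you can check mechanically. The following is an added example, not code from the original post; the system names, flows and handlers are constructed and hypothetical.

```python
# Constructed sample inventory (hypothetical names): which systems create,
# store or transmit ePHI, and whether they sit inside or outside the practice.
SYSTEMS = {
    "ehr-server":    {"holds_ephi": True,  "owner": "internal"},
    "billing-app":   {"holds_ephi": True,  "owner": "internal"},
    "front-desk-pc": {"holds_ephi": True,  "owner": "internal"},
    "clearinghouse": {"holds_ephi": True,  "owner": "external"},
    "marketing-crm": {"holds_ephi": False, "owner": "external"},
}

# Constructed sample flows: (source, destination, data class, who handles it).
FLOWS = [
    ("front-desk-pc", "ehr-server",    "ePHI",   "registration staff"),
    ("ehr-server",    "billing-app",   "ePHI",   "billing staff"),
    ("billing-app",   "clearinghouse", "ePHI",   "clearinghouse API"),
    ("billing-app",   "marketing-crm", "ePHI",   "marketing vendor"),
    ("ehr-server",    "lab-portal",    "ePHI",   "lab courier"),
    ("ehr-server",    "marketing-crm", "public", "marketing vendor"),
]

def owner_of(systems, node):
    # Anything missing from the inventory is treated as external until reviewed.
    return systems.get(node, {}).get("owner", "external")

def ephi_touchpoints(systems, flows):
    """Who touches ePHI, split into internal and external systems and handlers."""
    touch = {"internal": set(), "external": set()}
    for src, dst, cls, handler in flows:
        if cls != "ePHI":
            continue
        touch[owner_of(systems, src)].add(src)
        touch[owner_of(systems, dst)].add(dst)
        touch[owner_of(systems, dst)].add(handler)  # handler sits at the receiving end
    return {k: sorted(v) for k, v in touch.items()}

def unmapped_ephi_flows(systems, flows):
    """ePHI flows whose destination is missing from the inventory or is not
    labelled as holding ePHI: gaps in the CIA triangle that need a decision."""
    gaps = []
    for src, dst, cls, _handler in flows:
        if cls != "ePHI":
            continue
        info = systems.get(dst)
        if info is None:
            gaps.append((src, dst, "not in inventory"))
        elif not info["holds_ephi"]:
            gaps.append((src, dst, "not labelled as holding ePHI"))
    return gaps
```

Run `ephi_touchpoints(SYSTEMS, FLOWS)` to list every internal and external party that sees ePHI, and `unmapped_ephi_flows(SYSTEMS, FLOWS)` to surface flows that leave the labelled inventory; in the sample data the lab portal is absent from the inventory and the marketing CRM receives ePHI despite not being labelled for it.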
