The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes a national set of minimum security standards for protecting all electronic protected health information (ePHI) that a Covered Entity (CE) or Business Associate (BA) creates, receives, maintains, or transmits. The Security Rule contains the administrative, physical, and technical safeguards that CEs and BAs must put in place to secure ePHI. With that in mind, what types of information system components need to be heavily scrutinized to help protect the confidentiality and integrity of ePHI? What types of controls would you recommend implementing to safeguard ePHI? Cite resources and references that back up your assertions.
The Health Insurance Portability and Accountability Act of 1996 established federal standards that mandate the protection of sensitive health information. Systems that must be scrutinized heavily to verify that protection include access control systems, authentication logs, transmission channels, and storage environments. Data should be encrypted both in transit and in storage. Multifactor authentication and role-based access controls should be utilized. Servers should not be physically accessible to those who are not authorized. TLS, VPNs, and secure APIs should be utilized to prevent data from being intercepted. Perhaps most importantly, all staff should receive security training so they are prepared for all threats, including but not limited to social engineering, phishing, and other technical pitfalls that can result in a data breach.