Don, your point is well taken, and that's why I am following my REC's advice on the toolkits for security implementation. I don't want to give back $18,000 plus fines and penalties if audited and found not to be compliant with MU attestation.

Despite what the others were kind enough to post from the CMS website, the toolkit they gave us is loaded with references derived from HIPAA security measures. In fact, the entire toolkit is created specifically around the HIPAA security rules.

I agree with Sandeep that there is a major emphasis on physical security. In fact, many of the questions on the internal audit are geared at physical security and accidental errors by staff. Malicious outside attacks are barely covered in the security audit.

One main point to remember: it's an internal audit. Think of it this way: you conduct a self-review of your potential security breaches. You identify none, you are done. You identify a few, write a brief policy in the policy manual for the office addressing the security deficiency, and you are done. What was tedious was going through the entire self-audit, reviewing dozens upon dozens of potential scenarios and dozens of questions asking about the security of my system.

Best of luck! I'm sure you'll do fine.
Adam Lauer, DO (solo FP)
Twin City Family Medicine
Brewer, ME