There are changes coming to HIPAA security rules, and I have some thoughts on what that will mean for organizations.
https://shostack.org/blog/hipaa-nprm-threat-modeling/
@adamshostack The part about many providers likely not having threat models really resonates. I expect that number to be huge, with many companies claiming to have ‘whiteboarded’ something out years ago and having retained no records whatsoever.