ONC has announced updates to the Security Risk Assessment framework that OCR encourages HIPAA covered entities to use in conducting their risk assessments. Remember, conducting a risk assessment is a required Security Rule safeguard; since you gotta do it, you might as well do it right. I highly recommend poking around in the tool, even if you aren't actually doing an assessment, because it makes you think about your own data security. Very useful help, especially from a bureaucracy.