The Senate Committee on Commerce, Science, and Transportation today released its analysis of the 2013 Target Data Breach, using the “intrusion kill chain” framework from Lockheed Martin as its analytical tool. In short, the analysis shows that although Target likely failed at multiple steps along the chain to stop the breach, the attackers’ opening move was aimed not at Target itself but at a Target vendor, Fazio Mechanical Services.

Although the details are not disclosed, the report does suggest that the attacker may “have sent malware-laden emails to Fazio at least two months before the Target data breach began.” Target’s supplier portal and facilities management pages were apparently viewable on the Internet, and files from those sites “allowed the attacker to map Target’s internal network prior to the breach.” Unfortunately, Fazio was also using a free version of an anti-malware product, which did not provide real-time protection and was intended only for individual consumer use.

The message to Business Associates—and Covered Entities—is quite clear: the weakest link may be outside the primary organization. A crucial component of cybersecurity is ensuring that Covered Entities, as well as their Business Associates and subcontractors, have completed a HIPAA Security Rule risk assessment in the last 12 months, and that the analysis adequately assesses threats, vulnerabilities, and controls.