A few questions:
- How exactly did the third-party get compromised? What network segmentation was in place or not?
- How much is the breach going to cost Sentara?
- Did Sentara conduct any cyber security due diligence with the third-party vendor? Vulnerability assessments? Monitoring?
- How was the breach detected? Did Sentara detect it? Or were they notified from elsewhere? What worked? What didn’t work?
It’s critically important to work closely with HIPAA/HITECH business associates on a technical cyber security level since the hackers will take advantage of the weakest link in the connected IT systems.
Heck…with any business associate…Target was compromised through an HVAC vendor. If the company networks are connected, they need to be under continuous monitoring and vulnerability tested at least annually.