ecfirst Press

Date: Aug 18, 2016

PCI QSA Designation Requirements Successfully Met by ecfirst


Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. Websolv Computing, dba ecfirst, has successfully completed the requirements and is qualified as a PCI QSA.

Discuss your PCI DSS requirements, including risk and vulnerability assessment, penetration testing, policy development, and training with ecfirst.

Date: November 26, 2015

HIPAA Settlement Reinforces Lessons for Users of Medical Devices


Lahey Hospital and Medical Center (Lahey) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Lahey will pay $850,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Lahey is a nonprofit teaching hospital affiliated with Tufts Medical School, providing primary and specialty care in Burlington, Massachusetts.

Lahey notified OCR that a laptop was stolen from an unlocked treatment room during the overnight hours on August 11, 2011. The laptop was on a stand that accompanied a portable CT scanner; the laptop operated the scanner and produced images for viewing through Lahey’s Radiology Information System and Picture Archiving and Communication System. The laptop hard drive contained the protected health information (PHI) of 599 individuals. Evidence obtained through OCR’s subsequent investigation indicated widespread non-compliance with the HIPAA rules, including:

  • Failure to conduct a thorough risk analysis of all of its EPHI.
  • Failure to physically safeguard a workstation that accessed EPHI.
  • Failure to implement and maintain policies and procedures regarding the safeguarding of EPHI maintained on workstations utilized in connection with diagnostic/laboratory equipment.
  • Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident.
  • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident.
  • Impermissible disclosure of 599 individuals’ PHI.

In addition to the $850,000 settlement, Lahey must address its history of noncompliance with the HIPAA Rules by providing OCR with a comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance.

Contact ecfirst to learn more about how to conduct a comprehensive and thorough risk analysis exercise with a credible risk management program.

Date: September 10, 2015

Cyber Risk = Business Risk, Brief by Cyber Security Expert Pabrai in 4th Annual Phoenix Security & Audit Conference, Arizona


Just as the banks of a river contain its water, compliance safeguards and cyber security controls are vital to mitigating risk to the business. Like water in a river, sensitive, confidential information flows through all areas of the business. How prepared is the business for cyber attacks that aim to compromise Personally Identifiable Information (PII) or confidential data such as Electronic Protected Health Information (EPHI)?

Date: August 19, 2015

Are Your Applications HIPAA Compliant? Complimentary! Checklist for HIPAA Application Security


Over the past year, the cost of data breaches due to malicious or criminal attacks has increased from an average of $159 to $174 per record. Cyber attacks on healthcare organizations as well as business associates are on the rise. HIPAA mandates require that the EPHI processing applications meet defined requirements. Healthcare applications must be formally assessed to ensure HIPAA mandates are met. A cyber attack on an enterprise application may lead to a breach with EPHI accessed by unauthorized individuals.

Date: May 09, 2015

Pabrai Confirmed to Speak on Cyber Security at AHIP Conference, Nashville

Cybersecurity is a national security issue that requires strong collaboration between the public and private sectors to accurately assess emerging threats and prevent future breaches. Learn what the health plan community is doing in partnership with government and other stakeholders to protect consumers, identify potential threats and secure member information. Learn what other industries are doing and lessons that might be translated to the health plan community.

Date: 5/27/2014

Technical Vulnerability Assessment is a HIPAA Compliance Mandate

IRVINE, CALIFORNIA, USA – May 25, 2014: A key requirement of the HIPAA Security Rule compliance mandate is that organizations must conduct a comprehensive and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability (CIA) of all sensitive information such as Personally Identifiable Information (PII) or Protected Health Information (PHI).

Date: 3/25/2014

Toolkits for HIPAA, ISO & PCI DSS Released

IRVINE, CA USA — HIT/HIPAA UPDATE NEWS SERVICE — MARCH 20, 2014: Compliance mandates, such as HIPAA and HITECH, as well as international security standards such as ISO 27000 and PCI DSS, require organizations to develop a comprehensive and actionable set of policies and supporting capabilities.

Date: 3/11/2014

iPCR Product from Forte, Validated as HIPAA Compliant by ecfirst

NEWPORT BEACH, CALIFORNIA USA – March 4, 2014

Forte Holdings has combined technological expertise with input from medical workers to develop software that supports and improves patient care and administrative processes within the healthcare industry.

Date: 3/10/2014

Skagit County, Washington Breach Report Leads to OCR Investigation & HIPAA Fine

Skagit County, Washington, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. Skagit County agreed to a $215,000 monetary settlement and to work closely with the Department of Health and Human Services (HHS) to correct deficiencies in its HIPAA compliance program.

Date: 2/6/2014

MARS-E, Exchange Security

DES MOINES, IOWA, USA – February 6, 2014: There is no integrated, comprehensive approach to security and privacy that respects applicable federal requirements under FISMA, HIPAA, HITECH, ACA, the Privacy Act, Tax Information Safeguarding Requirements, and state and other federal regulations.

Date: 1/24/2014

Middle East Security Conference Features U.S. Cyber Security Expert Pabrai

IRVINE, CALIFORNIA, USA – Jan 24, 2014: The recent massive data breach at U.S. retail giant Target is becoming a nightmare. Over 110 million people were impacted, and details continue to emerge about Personally Identifiable Information (PII) compromised from credit card swipe machines and other systems.

Date: 1/14/2014

Meaningful Use Security Risk Analysis: Audit Ready? Webinar by HIPAA & Cyber Security Expert Pabrai, Jan 16 @ 10:30 am Central

IRVINE, CALIFORNIA, USA – January 16, 2014: A key requirement of Meaningful Use is that organizations conduct a comprehensive and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability (CIA) of all Protected Health Information (PHI). This is defined in the core objective and associated measurement. It impacts Eligible Professionals (EP) and Eligible Hospitals (EH)…

Date: 01/14/2013

Massachusetts AG Fines Billing & Pathology Firms $140,000 for HIPAA Breach

BOSTON – Former owners of a Marblehead-based medical billing practice and four pathology groups have agreed to collectively pay $140,000, settling allegations that sensitive medical records and confidential billing information for tens of thousands of Massachusetts patients were improperly disposed of at a public dump, Attorney General Martha Coakley announced today …