As licensed mental health and addiction professionals, our responsibility to our clients extends beyond the therapy or counseling room. The Biden-Harris Administration’s National Cybersecurity Strategy Implementation Plan (NCSIP), introduced in March, highlights the significance of this extended duty. Also known as the 2023 Cybersecurity Plan or Cybersecurity Strategy, this comprehensive blueprint is designed to enhance cyber resilience, mitigate cyber threat activities, and distribute cyber defense responsibilities throughout the US, including our addictions and mental health field.
The NCSIP 2023 Cybersecurity Plan
The NCSIP, a pivotal part of the 2023 Cybersecurity Plan, details over 65 federal programs that align with the National Cybersecurity Strategy. Several of these programs are already underway and carry significant implications for the healthcare sector, particularly for mental health professionals.
Key Features of the Proposed Cybersecurity Strategy
The proposed cybersecurity strategy aims to revolutionize our digital ecosystem. Its vision encompasses the development of a smart grid, expanding the Internet of Things (IoT), and establishing a real-time global collaboration network. Realizing this vision hinges on the cybersecurity and resilience of the underlying technologies.
Our current digital ecosystem is prone to disruptions and exploitations, often by malicious entities. Thus, changes are imperative to ensure a defendable, resilient digital space where defending systems is costlier than attacking them. The strategy aligns the digital ecosystem with the principles of the Declaration for the Future of the Internet and the Freedom Online Coalition, emphasizing data security and resilience to catastrophic outcomes.
Recognizing the Malicious Actors
Cyber threats have escalated from minor disturbances to major attacks on critical infrastructure and sophisticated campaigns to undermine public trust. These threats originate from various countries and criminal syndicates, threatening US interests. For instance, China poses the most persistent threat, extending beyond intellectual property theft. Russia uses cyber capabilities to destabilize regions and interfere globally, weakening US alliances. Governments like Iran and North Korea are also ramping up malicious cyber activities. Such threats necessitate a robust cybersecurity plan.
2023 Cybersecurity Plan: Shifting Responsibilities
The 2023 Cybersecurity Plan delineates a shift in cyberspace defense responsibilities. The plan emphasizes that the onus of data protection and system reliability will be on the owners and operators of critical systems, including mental health professionals managing sensitive client data. The Federal Government will ensure private entities secure their infrastructure and counter cyber threats.
This strategy consolidates cybersecurity efforts into the new investments made under the Bipartisan Infrastructure Law and other acts. The White House views the strategy as an evolution towards a secure digital ecosystem, not a replacement.
Behavioral Health Action Plan for Complying with NCSIP
Given the context of the NCSIP, mental health professionals may want to consider the following actions:
- Stay Informed. Familiarize yourself with the National Cybersecurity Strategy and its implementation plan, particularly the aspects relevant to the healthcare sector. Understand the potential cybersecurity threats to your practice and the industry at large.
- Cybersecurity Training. Regularly update your knowledge and skills in cybersecurity practices. Encourage your staff to participate in cyber hygiene training to protect patient information and reduce the risk of cyberattacks.
- Secure Patient Data. Ensure all patient data is stored and transferred securely. Use secure networks, encrypted communication channels, and robust data protection software.
- Vendor Evaluation. Conduct thorough security evaluations if using third-party data storage or management services. Contact them to ask about their compliance with NCSIP. When considering additional features to accommodate disabled clients and patients, only use HIPAA-compliant companies that provide Business Associate Agreements. These may include transcription tools, translation tools, closed-captioning tools, magnification features, text-to-speech (TTS) tools, and form builders. Only work with vendors that comply with relevant cybersecurity standards and regulations.
- Develop an Incident Response Plan. Create a step-by-step, written incident response plan for potential cyber threats. This plan should outline steps to take in case of a data breach or cyberattack, including restoring systems and notifying affected parties.
- Insurance. Consider investing in cyber insurance to cover the costs associated with potential breaches, including recovery operations, legal fees, and patient notifications.
- Regular Updates and Maintenance. Regularly update software, systems, and devices to protect against known vulnerabilities.
- Advocate for Cybersecurity. Be a vocal advocate for robust cybersecurity measures in the healthcare industry, emphasizing the importance of patient data security.
- Collaborate. Work with IT professionals and cybersecurity experts to improve your practice’s defenses and stay updated on the latest threats and best practices.
- Compliance. Ensure compliance with federal and state cybersecurity regulations, including the Health Insurance Portability and Accountability Act (HIPAA).
In an increasingly digital world, a robust cybersecurity strategy is a necessity. As mental health professionals, we must stay informed, proactive, and vigilant. NCSIP and the broader 2023 Cybersecurity Plan offer a roadmap for us to protect our practice and, more importantly, ensure our patients’ and clients’ trust and safety. Let’s collectively strive toward a secure, resilient, and ethically-driven digital ecosystem in addictions and mental health care.