HHS gives HIPAA-covered entities 60 days from when they discover a data breach to notify the department. That means many of the incidents reported to OCR in May were discovered in March, and may have taken place even earlier.
It's surprising that comparatively few data breaches were reported in May, said Drex DeFord, healthcare executive strategist at cybersecurity consulting firm CI Security and former health system chief information officer. There are a few possible reasons why the COVID-19 pandemic might have coincided with a period of relatively few data breach reports, though which of them apply is still unclear.
"We have a lot of theories," he said. "But none of them are proven."
It's possible healthcare organizations have had information breached, but have been so overwhelmed with COVID-19 response that their information technology and security staffs haven't been able to investigate or report the incident yet.
"We can't help but wonder if maybe it's just 'We haven't gotten to it yet,'" DeFord said. "Maybe that's part of it."
While there have been reports of hackers launching email phishing attacks that try to take advantage of COVID-19, a cyberattack doesn't always result in a successful breach. Many of the scams seen to date rely on techniques that hospital staff are already trained to avoid—such as scammers posing as a government entity and urging a recipient to open a link that installs malware.
If hackers were able to gain access to a healthcare organization's computer systems, they could be biding their time before deploying their attack, using the interval to explore the network.
"They may have set the hook, but not done anything," DeFord said. "Maybe they've just laid low to let this COVID storm pass."
Hackers could be trying to do the right thing by not targeting hospitals that are dealing with COVID-19 response, said Caleb Barlow, CEO and president of cybersecurity consulting firm CynergisTek. Some ransomware gangs in March even claimed they would not attack hospitals during the pandemic.
"Maybe, just maybe, there's a little humanity in the middle of this," Barlow said. "Now, I don't know if that's the case."
On a less altruistic note, Barlow said hackers might not want to draw attention to themselves by bringing down a hospital's operations in the midst of a public health emergency.
Or, they could be sheltering in place and evaluating new methods to break into computer systems.
"Cyber-crime is a human activity—there's literally someone on the other side," Barlow said. "They, too, are going through this pandemic."
It's important to remember that, despite the recent dip in reported data breaches, cybersecurity preparedness in healthcare hasn't gotten better in the last month alone. In fact, it's likely gotten worse with the rise of remote work, where more staff members are using personal laptops and unsecured Wi-Fi networks, Barlow said.
That makes it imperative for hospitals to implement controls like multi-factor authentication and to ensure that remote employees are using a virtual private network.
"The entire threat landscape has changed," Barlow said. "The vulnerabilities here have gone up exponentially."