The healthcare industry in the Middle East faces increasing cybersecurity challenges, primarily due to its historical lack of focus on cyber defenses. As hospitals and medical organizations become prime targets for ransomware attacks, regional governments are tightening cybersecurity regulations to protect critical infrastructure.
One of the latest initiatives is Abu Dhabi’s updated Healthcare Information and Cyber Security (ADHICS) Strategy. This second version of the cybersecurity framework not only introduces strict requirements for hospitals, insurance companies, medical device manufacturers, and related healthcare organizations but also ensures they can safeguard sensitive patient data and medical operations more effectively.
According to Fortra, a cybersecurity firm that analyzed the strategy in March, ADHICS marks a significant advancement in modernizing defenses while simultaneously improving patient care.
“Healthcare is no different from other industries when it comes to cybersecurity risks,” said Darren Gale, Associate VP of Sales at Fortra. “But given the sensitivity of medical records and financial transactions, robust security measures are crucial.”
Healthcare organizations have increasingly become a top target for ransomware groups. The critical nature of medical services, combined with cybersecurity gaps, makes hospitals more likely to pay ransoms to restore operations quickly.
In 2024, healthcare accounted for 23% of all incident response engagements handled by cybersecurity firm Kroll. Additionally, according to a Microsoft study, ransomware attacks on healthcare organizations surged to 400 cases globally, a 300% increase over the past decade; those cases include the major breach of Change Healthcare.
The Middle East’s Healthcare Vulnerability to Ransomware
While half of all ransomware attacks targeted organizations in the U.S., the Middle East is seeing a growing number of incidents, according to the Cyber Threat Intelligence Integration Center (CTIIC).
Despite this rising threat, cybersecurity adoption remains insufficient. In the UAE and Saudi Arabia, nearly 72% of leading hospitals have not implemented basic email security using Domain-based Message Authentication, Reporting, and Conformance (DMARC). Alarmingly, 31% of hospitals lack DMARC security entirely, according to Proofpoint’s July 2023 report.
The high value of medical data on the black market also makes hospitals prime targets. Osama Alzoubi, VP for the Middle East and Africa at Phosphorus Cybersecurity, emphasized in a December op-ed that medical records are worth up to 10 times more than financial records on illicit marketplaces.
Lessons from Abu Dhabi’s Cybersecurity Initiative
The UAE and Saudi Arabia are leading efforts to enhance cybersecurity in critical industries. In February, financial institutions across the Gulf Cooperation Council (GCC) participated in a regional cyber exercise to test their incident response capabilities.
The ADHICS Strategy provides a structured approach for hospitals and healthcare institutions to strengthen cybersecurity without disrupting patient care. The framework focuses on six key pillars:
- Governance – Establishing leadership and oversight in cybersecurity.
- Resilience – Ensuring the ability to detect, respond, and recover from cyberattacks.
- Capabilities – Enhancing technical defenses and workforce skills.
- Partnerships – Encouraging collaboration between government and private sectors.
- Maturity – Implementing best practices aligned with global standards.
- Innovation – Integrating advanced security technologies to safeguard healthcare systems.
The ADHICS framework emphasizes security across the entire organization, covering people, processes, and technology. By educating employees about cybersecurity risks, it aims to integrate best practices into daily operations without delaying patient care.
Although ADHICS currently applies only to Abu Dhabi, other UAE emirates and Middle Eastern nations are expected to adopt similar models.
Cyberattacks on hospitals and clinics can have devastating consequences, extending beyond data breaches. According to Microsoft’s research, a ransomware attack on one hospital can cause:
- 35% increase in emergency room arrivals at nearby facilities.
- 48% longer wait times for medical services.
- Double the number of confirmed stroke cases due to delayed treatments.
- 81% surge in cardiac arrest cases, leading to preventable fatalities.
These findings echo a 2021 report by the Cybersecurity and Infrastructure Security Agency (CISA), which concluded that ransomware attacks place extreme pressure on short-staffed hospitals, disrupting patient care and creating life-threatening situations.
The Need for Stronger Cybersecurity in Healthcare
With cybercriminals becoming more aggressive, Middle Eastern healthcare providers are prioritizing security. Hospitals and clinics must comply with the ADHICS standard, ensuring robust security postures that incorporate:
- Technical cybersecurity controls.
- Regulatory compliance with regional standards.
- Comprehensive risk management and training programs.
The Middle East’s healthcare industry faces a rapidly evolving cyber threat landscape. Governments are responding by implementing stricter cybersecurity frameworks, ensuring that hospitals and medical institutions are well-protected.
The ADHICS standard in Abu Dhabi serves as a blueprint for the region, reinforcing the importance of holistic cybersecurity strategies. As cyber threats continue to escalate, healthcare organizations must prioritize security investments to protect patient data and critical medical infrastructure.