Abu Dhabi, United Arab Emirates: In a decisive move to fortify its healthcare sector against escalating cyber threats, the United Arab Emirates has unveiled a refined regulatory strategy, aiming to shield hospitals and medical institutions from crippling ransomware attacks and data breaches.
The urgency stems from a stark reality: healthcare, a critical lifeline, has become a prime target for cybercriminals. Its inherent vulnerability, often stemming from historical underinvestment in cybersecurity, has left it exposed to the predatory tactics of ransomware groups.
Abu Dhabi, a key emirate within the UAE, has taken a leading role, releasing the second iteration of its Abu Dhabi Healthcare Information and Cyber Security (ADHICS) Strategy. This comprehensive framework mandates stringent cybersecurity standards for all healthcare stakeholders, from hospitals and insurers to medical device manufacturers.
“Healthcare is no different [from other industries], but the data set is extremely sensitive, both in terms of health records and financial transactions,” explains Darren Gale, associate vice president of sales at cybersecurity firm Fortra. “The criticality of medical care means hospitals are more likely to pay ransoms.”
The statistics paint a grim picture. Healthcare topped the list of ransomware targets in 2024, accounting for a staggering 23% of all incidents handled by incident response firm Kroll. Microsoft’s research reveals a 300% surge in ransomware attacks on healthcare globally over the past decade, with the recent Change Healthcare breach serving as a stark reminder of the potential for devastating disruption.
Osama Alzoubi, vice president for the Middle East and Africa at Phosphorus Cybersecurity, underscores the allure of medical data on the black market. “Medical information is one of the most valuable commodities, fetching up to ten times the price of financial records,” he warns.
The ADHICS Strategy, built upon six pillars – governance, resilience, capabilities, partnerships, maturity, and innovation – seeks to foster a holistic approach to cybersecurity. Recognizing the time-sensitive nature of healthcare delivery, the strategy emphasizes the need for security controls that do not impede patient care.
“The Standard’s holistic approach covers the whole organization not just IT, and encompasses people, processes, and technology across the lifecycle of health information,” the document states.
While the ADHICS framework is currently specific to Abu Dhabi, its influence is expected to extend across the UAE and the wider Middle East. “Each Emirate is creating their own guidelines for best practice of technical controls,” Gale observes. “The other 5 emirates are likely to closely follow what DOH [Department of Health] has produced in Abu Dhabi.”
The growing threat landscape, characterized by “an increasingly aggressive adversarial landscape,” has prompted a region-wide push for enhanced cybersecurity. Governments and industries across the Gulf Cooperation Council (GCC) are collaborating to develop robust regulatory frameworks.
Microsoft’s research highlights the cascading effects of ransomware attacks on hospitals, with significant increases in emergency arrivals, waiting times, and critical medical conditions. The need for proactive cybersecurity measures has never been more urgent.
The UAE’s proactive stance in strengthening its healthcare sector’s cyber defenses sets a precedent for the region, demonstrating a commitment to safeguarding critical infrastructure and patient well-being in an increasingly volatile digital landscape.
