Healthcare Cybersecurity UAE | ADHICS, DHA, DOH Compliance | eSHIELD IT Services


Healthcare Cybersecurity Services UAE — ADHICS, DHA, DOH, and Patient Data Protection


Quick Answer — What cybersecurity standards apply to healthcare in UAE?

Healthcare organisations in the UAE are governed by ADHICS v2 (Abu Dhabi Health Information and Cyber Security standard), DHA cybersecurity requirements for Dubai Health Authority-licensed entities, and DOH (Department of Health) controls for Abu Dhabi facilities. The UAE PDPL classifies health data as a sensitive category requiring elevated protection. All licensed health facilities must implement documented information security controls or risk regulatory action and licence review.


Why Healthcare Cybersecurity in the UAE Demands Specialist Attention

A ransomware attack against a hospital is not simply a data breach — it is a patient safety event. When clinical systems go offline, doctors lose access to medication histories. Imaging systems become unavailable. Operating theatre scheduling collapses. In 2023 and 2024, healthcare institutions across the Middle East experienced exactly these scenarios.

The UAE healthcare sector presents a specific risk profile that general cybersecurity firms are not equipped to address:

  • Operational technology (OT) and medical devices run on legacy software with no patch mechanism and are directly connected to clinical networks
  • Electronic Health Record (EHR) platforms hold the most sensitive category of personal data under UAE law, creating both regulatory and reputational exposure
  • Clinical workflows cannot tolerate the downtime that would be acceptable in commercial IT environments — a 4-hour system outage in a hospital has life-safety implications
  • Third-party integrations — insurance portals, lab systems, pharmacy networks, government health registries — multiply the attack surface significantly
  • Staff security awareness is structurally harder in healthcare: clinical staff prioritise patient care, not security protocols, and are prime targets for phishing

eSHIELD brings cybersecurity expertise built for healthcare environments — where the tolerance for disruption is zero and the regulatory obligations are layered.


Regulatory Landscape — Healthcare Cybersecurity in the UAE

1. ADHICS v2 — Abu Dhabi Health Information and Cyber Security Standard

ADHICS v2 is the most comprehensive healthcare-specific cybersecurity standard in the UAE. Mandated by the Department of Health (DOH) for all Abu Dhabi-licensed health facilities, it covers:

  • 14 control domains including access control, audit and accountability, configuration management, incident response, and system and communications protection
  • Health information security governance — board-level accountability for health data security
  • Medical device security — specific requirements for connected devices in clinical environments
  • Business continuity and clinical resilience — recovery time objectives appropriate for life-safety systems
  • Third-party health information exchange — security requirements for data shared with insurers, labs, and government registries
  • Annual self-assessment with mandatory gap remediation timelines

All healthcare facilities licensed by the DOH in Abu Dhabi — including hospitals, day surgery centres, polyclinics, diagnostic centres, and pharmacies — must comply with ADHICS v2.

2. DHA Cybersecurity Requirements — Dubai Health Authority

Healthcare entities licensed by the Dubai Health Authority (DHA) are subject to DHA’s healthcare information security framework, which draws on international standards (ISO 27001, NIST) and UAE-specific requirements. Key obligations include:

  • Patient data protection aligned with Dubai’s data governance frameworks
  • Incident reporting to DHA for breaches involving patient health information
  • Cybersecurity considerations within DHA’s Health Information Exchange (HIE) participation requirements
  • Regular security assessments for systems storing or transmitting patient data

DHA-licensed facilities operating health information systems connected to the Dubai HIE face additional security requirements around data integrity, authentication, and audit trails.

3. DOH — Department of Health, Abu Dhabi

The DOH serves as both the ADHICS standard body and the licensing authority for Abu Dhabi healthcare facilities. Beyond ADHICS, DOH regulatory guidance covers:

  • Telemedicine security requirements (particularly relevant post-2020 adoption)
  • Requirements for health data hosting — restrictions on offshore storage of patient records
  • Audit rights and the DOH’s authority to inspect health information security controls

4. UAE PDPL — Patient Data as Sensitive Personal Data

The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) classifies health and medical data as sensitive personal data requiring the highest level of protection. Obligations specific to healthcare organisations include:

  • Explicit consent for processing sensitive health data (with limited exceptions for direct patient care)
  • Data minimisation — collecting only the health data necessary for the clinical or administrative purpose
  • Enhanced security measures — technical and organisational controls proportionate to the sensitivity of health data
  • 72-hour breach notification to the UAE Data Office for breaches involving sensitive personal data
  • Data subject rights — patients have rights to access, correct, and in some circumstances delete their health records
  • Cross-border transfer restrictions — health data transfers outside the UAE require specific legal basis

Healthcare organisations that process data for patients in Abu Dhabi’s ADGM or Dubai’s DIFC free zones may also face additional data protection requirements under those jurisdictions’ frameworks.

5. HAAD — Historical Context

The Health Authority of Abu Dhabi (HAAD) was the predecessor to the DOH. Organisations that implemented health information security programmes under HAAD guidelines should ensure they have mapped to the current DOH/ADHICS v2 requirements, as there are material differences.


Healthcare Risks We Address

Ransomware Targeting Hospital Systems

Healthcare is the sector most frequently targeted by ransomware groups globally, and UAE hospitals are not exempt. Ransomware actors specifically target healthcare because:

  • Clinical systems cannot be taken offline for extended periods, increasing the likelihood of ransom payment
  • Healthcare networks often have poor network segmentation, allowing lateral movement from a single compromised endpoint to EHR servers and imaging systems
  • Backup integrity in healthcare environments is frequently insufficient to support rapid recovery

Our approach addresses ransomware risk through network segmentation, immutable backup architecture, endpoint detection and response (EDR), and clinical-aware incident response planning.

Medical Device and IoT Vulnerabilities

Modern hospital environments contain hundreds to thousands of networked devices — infusion pumps, patient monitors, imaging equipment, ventilators, and surgical robots. The majority run operating systems that cannot be patched. Many have default credentials that were never changed during installation.

These devices present a specific risk: they are connected to clinical networks, often in the same network segment as EHR systems, and they cannot be taken offline for security remediation. Our medical device security assessment identifies these vulnerabilities and defines compensating controls — network isolation, traffic monitoring, and access controls — that reduce risk without disrupting clinical operations.

EHR System Breaches

Electronic Health Record systems — including Epic, Cerner, Meditech, and locally deployed systems — are primary targets because they aggregate comprehensive patient data across clinical, administrative, and billing functions. EHR breaches in the UAE create simultaneous obligations: clinical notification, regulatory notification to DHA or DOH, and PDPL breach notification.

Our EHR security assessments test authentication controls, role-based access implementation, audit log integrity, and integration security for connected lab and imaging systems.

Clinical Workflow Disruption

The security control that would be routine in a commercial environment — taking a system offline for patching, blocking an external IP range at the firewall — can have direct clinical impact in a hospital. Security decisions must be made with clinical workflow input. Our healthcare security programme includes a clinical impact assessment for every significant control change, ensuring that security improvements do not create patient safety risks.


Our Healthcare Cybersecurity Services

ADHICS v2 Gap Assessment

A structured evaluation of your current security posture against all 14 ADHICS v2 control domains:

1. Structured review of existing policies, procedures, and technical controls
2. Interviews with IT, clinical informatics, and compliance stakeholders
3. Technical sampling of key control implementations
4. Gap register scored by domain, severity, and remediation complexity
5. Prioritised roadmap with effort and cost estimates for each gap
6. Board-ready report in DOH-compatible format

Typical duration: 4–6 weeks for a mid-sized hospital. Output is directly usable for DOH submission.

Medical Device Security Assessment

Purpose-built assessment for clinical device environments:

  • Device discovery and inventory — identifying every networked device on clinical networks, including those not in the asset register
  • Vulnerability scanning of medical devices using non-disruptive, clinical-safe scanning methods
  • Network segmentation analysis — are clinical devices isolated from administrative and guest networks?
  • Default credential review on accessible management interfaces
  • Traffic analysis — identifying unexpected communication from devices to external endpoints
  • Compensating control recommendations for unpatched devices

EHR Penetration Testing

Authenticated and unauthenticated security testing of EHR platforms:

  • Privilege escalation testing — can a ward nurse access records outside their clinical scope?
  • Audit log integrity — can audit records be modified or deleted?
  • Integration point testing — APIs connecting EHR to lab, radiology, pharmacy, and insurance systems
  • Authentication security — session management, MFA implementation, password policy enforcement
  • Data export controls — can patient data be extracted in bulk by non-administrative users?

Staff Security Awareness Training for Clinical Teams

Security training designed for clinical staff — not for IT teams. Our healthcare awareness programme:

  • Phishing simulation using clinical-context lures (patient referral emails, lab result notifications, medical device vendor communications)
  • Training modules specifically built for clinical workflows — short, scenario-based, and relevant to ward staff, nursing, and clinical administration
  • Role-based training for high-risk roles: clinical administrators, EHR super-users, and staff with privileged access
  • Measurable outcomes — phishing click rates, training completion, and knowledge assessment scores
  • Reporting for DHA/DOH compliance evidence

Incident Response for Healthcare

Healthcare incident response requires clinical continuity planning alongside technical response. Our healthcare IR service includes:

  • 4-hour on-site response SLA for retainer clients in Dubai and Abu Dhabi
  • Clinical system recovery prioritisation — working with clinical leadership to sequence system restoration by patient safety impact
  • Parallel regulatory track — PDPL notification preparation, DHA/DOH incident notification, and clinical notification drafting simultaneously
  • Forensic evidence collection without disrupting patient care
  • Post-incident resilience review — changes to backup, segmentation, and detection to prevent recurrence

ISO 27001 for Healthcare Organisations

ISO 27001 certification is increasingly requested by international insurance partners, healthcare group headquarters, and government health authorities as evidence of mature information security governance. For UAE healthcare organisations:

  • We scope ISO 27001 implementation to align with ADHICS v2, maximising overlap between frameworks
  • Implementation timeline for a mid-sized clinic or specialist hospital: 8–12 months
  • Certification audit support through an accredited certification body
  • Post-certification maintenance through our ongoing compliance retainer

Pricing — Healthcare Cybersecurity Services

| Service | Indicative Price Range (AED) |
| --- | --- |
| ADHICS v2 Gap Assessment (clinic/polyclinic) | AED 15,000 – 22,000 |
| ADHICS v2 Gap Assessment (hospital) | AED 25,000 – 35,000 |
| Medical Device Security Assessment | AED 18,000 – 40,000 |
| EHR Penetration Testing | AED 20,000 – 45,000 |
| Healthcare VAPT (full scope — network + apps + devices) | AED 35,000 – 60,000 |
| Staff Awareness Training (annual programme) | AED 12,000 – 28,000 |
| Incident Response Retainer | AED 8,000 – 18,000 per month |
| ISO 27001 Implementation (healthcare, full programme) | AED 55,000 – 95,000 |
| Annual ADHICS Compliance Retainer | AED 40,000 – 100,000 per year |

Pricing varies by facility size, system complexity, and scope. All engagements are scoped after an initial assessment. VAT at 5% is added where applicable.


What Makes eSHIELD Different in Healthcare

We do not apply a generic cybersecurity methodology to healthcare environments and assume clinical context will be irrelevant. It is always relevant.

Clinical environment awareness. Our assessors understand that a port scan against a medical device can cause it to malfunction. We use approved, non-disruptive scanning techniques validated against clinical device environments.

Regulatory precision. ADHICS v2, DHA requirements, and the UAE PDPL have specific language, specific evidence requirements, and specific reporting formats. We produce documentation in the format that regulators actually use — not generic reports that create additional work for your compliance team.

Bilingual clinical engagement. Our team works comfortably with clinical, IT, and compliance stakeholders. We do not require your clinical informatics team to translate security concepts for us.


Frequently Asked Questions

1. Is ADHICS compliance mandatory for all healthcare facilities in Abu Dhabi?

Yes. ADHICS v2 is mandatory for all healthcare facilities licensed by the Department of Health (DOH) in Abu Dhabi. This includes hospitals, day surgery centres, polyclinics, specialist clinics, diagnostic imaging centres, and pharmacies. Non-compliance can result in regulatory action including licence review. DOH conducts periodic audits and can request evidence of ADHICS compliance at any time.

2. What is the difference between DHA and DOH cybersecurity requirements, and which applies to us?

The Dubai Health Authority (DHA) licenses and regulates healthcare facilities in Dubai. The Department of Health (DOH) — formerly HAAD — licenses and regulates facilities in Abu Dhabi. If you operate in Dubai, you are subject to DHA requirements. If you operate in Abu Dhabi, you are subject to DOH and must comply with ADHICS v2. Facilities operating in both emirates must satisfy both regulatory bodies. Facilities in DIFC or ADGM free zones should seek specific regulatory advice on applicable frameworks.

3. How does UAE PDPL affect healthcare organisations specifically?

The UAE PDPL classifies health and medical data as sensitive personal data — the highest protection category under the law. Healthcare organisations must obtain explicit patient consent for processing health data, implement enhanced security measures, and notify the UAE Data Office within 72 hours of a breach involving patient data. The PDPL applies regardless of whether you are licensed by DHA or DOH.

4. Can medical devices be included in a penetration test without disrupting patient care?

Yes, with the right methodology. Standard penetration testing tools can cause medical devices to malfunction, freeze, or restart — which is obviously unacceptable in a clinical environment. Our medical device security assessment uses non-disruptive, approved techniques: passive traffic analysis, review of management interfaces, credential testing on isolated test environments where available, and vendor documentation review for devices that cannot be directly tested. We conduct all assessments during planned windows with clinical team coordination.

5. What is the realistic timeline to achieve ADHICS v2 compliance from a standing start?

The timeline depends on the current maturity of your security programme. A facility with basic IT controls but no formal ADHICS programme should plan for 6–12 months to reach full compliance. The gap assessment (4–6 weeks) identifies the specific gaps. Remediation of critical gaps — particularly access control, incident response, and audit logging — typically takes 3–4 months. Documentation, policy development, and staff training account for an additional 2–3 months. We can accelerate timelines for facilities facing regulatory deadlines.

6. Does ISO 27001 satisfy ADHICS requirements?

ISO 27001 and ADHICS v2 have significant overlap — both cover governance, risk management, access control, and incident response. However, ADHICS v2 includes healthcare-specific requirements — particularly around medical device security, clinical system continuity, and health information exchange — that ISO 27001 does not specifically address. ISO 27001 certification is a strong foundation and reduces the effort required to achieve ADHICS compliance, but it does not substitute for ADHICS compliance. We structure programmes to achieve both simultaneously where possible.


Related Services

  • [VAPT Services UAE](/vapt-services-uae/) — Vulnerability assessment and penetration testing across all platforms
  • [ISO 27001 Consultant UAE](/iso-27001-consultant-uae/) — ISO 27001 implementation and certification support
  • [Data Privacy UAE](/data-privacy-uae/) — UAE PDPL compliance for health data processors
  • [Managed SOC Services UAE](/managed-soc-services-uae/) — 24/7 threat monitoring for healthcare environments
  • [Virtual CISO UAE](/virtual-ciso/) — Fractional CISO for healthcare organisations without a security leader

Book Your Free Healthcare Security Assessment

A complimentary initial assessment covers your regulatory obligations under ADHICS, DHA, and UAE PDPL, identifies your highest-priority security gaps, and provides a realistic roadmap. No sales pitch — specific, clinical-context output.

[Book Your Free Healthcare Security Assessment →](#contact)
