As part of the completion of the Certified Cyber Insurance Specialist (CCIS) training, Rohit Kanthra compiled an industry analysis of cyber risks in the UAE healthcare sector. In recent years, the UAE government has taken remarkable steps to combat cyberattacks, yet the majority of hospitals lack basic cyber security measures. The UAE is taking several steps to protect its citizens and residents from cyberattacks. The government has dedicated a Computer Emergency Response Team (aeCERT) to improve the standards of information security in the UAE and protect the IT infrastructure from potential risks and violations. However, the healthcare industry stores and processes vast amounts of sensitive and valuable data, including personal health information, medical records, insurance details, and payment information. This data is highly sought after by cybercriminals for various purposes, such as identity theft, financial fraud, or selling on the black market.
Key Cyber Risks in the UAE Healthcare Sector
The UAE prioritizes providing residents with high-quality healthcare services, evident through substantial investments in infrastructure, technology, and human resources. The Dubai Health Authority (DHA), Health Authority Abu Dhabi (HAAD), and Ministry of Health and Prevention (MOHAP) regulate and license healthcare facilities and professionals. Health insurance is mandatory for all UAE residents, contributing to the growth of the private healthcare sector and enhancing accessibility to services. The healthcare system comprises public services offered by the Ministry of Health and Prevention and other governmental bodies, alongside a significant role played by the private sector, with numerous hospitals, clinics, and medical centers throughout the country. The UAE has also enacted Federal Decree Law No. 34 of 2021 on Combatting Rumors and Cybercrimes, which took effect on January 2, 2022.
Lack of DMARC Protection in UAE Healthcare
An email protection service is of paramount importance to combat cyber risk in the healthcare industry. Domain-based Message Authentication, Reporting and Conformance, also known as DMARC, is an email authentication protocol. It works by verifying a sender’s identity before allowing the message to reach its intended destination. It is therefore particularly effective at preventing spoofing attacks.
However, a report by Proofpoint Inc. reveals that only 69% of UAE hospitals have published a DMARC record, leaving 31% that have taken no steps toward this protection. Additionally, 72% of the top hospitals in the UAE are lagging behind on basic cybersecurity measures. The analysis conducted on the top hospitals revealed that only 28% have implemented the required level of DMARC protection.
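The gap between publishing a DMARC record and enforcing one can be checked from the record text itself. The following is an added example, not taken from the Proofpoint report or any tool it describes: it classifies the TXT records found at `_dmarc.<domain>` by policy strength. The function names and the `.example` domains with their records are constructed for illustration, and since the page does not define the "required level", the code only reports the published policy.

```python
# Added example: classify DMARC TXT records (constructed samples, no DNS lookups).

def parse_dmarc(txt):
    """Return the tag dict for one TXT string, or None if it is not a DMARC record."""
    tags = []
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag: this example treats the record as unusable
        tags.append((name.strip().lower(), value.strip()))
    # RFC 7489: the first tag must be v, with the exact value "DMARC1".
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)


def dmarc_posture(txt_records):
    """Classify the list of TXT strings published at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "no-record"
    if len(records) > 1:
        return "invalid"  # several DMARC records: receivers do not apply DMARC
    rec = records[0]
    policy = rec.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # Missing or bad p: receivers fall back to monitoring only if rua is set.
        return "monitor-only" if "rua" in rec else "invalid"
    if policy == "none":
        return "monitor-only"  # published, but spoofed mail is still delivered
    pct = rec.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial-" + policy  # policy applied to only a share of failing mail
    return policy


# Constructed sample records for hypothetical domains.
SAMPLES = {
    "hospital-a.example": ["v=spf1 -all"],
    "hospital-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@hospital-b.example"],
    "hospital-c.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hospital-c.example"],
    "hospital-d.example": ["v=DMARC1; p=quarantine; pct=25"],
    "hospital-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(f"{domain:22} {dmarc_posture(txt)}")
```

A domain reported as `monitor-only` counts as having published a record, yet it gives receivers no instruction to quarantine or reject spoofed mail.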
Improved Technology for Patient Care
The UAE healthcare industry has embraced digital advancements in healthcare technology. Telemedicine services, electronic medical records, and artificial intelligence applications are just some examples of how technology is being leveraged to enhance patient care and improve efficiency within the industry. Cybersecurity threats like phishing, man-in-the-middle attacks, zero-day exploits, network vulnerabilities, and ransomware pose significant risks. These incidents jeopardize patient safety, data protection, and operational continuity in the healthcare industry. The immense value of healthcare data on the DarkNet makes the industry an attractive target for attackers.
Mitigating Cyber Risks in the UAE Healthcare Sector
Internal threats such as malicious insiders and human error, together with third-party risks from vendors and service providers, further exacerbate vulnerabilities in the UAE healthcare industry. To address these risks, healthcare facilities must prioritize cybersecurity measures, including employee training, software updates, network segmentation, strong access controls, data encryption, incident response planning, and collaboration with cybersecurity experts. Additionally, proper vendor assessments and due diligence, along with secure communication channels, are crucial for mitigating supply chain vulnerabilities and maintaining data privacy and compliance.
The government’s commitment to improving healthcare access and the growing medical tourism sector contribute to the continued growth and development of the industry. The UAE has not seen any major cyberattacks in the healthcare industry, but it is certainly not immune, and as it embraces more technological advancement in healthcare, the industry is becoming more and more vulnerable.