Due to the continuous increase in intensity and sophistication of cyberattacks as technology advances, every industry that interacts directly or indirectly with technology is vulnerable. Particularly in industries such as healthcare, where the primary interaction with technology is the storage and use of confidential user data such as Personally Identifiable Information (PII) and Personal Health Information (PHI), threat actors seek to target such systems in order to harvest the data for use in their malicious activities.
As the world seeks to improve and digitize medical services through electronic diagnosis and healthcare delivery, several unwanted actions are impeding its efficiency. Following the increased digitization of services due to the Covid-19 pandemic, security breaches have intensified. Healthcare experienced more cyberattacks during this time than any other sector except the financial sector.
The UAE saw a 55% increase in data breaches related to healthcare entities during the pandemic’s peak in 2020. An even higher figure was recorded in 2021. A similar hike in cyberattacks targeted at healthcare institutions is also experienced in first-world countries, including the US.
At the top of the high-profile cybersecurity breaches is the ransomware attack on NHS Moorfields Hospital in the UK, which led to the exfiltration of over 60 GB of data that included employee IDs and patient data, among other confidential information. Because of the continuous increase in security breaches in the healthcare sector, there is a need to improve cybersecurity practices among hospitals and other health-related organizations, which is one of the reasons ADHICS was developed.
What is ADHICS?
In 2018, the Department of Health, Abu Dhabi (DoH), launched the development of an Abu Dhabi Healthcare Information and Cybersecurity Standard (ADHICS) to combat data theft and other cybersecurity attacks. The standard includes several rules and recommendations designed to assist healthcare organizations in establishing and maintaining a high level of security for patient data, as well as guaranteeing public confidence in the privacy and confidentiality of their health data.
ADHICS assists the UAE in enforcing cybersecurity practices in the healthcare industry so that it can compete with global standards. The standard is applicable to all healthcare-related entities, including medical facilities, diagnostic labs, pharmacies, healthcare professionals, health insurance companies, and support staff who have access to patients’ health, diagnostic, and personal information.
Given that ADHICS was only released in 2019, barely a year before the Covid-19 pandemic, many organizations have yet to fully implement its recommendations and adhere to the standards. This created space for numerous threat actions during the sudden increase in e-healthcare at the height of the Covid-19 pandemic.
While the consequences of the attacks were regrettable, they served as a wake-up call for many other healthcare institutions to pay closer attention to their cybersecurity status. The attacks ultimately increased the adoption, compliance, and enforcement of ADHICS, and the UAE healthcare industry is benefiting greatly as a result.
Benefits of ADHICS on the UAE Healthcare Industry
ADHICS standards compliance has numerous advantages for the healthcare organization, the patients, and the healthcare staff—from protecting the confidentiality of patient data to educating healthcare workers about the value of security, to assisting hospitals and medical centers in avoiding the loss that frequently follows cyberattacks.
In general, ADHICS has contributed to the establishment of a solid groundwork for the ongoing implementation of security best practices and guidelines for a more trustworthy digital healthcare service in the UAE. Furthermore, the health standard contributes to the improvement of the UAE healthcare sector in the following ways:
1. Protection of Healthcare Information
ADHICS emphasizes the importance of conducting periodic risk assessments and identifying critical assets that may be vulnerable to cyberattacks. As more healthcare organizations adopt ADHICS and implement this guideline, the likelihood of an attack that results in a breach of user data decreases. As a result, healthcare facilities in the UAE are growing more confident in their ability to safeguard their patients’ information.
2. Enhancement of Trust in Healthcare Personnel and Institutions
The healthcare industry is heavily reliant on trust between a healthcare institution, the patient, and the staff who care for the patient. When patients do not trust a healthcare institution to keep their data private, the relationship between these parties is strained and the institution’s business operations will be disrupted. Beyond the IT system, the ADHICS standard imposes processes and practices that ensure that every member of the healthcare staff embraces security practices in their daily activities, so that they do not act as potential penetration points for threat actors. By implementing these guidelines, ADHICS increases customer trust in, and the reliability of, healthcare personnel and institutions in the UAE.
3. Business Continuity
By implementing ADHICS, organizations gain control and can easily detect and mitigate business-critical cyberattacks. By bringing the risks associated with patient information security down to a known and acceptable level, ADHICS improves operational predictability and lowers the uncertainty of business operations. The foreknowledge and predictability also help healthcare organizations avoid security breaches and ensure business continuity.
4. Information Control
ADHICS assists healthcare facilities in taking complete control of the flow of information and customer data within the organization. The standard ensures that healthcare entities are aware of every activity and contact that involves the health data of their patients by providing well-defined guidelines for formulating policies and procedures for security awareness, technology, and management controls.
5. Awareness of Information Ownership
As an organization expands and grows in various ways, healthcare staff frequently disagree about who is responsible for maintaining which data. ADHICS implements a structured approach to data storage, assisting each employee in understanding their role in storing patient information.
6. Improvement in Security Posture
Depending on their potency, cyberattacks can disrupt services and cause significant financial loss. ADHICS improves the overall security posture of healthcare organizations as active participants in the UAE’s technological economy by implementing actions such as periodic security audits and employee sensitization.
Threat actors are increasingly targeting healthcare organizations to obtain confidential data that will allow them to infiltrate individuals and conduct malicious activities. Because of this custody of sensitive data, the healthcare industry is more vulnerable to cyberattacks and data breaches caused by malware, ransomware, phishing, and insider threats. However, with the publication and increasing adoption of the Abu Dhabi Healthcare Information and Cybersecurity Standard (ADHICS), these attacks are gradually being overpowered. As ADHICS compliance is enforced by making it a requirement for the renewal of health worker licenses, more and more healthcare entities will embrace it, and it will shape the general cybersecurity posture of the UAE healthcare industry.