Why cybersecurity must become a clinical priority

As digital health expands, rising cyber threats are putting patient safety and hospital integrity on the line.


Cyber threats are rising rapidly, and healthcare has become one of the hardest-hit sectors. Data breaches have surged in recent years, with the average cost of a breach in healthcare and pharmaceuticals climbing to $10.9 million, almost double that of financial services. The number of breaches has more than doubled over the past decade.

This makes cybersecurity not just an operational necessity but the foundational bedrock of healthcare integrity. As healthcare providers accelerate digital transformation through smart investments and new technologies, protecting sensitive data and ensuring trust in treatment must be a clinical priority. 

Yet providers face significant challenges in adapting to digitisation. Many still rely on fragmented, outdated systems, often supplemented by paper-based processes, for critical functions like patient records and billing. This creates vulnerabilities due to poor integration and weak security. Talent gaps also hinder progress: there is a shortage of professionals who combine healthcare expertise with digital and analytical skills, forcing reliance on external vendors and limiting the development of in-house capabilities.  

The healthcare sector tends to have lower cybersecurity maturity compared to other sectors, leaving it more vulnerable. Too often, cybersecurity is treated as an IT problem rather than a board-level, clinical risk. In fact, 47% of healthcare leaders report feeling underprepared to respond to cyber threats, highlighting the scale of the gap. 


Cyber threats can have catastrophic consequences for providers, disrupting operations and, more critically, endangering patient lives. This risk became tragically clear in September 2020, when a ransomware attack crippled Düsseldorf University Hospital and an ambulance was turned away, leading to the loss of a patient’s life. 

Recently in the Middle East, two healthcare providers fell victim to ransomware attacks. The Everest ransomware group targeted a UAE-based healthcare group, stealing data related to around 1,000 employees and approximately 4GB of confidential information, although core clinical services were unaffected. The industry’s reliance on legacy applications, AI, and connected devices has broadened vulnerabilities and increased the risk of data breaches. These incidents can expose or corrupt sensitive patient data, disrupt service delivery, damage reputations, and ultimately put patient wellbeing at risk. 

Global regulators are increasingly zeroing in on the healthcare sector, imposing stringent cybersecurity requirements to address growing threats to sensitive patient data and critical operations. Frameworks such as HIPAA and HITECH in North America (which set standards for patient data protection), alongside NIS2 in Europe (the EU-wide cybersecurity directive), show how regulation is evolving to protect healthcare systems and ensure resilience in the face of escalating cyber risks. 


In the Middle East, healthcare providers are generally recognised as critical national infrastructure, making business continuity and cybersecurity in this sector integral to national security. However, healthcare-specific regulations remain limited compared to global standards. There is a gap between the level of control established by the North American or European frameworks and the current regulatory landscape in the Middle East. Most providers in the region fall under broader national cybersecurity frameworks rather than sector-specific ones. For instance, in Saudi Arabia, the Essential Cybersecurity Controls (ECCs), established by the National Cybersecurity Authority (NCA), set cybersecurity standards for all sectors, including healthcare. Healthcare-specific cybersecurity practices, however, remain integral given the sensitivity and critical nature of patient safety and privacy.  


Having a healthcare-specific cybersecurity regulatory framework in Middle Eastern countries is therefore a core requirement to ensure that the region is ready for the new world. To achieve this, we recommend that healthcare providers prioritise the following five actions to enhance cybersecurity and operational resilience:

  • Clarify current cybersecurity status: Assess current maturity, identify gaps, and understand what needs to be improved. 

  • Secure executive support: Ensure leadership commitment and adequate resources for cybersecurity initiatives. 

  • Establish technical foundations: Implement baseline capabilities such as vulnerability management, monitoring, and awareness training.  

  • Prioritise risk reduction: Once foundations are set, direct investment to the highest-impact areas, showing both quick wins and long-term value.

  • Be proactively prepared for incidents: Build resilience through tested continuity and recovery plans, ensuring critical processes and patient safety are protected. 

The urgency for comprehensive cyber resilience stems from converging pressures. Government mandates for Electronic Health Records (EHR) modernisation, data sharing, and AI diagnostics are raising operational complexity and cyber risks. While these advances promise efficiency gains, they also increase vulnerability. At the same time, rising patient expectations for seamless digital experiences and evolving public-private healthcare ecosystems demand greater interoperability and transparency, exposing providers to broader threats. 

Data vulnerability in the healthcare space

• In recent years, the healthcare industry has suffered the highest average breach costs at $10.9 million, nearly double that of the financial services sector.

• Data breaches have more than doubled in the past decade.

• About 47% of healthcare leaders report feeling underprepared to respond to cyber threats.

• The healthcare industry’s dependence on legacy systems, AI, and connected devices has expanded its vulnerability surface.

• HIPAA and HITECH (North America) and NIS2 (Europe) are leading global cybersecurity regulatory frameworks.

• In Saudi Arabia, the Essential Cybersecurity Controls (ECCs) established by the National Cybersecurity Authority (NCA) apply across all sectors, including healthcare.

• Healthcare is recognised as critical national infrastructure in the Middle East, linking cybersecurity directly with national security.


About the Authors

Radu Balanescu

Principal, Boston Consulting Group (BCG), a global consulting firm that partners with leaders in business and society to tackle important challenges.

Arianna Espinosa

Principal, Boston Consulting Group (BCG), a global consulting firm that partners with leaders in business and society to tackle important challenges.