
Healthcare Cybersecurity Regulations in GCC — UAE ADHICS, Qatar & Oman


📅 Published: June 2026 🔐 Cybersecurity • GCC Compliance ⏱️ 2,500 words

Healthcare providers in the GCC must comply with a fragmented set of sector-specific cybersecurity regulations. The UAE's Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS) is the most mature of these, while Qatar and Oman are still building out their own mandatory frameworks. For any healthcare organisation operating across multiple emirates or GCC states, achieving and demonstrating compliance with these regulations is a prerequisite for licensing, data sharing, and patient trust.

Why Healthcare Cybersecurity Regulations in the GCC Are Unique

Healthcare cybersecurity regulations in the GCC differ from general data protection laws (such as the UAE PDPL or Qatar's PDPPL) because they impose additional, sector-specific controls on medical devices, electronic health records (EHRs), clinical data sharing, and business continuity in healthcare settings. These regulations are typically enforced by health authorities rather than data protection offices, meaning compliance is tied directly to a facility’s operating license.

Across the GCC, the key healthcare cybersecurity regulations include:

Deep Dive into UAE ADHICS Healthcare Cybersecurity

What Is ADHICS and Who Must Comply?

ADHICS is the mandatory cybersecurity standard for all healthcare facilities licensed by the Department of Health – Abu Dhabi. It applies to hospitals, clinics, medical laboratories, pharmacies, and any entity that stores, processes, or transmits health information within the emirate. The standard requires compliance with a defined control framework across 15 domains, including access control, cryptography, incident management, and medical device security.

ADHICS is built upon ISO/IEC 27001 and NIST frameworks but adds healthcare-specific controls such as requirements for clinical system availability, medical device patching, and health data breach notification within 72 hours.

Key ADHICS Requirements for 2025

ADHICS Domain | Key Requirement | Compliance Criticality
Access Control | Role-based access with mandatory multi-factor authentication (MFA) for all clinical system access | Critical
Medical Device Security | Inventory and risk classification of all connected medical devices; segmentation from IT networks | Critical
Incident Management | Report significant cybersecurity incidents to DoH within 72 hours; maintain an incident response plan tested annually | Critical
Data Encryption | Encrypt all health data at rest and in transit using FIPS 140-2 validated or equivalent cryptographic modules | Critical
Business Continuity | Recovery Time Objective (RTO) of ≤ 4 hours for critical clinical systems; annual BCP testing | Mandatory

How to Achieve ADHICS Compliance

Achieving ADHICS compliance requires a structured, evidence-based approach. Most healthcare organisations engage a compliance assessor approved by the DoH, who evaluates controls against the standard. The process typically follows four phases:

1. Gap Analysis and Scoping

Map all in-scope systems, data flows, and medical devices against the 15 ADHICS domains. Identify control weaknesses, particularly in network segmentation, access controls, and incident response. A formal gap assessment against the ADHICS baseline is the first deliverable.

2. Remediation Planning and Implementation

Develop a remediation roadmap prioritising critical and high-risk findings. Implementation typically involves deploying SIEM for log management and threat detection, implementing MFA across all clinical systems, and segmenting medical device networks. Organisations should use a compliance automation platform to track control evidence in real time.

3. Internal Audit and Evidence Collection

Conduct an internal readiness audit against the ADHICS controls. Collect and organise policy documents, configuration records, access logs, training records, and incident reports into a compliance evidence repository. Automated evidence collection tools significantly reduce manual effort here.

4. External Certification Audit

Engage a DoH-approved ADHICS assessor for the formal certification audit. The assessor will validate controls, review evidence, and issue a compliance certificate valid for two years, with annual surveillance audits in between.
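Phase 3 asks for access logs to be turned into audit evidence, and the Access Control row of the table above states the control they have to evidence: MFA on every clinical system login. The script below is an added example, not CyberSilo's tooling and not anything published by the DoH or the ADHICS assessors. It runs over a constructed set of newline-delimited JSON authentication events (the field names `system_tag`, `result` and `mfa` are assumptions about what an identity provider or SIEM export would carry), flags successful clinical-system logins that were granted without MFA, and produces a per-system coverage summary of the kind that goes into the evidence repository.

```python
"""Added example (not CyberSilo's or the DoH's tooling): find successful logins
to clinical systems that were granted without MFA, the control the ADHICS
Access Control domain requires, and summarise the result as audit evidence.
The log format, system names and the 'clinical' tag are constructed."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: one JSON event per line, as an identity provider or SIEM
# might export them. Field names are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2026-06-01T07:58:12Z","user":"dr.amal","system":"EHR-PROD","system_tag":"clinical","result":"success","mfa":"totp"}
{"ts":"2026-06-01T08:01:44Z","user":"nurse.kh","system":"EHR-PROD","system_tag":"clinical","result":"success","mfa":"none"}
{"ts":"2026-06-01T08:03:09Z","user":"svc-backup","system":"PACS","system_tag":"clinical","result":"success","mfa":"none"}
{"ts":"2026-06-01T08:05:30Z","user":"dr.amal","system":"PACS","system_tag":"clinical","result":"success","mfa":"push"}
{"ts":"2026-06-01T08:07:02Z","user":"hr.lina","system":"HR-PORTAL","system_tag":"corporate","result":"success","mfa":"none"}
{"ts":"2026-06-01T08:09:51Z","user":"nurse.kh","system":"EHR-PROD","system_tag":"clinical","result":"failure","mfa":"none"}
"""


def parse_events(text):
    """Parse newline-delimited JSON. Malformed lines are skipped but counted,
    so the evidence package records gaps in the log rather than hiding them."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            malformed += 1
    return events, malformed


def mfa_findings(events):
    """Successful clinical-system logins that were not protected by MFA.
    Failed logins are excluded: the control is about access that was granted."""
    return [
        ev for ev in events
        if ev.get("system_tag") == "clinical"
        and ev.get("result") == "success"
        and ev.get("mfa") in (None, "", "none")
    ]


def evidence_summary(events, malformed=0):
    """Per-system MFA coverage of successful clinical logins plus the findings list."""
    totals, without_mfa = defaultdict(int), defaultdict(int)
    for ev in events:
        if ev.get("system_tag") == "clinical" and ev.get("result") == "success":
            totals[ev["system"]] += 1
    findings = mfa_findings(events)
    for ev in findings:
        without_mfa[ev["system"]] += 1
    per_system = {
        s: {
            "logins": totals[s],
            "without_mfa": without_mfa[s],
            "coverage_pct": round(100.0 * (totals[s] - without_mfa[s]) / totals[s], 1),
        }
        for s in totals
    }
    return {
        "per_system": per_system,
        "compliant": all(v["without_mfa"] == 0 for v in per_system.values()),
        "malformed_lines": malformed,
        "findings": [(ev["ts"].isoformat(), ev["user"], ev["system"]) for ev in findings],
    }


if __name__ == "__main__":
    evs, bad = parse_events(SAMPLE_LOG)
    print(json.dumps(evidence_summary(evs, bad), indent=2))
```

On the constructed sample the check flags `nurse.kh` on EHR-PROD and the `svc-backup` service account on PACS, and reports 50% MFA coverage on both systems, so the facility is not yet compliant for this control. The service account is the case to think about before an assessment: the requirement as stated on this page is MFA for all clinical system access, so non-interactive accounts have to be handled through a documented, risk-accepted exception register rather than being silently filtered out of the evidence.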

CISO note: ADHICS certification does not exempt healthcare providers from compliance with UAE PDPL or the newly enacted Federal Data Protection Law. Healthcare organisations must maintain a dual compliance posture — meeting both sector-specific and general data protection requirements. The penalty for non-compliance with ADHICS can include license suspension, fines, and mandatory reporting to the DoH.

Qatar Healthcare Cybersecurity Regulations

MoPH Data Governance and NIS Alignment

Qatar does not have a single healthcare cybersecurity standard equivalent to ADHICS. Instead, healthcare cybersecurity is governed by three overlapping instruments: the Ministry of Public Health (MoPH) Data Governance Policy, the Qatar National Cybersecurity Strategy, and the regulatory oversight of the Qatar Financial Centre (QFC) for certain healthcare organisations. The MoPH policy mandates that all healthcare data be stored within Qatar and that healthcare providers implement the National Information Assurance (NIA) controls published by the National Cybersecurity Agency (NCSA).

Key compliance requirements include:

Key difference from UAE ADHICS: Qatar's regulatory structure is less prescriptive in terms of domain-specific controls for medical devices or clinical system availability. However, the 24-hour breach notification window is stricter than ADHICS's 72-hour requirement. Healthcare organisations in Qatar should treat the MoPH policy as the minimum baseline and expect tighter enforcement as Qatar's National Health Strategy 2023–2030 matures.

Oman Health Data Protection Requirements

Ministry of Health and ODPA Framework

Oman’s healthcare cybersecurity landscape is governed by two primary authorities: the Ministry of Health (MoH) and the Oman Data Protection Authority (ODPA). The MoH issues sector-specific cybersecurity guidelines for all healthcare facilities, while the ODPA enforces the broader Personal Data Protection Law (PDPL), which has specific provisions for sensitive health data.

Healthcare providers in Oman must comply with the following requirements:

Oman’s MoH has also signalled its intention to develop a dedicated healthcare cybersecurity standard, aligned with NIST CSF 2.0 and ISO 27001, by 2026. Healthcare providers should treat the current ODPA and MoH requirements as a transitional baseline and begin preparing for a more comprehensive sector-specific framework.

Comparative GCC Healthcare Cybersecurity Compliance

Requirement | UAE (ADHICS) | Qatar (MoPH + NIA) | Oman (MoH + ODPA)
Dedicated healthcare cybersecurity standard | Yes | Partial | Partial
Breach notification timeline | 72 hours to DoH | 24 hours to MoPH + NCSA | 72 hours to ODPA
Data localisation for health data | Required (within UAE) | Required (within Qatar) | Required (within Oman)
Medical device security controls | Explicit | Implicit | Implicit
Mandatory compliance certification | Yes (ADHICS certificate) | Self-assessment + audit | DPIA + audit
Penalty for non-compliance | License suspension, fines | Fines, regulatory action | Fines, ODPA enforcement

Common Gaps and Compliance Challenges

Despite differences in regulatory maturity, healthcare organisations across the GCC consistently face three compliance gaps:

Ready to Simplify Healthcare Compliance Across the GCC?

Managing ADHICS, MoPH, NIA, and ODPA requirements manually is unsustainable — especially for multi-site healthcare providers. CyberSilo’s compliance platform maps each regulation to a unified control framework, automates evidence collection, and provides real-time compliance dashboards for auditors and CISOs.

How to Build a Unified Healthcare Compliance Program

Healthcare providers operating across multiple GCC jurisdictions face a choice: manage compliance separately for each regulator, or adopt a unified controls framework that satisfies all requirements simultaneously. The unified approach is more efficient, reduces audit fatigue, and provides better visibility for CISOs and risk managers.

Step 1: Map Regulations to a Common Control Framework

Map ADHICS, MoPH, NIA, and ODPA requirements to a common baseline such as NIST CSF 2.0 or ISO 27001. This mapping reveals overlapping controls — for example, access control requirements across all four regulations — and identifies genuine gaps where specific local controls are needed. The mapping becomes the single source of truth for compliance activities across all facilities.

Step 2: Implement Continuous Monitoring and Automation

Manual compliance management cannot scale across multiple hospitals, clinics, and jurisdictions. Use a SIEM platform with built-in compliance reporting for healthcare regulations. ThreatHawk SIEM, for example, includes pre-built report templates for ADHICS log requirements, allowing compliance teams to generate evidence packages for audits in minutes rather than weeks. Similarly, automate DPIA workflows, vendor risk assessments, and policy management through a GRC platform.

Step 3: Conduct Cross-Jurisdiction Tabletop Exercises

A breach that affects patients in Abu Dhabi, Doha, and Muscat requires simultaneous notifications to the DoH, MoPH, and ODPA — each with different timelines and formats. Regular tabletop exercises that test multi-jurisdiction incident response are essential. Ensure your incident response plan includes escalation paths for each regulator, and that the plan is tested at least annually with all facilities involved.
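Steps 1 and 3 are both easier to keep honest when the crosswalk is machine-readable rather than a spreadsheet. The block below is an added example, not CyberSilo's platform and not any regulator's official mapping. It encodes the requirements summarised in the comparison table above against a small common baseline (the category names are assumptions, not ADHICS, NIA or NIST identifiers), then derives the controls every jurisdiction shares, the ones only some require, the single unified programme a multi-site provider would implement, the places where a regulation is only implicit and needs a documented local decision, and finally the regulator notification schedule for a breach that spans all three states. Every parameter in the crosswalk is copied from this article's tables and must be verified against the current regulator text before use.

```python
"""Added example (not CyberSilo's platform or any regulator's official
crosswalk): a machine-readable control crosswalk for a GCC healthcare footprint
plus the multi-regulator breach notification schedule. Category names, the
mapping and the sample timestamp are constructed for illustration."""
from datetime import datetime, timedelta

# Common baseline categories. Names are assumptions, not standard identifiers.
BASELINE = {
    "AC": "Role-based access control, MFA for clinical systems",
    "ENC": "Health data encrypted at rest and in transit",
    "IR-NOTIFY": "Breach notification to the regulator within a defined window",
    "IR-PLAN": "Incident response plan tested at least annually",
    "MD-SEG": "Inventory and segmentation of connected medical devices",
    "BC-RTO": "Recovery time objective for critical clinical systems, annual BCP test",
    "LOCAL": "Health data stored in-country",
    "DPIA": "Data protection impact assessment for health data processing",
}

# Notification window in hours and recipient, as given in the comparison table.
NOTIFY = {
    "UAE-ADHICS": (72, "DoH"),
    "QA-MoPH-NIA": (24, "MoPH + NCSA"),
    "OM-MoH-ODPA": (72, "ODPA"),
}

# Crosswalk: regulation -> baseline category -> local parameter. None means the
# article lists the control as implicit only, i.e. a decision to document locally.
CROSSWALK = {
    "UAE-ADHICS": {"AC": "RBAC + MFA on all clinical systems",
                   "ENC": "FIPS 140-2 validated or equivalent",
                   "IR-NOTIFY": "72h to DoH", "IR-PLAN": "tested annually",
                   "MD-SEG": "inventory + segmentation",
                   "BC-RTO": "<= 4h for critical clinical systems", "LOCAL": "within UAE"},
    "QA-MoPH-NIA": {"AC": "required (NIA controls)", "IR-NOTIFY": "24h to MoPH + NCSA",
                    "LOCAL": "within Qatar", "MD-SEG": None, "BC-RTO": None},
    "OM-MoH-ODPA": {"AC": "required", "IR-NOTIFY": "72h to ODPA", "LOCAL": "within Oman",
                    "DPIA": "required", "MD-SEG": None},
}


def explicit(reg):
    """Baseline categories the regulation requires with a stated parameter."""
    return {c for c, p in CROSSWALK[reg].items() if p is not None}


def shared_controls(regs):
    """Categories required explicitly by every regulation in the footprint."""
    return set.intersection(*(explicit(r) for r in regs)) if regs else set()


def jurisdiction_specific(regs):
    """Categories required by only some regulations, with who requires them."""
    union = set().union(*(explicit(r) for r in regs))
    return {c: sorted(r for r in regs if c in explicit(r))
            for c in union - shared_controls(regs)}


def unified_program(regs):
    """One implementation per category: the union of explicit controls, each
    carrying every regulator's parameter so it is built to the strictest one."""
    prog = {}
    for r in regs:
        for c, p in CROSSWALK[r].items():
            if p is not None:
                prog.setdefault(c, {})[r] = p
    return prog


def implicit_only(regs):
    """(regulation, category) pairs where the control is only implicit; these need
    a documented local decision rather than a control copied from ADHICS."""
    return {(r, c) for r in regs for c, p in CROSSWALK[r].items() if p is None}


def notification_schedule(detected_at_iso, regs):
    """Regulator deadlines for a breach affecting the footprint, earliest first.
    The clock starts at detection here; confirm each regulator's actual trigger."""
    t0 = datetime.fromisoformat(detected_at_iso.replace("Z", "+00:00"))
    rows = [((t0 + timedelta(hours=NOTIFY[r][0])).isoformat(), r, NOTIFY[r][1]) for r in regs]
    return sorted(rows)


if __name__ == "__main__":
    footprint = ["UAE-ADHICS", "QA-MoPH-NIA", "OM-MoH-ODPA"]
    print("shared:", sorted(shared_controls(footprint)))
    print("specific:", jurisdiction_specific(footprint))
    print("implicit:", sorted(implicit_only(footprint)))
    for deadline, reg, to in notification_schedule("2026-06-01T10:00:00Z", footprint):
        print(f"{deadline}  {reg:12s} -> {to}")
```

For the three-state footprint the shared set comes out as access control, breach notification and data localisation; medical device segmentation, encryption parameters, RTO and the Oman DPIA are jurisdiction-specific; and the Qatar 24-hour window is the binding deadline, two days ahead of the DoH and ODPA ones. The `implicit_only` output is the list to take into the tabletop exercise: each entry is a control an assessor can still ask about, so the decision taken for it should be written down even where the regulator has not spelled it out.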

Future Outlook: Healthcare Cybersecurity in the GCC

The trajectory across the GCC is clear: healthcare cybersecurity regulations will converge toward a common baseline of mandatory controls, shorter breach notification timelines, and stricter enforcement. Qatar and Oman are actively developing dedicated healthcare cybersecurity standards, and Saudi Arabia's NPHIES platform already imposes technical security requirements for health data exchange. Healthcare providers should treat current compliance baselines as a floor, not a ceiling, and invest in scalable compliance infrastructure that can adapt to regulatory evolution.

Our Conclusion & Recommendation

Healthcare cybersecurity compliance in the GCC is no longer optional — it is a licensing, operational, and reputational requirement. The UAE's ADHICS remains the most mature and prescriptive standard, but Qatar and Oman are closing the gap rapidly. For any healthcare provider with a presence in more than one GCC state, the only sustainable approach is a unified compliance program built on a common controls framework, continuous monitoring, and automated evidence management.

CyberSilo’s compliance platform and ThreatHawk SIEM are purpose-built for multi-regulatory GCC environments, mapping controls across ADHICS, MoPH, NIA, ODPA, and NPHIES to a single, auditable framework. We recommend engaging our team for a gap assessment and compliance roadmap tailored to your healthcare organisation’s specific regulatory footprint across the region.

Get Your Healthcare Compliance Assessment

Not sure which regulations apply to your healthcare facilities across the GCC? Our team will map your locations and systems, identify gaps, and provide a clear remediation plan with timeline and budget estimates.
