The recent cyberattack in the US highlighted the vulnerability of hospitals to the growing threat of cybercriminals. Facilities in several states, operated by Prospect Medical Holdings, were involved in the data security incident in which hackers disrupted hospital computer systems. Emergency rooms were forced to close, and ambulances had to be diverted while security experts worked to resolve the issue.
Healthcare organisations globally are now a prime target for cyberattacks and facilities in Saudi Arabia (KSA) are not immune. The weakest link in any computer system is the user and when hospital data becomes compromised, the stakes are high, providing cybercriminals with opportunities to exploit. Identifying potential vulnerabilities and implementing cybersecurity strategies is crucial to mitigating these risks. Investments in IT infrastructure, skill development, and enhanced regulatory frameworks are essential for safeguarding the resilience and security of KSA’s healthcare systems.
Related: Strengthening cybersecurity and data privacy in healthcare
While KSA has seen impressive development in line with Vision 2030, as healthcare becomes more digitised and interconnected, the potential for cyberattacks inevitably grows. Cybersecurity measures to safeguard sensitive patient information and ensure the seamless delivery of critical medical services has never been higher.
The frequency and severity of cyberattacks on organisations are alarming. Between mid-2021 and mid-2022, KSA and the UAE experienced the highest number of ransomware attacks among GCC nations, as reported by cybersecurity company Group-IB. Group-IB's CEO, Dmitry Volkov, highlighted ransomware as a significant threat for 2023, with rising ransom demands.
According to IBM’s Cost of a Data Breach Report, in 2023, data breaches cost organisations an average of US$4.45 million, a 15 per cent increase in three years. With 51 per cent of companies planning increased security investments post-breach, including incident response, employee training, and threat detection tools, the urgency to strengthen cybersecurity measures in healthcare is evident.
A report by a leading cybersecurity company, Proofpoint Inc., revealed the majority of top hospitals in the UAE and KSA are lagging behind on basic cybersecurity measures. The findings were based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis. DMARC enhances email communication security with three protection levels — monitor, quarantine and reject. The analysis revealed only 28 per cent of UAE and KSA hospitals have implemented ‘reject’ — the strictest level of protection, which means many users are not protected from potential e-mail fraud.
Emile Abou Saleh, Regional Director, Middle East and Africa for Proofpoint, said: “The healthcare industry is rapidly becoming a target for cybercriminals due to the sensitive patient data these institutions hold. From an attacker’s perspective, healthcare organisations are high-value targets for ransomware attacks as they would have great motivation to pay up to restore systems quickly.”
He added: “A broader security strategy will be crucial to secure the future of the healthcare sector in the UAE and KSA, which has been identified as a priority under the respective national agendas of both countries. The healthcare industry must pursue a security strategy focusing on people because threats will continue to convince victims to click malicious links, download unsafe files, install malware, and disclose sensitive information. Their security strategy will have to adapt to new business models to protect health information wherever it is stored – whether within the hospital or beyond.” (source)
Common cyber threats include data breaches, ransomware and Distributed Denial of Service (DDoS) attacks which overwhelm a network so it can no longer operate. In ransomware attacks, hackers infect files, making them inaccessible until a ransom is paid. When these attacks hit hospitals, internet-based tools critical to patient care, patient health records, imaging and lab results, and communication links with other departments or hospitals are cut-off, leading to major financial and reputational damage.
Sophisticated attacks demonstrate the need for stringent cybersecurity measures in healthcare. Key vulnerabilities in the healthcare systems of GCC countries could range from insufficient IT infrastructure to data management practices. Relying heavily on third-party vendors for healthcare technology could also introduce security risks if providers do not have stringent cybersecurity protocols. A lack of comprehensive disaster recovery and business continuity plans can impact the healthcare system's ability to quickly respond to an attack.
Related: Why data governance in healthcare is essential to improve quality of care
Healthcare institutions in KSA should be implementing cybersecurity strategies to shield against these threats. Establishing a security culture is also vital in raising awareness and protecting healthcare organisations. Security practices must be built in alongside regular employee training, best practices implemented with support from cybersecurity experts, and the use of multi-factor authentication, firewalls, encryption, backups and incident response plans are imperative.
Collaboration among stakeholders including KSA’s healthcare institutions, IT experts, and cybersecurity firms is needed which requires knowledge sharing on vulnerabilities, customised tech solutions, and risk assessments. Continuous monitoring, cutting-edge technology integration, and regulatory compliance will ensure greater protection. The key is to always plan for the unexpected with drills and develop advanced strategies through joint innovation and research efforts. Together, these endeavours can create a resilient defence, safeguarding Saudi Arabia’s critical healthcare systems and patient data against the growing threat of cyberattacks.
To learn more about the latest developments in Saudi Arabia's healthcare industry, attend the Global Health Exhibition taking place from 29-31 October at Riyadh Front Exhibition & Conference Center (RFECC). Click here to know more.
