Middle Eastern hospitals were targeted by cyberattacks more in 2023 than in any other year. Hospitals need to include securing the network of connected devices that make up the Internet of Things (IoT) and more specifically the Internet of Medical Things (IoMT) as part of their implementation of new laws, to prevent attacks, and reduce risk. But what is the right order of investment and strategic planning for CISOs and IT in Middle Eastern Hospitals?

Saudi Arabia Ranked #2 in the World in Cybersecurity and Also Sees Many Attacks Annually

The cybersecurity regulatory regime of the Kingdom of Saudi Arabia is leading the Middle East and is now ranked number two behind the United States in terms of commitment to cybersecurity in the most recent Global Cybersecurity Index report. This is understandable given that the kingdom recorded 22.5 million cyberattacks in 2020, each of which cost $6.5 million at the time. The most recent data placed the cost of a breach at an average of SAR 29.9 million, equivalent to $7.9 million. The healthcare sector has the third-highest breach cost in the region, reaching a total cost of SAR 32.46 million.

New Laws: Personal Data Protection Law and Why It Matters 

The Kingdom of Saudi Arabia is leading the Middle East with massive leaps forward in terms of cybersecurity strategy. Within 24 months, Saudi Arabia has released its new Personal Data Protection Law 2023 (PDPL), Data Cybersecurity Controls, Operational Technology Cybersecurity Controls, the cybersecurity toolkit 2.0, and the guide to essential cybersecurity controls implementation. 

The Kingdom of Saudi Arabia’s Personal Data Protection Law was put into force on September 14, 2023, with a one-year grace period to comply with its statutes. The law is broadly modeled on the 2016 General Data Protection Regulation passed in the European Union, and includes features like:

• Data breach notification is required within 72 hours 
• The appointment of a data protection officer in the organization
• Carrying out legitimate interest assessments and data protection assessments 
• Strict obligations on anyone handling personal data

These rules are a major leap forward for Saudi Arabia and put the regulatory framework in place for companies to be held accountable during a data breach. The disclosure requirements specifically will likely necessitate operational changes for many organizations in the healthcare sector. 

This regulation puts a fine point on data protection within Saudi Arabia, including the penalties for noncompliance. Every company has to comply with these rules and implement practices in line with the regulations or face fines of up to 3 million Saudi Riyals and imprisonment for up to two years. With this shift in the laws, Saudi Arabia is clear in its emphasis on better cybersecurity nationally and leadership in the region on taking cybersecurity seriously with legislation and investment.

Why the Middle Eastern Healthcare Sector Is a Target

Over the last 20 years, the Middle Eastern healthcare market has spent substantial time and money improving the standard of care for its citizens with universal healthcare, electronic medical records, and telemedicine among other technological improvements. Unfortunately, investing in better care also opens up the healthcare sector to cyberattacks. 

Cybergangs have noticed the lack of preparedness. According to Group-IB research, 42 companies in the Gulf Cooperation Council area experienced ransomware attacks between mid-2021 and mid-2022. Saudi Arabian companies made up 29% of those affected during that period, for a total of 12 ransomware attacks that Group-IB identified. These are only the ones that are known, of course, as disclosure requirements have lagged in Saudi Arabia until the passage of the PDPL. As Middle Eastern hospitals implement more and more advanced medical devices, including IoMT devices for patient care and IoT devices for facility management, these risks become greater. Given the new regulations for enforcement of the PDPL, it’s incumbent on healthcare organizations to improve their data protection and enhance the defenses of their data infrastructure. This is vitally important in light of the cybercriminal group APT34, which could be based in Iran, targeting Saudi Arabian targets with the Menorah malware since August 2023.

The Kingdom’s OTCC Shifts the Conversation to IoT and IoMT

The Kingdom of Saudi Arabia’s National Cybersecurity Agency released Operational Technology Cybersecurity Controls in 2022 that align with the recent update to the Personal Data Protection Law. These controls outline specific requirements related to industrial control systems and operational technology. In the case of the Saudi Arabian healthcare sector, this is related to the IoT and IoMT systems within the hospital like CT scans, MRI machines, and other network-accessible devices.

To secure connected equipment within the facility, Saudi Arabian hospitals need to prioritize their activities in the right order: 

With the OTCC and the new PDPL, the Kingdom of Saudi Arabia is taking massive leaps forward in cyberdefense and the rest of the Middle East is set to follow next. Hospitals would do well to look into better security measures, especially for IoT and IoMT devices, as these regulations come into full force in September of 2024. It behooves hospitals to investigate all possible pathways in that regard to keep their patient data secure.

To learn more about Asimily, visit Booth C94 at GISEC at the Dubai Trade Center April 22-25; download our download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.