Cybersecurity for UAE healthcare — protecting patient data
Healthcare · UAE · All four in force

Cybersecurity for UAE Healthcare: What a Clinic Actually Has to Have in Place

Applies to: clinics, diagnostic centres, labs, telehealth & health-tech in the UAE

Rules in force: ADHICS v2.0 · NABIDH · Federal Health Data Law (FL 2/2019) · UAE PDPL

The short answer

A healthcare provider in the UAE is governed by up to four overlapping rules at once: ADHICS v2.0 if it is licensed in Abu Dhabi, NABIDH if it is licensed in Dubai, the Federal Health Data Law (Federal Law 2 of 2019) everywhere in the country, and UAE PDPL for every category of personal data that is not a patient health record. None of these is a future deadline — all four are in force today. The practical consequence: a clinic owns its own security obligations even when it outsources its EMR or PMS, and the penalty for getting it wrong is measured in licence risk, not just fines.

The regulatory map, by where you are licensed

ADHICS v2.0 — Abu Dhabi

  • Issued by: Department of Health, Abu Dhabi (DoH)
  • Status: Enforced — Basic controls from November 2024, Advanced from May 2025
  • Covers: healthcare entities licensed in the Emirate of Abu Dhabi
  • Breach window: notify the DoH within 72 hours

NABIDH — Dubai (the tighter clock)

  • Issued by: Dubai Health Authority (DHA) — Data & Health Information Protection Policy (HISHD/PP-13, 2022)
  • Status: In force, effective 10 November 2024
  • Covers: all Dubai-licensed providers — hospitals, clinics, diagnostic labs, telehealth, pharmacy chains
  • Breach window: notify the UAE Information Office and DHA within 24 to 48 hours

Federal Health Data Law — UAE-wide

  • Instrument: Federal Law 2 of 2019
  • Status: In force since 2019, across the entire UAE
  • Requires: patient health data held inside the UAE; cross-border transfer restricted without the required approval

UAE PDPL — everything that is not a patient record

  • Instrument: Federal Decree-Law 45 of 2021 — in force since 2 January 2022 (Executive Regulations pending)
  • The nuance: PDPL explicitly exempts patient health records (ADHICS, NABIDH and the Federal Health Data Law govern those)
  • Still covers: employee records, vendor contracts, marketing contacts, administrative data

The trap: clinics assume "we are healthcare, so PDPL does not touch us." Half right. Your patient records are out of PDPL scope — but your HR files, supplier contracts, and marketing database are squarely in it.

Breach-notification: two emirates, two clocks

Where licensed   Rulebook      Notify whom                     Within
Abu Dhabi        ADHICS v2.0   Department of Health (DoH)      72 hours
Dubai            NABIDH        UAE Information Office + DHA    24 to 48 hours

Full detail: NABIDH 24–48h vs ADHICS 72h — two UAE healthcare breach windows.

Where clinics actually get breached

These are not generic scenarios. They are the four most common ways a UAE healthcare provider is exposed.

  1. PHI pasted into an AI tool (shadow AI). A staff member drops patient notes into a public chatbot to summarise them. The data has left every controlled system you have — no audit trail, no consent basis. See hands-on AI defence.
  2. EMR / PMS misconfiguration. The clinic outsources the platform and assumes the vendor "handles security." Access controls stay at default, audit logging is off, and an over-permissioned account exposes the full record set.
  3. Ransomware that halts the clinic. Encrypted records are not a billing problem — they are a patient-safety event. Delayed diagnoses, cancelled procedures, and a regulator asking why the notification window was missed.
  4. The third-party billing or lab vendor as the entry point. The attacker does not breach you directly. They breach the small vendor with a live connection into your systems, and walk in through that trust.

The controls a healthcare provider must have

What an ADHICS or NABIDH auditor expects to see — and what closes the four scenarios above.

  • Identity & access control on clinical systems — role-based access on the EMR/PMS, least privilege, no shared logins, MFA on anything internet-facing.
  • Encryption of patient data — at rest and in transit, with key management documented.
  • Network segmentation — clinical systems and connected devices isolated from the general office network.
  • Continuous monitoring & detection — watching the clinical network and EMR access in real time, not reading logs after the fact.
  • A tested incident-response plan with the right clocks — a runbook that knows the 72-hour ADHICS window and the 24–48-hour NABIDH window.
  • Third-party / vendor controls — security clauses and access review for every billing, lab, and EMR vendor with a connection in.
  • Audit-ready evidence — access logs, encryption status, incident records, vendor controls, kept current.
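The monitoring control above, and the "over-permissioned account exposes the full record set" scenario in the list of breach patterns, both come down to reading EMR/PMS access logs for the handful of signals an auditor will ask about: one account touching far more patient records than its job needs, one login used from two workstations at once, and an action outside the role's allow-list. The following is an added example, not code from the page or from any EMR vendor; the pipe-separated log format, the role allow-list, the thresholds and the log lines themselves are all constructed assumptions to be swapped for the clinic's real audit export and tuned to its volumes.

```python
"""Detection rules over EMR/PMS audit-log lines (added example; assumptions marked)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (pipe-separated): timestamp | user | role | workstation | action | patient_id
# Constructed sample lines, not real clinic data.
SAMPLE_LOG = """\
2025-03-10T09:02:11 | dr.ali | clinician | WS-CLIN-03 | view | P1001
2025-03-10T09:05:40 | dr.ali | clinician | WS-CLIN-03 | update | P1001
2025-03-10T09:06:02 | reception1 | reception | WS-RECEP-01 | view | P1002
2025-03-10T09:06:30 | reception1 | reception | WS-RECEP-02 | view | P1003
2025-03-10T09:07:15 | reception1 | reception | WS-RECEP-02 | export | P1003
2025-03-10T09:10:00 | svc_billing | vendor | VPN-BILLCO | view | P2001
2025-03-10T09:10:05 | svc_billing | vendor | VPN-BILLCO | view | P2002
2025-03-10T09:10:11 | svc_billing | vendor | VPN-BILLCO | view | P2003
2025-03-10T09:10:16 | svc_billing | vendor | VPN-BILLCO | view | P2004
2025-03-10T09:10:22 | svc_billing | vendor | VPN-BILLCO | view | P2005
2025-03-10T09:10:28 | svc_billing | vendor | VPN-BILLCO | view | P2006
2025-03-10T09:40:00 | dr.ali | clinician | WS-CLIN-03 | view | P1004
"""

# Demo thresholds (assumptions): a real clinic tunes these to its own daily volumes.
BULK_THRESHOLD = 5                    # distinct patients one account touches inside BULK_WINDOW
BULK_WINDOW = timedelta(minutes=10)
SHARED_WINDOW = timedelta(minutes=5)  # same account on two workstations this close together
# Least-privilege allow-list per role (assumed; not a list taken from ADHICS or NABIDH).
ALLOWED_ACTIONS = {
    "clinician": {"view", "update"},
    "reception": {"view"},
    "vendor": {"view"},
}


def parse_log(text):
    """Parse the assumed log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6:
            continue  # a bad line must not stop the rule from running
        ts, user, role, ws, action, pid = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "ws": ws, "action": action, "pid": pid})
    return sorted(events, key=lambda e: e["ts"])


def detect_bulk_access(events):
    """One finding per account that reaches BULK_THRESHOLD distinct patients within a sliding BULK_WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > BULK_WINDOW:
                start += 1
            patients = {x["pid"] for x in evs[start:end + 1]}
            if len(patients) >= BULK_THRESHOLD:
                findings.append((user, len(patients), evs[start]["ts"]))
                break  # one finding per account is enough to open a ticket
    return findings


def detect_shared_login(events):
    """Flag an account seen on two different workstations within SHARED_WINDOW (shared or stolen login)."""
    findings = []
    last_seen = {}  # user -> (timestamp, workstation)
    for e in events:
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["ws"] and e["ts"] - prev[0] <= SHARED_WINDOW:
            findings.append((e["user"], prev[1], e["ws"]))
        last_seen[e["user"]] = (e["ts"], e["ws"])
    return findings


def detect_out_of_role(events):
    """Flag any action not in the role's allow-list (e.g. a reception login exporting a record)."""
    return [(e["user"], e["role"], e["action"], e["pid"])
            for e in events if e["action"] not in ALLOWED_ACTIONS.get(e["role"], set())]


def run(text=SAMPLE_LOG):
    """Run all three rules over a log export and return the findings per rule."""
    events = parse_log(text)
    return {"bulk_access": detect_bulk_access(events),
            "shared_login": detect_shared_login(events),
            "out_of_role": detect_out_of_role(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

On the constructed sample the vendor service account trips the bulk rule (the third-party-as-entry-point pattern), the reception login trips both the shared-login and out-of-role rules, and the clinician's normal activity produces nothing. The same three findings are also the evidence an auditor asks for under "audit-ready evidence": keep the rule output alongside the raw export rather than the export alone.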

You can hold all of this without hiring an in-house security team — that is what a managed security partner is for. Run the in-house-vs-managed numbers on the cost calculator.

Frequently Asked Questions

Is my EMR vendor responsible for ADHICS or NABIDH compliance?

No — not on your behalf. The vendor secures its platform; the licensed provider remains accountable for how patient data is accessed, stored, and protected inside the clinic. Auditors examine the clinic, not the software company. Outsourcing the system does not outsource the obligation.

What is the breach-notification window for health data in Dubai versus Abu Dhabi?

They are different, and a clinic needs to know which clock it is on. Abu Dhabi (ADHICS): notify the Department of Health within 72 hours. Dubai (NABIDH): notify the UAE Information Office and the DHA within 24 to 48 hours (HISHD/PP-13). A Dubai-licensed facility is on the tighter clock.

Does PDPL apply to patient records?

Not to the records themselves. PDPL explicitly exempts patient health records; those are governed by ADHICS, NABIDH, and the Federal Health Data Law. PDPL does apply to every other category of personal data a clinic holds: employee records, vendor contracts, marketing contacts, and administrative data.

Is NABIDH only for hospitals?

No. NABIDH applies to all healthcare providers licensed in the Emirate of Dubai — hospitals, clinics, diagnostic labs, telehealth platforms, and pharmacy chains. Abu Dhabi providers follow ADHICS v2.0 instead. The Federal Health Data Law (Federal Law 2 of 2019) applies across the whole UAE.

What does a clinic need beyond the security built into its EMR?

The EMR secures its own platform. The clinic still owns identity and access control across all its systems, network segmentation, monitoring and detection, an incident-response plan that meets the notification windows, third-party vendor controls, and the audit evidence pack. The EMR is one component, not the whole control set.

Are the UAE healthcare rules a future deadline we can plan for?

No. ADHICS, NABIDH, the Federal Health Data Law, and PDPL are all in force today. There is no grace period to wait out. All four are tracked, with sources, on the nshield.io regulatory registry.

Start with a free external security assessment

We review your current setup against ADHICS, NABIDH, PDPL, and the Federal Health Data Law, and hand you a written findings report. No obligation. Built for clinics, diagnostic centres, and health-tech firms in the 50–250 range.

