Cybersecurity for UAE healthcare.

Hospitals · Clinics · Diagnostic labs · Telehealth · Pharma · Health-tech. Two breach-notification windows — NABIDH 24–48h in Dubai and ADHICS 72h in Abu Dhabi. One set of patient records.

The misframing

Most UAE healthcare IR runbooks are written to 72 hours. If you're Dubai-licensed, you're 24 hours late.

DHA Policy HISHD/PP-13 tightened Dubai's window to 24–48 hours in August 2024 — superseding the 2022 policy most existing runbooks reference. Multi-emirate clinic groups need two breach protocols, not one.

Healthcare vertical · six mandates

Two regulators, two clocks, one patient record.

Primary-source-validated. Updated against the underlying statute or the regulator's own page, not secondary analyses.

UAE healthcare cybersecurity and data-protection mandates — reference, regulator, key requirements, deadline, status, maximum penalty.

Mandate: NABIDH (Dubai)
Reference: DHA HISHD/PP-13 (Aug 2024, eff. Nov 2024)
Status: Enforced
Regulator: Dubai Health Authority
Key requirements: Secure health information exchange; PHI localization; EMR audit trails; PDPL-aligned consent flows; cybersecurity standards; breach notification 24–48h to UAE Information Office + DHA.
Deadline: In force · HISHD/PP-13 eff. 10 Nov 2024
Max penalty: License revocation

Mandate: ADHICS v2.0 (Abu Dhabi)
Reference: DoH Abu Dhabi ADHICS v2 (2024)
Status: Enforced
Regulator: Abu Dhabi DoH
Key requirements: PHI encryption; role-based EMR access; full data localization; cybersecurity monitoring; annual security audits; DPIA for health tech.
Deadline: v2.0 May 2024 · Basic Nov 2024 (passed) · Advanced May 2025 (passed)
Max penalty: License suspension

Mandate: Federal Health Data Law
Reference: Federal Law 2/2019
Status: Enforced
Regulator: MOHAP
Key requirements: Mandatory UAE localization of all electronic health records; cross-border transfers prohibited without ministerial approval.
Deadline: In force
Max penalty: AED 1K–1M per violation + license action

Mandate: UAE PDPL
Reference: Fed. Decree-Law 45/2021
Status: In force
Regulator: UAE Data Office
Key requirements: Patient data consent; data minimisation; breach notification; DPIA for health IT; cross-border transfer ban for special-category data.
Deadline: In force since 2 Jan 2022 · ER pending
Max penalty: Pending ER (cited range AED 50K–10M)

Mandate: Federal Cybercrime Law
Reference: Fed. Decree-Law 34/2021
Status: Enforced
Regulator: Public Prosecution
Key requirements: Criminal liability for unauthorized access to EMRs, ransomware on hospital systems, patient data theft.
Deadline: In force
Max penalty: AED 100K–3M per offense + prison

Mandate: NCS 2025–2031
Reference: UAE Cybersecurity Council
Status: Strategic framework
Regulator: Cybersecurity Council
Key requirements: MFA on clinical systems; vendor risk management for health-tech suppliers; incident response plans.
Deadline: Phased 2025–31
Max penalty: No direct NCS penalties (via underlying laws)

Source: UAE primary legislation and regulator-issued policies. Full method and source domains in our UAE Regulations Registry.

What we find

Three gaps that repeat across UAE healthcare providers.

Specific to UAE healthcare, not generic hospital IT hygiene.

01 · IR runbook written to ADHICS 72h only

Template downloaded in 2022 or 2023, documented against “72-hour DoH notification.” Still valid for any Abu Dhabi facility. Invalid for every Dubai-licensed site. Multi-emirate groups have one runbook where they need two.

02 · DHA notification address still the 2022 one

Playbook references HISH@dha.gov.ae — the pre-2024 contact. The current address is datacompliance@dha.gov.ae. The first notification sent to the old address bounces while the clock is already running.

03 · Cross-border EHR transfers, no ministerial approval

Third-party analytics tools, diagnostic AI services or telehealth platforms move de-identified patient records outside the UAE with no case-by-case MOHAP approval on file, as the Federal Health Data Law requires. De-identification is not an exemption.

How we work with UAE healthcare

Clinical-operations-aware, not generic managed security.

Dual-regime IR runbooks

Written for multi-emirate operators. NABIDH 24–48h and ADHICS 72h paths, severity-classified, with tested notification templates for both regulators.

EMR-aware access reviews

Role-based access against clinical-workflow realities — not generic IAM. Built around NABIDH audit-trail requirements and ADHICS role-based EMR access mandates.

24/7 SOC from Dubai Silicon Oasis

Monitoring and managed detection from our UAE-based Security Operations Centre — clinical-hours-aware escalation, understanding of healthcare incident-response priorities.

Common questions

Answers medical directors and IT heads actually ask.

What is the NABIDH breach notification window?

The NABIDH breach notification window is 24 to 48 hours from detection, to both the UAE Information Office and the Dubai Health Authority. The exact window depends on severity classification under DHA Policy HISHD/PP-13 Section 4.23.4(d). The notification email also changed in 2024 — from HISH@dha.gov.ae to datacompliance@dha.gov.ae — so runbooks dated before that still route to the wrong inbox.

How is NABIDH different from ADHICS?

NABIDH is the Dubai Health Authority's framework and runs a tighter 24–48-hour breach notification window; it was updated by DHA Policy HISHD/PP-13 effective November 2024. ADHICS v2.0 is the Abu Dhabi Department of Health's framework and runs a 72-hour window, with Basic compliance due November 2024 (passed) and Advanced due May 2025 (passed). Multi-emirate clinic groups are governed by both at once.

Does PDPL apply to patient data?

Patient health records are exempt from PDPL under its Article 2 scope provisions — those are governed by NABIDH (Dubai), ADHICS (Abu Dhabi), and the Federal Health Data Law (nationwide). PDPL does cover every other category of personal data a healthcare organization holds, though: employee records, vendor contracts, marketing contacts, administrative data. Healthcare operators therefore run both regimes in parallel.

Can we store electronic health records outside the UAE?

No. The Federal Health Data Law (Federal Law 2 of 2019, issued by MOHAP) mandates UAE localization of all electronic health records. Cross-border transfer is prohibited unless there is explicit ministerial approval, reviewed case-by-case. This applies across all seven emirates and covers EHRs, PACS images, lab results, and the de-identified derivatives that analytics vendors sometimes treat as exempt.

Do you work with Dubai-only clinics, or multi-emirate groups too?

Both. Complexity scales with footprint: a single Dubai-licensed clinic runs one regime (NABIDH + PDPL + Federal Health Data Law), while a multi-emirate group adds ADHICS v2.0 on top for any Abu Dhabi operations. Our incident response runbooks are written for the dual-window case, so severity classification produces the right 24h vs 72h decision automatically.

What does a healthcare IR runbook assessment include?

A healthcare IR runbook assessment reviews your current incident-response documentation against NABIDH HISHD/PP-13 and ADHICS v2.0, rebuilds the severity classification to produce the correct 24h vs 48h decision path for Dubai, updates DHA notification contacts to the current datacompliance@dha.gov.ae address, produces a multi-emirate-aware escalation matrix, and dry-runs the result in a tabletop exercise. Output is a clinical-operations-ready runbook, not a policy document.

Start with an IR review

Twenty minutes. Dual-regime runbook gap report within a week.

A 20-minute call to understand your facility footprint and obligations. Followed by a written gap analysis against NABIDH HISHD/PP-13, ADHICS v2.0, the Federal Health Data Law, and PDPL — whichever apply — with prioritised remediation. No obligation.