April 21, 2026 · 6 min read

Healthcare Penetration Testing in UAE - DHA, ADHICS, HIPAA Guide

Healthcare penetration testing in UAE for hospitals, clinics, healthtech, and HIS vendors. DHA (Dubai Health Authority), ADHICS (Abu Dhabi Health Data), HIPAA, and HITRUST compliance mapping. Common findings and engagement planning.


Healthcare penetration testing in the UAE operates at the intersection of federal cybersecurity baselines, emirate-specific health data regulations, and international healthcare frameworks relevant to customers and partners. For UAE hospitals, clinics, healthtech startups, and Hospital Information System (HIS) vendors, the regulatory mapping is the most frequently misunderstood part of the engagement scope.

This guide walks through the specific regulatory frameworks UAE healthcare entities answer to, what each requires of penetration testing programmes, the attack surfaces most commonly under-tested, and how to structure an engagement that will satisfy both local and international stakeholders.

The UAE Healthcare Regulatory Stack

Healthcare cybersecurity in the UAE is layered - federal baselines, emirate-level health regulations, international customer frameworks, and sector-adjacent regulations all apply.

Federal baseline

  • NESA / NCA Information Assurance Standards - the UAE federal cybersecurity framework. Healthcare CII entities (tier-1 hospital networks, critical health infrastructure) are explicitly in scope.
  • UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL) - UAE’s GDPR-equivalent. Health data receives heightened protection.

Dubai Health Authority (DHA)

For Dubai-licensed healthcare entities, DHA sets specific operational and information security requirements. DHA’s cybersecurity expectations reference federal frameworks (NESA) and add sector-specific controls covering:

  • Patient data confidentiality and integrity
  • Electronic Medical Record (EMR) system security
  • Medical device security for connected clinical equipment
  • Telemedicine and digital health platform security
  • Third-party HIS vendor security assessment

Abu Dhabi - ADHICS

The Abu Dhabi Healthcare Information and Cyber Security (ADHICS) Standard is the most mature and explicit healthcare cybersecurity framework in the UAE, developed by the Department of Health - Abu Dhabi (DOH). ADHICS mandates:

  • Comprehensive information security management system
  • Specific penetration testing requirements for healthcare information systems
  • Annual testing of HIS, EMR, and patient-facing platforms
  • Third-party and supplier security assurance
  • Medical device security assessment
  • Cross-border data flow controls for patient data

For Abu Dhabi healthcare entities, ADHICS is the primary reference - it is more prescriptive than NESA and sets the bar for what UAE healthcare penetration testing looks like in practice.

Sector-specific adjacent requirements

  • MOHAP (Ministry of Health and Prevention) - federal oversight for healthcare entities outside Dubai and Abu Dhabi jurisdiction
  • JAWDA (SEHA quality standards) - quality framework that touches on information security

International customer frameworks

Many UAE healthcare entities serve international patients or partner with international platforms. This introduces additional framework references:

  • HIPAA - if serving US patients or US-based healthcare platforms, HIPAA testing expectations apply
  • HITRUST CSF - an industry-developed healthcare security framework increasingly requested by international partners
  • GDPR - if serving EU patients or partnering with EU healthcare systems
  • SOC 2 Type II - if serving enterprise healthcare customers or health insurers

Healthcare Attack Surfaces Frequently Under-Tested

Across UAE healthcare penetration testing engagements, the following gaps recur:

Electronic Medical Record (EMR) systems

Often treated as “internal and trusted” and excluded from external-perimeter-focused testing. But EMR systems are the highest-value target in any healthcare environment and routinely have:

  • Broken access control allowing cross-patient record access
  • Inadequate audit logging of privileged access
  • Legacy protocols (HL7 v2, DICOM) with no authentication or integrity protection
  • Third-party integration points with weak access controls
  • Insufficient session management for clinical workstations

Medical devices and IoMT

Connected medical devices - infusion pumps, patient monitors, imaging equipment, surgical robotics - have specific attack surfaces that general IT testing misses:

  • Hardcoded credentials (still common in deployed medical equipment)
  • Unpatched embedded operating systems running inside the devices
  • Medical device networks insufficiently segmented from general IT
  • Proprietary protocols with no authentication or encryption
  • Firmware update mechanisms lacking signature verification

See our IoT penetration testing service for the methodology.

Hospital Information Systems (HIS) integrations

HIS platforms integrate with laboratory systems, radiology, pharmacy, billing, insurance, and patient portals. Each integration is an attack surface. HL7 and FHIR API integrations routinely show:

  • Authentication weaknesses on FHIR endpoints
  • Authorization gaps allowing cross-facility data access
  • Inadequate validation on HL7 message processing
  • Legacy MLLP transport without encryption in internal networks

Telemedicine and patient portals

Patient-facing digital channels are the fastest-growing healthcare attack surface. Common findings:

  • IDOR allowing cross-patient appointment or record access
  • Inadequate identity verification during telemedicine session initialization
  • Insecure direct object references in lab result delivery
  • Mobile app issues (we test those separately via mobile app pentest)
  • Session management flaws in multi-device access flows
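The cross-patient access findings listed under HIS integrations and patient portals above come down to one pattern: the server authenticates the caller but authorises only on the client-supplied record id. The following is an added example (not pentest.ae's code or any real HIS vendor's) that shows a minimal FHIR-style Observation handler with that IDOR beside the hardened version, which checks the resource's subject against the patient compartment carried in the caller's token; the tokens, patient ids and observations are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample store: Observation resources keyed by id, each with a
# FHIR-style `subject` reference to a Patient id.
OBSERVATIONS = {
    "obs-1": {"subject": "p-100", "code": "HbA1c", "value": 6.1},
    "obs-2": {"subject": "p-200", "code": "HbA1c", "value": 8.4},
}

# Constructed bearer tokens. In a SMART-on-FHIR launch the `patient` context
# names the caller's compartment; that claim, not the URL, is what to trust.
TOKENS = {
    "tok-a": {"patient": "p-100", "scope": "patient/*.read"},
    "tok-b": {"patient": "p-200", "scope": "patient/*.read"},
}

AUDIT_LOG: List[str] = []  # denied attempts are recorded for retrospective review


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_get_observation(token: str, obs_id: str) -> Response:
    """IDOR: the caller is authenticated, but any obs_id is served regardless of
    which patient it belongs to (cross-patient record access)."""
    if token not in TOKENS:
        return Response(401)
    obs = OBSERVATIONS.get(obs_id)
    return Response(200, obs) if obs else Response(404)


def hardened_get_observation(token: str, obs_id: str) -> Response:
    """Compartment check: the Observation's subject must equal the token's patient."""
    claims = TOKENS.get(token)
    if claims is None:
        return Response(401)
    if not claims["scope"].startswith("patient/"):  # only patient-level scopes allowed
        return Response(403)
    obs = OBSERVATIONS.get(obs_id)
    if obs is None or obs["subject"] != claims["patient"]:
        # Same 404 for "missing" and "not yours" so ids outside the compartment
        # cannot be enumerated by status code, but log the attempt for audit.
        AUDIT_LOG.append(f"deny token={token} patient={claims['patient']} obs={obs_id}")
        return Response(404)
    return Response(200, obs)
```

The audit entry on denial is the part most engagements find missing: without it, a cross-patient probe leaves no trace to investigate later.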

Medical research and clinical trial platforms

The UAE has a growing medical research sector. Clinical trial platforms and research data repositories require specific testing for:

  • De-identification integrity (can PHI be re-identified?)
  • Statistical disclosure attack surface
  • Cross-study data isolation
  • Research IRB access control enforcement

Insurance and claims processing

Hospital systems with integrated insurance and claims processing are a high-value fraud target with specific attack surfaces: claims submission integrity, payment routing manipulation, and cross-insurer data leakage.

Common Findings in UAE Healthcare Engagements

Patterns across recent UAE healthcare pentesting engagements:

  • Broken access control on EMR - cross-patient record access via parameter manipulation (highest frequency, highest severity)
  • Legacy DICOM or HL7 interfaces accessible without authentication on internal networks
  • Medical device network not effectively segmented from general IT, allowing lateral movement from phished administrative workstations to connected clinical equipment
  • Inadequate audit logging of privileged EMR access - difficult to retrospectively determine if a breach occurred
  • Patient portal IDOR or authorization flaws enabling cross-patient data exposure
  • Third-party HIS vendor access insufficiently restricted - contractors with more network access than their function requires
  • Hardcoded credentials in medical device firmware still found in deployed devices

Structuring a Healthcare Pentest Engagement

A comprehensive healthcare penetration testing engagement for a UAE hospital or health-tech vendor typically includes:

Annual engagement scope:

  • EMR / HIS platform (internal + external attack surfaces)
  • Patient portal and telemedicine channels
  • Medical device network and segmentation verification
  • Selected critical medical devices (imaging, monitoring, clinical workstations)
  • HL7 / FHIR integration endpoints
  • Third-party integration points (insurance, labs, pharmacy, radiology)
  • Staff-facing clinical applications
  • Administrative and billing systems

Quarterly targeted testing:

  • Patient-facing web and mobile applications
  • Public API endpoints
  • High-change components

Specialist scopes as needed:

  • Medical device security assessment (IoMT-specific)
  • Clinical trial platform testing
  • Research data repository testing

Compliance deliverables:

  • ADHICS control mapping (for Abu Dhabi entities)
  • DHA requirement mapping (for Dubai entities)
  • HIPAA Security Rule mapping (for US-touching entities)
  • HITRUST CSF mapping (if customer-facing)
  • PDPL alignment notes

How pentest.ae Handles Healthcare Engagements

We run healthcare penetration testing for UAE hospitals, clinics, healthtech startups, and HIS vendors. Our engagements are scoped against ADHICS, DHA, HIPAA, and HITRUST as relevant. Our team includes researchers with experience testing EMR platforms, medical device networks, and clinical information systems - not generalist pentesters retrofitting to healthcare scope.

We coordinate with your clinical engineering team for medical device scope, we respect clinical availability constraints during testing windows, and our reports are structured for audit and regulatory submission.

Frequently Asked Questions

What is ADHICS and how does it differ from HIPAA?

ADHICS is the Abu Dhabi Healthcare Information and Cyber Security Standard, published by the Department of Health - Abu Dhabi. It is more prescriptive than HIPAA, specifically tailored to the UAE healthcare context, and explicit in its penetration testing requirements. Abu Dhabi healthcare entities answer primarily to ADHICS. HIPAA applies only if US patients or US-based healthcare platforms are involved. Reports can map to both if your scope is multi-jurisdictional.

Which UAE healthcare entities need penetration testing?

Hospital networks and standalone hospitals, clinics and specialty medical centres, healthtech startups handling patient data, Hospital Information System (HIS) vendors selling to UAE healthcare, telemedicine platforms, clinical trial platforms, medical device manufacturers with connected products, insurance platforms processing health data, and pharmacy chains with patient records. Regulatory obligations vary by emirate (DHA for Dubai, DOH for Abu Dhabi, MOHAP for the other emirates), but penetration testing expectations apply across all of them.

What are the most common findings in UAE healthcare pentests?

Patterns we see consistently: broken access control on EMR enabling cross-patient record access (highest severity, highest frequency), legacy DICOM or HL7 interfaces accessible without authentication on internal networks, medical device networks not effectively segmented from general IT, inadequate audit logging of privileged EMR access, patient portal IDOR enabling cross-patient data exposure, third-party HIS vendor access insufficiently restricted, and hardcoded credentials in medical device firmware still found in deployed devices.

Should medical devices be included in healthcare pentest scope?

Yes, but with specialist methodology. Connected medical devices (infusion pumps, patient monitors, imaging equipment, surgical robotics) have distinct attack surfaces including firmware vulnerabilities, hardcoded credentials, unpatched embedded operating systems, proprietary protocols without authentication or encryption, and firmware update mechanisms lacking signature verification. Medical device testing requires hardware + radio + software expertise beyond standard web/network testing.

How do DHA, ADHICS, and HIPAA requirements interact?

DHA sets cybersecurity expectations for Dubai healthcare entities. ADHICS is the Abu Dhabi-specific healthcare cybersecurity standard. HIPAA applies to US patient data handling. HITRUST CSF is an industry-developed healthcare security framework. UAE healthcare entities serving international patients or partners often maintain multiple framework alignments. Our reports map findings to all applicable frameworks - local UAE plus international as scoped - reducing documentation burden.
