GCC healthcare cyber readiness — 2026 benchmark.
ADHICS V2, DoH and HIPAA maturity across 14 hospital groups, with the controls most often missing.

This benchmark draws on anonymised data from MAST Consulting Group's Regulatory (UAE/GCC) portfolio across the UAE, KSA and India. Sample sizes are noted where they matter; numbers are reproduced in ranges to preserve client confidentiality while remaining useful for planning.
Definition
The GCC healthcare cyber readiness benchmark assesses cybersecurity maturity across hospital groups against three frameworks: ADHICS V2 (DoH Abu Dhabi, 18 control families), UAE/KSA PDPL data-protection obligations, and the HIPAA Security Rule (45 CFR Part 164, applicable to facilities treating US-insured patients or affiliated with US health systems). The 2026 edition covers 14 hospital groups and identifies the controls most frequently absent across the sector, so remediation effort can be directed at the gaps that recur most often.
Why it matters
The pressure on Regulatory (UAE/GCC) programmes is shifting in specific, observable ways:
- DoH licence renewal now mandates ADHICS V2 compliance evidence; the 2026 benchmark shows that 71% of assessed facilities are non-compliant on CF7 (Medical Device Security) — the single most common renewal-blocking finding.
- HIPAA Security Rule §164.308(a)(1)(ii)(A) (risk analysis) is missing or outdated in 65% of GCC facilities treating internationally insured patients; this exposes US-affiliated groups to HHS OCR investigation and civil penalties of up to USD 1.9M per violation category per calendar year (the cap is adjusted annually for inflation).
- The UAE PDPL Article 10 special-category data provisions impose heightened protection on health data; the benchmark finds 58% of facilities lack documented lawful basis and encryption controls for patient data — a dual PDPL and ADHICS gap.
- Cyber insurance premiums for GCC healthcare providers have increased 35–60% in 2024–25; insurers now require ADHICS V2 self-assessment scores above 75% as a coverage condition, directly affecting premium and coverage availability.
Evidence sources to capture
What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:
- ADHICS V2 self-assessment scorecard — per control family score, evidence artefact list, assessor name and date.
- HIPAA Security Rule risk analysis (§164.308(a)(1)(ii)(A)) — asset inventory, threat/vulnerability catalogue, likelihood and impact scores, treatment decisions.
- Medical device inventory and MDS2 register — device name, manufacturer, connectivity type, network segment, patch status.
- Encryption audit — data-at-rest encryption (AES-256) coverage percentage across clinical systems, EHR databases and backup media, together with where the keys are held (KMS/HSM, rotation, custody); a backup encrypted with a key stored on the same media offers no protection if that media is lost, so it should not be counted as covered.
- Security awareness training records — staff completion rate per facility, phishing simulation results, remedial training completion.
- Cyber incident log — incident count by category (ransomware, phishing, device compromise), mean time to detect (MTTD, occurrence to detection) and mean time to respond (MTTR, detection to containment), with the timestamps from which they are calculated.
Recommended next actions
A 90-day plan, sequenced so each step produces evidence the next step depends on:
- Day 0–30: CISO and Compliance Officer run ADHICS V2 + HIPAA gap assessment across all facilities; score each control family; identify bottom-quartile facilities for priority remediation.
- Day 31–60: IT Security Engineer implements medical device VLAN segmentation (ADHICS CF7) and patches critical CVEs on networked clinical devices; where the manufacturer has not validated a patch for a device, the compensating control (segmentation, restricted access) is recorded against that device instead of leaving the finding open; collects MDS2 forms from all device manufacturers.
- Day 61–90: Privacy Counsel completes the HIPAA Security Rule risk analysis (§164.308(a)(1)(ii)(A)) and the UAE PDPL DPIA for health-data processing; IT Security Engineer implements AES-256 encryption at rest on all EHR databases and backup media, with keys held in a KMS or HSM separate from both the data and the backup media.
- Day 90+: Facilities Manager commissions ADHICS V2 third-party audit; addresses findings; submits evidence package to DoH; updates cyber insurance policy with current ADHICS score documentation.
- Ongoing: Compliance Officer tracks ADHICS CF10 incident notifications within 72 hours; updates HIPAA risk analysis annually or on significant environment change; runs phishing simulation quarterly.
Example metrics
Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:
- ADHICS V2 overall score: target ≥85% compliance across 18 control families at DoH submission; CF7 score ≥80% as minimum.
- HIPAA risk analysis currency: 100% of facilities with US-affiliated coverage have a documented risk analysis dated within 12 months.
- Medical device patch SLA: ≥90% of networked clinical devices on current firmware within 90 days of a critical CVE being published for that device; devices held under a compensating control because no validated patch exists are tracked separately rather than silently dropped from the denominator.
- Encryption coverage: ≥98% of EHR databases and backup media encrypted with AES-256 at rest, with keys held outside the encrypted store.
- Phishing resilience: staff click rate on simulated phishing ≤5% after two training cycles; ≥90% of staff complete annual security awareness training.
What the numbers say
The dataset behind this benchmark is the same anonymised Regulatory (UAE/GCC) portfolio across the UAE, KSA and India described at the top of this page; as there, numbers are reproduced in ranges to preserve confidentiality while remaining useful for planning.
Across the portfolio, four indicators consistently separate the upper-quartile programmes from the median; on each of them the upper quartile runs at materially better levels, and the gap is widening cycle on cycle:
- open thematic-review findings by age
- supervisor satisfaction at the last on-site or off-site review
- time to assemble the regulator evidence pack
- percentage of regulator-mandated controls with current evidence
Pitfalls we keep seeing
Across MAST Consulting Group's Regulatory (UAE/GCC) portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report:
- no single source of truth across multiple supervisors
- evidence packs unique to each regulator instead of harmonised
- controls listed against the regulator but not operating consistently
- thematic-review responses prepared in the week of the visit
In every case what good looks like is the same: the control is evidenced inside the workflow it governs, as it operates, rather than reconstructed separately for the audit.
Tooling we actually reach for
MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Regulatory (UAE/GCC) engagements because the integrations are cheap and the evidence is defensible. None of these is used because it is fashionable; each is used because the audit trail it generates is one the reviewer accepts on the first ask:
- an evidence repository with regulator tagging
- data extracts from core systems on a fixed cadence
- a unified control framework (UCF) in a GRC tool or a curated spreadsheet
How MAST Consulting Group can help
MAST Consulting Group runs Regulatory (UAE/GCC) programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.
If anything in this benchmark is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Regulatory (UAE/GCC) programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
Map your programme to CBUAE, SAMA, NCA and ADHICS.
We translate regulator-by-regulator expectations into one auditable control set so you stop running parallel programmes.
- Circular-by-circular gap assessment
- Unified evidence pack for multiple supervisors
- On-site visit rehearsal
Prefer email? info@mastcgroup.com