Exploring the UAE's New Healthcare Cyber Regulations

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:19] Hello and welcome to the CyberPHIx, your audio resource for information security, privacy, risk and compliance, specifically for the health care industry. I'm your host, Brian Selfridge. In each episode, we bring you pertinent information from information thought leaders in health care, cybersecurity and privacy. In this episode, we'll be speaking with Mohammed Fadlala. Mohamed is the co-founder and privacy practice lead at Archlight, the premiere provider of health care, cybersecurity and privacy services consulting services in the Middle East and North Africa region. I'll be speaking with Mohammed today about the new cybersecurity and privacy regulations that have recently come into effect in the UAE. We'll try to get a lay of the land on these new regulations and implications for health care in the UAE as well as here in the U.S. So let's dive into another great conversation with yet another amazing guest, Mohammed Fadlallah.

Brian Selfridge: [00:01:12] Hello and welcome to the CyberPHIx leading podcast for information security, privacy and compliance, specifically for the health care industry. I'd like to welcome my guest, Mohammed Fadlala. Mohammed is the co-founder and privacy practice lead at Arclight, the premiere provider provider of health care, cybersecurity and privacy consulting services in the Middle East and North Africa region.

Brian Selfridge: [00:01:32] Mohammed has 15 years of experience leading audit assurance and advisor engagements in a variety of areas, including HIPAA Compliance, ISO 27001 certifications, ERM data privacy, security breach notification so much more within leading organizations, including the Mayo Clinic target Grant Thornton and the state of Minnesota. He's received several awards and honors, including Mayo Clinic Star Award for Service Excellence Target Corporations Above and Beyond Award, as well as serving as a standard setting judge for the CISA examination with ISACA. I also want to note that Archlight are also partners with us here at Meditology in support of our joint delivery of services to the health care organizations in the United Arab Emirates or UAE and those regions. I'm very excited to speak to Mohammed today about new cybersecurity and privacy regulations and risk management in the UAE and Middle East and North Africa region as they've recently come into effect in the UAE, particularly the regulations over the last couple of years. So, Mohammed, thank you so much for joining us. Really excited to speak with you today.

Mohammed Fadlalla: [00:02:35] Thank you very much, Brian

Brian Selfridge: [00:02:39] Let's start with some of the these regulations, I know that's relatively new new activity over the last couple of years. From what I understand, there are several new laws and even a couple of standards that have cropped up in the last few years targeting cybersecurity and privacy in the UAE specifically, I think 2019 through now. It's been they seem to be popping up every year. What's prompting all this this government action? Why now?

Mohammed Fadlalla: [00:03:05] Sure, sure. So over the past decade or so, starting probably in 2008, the EMR adoption journey started here in the UAE. So a lot of organizations that a lot of states here in the UAE started implementing EMRs and then moving towards HIE health care information exchanges and kind of falling in line with the overall strategy of the country to to follow the global trend of digital transformation. I using big data and all of those laws, those things. So it was, I guess, just kind of part of that, keeping up with the technology, how regulations and technology kind of outpaces regulations and regulatory implementations. This regulation really was just to keeping pace with all of this all of this movement towards digital digitizing the health care space.

Brian Selfridge: [00:04:05] Excellent. Can you give us a sense of what some of the new laws and regulations are, maybe just at a high level? I know there's been a handful. I'm having trouble keeping track of them myself.

Mohammed Fadlalla: [00:04:13] So the main one that was passed, which is the ICT. This was a federal law in 2019 law, too, concerning the use of information and communication technology in the area of health care. So that's the main federal law that was passed in 2019. It was published on the 14th of February of 2019. And it really gave the Ministry of Health and Prevention the authority to require that all health care authorities at the state level, at the alert level, to bring their data into a centralized health care hub, which is overseen by by the Ministry of Health and Prevention. So that was kind of one of the core elements of that regulation. Along with that, also the data protection requirements that are included in the law and also the localizing health care data within the U.S. So it's more like residing in. So those are the three elements of that law. But then it was again, it's a federal law. It was at a high level. It has 31 articles, and it really gave them the authority back to the states or the Emirates or the local derby and Dubai and their respective health authorities to publish more granular and more detailed requirements from both privacy and security. So along with that, we have, for example, in Abu Dhabi, the Department of Health Standards and Patient Privacy. And there's another one on cybersecurity as well. The Dubai Health Authority has warned also that is telemedicine, for example. So it really just kind of went back again to the state level to provide more of the detail behind that. So those are the key elements of the regulations that are really governing the space as a result.

Brian Selfridge: [00:06:30] So how do these new regulations compare or maybe contrast to some of the maybe the U.S. health care regulations, and are you familiar with those or any others that that you've come across or are they similar or are they or are they completely different animal altogether?

Mohammed Fadlalla: [00:06:43] Yes, so, I mean, there are there are similarities, there are some differences, so, you know, we used to the hyper regulation, for example, in the US having all of the detail in the actual body of the text of the regulation to have regulation. So they have their regulation broken up into three main rules that are that impact us in terms of the impact a little covered entities and business associates being the privacy, security and the breach notification rules. This one is a little bit different. The federal law is very high level, doesn't have a lot of detail in it. Along with that also there was a cabinet decision, which is like an executive regulation that followed that to provide some more detail, but still not at the level that we are used to with the federal regulation similar to it. So that's probably the difference is that the federal law here is less detailed than the one in the US and more of the authority is given to the states, the key states here being that be in Dubai to develop the details which come in the form of standards.

Brian Selfridge: [00:07:51] So that's interesting, that delegation down to the states for the sort of requirements in particular now, does the how about the enforcement and the penalty structure? Does that also fall on the states or is that at the federal level? How does how is that and maybe what's the penalty structure look like? What's what happens if we don't if we don't get this right? What are the penalties

Mohammed Fadlalla: [00:08:11] The penalty structure is very straightforward. It's up to a million durhams per violation. And so that's that's very straightforward there. And then, you know, the oversight and the the the governance of this regulation is at the ministry level. So that's at the federal level with the Ministry of Health and Prevention, which is short and does more. So we'll have this kind of like the OCR in the US, the Office for Civil Rights. They're the authority that governs the health care space, primarily with the other states, the states that are that that are there, that don't have a health authority or distinct authority. So the Emirates has seven Emirates, there are seven Emirates, Abu Dhabi, Dubai are the largest, and then there are five other Emirates that are governed actually by more hop. But then there is governance at the state level for Dubai and Abu Dhabi by their distinct health authorities. So then the health authorities also have their, you know, separate level of authority and governance over their own entities that that operate within within their state. So they have penalties and they have requirements and they do their own audits on.

Brian Selfridge: [00:09:32] Now, I know we won't be able to get into every single provision in all of these regs and standards, but I'm curious about one area around breach notification in particular, because that's been such a a hot button issue here in the states. Some of the new laws that are being drafted up in Congress have, you know, for example, you have to notify the federal authorities if you had a breach within 24 hours. The breach, like it's getting really, really pretty crazy because historically, you know, a lot of organizations just had the breach and kind of swept under the rug, you know, and and didn't want anybody to know about it. Is that is that something that's been contemplated in these new UAE regulations or is it not quite gotten to that that specificity yet?

Mohammed Fadlalla: [00:10:12] Yeah, it hasn't gotten to that specific specificity level yet. It's not as specific as what we have in the US. So there are some requirements or the executive regulation, for example, Article five states, you know, if there's any suspicious activity related to security and privacy that should be reported. But when and how all those details that that we see in like the breach notification rule, it's important to note that, you know, there is a lot of emphasis or there's a lot of movement towards best practices, international best practices. So they are looking at like they have better regulation. They look at you deeper. They look at those international best standards and practices as models to follow. So I wouldn't be surprised that, you know, maybe in another few years there's something more details comes out that requires entities to report and provide them with more guidance and more specific requirements on how to report and when to report and what to write. But it's not there yet. So there's there's something for them to be learned or something for them to learn from what's what's happening in the US, for example.

Brian Selfridge: [00:11:36] So I want to ask you a little bit about the just the makeup of the health care delivery system in the UAE and more broadly Middle East, North Africa is there. You know, in the states here, we obviously have a mix between government owned health care entities and private and and small and large and conglomerates. There's a lot of mergers and acquisitions. It's crazy over here. What does it look like? You tell me a little bit about the makeup of health care delivery in the UAE. And, you know, what about how many? I'm sure you don't know exactly, but about how many types of organizations are they? Are they conglomerates or are they all independent? Yeah, we'd love to get a sense of that.

Mohammed Fadlalla: [00:12:10] Sure, absolutely. So, you know, the journey of health care here in the U.S. has taken more twists and turns of evolution, right? So it evolves. The way it began here is that it was mostly or mainly just government owned health care entities owned and operated the the even the health insurance that the coverage was was also overseen by the government. Very straightforward, very simple. Similar to what what I guess maybe the U.K., the like the socialized medical system, but then in the 90s and early 2000, that that that changed. So there was more of a trend towards privatization of health care. So now it's kind of a hybrid blend between government owned and operated entities and then private care and private partnerships or partnerships with US organizations, for example, are very, very prominent US organizations that are that have partnered here with UAE institutions, both government and private sector. So Cleveland Clinic, Johns Hopkins, Mayo Clinic, Children's Hospital. And then you have companies like Johnson and Johnson, for example, and and others have come to the region and formed partnerships to deliver care and deliver, you know, different aspects of care. So so that is kind of the the the the current trend thing. Also, we have, for example, in January 2020, a new hospital opened its doors in creating one of the largest hospitals, providing care for patients with serious and complex medical conditions. And I think part of that was the fact that there were a lot of patients that were being sent overseas for care. So going into places like the United States, Mayo Clinic, even Clinic, and the expenditure on average for one of those patients was a quarter of a million dollars or just one trip.

Mohammed Fadlalla: [00:14:09] So if you think about the expense for a patient, it gives a very good business case for bringing some of that back and forming these partnerships and saving some cost and also just making it a bit more efficient and more cost effective for the government, while at the same time tapping into those resources, into that excellent health care model that's present in the US in a more partnership oriented model. So that is the current structure for for for for the health care industry. There is about 60 or so health care insurers. So it's a little bit overcrowded here. But you have companies like Cigna, Aetna, all of those big major players have come to the market that are then obviously the local health care insurers that are governed by like the health authorities in Abu Dhabi and Dubai. So you have the man with, like health plans, like, for example, then you have ones also in Dubai, for example, that are also for the Dubai residents and citizens. So it's a mix between public and also private health care insurers that's also present in the markets as well. So it's a very diverse market, very fast growing, a lot of expenditure in the market, about maybe four or five, close to five percent of GDP is being expended on on health care, the health care sector. So it's a very huge chunk. So, yeah, that's that's kind of what it looks like.

Brian Selfridge: [00:15:49] And do the regulations apply to both the health care delivery provider sector as well as the payers there, or is there any kind of differentiation into those different groups?

Mohammed Fadlalla: [00:16:01] Yeah, so, I mean it is very, very far reaching, so medical providers, health care insurers, health care, it, you know, vendors, cloud providers, all of those entities and organizations fall under the table. So they are definitely covered by this regulation. And again, going back to the, you know, talking a bit about the challenges with that is that, you know, there is obviously a lot of requirements here that are causing some to worry, especially the IP providers, providers, because of the data residency, the localization aspects, because then it really becomes a very tough thing for and it's been been a difficult issue for organizations seeking clarity on what this does to them, how this impacts them in terms of their ability to transfer data outside of the tapping into data providers that are that are not in the United Arab Emirates. And I think part of that is that the UAE goal is to bring some of that back into the UAE, benefiting the local economy and ensuring that there is more control over the data, that the security of the data and ensuring that there's more that's contained within the borders.

Brian Selfridge: [00:17:28] So it sounds like there's a lot to cover. It's very broad and there's a lot to consider. How do you recommend organizations in the UAE that are just trying to get a handle on these new regulations? How do they get started? What are maybe some of the first things you recommend they do to get an idea of their level of compliance or their their exposure to the regulations, those types of things?

Mohammed Fadlalla: [00:17:50] Yeah, I mean, if you think about what happened in the US, you know, the HIPAA was passed in nineteen ninety six and then went through a lot of, you know, changes after that in 2008, 2009 with the High Tech Act and then the omnibus rules in 2012. And there are still some changes happening. And all we're talking about. Twenty five years. Right. You know, that is you look at that example and what that did to organizations in the US and all of the questions that are still people don't get it. You know, there are still people who don't get what HIPAA is and think, you know, this is HIPAA. Right. And when someone says this is HIPAA, they think that this is a violation. So there's a lot of you know that I don't say ignorance, but vagueness and room for like interpretation. Where does this apply? Where does this not apply? So I think that's just not true. And I'm probably not going to, like, completely go away as far as like the actual adoption of the law being compliant with the law. I think a lot of that is going to depend on on the authorities and what the authorities do next.

Mohammed Fadlalla: [00:18:57] Do they actually start audits similar to the OCR audits that happened in the U.S.? Do they apply more harsh penalties? They modify and amend the laws and addendums to the law that put more requirements on like things such as breach notification? I think some of those things are going to spur more action from providers and entities. For now, I think a lot of organizations are looking at these laws, you know, wanting some of them wanting to be proactive so that are organizations that are reporting incidents and breaches, even though there isn't really a mandate to report or like what? They're just being proactive. They're being irresponsible in the reporting. But I think a lot of that is going to change in the future once these there's more clarity and there's just more education. And there's unfortunately more people falling into traps of compliance violations and and maybe some publicity along with that might be kind of the tough way for people to do. You'll wake up to the new reality and start adopting, adopting and following these laws.

Brian Selfridge: [00:20:06] Well, that's certainly the way it went here as well in the early days, it took a lot of those high profile enforcement actions to get people to to wake up. It still happens. Amazing to me. Organizations that are being investigated by OCR that have never done a risk assessment, for example, or haven't done any kind of policy and procedure development updates in the twenty five years since it came out. Is there anything we can learn from? I know you've been in the US health care system as well for a long time. Anything we can learn or apply from that experience that that might be useful to these organizations getting started and help accelerate or not wait until that, you know, that penalty or that big event to actually get get their act together and start being more proactive?

Mohammed Fadlalla: [00:20:48] Sure. I mean, I think, you know, the compliance departments, you know, privacy officers, security officers, we look at these laws, you know, and start asking questions, what can we do? And if they are not able to answer that internally, you know, go seek help from the authorities or from experts in the field to perform at least, you know, readiness assessments or assessment things that just get them started on knowing where do they stand with these laws? You know, the risk assessments are obviously very important and they should be happening regardless of the existence of the law. We know from a security best practice, you know, the fact that there are a lot of the EMR adoptions almost at a rate where it's all entities have implemented some sort of an EMR so that that security risk is there. So having these risk assessments is very, very important and ensuring that there is some compliance gap assessments just to ensure that, you know, where do we start with the law we're doing we're supposed to do we are within within the confines or are we within what's legally allowable? I think those are good things to do, you know, forming these relationships and partnerships and just taking advantage of that and talking to each other, I think is also important. So these forums that that that hosted events where people can actually talk and chat, for example, you know what I know from the US, you know what? If a law is about to be published or it's open to public comment, so that is something that's really healthy.

Mohammed Fadlalla: [00:22:21] I think that, you know, if it's not happening here, maybe it's something that that could be adopted here to really just get feedback and get kind of the pulse, because it helps then in reducing regulations that are that are fine tuned and very well aligned to what's happening. They're not disjointed. They're not going to like lead to a lot of negative impacts. They're not going to have a burden that is unbearable by organizations. So large organizations can absorb some smaller some of these regulations can be a killer for them, you know, in terms of penalties and things like that. So I think, yes, for sure, starting with an assessment, the gap assessment and talking to people who have expert experience and expertise in the field, consultants that have experience and expertise to help with that. And then looking forward to what's what's really important is just kind of looking towards the future and using maybe some of the experience that, you know, health care providers in the US, their journey with like HIPPLE, for example, to foresee what might actually happen next here and the IT, because the way from my observation, a lot of the things that are happening here are following the path of things that have happened in the US, for example. So I think getting getting some of that learning from those lessons and applying it in the UAE will be helpful.

Brian Selfridge: [00:23:52] One of the things that took us a long time to get a handle on was around certifications and sort of getting some external validation of our security programs outside just following the letter of the law, as is any of that happening in the UAE yet, or is there any value to getting particularly maybe the vendors that you were mentioning there in scope for this getting certified? I don't know if it's if it's ISO or something else, but do you see that coming to play yet? Or is that is that to too far a degree of maturity that, you know, they're not really ready for at this point?

Mohammed Fadlalla: [00:24:22] No, I think actually, I think from what I'm observing, this is definitely something that could could very well be taken advantage of and applied here because, you know, we are, for example, JCAHO, the joint commission, you know, those those certifications are happening. So it's really not something that I would think is is far fetched to start going down that path for these providers. So having these certifications, these attestations, all of these things that prove you are compliant, you are aligning with best standards and best practices, I think is good business in general, good business strategy for a lot of these companies. You know, number one, you're protecting your assets, right? You're protecting protecting your organization, your organization assets. Number two, your kind of reading between the lines with all of these regulations and standards that there are really just mimicking a lot of these international best practices and going down that road, down that path. So why not be proactive rather than wait for that to be imposed and then pushed from the top start, really kind of from the bottom up and do your own work internally. So naturally, then you would look at these international best practices and the standards of certifications such as ISO twenty seven thousand one or I trust or just out to stations like SOC2. If you wanting to align, for example, with HIPAA, or GDPR are all of these are options that are available I think are very, very useful, very helpful. And, and, and they do a lot, you know, in terms of benefit for these organizations, if not just compliance.

Mohammed Fadlalla: [00:26:03] It's also good in terms of protecting assets, as I mentioned before, and also from a competitive advantage, competitive marketing advantage and all of these things. You can publish those websites and show people that you are falling following these these international aspects. The other thing, too, is that the consumers, you know, the customers, the clients, the patients, the populations that are being served by these entities are going to become more if they're not already become more aware of their rights and their patients rights in their know the privacy rights. So then you're going to have pressure that's coming not just from regulators, but they have pressure coming from clients. And some clients may choose to go to organizations that have a better handle on their security and privacy if they really value their own security and privacy. And I don't think that that's also something that's that that that that that, you know, given the local culture, you know, this is a very conservative culture, traditionally very private culture. A lot of people go outside of the UAE to get their get outside of the UAE just for privacy sake. So if you are trying to keep some of that business here and give you know, providers give customers and patients comfort that their data is being protected, I would say that following these international best practices and standards of certification infestation would allow you to do that and publish that and then show people that you are doing the right thing.

Brian Selfridge: [00:27:35] Well, Mohammed, this has been such an excellent conversation, I want to be respectful of your times I think, given the time difference and probably keeping up late into the evening and you need to you need to eat and sleep and do lots of important other things. I just want to wrap up maybe with any closing thoughts you have for for our audience and anything we've covered. Any takeaways that you'd like our folks to leave with here as they think about how this might play out going forward or steps that they can take today to get ready?

Mohammed Fadlalla: [00:28:03] Sure, yeah, I know, I think, again, just looking at what's happening here, obviously with the experience that we've had in the US, I think that this is going to be a very interesting journey for health care providers here with these laws. There's a lot that's happening. There's already a lot happening because of the pandemic telehealth adoption obviously rates that services all of these things are just impacted by so many factors. So with all of these factors and then kind of the strategies and the push for the digital transformation, all of these different factors are really pushing people in the direction of having to really look deep and close into their own internal environments to ensure that they are up to par with with with the trends and the changes that are happening. So I would say that, you know, for organizations the best just again, like I said, be proactive, ask questions, lean on experts to get answers for help if needed as well, and can be an exciting journey. And we look forward to seeing how this evolves and what it means and what it does to all of these organizations here. The.

Brian Selfridge: [00:29:17] Fantastic, and I would second that recommendation to talk to the experts and and you are certainly the top of the top, so we'll guide our audience to come to reach out to you for for any and all questions. Although I know you're very busy. I'm sure you'll I'm sure you can help along the way. So I'd like to thank you so much, Mohammed, for joining us today. My guest has been Mohammed Fadlalla, who is a co-founder and privacy practice leader for Archlight in the UAE. So thank you so much, Mohammed, for taking the time to share your insights with our audience today. This has been really wonderful.

Mohammed Fadlalla: [00:29:46] Thank you, Brian, I appreciate the opportunity and we look forward to seeing all this evolves and thank you again for the opportunity.

Brian Selfridge: [00:30:03] Again, I would like to thank my guest, Mohammed Fadlalla, for sharing his perspective on the new UAE security and privacy regulations, I found it particularly interesting to learn about the broad scope of the new laws and the emphasis on protecting the data in particular, as well as the privacy of UAE patients. We'll stay close with Mohammed to see how this all plays out as we look to collectively help accelerate data and privacy protections for all health care entities wherever they reside in the UAE, the US and more broadly, of course,

Brian Selfridge: [00:30:45] Thanks again for tuning into this discussion today. As always, we'd like to hear your feedback and hear from your listeners. Feel free to drop us a note about what topic you'd like to hear about or a thought leader you'd like to hear from. Our email address is [email protected] Thanks once again for joining us for this episode of the CyberPHIx. We look forward to having you join us for another session coming up soon.