The State of Healthcare Cybersecurity in the Kingdom of Saudi Arabia: A Comparative Analytical Study in Jeddah
Keywords:
Health Cybersecurity, Data Privacy, Saudi Personal Data Protection Law (PDPL), GDPR, Jeddah, Organisational Axis, Technical Axis, Human Axis, Stratified Random Sampling, Quantitative and Qualitative Analysis
Abstract
Background: This paper examines the privacy and cybersecurity of health data in healthcare centres in Jeddah Governorate with reference to the applicable legislative context, specifically the Saudi Personal Data Protection Law (PDPL).
Methods: The study was designed around three principal axes: the organisational axis (strength of organisational policy, compliance procedures and notification systems), the technical axis (infrastructure readiness, encryption, backup systems and multi-factor authentication), and the human axis (staff awareness and cybersecurity culture). The analysis was both qualitative and quantitative, following a descriptive-analytical approach; field data were gathered using structured questionnaires and semi-structured interviews. Stratified random sampling was used, yielding a final sample of 380 respondents from six healthcare facilities and ensuring diverse professional representation: physicians, nurses, technicians, administrators and IT professionals.
Results: The findings showed that the organisational dimension was rated highest (mean = 4.05), with significant differences between sectors and government hospitals leading. The technical dimension scored 3.72, with no significant differences between sectors. The human dimension scored lowest (mean = 3.45), yet it showed a strong positive relationship with the technical dimension, indicating that improving awareness and training is the most effective way to strengthen technical practices.
Conclusion: The results revealed gaps between local laws and international standards; the study recommends improvements in notification systems, technical infrastructure and mandatory training to ensure data security and build trust in healthcare organisations.
License

This work is licensed under a Creative Commons Attribution 4.0 International License.
You are free to:
- Share — copy and redistribute the material in any medium or format
- Adapt — remix, transform, and build upon the material for any purpose, even commercially.
Terms:
- Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
- No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.