Attributed by Osama Alzoubi, Middle East and Africa VP at Phosphorus Cybersecurity

As Saudi Arabia races ahead in digital healthcare transformation, a quieter vulnerability lingers in the background: medical imaging systems that can be found – and sometimes accessed – directly from the public internet. Imaging infrastructure, diagnostic platforms, and hospital information systems are being modernized at speed improving outcomes, accelerating workflows, and bringing advanced clinical capabilities to more communities. But beneath this progress lies a quieter risk that rarely makes headlines: medical imaging systems being exposed on the public internet due to simple configuration errors.

Not a dramatic cyberattack. Not a threat actor breaching a firewall. Just avoidable misconfigurations that leave sensitive patient data reachable by anyone who knows where to look.

Medical imaging systems in Saudi Arabia face a persistent security challenge that differs from dramatic cyberattacks. Patient data exposure often occurs through configuration errors that leave systems accessible on the public internet. These technical oversights represent a significant vulnerability in healthcare’s digital infrastructure.

The Kingdom’s Personal Data Protection Law (PDPL) establishes strict requirements for handling health data. This legislation, modeled after international standards, mandates enhanced protection for medical information and imposes penalties for unauthorized disclosure. Hospitals must implement organizational and technical measures to prevent data exposure.

Radiology departments increasingly use digital platforms for case discussions and second opinions. Without proper configuration, these systems might allow unintended access to patient records. Teleradiology services, which expanded significantly during the pandemic, require secure transmission protocols to protect data during remote consultations.

When we hear about data breaches, we often imagine skilled hackers penetrating security systems. The reality is often simpler and more preventable. “Exposed” typically means a system is reachable from the public internet due to setup choices, not a sophisticated intrusion.

This happens in real-world healthcare settings for straightforward reasons: rushed deployments to meet clinical deadlines, vendor-supplied default configurations that were never changed, remote support access left open for convenience, and legacy systems that were connected to modern networks without proper security reviews.

The scale is significant. Research has identified over 1.2 million reachable devices and systems globally, including MRI scanners, X-ray systems, and related medical infrastructure. These are not theoretical vulnerabilities. They represent actual systems that can be found and accessed from anywhere with an Internet connection.

What gets exposed is more than images

Medical imaging files are not simply pictures. They carry identifiers and metadata that can connect scans directly to real people. Patient names, dates of birth, identification numbers, and clinical details often travel alongside the diagnostic images themselves.

This matters for several reasons. Beyond the obvious privacy violation, exposed patient imaging data creates risks of identity fraud, potential coercion or blackmail, serious reputational damage to healthcare institutions, and erosion of the trust patients place in their medical providers.

Security monitoring platforms have documented cases where exposed systems allowed direct access to both images and patient data—offering a level of detail that should never be open to anyone outside the clinical team.

Why this keeps repeating worldwide

Hospitals everywhere use similar device types and manage comparable data flows. The result is that the same setup mistakes appear repeatedly across different countries and healthcare systems. What starts as one hospital’s misconfiguration becomes everyone’s common failure mode.

The medical devices themselves often come with similar default settings. Imaging servers, picture archiving systems, and diagnostic viewers are deployed in comparable ways. When basic security steps are skipped during installation, the exposure follows a predictable pattern.

Health sector cybersecurity guidance from international authorities emphasizes the need for repeatable baseline controls precisely because these patterns recur. Reducing exposure requires not innovation, but consistent application of known protective measures.

Healthcare organizations face a common vulnerability pattern. A major healthcare provider addressed similar challenges across hundreds of hospitals, discovering that default passwords, vulnerable firmware, and device misconfigurations created entry points that threatened patient care and hospital operations across more than 500,000 connected medical and operational devices.

The Saudi-specific layer: connectivity at cluster scale

Saudi Arabia’s healthcare transformation includes the expansion of health clusters that connect multiple facilities into integrated networks. This approach improves care coordination and resource sharing, but it also means that one weak link can affect multiple sites.

National interoperability initiatives support the sharing of imaging and diagnostic reports across the healthcare system. The Saudi health ministry has established specifications for imaging data exchange through the national health information exchange platform, enabling providers to access patient scans regardless of where they were originally performed.

This connectivity is essential for modern healthcare delivery. It allows specialists to review scans remotely, supports second opinions, and ensures continuity of care when patients move between facilities. However, it also increases the need for consistent configuration rules and security standards across all connected sites.

When imaging systems within a cluster are not uniformly secured, the exposure risk multiplies. A misconfigured system in one facility can potentially provide access to data from across the entire cluster network.

A practical checklist hospitals can act on

Healthcare institutions can take concrete steps to reduce exposure risk. These are not theoretical recommendations but proven measures that address the most common vulnerabilities.

First, create a complete inventory. Every hospital should maintain a current list of what is connected to its network, including imaging devices, storage servers, viewing stations, web portals, and remote access tools. You cannot protect what you do not know exists.

Second, check external exposure. Verify that nothing sensitive is reachable from the public internet. This requires technical scanning from outside the hospital network to identify systems that respond to external queries. Many organizations discover exposures they did not realize existed.

Third, restrict remote access properly. Remote connections for maintenance and support should be tightly controlled, require strong authentication methods, and be removed entirely when no longer needed. Convenience should never override security when patient data is involved.

Fourth, implement safe setup procedures. Develop standard build guides for imaging systems, change all default passwords and settings, clearly document who owns each system, and establish responsibility for applying security patches and updates. Industry experience shows that default credentials remain one of the lowest barriers for attackers seeking entry into healthcare networks.

Fifth, conduct continuous checks. Exposure scanning should happen after any network changes, not just once annually. Healthcare networks evolve constantly, and new vulnerabilities can appear whenever systems are added or reconfigured.

These steps align with guidance from international cybersecurity authorities and health sector regulators, which emphasize reducing exposed services and strengthening baseline controls as priority actions for healthcare organizations.

The governance fix: make secure setup part of how clusters run

Individual hospital efforts are necessary but not sufficient. At the cluster level, governance structures must embed security into standard operations.

This begins with cluster-wide minimum standards for imaging systems and remote access. Every facility within a cluster should follow the same baseline security requirements, ensuring consistent protection regardless of which site a patient visits.

Clear ownership must be established for every system. Someone specific should be responsible for applying patches, approving access requests, and regularly checking for exposure. When accountability is diffuse, critical tasks get overlooked.

Procurement processes offer another leverage point. Purchase agreements should require vendors to provide secure default configurations, enable comprehensive logging capabilities, and commit to supported update cycles for the life of the equipment. Security should be a selection criterion, not an afterthought.

These governance approaches reflect sector framework guidance that encourages structured programs and repeatable controls rather than ad hoc responses to individual incidents.

Saudi Arabia has invested heavily in national cybersecurity frameworks and regulatory oversight across critical sectors, including healthcare. The foundation exists. The next step is ensuring those protections extend fully to the expanding ecosystem of IoT and IoMT devices — where simple configuration gaps can undermine otherwise sophisticated digital progress.

Prevent avoidable incidents

The goal is not perfection. Healthcare systems are complex, and some level of risk will always exist. The goal is removing the easiest path for data exposure: systems sitting openly on the public internet waiting to be found.

In connected healthcare, the quickest wins come from two simple principles: visibility and access control. Know what you have connected, and shut the doors that do not need to be open.

For Saudi Arabia’s health clusters, this represents an achievable objective. The infrastructure investments being made across the Kingdom’s healthcare sector create an opportunity to build security into expansion rather than retrofitting it later.

Medical imaging systems serve an essential clinical purpose. They should not also serve as unintended windows into patient data. With practical steps and consistent governance, hospitals can fix this quiet risk before it becomes a public incident.

In digital healthcare, exposure is rarely a mystery. It is usually a configuration. The question is not whether hospitals can fix it, but whether they will do so before patients pay the price.

By Federico Pienovi, CEO for APAC & MENA at Globant

When technologies go exponential, even experts are caught off guard. Generative AI is one of those inflection points and nowhere is this tension more profound than in healthcare and aging, particularly in the Gulf region where demographic realities are driving unprecedented transformation. In Saudi Arabia, the population over 60 is expected to increase fivefold by mid-century, making longevity no longer just a Western debate but a Middle Eastern economic and social reality where AI moves from optional to existential.

While most organizations struggle to operationalize AI beyond demos, Saudi Arabia and the UAE are building system-level infrastructure that represents the real story. Saudi Arabia is embedding AI throughout its healthcare system through Vision 2030, with the Saudi Genome Program using multi-omics data—genomics, proteomics, metabolomics—and AI to shift from reactive to predictive care, moving beyond isolated diagnostics toward continuous early detection models.

Riyadh recently showcased the world’s first fully robotic heart transplant, CAR-T cell therapy advancements, VR-based medical education, and mobile stroke units with advanced diagnostics, while digital twin technology and precision medicine are becoming standard rather than experimental. These initiatives reflect a national longevity strategy that positions geroscience research and personalized digital twins as core infrastructure, with private-sector innovators like Rewind building AI-powered diagnostics to prevent disease before it emerges.

The UAE has gone even further, treating longevity as a national industry with Abu Dhabi’s Pura Longevity Clinic offering AI-integrated assessments and personalized prevention programs that combine nutrition, sleep, fitness, and mental health services, positioning longevity medicine as mainstream rather than elite. Dubai aims to become the global capital of “well-care”, biohacking, stem-cell therapies, and AI-driven anti-aging, as part of a broader strategy to engineer the “100-year life” through advanced preventive and regenerative medicine.

The UAE now hosts 680 longevity companies and 670 investors across 100 innovation hubs spanning PharmTech, telemedicine, advanced cosmetics, mental health, and wellness, making longevity a full economic sector. The Institute for Healthier Living Abu Dhabi is building a Healthy Longevity Medicine ecosystem with longevity-focused clinical care, innovation hubs, and population health research, while government-level commitment is evident through Abu Dhabi’s Department of Health convening global forums to accelerate personalized healthcare and longevity science.

Beyond the Hype: The Human Element

But here’s the uncomfortable truth: more AI doesn’t automatically mean better health. Like millions of others tracking sleep, monitoring recovery, and measuring stress variability, we risk becoming surrounded by dashboards of health metrics where everything is quantified and notified, yet the more data we collect, the more a critical question emerges—are we actually healthier, or simply more informed about our anxiety?

The healthcare system risks repeating the same mistake enterprises made with digital transformation, adding layers of technology without redesigning the underlying architecture, creating more apps, more portals, more fragmented experiences, with noise disguised as progress.

Harvard Medical School researchers have highlighted how AI can already match or exceed clinicians in specific diagnostic tasks, particularly in imaging and pattern recognition, while MIT’s Jameel Clinic has demonstrated how machine learning models can accelerate drug discovery cycles from years to months, and McKinsey estimates that generative AI could unlock up to $100 billion annually in value across pharma and medical products alone.

Yet the promise of AI in aging is not about adding intelligence everywhere,it’s about reducing friction and elevating judgment through agentic AI systems capable of orchestrating actions autonomously across complex environments, moving healthcare from reactive to anticipatory with adaptive health pathways tailored to biology, behavior, and environment instead of generic wellness advice.

We must be careful because biology is not software, data can be biased, predictions can be misinterpreted, and AI systems trained predominantly on specific datasets may fail in other populations, making governance, explainability, and medical accountability foundational requirements rather than afterthoughts.

The Bigger Picture

From a technology executive’s perspective, the next decade will redefine healthcare economics as systems shift from hospital-centered to prevention-centered models, payment structures evolve toward outcome-based frameworks, and AI doesn’t replace physicians but enables those who leverage it to outperform those who don’t.

The Middle East understands this transformation, with the UAE’s push into genomics and Saudi Arabia’s investments in biotech and digital health reflecting recognition that longevity will shape national competitiveness, where healthy lifespan, not just GDP, will define prosperity.

In these nations where governments are investing heavily in smart hospitals, genomics programs, and national AI strategies, the opportunity is enormous as they position themselves as global hubs for the future of healthspan and aging, demonstrating that AI is moving from experimentation to infrastructure with longevity becoming a national economic and healthcare priority.

Dr Maheen Hasib, Global Programme Director for BSc Data Sciences, School of Mathematical and Computer Sciences, Heriot-Watt University Dubai

Artificial intelligence (AI) and data science are no longer distant or experimental ideas. They quietly sit behind many of the decisions that shape our everyday lives: how patients are diagnosed, how job applications are filtered, how loans are approved etc. These systems increasingly influence who gets opportunities and who does not. That reality makes one question impossible to ignore: who is building the algorithms that shape our future?

As a Programme Director for the Data Sciences programme at Heriot-Watt University, this question is not just academic for me, it is deeply personal. Every year, I meet capable, curious, and motivated young women who are genuinely interested in data science. Yet many hesitate. Not because they lack ability, but because they are unsure whether they truly belong in the field. Too often, they do not see people (like themselves) reflected in AI research, technical teams, or leadership roles. And that absence matters.

When bias in AI feels uncomfortably familiar

AI systems are often described as objective or neutral, yet they are trained in data shaped by human history, something that is far from neutral. When training data reflects existing gender imbalances, AI systems can replicate and even magnify those patterns. This has led to technologies that perform less accurately for women, fail to capture women’s health needs, or disadvantage women in recruitment and evaluation processes.

For many women, these outcomes feel uncomfortably familiar. They echo everyday experiences of being overlooked, misunderstood, or underrepresented. In most cases, this is not the result of deliberate exclusion. It is the consequence of design choices made without diverse perspectives at the table.

Why representation goes beyond numbers

Representation in AI and data science is often discussed in terms of statistics or diversity targets. But at its core, representation is about perspective. When women are involved in developing AI systems, they help shape how problems are defined, what data are considered relevant, and which risks are taken seriously.

From an academic perspective, diverse teams produce more robust research and better-tested models. From a human perspective, they help ensure that AI systems work for the full range of people they are meant to serve. Inclusion improves both technical quality and social impact, it strengthens the science and the society it serves.

Women and the future of ethical AI

Many women working in AI are already at the forefront of discussions around fairness, transparency, explainability, and responsible data use. These are not peripheral concerns; they are central to building trustworthy AI. Ethical AI requires asking difficult questions: Who might be harmed when a system fails? Whose data is missing? Who is affected by design decisions that seem minor on the surface?

By advocating for human-centered approaches, women in AI are helping shift the field beyond purely performance-driven metrics toward systems that balance innovation with responsibility.

Education, encouragement, and visibility matter

At Heriot-Watt University Dubai, we make a deliberate effort to encourage women to pursue data science, not just as a degree, but as a long-term career. This means creating supportive learning environments, highlighting female role models, and openly discussing the wide range of paths that data science can lead to. Students need to see that success in AI does not follow a single template.

Equally important are spaces where women can connect, share experiences, and feel supported. As an ambassador for Women in Data Science, I have seen how such events play a vital role. They create visibility, build confidence, and remind women that they are not alone. We need more of these initiatives, not as one-off celebrations, but as sustained platforms for mentorship, networking, and growth.

Encouraging women in AI is not about lowering standards or meeting quotas. It is about recognizing that inclusive participation leads to better research, more ethical technologies, and systems that genuinely reflect the societies they shape.

Conclusion

As AI and data science continue to influence our world, we must ask not only what these systems do, but who designs them. Supporting women to study data science, pursue AI careers, and step into leadership roles is essential to building technologies that are fair, responsible, and trustworthy. Through education, visibility, and initiatives, we can help ensure that the future of AI is shaped by many voices.

The future of AI should be one where women do not simply use technology but actively shape it.