GCC · 8 Policy & Process · UAE (Abu Dhabi)

ADHICS

Abu Dhabi Healthcare Information & Cyber Security Standard

v2 (2024)

47 controls · 11 domains
Mandatory for: Abu Dhabi healthcare entities

About this framework

ADHICS v2 is Abu Dhabi's cybersecurity standard for healthcare, issued by the Department of Health. It sets the controls for protecting patient data and health information systems across governance, assets and operations. Version 2, effective from August 2024, significantly expands the 2019 original — adding domains for AI governance, IoMT (Internet of Medical Things) security, and cloud healthcare controls — and applies a tiered model so smaller clinics implement a proportionate subset.

Why it matters

Healthcare data is among the most sensitive an organisation can hold, and Abu Dhabi treats it accordingly: ADHICS compliance is a condition of operating as a DoH-regulated healthcare entity. But beyond licensing, the standard reflects a real duty of care — patients trust providers with information that cannot be un-leaked. ADHICS v2's new IoMT and cloud domains acknowledge how modern care actually runs. 786 Cyber maps the controls to your tier and keeps the evidence ready, so protecting patient data and keeping your licence are the same piece of work.

Who needs this

Mandatory for all DoH-regulated healthcare entities in Abu Dhabi — facilities, professionals, diagnostic labs, pharmacies, payers and insurers, and any party handling patient health data.

The control structure

  1. Governance: security strategy, roles, risk management and compliance.
  2. Asset & access management: protecting health information systems and controlling who can reach patient data.
  3. Operations & resilience: secure operations, incident handling and continuity.
  4. Third-party & cloud: supplier security and cloud healthcare controls.
  5. Emerging-technology domains: AI governance and IoMT (medical device) security.

Controls are applied by tier (Basic / Transitional / Advanced) based on entity size and criticality.

How 786 Cyber helps

Cross-framework coverage

Controls in ADHICS also cover (number of shared controls per framework):

CIS Controls: 20 shared
NCA ECC-2: 20 shared
Qatar NIA: 20 shared
UAE IA: 20 shared
NIST CSF: 19 shared

Control domains

HR · Human Resources Security (4 controls)
HR 1
Human Resources Security Policy
Signed/approved HR security policy; version & review date; distribution record.
Do you have an approved HR security policy covering recruitment, employment and termination for staff, contractors and third parties?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
HR 2
Prior to Employment
Background-check procedure & sample results; employment contract template with security/NDA clauses.
Are background checks completed before hiring, and do contracts include security responsibilities and confidentiality terms?
HR 3
During Employment
Awareness campaign schedule & attendance logs; role-based training records; disciplinary procedure.
Do staff receive security & privacy awareness and role-based training on a defined schedule, with a disciplinary process for breaches?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
HR 4
Termination or Change of Employment and Role
Leaver/mover checklist; asset-return records; access-revocation tickets; internal transfer process.
On termination or role change, do you recover assets, revoke access/privileges and communicate the change to stakeholders?
Maps to: NIST CSF · CIS Controls · ISO 27001 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
AM · Asset Management (5 controls)
AM 1
Asset Management Policy
Asset management policy; medical-device inventory section; approval & review record.
Do you maintain an approved asset management policy that explicitly addresses medical devices and equipment?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · DORA · HIPAA Security Rule
AM 2
Management of Assets
Asset inventory (connected & not connected); assigned owners; acceptable-use policy; BYOD control set.
Is there a complete, owned and maintained inventory of all information assets, with acceptable-use and BYOD controls?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · DORA · HIPAA Security Rule
AM 3
Asset Classification and Labelling
Classification scheme; labelled asset samples; tagging/registration records.
Are assets classified and labelled to a defined scheme, including assets received from third parties?
Maps to: NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC
AM 4
Asset Handling
Handling procedures by classification; removable-media controls; media transfer/movement logs.
Are handling, removable-media, medical-device and transfer procedures applied per asset classification?
Maps to: NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC
AM 5
Asset Disposal
Secure disposal procedure; certificates of destruction; disposal register (owner, media, method, date).
Are assets disposed of beyond recovery when no longer needed, with disposal records kept?
PE · Physical and Environmental Security (3 controls)
PE 1
Physical and Environmental Security Policy
Physical/environmental security policy; approval & review record.
Do you have an approved physical & environmental security policy protecting information assets?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · NIS2 · DORA · GDPR (EU) · UK GDPR
PE 2
Secure Areas
Secure-area map & perimeter definition; access logs; owner list; environmental controls; loading-bay procedure.
Are secure areas defined with perimeters, access controls, owners, environmental protection and controlled delivery/loading?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · HIPAA Security Rule · NCA CCC · SAMA CSF
PE 3
Equipment Security
Equipment siting/maintenance procedures; cabling protection; off-site authorisation; clear desk/screen policy.
Is equipment (incl. medical devices), cabling and off-site equipment protected, with a clear desk/screen policy enforced?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · NIS2 · DORA · GDPR (EU) · UK GDPR
AC · Access Control (6 controls)
AC 1
Access Control Policy
Access control policy; approval & review record.
Do you have an approved access control policy ensuring access to assets is controlled and secured?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · DORA
AC 2
User Access Management
Joiner/leaver process; privileged-access register; credential/password standard; default-credential change records.
Are user registration/de-registration, privilege allocation (need-to-know) and credential management formally controlled?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
AC 3
Equipment and Devices Access Control
Device access control list; teleworking access procedure; Telemedicine compliance evidence.
Is access to removable media, portable/medical devices and teleworking sites restricted per role, including DoH Telemedicine requirements?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
AC 4
Access Reviews
Access-review schedule; completed review reports; remediation actions.
Are user access rights and privileges reviewed periodically?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
AC 5
Network Access Control
Network access policy; rogue-device detection logs; port/whitelist config; wireless security config.
Is network access controlled — authorised access, device detection, diagnostic-port control, routing and secured wireless?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · DORA
AC 6
Operating System Access Control
Authentication standard (MFA where relevant); unique-ID provisioning records; utility-program restriction config.
Are secure log-on/log-off, unique user IDs with authentication, and restricted use of utility programs enforced?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · Cyber Essentials · Cyber Essentials Plus · NIS2 · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ISO 27001 · GDPR (EU) · UK GDPR · NCA CCC · SAMA CSF
CO · Communication and Operation Management (12 controls)
CO 1
Communication and Operation Management Policy
Communication/operations management policy; approval & review record.
Do you have an approved communication & operation management policy?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
CO 2
Operational Procedures and Responsibilities
Hardening/configuration baselines; documented SOPs; change-management procedure; environment-segregation evidence.
Are hardening baselines, operating procedures, change management and segregated dev/test/staging/prod environments in place?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
CO 3
Planning and Acceptance
Capacity monitoring reports; system acceptance/test criteria & sign-offs.
Are capacity requirements monitored and acceptance criteria set for new systems and changes?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · ISO 27001 · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
CO 4
Malware Protection
Endpoint AV/EDR config & coverage; email/web gateway protection; email authentication (SPF/DKIM/DMARC).
Are anti-malware controls deployed on endpoints and at gateway level for web and email traffic?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
CO 5
Backup and Archival
Backup policy & schedule; restore-test results; archival/retention procedure.
Are backups of essential information taken and tested, with defined archival and retention processes?
Maps to: NIST CSF · CIS Controls · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · PCI DSS 4.0.1 · SAMA CSF
CO 6
Logging and Monitoring
Logging standard; SIEM/central log config; NTP time-sync config; DLP solution evidence.
Is logging & monitoring enforced with centralised log management, time synchronisation and data-leakage prevention?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · ISO 27001 · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
CO 7
Security Assessment and Vulnerability Management
Annual assessment schedule; VA/pen-test reports; data-handling/destruction agreement with assessors.
Are periodic independent technical assessments (e.g. VA/pen-test) performed, with assessment data protected afterwards?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
CO 8
Patch Management
Patch management procedure; patch status/tracking reports; obsolete-software register.
Are formal patching procedures defined, with obsolete-software restrictions and patch tracking?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
CO 9
Information Exchange
Information-exchange procedure & agreements; media-in-transit controls; messaging security config; UAE email-domain evidence.
Are secure information-exchange procedures, exchange agreements, physical-media protection and electronic-messaging controls in place (incl. UAE-domain email)?
CO 10
Electronic Commerce
E-commerce security controls; transaction integrity controls; public-system content review process.
Is e-commerce / online-transaction information and publicly accessible information protected?
CO 11
Information Sharing Platforms
List of information-sharing platforms; connection security requirements; secure-connectivity capability evidence.
Is connectivity to information sharing platforms secure and controlled, with a maintained list and defined security requirements?
CO 12
Network Security Management
Network management procedure; segregation/VLAN design; wireless site-survey & security config.
Are all networks managed and protected, segregated by criticality, and wireless networks secured?
Maps to: NIST CSF · CIS Controls · ISO 27001 · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC
DP · Privacy and Protection Practices (3 controls)
DP 1
Privacy and Protection Practices
Data privacy policy; consent records; lawful-basis register; data processing inventory & DPIAs; breach procedure (incl. DoH notification).
Do you have a data privacy programme covering consent, lawful/fair/transparent processing, lifecycle protection, DPIAs, processor controls and breach handling for PII/PHI?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
DP 2
Appointment of Data Protection Officer
DPO appointment letter; DPO qualifications; applicability assessment.
Have you appointed a suitably skilled Data Protection Officer where required?
DP 3
Data Subject Rights
Data-subject-rights procedure; sample request log & responses.
Can you fulfil data subject rights requests (access, correction, etc.) for PII/PHI?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · ISO 27001 · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
CS · Cloud Security (1 control)
CS 1
Cloud Security Policy
Cloud security policy; shared-responsibility matrix; cloud control configuration evidence.
Do you have a cloud security policy and implement controls (incl. shared-responsibility model) to protect cloud environments?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · Cyber Essentials · Cyber Essentials Plus · NCA CCC
TP · Third Party Security (2 controls)
TP 1
Third Party Security Policy
Third-party security policy; approval & review record.
Do you have an approved third-party security policy?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · NCA CCC
TP 2
Third Party Service Delivery and Monitoring
Third-party agreements with security clauses/SLAs; monitoring & review reports; change-control records.
Are third-party security requirements/SLAs enforced, monitored and changes controlled through a formal process?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · ISO 27001 · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
SA · Information Systems Acquisition, Development, and Maintenance (6 controls)
SA 1
Information Systems Acquisition, Development, and Maintenance Policy
SA/SDLC policy; approval & review record.
Do you have a secure systems acquisition, development & maintenance policy?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
SA 2
Security Requirement of Information Systems and Applications
Secure SDLC standard; developer training records; validation/control evidence.
Are security engineering principles, developer training and input/data validation applied to systems and applications?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
SA 3
Cryptographic Controls
Cryptography/key-management policy; encryption standards (at rest/in transit); key management evidence.
Are cryptographic controls used effectively (encryption, key management) to protect health information?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · DORA
SA 4
Security of System Files
Software-installation control; source-code access restrictions; test-data handling procedure.
Is software installation controlled and are test data and source code protected?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
SA 5
Outsourced Software Development
Outsourced-development agreement with security requirements; code review/acceptance evidence.
Is outsourced software development supervised and controlled to secure engineering standards?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
SA 6
Supply Chain Management
Supplier security requirements; supply-chain risk strategy; critical-supplier/second-source register.
Do you manage supply-chain risk — supplier conformance, strategy, deficiency handling and supply assurance for critical assets?
Maps to: NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · PCI DSS 4.0.1 · NIS2 · NCA CCC
IM · Information Security Incident Management (3 controls)
IM 1
Information Security Incident Management Policy
Incident management policy; approval & review record.
Do you have an approved information security incident management policy?
Maps to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC
IM 2
Incident Management and Improvements
Incident response procedure; CSIRT charter & roster; classification scheme (DoH matrix); test/exercise reports; incident log.
Are incident procedures, a CSIRT, classification, response testing and incident records in place?
Maps to: NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · PCI DSS 4.0.1 · NIS2 · NCA CCC · SAMA CSF
IM 3
Information Security Events and Weakness Reporting
Event/weakness reporting procedure; threat-intel sources/membership; sample reports.
Do you report security events/weaknesses and participate in information-sharing/threat-intel communities?
SC · Information Systems Continuity Management (2 controls)
SC 1
Information Systems Continuity Management Policy
Continuity planning policy; approval & review record.
Do you have an approved information systems continuity planning policy?
Maps to: NIST CSF · CIS Controls · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · PCI DSS 4.0.1 · SAMA CSF
SC 2
Information Systems Continuity Planning
Business Impact Analysis; continuity/recovery plans (RTO/RPO); test results & maintenance records.
Have you conducted a BIA and developed and tested information systems continuity & recovery plans?
Maps to: NIST CSF · CIS Controls · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC

Frequently asked questions

What is ADHICS v2?

The Abu Dhabi Healthcare Information and Cyber Security Standard from the Department of Health — the cybersecurity standard for Abu Dhabi healthcare, with v2 effective August 2024.

Who must comply with ADHICS?

All DoH-regulated healthcare entities in Abu Dhabi and any party handling patient health data.

What changed in v2?

It expands the 2019 original with new domains for AI governance, IoMT (medical device) security and cloud healthcare controls.

What are the ADHICS tiers?

Basic, Transitional and Advanced — control applicability scales with entity size and criticality, so smaller clinics implement a proportionate set.
