ABU DHABI HEALTHCARE

INFORMATION AND CYBER SECURITY

STANDARD
[ADHICS]

FREQUENTLY ASKED QUESTIONS

Question: What is ADHICS?

ABU DHABI HEALTHCARE INFORMATION AND CYBER SECURITY STANDARD (ADHICS) is a sector level standard
Answer:
by Department of Health (DoH), mandated to all healthcare entities in Abu Dhabi

Question: What is the scope of ADHICS?

Any entity which stores, processes and/or deals with health information from the emirate of Abu Dhabi needs to
Answer:
be compliant with the applicable controls of the standard.

Question: How many controls are there in the standard?

The standard has 692 Controls (162 Primary Controls and 530 Secondary Controls) in 11 Domains.

Primary Controls Sub-Controls Total

Answer: Basic 73 255 328

Transitional 56 162 218

Advanced 33 113 146

Question: Do I need to be compliant with all the controls?

The minimum mandated controls are defined in the standard as per the category/type of the entity.

Control Category Facility Type

Basic • All Facility types
Answer: • Hospital with a bed capacity 1 to 20
Basic + Transitional • Centers & Clinics
• Pharmacy Establishments

• Hospital with a bed capacity 21 and above

Basic + Transitional + Advanced
• Payers (Insurers, Brokers, TPAs)

Question: What is AAMEN Program?

All information security standards, related Audits, Compliance Monitoring & Certifications, and all activities
Answer: initiated by Department of Health towards the enforcement of these initiatives are collectively called the AAMEN
Program.

Question: Will Department of Health help us in achieving the required compliance?

The entities are required to be capable of understanding and implementing the requirements. Department of
Answer:
Health may assist by providing guidelines.
Question: Where can I get more information about the standard?
The controls are defined in the ABU DHABI HEALTHCARE INFORMATION AND CYBER SECURITY [ADHICS]
Standard (DOH/SD/ADHICS/0.9), and the guidelines for implementation have been provided through ADHICS
Implementation Guidelines (DOH/Guidelines/ADHICS/0.9).
Answer:
Both these documents are available on below links:
 Abu Dhabi – Healthcare Information and Cyber Security Standard
 Guidelines for the implementation of the Abu Dhabi Healthcare Information and Cyber Security Standard
Question: Do I need dedicated Information Security personnel to be compliant with ADHICS?

Answer: The roles and responsibilities need to be defined and assigned to competent personnel.

We are a small clinic with one doctor, two nurses and an administrator. Do we need to be compliant with
Question:
ADHICS?

Answer: Yes. The minimum mandated controls are defined in the standard as per the category/type of the entity.

Question: What happens if we don’t comply?

The compliance requirements shall be added to the existing Audit process and the license registration/renewal
Answer:
process.

Question: Will we be able to integrate with Malaffi, Abu Dhabi Health Information Exchange (ADHIE) if we don’t comply?

The Malaffi team has identified a minimum set of controls from ADHICS. Compliance to these controls is a pre-
requisite to onboarding with Malaffi.
Answer:
You shall obtain more information about Malaffi integration from [email protected] or Malaffi website
www.malaffi.ae

Question: What about cloud computing compliance requirements?

Controls related to cloud computing are defined in the standard under CM4. Also, it is not permitted to store,
develop, or transfer data and health information outside UAE that is related to health services provided within the
Answer:
country as per the Federal Law No. (2) For the year 2019 On the Use of Information and Communications
Technology (ICT) in Healthcare.

Question: Where can I contact for more details?

[email protected]
Abu Dhabi Health Information Security Program +971 2 419 3612
[email protected]

Answer:

[email protected] +971 2 419 3777