Jul 25, 2025

Khalifa Al Shehhi
The digitalization of Abu Dhabi's healthcare is transforming care, but it also introduces significant cybersecurity risks as more data and devices connect. Safeguarding sensitive health data is now essential.
To address these risks, the Department of Health Abu Dhabi (DoH) launched a comprehensive Healthcare Information and Cybersecurity Strategy aligned with national and global benchmarks. This document sets a vision for governance, resilience, capabilities, and innovation in healthcare cybersecurity.
To implement this strategy, DoH requires adoption of the Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS), which outlines technical and procedural controls for compliance, risk mitigation, and cyber resilience across healthcare entities.
Together, these frameworks establish a clear, unified defense strategy, positioning Abu Dhabi as a leader in healthcare cybersecurity.
DoH Cybersecurity Strategy Overview
Purpose and Scope of the Strategy
The Abu Dhabi Healthcare Cybersecurity Strategy, issued by the Department of Health (DoH), defines a top-down strategic framework to guide the Emirate’s healthcare sector in mitigating cyber risks and ensuring secure digital transformation. Its scope encompasses all healthcare entities licensed by DoH, including hospitals, clinics, insurers, vendors, and third-party service providers that handle or process health information within Abu Dhabi.
The strategy emphasizes the need for uniform cybersecurity governance, secure infrastructure, skilled personnel, and continuous sector-wide collaboration. It aligns closely with the UAE National Cybersecurity Strategy and supports Abu Dhabi’s broader digital health objectives, including the use of artificial intelligence (AI), electronic medical records, and Health Information Exchange (HIE) platforms such as Malaffi.
Vision Statement
“To enable the cyber-secure digital transformation of the healthcare services and to provide adequate assurance on information security, while enhancing the consumer experience in healthcare delivery.”
This vision emphasizes resilience, assurance, and user-centricity, establishing cybersecurity as a critical enabler of health sector innovation.
Mission Statement
The mission focuses on delivering safe, secure, and sustainable digital healthcare services by:
Establishing sector-wide leadership and oversight
Building resilient infrastructure for rapid response and recovery
Developing cybersecurity competencies across the healthcare workforce
Defining standardized risk management methodologies
Enhancing policies, procedures, and technical standards
Fostering collaboration, innovation, and threat intelligence sharing
The Six Strategic Pillars
The DoH strategy is structured around six interdependent pillars. Each pillar defines a strategic objective area and provides a set of targeted initiatives to achieve it.
| Pillar | Focus Area | Strategic Objective |
| --- | --- | --- |
| 1. Cybersecurity Governance | Sector-wide leadership and accountability | Establishing clear roles, governance structures, and decision-making authority |
| 2. Cybersecurity Resilience | Incident response and recovery | Enabling continuity and containment capabilities in the face of cyber incidents |
| 3. Cybersecurity Capabilities | Workforce and process maturity | Enhancing sector-wide awareness, skills, and secure system development practices |
| 4. Cybersecurity Partnerships | Multilateral collaboration | Facilitating information sharing and joint threat mitigation among entities |
| 5. Cybersecurity Maturity | Measurement and control assurance | Institutionalizing audits, assessments, and policy enforcement |
| 6. Cybersecurity Innovation | Secure technology adoption | Encouraging secure deployment of AI, IoT, and cloud platforms in care delivery |
Table 1. The Six Strategic Pillars
These pillars serve as the foundation for all cybersecurity activities across Abu Dhabi’s healthcare sector and are reflected operationally through the ADHICS standard.
Role of ADHICS
What is ADHICS?
The Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS) is the official cybersecurity implementation framework issued by the Department of Health – Abu Dhabi. It translates the strategic vision outlined in the DoH Cybersecurity Strategy into a comprehensive set of technical controls, governance models, and procedural policies.
ADHICS is mandatory for all DoH-licensed healthcare entities operating within the Emirate and applies to both digital and physical health information systems, including shared platforms such as Malaffi, Shafafiya, and other third-party infrastructure.
Purpose and Legal Foundation
The standard was developed in support of:
UAE Federal Law No. (2) of 2019, governing the use of ICT in healthcare.
The UAE National Cybersecurity Strategy, which identifies healthcare as one of the country's nine critical sectors.
TRA/TDRA guidance and the NCEMA 7000 business continuity regulations.
ADHICS complements these mandates by providing sector-specific cybersecurity guidance that aligns with international standards such as ISO/IEC 27001 and NIST, but tailors them to the realities of healthcare operations.
The Role of ADHICS in Strategy Implementation
Where the DoH strategy defines the “what” (e.g., build sector resilience), ADHICS specifies the “how” by:
Standardizing control requirements across healthcare entities
Establishing baseline policies for 20+ critical security domains
Defining roles, responsibilities, and governance structures
Setting performance expectations through maturity models and audits
ADHICS acts as the enforcement and measurement mechanism of the strategy.
The Three-Layer Governance Model
ADHICS mandates a three-tier cybersecurity governance structure for all entities:
| Layer | Role | Description |
| --- | --- | --- |
| ISGC (Information Security Governance Committee) | Executive Oversight | Entity-level management body accountable for strategic decisions and policy endorsement |
| HIIP (Healthcare Information Security Implementation Planning Workgroup) | Cybersecurity Management | Interfaces with the DoH and internal departments to ensure alignment with strategic goals |
| ISG (Implementation Stakeholders Group) | Technical Implementation | Executes daily operational and technical cybersecurity tasks and projects |
Table 2. The Three-Layer Governance Model
This layered governance ensures that cybersecurity responsibilities are distributed, documented, and auditable, regardless of entity size or complexity.
Control Applicability and Entity Maturity
ADHICS uses a tiered control applicability model based on the entity’s:
Licensing type (e.g., hospital, clinic, pharmacy)
Operational complexity
Risk exposure
Entities are categorized as Basic, Transitional, or Advanced, with corresponding control requirements tailored to their size and maturity. This ensures that even small providers can comply proportionately while high-risk organizations meet more stringent standards.
Mapping Strategy to ADHICS Controls
The Department of Health's strategic pillars provide a directional blueprint for enhancing the sector's cybersecurity posture. ADHICS serves as the operational arm, implementing the specific controls, policies, and workflows that fulfill each strategic objective.
This section presents a detailed mapping of the six strategic pillars to their corresponding ADHICS implementation domains, showing how vision translates into verifiable actions.
1. Cybersecurity Governance → Role-Based Oversight and Documentation
Strategic Goal: Establish a formal governance framework with clear accountability and leadership oversight.
ADHICS Implementation:
Mandatory formation of the three-layer governance structure: ISGC, HIIP, and ISG.
Defined roles and responsibilities for executive sponsors, department heads, and cybersecurity implementers.
Governance structures must be documented, regularly reviewed, and auditable to ensure transparency and accountability.
Use of dedicated forums and tools for internal and external coordination.
2. Cybersecurity Resilience → Incident Response and Continuity Controls
Strategic Goal: Ensure robust sector-wide capabilities to detect, respond to, and recover from cyber threats.

ADHICS Incident Response Workflow
ADHICS Implementation:
Development of Incident Response Playbooks, aligned with threat scenarios and business impact.
Sector-wide Business Continuity (BCM) and Disaster Recovery (DR) plans referencing NCEMA 7000.
Real-time threat intelligence sharing through Abu Dhabi Healthcare CERT and CTIC.
Implementation of network monitoring systems, patch management, and systematic lifecycle controls for legacy medical systems.
3. Cybersecurity Capabilities → Workforce Development and Secure System Design
Strategic Goal: Build a cybersecurity-aware workforce and secure application environment.
ADHICS Implementation:
Mandatory security awareness and training programs for all personnel, including role-based modules.
Integration of cybersecurity into onboarding and HR policies, including pre-employment screening and non-disclosure clauses.
Promotion of secure development lifecycle (SDLC) principles for software, platforms, and health applications.
Encouragement of automation in incident detection and orchestration to minimize response delays.
4. Cybersecurity Partnerships → Vendor Oversight and Threat Intelligence Sharing
Strategic Goal: Strengthen multilateral collaboration and promote shared security responsibility.
ADHICS Implementation:
Vendor risk management and third-party security policy templates.
Requirement for security clauses in vendor contracts and system access agreements.
Collaboration with biomedical teams for quality and security controls on medical devices.
Shared platforms for vulnerability and patch intelligence, supported by the DoH Healthcare CERT.
5. Cybersecurity Maturity → Audits, Assessments, and Continuous Improvement
Strategic Goal: Institutionalize measurement, compliance, and adaptive improvement.
ADHICS Implementation:
Annual risk assessments and compliance audits against ADHICS and international benchmarks.
Implementation of control maturity models, customized by entity type (Basic, Transitional, Advanced).
Requirement for maintenance of risk registers, asset inventories, and access reviews.
Defined lifecycle for policy review and updates based on emerging threats and operational gaps.
6. Cybersecurity Innovation → Safe Adoption of New Technologies
Strategic Goal: Encourage secure deployment of emerging healthcare technologies and innovation.
ADHICS Implementation:
Change management procedures to accommodate new technologies without exposing vulnerabilities.
Governance around the secure deployment of AI, IoT, and cloud platforms.
Controls for secure information exchange, including encryption standards and interoperability safeguards.
Cybersecurity evaluation criteria embedded into procurement and vendor onboarding workflows.
Strategy-to-Control Mapping

DoH Cybersecurity Pillars Mapped to ADHICS Controls
| Strategic Pillar | ADHICS Implementation Focus |
| --- | --- |
| Governance | Three-tier governance (ISGC, HIIP, ISG), accountability, audit trails |
| Resilience | Incident response plans, threat intelligence feeds, BCM/DR testing |
| Capabilities | Workforce training, HR security controls, secure design practices |
| Partnerships | Vendor access controls, consortiums, device quality collaboration |
| Maturity | Risk assessments, audit readiness, policy lifecycle management |
| Innovation | Secure adoption of emerging technologies and interoperability standards |
Table 3. Strategy-to-Control Mapping
Legal & Regulatory Alignment
The effectiveness of Abu Dhabi’s healthcare cybersecurity model lies not only in its internal structure but also in its alignment with national laws, sectoral mandates, and global cybersecurity practices. The DoH Cybersecurity Strategy and ADHICS Standard are both firmly grounded in the UAE’s legal and regulatory framework, ensuring enforceability and interoperability across government and healthcare entities.
1. UAE Federal Law No. (2) of 2019 – ICT in Healthcare
This federal law mandates that all healthcare providers:
Ensure security and confidentiality of patient health information
Use approved ICT systems for clinical and administrative purposes
Implement necessary technical and organizational measures to prevent unauthorized access, alteration, or loss of data
ADHICS directly supports compliance with this law by:

ADHICS Data Classification Levels
Establishing mandatory information security governance structures
Providing control sets for data classification, access control, and auditability
Enforcing breach notification procedures and disciplinary protocols
2. UAE National Cybersecurity Strategy
The UAE National Cybersecurity Strategy, spearheaded by the Telecommunications and Digital Government Regulatory Authority (TDRA), recognizes healthcare as one of the nine critical national sectors. Its objectives include:
Protecting critical infrastructure
Reducing systemic cyber risk
Promoting cybersecurity awareness and skills
The DoH strategy aligns with this national vision by:
Creating a sector-specific cybersecurity maturity model
Promoting partnerships through Healthcare CERT and intelligence platforms
Enabling innovation while maintaining acceptable risk thresholds
3. NCEMA 7000 – Business Continuity Management Standard
The National Emergency Crisis and Disaster Management Authority (NCEMA) BCM standard (7000:2021) serves as the regulatory benchmark for business continuity and disaster recovery in the UAE.
ADHICS enforces NCEMA compliance by requiring:
Development and testing of business continuity plans (BCPs)
Documentation of failover mechanisms for critical IT systems
Entity-wide incident response frameworks aligned with BCM requirements
4. TRA/TDRA Guidance and Integration with National CERT
While the DoH manages the sector-specific Abu Dhabi Healthcare CERT, ADHICS entities must also integrate with the national cybersecurity infrastructure, including:
UAE National CERT (aeCERT)
National threat intelligence sharing platforms
Secure-by-design principles embedded in public-private partnerships
5. Global Framework Compatibility
Though tailored for Abu Dhabi’s healthcare environment, ADHICS is broadly aligned with:
ISO/IEC 27001 – Information Security Management
ISO 27799 – Health Informatics Security
NIST CSF – Cybersecurity Framework for Critical Infrastructure
GDPR principles – Where applicable to international partnerships and data handling
This ensures that ADHICS-compliant organizations can more easily align with international partners, investors, and regulators.
What Healthcare Entities Must Do
For healthcare providers, insurers, and service partners operating under the Department of Health – Abu Dhabi, the combination of the DoH Cybersecurity Strategy and ADHICS is not advisory; it is a compliance requirement. Entities must translate these frameworks into measurable internal action across people, process, and technology.
This section outlines the key responsibilities and actions that entities must take to meet regulatory expectations.

ADHICS Compliance Journey for Healthcare Entities
1. Understand Your Classification and Applicability Level
ADHICS applies to all DoH-licensed entities but differentiates control requirements based on:
Entity size and complexity
Risk exposure
Operational maturity
Entities are classified as:
Basic: Low-complexity clinics, pharmacies, etc.
Transitional: Medium-sized or multi-specialty centers
Advanced: Hospitals, insurers, or facilities with interconnected systems and third-party dependencies
Entities must identify their control category and apply the corresponding baseline policies, governance structures, and reporting obligations.
2. Establish the Required Governance Structure
Every healthcare organization must formally constitute:
An Information Security Governance Committee (ISGC) for executive oversight
A HIIP Workgroup for coordination with DoH and internal alignment
An Implementation Stakeholder Group (ISG) for day-to-day operational control
All three groups must have documented mandates, regular meeting schedules, and defined responsibilities. Smaller entities can scale down the structure, but all roles must be addressed.
3. Implement and Customize Baseline Policies
ADHICS provides 20+ baseline policy templates, including:
Information Security Policy
Access Control Policy
Asset Classification and Management
Physical and Environmental Security
HR Security, Remote Access, and Password Management
Third-Party Security and Incident Response
Entities must customize, approve, and enforce these policies while ensuring all users (staff and vendors) are trained on them.
4. Conduct a Risk Assessment and Maintain an Asset Register
Maintain an up-to-date asset inventory (hardware, software, data, personnel, infrastructure)
Perform a formal cyber risk assessment at least annually
Develop a risk register based on threat likelihood and impact
Apply classification labels (Secret, Confidential, Restricted, Public) to data and systems
These activities must be documented and reviewed by the governance committee.
5. Prepare for Continuous Monitoring, Reporting, and Audits
Conduct internal assessments against ADHICS control domains
Submit compliance status reports to DoH as required
Implement continuous monitoring systems and alerting mechanisms
Engage with Abu Dhabi Healthcare CERT for incident response coordination and threat intelligence feeds
Non-compliance or failure to report may result in penalties, reputational damage, or regulatory suspension.
6. Train the Workforce and Manage Access
Enforce pre-employment screening
Conduct role-based cybersecurity awareness training
Enable multi-factor authentication, least privilege access, and privileged access monitoring
Review all logical and physical access regularly and revoke unused credentials
Human factors remain a major vulnerability; ADHICS requires organizations to reduce this risk systematically.
7. Engage with Vendors Under a Cybersecurity Compliance Lens
Include cybersecurity clauses in all third-party contracts
Restrict access to sensitive systems and require an NDA and compliance verification
Review security posture of connected medical devices, software, and cloud platforms
Vendors are treated as extensions of the attack surface; their controls must align with ADHICS.
Summary of Immediate Action Items
| Task | Responsibility |
| --- | --- |
| Determine control level (Basic, Transitional, Advanced) | Compliance Lead / CIO |
| Form governance committees (ISGC, HIIP, ISG) | Executive Management |
| Implement baseline policies | IT / Risk / HR / Operations |
| Conduct asset and risk assessments | Information Security Officer |
| Train staff and restrict access | HR and IT |
| Audit third parties and enforce secure contracts | Procurement / IT Security |
| Report incidents and compliance status to DoH | HIIP and CERT Liaison |
Table 4. Summary of Immediate Action Items
When implemented fully, these measures help organizations achieve both regulatory compliance and operational resilience, ensuring that cyber threats do not compromise patient safety or trust.
Key Takeaways
As Abu Dhabi continues its efforts to digitalize healthcare, cybersecurity is no longer a supporting function; it is a core operational requirement. The synergy between the Department of Health’s Cybersecurity Strategy and the ADHICS Implementation Guidelines offers a powerful model for healthcare entities to secure sensitive information, ensure regulatory compliance, and build long-term resilience.
Here are the key takeaways:
1. Cybersecurity is Mandatory
ADHICS is a DoH-mandated standard, enforceable under UAE Federal Law. Healthcare entities must implement the defined controls and governance frameworks within specified timelines or face regulatory consequences.
2. Strategy Provides the Direction, ADHICS Enables the Execution
The six pillars of the DoH Cybersecurity Strategy offer a clear vision: governance, resilience, capabilities, partnerships, maturity, and innovation. ADHICS operationalizes these pillars through detailed controls, roles, policies, and technical requirements.
3. Governance Is a Shared Responsibility
Cybersecurity is not the sole responsibility of the IT department. Under ADHICS, entities must ensure the active involvement of leadership (ISGC), mid-management (HIIP), and technical teams (ISG). Cross-functional coordination is critical to success.
4. Risk Management Must Be Continuous and Evidence-Based

ADHICS Risk Scoring Matrix
Entities must maintain:
A risk register
An asset inventory
Role-based access logs
Documentation of training, audits, and incidents
Compliance is not just about configuration; it is about traceable, repeatable processes.
5. Third-Party Risk Is a First-Class Concern

Third-Party Security Checklist (ADHICS)
Vendors, service providers, and connected platforms are part of your cyber risk surface. ADHICS mandates specific controls for third-party access, agreements, and medical device security.
6. Alignment with National and Global Standards
ADHICS ensures consistency with:
UAE Federal ICT Law No. 2 (2019)
UAE National Cybersecurity Strategy
NCEMA 7000
ISO/IEC 27001 and NIST CSF
This alignment allows healthcare entities to build security programs that are both locally compliant and internationally credible.
7. Resilience and Innovation Can Coexist
The framework encourages innovation, such as AI adoption, telemedicine, and health data exchange, but not at the expense of security. Secure-by-design principles are embedded into every phase of digital transformation.
Together, these insights reinforce a critical message: Cybersecurity is a strategic enabler of trust, continuity, and care delivery in the digital health age.