
ADHICS V2 rollout across a six-hospital network.

Anonymised playbook from a successful Abu Dhabi rollout — scope, evidence library and DoH submission.

Author: Healthcare Practice · Published: Feb 2026 · Read time: 6 min · Format: Field note
Tags: Regulatory (UAE/GCC), Field note, Audit, Regulatory, UAE, Healthcare
MAST Consulting Group · Regulatory (UAE/GCC) practice

This field note is drawn from live Regulatory (UAE/GCC) engagements. Names and identifying details are anonymised; the patterns, decisions and trade-offs are reproduced as they happened. Read it as case material rather than guidance: the choices made in the moment are not always the choices we would advocate in a clean-room playbook.

Definition

The Abu Dhabi Healthcare Information and Cyber Security (ADHICS) Standard Version 2 is issued by the Department of Health – Abu Dhabi (DoH) and mandates cybersecurity and data-protection controls for all DoH-licensed healthcare facilities. It comprises 18 control families covering asset management, access control, clinical data security and medical-device security. Compliance is required for DoH licence renewal and is assessed through a combination of self-assessment, third-party audit and DoH inspection.

Why it matters

The pressure on Regulatory (UAE/GCC) programmes is shifting in specific, observable ways:

  • DoH licence renewal conditions since 2023 require submission of an ADHICS V2 compliance evidence package; healthcare providers that miss the submission window face licence-validity suspensions affecting all clinical operations.
  • ADHICS V2 Control Family 7 (Medical Device Security) introduces MDS2 form requirements and network segmentation mandates for connected medical devices not present in V1, catching many facilities off-guard during transition.
  • Healthcare data breaches in the UAE carry PDPL Article 10 penalties plus DoH disciplinary action; facilities with documented ADHICS compliance receive mitigated enforcement treatment under DoH incident response protocols.
  • Multi-site hospital networks face scope complexity — each licensed facility is a separate DoH entity requiring individual evidence packages; a centralised evidence library reduces duplication by 40–60%.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • ADHICS V2 self-assessment questionnaire — control family, control ID, status, evidence reference, facility name, assessment date.
  • Asset inventory — IT and medical device register, connectivity flag, ADHICS V2 CF7 MDS2 form attached, network segment.
  • Access control audit log — Active Directory / Entra ID export, quarterly user access review sign-off, privileged account count.
  • Data classification register — data category, storage location, encryption status (AES-256 at rest), access control applied.
  • Third-party audit report — auditor name, ADHICS accreditation status, findings by control family, remediation plan.
  • DoH submission confirmation — submission reference, date, DoH acknowledgement letter, outstanding queries log.

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Day 0–30: IT Director and Compliance Officer conduct ADHICS V2 gap assessment across all licensed facilities; prioritise Control Family 7 (medical devices) and CF10 (incident management) as highest-gap areas.
  • Day 31–60: IT Security Engineer inventories all networked medical devices; collects MDS2 forms from manufacturers; implements VLAN segmentation for device traffic per CF7 requirements.
  • Day 61–90: Compliance Officer builds centralised evidence library (SharePoint) with per-facility tabs; populates with access-review logs, asset registers and training records; validates with DoH submission template.
  • Day 90+: Engage DoH-accredited third-party auditor for pre-submission review; address findings; submit ADHICS V2 evidence package to DoH portal ahead of licence-renewal deadline.
  • Ongoing: Compliance Officer runs quarterly control reviews; updates evidence library within 30 days of any significant IT or clinical system change; tracks DoH query responses within 10 business days.

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • ADHICS V2 compliance score: ≥85% of controls rated 'fully implemented' at DoH submission; ≤10% rated 'partial' with remediation timelines.
  • Medical device inventory coverage: 100% of networked medical devices registered and MDS2 forms on file within 60 days of assessment.
  • Access review cadence: 100% of user accounts reviewed quarterly; stale accounts disabled within 5 business days of review.
  • Incident notification: 100% of reportable healthcare data incidents notified to DoH within 72 hours per ADHICS V2 CF10.
  • Evidence library currency: evidence artefacts dated within 12 months for ≥95% of controls at submission date.

How it played out

The engagement began the way these always do — a specific trigger (in this case, the need for a defensible rollout across all six Abu Dhabi sites: scope, evidence library and DoH submission) and an executive sponsor with limited patience for theoretical answers.

The first instinct on the client side was to add tooling. The first instinct on our side was to fix the regulator-mapped control library so that whatever tooling was added would have somewhere defensible to land.

What surprised the team — and is worth noting for anyone running similar Regulatory (UAE/GCC) work — is how much of the value came from re-sequencing existing activities rather than introducing new ones.

  • Trigger. The work was sponsored after a near-miss the executive team could no longer rationalise.
  • First week. Stabilise the supervisory return / self-assessment; pause anything that risked making it worse.
  • Weeks 2–6. Rebuild the working evidence cadence; the regulator-facing story followed naturally once the internal cadence was honest.
  • What we'd do differently. Engage the CEO ahead of supervisory meetings on day one, not after the diagnostic.

Pitfalls we keep seeing

Across MAST Consulting Group's Regulatory (UAE/GCC) portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: no single source of truth across multiple supervisors.
  • Pattern: evidence packs that are unique to each regulator instead of harmonised.
  • Pattern: controls listed against the regulator but not operating consistently.
  • Pattern: thematic-review responses prepared in the week of the visit.

What good looks like, in every one of these cases: the same control evidenced inside the workflow it governs, not separately for the audit.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Regulatory (UAE/GCC) engagements because the integrations are cheap and the evidence is defensible:

  • evidence repository with regulator tagging
  • data extracts from core systems on a fixed cadence
  • a unified control framework (UCF) in a GRC tool or curated spreadsheet

Each is used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.

How MAST Consulting Group can help

MAST Consulting Group runs Regulatory (UAE/GCC) programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this field note is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Regulatory (UAE/GCC) programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.

UAE & GCC regulators

Map your programme to CBUAE, SAMA, NCA and ADHICS.

We translate regulator-by-regulator expectations into one auditable control set so you stop running parallel programmes.

  • Circular-by-circular gap assessment
  • Unified evidence pack for multiple supervisors
  • On-site visit rehearsal
