Abu Dhabi Healthcare Information And Cybersecurity Standard V2.0
July 04, 2024
The Department of Health (DOH), the sole regulator of healthcare services in Abu Dhabi, established the Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS). ADHICS is a comprehensive framework for governing health information in Abu Dhabi and is intended to complement the mission and governmental directives of the DOH. It supports government initiatives relating to health information exchange by strengthening information security and raising public confidence. The standard aims to bring information security and data privacy in the Abu Dhabi health sector in line with international standards.
Here are the key things to consider in ADHICS V2.0:
1) ADHICS v2.0 Publication Date – May 2024
ADHICS v2.0 Effective Date – August 2024
Timeline for compliance: Within 6 months of official program induction/on-boarding or official release of this standard, whichever comes first.
2) The ADHICS V2.0 Standard outlines the control mandates essential to protect health information during its creation, maintenance, access, disclosure, processing, usage, storage, transmission, and disposal, and to maintain the information's confidentiality, integrity, and availability (including authenticity, accountability, and auditability). The standard establishes the process and control requirements that shall be incorporated and sets out requirements and desired goals at various levels of an entity's maturity, operational complexity, and risk environment.
3) Control Categories - Basic, Transitional, Advanced, Service Provider
4) Applicability on entities –
- Hospitals
- Any Center including but not limited to Diagnostic Center, Dialysis Center, Fertilization Center (IVF), Rehabilitation Center
- Health Information Exchange (HIE) Malaffi
- Payers - Insurers & Third-Party Administrator (TPA)
- External entities providing healthcare technology and services that generate, access, store, use, process and/or transmit health information in any format, such as text, video, audio, photos and images
- These healthcare technology and service providers include, but are not limited to:
- Medical device or technology Providers
- Electronic Medical Records (EMR) Providers
- Web and Mobile Applications
5) The entity, regardless of its type, shall develop an annual audit program to validate and verify compliance with the provisions of this Standard, and with any other information security compliance requirements as they become relevant and valid. Independent audits shall be performed at least annually, or whenever a significant change occurs, and shall be scheduled with the agreement of the information asset owners and relevant stakeholders to minimize the risk of disruption to business processes.
6) If a control requirement is not relevant to an entity's business operations, the entity shall provide a valid business justification as part of its reports to the Department of Health, along with the necessary supporting evidence and records.
7) Avoid non-compliance penalties by thoroughly assessing processes and technical infrastructure for security gaps against the control requirements before the compliance deadline.