ADHICS v2.0 Compliance: What Every Healthcare Facility in Abu Dhabi Needs to Know in 2026

If your healthcare facility operates in Abu Dhabi and you have not yet achieved full ADHICS v2.0 compliance, you are operating on borrowed time. The Department of Health is not treating cybersecurity as a future priority. It is enforcing it now, through intensified inspections, mandatory AAMEN platform submissions, and operational consequences that range from corrective action plans to licence suspension. This article provides a practical guide to understanding ADHICS v2.0, what changed from the original standard, what the compliance process looks like, and why proactive preparation is significantly less expensive than reactive remediation after an audit finding.

What Changed with ADHICS v2.0

The original ADHICS standard, launched in 2019, established foundational cybersecurity requirements for Abu Dhabi healthcare entities. ADHICS v2.0, released in 2024, represents a comprehensive expansion reflecting the evolution of healthcare technology adoption and the corresponding escalation of cyber threats.

The updated standard introduces new domains including AI and emerging technology governance, comprehensive IoMT and medical device security requirements, healthcare-specific cloud security controls with mandatory UAE data residency, a 72-hour breach notification requirement for confirmed security incidents, full third-party risk management obligations, digital AAMEN platform compliance tracking, and detailed PHI data classification with consent management frameworks.

The three-tier compliance structure, Basic, Intermediate, and Advanced, now applies more stringent control requirements based on facility size and complexity. Hospitals with 21 or more beds fall under Advanced controls, requiring implementation of all 692 controls across every domain.

The 11 ADHICS Security Domains

Understanding the scope of ADHICS v2.0 requires recognising that it covers far more than traditional IT security. The framework spans 11 comprehensive domains.

Information Security Governance establishes the foundational policies, procedures, roles, and oversight structures that underpin every other control. Risk Management mandates systematic identification, assessment, and treatment of cybersecurity risks across all healthcare operations. Asset Management requires comprehensive inventories of hardware, software, data, and medical devices with classified sensitivity levels.

Human Resources Security addresses the reality that people remain the weakest link in cybersecurity, covering background checks, awareness training, and access revocation procedures. Physical and Environmental Security extends protection to facilities, server rooms, medical device locations, and paper records. Access Control enforces strict authentication, authorisation, and privilege management for all systems handling patient data.

Operations Management covers secure system administration, change management, and monitoring. Communications Security addresses network protection, data transfer encryption, and secure messaging. Health Information Protection mandates specific controls for electronic medical records, clinical data, and protected health information throughout its lifecycle. Third-Party Security requires due diligence, contractual controls, and ongoing monitoring for every vendor handling healthcare data. Business Continuity demands tested disaster recovery plans, backup procedures, and resilience capabilities.

The Compliance Process: A Practical Walkthrough

Achieving ADHICS v2.0 compliance follows a structured process that, when approached systematically, is far more manageable than the 692-control count initially suggests.

Step 1: Gap Assessment

The starting point is a comprehensive assessment of your current security posture against ADHICS v2.0 requirements. This identifies which controls you already satisfy, which have partial implementation, and which represent genuine gaps. The assessment should cover technical controls, policies, procedures, personnel practices, and physical security measures across all 11 domains.

Step 2: Remediation Roadmap

Gap assessment findings feed into a prioritised remediation plan. Critical gaps, those that pose immediate patient safety or data breach risks, are addressed first. The roadmap includes specific actions, responsible parties, resource requirements, and realistic timelines. For most healthcare facilities, a phased approach over 6 to 12 weeks produces sustainable compliance without overwhelming operational teams.

Step 3: Policy Development and Implementation

ADHICS v2.0 mandates 15+ documented cybersecurity policies. These are not generic templates. They must reflect your actual operational context, technology environment, organisational structure, and risk profile. Effective policies are practical enough for staff to follow and specific enough for auditors to verify.

Step 4: AAMEN Platform Submission

The Department of Health tracks compliance through the AAMEN digital platform. Your facility must submit self-assessment documentation, compliance evidence, and policy records through this platform. The submission quality directly influences your audit experience: comprehensive, well-organised evidence packages correlate strongly with favourable audit outcomes.

Step 5: Ongoing Monitoring and Maintenance

ADHICS compliance is continuous. DOH conducts periodic audits, and the threat landscape evolves constantly. Sustained compliance requires regular risk reassessments, policy refresh cycles, staff training updates, incident response testing, and continuous monitoring of systems and access controls.

The Cost of Non-Compliance

Healthcare facilities that approach ADHICS as optional guidance, rather than mandatory regulation, consistently face more severe consequences than the investment required for proactive compliance. DOH enforcement actions include corrective action plans with mandatory implementation deadlines, financial penalties scaled to the severity and duration of non-compliance, operational restrictions limiting the scope of services a facility can provide, licence suspension for persistent or critical failures, and reputational damage that affects patient trust, staff recruitment, and insurer relationships.

The practical reality is straightforward: the cost of achieving ADHICS compliance is a fraction of the cost of recovering from non-compliance enforcement.

Building Compliance into Competitive Advantage

Forward-thinking healthcare organisations recognise that robust cybersecurity compliance is not just a regulatory burden. It is a competitive differentiator. Facilities that can demonstrate verified ADHICS compliance build stronger trust with patients, attract higher-quality clinical staff, secure more favourable insurer agreements, and position themselves as preferred partners for HealthTech companies seeking compliant deployment environments.

Alpha Health Group brings over 20 years of UAE healthcare experience and a track record of establishing and managing 200+ healthcare facilities to every cybersecurity compliance engagement. We deliver structured, practical compliance programmes that protect your patients, preserve your licence, and build your competitive position in a market where cybersecurity maturity increasingly separates leaders from laggards.

SUMMARY

A practical guide to ADHICS v2.0 compliance for Abu Dhabi healthcare facilities covering the 11 security domains, 692 controls, gap assessment methodology, policy development requirements, AAMEN platform submission, and the business case for proactive cybersecurity compliance in the UAE healthcare sector.
