How does ADHICS relate to Malaffi?

Connectivity to Malaffi (the emirate's HIE) carries additional security expectations layered on top of the ADHICS baseline. We scope both in one engagement.

Does ADHICS replace HIPAA?

No — ADHICS is the local mandate. HIPAA may still apply where you handle US-resident PHI. The two map cleanly and we build a unified control set.

What about Dubai healthcare entities?

Dubai's DHA has its own framework. ADHICS is specific to Abu Dhabi — we cover both emirates and handle the cross-emirate scoping for groups.

How often is the audit?

Annual at minimum, with continuous control monitoring expected. DoH inspection cycles may compress this for higher-risk facilities.

Abu Dhabi Healthcare Information & Cyber Security Standard · DoH

ADHICS Compliance Audit

Full ADHICS readiness for Abu Dhabi healthcare providers, payers and Malaffi participants.

End-to-end ADHICS (Abu Dhabi Healthcare Information and Cyber Security) Standard audit — Department of Health Abu Dhabi (DoH) controls across governance, asset management, HR, communications, third-party, incident response and health-information exchange. Designed for hospitals, clinics, insurers, labs, pharmacies and HealthTech integrators connected to Malaffi.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Aligned to

ADHICS Standard (latest published version, Department of Health Abu Dhabi)
DoH licensing standards and circulars
Malaffi Health Information Exchange security requirements
UAE Federal PDPL (Decree-Law 45 of 2021)
UAE Information Assurance Standards
ISO 27001:2022 (mapped)
HIPAA Security Rule (mapped for multinational operators)

Why this matters

Compliance is leverage, not paperwork.

ADHICS is the Department of Health Abu Dhabi's mandatory information and cyber-security standard for all licensed healthcare entities in the emirate. Non-compliance can trigger licence-condition action, exclusion from the Malaffi health-information exchange and reputational risk in a sector where DoH publishes facility ratings. Macksofy's ADHICS audit walks the control families end-to-end with the evidence DoH inspectors actually sample — control statements, technical artefacts and a submission pack mapped to the standard.

Applicability

Hospitals, clinics and day-surgery centres licensed by DoH
Diagnostic labs, imaging centres and pharmacies in Abu Dhabi
Health insurance / TPA entities operating in the emirate
Malaffi-connected providers and HealthTech integrators
Telemedicine and digital-health platforms serving Abu Dhabi residents
Suppliers handling protected health information for DoH-licensed entities

Standards & frameworks

Aligned to the regulations that matter.

ADHICS Standard (latest published version, Department of Health Abu Dhabi)

DoH licensing standards and circulars

Malaffi Health Information Exchange security requirements

UAE Federal PDPL (Decree-Law 45 of 2021)

UAE Information Assurance Standards

ISO 27001:2022 (mapped)

HIPAA Security Rule (mapped for multinational operators)

Methodology

How we run a ADHICS engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

Phase 01 of 5

1 · Scoping + applicability

DoH licence-category mapping
Malaffi-connectivity scoping
PHI flow + crown-jewel identification

Deliverables

Everything you need to satisfy auditors.

ADHICS applicability + scoping memo
Control-by-control compliance register
PHI data-flow + Malaffi-integration diagram
Medical-device / IoMT inventory + risk register
Third-party + supplier risk pack
PHI breach notification SOP
DoH submission pack + inspector Q&A deck

Recent engagements

Abu Dhabi multi-specialty hospital group

ADHICS audit + Malaffi-integration security review

Outcome: Closed all priority-1 gaps before annual DoH inspection; Malaffi integration cleared without remediation conditions

Diagnostic-lab chain (Abu Dhabi + Al Ain)

ADHICS + ISO 27001 unified program

Outcome: Single ISMS satisfied both DoH and ISO assessors; audit effort cut by an estimated 35% in year two

At a glance

The shape of a ADHICS engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0 day

Day retest window

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

Governance & policy3 pts
PHI inventory & classification3 pts
Access control & cryptography3 pts
Medical device & IoMT security3 pts
Third-party & Malaffi integration3 pts
Incident response & submission3 pts

Pillar 01

Governance & policy

Board-down accountability for PHI with DoH-aligned policy library.

Information-security policy currency
CISO / security-officer charter
Risk-register + board reporting cadence

Pillar 02

PHI inventory & classification

ADHICS audits live or die on completeness of the PHI inventory.

PHI discovery across EMR, PACS, lab + billing
Information classification + handling rules
Crown-jewel + Malaffi-asset map

Pillar 03

Access control & cryptography

Clinical workflows, identity and PHI encryption walked end-to-end.

Role-based access in EMR + clinical apps
MFA + privileged-access for admins
Encryption-at-rest + in-transit on PHI

Pillar 04

Medical device & IoMT security

The control set most healthcare audits skip — and where DoH increasingly focuses.

Connected-device inventory + patching
Network segmentation for IoMT
Vendor-managed device risk register

Pillar 05

Third-party & Malaffi integration

Suppliers and HIE connectivity tested against ADHICS supplier controls.

Supplier risk + contract clause review
Malaffi integration security testing
Cloud + outsourcing due diligence

Pillar 06

Incident response & submission

DoH-format submission pack and a tested PHI breach playbook.

PHI breach detection + escalation
Tabletop drill (clinical + technical)
DoH submission pack + inspector deck

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a ADHICS engagement. Click any station for detail in the methodology section above.

Week 1

Scoping + applicability

Week 2

Governance + HR controls

Week 3

Technical + operational controls

Week 4

Third-party + HIE controls

Week 5

Incident response + submission

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

Yes — for DoH-licensed healthcare entities operating in Abu Dhabi and their PHI-handling suppliers. Compliance evidence is sampled during DoH licensing and inspection cycles.

Other audit engagements

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.