
How does SharkStriker help you become ADHICS compliant? 


What is ADHICS compliance about? 

The Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS) was issued by the Abu Dhabi Department of Health in 2019 to protect the privacy and security of health information. It collects industry best practices for the information security of sensitive, health-specific data.

ADHICS defines the controls that apply to each healthcare entity according to its maturity, the level of risk it is exposed to, and its current capabilities. It comprises detailed controls for securing health information wherever it is created, maintained, displayed, used, processed, transmitted, or disposed of, with guidelines that protect the confidentiality, integrity, and availability of that information. Together, the guidelines set out the measures needed to establish an effective information security program.

Who governs it? 

ADHICS is issued and enforced by the Abu Dhabi Department of Health, the regulator of the emirate's healthcare sector, and operates alongside the applicable federal and local legislation.

What kind of controls does it cover?   

  1. Asset management  
  2. Access and communication control  
  3. Data security  
  4. Data sovereignty and retention  
  5. Third-party security  
  6. Information Security Incident Management  
  7. Information Security Continuity Management  
  8. Information Systems Management  
  9. Physical and Environmental Security
  10. Human Resource Security  
  11. Operations Management 

Whom does it apply to?  

It applies to every public and private entity regulated by the Abu Dhabi Department of Health: healthcare providers, health insurers, third parties that handle health information on their behalf, and any other medical facility.

Benefits of being ADHICS compliant  

Beyond its detailed guidance on information security and cyber resilience, ADHICS delivers the following business benefits to compliant organizations:

Fosters higher degree of information assurance  

It raises the standard of information assurance across healthcare entities and for the patients they serve in the UAE.

It builds trust between patients and healthcare entities  

ADHICS takes a holistic approach that is not limited to IT but covers people, processes, and technology. It addresses the underlying cyber risks as a whole and gives organizations a thorough understanding of their security exposure. The result is more predictable operations with fewer disruptions, which in turn strengthens patient and brand trust.

Reduces business cost  

The standard's recommendations reduce the risk of operational downtime and the cost of service disruption. Predictable, measurable outcomes mitigate risk and save money. In healthcare, a cyber-attack can cripple operations, including emergency services on which lives depend, so reducing that risk is a direct business benefit.

Global benchmarks  

ADHICS incorporates many of the best practices recommended by global regulatory bodies for information security. Adhering to its guidelines therefore covers much of the ground required by other privacy, data-protection, and information-security frameworks, and reduces the likelihood of data privacy violations that carry financial and reputational consequences.

It provides a secure way for healthcare information to be stored 

ADHICS sets out how sensitive, electronically processed healthcare information should be stored. It brings together best practices for how such information is stored, processed, and controlled, with a high degree of accountability, integrity, and availability.

What are the consequences of being non-compliant with ADHICS?

Auditors appointed by the Abu Dhabi Department of Health periodically assess organizations against the standard.

A healthcare entity subject to ADHICS that scores below 86% on the Annual Surveillance Audit is deemed non-compliant and faces cancellation of its license.

ADHICS itself does not specify a penalty amount. However, the law regulating healthcare entities may impose a fine of between AED 500,000 and AED 700,000 for non-compliance.

What are the challenges of becoming compliant with ADHICS?  

Healthcare organizations often struggle to implement the ADHICS guidelines. The following are some of the common challenges faced by organizations subject to the standard:

Existence of legacy systems in large healthcare organizations 

Large healthcare organizations in particular rely on legacy systems to process, store, and manage data. These systems were not designed with current controls in mind, which makes it difficult to implement all the guidelines laid down by ADHICS.

Distributed responsibility for security controls makes a unified cybersecurity framework hard to implement 

In most healthcare organizations, responsibility for security controls is spread across multiple teams and levels, making it highly challenging to implement all the controls under one unified cybersecurity framework.

Limited compliance teams, staffed mostly by IT generalists 

Most healthcare organizations have only a small team to cover both cybersecurity and compliance. On top of that, covering every aspect of cybersecurity means relying on multiple vendors, and managing those vendors is a challenge in itself. Together, these factors make it hard to implement the more than 692 controls recommended by ADHICS.

Cybersecurity is not prioritized 

The most common challenge is that healthcare organizations do not prioritize cybersecurity, so the budget for implementing the measures with the right people, processes, and technology is limited.

Lack of regular maintenance contracts or limited maintenance contracts   

Healthcare organizations, especially small ones, rely on vendors to maintain their IT infrastructure. Those contracts often omit the most critical aspects of cybersecurity, making it difficult to implement the ADHICS guidelines.

How does SharkStriker help Abu Dhabi-based businesses in becoming ADHICS compliant? 

We have seen the challenges businesses face on their ADHICS compliance journey. SharkStriker addresses them through a dedicated cybersecurity and compliance team working on STRIEGO, its unified platform that combines human expertise with technology, to smooth the path to compliance.

SharkStriker's compliance consultants help organizations keep up with the changing compliance environment. They follow this approach to bring clients into compliance:

Risk Assessment  

The first step is to define the scope, based on a thorough assessment of the client's current cybersecurity posture and all the compliance requirements the client must meet. The team then conducts a comprehensive risk assessment of the current environment, using vulnerability assessment and penetration testing (VAPT) to identify and categorize risks across the IT infrastructure, and delivers a detailed report with the measures needed to remediate them.

Gap Assessment 

Next, the team assesses the gaps between the current state and the ADHICS requirements across the IT infrastructure and prepares a detailed report with recommendations.

Risk Treatment Plan 

Based on the identified and categorized risks, the team prepares a detailed plan of the procedures, policies, security controls, and rules to be implemented, prioritized by the degree of risk across the IT infrastructure.

Implementation 

This is the most critical step: the risk treatment plan is implemented with the right technology, resources, and expertise, with close attention to implementing every control as planned.

Post Implementation Audit 

To confirm that the risk treatment plan has been implemented correctly, a post-implementation audit checks for any remaining gaps. Any gaps found are remediated.

Training and Awareness 

Because awareness is one of the most critical aspects of compliance management, training modules and awareness campaigns are prepared to close awareness gaps and to ensure the compliance program is understood and accepted at every level of the organization.
