ADHICS Security Testing Services
Healthcare data in Abu Dhabi doesn’t get a second chance; a breach of patient information carries regulatory, legal, and reputational consequences that policy documents alone can’t prevent. ADHICS, the Department of Health’s mandatory cybersecurity standard, expects healthcare entities to prove their systems are actually secure, not just documented as such. Nathan Labs delivers ADHICS-aligned security testing, penetration testing, vulnerability assessment, and HIS/EMR-focused testing that gives Abu Dhabi healthcare organizations the evidence DoH audits and AAMEN submissions require.
What Is ADHICS, and Why Does Security Testing Matter?
The Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS) was introduced by the Department of Health, Abu Dhabi (DoH) in 2019 to protect the confidentiality, integrity, and availability of health information across the emirate. It applies to every healthcare entity that stores, processes, or handles health information, including hospitals, clinics, pharmacies, insurers, labs, telehealth platforms, health tech companies, and medical device manufacturers.
ADHICS v2.0, released in 2024, significantly expanded the original standard, spanning domains covering governance, risk management, asset classification, access control, communications security, and health information protection, plus newer requirements around AI and emerging technology governance, IoMT (Internet of Medical Things) and medical device security, healthcare-specific cloud controls, mandatory 72-hour breach notification, and third-party risk management. Organizations still operating against v1.0 are required to upgrade.
ADHICS is more prescriptive than many comparable frameworks, including HIPAA, and is explicit about penetration testing as a compliance requirement, not an optional best practice. It calls for continuous security assessments and penetration testing of systems handling patient data, with particular attention to Hospital Information Systems (HIS), Electronic Medical Records (EMR) platforms, and patient-facing services. Compliance is tracked through DoH’s AAMEN platform, and non-compliance can result in license suspension, fines, and operational restrictions.
Who Needs ADHICS Security Testing?
- Hospitals and hospital networks operating in Abu Dhabi
- Clinics, specialty medical centers, and diagnostic labs
- Pharmacies and pharmacy chains handling patient records
- Health insurers processing patient and claims data
- Telehealth and telemedicine platforms
- Hospital Information System (HIS) and EMR vendors serving the Abu Dhabi market
- Medical device manufacturers with connected or IoMT products
If your organization touches patient health information anywhere in its lifecycle, from creation to storage, transmission, or disposal, ADHICS applies, regardless of whether you’re a hospital or a technology vendor supplying one.
What ADHICS Security Testing Needs to Cover
- HIS and EMR platforms: The core systems ADHICS treats as highest priority, given their direct access to patient health data
- Patient-facing portals and telehealth platforms: External attack surface exposed to the public internet
- IoMT and connected medical devices: A newly emphasized area under v2.0, often under-tested by generic providers
- Cloud infrastructure: ADHICS restricts storing or processing patient information outside the UAE, making cloud configuration and data residency testing essential
- Network segmentation: Isolating clinical systems from administrative and guest networks
- Access controls: Role-based permissions, multi-factor authentication on administrative access, and periodic revalidation
Testing should run at least annually, with retesting after significant system changes, new integrations, or major platform updates, and organizations that outsource HIS or EMR hosting still carry responsibility for confirming their vendor’s security posture.
How Nathan Labs Delivers ADHICS Security Testing
- Healthcare-specific scoping: We map your environment, HIS, EMR, patient portals, connected devices, and cloud infrastructure against ADHICS control domains, so testing reflects what DoH and AAMEN submissions need to be evidenced.
- Penetration testing across clinical and administrative systems: We test patient-facing platforms, internal clinical networks, and administrative systems, simulating real attacker behavior rather than relying on automated scanning alone.
- IoMT and medical device testing: Connected medical devices are a growing attack surface under ADHICS v2.0. We assess device communication protocols, authentication, and network exposure specific to healthcare IoT.
- Cloud and data residency testing: Since ADHICS restricts patient data storage to UAE-based infrastructure, we verify cloud configurations, access controls, and data residency alongside standard security testing.
- Audit-ready reporting and retesting: Every engagement produces an executive summary suited for DoH inspection and AAMEN documentation, plus a technical report your IT team can act on directly. We retest remediated findings and document closure, so your compliance file reflects resolved risk.
Why Abu Dhabi Healthcare Organizations Choose Nathan Labs
- ADHICS-mapped scoping: Testing tied to specific control domains, not a generic infrastructure test relabeled for healthcare.
- HIS/EMR and IoMT expertise: Coverage of the systems ADHICS treats as highest priority, including newer connected-device requirements.
- Two-track reporting: Evidence formatted for DoH auditors and AAMEN submissions, with technical depth for your IT teams.
- Retesting included: Every finding tracked to verified closure.
- UAE-based delivery: Direct familiarity with DoH expectations and the Abu Dhabi healthcare regulatory landscape.
Frequently Asked Questions
Yes. ADHICS explicitly requires continuous security assessments and penetration testing for systems handling patient data, making it more prescriptive on this point than several comparable international frameworks.
At least annually, with additional testing after significant system changes, new integrations, or major updates to HIS, EMR, or patient-facing platforms.
Yes. ADHICS v2.0 added specific requirements around IoMT and connected medical device security, an area often overlooked in generic penetration testing engagements.
Consequences can include license suspension, fines, and operational restrictions from the Department of Health, alongside the reputational damage of a patient data incident.
The frameworks overlap; PDPL classifies health data as sensitive personal data requiring elevated protection, while ADHICS sets the healthcare-specific controls. A well-scoped test can generate evidence relevant to both.


