Overview, Responsibilities, Challenges, and Penalties

The Abu Dhabi – Healthcare Information and Cyber Security Standard (ADHICS) applies to all healthcare facilities and practitioners operating in the Emirate of Abu Dhabi. ADHICS has been created to ensure that Abu Dhabi’s digital healthcare infrastructure matches international standards in healthcare data security and enhances public trust in the digital transformation of healthcare. The standard was published on, and is effective from, 3^rd February 2019, and can be downloaded here. Implementation guidelines can be found here.

ADHICS Overview

Control Domains

ADHICS specifies control measures that are categorised into 11 domains; these are listed below along with their controls:

1. Human Resource Security – Policy, Prior to Employment, During Employment, Termination or Change
2. Asset Management – Policy, Management, Classification & Labelling, Handling, Disposal
3. Physical and Environmental Security – Policy, Secure Areas, Equipment Security
4. Access Control – Policy, Management, Equipment and Devices Access Control, Access Reviews, Network Access Control, Operating System Access Control, Application and Information Access Control
5. Operations Management – Policy, Operational Procedures, Planning and Acceptance, Malware Protection, Backup and Archival, Monitoring and Logging, Security Assessment and Vulnerability Management
6. Communications – Policy, Information Exchange, Electronic Commerce, Information Sharing Platforms, Network Security Management
7. Health Information and Security – Policy, Privacy and Protection
8. Third Party Security – Policy, Delivery and Monitoring
9. Information Systems Acquisition, Development, and Maintenance – Policy, Security Requirement of Information Systems and Applications, Correct Processing in Applications, Cryptographic Controls, Security of System Files, Outsourced Software Development, Supply Chain Management
10. Information Security Incident Management – Policy, Management and Improvements, Events and Weakness Reporting
11. Information Systems Continuity Management – Policy, Planning

A control may have multiple sub-controls. ADHICS lists 692 controls in total (162 Primary Controls, 530 Sub-controls), though all may not apply to an individual organisation.

ADHICS also lists policy references relevant to each domain e.g., the section on Access Control lists ‘Information Access Management as part of Administrative Safeguards of HIPAA’ and states that the level of applicability of such supporting/dependent policy references will vary based on the individual healthcare entity.

Control Categories

Each of the 692 controls are classified under 3 categories/criteria: Basic, Transitional, and Advanced. The ADHICS document specifies that category for each control. An organisation will need to implement these controls depending on the category that applies to the organisation.

Basic

Number of Controls – 328 (Primary Controls – 73; Sub-controls – 255).

Applicability – These are essential controls that apply to all healthcare entities and are therefore considered to be of the highest priority. The organisation will need to provide valid business justification with associated evidence if it believes any of these controls are not relevant to its business operations.

Compliance – All healthcare organisations must comply with these controls within 6 months of the release of the ADHICS standard i.e., within 2019; all organisations are therefore now expected to have achieved, and continue to maintain, compliance with the Basic controls.

Transitional

Number of Controls – 218 (Primary Controls – 56; Sub-controls – 162).

Applicability – The Transitional controls apply to

• Hospitals with up to 20 beds
• Day Care Surgery Centres
• Primary Health Care Centres
• Diagnostic Centres
• Rehabilitation Centres
• Dialysis Centres
• Fertilisation Centres
• Mobile Healthcare Units
• Home Care Service Providers
• Drug/Medical Stores

All entities that must implement Transitional controls must also implement the Basic controls.

Compliance – All qualifying healthcare organisations must comply with these controls within 1 year of the release of the ADHICS standard i.e., early 2020; all qualifying organisations are therefore now expected to have achieved, and continue to maintain, compliance with the Transitional controls.

Advanced

Number of Controls – 146 (Primary Controls – 33; Sub-controls – 113).

Applicability – These controls apply only to hospitals with 21 (or more) beds. These hospitals must also implement the Basic and Transitional controls.

Compliance – All qualifying hospitals must comply with these controls within 1 year of the release of the ADHICS standard i.e., early 2020; all qualifying hospitals are therefore now expected to have achieved, and continue to maintain, compliance with the Advanced controls.

To summarise, Basic and Transitional controls will need to be implemented by most smaller healthcare organisations i.e., 546 of the 692 controls will need to be implemented. Advanced controls (146 controls) will need to be implemented only when a hospital grows beyond 20 beds.

Sample Controls

We can gain an understanding of how these control measures will apply to organisations, and the organisations’ obligations under the standard, by examining a sample of controls under Communication – Information Exchange across the three categories:

• Basic – The healthcare entity must ensure critical and private information is protected in transit by
  • Ensuring that user-name and password are communicated using two different communication channels (email and SMS-text, or email and phone, etc.)
  • Encrypting critical information before transferring and sharing encryption/decryption key using a different communication channel
• Transitional – The healthcare entity shall protect information involved in electronic messaging by
  • Identifying and categorising all means of electronic messaging through which information can be transmitted
  • Defining specific control requirements for each category
  • Ensuring exchange of information is based on need and is addressed to authorised and legitimate resources
  • Ensuring appropriate electronic signatures containing legal disclaimers are used
• Advanced – The healthcare entity shall develop, enforce and maintain procedures that will
  • Identify all interconnections and integrations between business information systems, and identify the information to be protected
  • Identify adequate security measures to be applied to protect each type of information

We can see that compliance obligations increase in scope and complexity as we progress through the categories, and an in-depth understanding of the standard is required to ensure that compliance is maintained.

Key Responsibilities Under ADHICS

Each organisation will be evaluated based on effective implementation of applicable controls in each domain. In addition to implementing the technology measures, every healthcare entity is expected to

1. Periodically Assess Risks – The assessment must include
   1. Probability of occurrence of the risk event
   2. Impact
   3. Mitigation strategies and countermeasures
2. Implement Risk Remediation – These measures should be prioritised based on the impact of identified risk and prioritisation mentioned in ADHICS. The organisation should
   1. Establish and maintain risk mitigation policies
   2. Define procedures to support these policies
   3. Address risk by implementing controls including controls specified in ADHICS
3. Periodically Report on Control Performance – The organisation is expected to monitor
   1. Relevance and need of control measures based on organisational risk
   2. Performance of control measures
   3. Effectiveness of control measures in mitigating risk
4. Classify Assets – A healthcare organisation must classify its assets, including information, as
   1. Public – Information that has no legal, regulatory, or organisational restriction on access, and is destined for public use
   2. Restricted – Information relating to the internal functioning of the organisation that will have limited adverse impact if accessed without authorisation
   3. Confidential – Information such as personal, financial, or government information, as well as information relating to designs, configuration, and vulnerabilities
   4. Secret – Highly sensitive information that, if accessed, could impact national security, public order, and otherwise affect the nation
5. Maintain Records – The organisation is expected to maintain records of all legislative, regulatory and governmental executive orders and establish
   1. Demands applicable to the business
   2. Implementation and maintenance stakeholders
   3. Compliance checklists
   4. Reporting obligations
   5. Escalation demands
6. Conduct Audits – The healthcare entity must conduct, share reports with the Department of Health, and preserve the results of
   1. Yearly audits to verify compliance
   2. Yearly Vulnerability Assessment and Penetration Testing on the system, network applications, and security infrastructure and environment (K7 recommends performing Vulnerability Assessment and Penetration Testing every 6 months)
   3. Yearly web security assessments on web applications
7. Conduct Awareness Programmes – The healthcare facility should conduct
   1. Yearly awareness campaigns on cybersecurity topics including risks, learnings, benefits of compliance, responsibilities, and regulatory requirements
   2. Orientation on healthcare information protection and sanctions to all employees, contractors, and third parties, prior to granting access to healthcare information
8. Check Cybersecurity Measures – The organisation must periodically review cybersecurity measures by
   1. Conducting random audits of equipment, devices, systems, and facilities at teleworking sites
   2. Reviewing user access and privileges at least once a year or earlier as determined by the organisation’s risk profile
   3. Performing audits of third-party services on a regular basis
   4. Reviewing source code from outsourced software development to identify potential vulnerabilities, backdoors, and malicious code
   5. Including the right to audit/monitor activities that involve personal health/personally identifiable information when establishing agreements with external parties for exchange of information and software
9. Avoid the Cloud – The healthcare entity must ensure that cloud storage or infrastructure is not used to store, process, or share health information. Any systems that make use of cloud services must be identified and disconnected from the healthcare entity’s systems that process, store, or use health information
10. Control Access to Health Information Exchange Platforms – The organisation must
    1. Periodically validate access to health information exchange systems
    2. Frequently assess and audit to identify misuse and ensure compliance
    3. Report incidents and misuse to the exchange operator and the health sector regulator

The above is not an exhaustive list of responsibilities. Please refer to the ADHICS document for the complete list of cybersecurity obligations under the standard.

ADHICS Compliance Challenges

Understanding 692 controls, and implementing them when and where appropriate, is a daunting challenge for a smaller healthcare organisation that may not have an internal IT team or include cybersecurity specialists in its talent pool. Some of the most common challenges faced by such organisations include:

1. Incorrect Prioritisation of IT Investment – Merely having an IT budget is not enough. The funds need to be allocated towards measures that will help achieve the minimum 86% score required to clear ADHICS audits. Some of the deficiencies common in smaller healthcare facilities include
   1. Lack of data backups (or lack of offsite backup, limited backup storage capacity)
   2. No alarm for the door to the data centre room
   3. No asset classification (or incorrect asset classification)
   4. Lack of a paper shredder
2. Inadequate Control Measures in Processes – Every healthcare facility will follow numerous internal processes, which must integrate data security measures. Smaller facilities often struggle with implementing adequate controls in
   1. Employee lifecycle management (maintaining data security in recruitment, onboarding, and exit)
   2. Asset management (handling and disposal of assets)
3. Legacy Devices – Devices that are no longer supported by their vendors are often found in healthcare establishments as these devices will last, and remain perfectly functional, long after their software support ends. Such devices may present a data security risk, and result in non-compliance, if
   1. No antivirus protection is provided
   2. Enterprise antivirus is available, but does not support the legacy platform
4. Insufficient Maintenance Contracts – The healthcare facility’s IT infrastructure will require regular maintenance to remain secure. This maintenance may be provided either by the OEM or a 3^rd party maintenance specialist. The organisation may be found non-compliant if it
   1. Lacks maintenance contracts (or available maintenance contracts do not cover all critical equipment)
   2. Scope of activities in the maintenance contracts is inadequate to ensure ADHICS compliance

ADHICS Penalties for Non-Compliance

Any healthcare facility that does not achieve a score of at least 86% in the Annual Surveillance Audit conducted by TASNEEF-RINA Business Assurance (TRBA) will be provided the opportunity to implement corrective measures and improve its score through a Corrective Action Plan, failing which its business license will not be renewed.

K7 ADHICS Compliance Services

K7 Security’s ADHICS Compliance Services provide turnkey consulting services that eliminate concerns over non-compliance, and allow the healthcare organisation’s management and staff to focus on providing quality healthcare services while our specialists manage the technical and administrative responsibilities defined by ADHICS. Our services include

1. One-time/single-audit compliance consulting for all 11 controls
2. Annual sustenance contract to ensure continuing compliance for all 11 controls
3. Quarterly submission of reports to the regulator
4. Vulnerability Assessment and Penetration Testing (VAPT)
5. Responding to information requests from the regulator
6. Prioritising and addressing communication from the regulator

Contact us for more information on how we can help your healthcare facility achieve and maintain ADHICS compliance. Our ADHICS Compliance Services are designed to suit any scale of healthcare operations.