June 16, 2026 · 9 min read

ADHICS Penetration Testing: 2026 Compliance Checklist

ADHICS penetration testing checklist for UAE healthcare entities. Scope, cadence, and the exact evidence DoH Abu Dhabi auditors expect from your pentest.


ADHICS penetration testing is no longer a one-time project for Abu Dhabi healthcare entities - it is a recurring legal obligation. With the rollout of ADHICS V2, the Department of Health Abu Dhabi (DoH Abu Dhabi) standard now mandates regular technical security assessments with explicit penetration-testing scope. For every hospital, clinic, HIS vendor, and healthtech platform that touches patient data in the emirate, that converts pentesting from a once-a-year event into a continuous compliance requirement.

This is the auditor-grade checklist healthtech buyers actually search for. It answers the only question that matters when you have a DoH deadline: exactly what scope auditors expect, and how to evidence it. Use the scope table below as a scoping worksheet for your own system inventory.

Is penetration testing mandatory under ADHICS V2?

Yes. ADHICS V2 requires regular technical security assessments, including penetration testing, for all DoH-regulated healthcare entities and the vendors connected to them. The requirement is not buried in one obscure clause - it is reinforced across several control domains:

  • Technical security assessment - mandates that systems handling health information undergo regular vulnerability assessment and penetration testing.
  • Vulnerability management - requires identification, risk-rating, and remediation of vulnerabilities on a defined cadence.
  • Third-party and cloud security - extends testing obligations to integrated vendors and cloud-hosted health data platforms.

ADHICS is the successor to the legacy HAAD information security guidance and is the healthcare-specific counterpart to NESA at the national level. Where NESA governs critical national infrastructure broadly, ADHICS applies the same security philosophy to the healthcare sector under DoH Abu Dhabi authority.

Who is in scope

If your organisation creates, stores, transmits, or processes patient data in Abu Dhabi, you are almost certainly in ADHICS scope:

  • Hospitals and clinics operating under a DoH licence
  • HIS and EMR vendors supplying or hosting clinical systems
  • Healthtech SaaS platforms (telehealth, scheduling, patient engagement)
  • Medical device integrators connecting IoMT equipment to clinical networks
  • Cloud-hosted health data platforms running on AWS, Azure, or OCI

The cost of non-compliance

ADHICS is enforced through DoH audits tied to healthcare licensing and accreditation. A missing or inadequate penetration-testing program surfaces as an audit finding. Repeated or serious findings put your DoH accreditation and operating licence at risk. For HIS and healthtech vendors, an ADHICS gap can also disqualify you from selling into Abu Dhabi providers entirely - your customers will fail their own audits if your platform is not tested.

For the broader picture of how this fits alongside national healthcare security obligations, see our guide to healthcare penetration testing under DHA and ADHICS.

How often does ADHICS require penetration testing?

ADHICS V2 establishes a bi-annual cadence for security assessments. In practice, most DoH auditors treat an annual external penetration test as the minimum acceptable floor, with internal and targeted assessments filling the gaps between full engagements.

Cadence alone is not enough. ADHICS treats testing as change-driven as well as calendar-driven. Re-testing is triggered whenever your risk surface shifts.

ADHICS testing cadence table

Assessment type              | Frequency         | Trigger
External penetration test    | Annual (minimum)  | Calendar - regulatory baseline
Internal / segmentation test | Bi-annual         | Calendar - ADHICS assessment cadence
Vulnerability assessment     | Quarterly         | Calendar - vulnerability management domain
Change-driven re-test        | As needed         | Major system change, new integration, new cloud workload
Post-incident assessment     | As needed         | Any security incident affecting PHI systems

This is why a growing number of Abu Dhabi healthcare entities move from one-off tests to a continuous testing retainer. When you deploy new releases, onboard a new lab integration, or stand up a new cloud workload monthly, a single January pentest does not reflect your security posture by June. A retainer model - like our Guardian retainer - assesses every material change before it reaches production and keeps your evidence package continuously audit-ready.

What systems are in ADHICS pentest scope? The scope table

ADHICS scope is defined by where protected health information (PHI) flows. Before any testing begins, you map every system, interface, and device that touches PHI - that data-flow map becomes the basis for your approved scope document. The table below lists the eight categories DoH auditors expect to see covered.

ADHICS penetration testing scope table

# | System category                   | Examples                                                         | Coverage expected
1 | Public web apps & patient portals | Booking portals, patient dashboards, marketing sites with forms  | External, authenticated + unauthenticated
2 | HIS / EMR core                    | Clinical information systems, electronic medical records         | Internal, authenticated, role-based
3 | APIs & integration layers         | FHIR/HL7 interfaces, REST APIs, integration engines              | External + internal, authenticated
4 | Third-party integrations          | Lab, pharmacy, insurance claim gateways, telehealth              | External, integration-boundary testing
5 | Medical & IoMT devices            | Connected diagnostic, monitoring, imaging equipment              | Internal, network + device-level
6 | Cloud environments                | AWS, Azure, OCI hosting PHI workloads                            | Configuration review + external/internal
7 | Network & segmentation            | VLANs, firewalls, clinical/corporate separation                  | Internal, segmentation validation
8 | Identity & access                 | Active Directory, IAM, privileged access                         | Internal, authenticated, privilege escalation

The two most-missed scope items

In our experience, medical devices and third-party integrations are the two most-missed scope items in failed ADHICS audits. Both get silently excluded for the same reason: they feel like someone else’s responsibility. Teams assume the device manufacturer or the integration vendor owns the security. ADHICS does not see it that way. If a connected infusion pump or a lab interface processes PHI on your network, it is in your scope, and an auditor will expect evidence it was tested.

Coverage expectations

A compliant ADHICS pentest is not just an external scan. Auditors expect:

  • External and internal testing - the attacker outside the perimeter and the compromised insider or pivoting attacker inside it
  • Authenticated and unauthenticated testing - what an anonymous attacker sees versus what a logged-in user (or stolen credential) can reach
  • PHI data-flow mapping as the foundation - the scope is justified by where patient data actually travels, not by a convenient subset of systems

The ADHICS pentest checklist auditors actually check

Use this as a pre-engagement and delivery checklist. Each item maps to something a DoH auditor will look for.

Pre-engagement

  • Approved scope document signed off by the entity, listing all eight system categories and justifying any exclusions
  • Rules of engagement - testing windows, emergency contacts, production safeguards
  • PHI handling agreement - how the testing provider handles any patient data encountered, with data-residency commitments
  • PHI data-flow map justifying the scope boundary

Coverage during testing

  • OWASP-aligned web and API testing across the full Top 10 plus business logic
  • Segmentation testing - proving clinical networks are isolated from corporate and guest networks
  • Access-control validation - role-based access, privilege escalation, IDOR on patient records
  • Audit-logging validation - confirming security events on PHI systems are actually logged
  • Third-party integration boundaries and medical/IoMT device exposure tested, not skipped
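As an added example of the access-control and audit-logging bullets above (this is illustration code, not pentest.ae's tooling or anything from the ADHICS standard): a small Python harness that runs the same role and IDOR test matrix against a deliberately weak patient-record handler and a hardened one, and returns the evidence pairs an auditor wants alongside a check that every PHI access attempt produced an audit event. All users, patient identifiers and records are constructed sample data; the role names and the care-team model are assumptions.

```python
"""Access-control evidence harness (added example, not pentest.ae code).

Models a minimal patient-record API with a deliberately weak handler and a
hardened one, runs the same role/IDOR matrix against both, and records
evidence pairs (request -> outcome) plus an audit-log coverage check.
All users, patients and records below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample data: two patients, one clinician per care team,
# and a billing clerk who should never read clinical notes.
RECORDS = {
    "P-1001": {"name": "Patient A", "notes": "clinical notes A"},
    "P-1002": {"name": "Patient B", "notes": "clinical notes B"},
}
CARE_TEAM = {"P-1001": {"dr.alpha"}, "P-1002": {"dr.beta"}}


@dataclass
class User:
    username: str
    role: str             # assumed roles: "patient", "clinician", "billing"
    patient_id: str = ""  # only set for patient accounts


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, user, patient_id, outcome):
        self.events.append({"user": user.username, "patient": patient_id, "outcome": outcome})


class Forbidden(Exception):
    pass


def vulnerable_get_record(user, patient_id, audit):
    """Weak handler: authenticates the caller but never authorises the object
    (classic IDOR) and writes no audit event."""
    return RECORDS[patient_id]


def hardened_get_record(user, patient_id, audit):
    """Hardened handler: object-level authorisation plus an audit event for
    every attempt, whether allowed or denied."""
    allowed = (
        (user.role == "patient" and user.patient_id == patient_id)
        or (user.role == "clinician" and user.username in CARE_TEAM.get(patient_id, set()))
    )
    audit.record(user, patient_id, "allowed" if allowed else "denied")
    if not allowed:
        raise Forbidden(f"{user.username} may not read {patient_id}")
    return RECORDS[patient_id]


# Test matrix: (actor, target, expected). Each row becomes one evidence pair.
MATRIX = [
    (User("patient.a", "patient", "P-1001"), "P-1001", "allowed"),
    (User("patient.a", "patient", "P-1001"), "P-1002", "denied"),   # horizontal IDOR
    (User("dr.alpha", "clinician"), "P-1001", "allowed"),
    (User("dr.alpha", "clinician"), "P-1002", "denied"),            # outside care team
    (User("clerk", "billing"), "P-1001", "denied"),                 # wrong role
]


def run_access_matrix(handler):
    """Exercise every (actor, target) pair against `handler`. Returns the
    evidence pairs, the findings (rows whose observed outcome differs from the
    expected one) and the attempts that left no audit event at all."""
    audit = AuditLog()
    evidence, findings = [], []
    for user, patient_id, expected in MATRIX:
        try:
            handler(user, patient_id, audit)
            observed = "allowed"
        except Forbidden:
            observed = "denied"
        pair = {"actor": user.username, "role": user.role, "target": patient_id,
                "expected": expected, "observed": observed}
        evidence.append(pair)
        if observed != expected:
            findings.append(pair)
    logged = {(e["user"], e["patient"]) for e in audit.events}
    unlogged = [(u.username, p) for u, p, _ in MATRIX if (u.username, p) not in logged]
    return {"evidence": evidence, "findings": findings, "unlogged_attempts": unlogged}


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_record), ("hardened", hardened_get_record)):
        result = run_access_matrix(handler)
        print(f"{name}: {len(result['findings'])} access-control finding(s), "
              f"{len(result['unlogged_attempts'])} unlogged attempt(s)")
```

Each matrix row is one evidence pair (actor, role, target, expected, observed); the rows where observed differs from expected are the access-control findings, and any attempt that produced no audit event is a logging-gap finding against the same PHI system. On a real engagement the handler is the live HIS or portal API and the matrix is derived from the roles in the PHI data-flow map rather than hard-coded.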

Deliverables auditors want

  • Methodology statement referencing OWASP, PTES, or NIST
  • Risk-rated findings with CVSS scores, business impact, and remediation guidance
  • Findings mapped to ADHICS control domains so each result traces to the standard
  • Remediation evidence showing fixes were applied
  • Re-test confirmation letter verifying closure of critical and high findings

Common gaps that fail ADHICS audits

  • Stale patching - known CVEs left open past the vulnerability-management SLA
  • Weak segmentation - clinical and corporate networks that are flat or bridgeable
  • Exposed third-party integrations - lab or insurance interfaces with no authentication or weak authorization
  • Missing re-test evidence - findings reported but never verified as fixed, leaving the audit loop open
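As an added example of the segmentation-testing item above and the "weak segmentation" gap (illustration code, not pentest.ae's tooling): a Python check that evaluates a firewall rule base, first match wins with a default deny, against the clinical/corporate/guest isolation the entity has agreed to, and returns every flow whose decision differs from the policy. The zone names, ports and rules are constructed assumptions; the flat rule base shows a rule-ordering mistake that makes a network bridgeable even though a deny exists on paper.

```python
"""Segmentation evidence check (added example, not pentest.ae code).

Evaluates a constructed firewall rule base (first match wins, default deny)
against the isolation a clinical/corporate/guest design requires and returns
the flows that violate it. Zone names, ports and rules are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "any"
    dst: str
    port: int     # 0 means any port
    action: str   # "allow" or "deny"


def evaluate(rules, src, dst, port):
    """First matching rule decides; no match means deny (assumed default)."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, 0):
            return r.action
    return "deny"


# Agreed segmentation policy: (src, dst, port, expected decision).
POLICY = [
    ("guest", "clinical", 443, "deny"),
    ("guest", "clinical", 445, "deny"),
    ("corporate", "clinical", 445, "deny"),     # no SMB into the clinical VLAN
    ("corporate", "clinical", 443, "allow"),    # HIS web front end only
    ("clinical", "corporate", 3389, "deny"),
    ("iomt", "internet", 443, "deny"),          # devices never egress directly
    ("iomt", "clinical", 2575, "allow"),        # assumed HL7 port to the integration engine
]


def find_segmentation_gaps(rules, policy=POLICY):
    """Return the policy rows whose observed decision differs from the expected one."""
    gaps = []
    for src, dst, port, expected in policy:
        observed = evaluate(rules, src, dst, port)
        if observed != expected:
            gaps.append({"src": src, "dst": dst, "port": port,
                         "expected": expected, "observed": observed})
    return gaps


# Constructed rule base with a common mistake: a broad corporate->clinical
# allow placed before the SMB deny, plus an "iomt to anywhere" allow.
FLAT_RULES = [
    Rule("corporate", "clinical", 0, "allow"),
    Rule("corporate", "clinical", 445, "deny"),   # shadowed, never reached
    Rule("iomt", "clinical", 2575, "allow"),
    Rule("iomt", "any", 0, "allow"),
]

# Corrected rule base: specific allows, an explicit final deny, nothing shadowed.
SEGMENTED_RULES = [
    Rule("corporate", "clinical", 443, "allow"),
    Rule("iomt", "clinical", 2575, "allow"),
    Rule("any", "any", 0, "deny"),
]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        gaps = find_segmentation_gaps(rules)
        print(f"{name}: {len(gaps)} segmentation gap(s)")
        for gap in gaps:
            print("  ", gap)
```

The output for each rule base is the segmentation test result an auditor asks for: the policy row, what the rule base actually decides, and where they disagree. The shadowed deny in the flat rule base is the point worth showing to a reader; a rule review that only confirms "a deny rule exists" would pass it, while evaluating the rules in order does not.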

ADHICS requirement to pentest activity mapping

ADHICS control domain         | Required pentest activity                           | Evidence produced
Technical security assessment | Full external + internal penetration test           | Methodology statement, risk-rated report
Vulnerability management      | Authenticated vulnerability assessment + retest     | Findings with CVSS, remediation evidence
Asset management (devices)    | Medical / IoMT device and network testing           | Device-level findings in scope report
Third-party security          | Integration-boundary testing of vendor interfaces   | Third-party findings, scope sign-off
Cloud security                | Cloud configuration review + workload testing       | Cloud findings, config baseline gaps
Access control                | Privilege escalation, role and IDOR testing         | Access-control findings, evidence pairs
Network security              | Segmentation and firewall rule validation           | Segmentation test results
Audit and accountability      | Logging and monitoring validation                   | Logging gap findings

From checklist to a compliant ADHICS engagement

A scoped ADHICS penetration test follows a predictable structure that produces the evidence your auditor expects.

How the engagement runs

  1. Kickoff - share your system inventory and PHI data-flow map; agree timelines and contacts.
  2. Scope sign-off - finalise the approved scope document covering all eight categories, with exclusions justified.
  3. Testing - external, internal, authenticated, and unauthenticated coverage; critical findings reported in real time, not held for the report.
  4. Reporting - risk-rated findings mapped to ADHICS control domains, with a methodology statement and an executive summary.
  5. Remediation re-test - your team fixes the findings; the tester verifies and issues a re-test confirmation letter.

Typical timeline and report package

For a mid-sized Abu Dhabi healthcare entity, a scoped ADHICS engagement runs roughly 3 to 5 weeks end-to-end, depending on the number of in-scope systems and integrations. A DoH-ready report package contains the methodology statement, the approved scope document, risk-rated findings with CVSS and business impact, the ADHICS control-domain mapping, remediation evidence, and the re-test confirmation letter - everything an auditor needs in one bundle.

For budgeting, see our penetration testing cost and pricing guide, and to get your team ready, our guide on how to prepare for a penetration test.

Why a UAE provider that maps to ADHICS beats a generic vendor

A global pentest vendor will hand you a technically competent report structured for nobody in particular. A UAE-based provider that maps every finding to ADHICS control domains hands you a report your DoH auditor can trace line by line - saving weeks of internal translation and removing the risk that a finding is dismissed because it was not framed against the standard. Data residency, local regulatory fluency, and direct mapping to ADHICS, NESA, and DoH expectations are the difference between an evidence package that passes and one that triggers follow-up questions.

Book a scoped ADHICS penetration test

pentest.ae delivers ADHICS-aligned penetration testing for Abu Dhabi hospitals, clinics, HIS and EMR vendors, and healthtech platforms. Every engagement produces a DoH-ready report package with findings mapped directly to ADHICS control domains and a re-test confirmation letter included at no extra cost.

Bring your system inventory; the scope table above doubles as your scoping form. We will turn it into an approved scope document and a compliant engagement.

Book a scoped ADHICS penetration test with a pentest.ae security researcher, or explore our full penetration testing services.

Frequently Asked Questions

Is penetration testing mandatory under ADHICS?

Yes. ADHICS V2, the Department of Health Abu Dhabi healthcare information and cyber security standard, requires regular technical security assessments that include penetration testing for all DoH-regulated healthcare entities and their connected vendors. Testing requirements sit within the technical security assessment, vulnerability management, and third-party and cloud security control domains. Hospitals, clinics, HIS and EMR vendors, healthtech SaaS providers, and medical device integrators are all in scope. Failure to evidence regular testing surfaces as a DoH audit finding that can put accreditation and operating licences at risk.

How often is penetration testing required under ADHICS V2?

ADHICS V2 mandates bi-annual security assessments, and most DoH auditors treat an annual external penetration test as the practical floor. Beyond the calendar cadence, re-testing is triggered by major system changes, new third-party integrations, new cloud workloads, and any security incident. Because Abu Dhabi healthcare entities deploy continuously, many move to a continuous testing retainer rather than a single yearly event, so that every material change to systems holding PHI is assessed before it goes live.

What systems are in scope for an ADHICS penetration test?

ADHICS scope follows the flow of protected health information (PHI). Expect eight categories in scope: public web apps and patient portals, the HIS and EMR core, APIs and integration layers, third-party integrations (labs, pharmacy, insurance, telehealth), medical and IoMT devices, cloud environments (AWS, Azure, OCI), the internal network and segmentation, and identity and access controls. Both external and internal perimeters and both authenticated and unauthenticated testing are expected. PHI data-flow mapping is the basis for defining the approved scope auditors will accept.

Does ADHICS require medical device and third-party integration testing?

Yes, and these are the two most-missed scope items in failed ADHICS audits. Connected medical devices and IoMT equipment process and transmit PHI, so they fall squarely within ADHICS asset and third-party control domains. Third-party integrations - lab interfaces, pharmacy systems, insurance claim gateways, and telehealth platforms - extend your attack surface beyond your own perimeter. Auditors expect both to appear in your approved scope document with evidence they were actually tested, not silently excluded because they belong to a vendor.

What evidence does a DoH auditor need from a penetration test?

A DoH-ready package contains five artifacts: an approved scope and rules-of-engagement document, a methodology statement referencing recognised standards (OWASP, PTES, NIST), risk-rated findings with business impact and CVSS scores, remediation evidence showing fixes were applied, and a re-test confirmation letter verifying closure. Auditors also want findings mapped to ADHICS control domains so they can trace each result to the standard. A scan exported to PDF without scope sign-off or re-test evidence will not satisfy an ADHICS audit.
