Data integrity and transmission security
End-User Data processed in connection with Health app data Share with Provider is encrypted end-to-end, from the point the data is transmitted from an End User’s device to the point a Provider views the data in the Web Application. End-User Data at rest remains encrypted in the Health Sharing Cloud using strong cryptographic keys, algorithms, and key sizes. Data in transit is additionally protected by TLS.
Data encryption
As part of Apple’s commitment to protecting sensitive information, End-User Data that’s transmitted, stored, or otherwise processed in connection with Health app data Share with Provider is encrypted and authenticated. A new Encryption Key is generated each time new data is uploaded. All End-User Data transmitted or stored in the Health Sharing Cloud is encrypted in a way that makes Apple unable to access the keys to decrypt End-User Data—making the End-User Data neither accessible nor modifiable by Apple.
End-User Data is encrypted in the following ways:
Data in transit:
End-User Data is encrypted and signed before being transmitted to the Health Sharing Cloud.
Encrypted and signed End-User Data is transmitted using a minimum of TLS 1.2.
Data at rest:
End-User Data at rest is stored using AES-GCM authenticated encryption with a 256-bit key.
The End User’s iPhone or iPad encrypts the End User’s data by generating a unique Encryption Key specifically for the relevant Customer. The encryption algorithm is AES-GCM. When the End User authenticates by signing in to their patient portal for the Customer, the Encryption Key is sent to the End User’s patient portal account.
Data retention and management
Whether Apple stores End-User Data depends only on the End User’s upload activity. End Users can choose to continuously share their Health app data or to stop sharing their data. If an End User doesn’t sync their End-User Data after an extended period of time, it will be purged from the Health Sharing Cloud.
If a Customer needs to provide Apple with End-User Data that’s considered PHI so that Apple can troubleshoot bugs or give the Customer technical support, Apple will make sure the PHI is encrypted and deidentified and that access is restricted to the appropriate personnel, in accordance with the principle of least privilege.