Information access management and authentication
Credentials, passwords, and multi-factor authentication
The security of Health app data Share with Provider starts with the secure creation and management of credentials and passwords. Apple employees are provisioned unique IDs for authentication into internal networks, systems, and environments, including those supporting Health app data Share with Provider. Employees must comply with Apple’s established multi-factor authentication (MFA) requirements and password complexity standards. Employees are also required to comply with policies that address proper ways to securely store passwords, which include not displaying, printing, or storing passwords in a readable format in any location that others could discover. All interactive access—such as administrative access to the in-scope environments that support Health app data Share with Provider—is limited to authorized employees through MFA. By applying the principle of least privilege and role-based access control features, Apple is able to provide highly granular permissions to different types of administrators.
Access provisioning
Apple has implemented policies, procedures, and technical measures governing access to internal systems. Access to components housing End-User Data in scope of the HIPAA Covered Services is limited to the Apple HIPAA covered workforce. Access permissions must be requested, reviewed, approved, and provisioned through Apple’s identity and access management system. As part of MFA enforcement, employees must use their unique ID credential, a secure password, and one additional authentication factor to successfully authenticate into networks and systems.