Security management and governance
Apple is responsible for ensuring the confidentiality, integrity, security, and availability of the End-User Data that it transmits and stores in its systems in connection with offering Health app data Share with Provider. The specific methods that Apple uses to achieve these objectives include—but aren’t limited to—the development and distribution of information security and HIPAA-related policies, procedures, and trainings; reporting on security assessments; logging and monitoring security events and alerts; and identifying and responding to potential incidents.
People, policies, and training
Apple is committed to providing appropriate HIPAA Security and Privacy training to support Health app data Share with Provider. For protecting End-User Data, Apple maintains a set of policies and standards to serve as the body of requirements, as well as guidelines for implementing highly secure and highly available systems. Apple’s HIPAA-covered workforce is made up of a limited set of Apple personnel, all of whom are required to complete HIPAA training annually. Additional security awareness and role-based trainings are available to individuals who have responsibilities that impact the security of products, services, systems, and compliance efforts.
Risk management
Privacy risk assessments and security risk and threat analyses are periodically conducted on the people, process, and technology supporting Health app data Share with Provider. The design and effectiveness of the security controls in place to address risks are also assessed. All assessments are conducted at least annually, and they’re conducted more frequently if Health app data Share with Provider has significant changes.
Identified security risks, threats, and vulnerabilities—in association with their remediation activities—are formally documented and managed in a Risk Treatment Plan (RTP). RTPs are in place to reduce residual risk to an acceptable level by improving controls and processes and mitigating technology risks. Each RTP item is assigned a level of effort and a priority so that remediation timelines can be managed.
Security assessments and vulnerability management
To maintain the security of the systems that support Health app data Share with Provider, security assessments are performed to review and test new features, services, and significant changes before code is released. These assessments are conducted to address the likelihood and impact of new risks introduced to the production environment when changes are made. Additionally, scans are periodically performed against the Health Sharing Cloud and Web Application to identify new vulnerabilities or risks that require remediation.