
Apple iOS must not store Personally Identifiable Information (PII) in Medical ID in the Health app.


Overview

Finding ID: V-54311
Version: AIOS-05-080103
Rule ID: SV-68557r1_rule
IA Controls:
Severity: Medium
Description
Citing Government Accountability Office (GAO) Report 08-536's expression of the definitions of PII from Office of Management and Budget Memorandums 07-16 and 06-19, NIST Special Publication 800-122 states, "PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." The Medical ID in the Health app contains fields for the user's name, date of birth, and medical information, including medical conditions and allergies. It also enables a user to include a personally identifying photograph and list the user's weight, both of which are listed as potential PII in NIST SP 800-122. Avoiding use of the Medical ID mitigates the risk of improper PII disclosure.

SFR ID: FMT_SMF.1.1 #42
STIG Date
Apple iOS 8 Interim Security Configuration Guide 2014-09-16

Details

Check Text (C-54947r2_chk)
Review configuration settings to confirm the Medical ID in the Health app does not contain PII.

This check procedure is performed on the iOS device only.

On the iOS device:
1. Open the Health app.
2. Tap "Medical ID".
3. Verify that no information has been entered into any of the listed fields.
4. Verify that there is not a photo of the user.

If the user's photo or any data appears in Medical ID, this is a finding.
Fix Text (F-59165r1_fix)
The user must remove PII from Medical ID in the Health app.