UCF STIG Viewer Logo

Apple iOS must not store Personally Identifiable Information (PII) in Medical ID in the Health app.


Finding ID Version Rule ID IA Controls Severity
V-54311 AIOS-05-080103 SV-68557r1_rule Medium
Citing Government Accountability Office GAO Report 08-536's expression of the definitions of PII from Office of Management and Budget Memorandums 07-16 and 06-19, NIST Special Publication 800-122 states, "PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." The Medical ID in the Health app contains fields for the user's name, date of birth, and medical information, including medical conditions and allergies. It also enables a user to include an personally identifying photograph and list the user's weight, both of which are listed as potential PII in NIST SP 80-122. Avoiding use of the Medical ID mitigates the risk of improper PII disclosure. SFR ID: FMT_SMF.1.1 #42
Apple iOS 8 Interim Security Configuration Guide 2014-09-16


Check Text ( C-54947r2_chk )
Review configuration settings to confirm the Medical ID in the Health app does not contain PII.

This check procedure is performed on the iOS device only.

On the iOS device:
1. Open the Health app.
2. Tap "Medical ID".
3. Verify that no information has been entered into any of listed fields.
4. Verify that there is not a photo of the user.

If the user's photo or any data appears in Medical ID, this is a finding.
Fix Text (F-59165r1_fix)
The user must remove PII from Medical ID in the Health App.