When you think of online security, your first thought is probably about protecting your money or identity. That makes sense, since losing control of either can be disastrous. With smartwatches, smart scales, and other fitness trackers becoming increasingly common, it’s important to be aware of what’s happening with your health data, too. You wouldn’t want an employer, insurer, hacker, or someone else spying on your info and turning chronic conditions against you.
Many iPhone and Apple Watch apps sync with Apple’s Health app (and each other) via HealthKit’s framework. This makes it easier to centralize all your health content, but how secure is this system? Is there anything you need to be worried about?
Related
4 Apple Health app features you don’t need a smartwatch for
An Apple Watch isn’t the only way Apple users can track and develop healthy habits. This built-in iPhone app is effective and easy to use.
How Apple Health’s data security works
Zero vulnerabilities, on paper
Apple / Pocket-lint
In a 2023 white paper (PDF), Apple notes that much of Health’s data is calculated on-device, such as trends, your resting heart rate, and menstruation cycle predictions. The idea is that if data doesn’t have to be processed online, it’s inherently less exposed.
All on-device info is encrypted and accessible only after unlocking it with your passcode, Face ID, or Touch ID. You can change settings to disable some sensor or data generation types, such as period predictions.
Health data is encrypted end-to-end when going through Apple servers.
Data occasionally needs to be passed through Apple servers, whether for iCloud backup or sync with other devices. In those cases, the company says that as long as you use two-factor Apple Account authentication, a device passcode, and iOS 12 or later, Health data is encrypted end-to-end. Two-factor authentication (2FA) is already required for many Apple online services, including sharing Health data. The company claims that with end-to-end encryption, even its teams can’t access your info. You can also disable iCloud sync, limiting your Health data to a single device.
What about shared data?
Sharing is the primary purpose of HealthKit, whether you’re sharing data with family, healthcare providers, or third-party apps. In all situations, Apple lets you choose the data to be shared and revoke access if need be. You can, for example, decide that a third-party workout app shouldn’t have access to your step count or calorie burn data.
This approach extends to the Health Records feature, which lets you gather data from supporting providers. While the Health app pulls directly from provider APIs (application programming interfaces), bypassing Apple servers, data is still said to be fully encrypted. If you remove a provider from Health, local records will be deleted, including those from anywhere you’re syncing via iCloud.
Related
Somehow, iCloud+ is the subscription I rely on the most
iCloud+ offers several robust features that provide so much value to me that I cannot fathom cancelling it.
Is my Apple Health data safe?
No major issues so far
Both Health and HealthKit appear to be extremely secure overall. I’m aware of no reports of Health data being hacked, which makes sense given Apple’s end-to-end encryption practices. It would also be difficult, if not impossible, for governments to decrypt that data, even if they have a search warrant for your devices or Apple servers.
If there’s a threat, it lies with intentional hooks to the outside world. You can, for instance, create a Medical ID that’s publicly accessible on your iPhone’s lockscreen, and during emergency calls — you shouldn’t share anything there that you wouldn’t be comfortable with a paramedic or 911 operator knowing. If you share Health data with a romantic partner, you’ll need to manually revoke access if you ever break up.
If there’s a threat, it lies with intentional hooks to the outside world.
Simially, if you share with providers and third-party apps, at least some of your health data will be in someone else’s hands at some point. Those parties tend to have their own security measures in force — such as encryption systems and healthcare laws — but there’s still a chance that some of your data could be leaked.
Related
Emergency SOS via satellite: Everything you need to know about Apple’s iPhone safety feature
This is everything you need to know about Apple’s Emergency SOS via Satellite feature, available on all four iPhone 14 models.
How can I protect my Apple Health data?
Being mindful goes a long way
Be sure you trust any apps and providers you connect. HealthKit’s engineering and security demands make it highly unlikely you’ll encounter malicious software, but you’ll (probably) be safer with a brand like Garmin, Polar, or Strava than a small company you’ve never heard of. Of course, you should always support small brands, but make sure they have a positive reputation first.
Remember that your Apple Account and device passcodes can be vulnerabilities,
Remember that your Apple Account and device passcodes can become vulnerable, too. It’s unlikely someone will hijack your account if it has 2FA enabled, yet you could be tricked into allowing it, giving an attacker a chance to sync Health data if they can sign in to an Apple device.
As for your passcode, that’s only relevant with physical access to one of your devices, but some attackers are versed in guessing or brute-forcing simple codes. Use a six-digit code that isn’t your birthday, “123456,” or an obvious dial-pad pattern.
