The information below is provided to assist locations investigating the Noah System application and looking for product specifications and security details to meet the documentation requirements of enterprise locations.

Application, technology, and security questionnaires are to be filled out by the requesting location using the resources provided by HIMSA.

Q. I have vendor Application, Security, and Technology questionnaires that need to be completed for my location; do I submit these to HIMSA?

A. HIMSA has provided the resources to answer questions on Noah infrastructure, functionality, and security features. Please use the material on the HIMSA website to complete your assessments, questionnaires and forms.

If you have questions that were not answered on the HIMSA website, and your forms are filled out as completely as possible, with details specific to your Noah installation, please reach out to your Noah technical support contact at a HIMSA Member Company. As with all Noah technical support, HIMSA Member companies are the first contact. If there are advanced questions or information required, the member company will contact HIMSA.

Q. I have a Business Associate agreement that needs to be completed by HIMSA; where do we send it?

A. Business Associate agreements might be requested by an enterprise location if they anticipate patient data is going to be exchanged or viewed by the vendor or by HIMSA.

HIMSA does not process Business Associate agreements for Noah System as Noah is installed as an on-premise application that is fully in control of the hearing care business.  HIMSA does not have access to patient data nor requires remote access to the computers that Noah is installed on.

General Info
What technology is Noah based onNoah is developed using .NET 4.6
Does the Noah application save and store Protected Health Information (PHI)?  Yes
Is the application FDA regulated?Yes, as a Medical Device Data System, reg. number 880.6310
Does the application make available documentation that explains error or messages to users and system administrators and information on what action is required?Yes
Does the application’s client software operate without requiring the user to have local administrator level rights to run the application?Yes
link to server operating system and hardware resource requirements
Unique User Identification
Does the system provide an opportunity for unique login name for all users and administrators?Yes
Are account roles identified and documented?Yes
User Authentication/Authorization
Can this system use Active Directory for user authentication and to determine user rights?Yes, with Noah 4.9 and later
Password Standards
Does the system support and enforce password changes?Yes
Does the system offer complex passwords with the following minimum attributes?
A. Minimum of 8 characters
B. Inclusion of at least three of the following elements:
An alpha character
A numeric character
A capitalized letter or punctuation or non-alphanumeric character (e.g., !@#*+)
Yes
Inactive Sessions
Does the system provide a feature for session timeout that will terminate the session screen after a set number of minutes of inactivity?No
Encryption
Will information at rest on computing devices be encrypted?Yes, there is the option in the Noah Console to encrypt the database
Does the application encrypt data in transit?Yes, data is encrypted as it is passed between the Noah server and Noah client services.
What is the Noah encryption standard?By default, the communication between Noah Client and Noah Server is encrypted with TLS (Transport Layer Security) protocol. Noah supports versions 1.0,1.1 and 1.2.
The strength of the encryption used within the TLS session is determined by the encryption cipher negotiated between the Windows operating system hosting the Noah System 4 Server and the Windows operating system hosting each the Noah System 4 Client installation.  HIMSA does not provide technical assistance on the configuration of cipher suites and priority order but information can be found here.
Are the application’s user passwords hashed in the database table and not viewable even to the system administrators?Yes
User Access Audit Logs 
Will application create a secure audit record each time a user accesses, creates, edits, or deletes (PHI) via the system?Yes
Does the audit log contain at least
a) A unique user Identifier,
b) a patient identifier,
c) the function performed,
d) time and date the function was performed? 
Yes
Are the audit logs exportable? 
Yes
Are the audit logs archivable?Yes, with Noah 4.9 and higher
Networking and Virtualization
Does the technology support TCP/IP connections? Yes
What are the required ports for Noah?8200, 8206
Is Noah System a hosted, “cloud computing,” or software-as-a-service (SaaS) application? No
Does the application require any external connectivity inbound or outbound?No
Will the technology require a wireless network connection?No
Can the technology run across a routed interface?Yes
Is the technology Citrix enabled?No
Is the Noah Server application supported in a virtual environment, for example VMWare?Yes
Database Information
What is the default database solution?Noah 4.14 and earlier: Microsoft Compact Edition (CE)
Noah 4.15 and later: SQLite
Can the Noah application be configured with Microsoft SQL Server?Yes
Can the database be installed on a separate database server?Yes
Can the database run in a high availability (HA) clustered environment?Yes
link to supported SQL Servers
Backup and recovery
Does the Noah application have any tools for database backup and recovery?Yes
What is the backup responsibility if using Microsoft SQL Server?The location supports SQL Server
Antivirus 
Is the application compatible with commercial off the shelf virus scanning software products for removal and prevention from malicious code?Yes
Deployment
Does the application currently have a deployment package available for client installations?Yes