Security Questionnaire Support

The information below is provided to assist locations investigating the Noah System application and looking for product specifications and security details to meet the documentation requirements of enterprise locations.

Application, technology, and security questionnaires are to be filled out by the requesting location using the resources provided by HIMSA.

Q. I have vendor Application, Security, and Technology questionnaires that need to be completed for my location; do I submit these to HIMSA?

A. HIMSA has provided the resources to answer questions on Noah infrastructure, functionality, and security features. Please use the material on the HIMSA website to complete your assessments, questionnaires and forms.

If you have questions that were not answered on the HIMSA website, and your forms are filled out as completely as possible, with details specific to your Noah installation, please reach out to your Noah technical support contact at a HIMSA Member Company. As with all Noah technical support, HIMSA Member companies are the first contact. If there are advanced questions or information required, the member company will contact HIMSA.

Q. I have a Business Associate agreement that needs to be completed by HIMSA; where do we send it?

A. Business Associate agreements might be requested by an enterprise location if they anticipate patient data is going to be exchanged or viewed by the vendor or by HIMSA.

HIMSA does not process Business Associate agreements for Noah System, as Noah is installed as an on-premise application that is fully under the control of the hearing care business. HIMSA does not have access to patient data, nor does it require remote access to the computers on which Noah is installed.

 

Security Questionnaire for Noah System 4

General Information

What technology is Noah based on? Noah is developed using .NET 4.6
Does the Noah application save and store Protected Health Information (PHI)?   Yes
Is the application FDA regulated? Yes, as a Medical Device Data System, reg. number 880.6310
Does the application make available documentation that explains error or messages to users and system administrators and information on what action is required? Yes
Does the application’s client software operate without requiring the user to have local administrator level rights to run the application? Yes
 link to server operating system and hardware resource requirements

Unique User Identification

Does the system provide an opportunity for unique login name for all users and administrators? Yes
Are account roles identified and documented?  Yes

User Authentication/Authorization

Can this system use Active Directory for user authentication and to determine user rights? Yes with Noah 4.9 and later

Password Standards

Does the system support and enforce password changes? Yes 
Does the system offer complex passwords with the following minimum attributes? Yes

A. Minimum of 8 characters

B. Inclusion of at least three of the following elements:

  • An alpha character
  • A numeric character
  • A capitalized letter or punctuation or non-alphanumeric character (e.g., !@#*+)

Inactive Sessions

Does the system provide a feature for session timeout that will terminate the session screen after a set number of minutes of inactivity?  No

Encryption

Will information at rest on computing devices be encrypted? Yes, with Noah 4.9 and later there is the option to encrypt the database
Does the application encrypt data in transit?  Yes, in Noah System 4.4 and higher data is encrypted as it is passed between the Noah server and Noah client services. 
What is the encryption standard for Noah 4.9 and older?

Noah’s encryption is based on AES (Advanced Encryption Standard) and uses the Rijndael algorithm. The key for symmetric encryption is exchanged via 1024-bit RSA.

What is the encryption standard for Noah 4.10 and newer?

By default, the communication between Noah Client and Noah Server is encrypted with the TLS (Transport Layer Security) protocol. Noah supports versions 1.0, 1.1 and 1.2.

The strength of the encryption used within the TLS session is determined by the encryption cipher negotiated between the Windows operating system hosting the Noah System 4 Server and the Windows operating system hosting each Noah System 4 Client installation. HIMSA does not provide technical assistance on the configuration of cipher suites and priority order, but information can be found here.
Are the application’s user passwords hashed in the database table and not viewable even to the system administrators? Yes
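
Because the TLS version and cipher suite for Noah 4.10 and newer are negotiated by Windows on both ends, they can be checked on each host. The PowerShell below is an added example, not code from HIMSA or from this page; it reads the standard Schannel protocol registry keys and the operating system's cipher suite order, and the weak-suite name pattern in it is an assumption chosen for illustration.

```powershell
# Added example (not from HIMSA): report the Schannel TLS settings of the Windows
# host this is run on. Run it on the Noah server and on a Noah client machine.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

$protocolReport = foreach ($protocol in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Server', 'Client') {
        $key   = Join-Path $base "$protocol\$role"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        # A missing key or value means Windows applies its built-in default
        # for that OS version, so report that instead of guessing.
        $state = if ($null -eq $props -or $null -eq $props.Enabled) {
            'OS default'
        } elseif ($props.Enabled -eq 0) {
            'Disabled'
        } else {
            'Enabled'
        }

        [pscustomobject]@{
            Protocol = $protocol
            Role     = $role
            State    = $state
        }
    }
}
$protocolReport | Format-Table -AutoSize

# Cipher suites in the priority order Windows offers them
# (TLS module, Windows 10 / Windows Server 2016 and later).
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    # Assumption: illustrative name pattern for suites worth a second look.
    $weak = 'RC4|3DES|_DES_|NULL|MD5|EXPORT'
    $position = 0
    Get-TlsCipherSuite | ForEach-Object {
        $position++
        [pscustomobject]@{
            Priority = $position
            Name     = $_.Name
            Review   = $_.Name -match $weak
        }
    } | Format-Table -AutoSize
} else {
    Write-Warning 'Get-TlsCipherSuite is not available on this Windows version.'
}
```

The negotiated session can only be as strong as the settings both hosts share, so compare the output from the server with the output from each client build in use.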

User Access Audit Logs 

Will the application create a secure audit record each time a user accesses, creates, edits, or deletes PHI via the system? Yes

Does the audit log contain at least

a) A unique user Identifier,

b) a patient identifier,

c) the function performed,

d) time and date the function was performed? 

Yes

Are the audit logs exportable? Yes

Are the audit logs archivable? Yes, with Noah 4.9 and higher

Networking and Virtualization

Does the technology support TCP/IP connections?  Yes

What are the required ports for Noah 4.9 or earlier? 8200

What are the required ports for Noah 4.10 and later? 8200, 8206

Is Noah System a hosted, “cloud computing,” or software-as-a-service (SaaS) application?  No
Does the application require any external connectivity inbound or outbound? No
Will the technology require a wireless network connection? No 
Can the technology run across a routed interface? Yes
Is the technology Citrix enabled? No
Is the Noah Server application supported in a virtual environment, for example VMWare? Yes

Database Information

What is the default database solution? Microsoft Compact Edition (CE)
Can the Noah application be configured with Microsoft SQL Server? Yes
Can the database be installed on a separate database server? Yes
Can the database run in a high availability (HA) clustered environment? Yes
link to supported SQL Servers

Backup and recovery

Does the Noah application have any tools for database backup and recovery? Yes
What is the backup responsibility if using Microsoft SQL Server? The location supports SQL Server

Antivirus 

Is the application compatible with commercial off-the-shelf virus scanning software products for the removal and prevention of malicious code? Yes

Deployment

Does the application currently have a deployment package available for client installations?  Yes