HIMSA has identified a potential security issue for Noah System 4.14 when it is integrated with WSI API-enabled business systems. Noah System 4.14.1 service release addresses the issue.
Q: If a hearing care business does not use a business system using the WSI API, do they need to upgrade? Or, if any business is using an older version of Noah 4 (e.g. 4.13 or 4.12) do they need to upgrade?
A: No. This service release only applies to Noah 4.14 installations that are integrated with WSI business systems.
Q: If a hearing care business that does not use WSI has installed Noah System 4.14, and now needs to add additional computers in a networked installation, do they need to install Noah System 4.14.1 on the server first?
A: No. It is fine to have Noah 4.14 and 4.14.1 in the same network installation. For example, it is o.k. to have 4.14 on the server, 4.14.1 on one client, and 4.14 on another client workstation.
Q: What are the criteria of an impacted installation?
A: The security issue has the chance to occur in the following conditions:
- The Noah System installation is currently on version 4.14.
- A WSI API-enabled business system is integrated with the Noah installation
- The business system provides a feature to start Noah System and automatically select the patient record via the business system.
Q: Why is this a potential security issue?
A: If the three above conditions are met, it is possible, in certain timing events, that a user may not be asked to authenticate access to Noah System 4. After the user closes Noah, it is possible for another user to start Noah, within 2 minutes, without providing a user name and password. After 2 minutes have expired the issue will not occur.
The issue is not in any way connected to the business system developer but rather a problem that Noah System is responsible for. All impacted businesses are encouraged to upgrade their installation of Noah to 14.4.1, which resolves the issue.
Q: What specific business systems does this issue impact?
A: The feature to open Noah from the business system is an optional feature to support. HIMSA does not keep records of what API features each business system supports. WSI API business systems that are listed as commercially available are provided here. Please note that just because the system is listed does NOT mean that it is an impacted system.