The information below is provided to assist locations investigating the Noah System application and looking for product specifications and security details to meet the documentation requirements of enterprise locations.
Application, technology, and security questionnaires are to be filled out by the requesting location using the resources provided by HIMSA.
Q. I have vendor Application, Security, and Technology questionnaires that need to be completed for my location; do I submit these to HIMSA?
A. HIMSA has provided the resources to answer questions on Noah infrastructure, functionality, and security features. Please use the material on the HIMSA website to complete your assessments, questionnaires and forms.
If you have questions that were not answered on the HIMSA website, and your forms are filled out as completely as possible with details specific to your Noah installation, please reach out to your Noah technical support contact at a HIMSA Member Company. As with all Noah technical support, HIMSA Member Companies are the first contact. If advanced questions arise or further information is required, the Member Company will contact HIMSA.
Q. I have a Business Associate agreement that needs to be completed by HIMSA; where do we send it?
A. Business Associate agreements might be requested by an enterprise location if they anticipate patient data is going to be exchanged or viewed by the vendor or by HIMSA.
HIMSA does not process Business Associate agreements for Noah System, because Noah is installed as an on-premises application that is fully under the control of the hearing care business. HIMSA does not have access to patient data and does not require remote access to the computers that Noah is installed on.
|What technology is Noah based on||Noah is developed using .NET 4.6|
|Does the Noah application save and store Protected Health Information (PHI)?||Yes|
|Is the application FDA regulated?||Yes, as a Medical Device Data System, reg. number 880.6310|
|Does the application make available documentation that explains errors or messages to users and system administrators and gives information on what action is required?||Yes|
|Does the application’s client software operate without requiring the user to have local administrator level rights to run the application?||Yes|
|link to server operating system and hardware resource requirements|
|Unique User Identification|
|Does the system provide an opportunity for unique login name for all users and administrators?||Yes|
|Are account roles identified and documented?||Yes|
|Can this system use Active Directory for user authentication and to determine user rights?||Yes, with Noah 4.9 and later|
|Does the system support and enforce password changes?||Yes|
|Does the system offer complex passwords with the following minimum attributes?|
A. Minimum of 8 characters
B. Inclusion of at least three of the following elements:
An alpha character
A numeric character
A capitalized letter or punctuation or non-alphanumeric character (e.g., !@#*+)
|Does the system provide a feature for session timeout that will terminate the session screen after a set number of minutes of inactivity?||No|
|Will information at rest on computing devices be encrypted?||Yes, with Noah 4.9 and later there is the option to encrypt the database|
|Does the application encrypt data in transit?||Yes, in Noah System 4.4 and higher, data is encrypted as it is passed between the Noah server and Noah client services.|
|What is the encryption standard for Noah 4.9 and older?||Noah’s encryption is based on the AES or Advanced Encryption Standard and uses the Rijndael algorithm. The key for symmetric encryption is exchanged via 1024-bit RSA.|
|What is the encryption standard for Noah 4.10 and newer?||By default, the communication between Noah Client and Noah Server is encrypted with the TLS (Transport Layer Security) protocol. Noah supports versions 1.0, 1.1 and 1.2.|
The strength of the encryption used within the TLS session is determined by the encryption cipher negotiated between the Windows operating system hosting the Noah System 4 Server and the Windows operating system hosting each Noah System 4 Client installation. HIMSA does not provide technical assistance on the configuration of cipher suites and priority order, but information can be found here.
|Are the application’s user passwords hashed in the database table and not viewable even to the system administrators?||Yes|
|User Access Audit Logs|
|Will application create a secure audit record each time a user accesses, creates, edits, or deletes (PHI) via the system?||Yes|
|Does the audit log contain at least|
a) A unique user Identifier,
b) a patient identifier,
c) the function performed,
d) time and date the function was performed?
|Are the audit logs exportable?||Yes|
|Are the audit logs archivable?||Yes, with Noah 4.9 and higher|
|Networking and Virtualization|
|Does the technology support TCP/IP connections?||Yes|
|What are the required ports for Noah 4.9 or earlier?||8200|
|What are the required ports for Noah 4.10 and later?||8200, 8206|
|Is Noah System a hosted, “cloud computing,” or software-as-a-service (SaaS) application?||No|
|Does the application require any external connectivity inbound or outbound?||No|
|Will the technology require a wireless network connection?||No|
|Can the technology run across a routed interface?||Yes|
|Is the technology Citrix enabled?||No|
|Is the Noah Server application supported in a virtual environment, for example VMWare?||Yes|
|What is the default database solution?||Microsoft Compact Edition (CE)|
|Can the Noah application be configured with Microsoft SQL Server?||Yes|
|Can the database be installed on a separate database server?||Yes|
|Can the database run in a high availability (HA) clustered environment?||Yes|
|link to supported SQL Servers|
|Backup and recovery|
|Does the Noah application have any tools for database backup and recovery?||Yes|
|What is the backup responsibility if using Microsoft SQL Server?||The location supports SQL Server|
|Is the application compatible with commercial off-the-shelf virus scanning software products for the removal and prevention of malicious code?||Yes|
|Does the application currently have a deployment package available for client installations?||Yes|
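
For the TLS rows above (Noah 4.10 and newer): because the negotiated protocol and cipher come from Windows on each host, one way to review them is to read the Schannel settings on the Noah server machine and on each client machine. The PowerShell below is an added example, not HIMSA's code or part of the original page. It assumes the standard Windows Schannel registry location and the `Get-TlsCipherSuite` cmdlet (Windows 10 / Windows Server 2016 and later), and it only reads settings.

```powershell
# Added example (not from HIMSA): report which TLS protocol versions Schannel
# allows on this Windows host and list the cipher suite priority order.
# Run on the Noah server host and on each Noah client host. Read-only.

$base     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$versions = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'   # versions the page lists for Noah 4.10+
$legacy   = 'TLS 1.0', 'TLS 1.1'              # deprecated by RFC 8996

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)] [string] $Version,
        [Parameter(Mandatory)] [ValidateSet('Server', 'Client')] [string] $Role
    )
    $key = Join-Path (Join-Path $base $Version) $Role
    # A missing key or missing values means the operating system default applies.
    $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    $byDefault = (Get-ItemProperty -Path $key -Name 'DisabledByDefault' -ErrorAction SilentlyContinue).DisabledByDefault

    $state = 'OS default'
    if ($null -ne $enabled -and $enabled -eq 0) {
        $state = 'Disabled'
    }
    elseif ($null -ne $byDefault -and $byDefault -ne 0) {
        $state = 'Disabled by default'   # used only if an application asks for it
    }
    elseif ($null -ne $enabled) {
        $state = 'Enabled'
    }

    [pscustomobject]@{
        Protocol = $Version
        Role     = $Role
        State    = $state
        # Flag legacy versions that are not explicitly switched off.
        Review   = ($Version -in $legacy) -and ($state -ne 'Disabled')
    }
}

$report = foreach ($v in $versions) {
    foreach ($r in 'Server', 'Client') { Get-SchannelProtocolState -Version $v -Role $r }
}
$report | Format-Table -AutoSize

# Cipher suites in the priority order Schannel offers them.
if (Get-Command -Name Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-TlsCipherSuite | Select-Object -ExpandProperty Name
}
```

Rows marked `Review` are TLS 1.0 or 1.1 entries that the host has not explicitly disabled; "OS default" depends on the Windows version installed.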