...

Q: Does your organization provide HIPAA/GDPR/Security training for each new employee as well as periodically for all other members of your workforce?

...

A: See section 6 of the network diagram.

Q: Does Noah ES require a desktop client application?

A: Yes, see part 2 in the above network diagram. The supported Noah ES client versions and supported operating systems can be found here.

Q: Who is responsible for keeping the Noah ES client software versions up to date?

A: The customer is.

Q: What network URLs need to be whitelisted for Noah ES to function?

A: See Internet Connection, Firewall and Browser Requirements

Identity and Access Management

...

Q: Does Noah ES support integration with Microsoft Entra ID and other OpenID Connect-based identity systems?

A: Yes, see Using Microsoft Entra ID (Azure Active Directory) for Single Sign-on (SSO) and Configure NoahES for OpenID Connect single sign-on

Monitoring

Noah ES provides an extensive log called the Activity Log. The Activity Log is available via the Noah ES Portal and can be exported as a CSV file. This log records items such as:

  • User activity (login, logout, failed login, adding and editing users, MFA enabled or disabled)

  • User assignment to different permission levels

  • Changes to the definitions of permission levels

  • Exporting and importing data

  • Patient record activity (adding, viewing, deleting)

The activity log entries are kept for one year and then deleted.

Q: Does HIMSA take responsibility for reviewing the activity log for suspicious activity for a Noah ES customer?

A: No
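Since the review falls to the customer, the following added example (not HIMSA code and not part of the original page) shows one way to triage an exported Activity Log CSV for failed-login bursts and for events that always deserve a look. The column names, event labels, threshold and window are assumptions, as is the constructed sample data; match them to the header and wording of your actual export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed column names and event labels: replace with those in your export.
COL_TIME, COL_USER, COL_EVENT = "Timestamp", "User", "Event"
FAILED_LOGIN = "Failed login"
ALWAYS_REVIEW = {"MFA disabled", "Permission level changed", "Patient export"}
FAIL_THRESHOLD = 5                    # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within this sliding window

def review_activity_log(csv_text):
    """Return (timestamp, user, reason) findings in chronological order."""
    rows = [(datetime.fromisoformat(r[COL_TIME]),
             r[COL_USER].strip().lower(), r[COL_EVENT].strip())
            for r in csv.DictReader(io.StringIO(csv_text))]
    findings, failures = [], defaultdict(list)
    for when, user, event in sorted(rows):   # export order does not matter
        if event in ALWAYS_REVIEW:
            findings.append((when, user, event))
        elif event == FAILED_LOGIN:
            # Keep only this user's failures that are still inside the window.
            recent = [t for t in failures[user] if when - t <= FAIL_WINDOW] + [when]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append((when, user, "Failed login burst"))
                recent = []              # start counting again after reporting
            failures[user] = recent
    return findings

# Constructed sample export (not real Noah ES output).
SAMPLE_CSV = """Timestamp,User,Event
2024-03-01T08:00:00,alice@example.test,Login
2024-03-01T09:00:00,bob@example.test,Failed login
2024-03-01T09:01:00,bob@example.test,Failed login
2024-03-01T09:02:00,bob@example.test,Failed login
2024-03-01T09:03:00,bob@example.test,Failed login
2024-03-01T09:04:00,bob@example.test,Failed login
2024-03-01T10:00:00,carol@example.test,Failed login
2024-03-01T10:30:00,carol@example.test,Failed login
2024-03-01T11:00:00,alice@example.test,MFA disabled
2024-03-01T11:05:00,alice@example.test,Patient export
"""

if __name__ == "__main__":
    for when, user, reason in review_activity_log(SAMPLE_CSV):
        print(when.isoformat(), user, reason)
```

Because entries are deleted after one year, run a review like this on a schedule and archive the exports if you need a longer history.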

Notifications for the following important events are emailed to all Noah ES Administrators:

  • First time Noah ES Account Access

  • User login from a new device

  • Exporting patients out of Noah ES

  • User permissions elevated

  • User group permissions changed

  • The first time the Noah ES API app is enabled

  • Noah ES API App access levels edited

Vulnerability Management

Q: Has a third party conducted a penetration test on your product or service within the last year?

A: Yes

Q: Does HIMSA use a documented or formal change/release management process?

A: Before any change is made, HIMSA ensures that the problem is properly understood and described in clear, easy-to-understand text. The development team investigates possible solutions. Product and Project Management and the Development team conduct a security risk analysis on the proposed solution.

Once the security review is complete, QA implements and tests the solution in a non-production environment. Once it is proven to address the issue, the solution is published in the production environment.