Content Comparison

Noah ES Network Diagram

Please see the descriptions of the numbered points.

Business Topics

Q: Does HIMSA provide an SLA (Service Level Agreement) with Noah ES?

A: The Noah ES Terms of Service does not guarantee a specific benchmark but rather states that HIMSA intends that Noah ES will have an availability of at least 99 % of the time. See Noah ES Service Status for a list of historical issues.

Q: Does HIMSA provide specific terms regarding recovery time during unexpected larger issues?

A: HIMSA does not, but please see section 6 above. The system is currently designed to be fully operational in 2 hours or less.

Q: Does your organization provide HIPAA/GDPR/Security training for each new employee as well as periodically for all other members of your workforce?

A: Yes

Q: Does your organization require non-disclosure agreements (NDAs) or confidentiality agreements with your third-party vendors if confidential, sensitive, or Personally Identifiable Information (PII) will be disclosed?

A: Yes

Q: Does your organization require all employees to sign a confidentiality (non-disclosure) agreement as a condition of employment?

A: Yes

Q: How frequently does your organization assess the risk of your subcontractors?

A: At least annually

Q: Does your product use Online Tracking technologies to collect information about users that interact with your application? (e.g. Google Analytics, Meta Pixel, Hotjar, Mixpanel, etc.)?

A: No

Q: Do you incorporate security (i.e. controls, processes, training) as part of your Software Development Lifecycle?

A: Yes

Q: Does Noah ES have an Artificial Intelligence (AI) component?

A: No

Technical

Q: Where is Noah ES data processed and stored

A: see section 6 of the network diagram

Q: Does Noah ES require a desktop client application

A: Yes, see part 2 in the above network diagram. The Noah ES client-supported versions and support operating systems can be found here

Q: Who is responsible for keeping the Noah ES client software versions up to date?

A: The customer is.

Q: What network URLs need to be whitelisted for Noah ES to function?

A: See Internet Connection, Firewall and Browser Requirements

Identity and Access Management

Q: Who is responsible for provisioning customer user accounts?

A: The customer is. Please see The Noah ES Portal

Also, see Managing User Levels and Permissions

Q: Does Noah ES support integration with MS Entra ID and other Open ID Connected-based identity systems?

A: Yes, see Using Microsoft Entra ID (Azure Active Directory) for Single Sign-on (SSO) and Configure NoahES for OpenID Connect single sign-on

Monitoring

Noah ES Provides an extensive log called the Activity Log. The Activity Log is available via the Noah ES Portal and can be exported via a CSV file format. This log records items such as:

• User activity (Login, Logout, Failed login, adding and editing users, MFA enabled, disabled)

• user assignment to different permission levels

• changes to the definitions of permissions levels

• Exporting and importing data

• Patient record activity, adding, viewing, deleting

The activity log entries are kept for one year and then deleted.

Q: Does HIMSA take the responsibility to review the activity log for suspicious activity for a Noah ES customer

A: No

Notifications for important events emailed to all Noah ES Administrators:

• First time Noah ES Account Access

• User login from a new device

• Exporting patients out of Noah ES

• User permissions elevated

• User group permissions changed

• The first time Noah ES API app is enabled

• Noah ES API App access levels edited

Vulnerability Management

Q: Has a third party conducted a penetration test on your product or service within the last year?

A: Yes

Q: Does HIMSA use a documented or formal change/release management process?

A: Before any change is made, HIMSA ensures that the problem is properly understood by clear and easy-to-understand text. The development team investigates possible solutions. Product and Project Management and the Develop team conduct a security risk analysis on the proposed solution.

Once the security review is complete, QA implements and tests the solution in a non-production environment. Once it is proven to address the issue, the solution is published in the production environment.