Security Q and A for Noah ES

Noah ES Network Diagram

Please see the descriptions of the numbered points.


Business Topics

Q: Does your organization provide HIPAA/GDPR/Security training for each new employee as well as periodically for all other members of your workforce?

A: Yes

Q: Does your organization require non-disclosure agreements (NDAs) or confidentiality agreements with your third-party vendors if confidential, sensitive, or Personally Identifiable Information (PII) will be disclosed?

A: Yes

Q: Does your organization require all employees to sign a confidentiality (non-disclosure) agreement as a condition of employment?

A: Yes

Q: How frequently does your organization assess the risk of your subcontractors?

A: At least annually

Q: Does your product use online tracking technologies to collect information about users who interact with your application (e.g. Google Analytics, Meta Pixel, Hotjar, Mixpanel)?

A: No

Q: Do you incorporate security (i.e. controls, processes, training) as part of your Software Development Lifecycle?

A: Yes

Q: Does Noah ES have an Artificial Intelligence (AI) component?

A: No

Technical

Q: Where is Noah ES data processed and stored?

A: See section 6 of the network diagram.

Q: Does Noah ES require a desktop client application?

A: Yes, see part 2 in the above network diagram. The supported Noah ES client versions and supported operating systems can be found here.

Q: Who is responsible for keeping the Noah ES client software versions up to date?

A: The customer is.

Q: What network URLs need to be whitelisted for Noah ES to function?

A: See Internet Connection, Firewall and Browser Requirements

Identity and Access Management

Q: Who is responsible for provisioning customer user accounts?

A: The customer is. Please see The Noah ES Portal.

Also, see Managing User Levels and Permissions

Q: Does Noah ES support integration with Microsoft Entra ID and other OpenID Connect-based identity systems?

A: Yes, see Using Microsoft Entra ID (Azure Active Directory) for Single Sign-on (SSO) and Configure NoahES for OpenID Connect single sign-on.

Monitoring

Noah ES provides an extensive log called the Activity Log. The Activity Log is available via the Noah ES Portal and can be exported in CSV format. This log records items such as:

  • User activity (login, logout, failed login, adding and editing users, MFA enabled or disabled)

  • User assignment to different permission levels

  • Changes to the definitions of permission levels

  • Exporting and importing data

  • Patient record activity (adding, viewing, deleting)

The activity log entries are kept for one year and then deleted.

Q: Does HIMSA take responsibility for reviewing the Activity Log for suspicious activity on behalf of a Noah ES customer?

A: No

Notifications for the following important events are emailed to all Noah ES administrators:

  • First time Noah ES Account Access

  • User login from a new device

  • Exporting patients out of Noah ES

  • User permissions elevated

  • User group permissions changed

  • The first time Noah ES API app is enabled

  • Noah ES API App access levels edited
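Because HIMSA does not review the Activity Log for customers, a practitioner will want to run their own checks over the CSV export. The following is an added example (not HIMSA or Noah ES code) that flags failed-login bursts and the always-review events named above; the column names and event strings in the constructed sample are assumptions, since this page does not document the export layout.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an Activity Log CSV export. The columns
# (timestamp, user, event, detail) and event names are assumptions
# for this example, not the documented Noah ES export format.
SAMPLE_CSV = """timestamp,user,event,detail
2024-03-01T08:00:12,alice,Login,
2024-03-01T08:01:40,bob,Failed login,
2024-03-01T08:01:55,bob,Failed login,
2024-03-01T08:02:10,bob,Failed login,
2024-03-01T08:02:30,bob,Failed login,
2024-03-01T08:02:45,bob,Failed login,
2024-03-01T09:15:00,alice,MFA disabled,user=carol
2024-03-01T09:20:00,alice,Permission level assigned,user=carol;level=Administrator
2024-03-01T10:05:00,carol,Export patients,count=250
2024-03-01T10:06:00,carol,Patient viewed,patient=P-1001
"""

FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
# Events that should always be reviewed, matching the log items and
# administrator notifications described on this page.
ALWAYS_REVIEW = {"MFA disabled", "Permission level assigned", "Export patients"}


def parse_activity_log(text):
    """Parse a CSV export into rows with a datetime timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def find_findings(rows):
    """Return (finding, user, detail) tuples worth a reviewer's attention."""
    findings = []
    failures = defaultdict(deque)  # per-user sliding window of failed logins
    for row in sorted(rows, key=lambda r: r["timestamp"]):
        if row["event"] in ALWAYS_REVIEW:
            findings.append((row["event"], row["user"], row["detail"]))
        if row["event"] == "Failed login":
            window = failures[row["user"]]
            window.append(row["timestamp"])
            while window and row["timestamp"] - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()  # discard attempts older than the window
            if len(window) == FAILED_LOGIN_THRESHOLD:  # alert once per burst
                findings.append(("Failed login burst", row["user"],
                                 f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"))
    return findings
```

Since Activity Log entries are deleted after one year, exports reviewed this way should also be archived if a longer audit trail is required.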

Vulnerability Management

Q: Has a third party conducted a penetration test on your product or service within the last year?

A: Yes

Q: Does HIMSA use a documented or formal change/release management process?

A: Before any change is made, HIMSA ensures that the problem is properly understood through a clear, easy-to-understand written description. The development team investigates possible solutions. Product and Project Management and the development team conduct a security risk analysis on the proposed solution.

Once the security review is complete, QA implements and tests the solution in a non-production environment. Once it is proven to address the issue, the solution is published in the production environment.