Security Q and A for Noah ES
Noah ES Network Diagram
Please see the descriptions of the numbered points.
Diagram Section | Decription | Related Information |
|---|---|---|
1 | When a Noah ES User uses Noah ES features, they are first identified, authenticated, and authorized by Noah ES via a standard OAuth process within a standard internet browser. A Noah ES-provided account can identify Noah ES users, or the Noah ES account can be configured so that all or some users can use Entra ID (Azure AD) or other systems that support OpenID Connect. | https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/3166208001 https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/3596877855 |
2 | Today, a Hearing Care Professional (HCP) will likely interact most with Noah ES via the Noah ES Client. The Client is a Windows desktop application that has been used for the last 10 years with the on-premise Noah System 4 product adapted to exchange data with Noah ES services securely. This application is very important as it supports the hearing instrument fitting and hearing loss diagnostic software created by different HIMSA member companies. Windows PCs are not provided by HIMSA. It is the customer's responsibility to obtain a PC that meets minimum requirements. These applications are known as “Modules.” Modules typically provide features to diagnose hearing loss or to custom-program hearing instruments for a patient. Modules are installed on each PC/Noah ES client. Each HIMSA Member company distributes these software applications. These applications gain access to the currently selected patient record. These applications are approved by the Hearing Care Business IT or other management staff by agreeing to install the software on the PC. The Noah ES Client also provides features like adding and searching for patients. Most importantly, all the data stored by the Noah ES compatible applications are attached to a given patient record and are easily viewable as a combined patient history. |
|
3 | Noah ES account administrators make use of the Noah ES portal to manage users, Apps, and other account settings. | https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/1626734597 |
4 | Noah ES also exposes a REST-based API so browser-based, non-Windows, and Windows applications can exchange data with a Noah ES account. Access to this API is only made available to HIMSA Member Companies. Noah Apps, using this API, do not automatically gain access to a Noah ES account. Each App must first request access and then be granted access by a Noah ES account administrator. This approval process includes approving access to different patient demographics and types of data. This approval is at the complete control of the hearing care business and can be edited or removed at any time. | |
5 | HIMSA Member Companies can also create Service Apps (also known as Machine-to-Machine systems) that allow integration directly to a Noah ES account. Stipulations for access are the same as listed in point 4. |
|
6 | Data processing is all processed within regional Microsoft Azure data centers. Paired regions are employed for redundancy purposes. All data in transit is encrypted by use of TLS 1.3. Below is a summary of the main components: Clustered MicroservicesKubernetees cluster services are used to provide all of the business rules and processing of data while interacting with the the database. The cluster is prepared to scale up resources when needed. Noah ES is set up so that a fallback cluster is ready in the rare event of a major technical issue. Azure MS SQL Database Failover Groups/PolicyEach NoahES account has its own database. Patient data is not combined with data from another account. All databases are set up so that data at rest is encrypted (AES-256). Each database is replicated in a secondary data center region and configured in a failover cluster configuration. Data backups are taken every 10 minutes for 30 days and weekly for 12 weeks. Backups are contained within both the primary and secondary regions. Audit Trail StorageNoah ES tracks all user activity (accessing patients, adding data, and adding new users) and stores this information in a separate storage from the patient database. | Data Residency All data is processed and stored within the following geographic limits (Contained within MS Azure Regions):
For example. A European Noah ES customer account will be provisioned in Europe, and the data will only be posted and stored in the European Azure region.
|
7 | HIMSA employees do have access to Noah ES accounts to manage and attend to support issues. By default, HIMSA employees do not have access to see patient data and all management tools used are employed by APIs to the system. | https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/2152005752 |
8 | In the rare event that a HIMSA employee needs more access (e.g., for a technical issue), management approval must be provided, and detailed activity logs are recorded. If access to patient demographics or fitting/measurement is needed, the Noah ES account administrator will also be consulted for approval prior to the work. |
|
9 | Noah ES is constantly monitored for reliability. This monitoring includes simulating real user activity using the same software used by Noah ES users. If an important event occurs, HIMSA will note it on the Noah ES status page. Noah ES accounts also have the option to subscribe to events for this service. |
Business Topics
Q: Does HIMSA provide an SLA (Service Level Agreement) with Noah ES?
A: The Noah ES Terms of Service does not guarantee a specific benchmark but rather states that HIMSA intends that Noah ES will have an availability of at least 99 % of the time. See https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/2020049257 for a list of historical issues.
Q: Does HIMSA provide specific terms regarding recovery time during unexpected larger issues?
A: HIMSA does not, but please see section 6 above. The system is currently designed to be fully operational in 2 hours or less.
Q: Does HIMSA provide HIPAA/GDPR/Security training for each new HIMSA employee as well as periodically for all other members of your workforce?
A: Yes
Q: Does HIMSA require non-disclosure agreements (NDAs) or confidentiality agreements with third-party vendors if confidential, sensitive, or Personally Identifiable Information (PII) will be disclosed?
A: Yes
Q: Does HIMSA require all employees to sign a confidentiality (non-disclosure) agreement as a condition of employment?
A: Yes
Q: How frequently does HIMSA assess the risk of your subcontractors?
A: At least annually
Q: Does Noah ES use Online Tracking technologies to collect information about users that interact with your application? (e.g. Google Analytics, Meta Pixel, Hotjar, Mixpanel, etc.)?
A: No
Q: Does HIMSA incorporate security (i.e. controls, processes, training) as part of your Software Development Lifecycle?
A: Yes
Q: Does Noah ES have an Artificial Intelligence (AI) component?
A: No
Technical
Q: Where is Noah ES data processed and stored
A: see section 6 of the network diagram
Q: Does Noah ES require a desktop client application
A: Yes, see part 2 in the above network diagram. The Noah ES client-supported versions and support operating systems can be found here
Q: Who is responsible for keeping the Noah ES client software versions up to date?
A: The customer is.
Q: What network URLs need to be whitelisted for Noah ES to function?
A: See https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/1629028353
Identity and Access Management
Q: Who is responsible for provisioning customer user accounts?
A: The customer is. Please see https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/1626734597
Also, see https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/1739620390
Noah ES provided user account authentication (local)
By default, Noah ES provides a user authentication system based on a username (email address) and a password (see the password requirements to the right).
Noah ES also provides https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/3649568949 as an included service.
Q: Does Noah ES require passwords to be rotated or require users to change their passwords on a regular automated schedule?
A: No.
Q: Can an administrator for the Noah ES account force password resets?
A: Yes, please see https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/1629093889.
HIMSA recommends that you set users to use MFA or to consider optional integration with MS Entra ID and other Open ID Connected-based identity systems, offered at no additional Noah ES cost, see:
https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/3166208001
https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/3596877855
Noah ES Local account password requirements
Passwords will be required to be strong, defined as:
Minimum 8 characters in length
Maximum 64 characters in length
Additionally, the password must contain characters from 3 of the following points
Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
Base 10 digits (0 through 9)
Nonalphanumeric characters: ~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/
Any Unicode character is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages
Monitoring
Noah ES Provides an extensive log called the Activity Log. The Activity Log is available via the Noah ES Portal and can be exported via a CSV file format. This log records items such as:
User activity (Login, Logout, Failed login, adding and editing users, MFA enabled, disabled)
user assignment to different permission levels
changes to the definitions of permissions levels
Exporting and importing data
Patient record activity, adding, viewing, deleting
The activity log entries are kept for one year and then deleted.
Q: Does HIMSA take the responsibility to review the activity log for suspicious activity for a Noah ES customer
A: No
Notifications for important events are emailed to all Noah ES Administrators:
First time Noah ES Account Access
User login from a new device
Exporting patients out of Noah ES
User permissions elevated
User group permissions changed
The first time Noah ES API app is enabled
Noah ES API App access levels edited
Vulnerability Management
Q: Has a third party conducted a penetration test on your product or service within the last year?
A: Yes
Q: Does HIMSA use a documented or formal change/release management process?
A: Before any change is made, HIMSA ensures that the problem is properly understood by clear and easy-to-understand text. The development team investigates possible solutions. Product and Project Management and the Development team conduct a security risk analysis on the proposed solution.
Once the security review is complete, QA implements and tests the solution in a non-production environment. Once it is proven to address the issue, the solution is published in the production environment.