Noah ES Network Diagram
Please see the descriptions of the numbered points.
Can’t find what you are looking for? Feel free to open a support issue. Click Here.
Diagram Section | Decription | Related Information |
|---|---|---|
1 | When a Noah ES User uses Noah ES features, they are first identified, authenticated, and authorized by Noah ES via a standard OAuth process within a standard internet browser. A Noah ES-provided account can identify Noah ES users, or the Noah ES account can be configured so that all or some users can use Entra ID (Azure AD) or other systems that support OpenID Connect. | Using Microsoft Entra ID (Azure Active Directory) for Single Sign-on (SSO) |
2 | Today, a Hearing Care Professional (HCP) will likely interact most with Noah ES via the Noah ES Client. The Client is a Windows desktop application that has been used for the last 10 years with the on-premise Noah System 4 product adapted to exchange data with Noah ES services securely. This application is very important as it supports the hearing instrument fitting and hearing loss diagnostic software created by different HIMSA member companies. These applications are known as “Modules.” Modules typically provide features to diagnose hearing loss or to custom-program hearing instruments for a patient. Modules are installed on each PC/Noah ES client. Each HIMSA Member company distributes these software applications. These applications gain access to the currently selected patient record. These applications are approved by the Hearing Care Business IT or other management staff by agreeing to install the software on the PC. The Noah ES Client also provides features like adding and searching for patients. Most importantly, all the data stored by the Noah ES compatible applications are attached to a given patient record and are easily viewable as a combined patient history. |
|
3 | Noah ES account administrators make use of the Noah ES portal to manage users, Apps, and other account settings. | |
4 | Noah ES also exposes a REST-based API so browser-based, non-Windows, and Windows applications can exchange data with a Noah ES account. Access to this API is only made available to HIMSA Member Companies. Noah Apps, using this API, do not automatically gain access to a Noah ES account. Each App must first request access and then be granted access by a Noah ES account administrator. This approval process includes approving access to different patient demographics and types of data. This approval is at the complete control of the hearing care business and can be edited or removed at any time. | |
5 | HIMSA Member Companies can also create Service Apps (also known as Machine-to-Machine systems) that allow integration directly to a Noah ES account. Stipulations for access are the same as listed in point 4. |
|
6 | Data processing is all processed within regional Microsoft Azure data centers. Paired regions are employed for redundancy purposes. All data in transit is encrypted by use of TLS 1.3. Below is a summary of the main components: Clustered MicroservicesKubernetees cluster services are used to provide all of the business rules and processing of data while interacting with the the database. The cluster is prepared to scale up resources when needed. Noah ES is set up so that a fallback cluster is ready in the rare event of a major technical issue. Azure MS SQL Database Failover Groups/PolicyEach NoahES account has its own database. Patient data is not combined with data from another account. All databases are set up so that data at rest is encrypted. Each database is replicated in a secondary data center region and configured in a failover cluster configuration. Data backups are taken every 10 minutes for 30 days and weekly for 12 weeks. Backups are contained within both the primary and secondary regions. Audit Trail StorageNoah ES tracks all user activity (accessing patients, adding data, adding new users) and stores this information in storage separate from the patient database. | Data Residency All data is processed and stored within the following geographic limits (Contained within MS Azure Regions):
For example. A European Noah ES customer account will be provisioned in Europe, and the data will only be posted and stored in the European Azure region.
|
7 | HIMSA employees do have access to Noah ES accounts to manage and attend to support issues. By default, HIMSA employees do not have access to see patient data and all management tools used are employed by APIs to the system. | |
8 | In the rare event that a HIMSA employee needs more access (e.g., for a technical issue), management approval must be provided, and detailed activity logs are recorded. If access to patient demographics or fitting/measurement is needed, the Noah ES account administrator will also be consulted for approval prior to the work. |
|
9 | Noah ES is constantly monitored for reliability. This monitoring includes simulating real user activity using the same software used by Noah ES users. If an important event occurs, HIMSA will note it on the Noah ES status page. Noah ES accounts also have the option to subscribe to events for this service. |
Can’t find what you are looking for? Feel free to open a support issue. Click Here.
Business Topics
Q: Does your organization provide HIPAA/GDPR/Security training for each new employee as well as periodically for all other members of your workforce?
A: Yes
Q: Does your organization require non-disclosure agreements (NDAs) or confidentiality agreements with your third-party vendors if confidential, sensitive, or Personally Identifiable Information (PII) will be disclosed?
A: Yes
Q: Does your organization require all employees to sign a confidentiality (non-disclosure) agreement as a condition of employment?
A: Yes
Q: How frequently does your organization assess the risk of your subcontractors?
A: At least annually
Q: Does your product use Online Tracking technologies to collect information about users that interact with your application? (e.g. Google Analytics, Meta Pixel, Hotjar, Mixpanel, etc.)?
A: No
Q: Do you incorporate security (i.e. controls, processes, training) as part of your Software Development Lifecycle?
A: Yes
Q: Does Noah ES have an Artificial Intelligence (AI) component?
A: No
Technical
Q: Where is Noah ES data processed and stored
A: see section 6 of the network diagram
Q: Does Noah ES require a desktop client application
A: Yes, see part 2 in the above network diagram. The Noah ES client-supported versions and support operating systems can be found here
Q: Who is responsible for keeping the Noah ES client software versions up to date?
A: The customer is.
Q: What network URLs need to be whitelisted for Noah ES to function?
A: See Internet Connection, Firewall and Browser Requirements
Identity and Access Management
Q: Who is responsible for provisioning customer user accounts?
A: The customer is. Please see The Noah ES Portal
Also, see Managing User Levels and Permissions
Q: Does Noah ES support integration with MS Entra ID and other Open ID Connected-based identity systems?
A: Yes, see Using Microsoft Entra ID (Azure Active Directory) for Single Sign-on (SSO) and Configure NoahES for OpenID Connect single sign-on
Monitoring
Noah ES Provides an extensive log called the Activity Log. The Activity Log is available via the Noah ES Portal and can be exported via a CSV file format. This log records items such as:
User activity (Login, Logout, Failed login, adding and editing users, MFA enabled, disabled)
user assignment to different permission levels
changes to the definitions of permissions levels
Exporting and importing data
Patient record activity, adding, viewing, deleting
The activity log entries are kept for one year and then deleted.
Q: Does HIMSA take the responsibility to review the activity log for suspicious activity for a Noah ES customer
A: No
Notifications for important events emailed to all Noah ES Administrators:
First time Noah ES Account Access
User login from a new device
Exporting patients out of Noah ES
User permissions elevated
User group permissions changed
The first time Noah ES API app is enabled
Noah ES API App access levels edited
Vulnerability Management
Q: Has a third party conducted a penetration test on your product or service within the last year?
A: Yes
Q: Does HIMSA use a documented or formal change/release management process?
A: Before any change is made, HIMSA ensures that the problem is properly understood by clear and easy-to-understand text. The development team investigates possible solutions. Product and Project Management and the Develop team conduct a security risk analysis on the proposed solution.
Once the security review is complete, QA implements and tests the solution in a non-production environment. Once it is proven to address the issue, the solution is published in the production environment.