Atlassian Cloud vs Data Center: Which is Better for Healthcare Organizations?

Posted on 08.12.2021
Written by Jake Sullivan

Atlassian Cloud vs Data Center? If your organization uses Atlassian products such as Jira or Confluence, you are likely aware of, and planning for, Atlassian’s shift toward a cloud-first strategy. In short:

  • The sale of new Atlassian Server licenses has been discontinued as of February 2021.
  • Support and maintenance for Atlassian Server products will end in 2024.
  • Atlassian is making significant investments and updates to Data Center and Cloud hosting options, in an effort to improve their core offerings.

While much has been said about the differences between Atlassian Cloud and Data Center products (in fact, we wrote an entire Buyer’s Guide on this topic), the question of what to do next takes on particular significance for healthcare organizations and other entities operating in high-compliance industries. Is Atlassian (Jira) Cloud HIPAA compliant? How do I know whether Atlassian Cloud or Data Center will satisfy our security and regulatory requirements? What are the tradeoffs associated with Cloud vs Data Center vs hybrid approaches?

This page will be kept up-to-date with the latest information related to HIPAA compliance with Atlassian so that you can better understand your options and select the path that best suits your needs. If you’d like to take a deeper dive into your Atlassian Cloud options, feel free to download a copy of our new whitepaper, Atlassian Cloud vs Data Center: Key Considerations for Enterprise, Compliance-Heavy Organizations.

Atlassian Cloud is not HIPAA compliant (yet). Depending on how you use it, that may be OK.

Atlassian’s Cloud products are not currently HIPAA compliant, as Atlassian is unable to sign a Business Associate Agreement and instead recommends Data Center products for companies that need to comply. HIPAA compliance for Jira and Confluence Cloud is currently slated for Q2 2022. That being said, your organization’s compliance regime is just one piece of the puzzle. Depending on how you intend to use your tools, and what type of data is being stored, you may still be able to take advantage of this SaaS offering.

If you do not intend to store PHI/PII in the Atlassian Cloud, we highly recommend taking the following items into consideration.

Data Loss Prevention Tools

Data Loss Prevention (DLP) tools are critical for enforcing data upload policies so that sensitive information such as PHI/PII doesn’t make its way into the Atlassian Cloud in the form of attachments, service requests, or internal comments. DLPs also play an important role in the identification, classification, and remediation of PHI that may have slipped past your technical, physical, and process controls. DLPs generally fall into one of four categories: browser-, endpoint-, network-, or application-based.

As a healthcare organization, you are likely already leveraging one or more DLPs as part of your HIPAA-compliance strategy. Oxalis can help you determine whether your existing controls are sufficient to secure your Atlassian Cloud, or if a purpose-built market solution is a required add-on.

Third Party Plugin Usage

One of Atlassian’s greatest features is the Atlassian Marketplace, a platform to buy apps that enhance and extend the base functionality of Atlassian’s products. With thousands of apps and integrations in the Marketplace, it’s likely that your system already has a third-party plugin installed today. While Atlassian is targeting HIPAA compliance in 2022, this does not guarantee that third-party plugin vendors will also sign BAAs. It is best to adopt a Zero Trust mindset when dealing with the Atlassian ecosystem, and to carefully scrutinize where data is transmitted and stored by these third parties.

Process & Policy for Reporting and Remediation

While DLP tools should help keep PHI out of your system, and will identify PHI that’s already been added, you will inevitably need a manual reporting mechanism for flagging records containing sensitive information. You will also need to define a cadence for reviewing manual and automated reports of PHI/PII, verifying that each report is accurate, and triggering an appropriate remediation response. Atlassian products such as Jira and Confluence include rich audit history and versioning for easy auditing, but these can stand in the way of simple “data scrubbing”: deleting a comment or an older page version does not necessarily remove it from the history. A carefully crafted approach will differentiate between Jira issues and Confluence pages that can be deleted outright and those that require separate quarantining so that important data may be salvaged.
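The application-based DLP scan and the delete-vs-quarantine triage described in the two sections above, written out as an added example. This is illustrative code for this page, not Oxalis’ or Atlassian’s tooling: the record layout (summary, description, comments, attachments carrying pre-extracted text) is a constructed stand-in and does not follow the real Jira REST schema, the PHI patterns are simplified, and the sample records are invented.

```python
import re
from dataclasses import dataclass

# Illustrative PHI/PII indicators (constructed for this example). A production
# DLP would use validated detectors tuned to your own record formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


@dataclass
class Finding:
    record_key: str
    location: str   # which field the match came from, e.g. "comment[1]"
    kind: str       # which pattern fired
    excerpt: str    # masked match, safe to include in a review report


def mask(value: str) -> str:
    """Keep only the last four characters so the report never re-exposes the PHI."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def iter_text_fields(record):
    """Yield (location, text) for every populated text-bearing field.

    Attachment text is assumed to have been extracted already (file parsing
    or OCR would happen before this step in a real application-based DLP)."""
    for name in ("summary", "description"):
        if record.get(name):
            yield name, record[name]
    for i, body in enumerate(record.get("comments", [])):
        if body:
            yield f"comment[{i}]", body
    for att in record.get("attachments", []):
        if att.get("text"):
            yield f"attachment:{att['name']}", att["text"]


def scan_record(record):
    """Run every pattern over every field and collect masked findings."""
    findings = []
    for location, text in iter_text_fields(record):
        for kind, pattern in PHI_PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append(Finding(record["key"], location, kind, mask(m.group(0))))
    return findings


def remediation(record, findings):
    """Decide how a flagged record is handled (constructed heuristic).

    'delete'     - every populated field carries PHI; nothing worth salvaging.
    'quarantine' - PHI sits in some fields but clean business content remains,
                   so the record is isolated for review rather than removed.
    Quarantine is a distinct step because deleting a comment or attachment does
    not necessarily scrub it from issue history or page versions."""
    if not findings:
        return "none"
    populated = {loc for loc, _ in iter_text_fields(record)}
    flagged = {f.location for f in findings}
    return "delete" if flagged == populated else "quarantine"


def triage(records):
    """Return {record key: (findings, decision)} for a batch of records."""
    result = {}
    for rec in records:
        f = scan_record(rec)
        result[rec["key"]] = (f, remediation(rec, f))
    return result


# Constructed sample records; keys, text and identifiers are invented.
SAMPLE_RECORDS = [
    {
        "key": "HELP-101",
        "summary": "Portal login failing for patient account",
        "description": "Customer reports 500 error after password reset.",
        "comments": [
            "Reproduced on staging.",
            "Patient record for verification: MRN 00482913, DOB 04/12/1975",
        ],
        "attachments": [{"name": "screenshot.png", "text": ""}],
    },
    {
        "key": "HELP-102",
        "summary": "SSN 123-45-6789 claim mismatch",
        "description": "",
        "comments": [],
        "attachments": [{"name": "claim.csv", "text": "name,ssn\nJane Doe,987-65-4320\n"}],
    },
    {
        "key": "DEV-7",
        "summary": "Upgrade build agent image",
        "description": "Bump base image to current LTS.",
        "comments": ["Done, pipeline green."],
        "attachments": [],
    },
]

if __name__ == "__main__":
    for key, (findings, decision) in triage(SAMPLE_RECORDS).items():
        print(f"{key}: {decision}")
        for f in findings:
            print(f"   {f.location:<22} {f.kind:<6} {f.excerpt}")
```

Running it flags HELP-101 for quarantine (the PHI is confined to one comment while the rest of the ticket is legitimate support work), marks HELP-102 for deletion (every populated field carries an SSN), and leaves DEV-7 untouched. The masked excerpts are what would go into the periodic review report, so that the report itself does not become another place PHI is stored.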

Atlassian’s Compliance Roadmap

The chart below details current and future Cloud compliance standards according to the Atlassian Cloud compliance roadmap.

| Compliance Standard | Software | Status |
|---|---|---|
| SOC 2 Type II | Jira Service Management, Halp, Jira Software Cloud, Confluence Cloud, Bitbucket Cloud, Trello, Opsgenie, Jira Align, and Statuspage | Shipped |
| ISO IEC 27001 | Jira Service Management, Jira Software Cloud, Confluence Cloud, Bitbucket Cloud, Trello, Opsgenie, Jira Align, and Statuspage | Shipped |
| ISO IEC 27018 | Jira Service Management, Jira Software Cloud, Confluence Cloud, Bitbucket Cloud, Trello, Opsgenie, Jira Align, and Statuspage | Shipped |
| GDPR | Jira Software, Confluence, Jira Service Management, Bitbucket | Shipped |
| VPAT for Cloud Products | Jira Software, Confluence, Jira Service Management, Bitbucket | In the Works |
| WCAG 2.1 Standards | Jira Software, Confluence, Jira Service Management, Bitbucket | In the Works |
| FedRAMP Tailored | Jira Software Cloud and Confluence Cloud | Future – 2021 |
| HIPAA | Jira Software and Confluence | Future – Q2 2022 |
| Financial services industry compliance – Australia (APRA) | Jira Software and Confluence | Future – 2022 |
| NIST 800.53 | Jira Software and Confluence | Future – 2022 |
| Financial services industry compliance – US | Jira Software and Confluence | Future – 2022 |
| Financial services industry compliance – EU (BaFin) | Jira Software and Confluence | Future – 2022 |
| FedRAMP Moderate | Jira Software and Confluence | Future – 2023 |

Atlassian’s Data Center is a more traditional “Behind the Firewall” option.

Atlassian’s Data Center products offer a traditional “Behind the Firewall” approach for organizations that must handle PHI/PII in their environment, and cannot adopt the Atlassian Cloud. With greater security capabilities, options for self-hosting, and more hands-on customization, Data Center serves larger companies well should they find a need for any extra levels of security or compliance that Cloud does not offer at this time.

The Data Center versions of Jira and Confluence are reliable tools providing easy scalability, high availability, load balancing, improved performance with project archiving, and Atlassian-supported disaster recovery. You will get all of the same functionality you’re familiar with from the old Server products, but with features and capabilities designed to serve enterprise organizations.

The primary drawbacks of Atlassian’s Data Center offerings are that:

  1. There’s a higher cost associated with hosting and support resources.
  2. Data Center licenses are priced differently than Atlassian’s Cloud, with higher user minimums (e.g., a 500-user minimum for Jira Software) that may price out small-to-medium-sized organizations.

A “hybrid cloud” approach can give you the best of both worlds.

For organizations looking to get the best of both worlds, a “hybrid cloud” approach may be justified where one or multiple Atlassian Cloud products are combined with one or multiple Atlassian Data Center products. A few scenarios below illustrate this concept:

  1. A healthcare IT company leveraging Atlassian for its customer-facing portal, agile development, and knowledge management may choose to deploy Jira Service Management on Atlassian’s Data Center (hosted behind-the-firewall) assuming that PHI/PII will enter the system via customer requests, while Jira Software and Confluence will not contain PHI/PII and may be hosted on Atlassian’s Cloud.
  2. A multi-state healthcare delivery organization has a Quality Management department operating out of Jira Cloud, although occasionally work is performed that benefits from storing and transmitting PHI/PII in a standard Jira workflow. These sensitive projects may be run out of a dedicated Jira Data Center system while the majority of work continues to be managed in Jira Cloud.

Oxalis can help you assess your needs, architect a hybrid cloud strategy, and deploy a process for integration, manual (or automated) import/export, and archival data retention.

Oxalis Can Help You Determine the Best Path Forward.

At Oxalis, it’s important that clients be able to make good decisions and select a course of action that meets the needs of their business. But it’s equally important that you make sure you aren’t boxing yourself into a place where you won’t be able to take advantage of future cloud evolution.

Furthermore, the professionals at Oxalis want to help you approach the decision between Atlassian Cloud and Data Center with a holistic, compliance-first mindset. If you haven’t been approaching it that way, this is a great time to make a shift in priorities and select a path that will meet your needs today and in the future.

After all, a migration is an investment. You want to ensure you’re getting the most out of that investment by building a full picture of compliance for your organization, even if that involves incorporating additional tools outside Atlassian.

To learn more about how to plan a path forward with your Atlassian products, please download a copy of Oxalis’ new whitepaper, Atlassian Cloud vs Data Center: Key Considerations for Enterprise, Compliance-Heavy Organizations.

Or, if you need 1:1 support planning your next steps with Atlassian, please reach out today to set up a time to chat.
