Atlassian Cloud vs Data Center: Which is Better for Healthcare Organizations?

Posted on 08.12.2021
Written by Jake Sullivan

Things you’ll learn

Atlassian Cloud vs Data center? If your organization uses Atlassian products such as Jira or Confluence, you are likely aware of and planning for Atlassian’s shift toward a cloud-first strategy. In short:

  • The sale of new Atlassian Server licenses have been discontinued as of February 2021.
  • Support and maintenance for Atlassian Server products will end in 2024.
  • Atlassian is making significant investments and updates to Data Center and Cloud hosting options, in an effort to improve their core offerings.

While much has been said about the differences between Atlassian Cloud and Data Center products (in fact, we wrote an entire Buyer’s Guide on this topic), the question of what to do next takes on particular significance for healthcare organizations and other entities operating in high compliance industries. Is Atlassian (Jira) Cloud HIPAA compliant? How do I know whether Atlassian Cloud or Data Center will satisfy our security and regulatory requirements? What are the tradeoffs associated with Cloud vs Data Center vs hybrid approaches?

This page will be kept up-to-date with the latest information related to HIPAA compliance with Atlassian so that you can better understand your options and select the path that best suits your needs. If you’d like to take a deeper dive into your Atlassian Cloud options, feel free to download a copy of our new whitepaper, Atlassian Cloud vs Data Center: Key Considerations for Enterprise, Compliance-Heavy Organizations.

Most Atlassian Enterprise Cloud products are HIPAA-compliant.

The Cloud versions of Jira Software, Jira Service Management, and Confluence are HIPAA-compliant on the Enterprise plan, and Atlassian is prepared to sign Business Associate Agreements for them. We’ve covered the details in another post.

If you aren’t on the Enterprise plan, and can’t upgrade, there’s still hope. Depending on how you intend to use your tools, and what type of data is being stored, you may still be able to store PHI/PII in the Atlassian Cloud. Consider the following factors.

Data Loss Prevention Tools

Data Loss Prevention (DLP) tools are critical for enforcing data upload policies so that sensitive information such as PHI/PII doesn’t make its way into the Atlassian Cloud in the form of attachments, service requests, or internal comments. DLPs also play an important role in the identification, classification, and remediation of PHI which may have slipped past your technical, physical, and process controls. DLPs generally fall into one of four categories: browser, endpoint, network, or application based.

As a healthcare organization, you are likely already leveraging one or more DLPs as part of your HIPAA-compliance strategy. Oxalis can help you determine whether your existing controls are sufficient to secure your Atlassian Cloud, or if a purpose-built market solution is a required add-on.

Third-Party Plugin Usage

One of Atlassian’s greatest features is the Atlassian Marketplace, a platform to buy apps that enhance and extend the base functionality of Atlassian’s products. With thousands of apps and integrations in the Marketplace, it’s likely that your system already has a third-party plugin installed today. Plugin vendors may or may not sign BAAs, and may or may not provide that information in the Marketplace. Remember that ultimately you’re responsible for HIPAA compliance regardless of what a vendor discloses, so contact them if necessary to know for sure whether a plugin is compliant.

Process & Policy for Reporting and Remediation

While DLP tools should help keep PHI out of your system, and will identify PHI that’s already been added, you will inevitably need a manual reporting mechanism for flagging records containing sensitive information. You will also need to define a cadence for reviewing manual/automated reports of PHI/PII, verifying that the report is accurate, and triggering an appropriate response for remediation. Atlassian’s products such as Jira and Confluence include rich audit history and versioning for easy auditing, but these can stand in the way of simple “data scrubbing.” A carefully crafted approach will differentiate between Jira issues and Confluence pages that can be deleted outright vs those that require separate quarantining so that important data may be salvaged.

Atlassian’s Compliance Roadmap

The chart below details current and future Cloud compliance standards according to the Atlassian Cloud compliance roadmap.

Compliance StandardSoftwareStatus
SOC 2 Type IIJira Service Management, Halp, Jira Software Cloud, Confluence Cloud, Bitbucket Cloud, Trello, Opsgenie, Jira Align, and Statuspage.Shipped
ISO IEC 27001Jira Service Management, Jira Software Cloud, Confluence Cloud, Bitbucket Cloud, Trello, Opsgenie, Jira Align, and Statuspage.Shipped
ISO IEC 27018Jira Service Management, Jira Software Cloud, Confluence Cloud, Bitbucket Cloud, Trello, Opsgenie, Jira Align, and StatuspageShipped
GDPRJira Software, Confluence, Jira Service Management, BitbucketShipped
VPAT for Cloud ProductsJira Software, Confluence, Jira Service Management, BitbucketShipped
WCAG 2.1 StandardsJira Software, Confluence, Jira Service Management, BitbucketShipped
HIPAAJira Software, JSM, and ConfluenceShipped
Financial services industry compliance – USJira Software and ConfluenceShipped
Financial services industry compliance – Australia (APRA)Jira Software and ConfluenceShipped
Financial services industry compliance – EU (BaFin)Jira Software and ConfluenceShipped
NIST 800.53Jira Software and ConfluenceFuture
FedRAMP TailoredJira Software Cloud and Confluence CloudFuture
FedRAMP ModerateJira Software and ConfluenceFuture

Atlassian’s Data Center is a more traditional “Behind the Firewall” option.

Atlassian’s Data Center products offer a traditional “Behind the Firewall” approach for organizations that must handle PHI/PII in their environment, and cannot adopt the Atlassian Cloud. With greater security capabilities, options for self-hosting, and more hands-on customization, Data Center serves larger companies well should they find a need for any extra levels of security or compliance that Cloud does not offer at this time.

The Data Center versions of Jira and Confluence are reliable tools providing easy scalability, high availability, load balancing, improved performance with project archiving, and Atlassian-supported disaster recovery. You will get all of the same functionality you’re familiar with from the old Server products, but with features and capabilities designed to serve enterprise organizations.

The primary drawbacks of Atlassian’s Data Center offerings, are that:

  1. There’s a higher cost associated with hosting and support resources.
  2. Data Center licenses are priced differently than Atlassian’s Cloud, with higher user minimums (ex. 500 user minimum for Jira Software) that may price out small-to-medium-sized organizations.

A “hybrid cloud” approach can give you the best of both worlds.

For organizations looking to get the best of both worlds, a “hybrid cloud” approach may be justified where one or multiple Atlassian Cloud products are combined with one or multiple Atlassian Data Center products. A few scenarios below illustrate this concept:

  1. A healthcare IT company leveraging Atlassian for its customer-facing portal, agile development, and knowledge management may choose to deploy Jira Service Management on Atlassian’s Data Center (hosted behind-the-firewall) assuming that PHI/PII will enter the system via customer requests, while Jira Software and Confluence will not contain PHI/PII and may be hosted on Atlassian’s Cloud.
  2. A multi-state healthcare delivery organization has a Quality Management department operating out of Jira Cloud, although occasionally work is performed that benefits from storing and transmitting PHI/PII in a standard Jira workflow. These sensitive projects may be run out of a dedicated Jira Data Center system while the majority of work continues to be managed in Jira Cloud.

Oxalis can help you assess your needs, architect a hybrid cloud strategy, and deploy a process for integration, manual (or automated) import/export, and archival data retention.

As Atlassian cloud migration advisors, Oxalis’s unique expertise ensures Cloud Migration success.

The Cloud Migration Playbook, written for any company that needs to migrate from Atlassian Server or Data Center to the Cloud, covers the entire migration process from pre-planning to testing to executing the migration.

Oxalis Can Help You Determine the Best Path Forward.

At Oxalis, it’s important that clients be able to make good decisions and select a course of action that meets the needs of their business. But it’s equally important that you make sure you aren’t boxing yourself into a place where you won’t be able to take advantage of future cloud evolution.

Furthermore, the professionals at Oxalis want to help you approach the decision between Atlassian Cloud and Data Center with a holistic, compliance-first mindset. If not, this is a great time to make a shift in priorities and select a path that will meet your needs today and in the future.

After all, a migration is an investment. You want to ensure you’re getting the most of your investment by providing a full picture of compliance for your organization, even if that involves incorporating additional tools outside Atlassian.

To learn more about how to plan a path forward with your Atlassian products, please download a copy of Oxalis’ new whitepaper, Atlassian Cloud vs Data Center: Key Considerations for Enterprise, Compliance-Heavy Organizations.

Or, if you need 1:1 support planning your next steps with Atlassian, please reach out today to set up a time to chat.

Recommended Blog posts

Contact us

Get the conversation started!

Feel free to send us a message in the form below. We’re very approachable and would like to talk more about how we can meet your needs: