Safeguarding PHI / PII in Jira & Confluence

Feb 4, 2019 | Atlassian, Jira

We know you shouldn’t be storing personally identifiable information (PII) or protected health information (PHI) in your Jira issues. But mistakes happen, or your organization may require you to store and access this information securely. Throughout Ascend Integrated’s time as an Atlassian Solutions Provider, we have worked with healthcare and financial organizations looking to protect their highly sensitive information, including PII and, in the case of healthcare, PHI.

Here we explore several key factors in maintaining HIPAA compliance for your instance, along with ensuring data is stored correctly.

How do you keep PHI / PII secure?

HIPAA compliance is made up of a set of safeguards (Administrative, Physical, and Technical) that define the processes and procedures for guarding and securing your PHI / PII. Atlassian has already stated that Cloud is not intended for PHI / PII compliance. A Server or Data Center instance is absolutely required for maintaining this type of information (or if your Jira / Confluence system touches this data in any way).

What techniques can you use with the Atlassian Tool Suite?

Use an SSL Certificate

While it is basic, installing and configuring an SSL certificate for your Jira / Confluence suite is an absolute necessity when implementing HIPAA compliance. Ensuring all data is encrypted in transit and accessed only over a secure connection is step 0!

Control Access Tightly Using Permission Schemes and SSO

There are several options here: restricting who can access projects / spaces through advanced permission scheme configurations, or implementing an SSO / Active Directory authentication and authorization step, which ensures that only users within your organization have access to your data. Ensure groups are properly set up and controlled across both applications.

Make use of Issue Security

Out of the box, Jira allows you to restrict the viewing of issues to specific individuals / team members or groups. Similarly, in Confluence, ensure only specific users have access to any pages containing PII / PHI, or links to it.

Explore Add-ons / Apps: PII Protector for Jira

A plug for the hard-working folks at Enhancera: the PII Protector will help you maintain PII securely, hiding data from users who are not required to view / manage it. Auditability and traceability are built right into the tool as well. You can find additional information on this app here: PII Protector for Jira.

Enable Database Encryption

While not supported by Atlassian, database encryption provides an extra layer of security. All Jira / Confluence applications sit atop an RDBMS (e.g. MySQL, PostgreSQL, SQL Server, Oracle). Enable encryption, and ensure backups / copies are maintained in a secure location.

Conduct Regular Security Audits

Regular security audits (monthly, quarterly, etc.) will help you determine where your flaws may be and what you can do to alleviate / reduce the risk of exposure. Ensure your security team understands and documents the use of Jira and Confluence in your system.

What Next?

Interested in learning more, or have Ascend Integrated review your instance? Contact Us Today!