Medical Device Compliance & Atlassian Cloud

On the 16th of October 2020, Atlassian announced radical changes to their offering.

From February 2nd 2021, Atlassian will not sell any new Server licenses for any of their products.

A year later, in February 2022, it will not be possible to upgrade or downgrade your Atlassian Server product tier.

From February 2023, it will not be possible to buy new Atlassian Server apps.

The last deadline, February 2024, will see no license renewal available for Server products, and that will be the end of Atlassian Server support.

Of course, as Server licenses are perpetual, Server users may continue their operation on the existing version and configuration of their existing system.

Impact on the Regulated Industries

For many regulated domains, cloud services are a big no-no. This may come from doubts around security aspects of data hosting, data localisation (e.g. GDPR), and the more simple reason that the Atlassian Cloud products are dynamic, i.e. updates happen frequently, almost continuously.

The latter has an immediate impact on the validation state of the instance and its connected apps. It’s not possible to demonstrate that you are in control of your instance because, well, you are not. Any completed validation activity may quickly become invalid because the underlying version it is based on has changed.

What are Your Options?

1. Stick to Server

   1. New users can still purchase a license before the February 2021 deadline and potentially use the product for an unlimited time, as licenses are perpetual.

   2. Existing Server users can decide to remain on Server for the foreseeable future and either never move away from it, or monitor the evolution of Cloud and Data Center options as the support date draws closer.

2. Move to Data Center

   1. Data Center is basically identical to Server with some additional features like high performance, scalability, seamless user management and solid security and it comes with mandatory yearly renewal fee. The downside of Data Center is that the entry level is 500 users (starting price of $15,000 for Confluence), so not really an option for small-medium sized companies.

3. (Plan to) Move to Cloud

   1. This is a viable solution, the one Atlassian is pushing users to make. The problems with instance and data control remain today and in addition some of the Apps that you use on Server are either not available or have limited performance.

A Compliant Confluence Document Management System on Confluence Cloud

Compliance to the more generic Medical Device regulations and standards, such as ISO 13485, or the more demanding ones like FDA 21 CFR 11 will be a challenge on Cloud. But it can be done.

Compliant workflows (such as Comala Document Management) are already available on Confluence Cloud, albeit with limited features. Comalatech is putting a tremendous amount of effort in building feature parity with the Server version of the Comala Document Management app, including the availability of a publishing extension, the Comala Publishing app.

Regular backups take care of any potential data loss of corruption as a result of an update.

A number of (automated) regular checks of your instance can help present the case to an auditor or inspector.

So, it is mainly about risk mitigation of the identified gaps.

A Light at the End of the Tunnel

It’s not all doom and gloom in Atlassian Cloud.

Atlassian recognises the importance and the complexity of the regulations we have to comply to in the Medical Device industry. They are moving towards providing a number of additional features to help bridge the existing gaps to compliance. Some examples for Confluence will include:

1. Password policy is available for all tiers;

2. Audit logs are available for all subscription tiers;

3. Encryption in transit and at rest is available for all tiers;

4. Sandbox mode and Release Tracks will be available for Cloud Premium and Cloud Enterprise versions;

5. Data residency is currently available only for Cloud Enterprise plans;

6. Apps will be allowed to manage their own data residency for GDPR purposes;

7. Atlassian will be HIPAA compliant.

The most important of all is the Sandbox and Release Tracks. With these tools a company will be able to “delay” updates for a couple of weeks while performing validation tests to ensure the integrity of the update. This will require a certain amount of automation, as it is not reasonable to re-validate your instance every 2 weeks.

In light of all of this, we at SoftComply have decided to focus our development efforts on automating the integrity check of Confluence before an update is released. Stay tuned!

To learn more about how SoftComply supports you in migration, please read on here.