Some things that come to mind, in no particular order:
1) Encrypt any sensitive data that is stored
2) Store passwords hashed
3) Limit access by IP address if possible
4) Require strong passwords, and deal with failed login attempts (maybe by limiting the number of attempts, or by increasing exponentially the time until a further attempt can be made)
5) Defend against XSS, SQL injection and other typical attacks on web apps
6) As much as possible use pre-existing libraries, such as Apache Shiro, instead of developing all this yourself
7) Think about where you host this, who has access to the host system, and how to safeguard against people inside of your organization doing inappropriate things with the systems and the data
8) Make frequent backups of everything that you keep both onsite and offsite