Case Study: Royal Flying Doctors Service Queensland protects patient data

Royal Flying Doctors Service Queensland (RFDSQ) is working to protect its patient data from getting into the hands of bad actors, through securing data in an off-premises, air-gapped environment.

RFDSQ provides aromatic emergency services across 1.8 million square kilometres of territory. The organisation delivers more than 98,000 episodes of care to some of Australia’s most remote communities, transporting 11,700 patients, running over 5,300 health clinics and providing health advice to more than 16,000 telehealth patients.

Digital Nation Australia spoke to RFDSQ chief technology officer Adam Carey about the organisation’s 54 element cyber security roadmap.

“Our crown jewels is our patient data. The main reason for having such a strong IT team is really to ensure that the clinical systems we manage and maintain are secure, that they're protected at all times, but they're still available in the field when the clinicians need them,” said Carey.

“We still need the ability to be mobile and remote, and have access to that data, but still have it secure. So it's quite a challenge for us to make sure that that data is secure at all times.”

RFDSQ is working with Rubrik as part of its roadmap to protect the backend storage of information.

According to Carey, as the ransomware methods become more sophisticated, RFDSQ has had to lift its maturity level in cyber.

“When I started in RFDS four years ago, there was certainly a maturity journey underway and we are basically taking it to the next level,” he said.

“We have obviously our normal backups and internal protections. That information is copied out to a logically air-gapped location, off premise, completely separated, with only access to two trusted internal engineers. And even that data itself is protected by multifactor.”

Should a ransomware attack take place, Carey believes that the organisation is now in a position where it does not have to negotiate.

“We're not negotiating with a bad player on how much we're going to pay. We know we have the data protected and safe, so it really changes the conversation that the executives and the board would have with a bad player.

While Rubrik has provided peace of mind for the Board, RFDSQ is also working on a number of other elements to securing the organisation.

“We also have protection of the data itself. So, we're looking at the suspicious activity. We're looking for incorrect permissions over the data. So that second part is looking at the data life cycle and making sure our data is classified,” said Carey.

“And the other element was around endpoint protection because we are such a mobile and distributed workforce we obviously have to make sure people are protected when they're out in the field and that the endpoint isn't a weak point in the network.

Carey said the organisation has upgraded to the Microsoft e5 licencing suite, providing defender-level protection, threat and vulnerability monitoring and data classification policies.

“We've really been able to implement a multifaceted program of which Rubrik is one of the key components.”