Royal Cornwall NHS Trust’s fight to keep its hospitals safe from cyber-attack

Successful cyber-attacks on hospitals can cost lives, which is why Royal Cornwall Hospitals NHS Trust decided to bolster its security and switch to Microsoft Sentinel, giving its digitally enabled healthcare system even better protection.

Think of Cornwall, and we think of beaches, clifftop walks, quaint fishing villages, and a long drive from anywhere else. But for the Royal Cornwall Hospitals NHS Trust, a network of three hospitals and the host organisation for Cornwall IT Services (CITS), that attractive remoteness also presents challenges.

“We’re geographically isolated from the rest of the country,” says Kelvyn Hipperson, Executive Chief Information Officer across Royal Cornwall Hospitals, Cornwall Partnership NHS Foundation Trust, and the Integrated Care Board.

“We cover more than 200 sites across Cornwall and the Isles of Scilly, serving about 15,000 users. And there are tens of thousands of devices on our network.”

Cornwall’s rugged remoteness is part of its attraction, but also presents a challenge for healthcare providers

That remoteness and complexity necessitate a robust cybersecurity infrastructure to reduce the risk of a successful cyber-attack, explains Josh Kendall, Cyber Security Operations Centre Manager for CITS, which provides digital services for health partners across the county.

Modern healthcare runs on digital systems: clinical records, scanners, prescriptions, observations, identity, and connectivity between sites. While this technology undoubtedly improves patient health outcomes, it also increases the “attack surface” for hackers.

“I don’t think they care who they attack anymore,” says Kendall.

“Many cyber-attacks are opportunistic and automated, targeting anyone with weaknesses and vulnerabilities.”

When criminals do get in, the aim is usually financial, either by locking systems for ransom or stealing data to sell.

Microsoft Sentinel move

Like many large organisations, Royal Cornwall uses a security information and event management platform (often shortened to SIEM) to help protect it against sophisticated attacks.

A SIEM brings security data together so teams can spot suspicious activity quickly. The Trust recently moved to Microsoft Sentinel as its provider, not only because it offered value for money, but also because it “integrates seamlessly into our cyber tooling,” Kendall explains.

“It’s more user-friendly because everyone is used to using Microsoft security products. Compatibility with national systems was another compelling reason to adopt the tool.”

Hipperson adds: “We work in partnership with national NHS teams. Having compatible tools is really helpful.”

Log collecting

“Microsoft Sentinel, in a nutshell, is a log collector, analyser and response orchestrator,” Kendall explains. “We collect logs from various key assets, combine them, apply analytical rules, and monitor for unusual activity.”

In practice, “unusual” can be as straightforward as a sign-in that breaks the normal pattern.

“If you normally log in from Cornwall, and then tomorrow you turn up logging in from Madrid, that’s unusual and needs investigation,” Kendall says.

Or it can even involve pieces of equipment behaving oddly: “We’d only expect a printer to communicate with our print services, so if it starts communicating with a completely different server-application, that’s unusual and again needs investigation.”

Not every alert means there’s going to be a successful attack. But giving the security team a reliable way to spot anomalies early, determine what is legitimate, and isolate and respond to any malicious threats before they spread is a valuable addition to the security armoury.
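
The two checks Kendall describes can be sketched as baseline comparisons over collected events. This is an added illustration in plain Python, not code from the Trust or from Microsoft Sentinel; the events are constructed, and the field names, hostnames and per-role destination policy are assumptions.

```python
from collections import defaultdict

# Constructed history used to learn where each user normally signs in.
BASELINE_EVENTS = [
    {"type": "signin", "user": "a.user@example.org", "city": "Truro"},
    {"type": "signin", "user": "a.user@example.org", "city": "Penzance"},
]
# Constructed new events to evaluate against the baseline and policy.
NEW_EVENTS = [
    {"type": "signin", "user": "a.user@example.org", "city": "Truro"},
    {"type": "signin", "user": "a.user@example.org", "city": "Madrid"},
    {"type": "signin", "user": "new.starter@example.org", "city": "Truro"},
    {"type": "netflow", "device": "printer-017", "role": "printer",
     "dest": "print01.example.org"},
    {"type": "netflow", "device": "printer-017", "role": "printer",
     "dest": "app-srv09.example.org"},
]
# Hypothetical policy: destinations each device role is expected to contact.
EXPECTED_DESTS = {"printer": {"print01.example.org"}}

def build_signin_baseline(events):
    """Map each user to the set of cities seen in historical sign-ins."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] == "signin":
            seen[e["user"]].add(e["city"])
    return seen

def detect(events, signin_baseline, expected_dests):
    """Return (rule, entity, detail) tuples for events that break the norm."""
    alerts = []
    for e in events:
        if e["type"] == "signin":
            known = signin_baseline.get(e["user"])
            if known is None:
                # No history yet: route to triage rather than call it anomalous.
                alerts.append(("no_baseline", e["user"], e["city"]))
            elif e["city"] not in known:
                alerts.append(("unusual_signin_location", e["user"], e["city"]))
        elif e["type"] == "netflow":
            allowed = expected_dests.get(e["role"])
            # Roles without a policy are skipped, not flagged.
            if allowed is not None and e["dest"] not in allowed:
                alerts.append(("unexpected_destination", e["device"], e["dest"]))
    return alerts

def run_example():
    baseline = build_signin_baseline(BASELINE_EVENTS)
    return detect(NEW_EVENTS, baseline, EXPECTED_DESTS)
```

A user with no sign-in history is reported under a separate rule so that new starters do not drown out genuine location changes.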

Round-the-clock security

Like many NHS organisations, Royal Cornwall is balancing the pressures of numerous threats against finite specialist capacity.

“We’re a fairly small team,” Kendall says, “but we’re able to operate a 24/7 Cyber Security Operation Centre (CSOC) with a specialist on-call resource.”

That speed matters because even minutes can alter the outcome.

Hospitals are constantly bombarded by cyber-attacks and need highly robust cybersecurity to defend themselves

“Five minutes could be the difference between it affecting one machine or gaining a foothold in the network,” Kendall says.

When an alert hits, speed of response is crucial. Using its security toolset, the team can isolate a threat and limit the risk.

It’s a practical example of what modern security looks like in a hospital: contain first, investigate fast, restore safely.

Evolving system

Kendall says a SIEM “is a product that’s never completed, needing constant development. It just gets more and more advanced. You find more and more datasets.”

That matters in an environment as varied as healthcare, where there is a lot of legacy hardware and software and “what normal looks like for me looks very different for a doctor.”

The work is part-engineering, part-detective story, and part-patient-safety planning.

Kendall feels AI has begun to change the threat landscape fundamentally and remains optimistic about its potential to bolster defence capabilities, especially by helping teams sift through vast amounts of data and prioritise what matters.

In the end, the Trust’s Microsoft Sentinel move is as much about readiness as it is about software: aligning tools with national capability; speeding up local response; and building a culture where security is understood as a shared operational responsibility.