TL;DR

Royal Cornwall Hospitals NHS Trust has migrated to Microsoft Sentinel as its security information and event management (SIEM) platform. The Trust manages over 200 sites across Cornwall and the Isles of Scilly, serving 15,000 users with tens of thousands of networked devices.

Why the Trust switched

Modern healthcare runs on digital systems — clinical records, scanners, prescriptions, patient observations — and each connected system widens the attack surface for malicious actors. Josh Kendall, Cyber Security Operations Centre Manager for Cornwall IT Services, said attacks are now largely opportunistic and automated, targeting anyone with weaknesses rather than specific organisations.

The Trust chose Sentinel for its integration with existing Microsoft security tools, compatibility with national NHS systems, and cost effectiveness. Kelvyn Hipperson, Executive Chief Information Officer, noted that working with national NHS teams makes compatible tooling particularly valuable.

How it works in practice

Sentinel collects and analyses logs from devices and systems across the Trust’s network, applying rules to flag unusual activity. A login from an unexpected location triggers an alert. A printer communicating with an unfamiliar server gets investigated. Not every alert indicates a breach, but early detection matters — Kendall said five minutes can be the difference between one compromised machine and a network-wide foothold.

The Trust operates a 24/7 Cyber Security Operations Centre with a small team and specialist on-call resource. When an alert arrives, the priority is containment first, then investigation.

The wider NHS picture

The NHS has faced several high-profile cyber incidents in recent years, including the 2024 Synnovis attack that disrupted London hospital services for months. Cornwall’s geographic isolation adds complexity — the Trust is remote from mainland support and must maintain resilience independently. Kendall also pointed to AI as a growing factor, both as a potential defensive tool for processing large volumes of security data and as something that is changing the threat environment.

Looking forward

Kendall described a SIEM as a product that is never finished, requiring constant development as new datasets and threats emerge. For NHS trusts weighing their own security investments, Cornwall’s approach offers a practical template: align with national tooling, automate detection, and build a culture where cybersecurity is treated as an operational responsibility rather than an IT afterthought.