
5-Question Ransomware Readiness Scorecard For Dental Practices

May 04, 2026 | 8 min read

REZ CYBER | RANSOMWARE READINESS

A practical readiness screen for dental practices that want evidence around backups, MFA, user access, dental data, and incident response.

If you own or manage a dental practice, you do not need a 40-page cybersecurity audit to find the first gaps that could turn a technical problem into downtime.

You need five honest answers.

The questions below are not meant to scare you, and they are not meant to replace a full risk analysis. They are an operational readiness screen. They help you see whether your practice has evidence around the controls that matter when ransomware, a server failure, a compromised login, or a vendor issue threatens chair flow.

This word matters: evidence.

Not "the backup software says it is running." Not "we think everyone has their own login." Not "our IT company probably has a plan."

Evidence.

For a dental practice, IT is not just computers. It is scheduling, operatories, imaging, claims, patient records, prescriptions, communication tools, front desk workflows, and the systems that keep chairs full.

REZ Cyber is a cybersecurity and IT partner for dental practices. We built this scorecard for independent practices that want a clear, practical way to ask better questions of their current IT provider, internal team, or vendors.

Quick note: This is an operational readiness screen. It is not legal advice and it is not a HIPAA compliance certification.

You can read through the five questions below, or use the one-page PDF version with your office manager or IT provider:

Download the free 5-question scorecard →

Question 1: Can you restore your practice management software (PMS) and imaging from a recent backup?

The first question is not "do we have backups?"

Almost every dental practice believes it has backups.

The better question is: can someone show you a recent restore test?

For a dental office, a useful restore test has to include the systems that actually run the practice:

Practice management software such as Dentrix, Eaglesoft, Open Dental, or another PMS

Scheduling and charting data

Ledger, claims, and billing records

Imaging, X-rays, CBCT, DICOM, and related files

Attachments, documents, exports, templates, and scanned records

If a server fails or ransomware encrypts files, a green backup dashboard is not enough. The practice needs to know that the right data can be restored, opened, and used.

Ask your IT provider:

What was the date of the last restore test?

What was restored?

Did the restored data include PMS data and imaging data?

Was the test documented?


Backups are not just an IT checkbox. They protect chair flow, patient data, claims, and the practice’s ability to operate after a disruption.

Question 2: Is MFA active where it matters most?

Multi-factor authentication, or MFA, means a password is not the only thing protecting an account. There is a second step, such as an authenticator app, security key, or another approved factor.

For dental practices, start with four places:

Email

Remote access

Admin accounts

Cloud systems

Email matters because the front desk receives messages from patients, insurers, labs, referral partners, vendors, and staff all day. If email is compromised, an attacker may be able to impersonate the practice, read sensitive messages, and reset passwords for other systems.

Remote access matters because any path into the office network, including the remote-support tools your IT provider and your PMS or imaging vendors use, needs stronger protection than a password alone.

Admin accounts matter because they can install software, change settings, manage users, and touch backups.

Cloud systems matter because Microsoft 365, Google Workspace, patient communication tools, payment platforms, analytics, and other cloud services may hold patient or business data.


HIPAA is risk-based, and this post is not legal advice. From a practical dental IT perspective, MFA is one of the strongest baseline controls for protecting patient data, reducing account takeover risk, and answering common cyber insurance and security review questions.

Question 3: Does every user have a unique login?

This is one of the least glamorous security questions, and one of the most important.

In a busy dental office, shared logins can feel convenient. One front desk account. One operatory account. One shared admin password. One login that "everyone knows."

The problem is accountability.

If a patient record is accessed, a claim is changed, a file is deleted, or a setting is modified, the practice needs to know who did what. Shared accounts make that difficult or impossible.

Unique logins help you:

Track activity

Remove access when someone leaves

Limit each person to the access they actually need

Separate admin rights from daily-use accounts

Reduce the chance that one exposed password affects the whole practice

Ask for a current user list. Then ask:

Does every active employee have their own account?

Have former employees been disabled?

Are admin accounts separate from everyday accounts?

Are shared accounts documented, limited, and being phased out where possible?


If you only do one thing after reading this post, ask for the current user list. It is a simple document, but it tells you a lot about whether access is actually being managed.
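Once you have that user list as an export from Microsoft 365, Google Workspace, or the PMS itself, the checks behind Questions 2 and 3 can be run in one pass. The script below is an added example, not REZ Cyber's tooling or any vendor's: it assumes a CSV export with the columns shown and a separate HR roster of active staff, and the sample rows, names, the column names, and the "(admin)" naming convention for a person's separate admin login are all constructed for illustration.

```python
"""Access review over a constructed user export (Questions 2 and 3).

Added example, not REZ Cyber's tooling. Assumed input: a CSV export of
accounts from the identity system (or the PMS) with the columns below, and
an HR roster of active staff. Rows, names and columns are constructed.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed export: one row per account. Real exports will differ.
ACCOUNT_EXPORT = """\
username,display_name,enabled,is_admin,mfa_enrolled,last_login
dr.patel,Anita Patel,yes,no,yes,2026-04-30
dr.patel-admin,Anita Patel (admin),yes,yes,yes,2026-04-02
frontdesk,Front Desk,yes,no,no,2026-05-01
op2,Operatory 2,yes,no,no,2026-05-01
jsmith,Jordan Smith,yes,no,yes,2026-04-29
mlee,Morgan Lee,yes,yes,no,2026-04-28
tnguyen,Taylor Nguyen,yes,no,yes,2025-11-14
rharris,Riley Harris,no,no,no,2025-06-02
itvendor,Vendor Remote Support,yes,yes,no,2026-03-03
"""

# Constructed HR roster: people currently employed by the practice.
ACTIVE_STAFF = {"Anita Patel", "Jordan Smith", "Morgan Lee"}

# Names that usually mean a login shared by several people.
SHARED_PATTERN = re.compile(
    r"(front ?desk|reception|operatory|\bop\d+|hygiene|shared|scanner|x-?ray)",
    re.IGNORECASE,
)
# Assumed convention: a person's separate admin login is named "<Name> (admin)".
ADMIN_SUFFIX = re.compile(r"\s*\(admin\)$", re.IGNORECASE)


@dataclass
class Finding:
    username: str
    issue: str


def review_access(export_csv: str, active_staff: set[str]) -> list[Finding]:
    """Return one Finding per access problem visible in the export."""
    rows = [r for r in csv.DictReader(io.StringIO(export_csv))
            if r["enabled"].strip().lower() == "yes"]   # disabled accounts are fine
    owner_of = {r["username"]: ADMIN_SUFFIX.sub("", r["display_name"]) for r in rows}
    # People who already have a non-admin login for everyday work.
    has_daily_login = {owner_of[r["username"]] for r in rows
                       if r["is_admin"].strip().lower() != "yes"}
    findings: list[Finding] = []
    for r in rows:
        user, owner = r["username"], owner_of[r["username"]]
        is_admin = r["is_admin"].strip().lower() == "yes"
        has_mfa = r["mfa_enrolled"].strip().lower() == "yes"
        shared = bool(SHARED_PATTERN.search(user) or SHARED_PATTERN.search(r["display_name"]))

        # Question 3: every user needs a unique login.
        if shared:
            findings.append(Finding(user, "shared or generic login"))
        # Question 3: former employees and unexplained vendor accounts should be disabled.
        elif owner not in active_staff:
            findings.append(Finding(user, "enabled but not on the active staff roster"))
        # Question 2: MFA on admin accounts first, then everyone else.
        if not has_mfa:
            findings.append(Finding(user, "admin account without MFA" if is_admin
                                    else "no MFA enrolled"))
        # Question 3: admin rights should not sit on a person's everyday account.
        if is_admin and owner in active_staff and owner not in has_daily_login:
            findings.append(Finding(user, "admin rights on this person's only login"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group flagged usernames by issue, for the conversation with IT."""
    summary: dict[str, list[str]] = {}
    for f in findings:
        summary.setdefault(f.issue, []).append(f.username)
    return summary


if __name__ == "__main__":
    for issue, users in summarize(review_access(ACCOUNT_EXPORT, ACTIVE_STAFF)).items():
        print(f"{issue}: {', '.join(users)}")
```

On the constructed export this flags the two shared operatory and front desk logins, a former employee and a vendor support account that are still enabled, two admin accounts with no MFA, and one person whose only login carries admin rights; the disabled account and the doctor with a separate admin login produce nothing. The roster comparison is the step most offices skip: the export alone cannot tell you who has left.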

Question 4: Is all dental data included in backup scope?

This is where dental practices are different from many other small businesses.

Your important data may not live in one clean folder.

The practice management database may be in one place.

Imaging files may be somewhere else.

CBCT, DICOM, intraoral images, and exports may have their own locations.

Scanned documents, attachments, templates, and patient pictures may sit in separate folders.

Server configuration and application data may matter for recovery.

That is why "we back up the server" is not always a complete answer.

The better question is: what data is in scope, and how do we know?

Your practice should be able to map backup scope to real dental workflows:

Can we recover the schedule?

Can we recover patient records?

Can we recover X-rays and intraoral images?

Can we recover CBCT or DICOM data where applicable?

Can we recover attachments, scanned documents, and exports?

Can we restore enough of the environment to actually operate?


Assumption is the dangerous word. Dental practices need backup evidence, not backup assumptions.
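Questions 1 and 4 come down to the same evidence: a scope map from dental workflows to the places their data actually lives, and a dated restore test that proves the mapped data came back and opened. The script below is an added example, not code from REZ Cyber or from any PMS or imaging vendor. It builds a small constructed practice data tree in a temporary directory, runs a backup job that captures only part of it, checks the backup manifest against the scope map, restores, verifies file hashes and opens the restored database, and returns a dated report. The folder layout, the SQLite stand-in for the PMS database (real systems use their own database engines, so the "does it open" step would use the vendor's application or database tools), and the scope map are assumptions.

```python
"""Backup scope and restore evidence (Questions 1 and 4).

Added example, not REZ Cyber's or any PMS/imaging vendor's tooling. Paths,
the SQLite stand-in for the PMS database and the scope map are assumptions.
"""
import hashlib
import json
import os
import shutil
import sqlite3
import tempfile
from datetime import date

# Assumed scope map: each workflow the practice must recover -> where its data lives.
SCOPE = {
    "schedule and charting": ["PMS/practice.db"],
    "x-rays and intraoral images": ["Images/Xray"],
    "CBCT / DICOM": ["Images/CBCT"],
    "scanned documents and attachments": ["Documents/Scanned"],
}
PMS_DB = "PMS/practice.db"


def build_sample_practice(root: str) -> None:
    """Create a constructed data tree: a tiny PMS database plus imaging and document files."""
    os.makedirs(os.path.join(root, "PMS"))
    con = sqlite3.connect(os.path.join(root, PMS_DB))
    con.execute("CREATE TABLE appointment(id INTEGER PRIMARY KEY, patient TEXT, starts TEXT)")
    con.executemany("INSERT INTO appointment(patient, starts) VALUES (?, ?)",
                    [("P-001", "2026-05-05 09:00"), ("P-002", "2026-05-05 09:30")])
    con.commit()
    con.close()
    for rel, payload in [("Images/Xray/P-001_bw.dcm", b"constructed bitewing"),
                         ("Images/CBCT/P-002_scan.dcm", b"constructed CBCT volume"),
                         ("Documents/Scanned/P-001_consent.pdf", b"constructed consent form")]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(payload)


def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def run_backup(src: str, dst: str, include: tuple) -> dict:
    """Copy only the included folders and return a manifest {relative path: sha256}."""
    os.makedirs(dst, exist_ok=True)
    manifest = {}
    for folder in include:
        for dirpath, _, files in os.walk(os.path.join(src, folder)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, src).replace(os.sep, "/")
                target = os.path.join(dst, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)
                manifest[rel] = sha256_file(full)
    return manifest


def check_scope(manifest: dict, scope: dict = SCOPE) -> dict:
    """Question 4: which workflows have data the backup never captured."""
    gaps = {}
    for workflow, paths in scope.items():
        missing = [p for p in paths
                   if not any(rel == p or rel.startswith(p + "/") for rel in manifest)]
        if missing:
            gaps[workflow] = missing
    return gaps


def verify_restore(restored: str, manifest: dict) -> dict:
    """Question 1: restored files match their hashes and the PMS database actually opens."""
    mismatched = [rel for rel, digest in manifest.items()
                  if not os.path.isfile(os.path.join(restored, rel))
                  or sha256_file(os.path.join(restored, rel)) != digest]
    opens, appointments = False, 0
    try:
        con = sqlite3.connect(f"file:{os.path.join(restored, PMS_DB)}?mode=ro", uri=True)
        appointments = con.execute("SELECT COUNT(*) FROM appointment").fetchone()[0]
        con.close()
        opens = True
    except sqlite3.Error:
        pass  # missing, corrupt, or wrong-schema database all count as "did not open"
    return {"files_verified": len(manifest) - len(mismatched), "mismatched": mismatched,
            "pms_db_opens": opens, "appointments_readable": appointments}


def restore_test(include: tuple = ("PMS", "Images/Xray")) -> dict:
    """End to end: back up, restore, verify, and return the dated report (the evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        prod, backup, restored = (os.path.join(tmp, d) for d in ("prod", "backup", "restored"))
        build_sample_practice(prod)
        manifest = run_backup(prod, backup, include)
        shutil.copytree(backup, restored)  # stand-in for the real restore step
        report = {"test_date": date.today().isoformat(),
                  "files_in_backup": sorted(manifest),
                  "scope_gaps": check_scope(manifest),
                  "restore": verify_restore(restored, manifest)}
    report["pass"] = (not report["scope_gaps"] and not report["restore"]["mismatched"]
                      and report["restore"]["pms_db_opens"])
    return report


if __name__ == "__main__":
    print(json.dumps(restore_test(), indent=2))
```

With the default backup job ("we back up the server" covering the PMS folder and X-rays only) the restore itself succeeds and the database opens, yet the report still fails because CBCT and scanned documents were never in scope: exactly the gap a green backup dashboard hides. Widening the job to the Images and Documents folders turns the same report green. The JSON report, saved with its date, is the documented restore test to ask your IT provider for.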

Question 5: Is there a written incident response plan with vendor contacts?

This does not need to be a giant binder.

For many independent practices, a practical first version is a one-page plan that answers:

Who is the first call?

Who is allowed to make decisions?

Who contacts the PMS vendor?

Who contacts the imaging vendor?

Who contacts the backup provider?

Who contacts cyber insurance or the broker?

Who contacts legal counsel if patient data may be involved?

Where are those phone numbers stored if email is unavailable?

What should staff do first if they see a ransomware note, suspicious lockout, or unexpected encryption message?

During an incident, the office is stressed. Patients are scheduled. Staff are asking what to do. Every minute feels expensive.

That is the wrong time to discover that the backup provider, PMS vendor, imaging vendor, cyber insurance contact, and IT partner have never been coordinated.


Finding out that those contacts were never coordinated is common. It is also fixable.

Score your practice

Count your "yes" answers.


The goal is not fear.

The goal is clarity.

For a dental practice, ransomware readiness should come down to practical evidence:

Can we restore?

Can we control access?

Can we see who did what?

Do we know where patient data lives?

Do we know what to do if something goes wrong?

If those answers are clear, the owner sleeps better, the office manager has less chaos, and the practice has a stronger foundation for protecting patient data and keeping chairs productive.

Download the scorecard

We created a one-page version of this scorecard so you can run it with your office manager, your current IT provider, or your internal team.

Download the free 5-question scorecard →

Want help reviewing your answers?

REZ Cyber offers a Dental HIPAA + Ransomware Readiness Checkup for independent dental practices.

It is a practical review of the controls that protect patient data and keep chairs productive: access, MFA, backups, vendor remote access, imaging dependencies, and incident response.

You walk away with a red/yellow/green view of your readiness, the top gaps to address, and a practical next step. It is not a legal certification. It is an operational readiness review.

Get a Free Dental IT Checkup →

Frequently asked questions

What is dental ransomware readiness?

Dental ransomware readiness is the operational evidence that a dental practice can restore PMS and imaging data, control access to systems, and respond quickly to an incident without avoidable downtime or confusion.

How often should a dental practice test backups?

Restore tests should be performed on a recurring schedule, and each test should be documented with the date, what was restored, and whether it opened. At minimum, the test should confirm that the practice management database opens in the application and that imaging files and key documents are restorable.

Is MFA required for dental practices under HIPAA?

HIPAA is risk-based, and this post is not legal advice. In practical terms, dental practices should treat MFA on email, remote access, admin accounts, and major cloud systems as a baseline safeguard for protecting patient data and reducing account takeover risk.

What dental software locations need to be in a backup?

At minimum, review the PMS database, imaging files, CBCT or DICOM data where applicable, attachments, scanned documents, exported files, templates, and any vendor-specific folders or configuration files needed for recovery.

What should be in a dental incident response plan?

A practical one-page plan should include the first call, decision authority, PMS vendor contact, imaging vendor contact, backup provider, cyber insurance or broker, legal counsel if patient data may be involved, offline contact storage, and first staff actions.

REZ Cyber is a Westchester-based, dental-focused cybersecurity and IT partner serving practices across the New York metro area. We help dental practices keep chairs full and data protected.
