Dental clinics

One ransomware note away from your last Monday morning.

Dental practices are the perfect ransomware target: high-value medical records, full payment data, ageing Windows machines, no dedicated IT security, and a business that can't operate without its scheduling software for more than a day. We find the gaps before attackers turn them into a Monday-morning phone call.

The honest version

Why ransomware groups love dental practices

This isn't opinion - it's what the last three years of Verizon DBIR [4] and IBM breach reports [2] show plainly about small healthcare businesses.

01. Your records are worth more than a credit card.

Medical records sell for up to 50× more on dark-web markets than stolen payment cards, because they contain full identity, health history, and payment data in one file - perfect for identity fraud, insurance fraud, and targeted extortion.

02. Your downtime is unusually expensive.

You can't operate without digital X-rays and scheduling. Every day your systems are encrypted is a day of cancelled appointments, rescheduled patients, lost deposits, and - worst - patients who quietly don't come back. Industry recovery time for ransomware in healthcare SMBs averages multiple weeks.

03. You look like a soft target from the outside.

Most dental clinics run a mix of consumer-grade routers, unpatched Windows, remote-access software for the practice manager, and WordPress booking sites. To a scanner running across every IP range on the public internet, you light up.

The assessment

What we check at your practice

Domain & email security

SPF, DKIM, DMARC configuration. Missing or misconfigured records let attackers send emails that look like they came from your practice - the opening move in most invoice-redirect fraud.

Exposed remote access

Open RDP (port 3389), TeamViewer, AnyDesk, or VNC endpoints reachable from the internet. The single most common ransomware entry point in SMB breaches.

Leaked staff credentials

We check every practice email address against Have I Been Pwned and dark-web breach feeds. One leaked password is usually the whole path in.

Software version exposure

Unpatched Windows, outdated dental practice software (Dentrix, Medicover, custom EMR). Known CVEs are public and actively being scanned for.

Web & CMS vulnerabilities

WordPress, Wix, or custom booking sites often have injectable forms, outdated plugins, or exposed admin panels. Bookings are handled by the same site that's bleeding.

Network perimeter exposure

Open ports, misconfigured firewalls, public-facing services that should be private. We map exactly what the internet can see from your clinic's IP.

The real cost

What a breach actually costs

Up to €20M [1]

GDPR fine

Patient records are personal data under GDPR. Late breach notification (the window is 72 hours - GDPR Art. 33) or inadequate safeguards can trigger fines from your data-protection authority. Healthcare enforcement actions are published across the EU; it's not hypothetical.

$3.31M average [2]

Incident cost

That's the IBM 2024 average cost of a breach for organisations under 500 employees. Legal, notification, remediation, and lost business combined. The clinic-specific number is typically lower, but rarely under €100k once GDPR counsel and patient-notification logistics are included.

Referral-driven

Reputation

A single breach-notification letter sent to your patient list is the business-ending event in a referral-driven practice. Unlike enterprise, you don't have a PR firm to absorb the story. Recovery of trust takes years - if it happens.

See what a real report looks like

Here's what a pre-scan report for a dental clinic actually contains

We've redacted the name and domain. Everything else is the real output - the findings, the severity scoring, the prioritised action list, and the plain-English explanation your practice manager can hand to your IT provider on the same day.

Deliverables

What you receive

Every clinic that orders the full assessment gets the same package - no tiers, no upsells, no "enterprise only" features held back.

  • Executive PDF report in plain English (Polish version on request) - no jargon
  • Full vulnerability list with severity scores (Critical / High / Medium / Low) and CVSS where applicable
  • Prioritised remediation plan your IT provider can action directly
  • Email security configuration guide for your domain (SPF, DKIM, DMARC)
  • Credential exposure report - affected email addresses, which breaches they appeared in, dates
  • External network map - exactly what the internet can see from your clinic’s IP
  • 30-minute debrief call with the assessor to walk through findings

Questions dental owners ask us

Dental-clinic objections, answered

“We use a practice management software that’s hosted in the cloud - isn’t that the vendor’s problem?”

Partially. The vendor is responsible for their infrastructure. You are responsible for the accounts that access it, the devices those accounts log in from, and the staff email addresses those credentials are tied to. We check exactly those - the parts the vendor explicitly doesn’t cover.

“We’ve never had a breach. Is this really necessary?”

Most breaches are discovered months after they happen - IBM’s 2024 research puts mean time to identify at 194 days. The relevant question is not “have we been breached” but “would we even know.” The pre-scan answers that in 24 hours. For free.

“If you find something serious, do we have to hire you to fix it?”

No. The assessment tells you what’s wrong and what to fix. Your IT provider, or any cybersecurity firm, can do the remediation. We can refer you to partners we trust if you don’t have an IT provider, but there’s no lock-in.

Get a free pre-scan for your clinic

You send us your domain name. We tell you in 24 hours what an attacker sees. If that's nothing serious, you keep the report and we disappear. If it's serious, you get a fixed-price proposal - no pressure, no subscription.

No credit card. No access to your systems. No recurring fees.

Sources

  1. GDPR Art. 83 - administrative fines (eur-lex.europa.eu)
  2. IBM Cost of a Data Breach Report 2024 (ibm.com/reports/data-breach)
  3. GDPR Art. 33 - 72-hour breach notification (eur-lex.europa.eu)
  4. Verizon Data Breach Investigations Report 2024 (verizon.com/dbir)