Dental clinic cybersecurity is not an enterprise SOC - it is six practical habits: MFA on the practice-management system (CGM, Estomed, Kamsoft) and email, regular software updates, encrypted backup of medical records with an offline copy, segmenting X-ray devices from the reception network, brief team training on Polish-context phishing (fake NFZ emails), and one external vulnerability assessment per year. 80% protection in one week of work and under PLN 8,000 annually.
1. Why dental clinics are targeted
Three reasons dental clinics are over-represented among Polish SMB victims:
Market value of medical records. IBM Cost of a Data Breach 2024 puts the dark-web price of a full medical record at USD 250-500 per patient - roughly 50× a stolen credit card. A 500-patient practice represents around USD 100K in attacker revenue potential.
Time pressure. Encrypted medical records mean no appointments. A clinic can run in emergency mode for 1-3 days at most, then loses patients and revenue. Attackers know ransom payment comes faster here than in other industries.
Low baseline cyber hygiene. Most Polish dental practices lack in-house IT. The external technician shows up “when something breaks”, not preventively. MFA is not standard. RDP exposed for the manager’s remote work is common.
CERT Polska recorded dozens of confirmed ransomware incidents in the Polish healthcare sector in 2024; the report does not break down by entity type, but incident-response firms point to dental and aesthetic clinics as a top reporting category.
2. Three defence layers - applied to the dental clinic
Same three-layer model (access, data, anti-fraud), with dental specifics.
Layer 1 - Access to the practice-management system
MFA on the main CGM/Estomed/Kamsoft Dent account, MFA on business email (fake NFZ phishing is the most common Polish entry vector), monthly vendor patches with critical CVEs deployed within 7 days, separate logins for every employee (no shared “dentist1” account), 12-character passwords, 5-minute screen lock.
Layer 2 - Data: records and imaging
3-2-1 backup of medical records (three copies, on two different media, one off-site) with one offline copy that ransomware on the clinic network cannot reach. RPO ≤24h (at most one day of records lost), RTO ≤72h (records usable again within three days). Monthly restore test of one patient card + one X-ray. X-ray and CBCT devices on a separate VLAN, because they typically run unpatched Windows. Patient Wi-Fi on a fully separate guest network. BitLocker at rest on every workstation.
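A small script that exercises the two backup checks above, the RPO window and the monthly restore test, as an added example that is not part of the original page or of any vendor's product. It archives a records folder with an embedded SHA-256 manifest, flags the backup set if the newest archive is older than 24 hours, and restores one file into a scratch directory to compare it against the manifest. Every path, file name and file content below is constructed for the demo; pointing it at a real records export and a NAS share is the reader's adaptation.

```python
# Added example, not part of the original page: a minimal backup-freshness and
# restore-test check for a records folder. It writes records-<timestamp>.tar.gz
# with a MANIFEST.sha256 member inside, checks the newest archive against the
# page's RPO <= 24h target, and performs the "restore one file" test.
# Directory names, file names and file contents are constructed for the demo.
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional

RPO_SECONDS = 24 * 3600  # the page's target: at most 24 hours of lost records


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_dir: Path) -> Path:
    """Archive every file under source into dest_dir/records-<timestamp>.tar.gz.
    The manifest travels inside the archive, so a later restore can be verified
    without trusting the (possibly compromised) live workstation."""
    manifest = {p.relative_to(source).as_posix(): sha256_of(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    archive = dest_dir / f"records-{time.strftime('%Y%m%dT%H%M%S')}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        data = "\n".join(f"{h}  {rel}" for rel, h in manifest.items()).encode()
        info = tarfile.TarInfo("MANIFEST.sha256")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return archive


def backup_age_ok(dest_dir: Path, now: Optional[float] = None) -> bool:
    """RPO check: the newest archive must be younger than RPO_SECONDS."""
    archives = sorted(dest_dir.glob("records-*.tar.gz"), key=lambda p: p.stat().st_mtime)
    if not archives:
        return False
    now = time.time() if now is None else now
    return now - archives[-1].stat().st_mtime <= RPO_SECONDS


def restore_test(archive: Path, member: str) -> bool:
    """Restore one member into a scratch directory and compare its hash with
    the manifest inside the archive. False for a missing or altered file."""
    with tarfile.open(archive, "r:gz") as tar, tempfile.TemporaryDirectory() as tmp:
        lines = tar.extractfile("MANIFEST.sha256").read().decode().splitlines()
        expected = {rel: h for h, rel in (line.split("  ", 1) for line in lines)}
        if member not in expected:
            return False
        target = Path(tmp) / member
        target.parent.mkdir(parents=True, exist_ok=True)
        with tar.extractfile(member) as src, target.open("wb") as out:
            out.write(src.read())
        return sha256_of(target) == expected[member]


def demo_roundtrip() -> dict:
    """Constructed run: one fake patient folder, one backup, restore tests."""
    src = Path(tempfile.mkdtemp(prefix="records-"))
    nas = Path(tempfile.mkdtemp(prefix="nas-"))
    (src / "patient-0001").mkdir()
    (src / "patient-0001" / "card.txt").write_bytes(b"constructed patient card")
    (src / "patient-0001" / "xray.bin").write_bytes(bytes(range(256)))
    archive = make_backup(src, nas)
    return {
        "fresh": backup_age_ok(nas),
        "stale_after_3_days": backup_age_ok(nas, now=time.time() + 3 * RPO_SECONDS),
        "card_restores": restore_test(archive, "patient-0001/card.txt"),
        "xray_restores": restore_test(archive, "patient-0001/xray.bin"),
        "missing_file": restore_test(archive, "patient-0001/missing.txt"),
    }


if __name__ == "__main__":
    print(demo_roundtrip())
```

The offline copy from the 3-2-1 rule is deliberately outside this script: an archive that a scheduled job can write to is, by definition, one that ransomware running under the same account can overwrite, so the third copy is rotated to a disconnected disk or an immutable cloud bucket by hand or by a separate credential.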
Layer 3 - Anti-fraud
Polish-specific phishing patterns: “fake NFZ” (impersonating the National Health Fund), “fake Police” demanding patient data. SPF + DKIM + DMARC on the clinic domain (p=reject after 4-8 weeks of report collection). Written procedure for transfer verification via a second channel. Annual 3-hour team training + bi-monthly phishing simulations targeting <5% click rate after 12 months.
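The DMARC rollout described above (p=reject only after weeks of report collection) is a decision made from the aggregate reports that the rua address receives. The following is an added example, not code from the page or from any vendor: it parses an aggregate report in the RFC 7489 XML layout, computes the share of mail that passed aligned DKIM or SPF, lists the sources that failed, and recommends moving the policy one step at a time. The report contents, the domain klinika.example, the IP addresses and the 98% readiness threshold are constructed assumptions for the demo.

```python
# Added example, not part of the original page: reading a DMARC aggregate (rua)
# report for the clinic domain and deciding whether to tighten the policy
# p=none -> quarantine -> reject. The report XML, the domain klinika.example,
# the IP addresses and the 98% readiness threshold are constructed assumptions.
import xml.etree.ElementTree as ET

READY_THRESHOLD = 0.98  # assumed: tighten only when >= 98% of mail is aligned

# Constructed sample in the RFC 7489 aggregate-report layout: one legitimate
# sender (the practice mail server) and one source that fails both checks.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>klinika.example</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>klinika.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>klinika.example</header_from></identifiers>
  </record>
</feedback>"""


def summarize_report(xml_text: str) -> list:
    """One dict per <record>: source IP, message count, and whether the mail
    passed DMARC alignment (an aligned DKIM or an aligned SPF pass is enough)."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "aligned": pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass",
        })
    return rows


def pass_rate(rows: list) -> float:
    total = sum(r["count"] for r in rows)
    return 0.0 if total == 0 else sum(r["count"] for r in rows if r["aligned"]) / total


def unaligned_sources(rows: list) -> list:
    """IPs sending unaligned mail. Check each before p=reject: a forgotten
    legitimate sender (e.g. an appointment-reminder service) would start being
    rejected; anything else is spoofing that the stricter policy will stop."""
    return [r["ip"] for r in rows if not r["aligned"]]


def recommend_policy(current: str, rate: float) -> str:
    """Move one rung at a time; never downgrade automatically."""
    ladder = ["none", "quarantine", "reject"]
    i = ladder.index(current)
    if i < len(ladder) - 1 and rate >= READY_THRESHOLD:
        return ladder[i + 1]
    return current


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=none; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def dmarc_record_issues(tags: dict) -> list:
    """Sanity checks on the published record before relying on it."""
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("not-dmarc1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("missing-policy")
    if not tags.get("rua"):
        issues.append("missing-rua")  # no rua means no reports to base the rollout on
    if tags.get("pct", "100") != "100":
        issues.append("pct-below-100")  # a partial policy leaves some spoofed mail through
    return issues


if __name__ == "__main__":
    rows = summarize_report(SAMPLE_REPORT)
    print(f"pass rate {pass_rate(rows):.1%}, unaligned sources {unaligned_sources(rows)}")
    print("next policy:", recommend_policy("none", pass_rate(rows)))
```

In the constructed sample the pass rate is 93.3%, so the script keeps p=none and points at 198.51.100.7 for investigation; the same run on the clinic's real weekly reports is what tells the owner when the 4-8 week collection period has actually done its job.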
3. Compliance specifics
GDPR Article 9. Medical data = special category. Patient consent (treatment + separately for photo publication), information clauses, processing register, DPAs with the practice-management vendor, 20-year retention for medical records.
Medical secrecy (Polish Act on Physician Professions, Article 40). Parallel regime to GDPR. Violation of both = double liability (administrative + professional before the medical chamber).
NIS2 - almost never applies. Solo or 1-3 chair practices are out. A 10+ chair network with 50+ staff may qualify - run the scope test in the NIS2/UKSC pillar.
Not needed for a solo practice: ISO 27001 (only if a corporate client demands it), full SOC, dedicated SIEM, full-time security staff.
4. Budget
Annual ranges for a typical 1-4 chair practice, 1-5 staff, 2026 PLN, gross:
- 0-1,000 PLN/year: MFA on all accounts (free in Google Workspace or Microsoft 365), SPF/DKIM/DMARC, BitLocker, written policy.
- 1,000-3,000 PLN/year: Microsoft 365 Business Premium (~25-30 PLN/user/month, includes EDR), 2-bay NAS one-time 2,000-3,000 PLN, immutable cloud backup 50-150 PLN/month.
- 3,000-8,000 PLN/year: Annual CyberAudyt CyberCerber vulnerability assessment, phishing simulator, cyber insurance 1,000-3,000 PLN.
- Above 8,000 PLN/year: Multi-chair clinic. CyberAudyt or Pentest, retained SOC, DPO outsourcing (800-2,500 PLN/month).
5. 30-60-90 day plan
Weeks 1-2: Account inventory, MFA, domain breach check in Have I Been Pwned. Weeks 3-4: Backup 3-2-1, BitLocker, vendor patch schedule. Weeks 5-8: X-ray VLAN segmentation, guest Wi-Fi, SPF/DKIM/DMARC, written transfer-verification procedure, team briefing. Weeks 9-12: External vulnerability assessment (CyberAudyt CyberCerber), remediation of critical findings in 7 days, calendar entry for the annual audit.
After 90 days: three defence layers, GDPR Article 32 documentation, written incident-response plan.
6. CyberCerber for dental clinics
Fixed-price external vulnerability assessment for Polish SMB dental clinics, with a Polish-language report readable by the dentist-owner, not just IT. Three products: PreScan (free diagnostic in 24 hours, nothing to install), CyberAudyt (full vulnerability assessment, report in 5 business days), Pentest (for larger clinic networks and regulated entities). Guarantee on CyberAudyt: if the report does not surface at least three actionable findings, full refund.