
Dental clinics

Your dental practice handles patient records every day. We make sure attackers can't.

A fixed-price dental clinic cybersecurity assessment. We check your practice system, X-ray station, email and booking - exactly where an attacker looks for a way in. Free PreScan in 24 hours, full report in 5 business days. No IT department required on your end.

Book a free pre-scan

We know the systems your clinic runs on

  • Dentrix
  • Eaglesoft
  • Open Dental
  • Curve Dental
  • Dentimax
  • WaveRTE
  • Romexis
  • Carestream
  • DEXIS

The honest version

Why ransomware groups love dental practices

This isn't opinion - it's what the last three years of the Verizon DBIR [4] and IBM breach reports [2] show plainly about small healthcare businesses.

01. Your records are worth more than a credit card.

Medical records sell for up to 50× more on dark-web markets than stolen payment cards, because they contain full identity, health history, and payment data in one file - perfect for identity fraud, insurance fraud, and targeted extortion.

02. Your downtime is unusually expensive.

You can't operate without digital X-rays and scheduling. Every day your systems are encrypted is a day of cancelled appointments, rescheduled patients, lost deposits, and - worst - patients who quietly don't come back. Industry recovery time for ransomware in healthcare SMBs averages multiple weeks.

03. You look like a soft target from the outside.

Most dental clinics run a mix of consumer-grade routers, unpatched Windows, remote-access software for the practice manager, and WordPress booking sites. To a scanner running across every IP range on the public internet, you light up.

The assessment

What we check at your practice

Practice-management system exposure

We check whether your practice software (Dentrix, Eaglesoft, Open Dental, Curve Dental, Dentimax) is reachable from the internet - through open RDP, TeamViewer or AnyDesk. An exposed practice system is the most common ransomware entry point.

X-ray & imaging systems (PACS)

X-ray, panoramic and CBCT workstations (Romexis, Carestream, DEXIS, Vatech) often run on ageing Windows on the same network as reception. We check they are not internet-facing and are segmented from the rest of the clinic.

Email security (SPF/DKIM/DMARC)

We check the SPF, DKIM and DMARC configuration for your domain (e.g. info@my-clinic.com). Without them, anyone can send a patient or your bookkeeper an email that looks like it came from you - the opening move in invoice-redirect fraud.
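As an added illustration of what this check involves (example code written for this page, not the assessor's own tooling), the script below parses SPF and DMARC TXT records and flags the settings a domain spoofer benefits from: no DMARC record or a p=none policy, an SPF record ending in +all or ?all, and no aggregate-report (rua) address. The domains and records are constructed samples; for a live check you would replace the lookup with a DNS query.

```python
"""Parse SPF and DMARC TXT records and flag weak settings.

Added example, not the assessor's tooling. All domains and records below are
constructed samples for a hypothetical clinic.
"""
import re

# Constructed TXT records keyed by DNS name (what a TXT query would return).
SAMPLE_TXT = {
    "my-clinic.example": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.my-clinic.example": ["v=DMARC1; p=none; rua=mailto:dmarc@my-clinic.example"],
    "weak-clinic.example": ["v=spf1 +all"],          # no _dmarc record at all
    "good-clinic.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.good-clinic.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good-clinic.example; pct=100"],
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(records):
    """Return (severity, message) findings for the SPF TXT strings of a domain."""
    findings = []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record: any host may send mail as this domain")]
    if len(spf) > 1:
        findings.append(("high", "multiple SPF records: receivers treat this as a permanent error"))
    terms = spf[0].split()
    # The 'all' mechanism decides what happens to senders not listed earlier.
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t)), None)
    if all_term is None or all_term in ("+all", "all"):
        findings.append(("high", "SPF ends in +all or has no all mechanism: every sender passes"))
    elif all_term == "?all":
        findings.append(("medium", "SPF ends in ?all (neutral): unknown senders are not rejected"))
    elif all_term == "~all":
        findings.append(("low", "SPF ends in ~all (softfail): acceptable with DMARC, -all is stricter"))
    return findings


def assess_dmarc(records):
    """Return (severity, message) findings for the _dmarc TXT strings of a domain."""
    findings = []
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return [("high", "no DMARC record: spoofed mail from this domain is not rejected")]
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("high", "DMARC p=none: spoofing is reported but still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "DMARC p=quarantine: move to p=reject once reports are clean"))
    elif policy != "reject":
        findings.append(("high", f"DMARC policy '{policy}' is missing or invalid"))
    if "rua" not in tags:
        findings.append(("medium", "no rua= address: aggregate reports are not being collected"))
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(("medium", f"pct={pct}: the policy applies to only {pct}% of mail"))
    return findings


def assess_domain(domain, lookup=SAMPLE_TXT.get):
    """Assess one domain. `lookup(name)` returns that name's TXT strings (default: samples)."""
    return assess_spf(lookup(domain) or []) + assess_dmarc(lookup("_dmarc." + domain) or [])


if __name__ == "__main__":
    for d in ("my-clinic.example", "weak-clinic.example", "good-clinic.example"):
        results = assess_domain(d) or [("ok", "no SPF/DMARC weaknesses found")]
        for sev, msg in results:
            print(f"{d}: [{sev}] {msg}")
```

To run this against a real domain, pass a `lookup` that performs the TXT query (for example a small wrapper around dnspython's `dns.resolver.resolve(name, "TXT")`, an assumption about your environment rather than something the page prescribes). DKIM is deliberately not covered here: its public keys live under `<selector>._domainkey.<domain>`, so you can only verify them once you know which selectors your mail provider uses.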

Staff passwords & shared logins

We check practice email addresses against breach feeds (Have I Been Pwned and dark-web), plus the common clinic pattern of one shared reception login. One leaked password is usually the whole path into patient records.

Booking & payment exposure

Your online booking system (custom, WordPress, or third-party) and its payment-processor integration put patient data and money in one place. We look for injectable forms, outdated plugins and exposed admin panels.

Backup accessibility & 3-2-1

Whether your record backup is reachable from the internet (and therefore by ransomware), whether an offline or immutable copy exists, and whether it meets the 3-2-1 rule. A backup nobody has tested is not a backup - it is hope.

The real cost

What a breach actually costs

Up to $2.07M [1]

HIPAA penalty

Patient records are ePHI under HIPAA. A breach triggers OCR investigation; penalties range from $137 to $2.07M per violation category. OCR issued $6.6M in fines in 2025 alone — dental practices are not exempt. Inadequate risk analysis is the most cited violation.

$3.31M average [2]

Incident cost

That's the IBM 2024 average cost of a breach for organisations under 500 employees. Legal, notification, remediation, and lost business combined. The clinic-specific number is typically lower, but rarely under $100k once HIPAA counsel and patient-notification logistics are included.

Referral-driven

Reputation

A single breach-notification letter sent to your patient list is the business-ending event in a referral-driven practice. Unlike enterprise, you don't have a PR firm to absorb the story. Recovery of trust takes years - if it happens.

How it plays out in practice

Five ways a dental clinic gets hit

None of these require you to be an "interesting" target. They all start with something a scan finds in the first few hours.

  1. Ransomware via open RDP

    The manager works from home, so the clinic PC is exposed to the internet. A bot finds it within hours, brute-forces a weak password, and encrypts the entire record system. The ransom note is on the reception screen on Monday morning.

  2. Phishing the front desk

    Reception receives an email dressed up as an insurer notice or an e-invoice. One click installs malware or harvests the practice-system password. Reception clicks dozens of emails a day - it is the weakest link.

  3. Invoice fraud (BEC)

    Without proper DMARC, an attacker spoofs your domain and emails your bookkeeper or supplier with a 'changed account number.' The money leaves before anyone notices. The most common real financial loss in SMBs.

  4. X-ray station exposed to the internet

    The PC driving the panoramic or CBCT unit, connected to the network for remote servicing, is publicly visible. The attacker walks into the clinic network through it - bypassing reception and every "defence" you thought you had.

  5. Booking-system credential leak

    The online-booking password leaks in another vendor breach. Because the team reuses the same password everywhere, the attacker logs into the appointment calendar - and from there, every patient contact detail.

See what a real report looks like

Here's what a PreScan report for a dental clinic actually contains

We've redacted the name and domain. Everything else is the real output - the findings, the severity scoring, the prioritised action list, and the plain-English explanation your practice manager can hand to your IT provider on the same day.

Deliverables

What you receive

Every clinic that orders the full assessment gets the same package - no tiers, no upsells, no "enterprise only" features held back.

  • Executive PDF report in plain English - no jargon, written for the practice owner
  • Full vulnerability list with severity scores (Critical / High / Medium / Low) and CVSS where applicable
  • Prioritised remediation plan your IT provider can action directly
  • Email security configuration guide for your domain (SPF, DKIM, DMARC)
  • Credential exposure report - affected email addresses, which breaches they appeared in, dates
  • External network map - exactly what the internet can see from your clinic’s IP
  • 30-minute debrief call with the assessor to walk through findings

Pricing

Fixed price, visible up front

You start free. You only pay if there is something to fix. The CyberAudyt price is fixed - regardless of how many workstations or locations you run.

Start here

PreScan

Free

results in 24 h

Passive external scan of your clinic. We show what is visible from the internet - with zero access on your end. Answers the question "is there even anything to worry about."

Most popular

CyberAudyt

$900

report in 5 business days

Full external assessment with manual verification: practice system, X-ray/PACS, email, booking, backup. Plain-language report with prioritised fixes and a 30-minute call. Fixed price regardless of how many workstations you run.

Re-scan after fixes

50% off

once remediation is done

After you close the gaps, we re-check that the fixes actually worked - at half the CyberAudyt price for clinics that already completed one. Proof, for you and your patients, that the holes are shut.

Fixed price - no hourly billing, no surprises. Larger clinic groups, or when a corporate client requires it: a full penetration test is also available.

Guarantee: if CyberAudyt doesn't surface at least 3 actionable findings, you pay nothing.

Questions dental owners ask us

Dental-clinic objections, answered

"Does HIPAA require a security assessment for a dental practice?"
Yes. The HIPAA Security Rule (45 CFR § 164.308(a)(1)) requires covered entities to conduct an accurate and thorough risk analysis of threats to ePHI. An external vulnerability assessment is the most efficient way to satisfy that requirement and document it — before an OCR audit asks for it.
"Can you assess our Dentrix or Eaglesoft software?"
Yes. We check whether Dentrix, Eaglesoft, Open Dental, Curve Dental, or Dentimax are reachable from the internet and how remote access to them is configured. We do not read patient records - we assess the attack surface, meaning what is visible from outside.
"Will the test disrupt the clinic?"
No. The PreScan is passive - it only reads what your systems already publish to the internet. No logins, no installed agents, no network load. The clinic runs normally and patients notice nothing.
"How long does a scan take with 5 workstations?"
The PreScan itself is tens of minutes of scanning plus a manual review - you get the report within 24 hours. A full CyberAudyt is delivered as a report in 5 business days, whether you have 5 workstations or 25. The price is fixed too.
"If you find a gap - how much does fixing it cost?"
It depends on the gap. Most clinic findings are configuration your IT person fixes in a few hours (enabling MFA, closing RDP, fixing DMARC) - close to zero cost. The report always gives priority and estimated effort so you know what to fix first.
"What does the report look like?"
The CyberAudyt report is written for the practice owner, not the IT person: an executive summary, a prioritised findings list with severity ratings (Critical / High / Medium / Low), a remediation plan, and a separate technical section for your IT provider or MSP.
"Does the test cover the X-ray system?"
Yes - from the network side. We check whether the X-ray, panoramic or CBCT station (Romexis, Carestream, DEXIS, Vatech) is visible from the internet and whether it is segmented from the reception network. It is one of the most overlooked points in a dental practice.
"Can I take part in the test within my professional ethics as a clinician?"
Yes. We assess only internet-facing infrastructure - we need no access to medical records or patient data. This does not breach medical confidentiality; on the contrary, it helps protect it in line with your duty to secure that data.
"We use practice-management software that's hosted in the cloud - isn't that the vendor's problem?"
Partially. The vendor is responsible for their infrastructure. You are responsible for the accounts that access it, the devices those accounts log in from, and the staff email addresses those credentials are tied to. We check exactly those - the parts the vendor explicitly doesn't cover.
"We've never had a breach. Is this really necessary?"
Most breaches are discovered months after they happen - IBM's 2024 research puts mean time to identify at 194 days. The relevant question is not 'have we been breached' but 'would we even know.' The PreScan answers that in 24 hours. For free.
"If you find something serious, do we have to hire you to fix it?"
No. The assessment tells you what's wrong and what to fix. Your IT provider, or any cybersecurity firm, can do the remediation. We can refer you to partners we trust if you don't have an IT provider, but there's no lock-in.

Get a free PreScan for your clinic

You send us your domain name. We tell you in 24 hours what an attacker sees. If that's nothing serious, you keep the report and we disappear. If it's serious, you get a fixed-price proposal - no pressure, no subscription.

No credit card. No access to your systems. No recurring fees.

Sources

  1. HIPAA Civil Monetary Penalties — HHS OCR enforcement tiers and penalty caps (hhs.gov)
  2. IBM Cost of a Data Breach Report 2024 (ibm.com/reports/data-breach)
  3. HIPAA Breach Notification Rule — 60-day HHS notification requirement (hhs.gov)
  4. Verizon Data Breach Investigations Report 2024 (verizon.com/dbir)