
Backup Solutions Every Dental Office Should Consider

Dental offices run on Dentrix, Eaglesoft, and digital X-rays — and ransomware crews know it. Here's the backup playbook every Oklahoma dental practice should be running.

By Great Plains Networking

Tags: dental office backup, Dentrix backup, Eaglesoft backup, HIPAA compliance, ransomware recovery, Oklahoma dental IT

Talk to any dental office manager in Norman or Moore who has lived through a real backup failure and you will hear the same sentence: "I thought it was running." The practice management database has been "backed up" nightly for years — except nobody has ever tested a restore, the backup target was on the same server that got encrypted, and the imaging files were never actually included. A dental practice without a working backup is a one-bad-Monday business.

This article walks through what makes dental data unique, why ransomware crews specifically target dental offices, the 3-2-1 backup rule applied to a real practice, and what to look for in a backup solution — all with HIPAA in the back of your mind.

What dental practices actually need to back up

The temptation is to think of the backup as "the database." In a dental office, it is much more than that:

  • Practice management database — Dentrix, Eaglesoft, Open Dental, Curve, Denticon. This is the patient ledger, the schedule, the insurance history, the treatment plans. The PM data lives in whatever database engine the vendor chose (Microsoft SQL Server, SQL Anywhere, MySQL/MariaDB and c-tree all appear in this market), usually on a server in the back office, and the backup has to understand that engine, not just copy its files.
  • Imaging and X-ray data — Dexis, Carestream, Sirona, Apteryx, Romexis, Planmeca. Imaging files are often stored separately from the PM database, frequently in large folder structures that the nightly backup forgot about. Losing a year of bitewings is its own malpractice problem.
  • 3D and CBCT scans — if you have a cone beam, those files are huge and expensive to re-acquire (in radiation dose to the patient and in chair time).
  • Documents and signed forms — consent forms, HIPAA acknowledgments, insurance authorizations. Frequently in a separate folder, often on a workstation, often not backed up.
  • Email — increasingly used for referral communication, insurance appeals, lab communication. If you use Microsoft 365, Microsoft keeps the service running and offers retention policies, but it does not give you the point-in-time backup most owners assume they have; a separate Microsoft 365 backup product is the usual answer.
  • Workstation configurations — operatory PC images, driver chains for sensors and intraoral cameras. Rebuilding a workstation from scratch can take a full day per chair if you have nothing.

Why dental practices are a ransomware bullseye

Dental offices check every box for an opportunistic attacker:

  • High-value data, zero tolerance for downtime. A dental practice cannot operate for a day without the schedule and chart. The willingness to pay (or panic) is high.
  • Specialty software that is rarely patched. Practice management and imaging systems often depend on older SQL versions and have integration quirks that make owners afraid to update.
  • Flat networks. The X-ray sensor PC, the front desk, the doctor's laptop, and the imaging server are often on the same VLAN as the guest Wi-Fi.
  • Shared logins. The "front desk" password used by four people. One credential leak, and the whole practice is reachable.
  • HIPAA leverage. Attackers know a breach notification is expensive, which they use as a second extortion lever — pay to decrypt, then pay again to keep stolen data from being published.

The HHS Office for Civil Rights public breach portal lists dental practices regularly. The headlines focus on hospitals; the casualties are often single-location small practices.

The 3-2-1 backup rule, translated for a dental office

The 3-2-1 rule is the industry standard for backups: 3 copies of your data, on 2 different media types, with 1 copy offsite. Here is what that looks like for a real dental practice:

Copy 1: The live production data

Dentrix or Eaglesoft running on the server, imaging files on the imaging server or NAS, documents on the file share, mail in Microsoft 365. This is your day-to-day data.

Copy 2: Local backup, immutable

A purpose-built local backup appliance (Datto SIRIS, Veeam with a hardened repository, or a Synology with immutable snapshots) that captures the PM database, the imaging folders, and the file share on a schedule — ideally every hour during business hours. The critical word is immutable: within its retention window the backup data cannot be deleted or encrypted by ransomware, even if the attacker has domain admin. That holds only if the appliance's own management login is not a domain account, is protected with MFA, and the retention window is longer than the time an attacker typically sits in a network before encrypting (days to weeks, not hours). If your "backup" is a USB drive plugged into the server, ransomware will encrypt it before lunch.

Copy 3: Offsite, in the cloud

A nightly replication of the local backup to the cloud — Datto Cloud, Wasabi, Azure, AWS S3 with Object Lock (in compliance mode, so that not even the account root can shorten retention). If the building burns down, floods (Oklahoma weather is a real backup criterion), or gets thoroughly ransomwared, the offsite copy is your business. Encryption in transit and at rest is non-negotiable for HIPAA, and the credentials that can write to the cloud copy should not be the same ones that can delete from it.

What ransomware actually does to a dental office (the case pattern)

A composite of recent incidents we have seen at Oklahoma practices: someone clicks a phishing link Friday afternoon. By Saturday morning, the attacker has mapped the network, found the backup server (running under a domain admin account, of course), deleted the backup retention, and triggered encryption across the Dentrix server, the imaging server, and three operatory workstations. Monday at 7 a.m. the front desk arrives, the schedule will not open, and the doctor is staring at a ransom note.

With proper backups: the practice falls over to the local appliance's virtualized copy of the Dentrix server within an hour, sees patients on time, and a forensic recovery runs in the background. Without: closed for the week, breach notifications to every patient, an OCR investigation, and a five- or six-figure recovery bill.

What to look for in a dental backup solution

  • Application-aware backup of the PM database engine (SQL Server, SQL Anywhere, MySQL/MariaDB, c-tree, whichever your vendor uses). A file-level copy of a live database is often inconsistent or corrupt on restore. The backup software must quiesce the database or use the engine's own backup API.
  • Explicit coverage of imaging paths. Walk through every imaging vendor (Dexis, Carestream, Romexis, etc.) and confirm the exact folder is included. Get it in writing.
  • Immutability and air-gap. Backup data cannot be deleted with any credential that lives on the production network; shortening retention should require a separate, MFA-protected administrative path or physical access to the appliance.
  • Fast recovery, including bare-metal and virtualized restore. Can you be back online the same day? Ask for a recovery time objective (RTO) in writing.
  • Recovery point objective (RPO) measured in hours, not days. For a busy practice, losing a day of charting is a clinical and billing nightmare.
  • HIPAA-aligned encryption and a signed Business Associate Agreement (BAA). The backup vendor and the IT provider both need BAAs on file.
  • Quarterly test restores, documented. Untested backups are not backups — they are a hope. Documentation also matters when OCR asks.
  • Monitoring and alerting that you can see. A monthly report at minimum; a dashboard if possible. Silence is not success.

HIPAA, briefly and accurately

HIPAA's Security Rule is principles-based, not prescriptive — it requires "reasonable and appropriate" safeguards. In practice, OCR investigations and settlements have made clear that a dental practice should have:

  • A written risk analysis covering electronic PHI, including in backups.
  • Encryption of PHI at rest and in transit (or documented reasoning if not).
  • Tested data backup and disaster recovery procedures.
  • Access controls and audit logging on PHI systems.
  • Business Associate Agreements with every vendor handling PHI.

Backups sit inside several of those requirements — the data is PHI, so the backup is regulated. A practice that cannot demonstrate tested restores is not just operationally exposed, it is HIPAA-exposed.

Where to start if you are not sure where you stand

Three questions to ask whoever runs your IT today:

  • What is in the backup, specifically — show me the file list, including imaging folders.
  • When was the last successful test restore, of what, by whom?
  • If our server were encrypted right now, how long until we are seeing patients again?
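The three questions above, and the "what to look for" list before them, boil down to checks that can be scripted. The following is an added illustration written for this article, not a feature of any backup vendor's product: it takes the paths that must be protected, the source paths a backup job actually includes, and the job's run history, and reports every gap. The paths, drive letters, share names, dates and thresholds are constructed sample data; the 24-hour RPO and 90-day test-restore window are the article's own suggested values, not anything a regulator mandates.

```python
"""
Backup coverage and freshness audit for a small dental practice.

Added illustration (not a vendor tool): it takes the paths that must be
protected, the source paths a backup job actually includes, and the job's
run history, and returns every gap a practice manager should be asking
about. All paths, dates and job names below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class JobRun:
    kind: str          # "backup" or "test_restore"
    finished: datetime
    success: bool


def _parts(path: str) -> tuple[str, ...]:
    """Split a Windows path into case-folded components so that
    D:\\Imaging and d:/imaging/ compare equal (dental servers are
    almost always Windows, and vendor paths vary in casing)."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def is_covered(path: str, sources: list[str]) -> bool:
    """True if `path` equals or sits beneath one of the backup job's sources."""
    target = _parts(path)
    return any(target[: len(src)] == src for src in map(_parts, sources))


def audit(required: dict[str, str], sources: list[str], runs: list[JobRun],
          now: datetime, rpo: timedelta = timedelta(hours=24),
          test_restore_max_age: timedelta = timedelta(days=90)) -> list[tuple[str, str]]:
    """Return (code, detail) findings. An empty list means the three
    questions at the end of the article have good answers."""
    findings: list[tuple[str, str]] = []

    # 1. Is everything that matters actually inside the job's source list?
    for label, path in required.items():
        if not is_covered(path, sources):
            findings.append(("missing", f"{label}: {path}"))

    # 2. Is the most recent *successful* backup inside the RPO? Failed runs
    #    do not count; counting them is the "I thought it was running" trap.
    good_backups = [r.finished for r in runs if r.kind == "backup" and r.success]
    if not good_backups:
        findings.append(("no_backup", "no successful backup on record"))
    elif now - max(good_backups) > rpo:
        findings.append(("stale_backup",
                         f"last good backup {now - max(good_backups)} ago, RPO {rpo}"))

    # 3. Has a restore actually been proven recently?
    good_restores = [r.finished for r in runs if r.kind == "test_restore" and r.success]
    if not good_restores:
        findings.append(("no_test_restore", "no successful test restore on record"))
    elif now - max(good_restores) > test_restore_max_age:
        findings.append(("stale_test_restore",
                         f"last test restore {now - max(good_restores)} ago"))

    return findings


# --- constructed sample practice (hypothetical paths and dates) ----------
REQUIRED = {
    "PM database": r"D:\PracticeMgmt\Data",
    "2D imaging": r"d:/imaging/dexis/data",   # odd casing and slashes on purpose
    "CBCT scans": r"E:\CBCT",                 # second drive the job never included
    "Signed forms": r"\\FRONTDESK1\Forms",    # lives on a workstation share
}
SOURCES = [r"D:\PracticeMgmt", r"D:\Imaging", r"D:\Shares\Office"]
NOW = datetime(2024, 5, 6, 7, 0)             # a Monday, 07:00, front desk arriving
RUNS = [
    JobRun("backup", datetime(2024, 5, 4, 23, 0), success=True),    # Saturday night
    JobRun("backup", datetime(2024, 5, 5, 23, 0), success=False),   # Sunday night, failed
    JobRun("test_restore", datetime(2024, 1, 10, 12, 0), success=True),
]


def sample_findings() -> list[tuple[str, str]]:
    """Run the audit over the constructed sample practice."""
    return audit(REQUIRED, SOURCES, RUNS, NOW)


if __name__ == "__main__":
    for code, detail in sample_findings():
        print(f"[{code}] {detail}")
```

Run against the sample data it reports the CBCT drive and the front-desk forms share as not in the backup at all, a last good backup 32 hours old against a 24-hour RPO (the Sunday run failed silently), and a test restore that is four months stale. Those are the same answers the three questions are meant to surface, just in a form that can run every morning instead of once a year.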

If those answers are vague, you are not unusual — but you are exposed. Great Plains Networking works with dental practices across the OKC metro on full backup, disaster recovery, and HIPAA-aligned IT. We will do a free review of your current backup configuration, test a restore in front of you, and give you a written report of what we found. Reach out to schedule a no-pressure assessment.
