Cybersecurity Checklist for Dental & Medical Practices

Healthcare is the most-breached industry per capita, and small practices are the softest targets: patient records sell for far more than credit cards, HIPAA enforcement applies at any practice size, and downtime cancels appointments. This checklist covers the controls examiners and cyber insurers expect a practice to have.

The threats that actually hit medical and dental offices

Ransomware on practice management systems

Encrypting Dentrix/Eaglesoft/EHR data halts scheduling, billing, and charts at once — attackers know practices pay quickly to restore operations.

Phishing for patient data

Staff inboxes receive fake insurance verifications and referral requests; one credential grants access to thousands of patient records — a reportable HIPAA breach.

Legacy equipment and unsupported software

Imaging machines and old practice software often run on unsupported Windows versions that can't be patched — a permanent open door if not isolated.

How many of these boxes can you actually check?

Find out in 3 minutes. CyberGrade grades your security posture A+ through F and shows your top risks — free, no email required to start.

Get Your Free Security Grade

The checklist

1. Turn on MFA for email, EHR, and remote access

quick win

Stolen staff credentials are the #1 entry point in healthcare breaches; MFA blocks the vast majority of those credential-based intrusions.

2. Encrypt every device that touches patient data

quick win

A lost unencrypted laptop is a reportable HIPAA breach; an encrypted one usually is not.

3. Run daily, tested, off-site backups of patient records

an afternoon

Backups are the difference between a bad day and paying a ransom — but only if a restore has actually been tested.
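One way to make the "tested" part of item 3 routine is to have the backup job itself perform a restore into a scratch directory and compare it against the live data, failing loudly on any mismatch. The script below is an added example, not part of the original checklist or of any product the page describes; the source and destination paths are placeholders you would replace with your practice-data directory and your off-site or detached backup target, and the constructed sample files in the usage comments are not real patient data.

```shell
#!/usr/bin/env bash
# Added example: back up a practice-data directory, record a checksum,
# then prove the archive restores cleanly before the job is called a success.
# Paths are placeholders; nothing here comes from the page's product.
set -eu

backup_and_verify() {
    src="$1"        # directory holding chart/PMS exports (placeholder)
    dest="$2"       # off-site or detached backup target mounted as a directory
    stamp=$(date +%Y%m%d-%H%M%S)
    name="practice-$stamp.tar.gz"
    archive="$dest/$name"

    mkdir -p "$dest"
    tar -czf "$archive" -C "$src" .

    # Checksum recorded with a relative filename so it verifies from any mount point.
    (cd "$dest" && sha256sum "$name" > "$name.sha256")

    # Test restore: unpack into a scratch directory and diff it against the source.
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$src" "$scratch" >/dev/null; then
        rm -rf "$scratch"
        echo "restore-verified $archive"
        return 0
    fi
    rm -rf "$scratch"
    echo "RESTORE MISMATCH $archive" >&2     # this is the alert the on-call person needs
    return 1
}

# Re-check an archive later (e.g. monthly) to catch silent corruption on the backup media.
verify_checksum() {
    archive="$1"
    (cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1)
}

# Usage (run nightly from cron, with src/dest replaced by your real paths):
#   backup_and_verify /srv/practice-data /mnt/offsite-backups
if [ "$#" -eq 2 ]; then
    backup_and_verify "$1" "$2"
fi
```

A non-zero exit from `backup_and_verify` should page someone rather than be logged and forgotten; a backup that has never been restored is the one that fails on ransomware day.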

4. Isolate imaging and lab equipment on a separate network segment

an afternoon

Unpatched X-ray and imaging machines can't be secured — so wall them off from everything that can.

5. Sign Business Associate Agreements with every vendor touching PHI

an afternoon

HIPAA requires them; missing BAAs are among the most-cited findings in OCR investigations.

6. Run annual security-awareness training and record attendance

ongoing

HIPAA's training requirement is audited by paperwork — no attendance record, no training happened.

7. Limit chart access by role

an afternoon

Front desk doesn't need full clinical records; least-privilege access shrinks both breach impact and insider risk.

8. Write a one-page breach response plan naming who calls whom

an afternoon

HIPAA has notification deadlines; deciding the plan during the incident burns them.

Frequently asked questions

Does HIPAA apply to small practices?

Yes — HIPAA applies to every covered entity regardless of size, and OCR has fined solo and two-dentist practices. Enforcement discretion considers size, but 'too small for HIPAA' is not a category that exists.

What does a healthcare data breach cost a small practice?

Beyond OCR penalties, the real costs are mandatory patient notification, credit monitoring, legal review, and reputation damage in a local market where patients have choices. Industry estimates put healthcare breach costs at the highest of any sector.

Is cyber insurance required for medical practices?

Not legally required, but increasingly required by hospital systems and payers you contract with — and insurers now require MFA, backups, and training before they'll write the policy. This checklist doubles as the insurance-readiness list.
