There's a common assumption in small healthcare: ransomware hits big targets. Hospitals. Insurance companies. Major health systems. The kind of places with IT departments and dedicated security budgets.

That assumption is wrong, and it's costing small practices everything.

The shift away from large hospital targets happened gradually over the past several years. Health systems invested heavily in security infrastructure — 24/7 monitoring, incident response teams, network segmentation. Attacking them became expensive and unpredictable. So ransomware groups, which operate like businesses, followed the money somewhere easier.

They found it in small dental offices.

Why Attackers Deliberately Target Small Practices

Ransomware groups optimize for return on investment. A successful attack requires breaching a target, encrypting their data, and collecting payment. Every stage of that process is cheaper and more reliable against a small dental practice than against a hospital.

  • Large health systems have dedicated security teams, 24/7 network monitoring, and documented incident response plans. Small practices typically have a part-time IT person — if they have one at all.
  • Small practices run outdated software. Dental imaging systems are notorious for this — many practices are running X-ray software from 2012 or earlier, on Windows versions that haven't received security patches in years.
  • The data is genuinely valuable. A dental practice holds names, dates of birth, Social Security numbers in some cases, insurance information, and detailed health records. That's a complete identity theft package.
  • Small practices absolutely cannot afford extended downtime. A hospital can operate in degraded mode. A 3-chair dental office cannot see patients without its scheduling system, X-rays, and treatment records.
  • They usually have cyber insurance, which means there's a known, reliable payment mechanism.

The attackers' math is straightforward: soft target, real assets, motivated to pay. Small dental and medical practices hit all three criteria.

How Ransomware Actually Gets In

Understanding the attack vectors helps demystify what feels like an unknowable threat. Ransomware doesn't appear from nowhere — it enters through specific, predictable paths.

// Phishing email

This is the most common vector by a significant margin. A staff member receives an email that looks legitimate — a patient inquiry, an insurance notification, a vendor invoice — and opens an attachment or clicks a link. A small piece of malware installs silently in the background, giving attackers a foothold. From there, they work quietly to expand their access before triggering the ransomware.

// Exposed Remote Desktop Protocol (RDP)

Many dental practices have RDP enabled so their IT provider or software vendors can access systems remotely. When RDP is exposed directly to the internet without additional protections, it's visible to every automated scanner running on the internet. Attackers find open RDP ports, attempt common username and password combinations, and often succeed because the credentials are weak or default. This is one of the most exploited vectors in small healthcare.

// Unpatched software vulnerabilities

Dental imaging software — Dexis, Carestream, Planmeca, and others — runs on Windows and has its own vulnerability history. When patches aren't applied, known exploits remain available to anyone who wants to use them. The same applies to unpatched Windows itself, outdated versions of common software, and any internet-facing applications.

// The infection timeline

This part surprises most people. Ransomware doesn't encrypt your files the moment it enters your network. Modern ransomware sits dormant for days or weeks — sometimes longer. During that time, it's doing reconnaissance: mapping your network, identifying your backup systems, and spreading laterally to other machines. When the attackers are ready, they activate it all at once. By then, the infection has often reached your backups too.

Then the ransom note appears — typically demanding $50,000 to $200,000 in cryptocurrency, with a 72-hour countdown. Pay within the window or the price doubles. In many attacks today, the threat is compounded: pay or we publish your patient data publicly.

The Real Cost (It's More Than the Ransom)

The ransom demand gets all the attention, but it's often not even the largest cost in a successful ransomware attack. The total impact typically runs three to five times the ransom itself.

// Typical cost breakdown — small dental practice

  Cost item                                          Typical amount
  Ransom payment (average)                           $85,000
  Practice downtime (2–4 weeks, no revenue)          $40,000–$120,000
  Forensics and incident response firm               $15,000–$50,000
  Recovery labor (100–300 hours)                     $10,000–$30,000
  Patient breach notification (if PHI exfiltrated)   $5,000–$25,000
  HIPAA investigation and potential fines            varies
  Reputation and patient loss                        ongoing
  Total realistic range                              $200,000–$400,000+

One Utah dental practice paid $65,000 in ransom in 2022 — and still lost three weeks of patient data that hadn't been properly isolated in backups. The ransomware had silently encrypted the backup drive weeks before the attack was triggered. Total cost including downtime exceeded $400,000. The practice nearly closed.

Paying the ransom doesn't guarantee recovery either. Decryption keys provided by attackers are frequently incomplete, corrupted, or slow to the point of being useless. Even with a working key, rebuilding a practice's systems from encrypted files typically takes weeks.


The Three Things That Actually Protect You

The security industry has a tendency to make defense sound complicated. For a small dental practice, it isn't. There are three controls that, implemented correctly, will either prevent an attack entirely or allow you to recover without paying. Everything else is secondary to these.

// 1. Offsite, encrypted, tested backups

This is the single most important defense against ransomware. If you have clean, recent backups that ransomware hasn't reached, you can recover without paying anything. The ransom becomes irrelevant.

Every word in "offsite, encrypted, tested" matters:

  • Offsite: A backup drive plugged into your server is not a backup — it will be encrypted alongside everything else. Backups must be isolated from your network, either to a separate cloud service or to removable media that is physically disconnected after each backup.
  • Encrypted: Backup files containing patient records are PHI. They need to be encrypted at rest.
  • Tested: A backup you've never attempted to restore from is not a backup — it's an assumption. Test your restore process at least quarterly. You should know exactly how long a full restoration takes before you're under pressure to do it.

The industry standard framework is 3-2-1: three copies of your data, on two different media types, with one copy stored offsite. For a dental practice, this typically looks like: local backup, cloud backup, and periodic offline cold storage.
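An added example, not the article's own code, of what "tested" and 3-2-1 look like when checked by a script rather than assumed. It assumes a hypothetical layout in which every backup copy is a directory holding a manifest.json of SHA-256 hashes written at backup time; the file names, media labels and the "encrypted" scenario in demo() are constructed.

```python
# Added example, not the article's code: a 3-2-1 and "tested" backup check. Hypothetical
# layout: each backup copy is a directory holding a manifest.json of SHA-256 hashes.
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()  # fine for small demo files

def write_manifest(copy_dir):
    """Run at backup time so later checks can tell whether files were altered."""
    files = {p.name: sha256_file(p) for p in Path(copy_dir).iterdir() if p.name != "manifest.json"}
    (Path(copy_dir) / "manifest.json").write_text(json.dumps(files))

def check_copy(copy_dir):
    """Problems for one copy: missing manifest or file, a hash mismatch (what a silently
    encrypted backup looks like), or a failed restore of one sample file."""
    d = Path(copy_dir)
    if not (d / "manifest.json").exists():
        return ["no manifest"]
    manifest, problems = json.loads((d / "manifest.json").read_text()), []
    for name, digest in manifest.items():
        if not (d / name).exists():
            problems.append(f"missing: {name}")
        elif sha256_file(d / name) != digest:
            problems.append(f"hash mismatch: {name}")
    if not problems and manifest:  # "tested" means really restoring: copy out, re-hash
        name, digest = next(iter(manifest.items()))
        with tempfile.TemporaryDirectory() as tmp:
            if sha256_file(shutil.copy(d / name, tmp)) != digest:
                problems.append(f"restore failed: {name}")
    return problems

def verify_3_2_1(copies):
    """copies: list of (path, media_type, offsite_flag). Returns every problem found."""
    problems = []
    if len(copies) < 3: problems.append("fewer than 3 copies")
    if len({m for _, m, _ in copies}) < 2: problems.append("fewer than 2 media types")
    if not any(o for _, _, o in copies): problems.append("no offsite copy")
    for path, media, _ in copies:
        problems += [f"{media}: {p}" for p in check_copy(path)]
    return problems

def demo():
    """Constructed scenario: three copies, but the local one was overwritten in place."""
    root, copies = Path(tempfile.mkdtemp()), []
    for media, offsite in [("local-disk", False), ("cloud", True), ("offline-usb", True)]:
        d = root / media; d.mkdir()
        (d / "patients.db").write_bytes(b"constructed patient database contents")
        write_manifest(d); copies.append((d, media, offsite))
    (root / "local-disk" / "patients.db").write_bytes(b"\x00ENCRYPTED\x00")  # ransomware got here
    return verify_3_2_1(copies)
```

Run quarterly against the real copies and the output is the restore drill the article asks for: the local copy that ransomware silently rewrote shows up as a hash mismatch while the cloud and offline copies pass a real restore.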

// 2. Endpoint detection and response (EDR)

Traditional antivirus software detects threats by comparing files against a database of known malware signatures. Modern ransomware evades this easily — new variants are released constantly, and polymorphic ransomware changes its signature with each infection.

EDR software takes a different approach: it monitors the behavior of processes running on your machines rather than comparing signatures. When a process starts attempting to encrypt large numbers of files rapidly, EDR recognizes that behavioral pattern and can halt the process — often mid-encryption, before the attack completes. For a practice with 5–20 endpoints, EDR is not expensive. It's one of the better per-dollar investments in small practice security.
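To make the behavioral idea concrete, here is an added toy detector (not the article's code and not any EDR product's logic). It assumes a hypothetical event stream of (timestamp, pid, path, bytes_written) and the thresholds are assumptions; the sample events are constructed.

```python
# Added example, not the article's or any EDR vendor's code: a toy version of the behavioral
# rule described above. It reads a stream of (timestamp, pid, path, bytes_written) events and
# flags a process that rewrites many distinct files with high-entropy content in a short window.
import math
import random
from collections import defaultdict, deque

WINDOW_SECONDS = 10       # assumption: length of the burst window
MAX_FILES = 20            # assumption: this many high-entropy rewrites per window is abnormal
ENTROPY_THRESHOLD = 7.2   # bits per byte; encrypted data sits close to the 8.0 maximum

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written data; ciphertext looks like uniform random noise."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect(events):
    """events: iterable of (ts, pid, path, data), time-ordered. Returns {pid: ts} for each
    process that crossed the threshold; an EDR would halt that pid at that moment."""
    recent = defaultdict(deque)   # pid -> (ts, path) of recent high-entropy writes
    flagged = {}
    for ts, pid, path, data in events:
        if pid in flagged or shannon_entropy(data) < ENTROPY_THRESHOLD:
            continue              # low-entropy saves (documents, charts) are never counted
        q = recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()           # slide the window forward
        if len({p for _, p in q}) >= MAX_FILES:
            flagged[pid] = ts
    return flagged

def constructed_events():
    """Constructed sample input: a charting app saving text slowly, then one process
    rewriting 30 files with pseudorandom bytes in three seconds."""
    rng = random.Random(7)
    events = [(float(i), 1001, f"C:/charts/note{i}.txt", b"Patient visit, no complaints. " * 20)
              for i in range(40)]
    events += [(50 + i * 0.1, 4242, f"C:/charts/xray{i}.dcm", rng.randbytes(1024))
               for i in range(30)]
    return events
```

The benign process never trips the rule because its writes are plain text; the encrypting process is flagged on its 20th file, about two seconds into the burst, which is the "mid-encryption" halt the paragraph describes.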

// 3. Staff training that actually sticks

Your front desk staff opening email at 8am is your most important security control — not your firewall, not your antivirus. The majority of ransomware attacks begin with a human clicking something they shouldn't have.

Generic "don't click links" training doesn't work. What does work:

  • Phishing simulation: Send your own fake phishing emails to staff using a simulation platform. See who clicks. Train the people who do — immediately, while the experience is fresh. Repeat quarterly. Click rates drop dramatically within a few rounds.
  • Verification habit: Any unexpected attachment or request — especially anything involving payments, credentials, or patient data — gets verified by calling the sender directly, not by replying to the email.
  • Report without fear: Staff who think they've clicked something bad need to report it immediately. A five-minute response window can prevent an attack from spreading. Create a culture where "I clicked something suspicious" is treated as good behavior, not a disciplinable offense.

What To Do If It Happens

If you arrive at the office and see ransom notes on screens, the next hour matters enormously. Here's the right sequence:

  • Isolate immediately. Unplug affected machines from the network. Turn off Wi-Fi on any devices you can. The goal is to stop lateral spread — ransomware actively tries to reach every machine it can. Disconnecting from the network contains the damage.
  • Do not attempt to decrypt yourself. DIY decryption attempts frequently destroy forensic evidence and make professional recovery harder or impossible. Don't run decryption tools you find online.
  • Call your IT provider first. They need to assess scope and begin the incident response process. If you don't have a provider, call a healthcare-focused incident response firm immediately.
  • Call your cyber insurance carrier. Most healthcare cyber insurance policies cover ransomware response, including forensics, recovery, and sometimes ransom payment. Your carrier has a 24/7 hotline for exactly this situation.
  • Contact the FBI. This is not optional and it's not just for large organizations. The FBI's Cyber Division tracks ransomware groups and sometimes has decryption keys available from previous law enforcement operations. Reporting costs you nothing. There is occasionally a key available that makes paying unnecessary.
  • Do not pay immediately. Get a full assessment of what was encrypted and whether your backups are intact before making any payment decisions. Sometimes recovery is possible without payment. Sometimes paying gets you nothing back anyway.

Dental practices are targeted specifically because most don't have basic protections in place. Attackers know this — they know the software that dental practices run, they know the common configurations, and they have automated tools that scan for known vulnerabilities at scale.

The good news is that the fixes aren't expensive or technically complex. Isolated backups, EDR, and real staff training address the vast majority of ransomware risk for a small practice. The challenge is that someone has to actually implement and maintain them.

A 15-minute checkup is a good place to find out where you actually stand — whether your backups are configured correctly, whether you have any exposed RDP ports, and what your current risk profile looks like.