We audit dental office networks every day. The same vulnerabilities show up in 80% of practices: the firewall hasn't been updated in three years, Remote Desktop is exposed to the internet, the Carestream imaging server still has its factory default password, and every device sits on the same flat network. An attacker who finds one weak point can reach everything — your server, your patient records, your imaging archive, your billing data.

This checklist covers the 12 most impactful security improvements for a dental practice network, ordered from easiest to hardest. Each item includes a difficulty rating, estimated time, and why it matters.

Easy Wins (Under 30 Minutes Each)

1. Change Default Passwords on All Network Devices

Difficulty: Easy | Time: 15 minutes | Impact: Critical

Log into your firewall, router, switches, and imaging devices. If the username is "admin" and the password is "admin," "password," or the manufacturer default — change it now. We've seen dental imaging servers (DEXIS, Carestream) still running factory credentials two years after installation because the imaging technician set it up and the IT provider never checked. Use a strong, unique password for each device.

2. Disable Remote Desktop Protocol (RDP) on the Firewall

Difficulty: Easy | Time: 10 minutes | Impact: Critical

RDP (port 3389) exposed to the internet is the single most common entry point for ransomware attacks on dental practices. Log into your firewall and confirm that port 3389 is not forwarded to any internal device. If your IT provider needs remote access, they should use a VPN or a remote monitoring tool — not direct RDP access over the internet. Check this today.

3. Enable Automatic Firmware Updates on Your Firewall

Difficulty: Easy | Time: 10 minutes | Impact: High

Your firewall's firmware is the software that enforces the security rules protecting your network. If it hasn't been updated in over a year, it has known vulnerabilities that attackers can exploit. Most modern firewalls (SonicWall, Fortinet, Meraki) support automatic firmware updates. Enable them. If your firewall is too old to receive updates, it's time to replace it.

4. Verify Antivirus Is Running on Every Workstation

Difficulty: Easy | Time: 20 minutes | Impact: High

Walk to each workstation. Open Windows Security (or your third-party antivirus) and confirm it's running with current definitions. We routinely find dental workstations where Windows Defender was disabled during a software installation and never re-enabled. Open Dental and Dentrix sometimes prompt users to add antivirus exclusions — make sure "add exclusion" doesn't turn into "disable antivirus entirely."

Moderate Effort (1–3 Hours Each)

5. Implement a Password Policy

Difficulty: Medium | Time: 1 hour | Impact: High

Set minimum password requirements across your practice: 12 characters minimum, mix of letters and numbers, no reuse of previous passwords. If your workstations are domain-joined, set this through Group Policy. If they're in a workgroup (common in small practices), configure it on each machine. Better yet: enable Windows Hello PIN or biometric login for faster, more secure daily authentication.

6. Enable Multi-Factor Authentication (MFA) for Remote Access

Difficulty: Medium | Time: 1 hour | Impact: Critical

Any remote access to your network — VPN, cloud services, email — should require a second factor beyond a password. Microsoft 365, Google Workspace, and most VPN solutions support MFA. If your IT provider remotes into your server using a simple username and password, that's a security risk. Require MFA on every remote access point.

7. Review and Remove Unused User Accounts

Difficulty: Medium | Time: 1 hour | Impact: Medium

Former employees, temporary staff, and vendor accounts accumulate on dental practice networks. Each unused account is a potential entry point. Review your Active Directory or local user accounts. Disable any account that hasn't been used in 60 days. Delete any account for a person who no longer works at or with the practice. Check your Open Dental and Dentrix user lists too — inactive software accounts with admin privileges are a liability.

8. Segment Your WiFi Network

Difficulty: Medium | Time: 2 hours | Impact: High

Your patient WiFi should not be on the same network as your practice workstations and server. If a patient's infected laptop connects to your WiFi and it's on the same network as your server, that infection can spread. Create a separate VLAN for guest WiFi that has internet access but zero access to internal resources. Most managed switches and access points support VLAN configuration — your IT provider can set this up in under two hours.

Advanced Security (Half-Day Projects)

9. Implement Network Segmentation

Difficulty: Hard | Time: 4 hours | Impact: Critical

Beyond WiFi segmentation, separate your entire network into zones: workstations on one VLAN, server on another, imaging devices (Carestream, DEXIS) on a third. Configure firewall rules between VLANs so that workstations can reach the server's database port but nothing else. If ransomware compromises a workstation, it can't spread to the imaging server because they're on different network segments with restricted access between them.
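One way to check an exported rule set against the intent of items 2, 8 and 9 is to model it as first-match rules with default deny and test every port between zones. This is an added example, not code from this checklist or from any firewall vendor. The zone names, the Rule format and the database port 3306 are assumptions, and both rule sets are constructed.

```python
from dataclasses import dataclass

DB_PORT = 3306   # assumption: the server's database port (MySQL default)
RDP_PORT = 3389
INTERNAL = ("workstations", "server", "imaging")   # assumed zone names
ALL_PORTS = range(1, 65536)

@dataclass(frozen=True)
class Rule:          # hypothetical rule model, not a vendor format
    src: str         # source zone
    dst: str         # destination zone, or "any"
    ports: range     # destination TCP ports the rule covers
    allow: bool

def permitted(rules, src, dst, port):
    """First matching rule wins; unmatched traffic is denied (default deny)."""
    for r in rules:
        if r.src == src and r.dst in (dst, "any") and port in r.ports:
            return r.allow
    return False

def open_ports(rules, src, dst):
    """Every TCP port on dst that src can reach under this rule set."""
    return [p for p in ALL_PORTS if permitted(rules, src, dst, p)]

def audit(rules):
    """Return the ways the rule set departs from the checklist's intent."""
    findings = []
    for dst in INTERNAL:
        if permitted(rules, "wan", dst, RDP_PORT):
            findings.append(f"RDP reachable from the internet on {dst}")
        if open_ports(rules, "guest", dst):
            findings.append(f"guest WiFi can reach {dst}")
    extra = [p for p in open_ports(rules, "workstations", "server") if p != DB_PORT]
    if extra:
        findings.append(f"workstations reach {len(extra)} non-database server ports")
    return findings

# Constructed rule sets: a permissive configuration and the corrected one.
WEAK = [
    Rule("wan", "server", range(RDP_PORT, RDP_PORT + 1), True),  # RDP forwarded
    Rule("guest", "any", ALL_PORTS, True),                       # guest not isolated
    Rule("workstations", "server", ALL_PORTS, True),             # every server port
]
HARDENED = [
    Rule("guest", "wan", ALL_PORTS, True),                       # internet only
    Rule("workstations", "server", range(DB_PORT, DB_PORT + 1), True),
    Rule("workstations", "wan", ALL_PORTS, True),
]
```

Calling audit(WEAK) returns five findings and audit(HARDENED) returns an empty list. The check looks at the internal destination port, so an RDP forward hidden behind a different external port number is still reported.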

10. Deploy a DNS Filtering Service

Difficulty: Medium | Time: 2 hours | Impact: High

DNS filtering blocks your network from connecting to known malicious domains. When a phishing email tricks a staff member into clicking a link, DNS filtering stops the connection before the malware downloads. Services like Cisco Umbrella, DNSFilter, or Cloudflare Gateway can be configured at the firewall level to protect every device on the network without installing software on each workstation.

11. Enable Logging and Centralized Monitoring

Difficulty: Hard | Time: 4 hours | Impact: High

Most dental practice firewalls and servers generate security logs. Almost nobody reads them. Enable logging on your firewall, server, and critical workstations. Forward those logs to a centralized system that alerts on suspicious patterns: repeated failed logins, connections to unusual external IPs, large data transfers outside business hours. CyberCore's agent monitors security-relevant events across all endpoints and generates alerts in real time without requiring a separate SIEM infrastructure.
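The three alert patterns named above can be expressed as a small detector run over forwarded log lines. This is an added example, not part of the original checklist and not CyberCore's code. The key=value log format, the thresholds, the business hours and the baseline of known destinations are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds and baseline; the page gives no numbers for these patterns.
FAIL_LIMIT, FAIL_WINDOW = 5, timedelta(minutes=10)
BIG_TRANSFER = 500 * 1024 * 1024      # bytes sent out in a single flow
OPEN_HOUR, CLOSE_HOUR = 7, 18         # business hours, local time
KNOWN_DESTS = {"198.51.100.10"}       # external IPs the practice normally talks to

def parse(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, fields); None if malformed."""
    try:
        stamp, *pairs = line.split()
        return datetime.fromisoformat(stamp), dict(p.split("=", 1) for p in pairs)
    except ValueError:
        return None

def detect(lines):
    """Scan time-ordered log lines and return (alert_type, subject) tuples."""
    alerts, fails = [], defaultdict(deque)
    for parsed in map(parse, lines):
        if parsed is None:
            continue                              # skip lines that do not parse
        when, f = parsed
        if f.get("event") == "login_failed":
            recent = fails[f.get("src")]
            recent.append(when)
            while when - recent[0] > FAIL_WINDOW:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= FAIL_LIMIT:
                alerts.append(("repeated_failed_logins", f.get("src")))
                recent.clear()                    # next alert needs a fresh burst
        elif f.get("event") == "flow":
            sent = int(f["bytes_out"]) if f.get("bytes_out", "").isdigit() else 0
            after_hours = not (OPEN_HOUR <= when.hour < CLOSE_HOUR)
            if after_hours and sent >= BIG_TRANSFER:
                alerts.append(("large_after_hours_transfer", f.get("src")))
            if f.get("dst") not in KNOWN_DESTS:
                alerts.append(("unusual_external_ip", f.get("dst")))
    return alerts

# Constructed sample log (hypothetical key=value format, documentation addresses).
SAMPLE = [f"2024-03-04T02:10:0{i} event=login_failed user=admin src=10.0.10.23"
          for i in range(5)] + [
    "2024-03-04T02:31:40 event=flow src=10.0.20.5 dst=203.0.113.50 bytes_out=734003200",
    "2024-03-04T10:05:00 event=flow src=10.0.10.23 dst=198.51.100.10 bytes_out=734003200",
    "corrupted line without a timestamp",
]
```

Running detect(SAMPLE) yields one alert for the burst of failed logins and two for the 02:31 flow, while the same-sized transfer to a known destination during business hours raises nothing.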

12. Conduct a Penetration Test

Difficulty: Hard | Time: 1 day (outsourced) | Impact: Critical

Hire a professional to test your network security by attempting to breach it — the same way an attacker would. A penetration test reveals vulnerabilities that checklists miss: misconfigured firewall rules, weak service accounts, unpatched server software, and social engineering susceptibility. For a dental practice, a basic external penetration test costs $2,000 to $5,000 and should be done annually.

Where to Start

You don't have to do all 12 items this week. Start with the critical items: change default passwords, close RDP, and segment your WiFi. Those three changes eliminate the attack vectors responsible for over 60% of dental practice security incidents we've investigated.

Then work through the moderate items over the next month. Schedule the advanced items for next quarter. Print this checklist and tape it to your server room door. Cross off items as you complete them. Every item you finish makes your practice harder to attack.

CyberCore audits your network security posture automatically every six hours, checking for exposed ports, missing patches, disabled security services, and configuration drift. That continuous visibility turns security from a quarterly project into a daily operating standard.