Cyber security might not be the first thing on a dental practice’s agenda. However, from digital patient records to online payment systems, technology is becoming more embedded in everyday operations, and so the risks are growing.
In a recent Practice Plan Business of Dentistry Podcast, IT expert Tracy Pound outlined why dental practices are now prime targets for cybercriminals. Here she explains how, with a bit of awareness and simple, low‑cost actions, practices can dramatically reduce their risk.
Why cybersecurity should matter to dental teams
Dental practices hold a goldmine of valuable information. Under UK GDPR, you’re legally responsible for protecting personal and sensitive patient data: names, dates of birth, contact details, medical histories, X‑rays and treatment plans. Health information such as medical histories and X‑rays counts as ‘special category’ data, which carries extra obligations. If stolen, this information can be used to impersonate patients, commit fraud, or be sold on the dark web, so it’s important to keep it safe.
If the worst happened and your practice was breached, the consequences are significant:
- Heavy fines from the Information Commissioner’s Office (ICO)
- Reputational damage, leading to loss of patient trust
- Costly forensic investigations to find and fix the breach
- Operational disruption, potentially closing a practice temporarily
- Financial loss which, without cyber insurance, could fall entirely on the business.
Despite these risks, many UK dental practices still lack basic protections such as multi‑factor authentication or up‑to‑date systems. This is particularly worrying as statistically, a business is now more likely to suffer a cyber attack than a physical break‑in.
The basics: (mostly) free precautions to take
There are plenty of no- or low-cost cyber security measures that practices can take. All they need is a little time and consistency. Such as:
Keep all devices updated
Failing to run updates is one of the biggest causes of successful cyber attacks. The WannaCry ransomware outbreak of 2017, which forced NHS trusts to cancel appointments, spread between Windows computers that had not installed a security update Microsoft had released two months earlier, or that were running versions of Windows which no longer received updates at all.
Updates patch weaknesses and bugs, so every computer, printer, scanner, and networked device in the practice must:
- Have updates enabled
- Be updated at least weekly
- Never run on outdated software or operating systems.
This need not be a time consuming process as many updates happen automatically if you allow them to.
Use Multi‑Factor Authentication (2FA/MFA)
A huge number of dental practices still aren’t using Multi-factor Authentication, known as MFA or 2FA (two-factor authentication), despite most software offering it free of charge.
MFA requires you to prove your identity in two ways: for example, entering a password and then confirming a code from an app or text message on your phone. A stolen or guessed password alone is then no longer enough to get in, which makes unauthorised access far harder.
It’s good practice to enable MFA everywhere you can: practice management software, email accounts, cloud storage, HR systems and even social media logins.
Protect your Wi‑Fi
Patient Wi‑Fi and staff Wi‑Fi should never be the same network. Your patient Wi‑Fi must not give a route into the network used for clinical systems or admin computers, because any device that joins it could then be used to attack them. Most business routers can put visitors on a separate, isolated ‘guest’ network; use that rather than sharing the staff Wi‑Fi password with patients.
Also ensure:
- Default router passwords are changed (the admin login as well as the Wi‑Fi passphrase), and the Wi‑Fi uses WPA2 or WPA3 encryption
- Only authorised people can access the internal network
- Firewalls are properly configured and updated.
This is essential for keeping your doors closed to cybercriminals.
Lock screens every time you walk away
It’s common for reception desks and surgery computers to be left unattended briefly. Popping out of the room to fetch something can be long enough for someone to read or copy confidential data, so it’s essential to lock your screen every time you leave the desk.
Set automatic timeouts (usually 2–5 minutes), and train staff to lock their screens manually (Windows key + L on Windows, Control + Command + Q on a Mac) whenever they step away. This is one of the easiest, quickest wins.
Be vigilant about phishing
Most cyber-attacks start with a single click on a dodgy link. Thanks to AI, phishing emails and texts now look incredibly convincing. Logos, wording, grammar, tone of voice and even spoofed email addresses can all look genuine with the help of AI. So, it’s even more important to make sure you check before you click on a link in an email or a text.
Teach your team to:
- Double‑check the sender by clicking or tapping the display name to reveal the full email address; the name shown can say anything
- When using a desktop, hover over links to see the true destination before clicking
- Never click links in unexpected delivery, bank or password‑reset emails
- Independently verify payment‑related messages by phoning the supplier on a known number
- Be on the lookout for phone and text scams.
A moment’s hesitation can prevent a major breach. Don’t allow scammers to panic you into doing something out of the ordinary. Take the time to check first.
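The two checks in that list, “reveal the full address” and “check the true destination”, are things a computer can do as well as a person. The script below is an added example, not code from the original article or from Practice Plan: it reads an email, compares the sender’s display name with the real address behind it, and compares each link’s visible text with where the link actually goes. The sample message, the domains in it and the KNOWN_SENDERS table are all made up for the example; only the Python standard library is used.

```python
"""Added example (not from the original article): automate the two phishing
checks described above so you can see what "the full address" and "the true
destination" look like inside an email.

Assumptions, all constructed for this example: SAMPLE_EMAIL, every domain in
it, and the KNOWN_SENDERS table.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "bank" alert of the kind the article warns about.
# Link 1 shows one address but goes somewhere else; link 2 is a plain
# call-to-action; link 3 is honest (text and destination agree).
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@examplebank-verify.example.net>
To: reception@example-dental.example
Subject: Action required: confirm your account today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been locked. Confirm your details now:</p>
<p><a href="http://login.examplebank-verify.example.net/confirm">https://www.examplebank.example/login</a></p>
<p>Or <a href="http://login.examplebank-verify.example.net/confirm">click here</a>.</p>
<p>Our website: <a href="https://www.example-dental.example/">www.example-dental.example</a></p>
</body></html>
"""

# Constructed table: organisations the practice deals with and the domains they
# genuinely send from (a real practice would keep this as a shared list).
KNOWN_SENDERS = {"example bank": {"examplebank.example"}}

# Matches visible link text that looks like a web address, e.g. "www.x.example/y".
URL_LIKE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?")


def registered_domain(host):
    """Last two labels of a hostname ('www.a.example' -> 'a.example').
    A real tool would use the public suffix list; this is a deliberate
    simplification for the example."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_findings(msg, known_senders=KNOWN_SENDERS):
    """'Reveal the full address': compare the friendly display name with the
    real address behind it."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    expected = known_senders.get(name.strip().lower())
    if expected is not None and registered_domain(domain) not in expected:
        findings.append(f"display name '{name}' but real address is {addr}")
    if "@" in name and name.rpartition("@")[2].lower() != domain:
        # A display name written to look like an address is a common spoofing trick.
        findings.append(f"display name looks like an address: '{name}' vs {addr}")
    return findings


def link_findings(html):
    """'Check the true destination': flag anchors whose visible text names one
    site while the href goes to another. Text like "click here" cannot be
    compared, which is exactly why hovering is still needed."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = URL_LIKE.fullmatch(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(real_host):
            findings.append(f"link text shows {text} but goes to {href}")
    return findings


def analyse(raw_message):
    """Run both checks on a raw email; returns {'sender': [...], 'links': [...]}."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {"sender": sender_findings(msg), "links": link_findings(body)}


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_EMAIL).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Run on the sample, the script reports the mismatched sender and the first link; the “click here” link is not flagged because its text gives nothing to compare, and the practice’s own link passes. The domain comparison is deliberately crude (last two labels), so treat the output as a prompt to look closer, not as a verdict.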
Create simple cyber policies and human checkpoints
Policies don’t have to be complicated. Here are a few examples:
- Always verify bank detail changes by phone with a known contact
- Require two people to approve significant payments
- Never connect personal devices to staff Wi‑Fi without safeguards
- Avoid posting identifiable practice info on social media.
These human processes act as another layer in your “Swiss cheese model” of defence ensuring that even if one layer has a hole, others catch the threat.
Train your team regularly
Cyber security can’t be viewed as a one‑off task. People forget, threats evolve, and cybercriminals get smarter. So, training your team is essential and needn’t be expensive. The National Cyber Security Centre (NCSC) offers excellent free tabletop exercises (its ‘Exercise in a Box’ service) that walk your team through realistic scenarios like “Your system has been hacked—what now?”
These exercises highlight gaps you didn’t know you had and give clarity on who does what in a crisis.
Consider cyber insurance and Cyber Essentials Certification
Uptake of cyber insurance among dental practices is falling, yet cover is increasingly vital. If something goes wrong, insurance helps cover investigations, recovery, legal costs, and lost income. Practice Plan’s friends at Wesleyan can help practices looking for cyber insurance cover.
Cyber Essentials is another option. It’s a government‑backed certification that proves your practice meets core security requirements. As well as making sure you cover the basics, being able to display the Cyber Essentials logo on your website can also help build trust with patients.
Sadly, these days, whatever the size of your business, being the victim of a cyber attack is a matter of ‘when’ rather than ‘if’. Although cyber security can feel overwhelming, a few easy steps go a long way. Most breaches happen because someone didn’t update a device, lock a screen, or question a suspicious message. The simple things.
By training your team and creating a culture of awareness, you can protect your practice, your team, and your patients. Because in today’s digital world, for a dental practice, looking after data is as essential as looking after teeth.