Is your dental practice prepared for cyberattacks?

Arun Mehra explains why it is essential for dental practice owners to have a strategy to protect their digital information from cyberattacks.

As reports emerge that ‘national treasure’ Marks & Spencer could take months to recover from a cyberattack, it’s an opportune moment for the dental profession to evaluate its own data security measures.

Cyberhacking is not restricted to big names on the high street (the Co-op and Harrods both fell victim shortly after the M&S hack). It occurs daily, and dentistry is as vulnerable as any other sector.

In July 2020, the British Dental Association (BDA) was the victim of a cyberattack that resulted in a data breach, with hackers accessing its systems. 

In 2024, Facebook scammers fraudulently used the identity of a real dentist to elicit upfront payments for treatment before disappearing with the cash. Dentistry.co.uk reported last year on stark warnings about an impending crisis: British healthcare is perilously vulnerable to cyberattacks from Russian hackers. The analysis revealed that the outdated technology and legacy systems of our healthcare infrastructure could lead to disastrous outcomes.

High importance

Cyber security within the profession is, therefore, crucial. Hackers often earmark smaller healthcare businesses because they believe these organisations lack the resources for sophisticated security measures. 

This then makes dental practices prime targets for cybercriminals because they hold vast amounts of personal data, including confidential patient information, such as birthdates, addresses, names – and crucially, banking information. 

In May, Pat McFadden, senior minister and Cabinet Office minister responsible for UK cyber security, warned: ‘AI is going to increase not only the frequency but the intensity of cyberattacks in the coming years.’

With the growing dependence on cloud storage and processing, it is now essential for dentists to develop a strategy to safeguard their digital information. 

In this article, Arun Mehra offers some vital tips for dental professionals looking to protect their business from cyberattacks.

1. Staff training

Your staff are your first line of defence. Their training is just as necessary as, if not more so than, any software solution. Well-informed employees are crucial to preventing data breaches and maintaining cyber security.

Most personal health information data breaches result from human error by healthcare employees. Training is therefore the number one prevention tactic. While computers should have antivirus software to block potential threats, educating team members on their responsibilities regarding dental records and patient data is vital. 

Regular training sessions and written policy documents can help staff understand why security matters and how they can contribute. Encourage preventive measures, such as regular password changes. Most team members won’t need to manage security, but they should be aware of the risks.

2. Antivirus software

Using antivirus software is essential for preventing cyberattacks and significantly contributes to security.

An antivirus program scans files or code that pass through your network. It should then quarantine malicious files to ensure they cannot access and compromise the computer. 

Depending on the vendor, these programs maintain an extensive database of known viruses and malware, match files against this database, and determine whether to quarantine them.

3. Firewall security

Installing a firewall secures your networks while potentially limiting internet usage for staff and patients. 

A firewall serves as a virtual barrier that determines whether to allow or block network traffic. Similar to antivirus software, firewalls scan for malicious code or known threats. If traffic is flagged as a security risk, the firewall prevents it from entering the network. You can configure the firewall to permit or restrict specific activities.

Several options are available; your internet service provider (ISP) may offer one, or you can purchase a software solution. 

4. Phishing emails

According to the UK’s National Cyber Security Centre: ‘Phishing is when criminals use scam emails, text messages or phone calls to trick their victims. The aim is often to make you visit a website, which may download a virus onto your computer, or steal bank details or other personal information.’ 

As of March 2025, the number of scam reports received exceeds 40 million, resulting in 214k scams being removed across 387,536 URLs.

So, how do phishing emails work? First, they can create a sense of urgency in their writing. This leads to pressure, distracting you from the overall message and forcing you to act quickly. It’s a tactic often involving tight deadlines that can impact the reader’s ability to critically evaluate the content.

Authority also plays a significant role in how messages are perceived. Senders may impersonate senior executives or trusted colleagues to lend credibility to their communication. This can convince recipients that the message is from a reliable source. Imitation is another strategy used to exploit familiar business communications and daily habits. 

By mimicking normal processes, senders can trick you into reacting impulsively. It’s essential to check how the email addresses its recipient; if it addresses you as ‘friend’ or ‘valued customer’, it might indicate that the sender lacks specific knowledge about you.

5. Password protection

It’s an obvious point, but having a secure password can make the difference between having access and not. 

Nowadays, websites require a secure password with at least one capital letter, six lowercase letters, and one number. People often prefer to create passwords they can remember, typically using personal names and dates. Please don’t! A helpful method is to use three entirely random words, ideally followed by a random number; however, any number would suffice, even a significant date. 

Using three different words will greatly enhance protection against brute force attacks.
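The three-random-words method described above, sketched as an added example (it is not part of the original article). The word list is a small constructed sample, and the function names and the hyphen separator are assumptions made for illustration.

```python
import math
import secrets

# Constructed sample word list, for demonstration only. A real generator
# should draw from a list of several thousand words.
SAMPLE_WORDS = [
    "anchor", "biscuit", "candle", "dolphin", "ember", "fiddle", "garnet",
    "harbour", "igloo", "jigsaw", "kettle", "lantern", "meadow", "nutmeg",
    "orchid", "pebble", "quiver", "ribbon", "saddle", "thimble", "umbrella",
    "velvet", "walnut", "yonder",
]

_rng = secrets.SystemRandom()  # OS-backed CSPRNG, unlike the random module


def make_passphrase(words=SAMPLE_WORDS, n_words=3, digits=2):
    """Pick n_words different words at random and append a random number."""
    unique = sorted(set(words))
    if len(unique) < n_words:
        raise ValueError("word list is too small")
    chosen = _rng.sample(unique, n_words)      # sampling without repeats
    number = secrets.randbelow(10 ** digits)   # 0 .. 10**digits - 1
    return "-".join(chosen) + f"-{number:0{digits}d}"


def guess_space_bits(list_size, n_words=3, digits=2):
    """log2 of the number of candidates a brute-force attacker must cover,
    assuming the attacker knows the scheme and the word list."""
    return math.log2(math.perm(list_size, n_words) * 10 ** digits)


if __name__ == "__main__":
    print("example passphrase:", make_passphrase())
    # The size of the word list drives the strength of the result.
    for size in (len(SAMPLE_WORDS), 2000, 7776):
        print(f"{size:>5} words -> {guess_space_bits(size):.1f} bits")
```

The words must be chosen by the generator rather than by the person: the estimate only holds when every combination is equally likely.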

6. Risk and responsibility 

Regarding computer security, it is essential to identify the necessary actions and assign specific responsibilities to team members. This allocation of tasks is vital for effective management and the successful execution of security protocols.  

A senior manager with a broad view of all risks and how to tackle them should have overall responsibility. Other individuals can handle particular aspects, such as installing security software. 

Management should identify which information and technology are vital to the business; this is where the significant risks lie.

For example, damage to your dental practice’s financial or clinical system, or the loss of your dental patient list, could lead to the complete failure of the business.

Other information may be less important. 

Similarly, some computers are likely more critical or more vulnerable than others. Identifying the risks and establishing what security measures already exist, whether they are effective, and what additional ones are needed will help you direct your security efforts to where they are most required in your dental practice. 

Compile a list of all the cyber security measures that need to be implemented and create a spreadsheet assigning these tasks to specific staff members.

7. Stay up to date

Suppliers of PCs, software, and operating systems, such as Windows, frequently issue software updates to fix minor bugs or improve security. It’s essential to keep all devices up to date with the latest patches and software updates. They can usually be downloaded and installed automatically. 

Remember that just one vulnerable computer puts all the others at risk, so it’s important to ensure all available patches are applied to all of them.

Although a firewall should guard your computers, you should still protect user accounts (each person’s ‘identity’ with which they log on to a laptop) and sensitive documents with passwords. Because each individual should have a unique username and a password, access to different parts of your IT system can be limited to certain people. It is important to remember that some individuals may have more than one username and password, perhaps if they have multiple roles.

This not only protects against accidental or intentional damage by staff to systems and information but also provides further security against outside intrusions. To achieve this, you can use security options built into operating systems such as Windows or buy specialised software online. 

You can decide whether password control for a given item should be basic (for instance, one password authorising access to an entire computer) or stronger (each document or application requiring a separate password).

Some individuals designated as computer admins may be given access to nearly everything, to perform technical work. You should keep the number of admins to a minimum.

Security software usually generates records showing which employees have used particular computers or documents at different times. This can be useful for pinpointing problems, but access to these records should, of course, be tightly limited. Otherwise, people misusing the system could alter them to cover their tracks.

8. Check regularly

Install and run antivirus software on all your devices regularly to check for any issues or threats. Conduct a review of all the devices your employees use to access or store patient data or dental records. Ensure they all have the proper antivirus, firewall and data protection features. 

Removable disks and drives, such as DVDs and USB sticks, pose security risks in two ways. They can introduce malware into your computers and be mislaid when containing sensitive information.

Ensure that, as far as possible, only disks and drives owned by your dental practice are used with your computers. 

9. Back up your data

Do this daily and in multiple locations. Maintain an on-site backup using an external hard drive, and ensure at least one off-site backup through cloud storage. Ideally, use two separate cloud services to create redundancy and minimise risk.

The weakest link

Sadly, no system is 100% secure, so plan for when things go wrong. Define what a ‘major’ incident means for you; something that puts a non-critical department offline for hours might not be considered as such, but something that prevents serving customers or vital functions like payroll is.

Establish how you will know if there’s a problem. Your firewall or antivirus software may warn you of unusual activity. Plan your next steps: what help should you call in? Do you need to contact key dental patients or suppliers? Can some functions continue using other computers or pen and paper while systems are repaired? 

Ensure clarity on who is responsible in an emergency.

Your plan can be documented and delivered in training sessions. It may incorporate elements of your plans for other disasters, like a fire, and can be adapted for less damaging incidents. Security is an ongoing process, not a one-off fix. 

A cyber security strategy relying on effective record-keeping helps avoid pitfalls and safeguards against attacks. Regularly evaluate security measures and maintain updated software. Remember, a business’s security depends on its weakest link – a thorough approach ensures nothing gets missed.
