May 26th, 2026
The IT Checklist for Dental Practices: 20 Items to Verify in 2026
Industry Research — Dental Cybersecurity
Most dental practices do not have an IT problem. They have a “we will get to it” problem.
The IT checklist for dental practices below is what we run when a new office hires us, when a practice owner suspects something is off, or when a buyer is about to acquire a location and wants to know what they are walking into. It is a 20-item annual audit covering five domains: hardware, network, HIPAA safeguards, vendor contracts, and business continuity. Those are the domains where single-practice dental offices accumulate the most risk between audits. None of it is theoretical. Every item has either caused a real outage, triggered a real OCR investigation, or surfaced during real due diligence.
You can work through it in an afternoon. The ones you cannot check off in 10 minutes are usually the ones that matter most.
If you only have an hour: items 1, 9, 11, 14, and 18 are where we find the most consequential gaps in 9 out of 10 audits. Start there.
Stage 1: Foundation and hardware
The boring stuff that breaks first.
1. Verify every operatory workstation meets current PMS and imaging specs
Open your PMS vendor’s published system requirements (Dentrix, Eaglesoft, Open Dental, Curve, Denticon all post these). Check RAM, SSD vs spinning disk, and operating system. Windows 10 reached end of support on October 14, 2025 (LTSC and IoT editions have separate lifecycles), so any 2026 audit needs to flag every Home or Pro workstation still on it. A machine enrolled in Extended Security Updates still receives security patches (consumer ESU runs through October 13, 2026; the paid business program is sold a year at a time for up to three years), but treat it as a replacement with a date attached, not a pass.
2. Confirm the server (or cloud PMS host) is on supported hardware with active warranty
If you run a local server, check the manufacturer warranty status and your operating system support window. If you use a cloud-hosted PMS, confirm your hosting contract is current and you know who to call at 6 a.m. when it is down.
3. Confirm imaging workstation monitors are diagnostic-grade
General dentistry does not require formal monitor calibration, but you do need medical-grade displays (not consumer monitors) positioned to minimize glare. Practices reading CBCT or doing teleradiology should follow DICOM GSDF calibration. Standard 2D intraoral review does not require it.
4. Inventory every endpoint with owner, OS version, and last patch date
Desktops, laptops, tablets, kiosks. Every device that touches the network. You cannot patch what you cannot see, and you cannot prove HIPAA compliance on a device you forgot you owned.
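The inventory in item 4 and the Windows 10 flag in item 1 are one pass over the same data, so here is an added example that does both. It is not part of the original checklist: it assumes PowerShell Remoting (WinRM) is enabled on each workstation, that you run it as an administrator of those machines, and that the hostnames, owners and the 45-day "stale patch" threshold are placeholders you replace with your own.

```powershell
# Added example, not part of the original checklist. Assumes PowerShell Remoting
# (WinRM) is enabled on each workstation and you run this as an administrator of
# them. The hostnames and owners below are constructed placeholders.

# Constructed owner map: replace with your real operatory-to-device list. No OS
# call knows which chair a PC belongs to, so this column is maintained by hand.
$owners = @"
ComputerName,Owner
OP1-WS,Hygiene 1
OP2-WS,Dr. Lee
FRONT-DESK,Front desk
"@ | ConvertFrom-Csv

$win10Eos       = [datetime]'2025-10-14'   # Windows 10 Home/Pro end of support
$stalePatchDays = 45                        # threshold is this example's choice, not a HIPAA number

$report = foreach ($row in $owners) {
    $name = $row.ComputerName
    try {
        # One remoting session per device: OS edition/build plus the newest installed update.
        $d = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            $os  = Get-CimInstance -ClassName Win32_OperatingSystem
            $fix = Get-HotFix | Where-Object InstalledOn |
                   Sort-Object InstalledOn -Descending | Select-Object -First 1
            [pscustomobject]@{ Caption = $os.Caption; Build = $os.BuildNumber; LastPatch = $fix.InstalledOn }
        }

        # LTSC and IoT editions have their own lifecycles; Home/Pro/Enterprise on 10 are out of support.
        $unsupported = ($d.Caption -match 'Windows 10') -and
                       ($d.Caption -notmatch 'LTSC|IoT') -and
                       ((Get-Date) -gt $win10Eos)
        $days = if ($d.LastPatch) { (New-TimeSpan -Start $d.LastPatch -End (Get-Date)).Days } else { $null }

        $flag = if ($unsupported) { 'OS out of support' }
                elseif ($null -eq $days -or $days -gt $stalePatchDays) { 'patching stale' }
                else { 'ok' }

        [pscustomobject]@{
            ComputerName   = $name
            Owner          = $row.Owner
            OS             = $d.Caption
            Build          = $d.Build
            LastPatch      = if ($d.LastPatch) { $d.LastPatch.ToString('yyyy-MM-dd') } else { 'none recorded' }
            DaysSincePatch = $days
            Flag           = $flag
        }
    } catch {
        # A device that does not answer still goes on the list; unreachable is a finding, not a gap.
        [pscustomobject]@{
            ComputerName = $name; Owner = $row.Owner; OS = 'unreachable'; Build = $null
            LastPatch = $null; DaysSincePatch = $null; Flag = "unreachable: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object Flag | Format-Table -AutoSize
$report | Export-Csv -Path ".\endpoint-inventory-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

The dated CSV is the artifact: keep each run, because "last patch date on every endpoint" is exactly what an auditor or an acquirer will ask to see. Get-HotFix only lists updates that register as hotfixes, so a machine that shows "none recorded" still needs a look in Settings, but a machine that does not answer at all is the more interesting row. Tablets and kiosks that cannot run WinRM still belong on the list; add them by hand with the same columns.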
Stage 2: Network and connectivity
Where downtime starts.
5. Segment patient and guest Wi-Fi from your clinical network via VLAN
If a patient on guest Wi-Fi can ping your imaging server, or open a connection to it on any port, you have a problem. Blocking ping alone proves nothing; a firewall can drop ICMP and still forward TCP. On business-class gear this is a VLAN tag on the switch and access points plus one deny rule on the firewall, not a project, and it takes minutes to verify from a laptop on the guest SSID.
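An added example of that verification, not part of the original checklist. Run it twice: once from a laptop on the patient/guest SSID, where every row must read "pass", and once from an operatory workstation, where the same ports must be open (otherwise the guest-side "pass" may just mean the server was off). The addresses and ports are constructed placeholders for your own imaging server, PMS server and firewall.

```powershell
# Added example, not part of the original checklist. Addresses and ports below are
# constructed placeholders; substitute your clinical hosts. Run from the guest
# SSID and then from the clinical VLAN so the result has a control.

$clinicalHosts = @(
    @{ Name = 'imaging server'; Address = '10.10.20.5';  Ports = 104, 11112, 445 }   # DICOM, SMB
    @{ Name = 'PMS server';     Address = '10.10.20.10'; Ports = 445, 1433, 3389 }   # SMB, SQL, RDP
    @{ Name = 'firewall mgmt';  Address = '10.10.20.1';  Ports = 443, 22 }
)

function Test-Segmentation {
    param(
        [Parameter(Mandatory)] [array] $Targets,
        # 'Guest' expects nothing to answer; 'Clinical' is the control and expects the ports open.
        [ValidateSet('Guest', 'Clinical')] [string] $FromNetwork = 'Guest'
    )
    foreach ($t in $Targets) {
        # ICMP alone proves little: a firewall may drop ping and still forward TCP.
        $pingOk = Test-Connection -ComputerName $t.Address -Count 1 -Quiet -ErrorAction SilentlyContinue
        foreach ($port in $t.Ports) {
            $reachable = [bool](Test-NetConnection -ComputerName $t.Address -Port $port `
                                    -InformationLevel Quiet -WarningAction SilentlyContinue)
            $verdict = switch ($FromNetwork) {
                'Guest'    { if ($reachable) { 'FAIL: guest can reach clinical host' } else { 'pass' } }
                'Clinical' { if ($reachable) { 'pass' } else { 'WARN: control failed, host or service may be down' } }
            }
            [pscustomobject]@{
                Target  = $t.Name
                Address = $t.Address
                Port    = $port
                Ping    = $pingOk
                TcpOpen = $reachable
                Verdict = $verdict
            }
        }
    }
}

# From the guest SSID: every row should read 'pass'.
Test-Segmentation -Targets $clinicalHosts -FromNetwork Guest | Format-Table -AutoSize

# From an operatory workstation: the same rows should also read 'pass', which
# proves the guest-side result meant "blocked" and not "nothing was listening".
# Test-Segmentation -Targets $clinicalHosts -FromNetwork Clinical | Format-Table -AutoSize
```

On a correctly segmented network the guest run is slow, because Test-NetConnection waits out the TCP timeout on every dropped port; that delay is what "blocked" looks like. A fast "FAIL" on port 445 or 104 from the waiting room is the finding this item exists to catch.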
6. Install UPS battery backup on the server rack, network gear, and any imaging workstation
Surge protection at minimum on every operatory. A full UPS in every operatory is ideal but uncommon outside larger practices. The non-negotiable line is the server, the switch, and the firewall. Those three going dark mid-procedure is the worst-case version of a power blip.
7. Confirm a business-class firewall with active subscription and current firmware
If your “firewall” is the router your ISP dropped off, you do not have a firewall. Consumer-grade routers are a recurring weak point flagged in HIPAA risk assessments and post-breach investigations.
8. Document an ISP redundancy or failover plan
LTE backup, a secondary circuit, or at minimum a written plan for what staff do when the internet drops. Cloud PMS practices are entirely offline without it.
Stage 3: HIPAA and patient-data safeguards
Where most practices have the biggest exposure gap.
9. Conduct and document a current Security Risk Analysis (SRA)
HIPAA requires the SRA be reviewed periodically and whenever significant changes occur, like a new PMS, a new location, a breach, or a major staff change. Most MSPs and OCR settlements treat annual review as the defensible cadence. NIST SP 800-66 Revision 2 is the implementation guide most auditors map dental SRAs against. If you cannot produce one dated in the last 12 months, you are in the highest-risk category. Medix can run a formal Security Risk Analysis for your practice if you have never had one.
10. Inventory every vendor with PHI access and confirm a signed BAA for each
Your PMS, imaging cloud, online booking, communications platform, billing service, and any AI tool that touches patient data all need a signed Business Associate Agreement on file. This is one of the common HIPAA violations to avoid and it is the easiest one to fix in an afternoon.
11. Enforce MFA on PMS, email, imaging, and remote-access tools
Multi-factor authentication is not yet an explicit HIPAA requirement, but it is what OCR expects to see in any breach investigation. HHS published a Notice of Proposed Rulemaking in early 2025 that would make MFA a hard requirement. That update is still pending finalization. Get ahead of it now.
12. Encrypt all endpoints at rest and PHI in transit
BitLocker on Windows, FileVault on Mac, TLS for everything in motion. Encryption is technically “addressable” under the HIPAA Security Rule rather than “required,” but the Breach Notification Rule only gives safe harbor to PHI encrypted in line with HHS guidance: a lost laptop that was encrypted, with the recovery key stored somewhere other than the laptop bag, is not a reportable breach, while an unencrypted one is presumed to be. Implement it or formally document an equivalent safeguard.
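"BitLocker is on" is a claim worth checking rather than assuming: a suspended volume, an encryption job that never finished, or a drive with no recovery protector all look fine from the login screen. The following is an added example, not part of the original checklist. It runs locally and elevated on a Windows workstation (wrap it in Invoke-Command for a fleet), and the ordering of findings and the preference for XTS-AES are this example's choices rather than anything HHS specifies.

```powershell
# Added example, not part of the original checklist. Run elevated on each Windows
# workstation. The finding order and the XTS-AES preference are this example's
# choices. Removable drives appear as 'Data' volumes too and are reported as-is.

function Get-BitLockerAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $protectors  = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasRecovery = $protectors -contains 'RecoveryPassword'
        $hasTpm      = @($protectors | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
        $recoveryIds = @($vol.KeyProtector |
                         Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' } |
                         ForEach-Object KeyProtectorId)

        # Findings, most serious first. A suspended volume reports ProtectionStatus Off
        # while VolumeStatus still says FullyEncrypted, which is why protection is checked first.
        $finding = if ([string]$vol.ProtectionStatus -ne 'On') {
                       'protection OFF (suspended or never enabled)'
                   } elseif ([string]$vol.VolumeStatus -ne 'FullyEncrypted') {
                       "encryption incomplete: $($vol.VolumeStatus)"
                   } elseif ([string]$vol.EncryptionMethod -notin 'XtsAes128', 'XtsAes256') {
                       "legacy cipher mode: $($vol.EncryptionMethod)"
                   } elseif (-not $hasRecovery) {
                       'no recovery password protector (data is unrecoverable after a hardware failure)'
                   } elseif ([string]$vol.VolumeType -eq 'OperatingSystem' -and -not $hasTpm) {
                       'OS volume not bound to TPM'
                   } else { 'ok' }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Drive       = $vol.MountPoint
            Type        = $vol.VolumeType
            Protection  = $vol.ProtectionStatus
            Status      = $vol.VolumeStatus
            Cipher      = $vol.EncryptionMethod
            Protectors  = ($protectors -join ',')
            RecoveryIds = ($recoveryIds -join ',')
            Finding     = $finding
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize
```

The RecoveryIds column is there for the step the script cannot do: take each ID and confirm the matching recovery password exists in Entra ID or Active Directory (or wherever the practice escrows keys). A volume with a recovery protector whose password nobody stored is encrypted right up until the day the motherboard dies.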
13. Document HIPAA workforce training for every staff member
The rule requires training for new hires and after material policy changes. Annual refreshers are the widely accepted best-practice cadence and what OCR expects to see documented. Keep the completion certificates in one place where you can produce them on request.
Stage 4: Vendor and contract hygiene
Where transitions go sideways.
14. Confirm your practice owns the domain, DNS, and Google Workspace or M365 tenant
Not your former IT guy. Not the marketing agency that built your website six years ago. Not the office manager who set up the email on her personal account. The practice. We see this on almost every acquisition: the new owner buys the building and the chairs and discovers an ex-vendor still controls the email domain.
15. Audit every software subscription against actual seat count and renewal date
Pull your last 12 months of credit card statements and list every recurring SaaS charge: PMS add-ons, Zoom, Adobe, marketing tools, AI scribes, online booking, communications platforms. Cancel anything no one logged into last quarter. You are probably paying for seats no one uses and renewing tools nobody opened last year.
16. Review your MSP or IT-provider contract for response time, after-hours coverage, and offboarding terms
Three questions: what is the guaranteed response SLA, what happens at 7 p.m. when something breaks, and what does it take to leave if you ever want to? If your provider cannot answer those in writing, that is the problem.
17. Verify cyber liability insurance coverage matches your practice profile
There is no dental-specific published benchmark. Many small practices carry $1M per claim as a common floor, with higher limits for multi-location offices or anyone with a higher patient-record count. Walk through current revenue, record volume, and ransomware exposure with your broker once a year.
Stage 5: Continuity and transition triggers
Where surprise becomes disaster.
18. Perform a documented backup restore test, not just a successful backup log
A backup that has never been restored is a theory. HIPAA requires periodic contingency-plan testing under 45 CFR §164.308(a)(7)(ii)(D). We recommend a quarterly restore test as a practical cadence for dental practices. If you have not actually pulled patient records out of your backup and confirmed they open, you do not know if it works.
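An added example of a documented restore test, not part of the original checklist and not tied to any PMS vendor's backup format. It assumes the backup job produces a ZIP, that Save-BackupManifest was run against the source folder at backup time so there is a SHA-256 manifest to check against, and that every path and file name shown is a placeholder.

```powershell
# Added example, not part of the original checklist. Generic file-level restore
# check that knows nothing about any PMS vendor's backup format. It assumes the
# backup job writes a ZIP and that Save-BackupManifest was run against the source
# folder at backup time. All paths and file names are placeholders.

function Save-BackupManifest {
    param([Parameter(Mandatory)][string]$SourceDir, [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path $SourceDir).Path.TrimEnd('\')
    # Relative path, SHA-256 and size for every file, stored next to the backup.
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Bytes        = $_.Length
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)][string]$BackupZip,
        [Parameter(Mandatory)][string]$ManifestPath,
        [string[]]$MustExist = @(),        # files the practice cannot operate without, e.g. the PMS database
        [string]$ScratchRoot = $env:TEMP,
        [string]$LogPath = '.\restore-tests.csv'
    )
    $scratch  = Join-Path $ScratchRoot ("restore-test-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $problems = [System.Collections.Generic.List[string]]::new()
    New-Item -ItemType Directory -Path $scratch | Out-Null
    try {
        # 1. Can the archive be unpacked at all? A truncated or corrupt backup fails here.
        Expand-Archive -Path $BackupZip -DestinationPath $scratch -ErrorAction Stop

        # 2. Every file recorded at backup time is present and byte-for-byte identical.
        $manifest = @(Import-Csv -Path $ManifestPath)
        foreach ($entry in $manifest) {
            $restored = Join-Path $scratch $entry.RelativePath
            if (-not (Test-Path -LiteralPath $restored)) { $problems.Add("missing: $($entry.RelativePath)"); continue }
            $hash = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
            if ($hash -ne $entry.Sha256) { $problems.Add("hash mismatch: $($entry.RelativePath)") }
        }

        # 3. The files that matter most exist and are not empty (a zero-byte database is a classic silent failure).
        foreach ($name in $MustExist) {
            $f = Get-ChildItem -Path $scratch -Recurse -File -Filter $name | Select-Object -First 1
            if (-not $f)             { $problems.Add("required file absent: $name") }
            elseif ($f.Length -eq 0) { $problems.Add("required file is zero bytes: $name") }
        }

        $result = [pscustomobject]@{
            TestedAt   = (Get-Date).ToString('s')
            TestedBy   = $env:USERNAME
            Backup     = $BackupZip
            FilesInSet = $manifest.Count
            Problems   = ($problems -join '; ')
            Result     = if ($problems.Count -eq 0) { 'PASS' } else { 'FAIL' }
        }
        # 4. Keep the evidence: the dated log is what you hand an auditor or a buyer.
        $result | Export-Csv -Path $LogPath -Append -NoTypeInformation
        $result
    } finally {
        # Never leave a second copy of PHI sitting in a temp folder.
        Remove-Item -Path $scratch -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# At backup time, on the server (placeholder paths):
# Save-BackupManifest -SourceDir 'D:\PMS\Data' -ManifestPath 'E:\Backups\2026-05-26.manifest.csv'
# At test time, on a machine that is not the production server (placeholder file name):
# Test-BackupRestore -BackupZip 'E:\Backups\2026-05-26.zip' -ManifestPath 'E:\Backups\2026-05-26.manifest.csv' -MustExist 'pms-database.bak'
```

A PASS here is necessary, not sufficient. The step the script cannot do is the one the checklist item names: point a non-production install of your PMS at the restored copy and open a chart, a radiograph and a ledger. Record who did that and when in the same log, and do the test on a machine that is not the production server so a bad restore cannot overwrite good data.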
19. Maintain a written incident response plan with named contacts and a first-hour playbook
Who do you call at 5:47 a.m. when ransomware hits? What do you tell patients arriving at 8 a.m.? Who notifies your cyber insurance carrier within the 24-72 hour window most policies require? A one-page document answers all of this before you need it.
20. Trigger a full IT diligence review before any acquisition, MSP switch, or partner buyout
The three events that surface every hidden IT problem at the worst possible time. IT diligence when acquiring a practice is its own discipline. Build it into the deal timeline, not after closing.
Working Through This IT Checklist
Walk through these 20 items this quarter. Anything you cannot check off in 10 minutes is the next thing to fix. Most single-practice owners get through 15 of them in an afternoon and discover the remaining five are the ones quietly creating risk.
Medix runs this exact audit as part of onboarding for every new client. If you would rather not run it yourself, that is what we are here for. We work with independent dental practices across the country who reached out after one of these items finally broke.
Posted in Dental Cybersecurity