Endpoint & Detection
A field-tested hardening guide for Dentrix, Eaglesoft, and Open Dental — server isolation, account hygiene, backup strategy, audit logging, and the specific defaults that get practices breached.
Dental practice management software runs the practice. It holds the schedule, the chart, the imaging links, the insurance data, and the billing. It is also one of the least-hardened pieces of software in a typical small business, because the people who install it are trained on workflow — not on Windows server hardening, SQL Server defaults, or HIPAA-grade audit logging.
This is a practitioner guide for the three systems I see most often in the field: Dentrix, Eaglesoft, and Open Dental. The vendors document features; they do not really document security configuration. The defaults are not secure, and the defaults are what most practices are running.
Every PMS vendor publishes an install guide. None of them publishes a security baseline that a regulator or a cyber insurer would recognize. The install guide tells you how to get the software running. It does not tell you to rotate the SQL Server sa password, disable interactive logins for service accounts, segment the imaging share, enable per-user accounts, or test your restores.
That gap is what attackers walk through. Ransomware operators do not need a zero-day to encrypt a dental practice — they need a port-forwarded RDP, a shared FrontDesk account, and a USB backup drive plugged in 24/7. All three are standard.
The most common finding on a dental assessment is a shared FrontDesk1 account (or Reception, or Office) logged into the reception desktop, with PMS administrator rights, and four people using it throughout the day.
That single configuration breaks several things at once:
Every PMS in this category supports per-user accounts. Dentrix has user accounts with role-based passwords. Eaglesoft has per-user logins with security rights. Open Dental has a full user/group/permission model. The work is enabling them, training staff to lock the workstation when they walk away (Win+L), and shortening the PMS auto-logout to five to ten minutes at the front desk. Do this before anything else on this list — most of the controls below depend on it.
The piece most office managers — and many MSPs — do not realize: the PMS is just a front end. The real prize for an attacker is the database.
Both Dentrix and Eaglesoft run on Microsoft SQL Server, typically Standard Edition on a dedicated server and Express on smaller installs. The default sa (system administrator) account is set during installation. On older installations it is set to a weak, well-known, or vendor-default value. Anyone with network access to the SQL listener and that password owns the entire patient database.
The fixes:
sa password to a long, random string stored in a password manager.sa. Create named SQL accounts for the PMS service and any DBA-style maintenance.Open Dental ships with a MySQL or MariaDB backend. The same problem exists with different account names:
root account must have a strong, rotated password.opendental database user must also be set — not left at the documented default.If you are running Open Dental and you can run telnet your.public.ip 3306 from outside the office and get a connection, stop reading and fix that first.
The PMS server is a Windows machine that holds patient data. It should be treated like a server — even when, as is increasingly common in small practices, the "server" is a Windows 11 Pro desktop sitting under the front desk acting as one. (That configuration is unsupported by Microsoft for multi-user database hosting and is its own risk; budget for a proper Windows Server or a cloud move.)
Baseline:
C$, ADMIN$) from anywhere they are not strictly required.Remote access is where most dental practices get breached. The wrong patterns are very consistent:
The right patterns are not exotic:
If you only do one thing this quarter, remove the port-forwarded RDP and the unattended TeamViewer.
Every PMS in this category has an audit log. Most practices have never opened it.
Review the log at least monthly. Specifically look for:
This review takes thirty minutes a month once you know what to look for. It is the cheapest control on this list.
The classic 3-2-1 backup rule is not enough in a ransomware-active threat model. The version I use for dental practices is 3-2-1-1-0:
What I see in the field instead: a single USB drive plugged into the PMS server 24/7, running a nightly copy of the database file. When ransomware hits the server, it encrypts the USB drive at the same time. The practice now has no backups.
Test a restore monthly. Pick a non-production machine, restore last night's backup, open the database, confirm you can read a recent patient record. Any practice that has not tested a restore in six months is operating on hope, not on a backup strategy.
Digital X-ray (Sirona/Schick, Carestream, Dexis), CBCT, and intraoral cameras almost always write images to a shared folder on the server. That folder is the second-highest-value target for ransomware after the PMS database, because encrypting it stops the practice from operating today — not just billing tomorrow.
Two specific problems:
If your imaging vendor's support tech tells you to disable AV entirely, get that in writing and then get a different recommendation from your security provider.
The awkward truth: dental PMS vendors have historically lagged on supporting current Windows releases. It is not unusual for a major Windows version to ship and for Eaglesoft or Dentrix to take 12 to 24 months to formally certify it. That forces practices into a bad choice between running an unsupported OS and breaking PMS compatibility.
The honest controls when you cannot patch on Microsoft's timeline:
This is the part of the conversation that practice owners find frustrating. It is also where having a security provider who will document the tradeoff is worth the line item.
A growing share of practices are moving off on-prem PMS entirely. Curve Dental, Denticon, and Dentrix Cloud all shift the server-hardening burden to the vendor. That is a real benefit, especially for single-location practices that cannot justify the IT overhead of a hardened on-prem server.
It does not remove your risk. It changes it:
Cloud is not a security strategy. Cloud plus identity monitoring plus MFA is.
When we onboard a dental practice, the typical sequence is straightforward:
sa (Dentrix/Eaglesoft) or MySQL root (Open Dental) credentials and remove interactive use.None of that is exotic. All of it is the difference between a practice that recovers from an incident in a week and a practice that pays a ransom, notifies patients, and explains itself to its state dental board.
If you run a dental practice and you are not sure where you stand against this list, book an assessment. We will walk through your PMS configuration, your backups, your remote-access path, and your audit logs, and tell you honestly what to fix first.
Last updated
May 14, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
Because every action in the PMS — viewing a chart, deleting an appointment, exporting patient data — is logged against whoever is signed in. If five people share one account, your audit log is effectively useless and HIPAA workforce access management (164.308(a)(4)) is not satisfied. Per-user accounts are supported in Dentrix, Eaglesoft, and Open Dental; the work is enabling them and training staff to sign out, not buying new software.
Dentrix: Practice Information then Audit Log. Eaglesoft: Reports then Audit Trail. Open Dental: User Audit Trail under the Setup menu. Reviewing these monthly for after-hours access, deleted appointments, and patient-record exports is the minimum bar.
Yes. Dentrix and Eaglesoft both run on Microsoft SQL Server, and on older installs the sa account is left with a weak, well-known, or vendor-default password. Anyone with network access to the SQL listener can pull the entire patient database. Rotate it, store it in a password manager, and stop using it for interactive logins — create named SQL accounts for any maintenance tasks.
No. Unattended TeamViewer or AnyDesk on the PMS server with a static password and no MFA is one of the most common initial-access vectors for ransomware in dental practices. Use Microsoft Entra ID with conditional access, an RDP gateway, or a zero-trust remote-access tool that enforces MFA on every session and produces a real audit log.
Cloud-hosted PMS shifts the server-hardening burden to the vendor, which is a real benefit for small practices. It does not remove your risk — it changes it. Account compromise via phishing becomes the dominant threat, so you need a BAA, MFA on every account, and identity-layer monitoring on your Microsoft 365 or Google Workspace tenant.
Native MFA inside Dentrix, Eaglesoft, and Open Dental is limited. The practical answer is to wrap MFA around what the PMS depends on: the Windows logon, the remote-access path, the Microsoft 365 or Google Workspace account, and any web portal the vendor provides. That covers the realistic attack paths even when the PMS UI itself has no MFA toggle.
PMS vendors historically lag on certifying current Windows versions — sometimes by 12 to 24 months. That forces practices to choose between running an unsupported Windows release or breaking PMS compatibility. The honest control is to track vendor release notes, do a quarterly compatibility review, document the risk acceptance when you cannot patch, and compensate with EDR, network isolation, and tighter access controls.
Related reading
A practitioner-style comparison of Huntress and SentinelOne for small businesses, focused on operations, staffing, response ownership, and what actually changes after deployment.
Read articleA practical 2026 buyer's guide to EDR, MDR, and XDR for small businesses, with honest recommendations, tradeoffs, and staffing realities.
Read articleLearn how to build a phishing training program for small business employees with realistic simulations, easy reporting, and metrics that matter.
Read article