For a healthcare organization, ransomware can become both a security incident and an interruption to patient care. Scheduling, imaging, claims, prescriptions, communications, and clinical history may all depend on connected systems. A response plan that begins after files are encrypted begins too late.
No single product makes an organization “ransomware-proof.” Effective preparation layers identity security, vulnerability management, endpoint protection, segmentation, monitoring, resilient backups, and practiced response. These ten controls form a practical starting point for dental practices, clinics, and other organizations handling ePHI.
1. Know which systems are critical
Maintain a current inventory of workstations, servers, network equipment, cloud services, applications, service accounts, and vendors. Mark which assets handle ePHI and which are required to keep the practice operational. Include systems that are easy to overlook: imaging capture computers, front-desk kiosks, printers, remote-support tools, and legacy devices attached to clinical equipment.
Prioritize remediation and recovery around business impact. The practice should know which systems must return first, what they depend on, and who can authorize emergency changes.
2. Protect identities with MFA and least privilege
CISA recommends MFA for remote access and emphasizes phishing-resistant MFA for important services. Start with email, VPNs, remote desktop gateways, cloud administration, backup consoles, and any account capable of changing security controls.
Give each worker a unique account, remove routine administrative rights, separate administrator identities from everyday email and browsing, and review privileged access regularly. Disable dormant accounts and replace shared credentials with accountable, role-based access wherever possible.
3. Reduce exposed remote access
Attackers actively target exposed remote administration services and poorly secured vendor tools. Inventory every path into the environment, close anything no longer needed, require MFA, limit allowed sources when practical, and monitor authentication activity.
Vendor access should be approved, time-bounded where possible, and tied to a named organization and responsible owner. “The vendor needs it” is not a sufficient access model.
4. Patch internet-facing and high-risk systems quickly
Establish a defined process for learning about vulnerabilities, identifying affected assets, testing updates, deploying them, and recording exceptions. Prioritize internet-facing services, remote-access products, firewalls, email systems, browsers, operating systems, and known exploited vulnerabilities.
Where a clinical or imaging vendor prevents normal patching, document the constraint and use compensating safeguards such as isolation, restricted communication, application control, and closer monitoring.
5. Make phishing harder to succeed
Use layered email filtering, block risky attachment types where appropriate, protect domains with email-authentication controls, and train staff to report suspicious messages quickly. Training should reflect real workflows—payment changes, shared-document notices, password resets, patient records, insurance requests, and messages that impersonate leadership or vendors.
A reporting process matters as much as awareness. Staff should know exactly how to report a suspicious message without forwarding harmful content to coworkers.
6. Monitor endpoints and restrict execution
Managed endpoint protection should cover supported workstations and servers, report centrally, and generate alerts someone is responsible for reviewing. Application allowlisting or similar execution controls can reduce opportunities for unapproved software and scripts to run, especially on fixed-purpose clinical workstations.
Logging should make it possible to reconstruct important events. Time synchronization, identity logs, endpoint detections, firewall records, and cloud audit activity are much more useful when retained and reviewed before an incident.
7. Segment the network
A flat network lets one compromised device reach too much. Separate guest wireless, business workstations, servers, backups, building systems, and clinical or imaging devices according to their communication needs. Restrict management interfaces and administrative protocols to authorized systems.
Segmentation is not only a firewall configuration. Keep a current diagram, document permitted traffic, test the boundaries, and update the design when new devices or locations are added.
8. Maintain isolated, protected backups
CISA warns that ransomware frequently attempts to delete or encrypt accessible backups. Keep recovery copies offline or otherwise isolated from ordinary production access. Use separate administrative credentials, MFA, retention protections, and immutability or object-lock capabilities where appropriate.
Back up the information and configuration needed to rebuild—not only shared documents. That may include EHR exports, application databases, server configurations, cloud data, network-device settings, license information, and secure copies of recovery procedures.
9. Test restoration and downtime procedures
A successful backup job is not the same as a successful recovery. Restore representative data and complete systems on a schedule. Verify integrity, measure how long recovery takes, record dependencies, and fix gaps discovered during the exercise.
Practice downtime operations too. Teams should know how to communicate, schedule, document care, access essential contact information, and reconcile records after systems return. Store response procedures somewhere reachable when normal network access is unavailable.
10. Rehearse incident response
Define who leads technical containment, operations, executive decisions, legal and regulatory coordination, insurance notification, vendor escalation, evidence preservation, and communications. Keep current contact information for each role and establish an alternate communication channel.
Run a tabletop exercise using a realistic scenario: suspicious activity becomes an outage, backups are uncertain, a vendor is involved, and patient operations are affected. The purpose is not to perform perfectly. It is to expose unclear authority, missing information, and dependencies while there is time to fix them.
What to do first
If the list feels large, begin with the controls that most improve both prevention and recovery:
- Enforce MFA on email, remote access, administrators, and backup systems.
- Close unnecessary remote-access paths and patch exposed services.
- Remove routine local-administrator access.
- Confirm every critical system has an isolated recovery copy.
- Perform and document a real restoration test.
- Create an offline incident contact list and run a tabletop exercise.
Authoritative resources
This article provides general educational information. Incident-response, reporting, legal, insurance, and regulatory decisions should be made with qualified professionals based on the specific facts.


