Backup and Disaster Recovery for Dental Practices: What You Actually Need

What Actually Needs to Be Backed Up

Before discussing how to back up, you need to know what to back up. In a typical dental practice, there are three distinct categories — and most backup setups only address one of them adequately.

Practice Management System (PMS) Data

Your Dentrix, Eaglesoft, Curve, Open Dental, or other PMS database is the operational core of your practice. Most PMS platforms include a built-in backup function, but the default configuration is frequently inadequate — backing up to the same machine the database lives on, or to a single USB drive that hasn't been swapped in months.

PMS backup should be automated, stored in at least two locations, and tested regularly by actually restoring the database and verifying it opens correctly. A backup file that can't be restored is not a backup — it's a false sense of security.

Imaging Data

CBCT files, digital panoramic X-rays, intraoral sensor images, and patient photos can easily reach several terabytes over a few years of active practice. This data lives in vendor-specific archive formats (DICOM and proprietary equivalents) and requires software-aware backup that preserves directory structure and metadata intact. A file-level copy that doesn't account for the imaging software's database index is not a complete backup — the files may exist but the software won't be able to find them.

Imaging data also has different recovery characteristics than PMS data. A 500 GB imaging archive takes time to restore over a network connection. Your recovery plan needs to account for that.

Server and Workstation System Images

If your server fails without a system image backup, you're not just restoring data — you're spending hours reinstalling Windows Server, your PMS server software, imaging software backends, license keys, and configuration. System image backups capture the full operating environment, not just files. For CBCT workstations, this also includes calibration data and vendor-specific configurations that aren't trivial to recreate.

Microsoft 365 and Cloud Data

Microsoft 365 does not back up your Exchange mailbox long-term. Its native retention policies are not a backup strategy. If an email is deleted — accidentally or maliciously — the recovery window is short. Third-party M365 backup (Veeam, Acronis, Datto SaaS, or equivalent) is a separate line item that many practices skip. It shouldn't be.

The 3-2-1 Rule Applied to Dental

The 3-2-1 rule is the standard baseline for any defensible backup strategy:

• 3 copies of your data
• 2 different storage media or locations
• 1 offsite copy

For a dental practice, this typically looks like: primary data on the server, a local backup to a network-attached storage device or dedicated backup appliance on-site, and an encrypted offsite/cloud backup. All three copies need to be independently verified — a backup that replicates a corrupted file three times is still a corrupted backup.

Backup Frequency and Retention

PMS data should back up continuously or multiple times per day — patient records, treatment notes, and financial transactions are entered throughout the day, and a full-day loss is operationally catastrophic. Imaging data should back up at minimum nightly. Retention schedules matter too: keeping only 7 days of rolling backups means that if ransomware sits dormant for 10 days before triggering, you have no clean restore point.

Practical minimums we recommend:

• PMS database: Continuous or hourly local backup + nightly encrypted offsite; 90-day retention minimum
• Imaging data: Nightly incremental + weekly full; 30-day retention for recent cases, permanent archival storage for completed cases
• Server system images: Weekly; 4-week rotation with monthly archive
• Workstation images: After any major change (OS update, software install); keep prior image until new one is verified

Backup Testing Is Not Optional

A backup that has never been tested is a guess. We see this consistently when practices come to us after an incident — they had a backup running for two years, but no one had ever actually restored from it. The backup job had been failing silently for months. The files existed but the PMS database was corrupt. The imaging archive was incomplete.

We perform quarterly restore tests on the PMS databases and imaging archives we manage — actually restoring data to a test environment and verifying it opens correctly in the relevant software. This is the part most providers skip, and it's the part that determines whether your backup is real or theoretical.

Ransomware and Why Your Backup Architecture Matters

Modern ransomware operators routinely identify and encrypt backup files before triggering the main payload. Network-connected backup drives and standard cloud sync folders are targets. This means:

• Backups that are always-connected to the network can be compromised along with primary data
• Immutable backups — write-once cloud storage, air-gapped local media, or backup solutions with immutability features — are critical for ransomware resilience
• Retention depth matters: you need enough clean restore points to get back to before the infection began
• Recovery time matters: a backup that takes 48 hours to restore means 48 hours of practice downtime

Backup architecture should be designed with a ransomware scenario in mind, not just hardware failure. The threat model is different and the design requirements are different.

How TechniWorX Manages Dental Practice Backups

TechniWorX deploys backup solutions designed around the specific data footprint of dental practices — including imaging-aware archiving, immutable offsite storage, and documented quarterly recovery tests. We configure your PMS vendor's native backup tool correctly, layer image-based backup on top of it, and connect everything to monitored cloud storage that alerts us if a job fails.

If you're not sure whether your current backup would survive a ransomware event or a server failure, get in touch. We'll review your current setup and give you an honest assessment — what's covered, what's not, and what the actual recovery time would look like if you needed it today.