What is the 3-2-1 backup rule for dental practices?
The 3-2-1 rule is the baseline for protecting dental data: keep 3 copies of your data, on 2 different types of media, with 1 copy off-site. It is simple, battle-tested, and the minimum a practice holding patient records should meet. The modern extension - 3-2-1-1-0 - adds 1 offline or immutable copy (so ransomware cannot encrypt it) and 0 errors verified by restore testing.
The rule, unpacked
- 3 copies: the live data plus at least two backups. One backup is not a backup strategy; it is a single point of failure.
- 2 media types: for example, local disk plus cloud. Two copies on the same drive do not protect against that drive failing.
- 1 off-site: a copy that survives a fire, flood, or theft at the office. An off-site or cloud copy is what makes a physical disaster survivable.
Beyond 3-2-1: the offline/immutable copy and verification
Ransomware changed the math. Attackers now seek out and encrypt backups they can reach over the network. The fix is a copy that cannot be altered - an immutable cloud copy or an offline copy - so there is always a clean restore point. And the "0" matters: a backup you have not verified by restore is a backup you are only hoping works. (See ransomware recovery for dental offices and do my dental backups actually work?)
What to actually back up
- The practice-management database - Dentrix, Eaglesoft, or Open Dental.
- Images - the imaging library or A-to-Z folder, which is often large and sometimes missed.
- Configuration and documents - so you can rebuild, not just restore data.
A backup that captures the database but not the images is only half a recovery.
Frequency, encryption, and HIPAA
- Frequency should match your RPO (recovery point objective) - how much data you can afford to lose between backups. Nightly is common; busier practices back up more often. (See backup and disaster recovery.)
- Encryption in transit and at rest is expected for backups containing patient data, and is part of a defensible HIPAA posture. (See Security & Compliance.)
Verify, then monitor
Set up 3-2-1-1-0, then make backup health a monitored signal so a failure is caught the day it happens - not discovered during a restore you cannot complete. Best practices on paper do not protect anyone; verified, monitored backups do.
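As an added illustration (not code from the original page or any backup product), the check below scores a backup inventory against 3-2-1-1-0 the way a monitored health signal would: each copy is only counted if it is complete (database, images, configuration) and fresh within the RPO, and the "0" is enforced by asking when a restore was last tested. The dataset names, the BackupCopy fields and the sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Assumed names for the practice-management database, imaging library and configs.
REQUIRED = {"pm_database", "images", "config"}

@dataclass
class BackupCopy:
    name: str
    media: str                  # e.g. "local_disk", "cloud", "usb_disk"
    offsite: bool
    immutable: bool             # object-lock / WORM / offline copy
    datasets: Set[str]
    last_success: datetime
    last_restore_test: Optional[datetime] = None

def check_backup_health(copies: List[BackupCopy], now: datetime,
                        rpo=timedelta(hours=24), verify_every=timedelta(days=30)):
    """Score an inventory against 3-2-1-1-0; only complete and fresh copies count."""
    failures, warnings, healthy = [], [], []
    for c in copies:
        missing = REQUIRED - c.datasets
        if missing:
            warnings.append(f"{c.name}: incomplete, missing {sorted(missing)}")
        if now - c.last_success > rpo:
            warnings.append(f"{c.name}: stale, last success {now - c.last_success} ago exceeds RPO")
        elif not missing:
            healthy.append(c)
    if len(healthy) < 2:                                  # live data is copy #1
        failures.append(f"3: {len(healthy)} healthy backup copies, need 2 plus live data")
    if len({c.media for c in healthy}) < 2:
        failures.append("2: healthy copies do not span two media types")
    if not any(c.offsite for c in healthy):
        failures.append("1: no healthy off-site copy")
    if not any(c.immutable for c in healthy):
        failures.append("1: no immutable/offline copy; network-reachable backups can be encrypted")
    untested = [c.name for c in healthy
                if c.last_restore_test is None or now - c.last_restore_test > verify_every]
    if untested:
        failures.append(f"0: restore not verified in {verify_every.days} days for {untested}")
    return {"ok": not failures, "findings": failures + warnings}

# Constructed sample inventory: NAS + immutable cloud are healthy, the USB copy is not.
NOW = datetime(2024, 6, 1, 8, 0)
SAMPLE = [
    BackupCopy("office-nas", "local_disk", False, False, REQUIRED, NOW - timedelta(hours=6), NOW - timedelta(days=10)),
    BackupCopy("cloud-lock", "cloud", True, True, REQUIRED, NOW - timedelta(hours=8), NOW - timedelta(days=20)),
    BackupCopy("usb-drawer", "usb_disk", False, False, {"pm_database"}, NOW - timedelta(days=3)),
]
```

Running `check_backup_health(SAMPLE, NOW)` reports the rule as met but still flags the USB copy as incomplete and stale; removing the cloud copy from the list turns every 3-2-1-1 check into a failure, which is the signal a monitor should alert on.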