Ransomware recovery for dental offices: what a real plan looks like

In one sentence

A real dental ransomware recovery plan answers in advance how you restore from a clean copy without paying: an immutable or offline backup the attacker cannot reach, a written isolate-assess-restore sequence, a defined recovery-time objective, and the notifications you will need. Preparation is what makes paying unnecessary.

What does a real dental ransomware recovery plan look like?

A real plan answers one question in advance: when our files are encrypted, how do we get the practice running again from a clean copy - without paying? It has four pillars: an immutable or offline backup the attacker cannot reach, a written response sequence (isolate, assess, restore), a defined recovery-time objective, and the contacts and notifications you will need. Dental and healthcare practices are increasingly targeted, so "it will not happen to us" is not a plan. (See dental practice cybersecurity in 2026.)

Why backups are the heart of recovery

The entire leverage of ransomware is that you cannot get your data back. A clean, recent, immutable backup removes that leverage: you restore instead of negotiate. Attackers know this, which is why they hunt for and encrypt reachable backups first - so the copy that saves you is the one they cannot touch. (See the 3-2-1 rule and beyond.)

The response sequence

  1. Isolate. Disconnect affected machines from the network to stop the spread - pull the power or network connection rather than performing a clean shutdown, which may destroy forensic evidence.
  2. Assess. Determine what is encrypted, how far it spread, and whether your backups are intact and clean.
  3. Engage help. Your IT provider, and where appropriate, cyber-insurance and incident-response contacts.
  4. Restore from a clean backup. Rebuild affected systems and restore from a verified, uninfected copy.
  5. Notify as required. A ransomware event involving patient data carries breach-notification obligations; involve counsel.
  6. Rebuild and harden. Close the entry point before returning to normal, so it does not recur.

Should you pay the ransom?

Paying is a last resort, not a plan - it funds the attacker, offers no guarantee of a working decryptor, and does not erase notification obligations. The entire point of preparation is to make paying unnecessary by holding a clean restore point. This is general guidance; an incident-response professional and counsel should advise on a live event.

Recovery time is a decision you make in advance

How long the practice is down after ransomware is mostly set before the attack: by whether you have an immutable backup, whether restores are tested, and whether you have defined an RTO and the resources to meet it. A practice with a tested, immutable backup recovers in a planned window; one without faces an open-ended catastrophe. (See backup and disaster recovery.)
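One way to make "restores are tested" and "a defined RTO" checkable is to compare a test restore against a hash manifest recorded at backup time and against the time budget. The script below is an added example, not code from the original article; the function names, file names and the 4-hour RTO are hypothetical, and the sample data is constructed.

```python
import hashlib, os, shutil, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256. Record at backup time; keep it off the backed-up system."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root, restore_seconds, rto_seconds):
    """Check a test restore against the manifest and the recovery-time objective."""
    restored = build_manifest(restored_root)
    report = {
        "missing": sorted(set(manifest) - set(restored)),
        "changed": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),  # e.g. renamed or dropped files
        "within_rto": restore_seconds <= rto_seconds,
    }
    report["ok"] = report["within_rto"] and not any(report[k] for k in ("missing", "changed", "unexpected"))
    return report

def demo():
    """Constructed data: a clean restore, then one with a renamed and an overwritten file that overran the RTO."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = os.path.join(tmp, "source"), os.path.join(tmp, "restored")
        os.makedirs(source)
        for name, data in {"schedule.db": b"appointments", "xray_001.dcm": b"image"}.items():
            with open(os.path.join(source, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(source)
        shutil.copytree(source, restored)
        clean = verify_restore(manifest, restored, restore_seconds=3 * 3600, rto_seconds=4 * 3600)
        os.replace(os.path.join(restored, "xray_001.dcm"), os.path.join(restored, "xray_001.dcm.locked"))
        with open(os.path.join(restored, "schedule.db"), "wb") as f:
            f.write(b"\x00garbled")
        bad = verify_restore(manifest, restored, restore_seconds=9 * 3600, rto_seconds=4 * 3600)
    return clean, bad

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A restore that reports anything under missing, changed or unexpected is not a clean restore point, however recent it is.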

Prevention is cheaper than recovery

The best recovery is the attack that never lands. MFA, patching, endpoint protection, scoped and audited vendor access, and staff awareness shrink the odds; immutable backups make the worst case survivable. The two work together. (See is my IT vendor my biggest security risk? and Security & Compliance.)
