AUTHORISED TESTING ONLY — EDUCATIONAL PURPOSE

Everything in this walkthrough is based on legitimate penetration testing techniques and common configuration weaknesses found during authorised security assessments of healthcare practices. No real patient data was accessed or exposed. Names and specifics have been generalised. The purpose is to show practice owners what an attacker sees — so you can close those doors before someone unauthorised walks through them.

I Know Your Practice Because I Work In One

Most cybersecurity writing about healthcare talks about hospitals, enterprise networks, and six-figure security budgets. That's not you. You have a reception desk, two or three treatment rooms, a server PC in the back office that nobody touches, and an IT guy who comes in when something breaks. You have between one and five support staff who have worked with you for years and would never intentionally compromise your practice.

And yet, from a security standpoint, your practice is one of the most accessible targets I encounter. Not because you've done anything wrong. Because the way a dental practice is physically laid out, and the way small practice networks are typically built, creates a set of entry points that an attacker can chain together in minutes.

I know this because I walk through the same door your patients do. I sit in the same chair. I look at the same bracket table, the same USB hub, the same wall where the WiFi password is written in marker. And I know exactly what I could do with it.

Here's what that looks like — from first step through the door to full access to every patient record in your system.

TYPICAL SMALL DENTAL PRACTICE NETWORK
Reception PC: Bookings · Billing · Patient check-in · Internet-facing email
Chair-side PC (×2): Treatment notes · X-ray viewing · USB hub accessible to patient
Server / NAS PC: Patient DB · X-rays · Backups · All PCs have full access
WiFi router: One SSID · Same password for staff + patients · No network separation
⚠ All four nodes share the same network segment — every device can communicate freely with every other device

The Three Things That Make This Possible

Before we walk through the timeline, understand that this attack doesn't rely on any obscure software exploit or nation-state tooling. It relies entirely on three configuration realities that exist in the majority of small dental practices — and probably yours.

Finding 01 — The USB Hub
Physical Access at Patient Level · Treatment Room
CRITICAL

Look down next to the dental chair. In most modern practices there's a USB hub or charging station mounted at the base of the bracket table or integrated into the chair-side unit. It's there so patients can charge their phones during treatment. It's a thoughtful touch. It is also a direct hardware connection to the chair-side PC that controls your digital X-ray system, your treatment note software, and your practice network.

A USB Rubber Ducky is a commercial penetration testing device — available for around $60 — that looks exactly like an ordinary USB flash drive. The moment it's plugged in, Windows recognises it as a keyboard (not a storage device, so USB storage blockers don't help). It then types a pre-loaded keystroke payload at speeds no human could match — typically several hundred keystrokes in under ten seconds — launching a command prompt, downloading a script, and establishing a remote connection, all before the operating system has finished showing the "device connected" notification.

The attacker plugs it in. The dentist is gloved, focused on the patient's mouth, and wouldn't notice if someone reached across to the bracket table. In a single-handed practice the receptionist is at the front desk. The payload runs in silence. The device is removed. Eleven seconds of physical access and the attacker has a persistent foothold on a machine inside your network.

USB EMULATES KEYBOARD · USB BLOCKERS DON'T HELP · PAYLOAD IN UNDER 15 SECONDS · SILENT — NO SCREEN ACTIVITY

Finding 02 — The Shared WiFi
One SSID · Staff and Patients on the Same Network
HIGH

The waiting room WiFi password is on the wall. Sometimes it's on a small sign at the reception desk. Sometimes the receptionist just tells you. This is normal and it's fine — patients need internet access, and you want to provide it. The problem is not the password on the wall. The problem is what network that password connects to.

In most small practices, there's one router, one WiFi network, and everything is on it: patient phones, staff laptops, the reception PC, the chair-side PCs, the server. When a patient connects to your WiFi, their device is on the same network segment as every other device in your practice. They can — if they know what they're doing — see and attempt to communicate with all of them.

An attacker sitting in your waiting room with a laptop can run a passive network scan without sending a single packet that looks suspicious. Within two minutes they have a complete list of every device on your network: IP addresses, device names, operating system fingerprints. They know you have a PC named SURGERY-PC-1, a server named PRACTICE-SERVER, and a workstation running an older version of Windows because the imaging software vendor hasn't certified the latest OS release yet.

PATIENTS ON SAME SEGMENT AS SERVERS · FULL NETWORK VISIBLE FROM WAITING ROOM · SERVER NAMES VISIBLE IN SCAN

Finding 03 — The Flat Network
No Segmentation · All PCs Trust Each Other Completely
CRITICAL

A "flat network" means every device can freely communicate with every other device. There's no firewall rule saying the reception PC can only talk to the booking server. There's no policy preventing a chair-side PC from accessing the accounts folder on the server. If you're on the network — whether legitimately or not — you can reach everything on it.

This is how small networks are typically set up, because it's simpler and cheaper and there's no IT complexity to manage. But it means that the moment an attacker has a foothold on any machine — through the USB hub, through the WiFi, through a phishing email — they can immediately attempt to access every other machine. There's no internal wall to stop them.

Combined with the reality that practice management software typically runs on a shared server with network file shares accessible to all PCs, and that staff user accounts frequently have broad permissions because it's easier to give everyone access than to manage individual permissions — a flat network turns one compromised endpoint into full practice access within minutes.

ONE BREACH = ACCESS TO EVERYTHING · NETWORK SHARES OPEN TO ALL · BROAD STAFF PERMISSIONS

The 11-Minute Timeline

Here's what happens when you chain those three findings together. This is a realistic sequence based on documented penetration testing methodology. Every step uses real, legitimate security testing tools and techniques. The times are conservative estimates based on a typical small practice network.

00:00
USB Rubber Ducky Inserted
Patient sits in the chair. The dentist is gloved and working. The attacker reaches across to the USB hub mounted under the bracket table and plugs in what looks like a standard USB stick. Windows registers it as a keyboard input device. Nobody looks twice — patients plug things in there every day.

00:11
Payload Executes — Reverse Shell Opens
The device has typed its entire keystroke payload — opening a hidden PowerShell window, running a one-line command that downloads a small script from an attacker-controlled server, and establishing an encrypted reverse connection back to the attacker's device. The chair-side PC screen hasn't flickered. No window opened. No antivirus triggered — the payload used legitimate Windows scripting tools. The USB device is removed and pocketed. The connection persists.

02:00
Network Discovery Scan Complete
From the established shell, the attacker runs a basic network scan. Within 90 seconds they have a complete map of the local network: four devices — the chair-side PC they're on, the reception PC, a second surgery PC, and a server. All four are on the same subnet, all reachable. The server is running Windows Server with file sharing enabled. The attacker can see it from here as clearly as any other machine on the network.

04:30
Network Shares Enumerated — Patient Data Located
The attacker lists the shared folders on the server. Because the practice is on a flat network and the chair-side PC's user account has been granted access to the practice management folder (so the dentist can pull up records during treatment), those shares are visible and accessible from the current session — no additional credentials required. The attacker can see folders labelled with patient names, X-ray archives by date, financial records, and staff documents. All of it is readable from the current session.

07:00
Credentials Located — Cached in Session
Practice management software stores its database connection credentials in a configuration file — a standard and necessary part of how client-server software works. That config file is in a folder the current user can read. The credentials are in plain text or lightly encoded. The attacker now has direct database access credentials. On a flat network these credentials also frequently work across multiple services — including remote desktop on the server itself.

09:30
Remote Desktop Session to Practice Server
Using the credentials from the config file, the attacker opens a Remote Desktop connection to the server. The RDP service is enabled — it's how your IT support connects when something needs fixing. The attacker is now logged into the server itself, with the same level of access as your IT support provider. They have a full graphical desktop. Every file, every database, every backup — it's all here.

11:00
Full Access — All Patient Records, All Data
Eleven minutes after the USB device was plugged in, the attacker has unrestricted access to the complete patient database — names, ID numbers, contact details, medical histories, treatment records, X-rays, account balances. They have access to staff payroll records and supplier invoices. They can read, copy, modify, or delete any file on the server. They could deploy ransomware across all four PCs simultaneously from this session. The patient in the chair is still having their filling done. Nobody in the practice knows any of this has happened.
AND THIS IS JUST ONE ENTRY PATH

The USB attack requires a moment of physical access. But remember: an attacker sitting in your waiting room on your shared WiFi has a network-level vantage point from which they can attempt the same network scan, the same share enumeration, the same credential discovery — all without ever touching your hardware. The USB path is faster. The WiFi path requires no physical contact at all. Both end in the same place.
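The same three steps, seen from the defender's side. The following is an added example, not code from the original article: a small Python triage routine over constructed Windows Security events, using the article's host names and placeholder addresses, that flags a new keyboard-class device on a chair-side PC (event 6416, which requires "Audit PnP Activity" to be enabled), a chair-side session opening a server share it has no clinical reason to touch (event 5140), and an RDP logon to the server from anything other than the IT provider's allow-listed address (event 4624, logon type 10). The share names and addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Host names are the article's; addresses are constructed placeholders, not real.
SERVER = "PRACTICE-SERVER"
CLINICAL_HOSTS = {"SURGERY-PC-1": "192.168.1.21", "SURGERY-PC-2": "192.168.1.22"}
IT_PROVIDER_ADDRESSES = {"203.0.113.10"}      # the only source allowed to RDP in
CLINICAL_SHARES = {r"\\*\Practice"}           # the only share a chair-side PC should open

@dataclass
class Event:
    event_id: int                  # Windows Security event ID
    host: str                      # machine that logged the event
    fields: dict = field(default_factory=dict)

def classify(ev: Event) -> Optional[str]:
    """Return an alert string when the event matches a rule, else None."""
    f, ip = ev.fields, ev.fields.get("IpAddress")
    if ev.event_id == 6416 and ev.host in CLINICAL_HOSTS:
        # 6416 needs "Audit PnP Activity". A keyboard-class device arriving on a
        # chair-side PC is the Rubber Ducky signature: HID, not storage.
        if "keyboard" in f.get("DeviceDescription", "").lower():
            return f"new keyboard device on clinical PC {ev.host}"
    if ev.event_id == 5140 and ev.host == SERVER and ip in CLINICAL_HOSTS.values():
        # A chair-side session reading shares beyond the practice-management one
        # (accounts, staff documents) matches the share-enumeration step.
        if f.get("ShareName") not in CLINICAL_SHARES:
            return f"clinical PC {ip} opened share {f.get('ShareName')} on {SERVER}"
    if ev.event_id == 4624 and ev.host == SERVER and f.get("LogonType") == 10:
        # Logon type 10 is an RDP session; only the IT provider should open one.
        if ip not in IT_PROVIDER_ADDRESSES:
            return f"RDP logon to {SERVER} from unexpected address {ip}"
    return None

def triage(events):
    # Run every event through the rules and keep the alerts, in order.
    return [a for a in map(classify, events) if a]

# Constructed sample log: two benign events, then the three steps of the chain.
SAMPLE_EVENTS = [
    Event(5140, SERVER, {"ShareName": r"\\*\Practice", "IpAddress": "192.168.1.21"}),
    Event(4624, SERVER, {"LogonType": 10, "IpAddress": "203.0.113.10"}),
    Event(6416, "SURGERY-PC-1", {"DeviceDescription": "HID Keyboard Device"}),
    Event(5140, SERVER, {"ShareName": r"\\*\Accounts", "IpAddress": "192.168.1.21"}),
    Event(4624, SERVER, {"LogonType": 10, "IpAddress": "192.168.1.21"}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In a real deployment the events come from the server's and workstations' Security logs (forwarded or exported); the rules are the same.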

What This Means Under POPIA

At the eleven-minute mark, you have a notifiable security compromise under Section 22 of POPIA. Patient records — including health information, which is special personal information under Section 26 and carries heightened protection obligations — have been accessed by an unauthorised person. It doesn't matter that you didn't know it happened. It doesn't matter that nothing was visibly damaged. The access event itself is the breach.

Your obligations from that point are: notify the Information Regulator as soon as reasonably possible, notify every affected data subject, document the circumstances, and demonstrate what reasonable security measures you had in place at the time. A USB hub physically accessible to patients, a flat network with no segmentation, and shared WiFi with no guest isolation are three findings that make "reasonable security measures" a very difficult case to argue.

The exposure isn't theoretical. Dental patient records contain some of the most personally identifiable data in healthcare — medical history, chronic conditions, medications, ID numbers, photographs. In a practice of any size, that's hundreds or thousands of people whose information you hold and are legally responsible for protecting.

Five Fixes. None of Them Are Expensive.

The good news is that nothing in this scenario requires a security overhaul. Each of the three underlying weaknesses has a specific, practical remedy. Here they are.

YOUR DENTAL PRACTICE SECURITY HARDENING CHECKLIST

Relocate or Disable Patient-Accessible USB Ports
Move USB charging to a standalone charging hub that is not connected to any computer — a simple USB power adapter with multiple ports gives patients charging without any network connection whatsoever. If chair-side USB ports are needed for clinical devices, ask your IT provider to disable USB data transfer on those ports in the BIOS or via group policy, leaving only power passthrough. A USB port that can only charge — not communicate with the PC — cannot be used for this attack.

Create a Separate Guest WiFi Network
Every modern consumer router — including the ones most practices already have — supports creating a second "guest" WiFi network that is completely isolated from your main network. Patients connect to the guest network and get internet access. They cannot see or reach any device on your staff network. This single change, which takes about ten minutes to configure, eliminates the WiFi entry path entirely. The guest network can have a different password that you're comfortable putting on the wall.

Segment Your Network — Keep Clinical PCs Separate
Ask your IT provider to place your clinical PCs (chair-side, X-ray) and your server on a separate network segment from reception and admin PCs. This doesn't require expensive hardware — most business-grade routers support VLANs. The result: a compromised reception PC cannot reach the clinical server, and vice versa. A breach of one segment does not automatically mean a breach of all of them. This is the single most structurally important change you can make.

Lock Down Remote Desktop
If your IT provider uses Remote Desktop to support your server, that's legitimate and necessary. But RDP should not be accessible from inside the local network to any user except your IT provider's specific account. Restrict it by user, and consider requiring your IT provider to connect via VPN rather than direct RDP. Change all default or simple server passwords to long, unique ones. This closes the escalation path that turned network access into full server control.

Get a Penetration Test — Done Annually
The scenario above took eleven minutes because the attacker knew exactly what to look for. A penetration test runs the same process — finding the USB hub, scanning the network, enumerating shares — and gives you the findings in a report rather than a breach notification. Annual testing is the only way to know your network has actually been hardened, not just that you think it has. Under POPIA Section 19, "reasonable technical measures" means tested security, not assumed security.

A Note From One Dentist to Another

I wrote this article because I've sat in that chair. I know the pressure of a full appointment book, an unhappy patient in room two, a receptionist calling through the intercom, and a phone that won't stop. The last thing on your mind during a clinical day is network segmentation.

But I also know what's on that server. I know you have years of patient records, treatment histories, X-rays, accounts, staff details. I know how long it took you to build that patient base and how much trust each one of those records represents. And I know that under POPIA, you are the responsible party — the Information Officer — for every single one of them.

None of the five fixes above require you to become a cybersecurity expert. They require one conversation with your IT provider, who should be able to implement all of them in a single half-day visit. The USB charging solution costs under R200. The guest WiFi costs nothing — it's already in your router. The peace of mind that comes from knowing your patient data is actually protected, not just probably protected, is worth considerably more than that.

Book a Dental Practice Penetration Test

We assess dental practices specifically — including physical security, network architecture, WiFi isolation, and staff awareness. You get a written findings report and a remediation plan you can hand to your IT provider. Conducted by a dentist who understands your clinical environment.

Dr David Sykes

Practicing dentist and independent cybersecurity practitioner based in Umhlanga, South Africa. Founder of Greyhat4Hire. Specialises in penetration testing of healthcare and dental practices — with the unique advantage of knowing exactly what your clinical environment looks like from the inside.
