WiFi Security for Medical & Dental Practices

The Setup: A Normal Tuesday

It's 09:15. A patient walks in for a routine scale-and-polish. They sit in your waiting room, pull out their phone, and ask your receptionist for the WiFi password. Your receptionist recites it without a second thought — it's been the same password for three years, printed on every appointment card.

That patient connects. Their phone handshakes with your AP, gets an IP from your DHCP server, and is now a fully routed node on the same broadcast domain as every other device in your building. Including your Carestream CS3600 intraoral scanner. Your Dentrix workstation. Your billing server. Your NAS.

🦷

A NOTE FROM THE DENTIST IN THE ROOM

I run a dental practice and I run penetration tests. I have sat in my own waiting room with a laptop and mapped my entire clinical network in under four minutes before I hardened it. This article is about what I found — and what an actual attacker would do with it. The tools I used are free. They require no special skills. Anyone can do this.

Why Practices Are Especially Vulnerable

Dental and medical practices sit in a uniquely dangerous position. They hold protected health information (PHI) — some of the most valuable data on the criminal market, worth up to 40× more than a payment card number — yet most run with the security posture of a home network. Clinical imaging systems, patient management software, and billing portals often run on Windows 10 workstations that haven't been patched since the software vendor last visited. SMB shares are open. RDP is enabled. Default credentials are still in place on network printers and IP cameras.

And crucially — in South Africa, POPIA (Protection of Personal Information Act) places legal obligations on you as the Responsible Party for that data. A network breach that exposes patient records is not merely an IT problem. It is a regulatory event with mandatory reporting obligations to the Information Regulator and potentially significant financial penalties.

40×

More valuable than credit card data — medical records on dark web markets

4 min

Time to fully enumerate a flat dental practice network using free tools

82%

Of small practices run a single flat WiFi network with no guest VLAN separation

300m+

Effective range of a high-gain directional antenna — your car park is in range

Step One: Passive Recon Before You Even Connect

An attacker doesn't even need your WiFi password to start learning about you. From the car park — or any location within radio range — they can run passive wireless reconnaissance without transmitting a single packet.

BASH · PASSIVE WIFI RECON
# Put wireless card in monitor mode
sudo airmon-ng start wlan0

# Passive capture — no packets sent, completely silent
sudo airodump-ng wlan0mon

# What this reveals without connecting:
# BSSID (router MAC address)
# SSID names (network names)
# Channel, signal strength, encryption type
# Client MACs — every device currently connected
# Probe requests — SSIDs devices have connected to before
# → Reveals: "DrSykes-Practice", "DrSykes-Admin", "DESKTOP-C3KX91"

Tools like Kismet and Wireshark in promiscuous mode go further. Unencrypted or weakly encrypted traffic — multicast DNS (mDNS), NetBIOS name broadcasts, UPnP announcements — leaks device names, operating systems, software versions, and sometimes hostnames that directly identify clinical systems, all before a single authentication has taken place.

WHAT PROBE REQUESTS REVEAL

Every device that has ever connected to a named WiFi network will periodically broadcast that SSID in a probe request, asking if it's nearby. A patient in your waiting room may be leaking the SSIDs of their home network, their employer's network, and every coffee shop they've visited. An attacker with a rogue access point can respond to those probes and capture credentials. This is a side threat — but it illustrates how much information flows through WiFi without anyone noticing.

Step Two: Active Network Enumeration

Once connected — with the password from your reception desk, or from the WiFi card on your waiting room table — the attacker begins active enumeration. This is where the damage compounds rapidly. Every device on an unsegmented network is discoverable, and most clinical environments have devices that were never designed to face a hostile network.

Host Discovery: Finding Every Device

BASH · NMAP HOST DISCOVERY
# Ping sweep — who's alive on this subnet?
nmap -sn 192.168.1.0/24

# Results from a real (anonymised) dental practice:
192.168.1.1    — TP-Link router (admin/admin default creds, confirmed)
192.168.1.10   — DESKTOP-DENTRIX   Windows 10, Dentrix G7
192.168.1.11   — DESKTOP-XRAY      Windows 7(!), Carestream CS software
192.168.1.14   — NAS-SYNOLOGY       Synology DS920+, DSM 7.0
192.168.1.20   — HP-LaserJet        Printer, web admin on port 80
192.168.1.55   — IP-CAM-HIKVISION   Hikvision camera, default creds
192.168.1.100  — Attacker's machine (that's us)
192.168.1.110  — Patient's iPhone   (shouldn't see clinical devices)

That output above is not hypothetical. It is a representative composite of what I have found during practice assessments. Windows 7 running clinical imaging software is not unusual — Carestream, Planmeca, and other vendors have historically locked practices to specific OS versions for driver compatibility, and upgrade cycles lag years behind patch schedules. Windows 7 reached end-of-life in January 2020. It no longer receives security updates. Any known vulnerability from the last six years is permanently unpatched and permanently exploitable.

Service Enumeration: What's Running and How Old Is It?

BASH · NMAP SERVICE + VERSION DETECTION
# Full port scan + service version + OS fingerprint
nmap -sV -sC -O -p- 192.168.1.10

# Condensed example output — Dentrix workstation:
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows 10 SMBv1 enabled
3389/tcp  open  ms-wbt-server Remote Desktop Protocol — exposed
49152/tcp open  msrpc

SMBv1 ENABLED → EternalBlue (MS17-010) potentially applicable
RDP EXPOSED   → BlueKeep / DejaBlue attack surface on unpatched systems

# Shares discovered via SMB enumeration:
smbclient -L //192.168.1.10 -N
  PatientImages     — READ/WRITE, no auth required
  DentrixBackups    — READ/WRITE, no auth required
  Accounts2024      — READ/WRITE, no auth required

⚠️

SMBv1 IS A SERIOUS PROBLEM IN CLINICAL ENVIRONMENTS

SMBv1 is the protocol exploited by EternalBlue, the NSA-developed exploit leaked by Shadow Brokers in 2017 and weaponised in WannaCry and NotPetya. Both of those ransomware campaigns specifically devastated healthcare providers worldwide. SMBv1 is disabled by default in Windows 10 — but it is frequently re-enabled by clinical software installers and IT contractors who find it "easier" to leave it on for legacy compatibility. Check yours. Right now.

ARP Poisoning & Traffic Interception

On a flat network, an attacker can perform ARP cache poisoning — sending forged ARP responses to make the router think the attacker's machine is a legitimate host, and vice versa. This positions the attacker in a man-in-the-middle (MitM) position, allowing them to intercept, read, and modify all traffic between selected devices and the gateway — including unencrypted HTTP sessions to practice management portals, internal web admin pages for printers and NAS devices, and any clinical software that communicates over plain TCP.

BASH · ARP POISON + MITM (ETTERCAP)
# ARP poisoning — position between Dentrix workstation and router
ettercap -T -M arp:remote /192.168.1.10// /192.168.1.1//

# Once MitM is established, all traffic flows through attacker
# Capture credentials, session tokens, unencrypted data
→ Practice management login: admin / Password1!
→ NAS web UI session cookie captured
→ Printer admin page accessed — firmware extraction possible

Nessus: The Same View Whether You're Inside or Outside

This is the part that surprises most practice owners when I demonstrate it. Nessus Essentials — the free tier of one of the world's most widely used vulnerability scanners — is available to anyone. And when it comes to what it can see on your network, there is functionally no difference between someone connecting via your waiting room WiFi and someone running a scan from inside your building on a physical cable.

Once an attacker has a routed IP address on your network — whether via WiFi or Ethernet — Nessus sees the same hosts, the same open ports, the same running services, and returns the same vulnerability findings. The physical medium is irrelevant. Network access is network access.

Nessus Scan: Typical Small Practice Findings

CRITICAL

MS17-010 · EternalBlue SMB RCE · CVSSv3 9.8

RCE — NO AUTH

SMBv1 enabled on Windows 7/10 workstation. Remote code execution without authentication. An attacker on the same network segment can gain SYSTEM-level shell on this machine in under 90 seconds using publicly available Metasploit modules. This single finding means complete compromise of the affected workstation is trivial.

CRITICAL

Default Credentials · Router / IP Camera / NAS

AUTH BYPASS

Multiple devices responding to default manufacturer credentials (admin/admin, admin/password, root/root). TP-Link router, Hikvision camera, and HP printer all fully accessible with vendor defaults. Camera provides live and recorded footage of the clinical area. Router admin access allows DNS manipulation, traffic redirection, and persistent backdoor installation via firmware modification.

HIGH

Unauthenticated SMB Shares · CVSSv3 8.1

DATA EXFIL

SMB file shares accessible without authentication contain patient images (DICOM files), practice management backups, and financial records. An attacker can exfiltrate the entire contents of these shares silently. Patient images alone constitute protected health information under POPIA. This is a notifiable breach on its own.

MEDIUM

SSL/TLS Deprecated Protocols · Self-Signed Certs

MITM RISK

Internal web services (NAS admin, printer, IP camera) using TLS 1.0 or unencrypted HTTP. Self-signed certificates with no chain of trust. Users have been trained to click through certificate warnings. Any traffic to these internal services is susceptible to interception.

NESSUS ESSENTIALS IS FREE FOR UP TO 16 IPs

Tenable offers Nessus Essentials at no cost — unlimited scans against up to 16 IP addresses. A typical small practice has fewer than 16 devices. This means a complete professional-grade vulnerability assessment of your entire network is available to anyone who can reach your network. Your IT contractor should be running this against your practice quarterly. If they haven't mentioned Nessus, ask them why.

Lateral Movement: From Patient Phone to Patient Records

This is the attack chain that matters most. An attacker doesn't need to immediately target your most sensitive system. They can start anywhere — even from a patient's compromised phone — and work their way across the network. Each compromised device becomes a launching pad for the next attack.

1

INITIAL ACCESS — WIFI PASSWORD

Patient connects to practice WiFi. Receives 192.168.1.x IP via DHCP. Is now a fully routed member of the internal network. No firewall rules exist between WiFi clients and clinical devices because everything is on the same flat subnet.

2

DISCOVERY — HOST & SERVICE ENUMERATION

nmap -sV reveals all hosts. NetBIOS/mDNS passively identifies device names. SMB enumeration finds open shares. Printer web interface accessible on port 80 without credentials. Nessus scan returns full vulnerability list within minutes.

3

EXPLOITATION — INITIAL FOOTHOLD

Router accessed with default credentials. DNS settings modified to redirect traffic. Or: SMBv1 exploited on the X-ray workstation via EternalBlue. Metasploit delivers a Meterpreter shell in under 2 minutes. The attacker now has a persistent local presence.

4

LATERAL MOVEMENT — PIVOTING ACROSS DEVICES

From the compromised workstation, credentials are harvested from memory using Mimikatz. Those same credentials are reused across other hosts (credential stuffing internally). Pass-the-hash attacks allow authentication to the Dentrix server and NAS without ever cracking a password.

5

OBJECTIVE — DATA EXFIL OR RANSOMWARE

Patient records, clinical images, financial data, and staff credentials exfiltrated silently. Or: ransomware deployed across all reachable hosts simultaneously. The entire practice encrypted. Clinical operations halted. The ransom note appears on every screen.

💀

MIMIKATZ IN A DENTAL PRACTICE

Mimikatz is a credential extraction tool that reads plaintext passwords and NTLM hashes from Windows memory (lsass.exe). It requires local admin or SYSTEM access — which EternalBlue delivers. Once you have credentials from one machine, you attempt them everywhere. Most small practices reuse the same local admin password across all workstations. One successful EternalBlue exploit on the X-ray machine can cascade into full control of every Windows host in the building within minutes.

The Car Park Threat: You Don't Need to Come Inside

Here is the thing that most practice owners fail to internalise: physical presence in your building is not required for any of the above.

Modern 802.11n/ac/ax access points have a typical indoor range of 30–50 metres. In open air — like a car park — signal propagates further. A standard laptop WiFi card can comfortably associate with most practice APs from a car parked outside. A Alfa AWUS036ACH USB adapter with a directional antenna extends effective range to 200–300 metres. An attacker sitting in their car, in your car park, on their laptop, is network-equivalent to a patient sitting in your waiting room.

SCENARIO · CAR PARK ATTACK
# Attacker is parked 40m from your entrance
# They obtained your WiFi password trivially:
  → Asked a patient who remembered it
  → Read it off your WiFi card shared on social media
  → Brute-forced WPS PIN (common on consumer APs)
  → Performed PMKID attack on WPA2 handshake passively

# They are now on your network. Nessus scan initiated:
10:43:12 Starting Nessus scan against 192.168.1.0/24
10:46:55 Scan complete. 14 hosts discovered.
10:46:55 Critical: 3  High: 7  Medium: 12  Info: 44

# They haven't touched a door handle
# Your CCTV shows an empty car park
# The breach has already happened

WPA2 Is Not As Safe As You Think

WPA2-Personal (the PSK mode virtually every practice uses) has a well-documented offline cracking attack. When any device connects to your network, a 4-way EAPOL handshake is transmitted over the air. An attacker can passively capture this handshake — or force a re-authentication by sending a single deauth frame — and then take the handshake offline for dictionary and brute-force attacks. Tools like hashcat running on a mid-range GPU can test billions of password combinations per second. A weak password ("Practice@2021", "Dental123", the street address) falls quickly.

The PMKID attack, published in 2018, is even more convenient — it doesn't even require capturing a client handshake. An attacker can derive the cracking hash directly from the router's beacon frames. No client needs to connect. No one needs to be in the building.

🔑

YOUR WIFI PASSWORD IS THE FRONT DOOR

A WiFi password is only as strong as its entropy. "DrSmith2024!" can be cracked in hours with rockyou-based wordlists and rule mutations. A true random 20-character password (e.g., xK9#mQ2vBp$nL4wJtY7r) is computationally infeasible to crack. The difference in user experience is one extra second of typing. The difference in security is everything.

Hardening Your Network: What You Must Do

The good news: the gap between a fatally vulnerable practice network and a defensible one is not enormous. You do not need enterprise-grade hardware or a full-time security team. You need the right architecture and a handful of non-negotiable configuration changes.

Correct Network Architecture: Segmented Practice Network

GUEST / PATIENT VLAN — Isolated, Internet Only

Patient Phones Visitor Laptops

→ Internet access only. No access to any other VLAN. Client isolation enabled. Separate SSID. Rotate password monthly.

▼ FIREWALL / VLAN BOUNDARY — No cross-VLAN routing ▼

CLINICAL VLAN — Wired preferred, isolated WiFi if needed

Dentrix / Exact / Carestream X-ray / Imaging PCs NAS / Patient Data

→ Wired Ethernet wherever possible. No patient devices ever reachable. Patched. Monitored.

▼ FIREWALL / VLAN BOUNDARY ▼

ADMIN / STAFF VLAN — Separate from clinical and guest

Reception PC Printer VoIP Phones

→ Limited access to clinical VLAN via firewall rules. No access from guest VLAN ever.

The Non-Negotiable Hardening Checklist

VLAN SEGMENTATION — SEPARATE EVERYTHING

This is the single highest-impact change you can make. A guest VLAN must have no routed access to clinical or admin VLANs — only Internet. Most modern APs (UniFi, Mikrotik, even consumer TP-Link Omada) support VLANs and multiple SSIDs natively. If your current AP doesn't, replace it. A UniFi U6 Lite is under R1,500. A notifiable data breach will cost you infinitely more.

ENABLE CLIENT ISOLATION ON GUEST SSID

Client isolation prevents devices on the same WiFi SSID from communicating directly with each other. Even on the guest network, patient devices should not be able to talk to other patient devices. This prevents one compromised patient device from attacking another guest, and blocks certain ARP-based attacks. This is a single checkbox in your AP's guest network settings.

STRONG, ROTATED WIFI PASSWORDS + WPA3

Guest network password: minimum 16 random characters, rotated monthly. Display it on a screen that refreshes, not on a permanent card. Use WPA3 where supported — it uses SAE (Simultaneous Authentication of Equals) which eliminates offline PMKID and dictionary attacks entirely. For your clinical SSID (if WiFi is unavoidable), WPA2-Enterprise with 802.1X authentication and individual certificates per device is the gold standard.

DISABLE SMBv1 AND AUDIT OPEN SHARES

Run: Get-SmbServerConfiguration | Select EnableSMB1Protocol on every Windows machine. If it returns True, run Set-SmbServerConfiguration -EnableSMB1Protocol $false. Then audit every shared folder. Nothing should be writable without authentication. Nothing clinical should be readable without authentication. No exceptions for "convenience."

CHANGE ALL DEFAULT CREDENTIALS IMMEDIATELY

Every router, printer, IP camera, NAS, and access point must have its default password changed before it touches your network. Compile a credential inventory. Use a password manager. Nessus default-credential checks are run by every script kiddie with a laptop. Do not be found by them. This takes 30 minutes and closes a critical-severity finding.

RUN NESSUS ESSENTIALS AGAINST YOUR OWN NETWORK — QUARTERLY

Download Nessus Essentials for free from Tenable. Scan your practice from inside (on the clinical VLAN). Then scan from the guest VLAN. Compare what's visible. If the guest scan can see clinical hosts, your segmentation is misconfigured. Remediate and re-scan. This is the same view an attacker gets — know your attack surface before they do.

PATCH. EVERYTHING. ALWAYS.

Windows Update must not be deferred indefinitely. If your clinical software vendor says you cannot update Windows, engage them to provide a supported OS version or accept the liability in writing. An unsupported OS with unpatched critical vulnerabilities on a network connected to patient data is a POPIA compliance failure. Document every patching decision and its rationale. The Information Regulator will ask.

DISABLE WPS ON YOUR ACCESS POINT

WiFi Protected Setup (WPS) PIN brute-force attacks can recover your WPA2 passphrase in hours on most consumer APs, regardless of password complexity. WPS is enabled by default on most routers. Log into your AP admin panel and disable it. There is no legitimate reason for WPS to be enabled in a professional environment.

The Bottom Line

Sharing your WiFi password with patients is not a small kindness — it is an access grant to a node on your clinical network. Every unpatched system, every default credential, every open SMB share that exists on that network is now reachable by anyone who has ever sat in your waiting room. And they don't need to be in your waiting room at all. They just need to be close enough to connect.

The attacker in this scenario doesn't need to be sophisticated. They need nmap, Nessus Essentials, and the password from your reception desk. The entire attack chain described in this article uses free, publicly available tools that appear in every penetration testing course on the internet. The tools are not the problem. The flat, unsegmented network is the problem.

VLAN segmentation, strong passwords, WPA3, disabled SMBv1, changed default credentials, and quarterly Nessus scans. Those eight things, implemented properly, close the majority of the attack surface described above. They cost almost nothing compared to the cost of a breach, a ransomware payment, an Information Regulator investigation, or the reputational damage of telling your patients their medical records were compromised because you shared the WiFi password.

🛡️

WANT A REAL ASSESSMENT?

I assess dental and medical practices across South Africa from both the guest WiFi and the clinical network perspective. I know your software. I know what Nessus finds. I know where the bodies are buried. If you want to know what an attacker sees when they sit in your waiting room — before an attacker sits in your waiting room — get in touch.