Root Canal or Rootkit? Why Your Dentist’s PC Might Be More Dangerous Than the Drill
The Dental Time Machine You Never Asked For
You’re at the dentist, maybe getting a check-up, or maybe something worse. You glance over. Sitting on the desk behind the receptionist is a computer that looks like it belongs in a historical reenactment of the early 2000s.
It’s running Windows XP. Or Windows 7. You can tell instantly. That default wallpaper is burned into your brain from childhood.
This isn’t quaint. It’s horrifying.
At that moment, you realise: This place has your name, your NHS number, your medical history, your contact details, and maybe even payment information. And it’s all running on software that stopped being supported years ago.
Not years as in one or two. Try five. Try more than a decade in the case of XP.
That machine should be in a skip. Instead, it’s in charge of your mouth.
A Quick Recap of How Bad This Really Is
Let’s put some dates to this farce.
Windows XP lost support in April 2014.
Windows 7 lost support in January 2020.
That means these systems haven’t had security patches since before COVID. Before TikTok. Before the term "hybrid working" existed. XP was done before the iPhone became mainstream.
Every second those machines are switched on, they become a security liability. They are not just unsupported; they are actively vulnerable.
Think of them as open wounds in a sterile environment. You wouldn’t accept surgical instruments from 2003. Why accept software from the same year?
Unsupported Means Unsafe, Every Time
If a piece of software isn’t getting patched, it isn’t safe. It is that simple.
The moment Microsoft stopped pushing updates, these operating systems became soft targets. They can’t protect themselves. They can’t defend your data. They don’t understand modern encryption. They don’t talk properly to updated browsers, antivirus tools, or backup systems.
They are digital corpses pretending to be computers.
Still think it’s fine? Consider this. A huge chunk of modern malware is designed to sniff out outdated systems. Once it finds one, it exploits vulnerabilities that have been patched for everyone else.
Your dentist’s ancient Windows box might already be infected. They probably don’t even know.
GDPR Wasn't Optional
Under the UK GDPR, organisations that handle personal or sensitive data are legally responsible for keeping that data safe. That’s not a suggestion. That’s the law.
Health data is considered "special category" information, which means extra rules apply and stronger protection is required.
Running your dental practice on Windows XP or Windows 7 in 2025 fails that requirement. Completely.
No clause in the law says "unless your receptionist prefers the old interface." You cannot hide behind nostalgia or cost-saving when putting thousands of people’s private medical information at risk.
And yet, here we are.
The Excuses Are Getting Old, Too
The excuses always sound the same if you talk to these practices or their IT providers.
“It still works.”
“Our practice management software doesn’t run on newer systems.”
“We don’t have the budget.”
“Nothing bad has happened yet.”
All of these translate to one thing. We can’t be bothered.
The software excuse is especially infuriating. If your dental software only runs on XP or 7, it is long past its use-by date. If your provider hasn’t upgraded it in a decade, they are not just incompetent; to put it clearly and simply, they are extremely dangerous.
You wouldn’t trust a dentist using rusty tools because "they still work." Don’t trust their systems either.
A Word on Air Gapping, That Favourite Myth
Another excuse you’ll hear is this one.
“Oh, it’s not online. It’s air-gapped.”
Let’s unpack that.
Unless the computer is physically isolated, has no USB ports, Wi-Fi, or Bluetooth, and is locked in a room with a chain of custody log, it is not air-gapped. It’s just disconnected. And probably not even that. What about the fancy X-ray machines that talk to it, for starters? You just know they are connected to the cloud for monitoring purposes…
Chances are, someone still plugs a USB in every day. Or the system is used to print things. Or maybe they connect it to email occasionally. At that point, it’s no safer than any other unprotected machine.
Air gapping isn’t a magic phrase that stops ransomware. It’s a specific, controlled configuration. Most surgeries claiming to be air-gapped have no idea what it means.
What Happens When the Worst Happens
So let’s say this dental practice gets hit.
Maybe someone clicks a phishing link, an attacker finds the old machine via exposed RDP, or a supplier gets breached and leaks their credentials. Whatever the cause, the result is the same.
Ransomware. Encryption. Patient records gone.
That might include names, dates of birth, NHS numbers, treatment plans, and financial details. If they had no decent backups, that data is gone. If the backup was stored on the same network, it’s probably encrypted too.
Best case? They lose a week of appointments.
Worst case? They go out of business.
And yes, this has happened before.
A Real-World Horror Show
In 2023, a dental practice in Australia was hit by ransomware. The practice was using a local records system that only ran on Windows 7. The entire patient database was encrypted, and there were no off-site backups.
They didn’t pay the ransom and didn’t recover the data. Within three months, the practice closed.
In the UK, several private practices have reported incidents to the ICO, many of which were never made public. When they do go public, it’s because the breach is so bad it can’t be hidden.
And you can bet that every one of those surgeries said the same thing before it happened.
“It’s fine. Nothing bad has happened yet.”
Let’s Talk About Backups
If your systems are ancient, your backups probably are too. I’ve lost count of how many places I’ve seen still backing up to:
USB sticks
External hard drives
NAS boxes on the same network
Cloud services that haven't been tested since setup
One even emailed their backup to themselves every Friday.
Newsflash. If your backup is accessible to your compromised machine, it’s toast. You’ve created a second copy of your failure, not a backup.
Modern backups should be encrypted, tested, stored offsite or in an immutable cloud, and monitored.
Anything less is just paperwork waiting to burn.
The IT Providers Are Not Innocent
Let’s not pretend this is all the dentist’s fault. Someone is getting paid to maintain this mess.
That someone is usually an outsourced IT provider, often a “mate who does computers.” Or worse, a so-called MSP that hasn’t updated its playbook since Windows Vista.
If you’re an IT provider allowing XP or 7 to stay in production, you’re part of the problem. You are not providing a service. You are delaying a breach.
At the very least, you should document the risk and push for change. Ideally, you should refuse to support it entirely.
Because when the breach hits, guess whose name comes up during the forensic investigation? Yours.
What Should the Setup Look Like?
Let’s make this simple.
Windows 10 or 11 only
All systems auto-patched weekly
Full disk encryption with BitLocker
Cloud-based records software with MFA
Proper role-based access
EDR/MDR endpoint protection
Secure email scanning
Immutable off-site backups
Mandatory security awareness training for all staff, at least quarterly
Cyber Essentials Plus certification
That’s not a wishlist. That’s the baseline for operating any healthcare practice in 2025. Anything below that is reckless.
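As an added illustration (not part of the original article), the script below is a read-only audit that checks one Windows endpoint against the first four items of that baseline: supported OS, recent patching, BitLocker on the system drive, and real-time endpoint protection. It assumes an elevated PowerShell session on a machine with the BitLocker and Defender modules present (Windows 10/11 Pro or better); the 30-day patch threshold is an assumption, not a figure from the article.

```powershell
# Added example: audit a single endpoint against the baseline above. Changes nothing.
# Assumptions: elevated session; BitLocker and Defender PowerShell modules available.
$findings = @()

# 1. Operating system: anything below Windows 10 is end-of-life.
$os = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
if ($build -lt 10240) {            # 10240 = first Windows 10 release build
    $findings += "FAIL  OS '$($os.Caption)' (build $build) is end-of-life; migrate to Windows 10/11"
} else {
    $findings += "PASS  OS '$($os.Caption)' (build $build)"
}

# 2. Patching: most recent installed update must be within 30 days (assumed threshold).
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "FAIL  No update installed in the last 30 days (last: $($lastFix.InstalledOn))"
} else {
    $findings += "PASS  Last update $($lastFix.HotFixID) installed $($lastFix.InstalledOn.ToShortDateString())"
}

# 3. Full disk encryption: the system drive must be BitLocker-protected.
try {
    $sys = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    if ($sys.ProtectionStatus -eq 'On') {
        $findings += "PASS  BitLocker protection is On for $($sys.MountPoint)"
    } else {
        $findings += "FAIL  BitLocker protection is $($sys.ProtectionStatus) for $($sys.MountPoint)"
    }
} catch {
    $findings += "FAIL  BitLocker not available on this system ($($_.Exception.Message))"
}

# 4. Endpoint protection: Defender real-time protection must be on at minimum
#    (a dedicated EDR/MDR agent is expected on top of this).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if ($mp.RealTimeProtectionEnabled -and $mp.AntivirusEnabled) {
        $findings += "PASS  Defender real-time protection enabled (signatures $($mp.AntivirusSignatureLastUpdated.ToShortDateString()))"
    } else {
        $findings += "FAIL  Defender real-time protection is disabled"
    }
} catch {
    $findings += "FAIL  Could not query Defender status ($($_.Exception.Message))"
}

$findings | ForEach-Object { Write-Output $_ }
# Non-zero exit lets an RMM or scheduled task flag the machine for follow-up.
if ($findings -match '^FAIL') { exit 1 } else { exit 0 }
```

A machine that fails check 1 will typically fail the others too, since BitLocker and Defender cmdlets are not available on XP or 7; that is the point.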
What You Can Do as a Patient
If you spot XP or 7 while sitting in the chair, speak up.
Ask them why they’re still using it, what their IT provider says, and if they are compliant with the UK GDPR.
Watch how fast they change the subject.
If you feel brave, report them to the ICO. You don’t need to give your name. It takes five minutes. And it might save your data, and the data of thousands of others.
https://ico.org.uk/make-a-complaint/
Final Word: Enough Is Enough
There is no excuse! Not in 2025, not with ransomware hitting record highs, not with free guidance, better tools, and a mountain of case studies showing what happens when you ignore the basics.
If your dentist is still using Windows XP or 7, they need to stop, not next quarter, not next year, but now.
If they refuse, find a new one.
Because if they don’t care about the security of your records, what else are they cutting corners on?
Addendum: Naming and Shaming Those Still Supporting EOL Systems in 2025
Let’s be absolutely clear. If you're a dental software provider still marketing compatibility with Windows XP or Windows 7 in 2025, you are actively enabling catastrophic risk. You are part of the problem.
Yes, migration is hard. Yes, the dental industry can be conservative. But that does not excuse vendors from propping up insecure tech that should have been scrapped years ago.
Here are the offenders, as found in public documentation:
🔴 Practice-Web Dental Software
Status: Still lists compatibility with Windows XP, Vista, and Windows 7.
Source: Dental Compare Listing
Comment: This is indefensible. The moment Microsoft dropped support, you should have too. Stop dragging your customers into compliance hell.
🔴 Pearl Dental Software
Status: Explicitly calls out XP support being discontinued — but waited until very recently.
Source: Windows XP: Rest in Peace
Comment: Better late than never, but why were customers allowed to stay on XP for this long?
🟡 Planmeca Romexis
Status: Announced XP support ending at version 3.6.0.R
Source: Romexis Release Info
Comment: At least they publicly declared it, but questions remain on how long it was quietly allowed.
🟡 Carestream Dental (SoftDent)
Status: OS support not clearly disclosed
Source: SourceForge listing
Comment: The silence is suspicious. In 2025, if you're still supporting legacy installs without declaring OS support policies, you're not being transparent.
🟢 CareStack
Status: Fully cloud-based, OS agnostic
Source: carestack.com
Comment: This is how it's done. No legacy dependencies, secure by design. Good.
🟢 Dentally
Status: Cloud-first, supports modern browsers and platforms
Source: Dentally Help Article
Comment: Secure, scalable, and forward-looking. Nothing runs locally, nothing relies on EOL hardware. Gold star.
🟡 Software of Excellence (EXACT)
Status: Unclear
Source: softwareofexcellence.com
Comment: Modern system, but operating system requirements are not clearly published. Time to be explicit. State your standards.
🟡 Systems for Dentists (SFD)
Status: OS requirements not available
Source: sfd.co
Comment: No excuse in 2025 for not publishing platform support. Transparency builds trust. Publish your minimum spec.
🟡 Dentsys Edge
Status: No clear OS support information
Source: dentsys.co.uk
Comment: Like SFD, this needs a public declaration. If you don’t support EOL systems, say so. If you do, explain yourself.
Final Thought
If you are a vendor still clinging to Windows XP or Windows 7 support, you are helping your clients fail GDPR compliance, even if only passively. You are increasing their breach risk. You are making them a headline waiting to happen.
It’s time to draw a line.
Upgrade your software. Update your requirements. Educate your clients.
And for the love of all that is encrypted, stop enabling Windows XP.
| Source | Article |
|---|---|
| Microsoft | Windows XP Lifecycle Information |
| Microsoft | Windows 7 End of Support |
| ICO | Data protection advice for healthcare providers |
| NCSC | 10 Steps to Cyber Security |
| SonicWall | 2023 Cyber Threat Report |