How to Review a Dental IT Support's Work (Quality Checklist)

My first dental IT vendor sent over a “network assessment report” that was eleven pages of screenshots and two sentences of actual findings. I paid $1,200 for it. When I asked what was wrong and what they fixed, I got a shrug and a renewal quote.

That’s the dirty secret of dental IT support: most practices have no idea how to tell good work from busywork. And the vendors know it.

Here’s what I learned after that experience — and after talking to practices that had gone through ransomware recovery, HIPAA audits, and software migrations — about what quality dental IT work actually looks like, and how to check it yourself.

The Short Version: Good dental IT support is measurable. Encrypted EHR, sub-30-second image loads, segmented Wi-Fi, current hardware, and documented audit trails aren’t optional — they’re table stakes. If your vendor can’t show you evidence of each one, that’s a gap, not a mystery.

Key Takeaways:

• Workstations running unsupported operating systems are immediately exploitable — no grace period
• Hardware older than 3–5 years is a liability on your IT vendor’s watch, not just bad luck
• A complete review covers four areas: cybersecurity, imaging performance, network integrity, and documentation
• “We checked everything” without written deliverables is not a deliverable

---

The Four Areas That Actually Matter

Here’s what most people miss: dental IT isn’t one thing. It’s four distinct problem domains that require four distinct review passes. Most practices treat it as one opaque service and wonder why things still break.

1. Cybersecurity and HIPAA Compliance

This is where the legal exposure lives. The checklist is not complicated, but it has to be verified — not assumed.

Your IT provider should be able to show you, in writing:

That last row is non-negotiable. A workstation running an unsupported OS isn’t a “we’ll get to it” item — it’s an open door. No patch cycle means no protection.

Reality Check: If your IT vendor’s risk assessment is a generic template with your practice name dropped in, it doesn’t count. A real assessment names your specific software versions, your actual network topology, and your real access control gaps. Ask for the previous year’s version and compare. If nothing changed, ask why.

2. Imaging and Practice Management Software Performance

Two-minute image load times are not a hardware problem waiting to happen — they’re a billable hour problem happening right now. Every time a hygienist waits on a 3D scan, a provider apologizes to a patient, or a billing crash interrupts checkout, that’s recoverable revenue that left.

What to verify:

• Image load times: 3D CBCT files should render without buffering on your local server. If your vendor says “it’s the file size,” push back — proper server and network configuration handles it.
• PMS stability: If Dentrix, Eaglesoft, or Open Dental is crashing during billing, that’s an update or configuration issue, not a software conspiracy. Your IT vendor owns that.
• Traffic segmentation: Clinical imaging traffic should never compete with streaming or administrative browsing on the same pipe.

Pro Tip: Run a stopwatch on your next full-mouth X-ray load and your PMS checkout process during a busy Tuesday afternoon. That’s your real benchmark, not what the vendor told you during the sales call.

3. Network and Hardware Integrity

Guest Wi-Fi on the same network as your clinical systems is a configuration error that took about five minutes to avoid. If it exists in your practice, that’s not something that slipped through — it’s something your IT vendor either didn’t check or didn’t fix.

Review this list at your next quarterly check-in:

• Guest and clinical networks are fully segmented
• All workstations running supported operating systems
• Server hardware within 3–5 year refresh window
• No single points of failure (backup server, offsite backup confirmed)
• Firewall firmware current
• Remote monitoring agent active on all endpoints

The 3–5 year hardware cycle isn’t arbitrary. Aging workstations create bottlenecks that no software update can fix, and lifecycle planning should be part of your managed services agreement, not a surprise invoice.

4. Documentation and Audit Trails

This is the area where good vendors separate themselves fastest, because bad vendors almost never do it.

After any IT work — routine maintenance, an incident, a software update, a new workstation deployment — you should receive a written record that includes:

• What was done
• What was found (including anything they didn’t fix and why)
• Who performed the work
• When it was completed
• What changed from before to after

For AI-assisted diagnostic software specifically, the bar is higher. Sensitivity and specificity metrics must be disclosed by the vendor — any claim of 100% accuracy is a red flag, not a selling point. Audit trails should capture manual overrides, and performance calibration should happen on a documented schedule.

Reality Check: California dentists face mandatory annual on-site QA reviews by DMHC covering facility, equipment, and patient records. If you’re in a regulated state and your IT documentation wouldn’t survive that review, it’s not just a vendor problem — it becomes your problem.

---

When to Request Re-Work

Don’t negotiate on these:

• Any workstation running end-of-life software — replace or remediate, same week
• Unencrypted patient data anywhere in your workflow
• No written risk assessment in the last 12 months
• Clinical and guest networks on the same segment
• Hardware past the 5-year mark with no lifecycle plan documented

Push back with specifics. “Our imaging performance doesn’t meet our standard” is harder to deflect than “our 3D files are taking over 90 seconds to render.”

---

The Downloadable Checklist Version

Print this and run it quarterly:

Cybersecurity

• EHR encrypted at rest and in transit
• User permissions audited; no terminated staff with active access
• Audit logs retained (90 days minimum)
• Annual risk assessment completed and dated
• Zero end-of-life operating systems in practice

Performance

• 3D image load time under acceptable threshold (test it)
• PMS running current version; no crash reports in last 30 days
• Clinical traffic segregated from guest/administrative

Network and Hardware

• Guest Wi-Fi on separate segment
• All hardware within 3–5 year lifecycle window
• Offsite backup confirmed active

Documentation

• Written report received after every service visit
• Findings documented, not just completed tasks
• AI diagnostic software metrics disclosed and current

---

Practical Bottom Line

The best dental IT vendors welcome this checklist. They’ll have documentation ready before you ask, they’ll flag the hardware refresh conversation proactively, and they’ll tell you exactly what they found — including the things they didn’t fix yet and why.

The vendors who get defensive when you ask for written deliverables are showing you something important.

Start with the cybersecurity column. If your IT provider can’t produce a signed risk assessment from the last 12 months and a current list of your OS versions in the next 48 hours, you have a gap that matters legally, not just operationally.

For a broader look at how to evaluate and hire the right provider from the start, the Complete Guide to Dental IT Support covers what credentials to look for, what a managed services agreement should include, and the questions that separate specialists from generalists.