"I do not trust the cloud with patient data. Our server in the back office is more secure."
TMR hears some version of this from dentists every week. It is an understandable instinct. You can see your server. You can touch it. It feels secure because it is physically present.
But the breach data tells a different story.
The Numbers Do Not Lie
In 2025, the healthcare industry recorded at least 642 large data breaches affecting over 57 million people. Hacking and IT incidents accounted for 76.7% of those breaches. The majority did not come from sophisticated cloud platform attacks. They came from the kinds of vulnerabilities that are common in on-premise environments: unpatched software, misconfigured networks, phishing attacks on staff credentials, and improperly secured databases.
Absolute Dental, a Nevada practice with 50+ locations, suffered a breach in February 2025 that exposed records on over 1.2 million individuals. The compromised data included names, Social Security numbers, health histories, diagnosis and treatment information, insurance details, and financial account information.
How did the attackers get in? Through a malicious version of a legitimate software tool, executed via an account associated with the practice's managed services provider -- their IT company. The very people hired to keep their on-premise systems secure became the attack vector.
TMR Take: The Absolute Dental breach illustrates why relying solely on a single IT provider is not a complete security strategy. A cloud platform with 24/7 automated monitoring would have flagged anomalous access patterns within minutes.
Why Cloud Platforms Have a Security Advantage
What Cloud Platforms Provide (Standard)
- AES-256 encryption for data at rest and in transit
- 24/7/365 security monitoring by dedicated security operations teams
- Automatic security patching -- vulnerabilities fixed within hours
- Multi-factor authentication (MFA) as a default
- Role-based access controls with audit logging
- Geographic redundancy -- data exists in multiple secure data centers
- SOC 2 Type II, HITRUST, or ISO 27001 certifications
- Regular penetration testing by third-party security firms
Common Challenges with On-Premise Security
Many dental offices running their own servers face practical security gaps -- not from negligence, but from the reality of running a busy practice:
- Software updates may fall behind when the team is focused on patient care
- Firewall configurations set during initial setup may not be revisited regularly
- Backups stored on-site are vulnerable to the same physical risks as the server
- MFA adoption can lag when it adds friction to daily workflows
- 24/7 monitoring and intrusion detection require dedicated resources most practices do not have
"But Cloud Providers Are Bigger Targets"
Yes, cloud providers are higher-value targets. But:
- Cloud providers spend hundreds of millions annually on security. You are paying for a fraction of that investment through your subscription.
- Major cloud platform breaches at the infrastructure level are extraordinarily rare. Most "cloud breaches" are actually breaches of customer applications.
- Healthcare practices of all sizes are targets. Ransomware gangs actively target organizations that store valuable PHI.
TMR Take: The question is not "can the cloud be breached?" Everything can be breached. The question is "who provides stronger security infrastructure -- a cloud platform with a dedicated security team, or a dental office managing security alongside patient care?" For most practices, the cloud platform has the advantage.
The Real Cloud Considerations (And How to Address Them)
Internet dependency. If your internet goes down, you lose access. Address this with a backup internet connection (cellular hotspot or secondary ISP).
Data portability. Understand your vendor's data export policies upfront. Negotiate data portability clauses before you sign to ensure you always have access to your information.
Shared responsibility. The platform secures the infrastructure; you are responsible for strong passwords, MFA, user access management, and staff security training.
What You Should Expect from Any Cloud Vendor
- AES-256 encryption at rest and in transit
- SOC 2 Type II or HITRUST certification (ask for the report)
- Multi-factor authentication (mandatory, not optional)
- Role-based access controls with audit logging
- Business Associate Agreement (BAA) executed before any data transfer
- Documented incident response plan with specific notification timelines
- Geographic redundancy for disaster recovery
- Annual third-party penetration testing
These are standard expectations for any cloud dental software vendor handling patient data.
The Bottom Line
Over 60% of U.S. dental practices have already migrated to cloud services. For most practices, cloud platforms offer a stronger security posture than on-premise servers -- not because on-premise cannot be secured, but because cloud providers dedicate far more resources to security than any individual practice can.
Security is not a feeling. It is a measurable, auditable set of controls. And by most objective measures, a well-run cloud platform provides stronger protections than a typical dental office server environment.



