Possible Opportunity for Dental Office

If each user is logging into their own account on Patterson Eaglesoft dental software, is it really a security concern that they share a login to the computers themselves?
Obviously, this doesn't apply to the front desk staff who are using M365 apps and what not, but the dentists & hygienists who are using strictly the Patterson software.

HIPAA strongly recommends unique logins per employee. How can you "prove" that nothing was downloaded locally on the workstation... that is shared with others? How can you prove who inserted a USB drive that... downloaded something, or uploaded something? How can you prove that... etc., etc.
Employee termination, or even just... retiring. HIPAA mandates all access be terminated quickly and cleanly.
Without proper setup of unique logins... you have a huge... huge uphill battle.
 
@YeOldeStonecat

I'm not arguing anything about what you've said in regard to HIPAA, but if @Velvis does NOT sign on as their HIPAA compliance officer, and, in fact, put it in writing that he is not such, that should cover him. Note: Anyone who's thinking of doing IT in environments that require HIPAA compliance, and particularly those who are not willing to accept responsibility for compliance, should have the contractual language drawn up by a lawyer. It should be boilerplate, but it's well worth having professionally drawn up boilerplate that's ironclad in insulating you from that role and responsibility.

One of the reasons I refuse to take any of this on is because it is well-nigh impossible to ensure that there is, in actuality, full compliance. And even those who take on the role of HIPAA compliance officer as a third party will often put it in the contract that they are not responsible if the client fails to follow any one of the recommendations that they make.

If someone who doesn't "do HIPAA compliance" for a living gets involved in IT where it's necessary, there had better be contractual language that holds them harmless for compliance violations.

I have hated HIPAA as both a former healthcare provider and as an IT person because virtually no one really understands what compliance really entails, and even those who do cannot be held responsible if those "on the ground" work around certain things (e.g., exactly what's being talked about here). It's all a freakin' house of cards! I honestly doubt that virtually any healthcare organization would pass a strict audit for HIPAA compliance, primarily because it's unreasonable to expect that there will be no shared workstations where logins to the workstations themselves aren't going to be at the individual level. I've never worked in a healthcare setting where things like labs are involved where walk-up workstations are not the norm and no one ever logs in to them with an individual user ID.
 
Business Premium adds many services that do not care if you're hybrid joined, AzureAD registered, or azure AD joined.

Conditional Access is a huge feature I don't want to manage any business client without.
Having the additional Defender protection for inbound spam, phish, safe links, safe attachments, anti impersonation...features I do not want any business to be without
Enforcement of MFA via conditional access...something I don't want to manage a client without
Entra P2 adds important "risk" features I'd not want to support a more risky (compliance) business...without
InTune... actually helps keep costs lower because you can "automate more". Many IT people fail to grasp that, so they're not able to educate the client on... "well, yes... this costs more, but... I do things much quicker, so in the end it saves you money because there is less labor from my side". Not to mention, proof of... setting up many important security features that compliance requires (proof as in... InTune configuration profiles... and their logging... to show proof things are done).
Would you think something like Huntress is necessary in addition to Business Premium?
 
Huntress is monthly invoicing....and your price varies greatly on how many endpoints you'll be carrying over. We brought over around 1400 for the EDR, (the EDR is their endpoint detection and remediation)..which is "managed" by them.
They matched our pricing that we had with SentinelOne...as we played the "competitive upgrade game". I think at our volume, the starting point was a "cost" of around 3 bucks an endpoint per month.

I forget what their minimum was...50 endpoints I think...didn't pay attention to that as I knew we'd clear it.
Not sure what the cost is...at a lower volume like that.

The Microsoft 365 monitoring component is another product of theirs, called ITDR....I was trying to get him under a buck per...but he would not go that low.

When you start getting to the "better level" EDRs....custie prices get more towards 7 bucks and upwards. You should see "BlackPoint".
 
Thank you!
 
Fast running server...10 gig switch interface to server.
Fast running network
Fast workstation

Dental offices have software that....needs speed.

You want "business continuity" backup...like Datto/Axcient.

HIPAA....HIPAA HIPAA HIPAA.

M365 Business Premium for a minimum license. Stack on Entra ID P2.
Fully leverage conditional access
Get that 365 tenant security score up above 60, above 70...shoot for 80.

Fast response times needed....xray imaging stops working, etc. Need to get them back up and running quick.

Credit card processing....gotta keep that going. I have worked with a small dentist office that ran Patterson Eaglesoft..many years ago. They closed, the other dental offices we manage run on Dentrix and Dexis. Sometimes their credit card service gets sleepy.

Many dental offices open early, taking appointments starting at 0700....so be ready for that.

Set them up on a professional cybersecurity training...one of those "monthly" trainings that's documented with individual employee tracking.

Pretty much their cybersecurity insurance will provide a list.
Question about Business Premium, would you suggest each person in the office have that even if they would not be taking part in any of the Office apps or need email accounts?

Essentially, a good portion of the employees would only be using the Patterson Dental software and just need the login benefits/Windows Defender that Business Premium brings but not Word, Excel, OneDrive, or an email account. Many of the employees would be using the same computers throughout the day.

Is there a lower tier that would allow something like this?
 
Depends...

If Entra ID is serving as your central directory, then all users will need a login there. Those users, however, would only potentially require Entra ID P1 if all they need is a Conditional Access–protected login from the cloud directory.

If you want full endpoint management, the best way to go is M365 F3 + F5 Security.

M365 F3 includes a kiosk mailbox, Entra ID P1, Intune P1, Windows 10/11 Enterprise: basically everything you need to manage endpoint devices, whether they’re Windows, Android, or iOS. That’s $8/user/month.

Then there’s M365 F5 Security. This is M365 E5 Security for frontline workers: Defender for Endpoint P2, Defender for Identity, Defender for Cloud Apps, everything Defender. This license is also $8. So for $16/user/month, you get full enterprise-grade security for users who need a cloud-managed endpoint. If you require compliance, the F5 Security and Compliance bundle is $13. That brings you to $21/user/month, still below Business Premium pricing, but in many ways it's even more power than Premium provides!

I use this combo as much as I can, because the environments that need the full stack are otherwise up against M365 E5 (no Teams) + Teams Enterprise, which runs about $60/user/month. Cutting that to a third makes a real difference.

Your bare-minimum setup, Entra ID login + Intune + Defender for Endpoint P2, would be Enterprise Mobility + Security E3 ($11.13) + Defender for Endpoint P2 ($5.46), totaling $16.59/user/month. The reason I don’t recommend that combo is the lack of a CASB (Cloud Access Security Broker).

But did you see the other reason I go with F3 + F5 Security? It’s cheaper by $0.59/user and does much more. Use and abuse the F-series SKUs wherever possible.

The F-series combo also includes Defender for Cloud Apps, which really needs to be paired with M365 Business Premium. On its own, Defender for Cloud Apps is $4.20/user/month. Defender for Cloud Apps is IMHO the best security investment any org can make after identity itself.

Why do this? If you’re going to use Entra, then you need to use Entra. That means all those web apps your customer depends on? They get SSO integrated with Entra logins. Once that’s in place, you layer on Defender for Cloud Apps and—bam—every one of those apps now has a firewall in front of it. Conditional Access extends over the top.

You can do powerful things like: “Want to log in to Dentrix? OK—but only from the office.”

This is real security coverage. Real risk reduction. But it means not just deploying Business Premium—it means actually using all the features it brings to the table. That’s hard. That’s a ton of work. And that's also where most providers fall short. The SMB has so much power in their hands with Business Premium, but we aren't selling it, and they aren't buying it, because they don't realize the return. Do M365 correctly, and it makes everyone buckets of money; there is simply no competition. Do it wrong, and your customer will run off to anywhere else, just to get away.
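An added example (the editor's, not from this post or from Microsoft's documentation) of the "only from the office" rule described above, built with the Microsoft Graph PowerShell SDK. It assumes Dentrix has already been integrated as an Entra enterprise application, as the post describes; the office CIDR, the application ID and the display names are placeholders. The policy is created in report-only mode so sign-in logs can be checked before it is enforced.

```powershell
# Added example, not from the thread: "log in to Dentrix only from the office"
# expressed as an Entra Conditional Access policy via the Microsoft Graph PowerShell SDK.
# Assumptions (placeholders): the office's public egress CIDR and the Entra
# application (client) ID of the SSO-integrated Dentrix app.
Import-Module Microsoft.Graph.Identity.SignIns

# Delegated scopes needed to create named locations and Conditional Access policies
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$officeCidr   = '203.0.113.0/24'                         # placeholder (TEST-NET-3), replace
$dentrixAppId = '00000000-0000-0000-0000-000000000000'   # placeholder app ID, replace

# 1. Define the office as a trusted IP-based named location
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Dental office egress'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $officeCidr }
    )
}

# 2. Block the Dentrix app from every location except that one.
#    Report-only first: review the sign-in log, add a break-glass account to
#    excludeUsers, then change state to 'enabled'.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Block Dentrix outside the office'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @() }
        applications = @{ includeApplications = @($dentrixAppId) }
        locations    = @{
            includeLocations = @('All')            # evaluate every sign-in location...
            excludeLocations = @($office.Id)       # ...except the office
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$policy | Select-Object Id, DisplayName, State
```

The same `includeLocations = All` / `excludeLocations = office` pattern applies to any other app that has been put behind Entra SSO; only `includeApplications` changes. Leave the policy in report-only mode until the sign-in log shows no unexpected blocks for legitimate office traffic.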
 
Thank you. This is great. Do you have any recommendations on getting up to speed on this stuff? (books, youtube, podcasts, etc.?)
 
https://learn.microsoft.com, honestly that's the best place.
MS-900 is an exam to start with, and it covers every topic of administration on M365 services, including licensing.
MS-100 follows

There are a ton more, and I'm not suggesting you take the tests if you do not want to. But reviewing the preparation materials for the tests will help you ask the correct questions.

The licensing... honestly... You just have to survive it long enough to get it drilled into your head. There are thousands of SKUs and each has its own purpose. I'm still working on a common list of personas for my own organization; this is a specific space that, for some reason beyond my own understanding, I'm good at. All I can provide here is a surface to answer questions. I'm still trying to figure out how to communicate exactly what you're asking for to my own team.
 
Don't forget that in addition to everything else, computer logs must be kept for 6 years in most cases. This is non-trivial to accomplish, requires advance planning, onsite & offsite storage, third party software, etc.
 
This is why we push Dentists to M365 Business Premium across the board, and then pair that up with what we call "MDR". That is an SMB focused and stripped down service that implements Azure Sentinel, and enrolls all devices. The required logs are sucked into the SIEM, and the SIEM has the 7 year retention set.
 
Will the Entra SSO apply to on-premises Eaglesoft?
 
According to Patterson’s own documentation (https://pattersonsupport.custhelp.c...soft-on-a-domain-network-or-domain-controller), it doesn’t support installation on a domain controller (GOOD!), but it lacks proper Active Directory integration. Which means you can also forget about using Entra ID for identity management.

Because Eaglesoft isn’t an HTTPS-based web application, you can’t leverage Entra App Proxy to expose it securely. The only viable path to cloud-enabling this mess is through Azure Virtual Desktop or another VDI solution which means spinning up costly infrastructure just to keep it functional.

If you're forced to support Eaglesoft, migrating a dental practice to the cloud becomes a convoluted process:
  • You’ll need on-premises Active Directory to manage local devices. (Could be Azure hosted)
  • You'll need a separate VM or server to run Eaglesoft itself. (Needs to be close to the client installations)
    • This VM will need to be encrypted!
    • Encrypted storage isn't good enough, the VM itself must manage the encryption of the media. (Per our compliance people)
  • Entra Connect to sync identities and devices to Entra ID.
  • A hybrid management setup using both Intune and Group Policy.
  • Only then can you deploy Defender for Endpoint and tap into Microsoft 365’s security stack.
All of this just to support an app that should’ve been refactored years ago. Eaglesoft is a technical deadweight: it demands expensive infrastructure, complicates cloud adoption, and offers no modern integration path. If you're serious about building secure, scalable environments, this is the kind of software you leave behind.

All of this is triple true for small businesses that lack the technical budget to operate all of the above. I can support Eaglesoft, I can even make it "cloud ready", but it costs a mint to do it. This is the kind of app that leaves organizations permanently at risk of crypto assault, and represents huge data exfiltration risks. There's no way I can see to easily mitigate these risks either.

The app requiring the use of local admin rights for every user to support updates to the endpoints is just icing on the risk cake. This thing needs to die in a fire!
 
So, the Doctor is "cloud adverse" and would like to keep everything local. The office does have an on-premise Windows server, but it is just used for hosting Eaglesoft. No Active Directory or any other services being used.

Since Eaglesoft doesn't work with Entra anyway and no one has M365 accounts, does it make sense just to skip all the cloud-based services and set up Active Directory on the on-prem server to try and tighten things up?
 
Only if you want to sink the ship.

That monster is MSSQL based, and you do NOT change the foundational identity from under an active MSSQL installation. That is, unless you want to murder it and have to find yourself more work.

The doctor being "cloud adverse" also means "security adverse" and he will get nuked, and he will try to sue you. That's your signal to run I'm afraid. There is no such thing as secure, on-premises technology that's still capable of accessing the Internet.
 
What do you expect to happen? MSSQL isn't black magic. Since it will currently be using SQL auth, I wouldn't expect much to happen from domain-joining the system it is on. If you switch to using Windows Auth afterwards, there would be some more work.
 
The services that support SQL all lose their identities. The services that access SQL, if using Windows auth... the same. No one should be using SQL auth anymore, and if you are... congrats you're part of the problem.

Fixing this disaster means reinstalling the platform in most cases.
 
If they are not on a domain, then they will be using SQL auth. The only way I can think of domain-joining mattering in that situation is if you had made the SQL services run on local Windows identities so you could do the whole "same username and password on two systems" thing so that SQL could use SMB to back up to another computer. But that would be insane. In all likelihood, they should be able to domain-join the machine, and then transition to using Windows Auth separately.

And reality check, there's probably going to be a lot of SQL auth still out there, simply because sometimes Kerberos is not easily supported. For our Kubernetes workloads we had to create a sidecar for our services that grabs the password for an actual AD user account, converts that to a ktab and gets a ticket for the application to use. I can guarantee that not everyone is doing that and will just opt into using SQL auth. And the new Entra ID auth? Not supported on MS SQL running on Windows failover clusters, so it's a no-go for us.
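The last few posts disagree about what a domain join does to an existing SQL Server installation: whether the services run under local machine accounts (which a domain join disturbs) and whether the logins are SQL auth or Windows auth. That is something you can check before touching the box. The following is an added example (the editor's, not from any poster) that inventories the instance's authentication mode, service accounts, logins and live sessions using the SqlServer PowerShell module. The instance name is a placeholder; it assumes SqlServer module 22 or later (for `-TrustServerCertificate`) and a Windows login holding VIEW SERVER STATE.

```powershell
# Added example, not from the thread: audit how a SQL Server instance and its
# services authenticate before domain-joining the host.
# Assumptions: SqlServer module 22+, placeholder instance name, VIEW SERVER STATE.
Import-Module SqlServer

function Get-SqlAuthPosture {
    param([string]$ServerInstance = 'EAGLESOFT-SRV')   # placeholder, replace

    # Small helper so every query hits the same instance with the same options
    $run = { param($q) Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $q -TrustServerCertificate }

    # IsIntegratedSecurityOnly: 1 = Windows authentication only, 0 = mixed mode.
    # MachineName lets us recognise local (non-domain) accounts on the SQL host itself.
    $props = & $run @"
SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsOnly,
       CAST(SERVERPROPERTY('MachineName') AS sysname)          AS MachineName;
"@

    # Service accounts: 'NT Service\...' virtual accounts and DOMAIN\ accounts survive
    # a domain join; '.\name' or 'MACHINE\name' local accounts are the ones that break.
    $services = & $run "SELECT servicename, service_account, status_desc FROM sys.dm_server_services;"

    # Every login, classified by how it authenticates
    $logins = & $run @"
SELECT name,
       CASE type WHEN 'S' THEN 'SQL auth'
                 WHEN 'U' THEN 'Windows user'
                 WHEN 'G' THEN 'Windows group'
                 ELSE type_desc END AS auth_kind,
       is_disabled
FROM sys.server_principals
WHERE type IN ('S','U','G') AND name NOT LIKE '##%'   -- skip internal logins
ORDER BY auth_kind, name;
"@

    # Live user sessions: a SQL-auth session carries no Windows identity
    $sessions = & $run @"
SELECT login_name, program_name, host_name,
       CASE WHEN nt_user_name IS NULL THEN 'SQL auth' ELSE 'Windows auth' END AS auth_kind
FROM sys.dm_exec_sessions
WHERE is_user_process = 1;
"@

    $localPattern = '^(\.|' + [regex]::Escape($props.MachineName) + ')\\'

    [pscustomobject]@{
        WindowsAuthOnly      = [bool]$props.WindowsOnly
        LocalServiceAccounts = @($services | Where-Object { $_.service_account -match $localPattern })
        SqlAuthLogins        = @($logins   | Where-Object { $_.auth_kind -eq 'SQL auth' -and -not $_.is_disabled })
        SqlAuthSessions      = @($sessions | Where-Object { $_.auth_kind -eq 'SQL auth' })
        AllLogins            = $logins
    }
}

$posture = Get-SqlAuthPosture
"Windows-auth only: $($posture.WindowsAuthOnly)"
"Services on local machine accounts (will need attention before/after a domain join):"
$posture.LocalServiceAccounts | Format-Table servicename, service_account -AutoSize
"Enabled SQL-auth logins (candidates to migrate to Windows auth):"
$posture.SqlAuthLogins | Format-Table name -AutoSize
"Applications currently connecting with SQL auth:"
$posture.SqlAuthSessions | Format-Table login_name, program_name, host_name -AutoSize
```

If `LocalServiceAccounts` comes back empty and the application connects with a SQL login, the domain join itself is unlikely to affect the instance, which is the scenario the last post describes; the SQL-auth sessions list then tells you which client installs and service accounts have to change when you later move to Windows authentication and finally flip the server to Windows-only mode.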
 