This is a sample snapshot with redacted data. Real snapshots contain your actual domain findings.

PRACTICESHIELD SECURITY SNAPSHOT

Riverside Family Dental

riversidefamilydental.com · Scan date: April 2026

Risk Level
Critical

This scan identified 5 security findings across your external infrastructure — 2 critical, 2 high, and 1 medium severity. The most urgent issue is confirmed credential exposure in breach databases combined with an open remote access port. Together these create a high risk of ransomware if not addressed. A remediation checklist is included at the end of this snapshot.

Findings by severity: 2 Critical · 2 High · 1 Medium · 0 Low

Findings

Critical: Staff credentials confirmed in breach database

info@[practice].com was found in 2 known breach databases (Collection #1, LinkedIn 2021). Attackers with access to these lists can attempt credential-stuffing against your email, patient portal, and billing systems.

Fix: Force a password reset for all staff. Enable multi-factor authentication on email and any patient-facing portals immediately.

Critical: Port 3389 (RDP) open and publicly accessible

Remote Desktop Protocol is reachable from the public internet on your practice IP. This is one of the most common ransomware entry points. Attackers actively scan for open RDP and brute-force credentials.

Fix: Close port 3389 at the firewall immediately unless remote access is required. If needed, restrict to specific IPs only and enable Network Level Authentication.

High: SPF record misconfigured — domain spoofing risk

Your domain's SPF record uses ~all (soft fail) instead of -all (hard fail). This allows anyone to send email appearing to come from your practice domain. Patients and vendors can receive spoofed emails that look like they're from you.

Fix: Update your DNS SPF record to end with -all. Add a DMARC record with p=quarantine or p=reject. Your IT provider or domain registrar can make this change.

High: TLS 1.0 and 1.1 enabled on web server

Your practice website supports deprecated encryption protocols. HIPAA requires the use of current, supported encryption standards. TLS 1.0/1.1 have known vulnerabilities that can allow traffic interception.

Fix: Disable TLS 1.0 and 1.1 on your web server. Enable TLS 1.2 minimum, TLS 1.3 preferred. This is typically a one-line configuration change for your hosting provider.

Medium: No DMARC record found

Without a DMARC policy, you have no visibility into who is sending email using your domain, and no mechanism to reject spoofed emails. Combined with the SPF issue above, your domain is actively spoofable.

Fix: Add a DMARC TXT record to your DNS. Start with p=none to monitor, then move to p=quarantine or p=reject after review.
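The two email findings above (SPF soft fail and missing DMARC) can be checked from the domain's TXT records. The following is an added example, not part of this snapshot or PracticeShield's tooling; it uses constructed sample records so it runs offline, and the domain `fixed.example` and its DMARC reporting address are placeholders showing what a remediated configuration looks like.

```python
"""Flag the SPF and DMARC weaknesses described in the snapshot.

In practice the records come from DNS TXT lookups of <domain> and
_dmarc.<domain>; here they are constructed inline (not real DNS data).
"""
import re

# Constructed sample TXT records: the snapshot's weak state and a fixed state.
SAMPLE_TXT = {
    "riversidefamilydental.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.riversidefamilydental.com": [],  # no DMARC record published
    "fixed.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.fixed.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@fixed.example"],
}


def spf_all_qualifier(records):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+') or None."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf[0], re.I)
    if not m:
        return None
    return m.group(1) or "+"  # a bare 'all' means pass (+all)


def dmarc_policy(records):
    """Return the DMARC 'p=' policy (none/quarantine/reject) or None if absent."""
    rec = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not rec:
        return None
    tags = dict(t.strip().split("=", 1) for t in rec[0].split(";") if "=" in t)
    return tags.get("p", "").strip().lower() or None


def assess_domain(domain, txt=SAMPLE_TXT):
    """Return (severity, description) findings using the snapshot's severity scale."""
    findings = []
    q = spf_all_qualifier(txt.get(domain, []))
    if q is None:
        findings.append(("high", "no SPF record"))
    elif q != "-":
        findings.append(("high", f"SPF ends with {q}all, not -all"))
    p = dmarc_policy(txt.get("_dmarc." + domain, []))
    if p is None:
        findings.append(("medium", "no DMARC record"))
    elif p == "none":
        findings.append(("medium", "DMARC p=none only monitors; move to quarantine/reject"))
    return findings


if __name__ == "__main__":
    for d in ("riversidefamilydental.com", "fixed.example"):
        print(d, assess_domain(d))
```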

HIPAA Compliance Notes

  • TLS 1.0/1.1 violates HIPAA Security Rule § 164.312(e)(2)(ii) — addressable encryption standard requirement.
  • Open RDP without access controls violates § 164.312(a)(1) — access control standard.
  • No DMARC policy increases risk of phishing attacks targeting patients — addressable under § 164.308(a)(5).

Ready to see your actual snapshot?

This sample used generic data. Your snapshot will show your real domain, your real findings, and a remediation checklist specific to your practice.

Get My Security Snapshot — $199

Money-back guarantee · Delivered in 24 hours