Offering patients Wi-Fi in the waiting room is a nice touch. But if that network is the same one your Dentrix server, imaging workstations, and staff computers sit on, you have a significant security and compliance problem.
What Is a VLAN and Why Does It Matter?
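A VLAN (Virtual Local Area Network) is a way to segment your network at the infrastructure level, so that devices on one segment cannot communicate directly with devices on another, even if they're connected to the same physical switch or access point. Traffic between segments has to pass through a router or firewall, and that is where you decide what, if anything, is allowed to cross.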
In a dental office context, this means your guest Wi-Fi traffic is completely isolated from your clinical network. A patient watching YouTube in the waiting room is on an entirely separate logical network from your Dentrix server, imaging workstations, and staff computers.
Without this separation, any device on your guest network can potentially communicate with every other device on your network — including servers that hold protected health information (PHI).
What a Flat Network Looks Like (and Why It's Risky)
Many dental offices were set up with a single network: one router, one Wi-Fi password, everything connected together. Staff devices, clinical workstations, the Dentrix server, the Dexis sensor controller, and the patient waiting room all on one flat network.
This is sometimes called a "flat" network because there's no segmentation — it's all one layer. The risks are real:
- A patient with a compromised device can probe your internal network. This isn't theoretical — many consumer malware programs automatically scan connected networks for exploitable systems.
- A malicious actor who connects to your guest Wi-Fi has the same network access as your clinical workstations. If your Dentrix server has any unpatched vulnerabilities, it's exposed.
- It's a HIPAA risk. HIPAA requires that access to systems containing PHI be controlled and restricted. A network where any guest with the Wi-Fi password can potentially reach your patient database does not meet that standard.
- It creates a PCI scope problem. If any payment processing runs over your network, having untrusted devices on the same segment complicates your PCI-DSS compliance significantly.
The Right Architecture for a Dental Office
At minimum, a properly segmented dental office network should have:
- Clinical VLAN: Practice management server (Dentrix, Eaglesoft, etc.), imaging workstations, CBCT and panoramic systems, treatment room computers. Firewalled from everything else.
- Staff VLAN: Non-clinical staff devices, phones (unless VoIP is on its own segment), admin workstations. Limited access to clinical systems based on role.
- Guest VLAN: Waiting room Wi-Fi and any patient-facing devices. Internet access only — no ability to reach clinical or staff segments at all.
- IoT/Device VLAN (optional but recommended): Smart TVs, thermostats, digital signage, networked printers. These devices often have poor security and don't need access to your clinical infrastructure.
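The segment rules listed above can be checked against a firewall ruleset before it goes live. The following is an added example, not part of the original article or any vendor's configuration format: it assumes a first-match firewall with an implicit final deny, and the subnets, the server address, and both rulesets are constructed for illustration.

```python
import ipaddress

net = ipaddress.ip_network
# Constructed addressing plan (assumption): one /24 per VLAN named in the list above.
VLANS = {"clinical": net("10.10.10.0/24"), "staff": net("10.10.20.0/24"),
         "guest": net("10.10.30.0/24"), "iot": net("10.10.40.0/24")}
ANY = net("0.0.0.0/0")

# Flows the design rules out: guest is internet-only, IoT stays off clinical.
FORBIDDEN = [("guest", "clinical"), ("guest", "staff"), ("guest", "iot"),
             ("iot", "clinical")]

def first_allow(rules, src, dst):
    """Index of the first rule that permits some src->dst traffic, else None.

    Rules are (action, source_net, dest_net), evaluated top-down, first match
    wins, with an implicit deny at the end (assumed firewall model).
    """
    for i, (action, r_src, r_dst) in enumerate(rules):
        if not (r_src.overlaps(src) and r_dst.overlaps(dst)):
            continue                  # rule can never match this flow
        if action == "allow":
            return i                  # at least part of the flow is permitted
        if src.subnet_of(r_src) and dst.subnet_of(r_dst):
            return None               # deny covers the whole flow; later rules are moot
        # partial deny: keep looking, a later allow may match the remainder
    return None

def audit(rules):
    """(src_vlan, dst_vlan, rule_index) for every forbidden flow the ruleset permits."""
    hits = ((s, d, first_allow(rules, VLANS[s], VLANS[d])) for s, d in FORBIDDEN)
    return [h for h in hits if h[2] is not None]

# Weak: one "LAN to anywhere" allow, the effective policy of a flat network.
FLAT = [("allow", net("10.10.0.0/16"), ANY)]

# Segmented: deny guest and IoT toward internal ranges first, then allow internet.
# Staff may reach one clinical host (practice management server, constructed IP).
SEGMENTED = [
    ("deny",  VLANS["guest"], net("10.0.0.0/8")),
    ("allow", VLANS["guest"], ANY),
    ("deny",  VLANS["iot"],   VLANS["clinical"]),
    ("allow", VLANS["iot"],   ANY),
    ("allow", VLANS["staff"], net("10.10.10.5/32")),
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, audit(rules) or "no forbidden flows permitted")
```

Rule order matters in this model: placing the guest internet allow above the guest deny reopens every guest-to-internal flow, and the audit reports it against rule index 0.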
What This Requires in Practice
Proper VLAN segmentation requires managed network hardware: a managed switch and a firewall or router that supports VLAN tagging, from a vendor such as Cisco, Ubiquiti, or Fortinet. Consumer-grade equipment from a big-box store typically does not support VLANs.
If your practice is running on consumer-grade networking equipment, VLAN segmentation isn't possible until that hardware is replaced. This is one of the first things we assess when evaluating a new client's infrastructure.
The good news: for most dental practices, a properly designed network with managed hardware is a one-time investment that provides years of improved security and easier management. It also makes it significantly easier to demonstrate HIPAA compliance if you're ever audited.
How to Tell If You Have This Problem
A quick check: connect a personal phone to your "guest" Wi-Fi and try to access your internal network resources. If you can reach shared drives, printers on your clinical network, or internal IP addresses, your network is flat and guest traffic is not properly isolated.
A more thorough assessment requires reviewing your router/firewall configuration, switch VLAN assignments, and wireless access point settings — which is something we do as part of every network assessment for Colorado Front Range dental practices.
Not sure if your network is properly segmented? We'll assess your current setup and tell you exactly where you stand — no jargon, no sales pitch.