Starting point: 42% compliance score, no encryption, shared passwords, no incident plan.
End result: 87% compliance score in 30 days with minimal disruption to patient care.
Cost: S$15,200/year after PSG grant. Less than one ransomware attack would cost.
*Clinic name changed to protect privacy. Details represent actual engagement patterns.*
---
The Practice: XYZ Dental
| Attribute | Detail |
| --- | --- |
| Location | Central Singapore |
| Staff | 3 dentists, 5 assistants, 2 admin |
| Starting compliance score | 42/100 |
Like many established practices, XYZ Dental's technology had grown organically—functional but never audited for security. Think of it like a clinic that's been operating for years but never had a full compliance review of their sterilisation procedures.
---
The Wake-Up Call
Dr. Lim, the practice owner, attended a dental association seminar on HIB compliance. What he learned disturbed him:
What He Discovered
Critical gaps found:
- Patient records on aging server with no encryption
- Backups manual and inconsistent (sometimes weeks between)
- All staff using shared login credentials
- No incident response plan
- Minimal audit logging—couldn't track who accessed what
With HIB enforcement approaching, Dr. Lim needed to act fast—but couldn't shut down for weeks to fix everything.
---
Week 1: Discovery
Our Assessment Process
| Area assessed | Method |
| --- | --- |
| Technical infrastructure | System scans, configuration review |
| Policies & procedures | Document review, gap analysis |
| Staff practices | Interviews, observation |
| Data flows | Mapping where patient data lives and moves |
| Risk assessment | Threat modelling, vulnerability prioritisation |
The Findings
Critical (Must Fix Immediately):
- Server vulnerable to ransomware (no endpoint protection)
- Backups on same network as primary data (ransomware encrypts both)
- No multi-factor authentication
- All staff could access all patient data (no role-based restrictions)
Moderate (Fix Soon):
- Outdated software on workstations
- No formal access control policy
- Incomplete audit logging
- Security training last done: never
Minor (Address When Possible):
- Password policy not enforced
- Screen timeout set to 30 minutes (should be 5)
- Some paper records on open shelves
Starting Score: 42/100
Passing threshold for HIB compliance: 80/100
Gap to close: 38 points in 30 days
---
Week 1-2: Planning
Prioritisation Logic
Our approach: Fix the highest-risk items first. If a ransomware attack hit during our work, we wanted critical defences in place.
| Priority | Controls | Timeline |
| --- | --- | --- |
| Immediate | Endpoint protection, backups, MFA, logging | Week 1-2 |
| Short-term | Access controls, network segmentation, updates, training | Week 2-3 |
| Ongoing | Policies, incident plan, monitoring, validation | Week 3-4 |
Resource Reality
| Resource | Commitment |
| --- | --- |
| Dr. Lim's time | 3 hours total (kick-off, mid-point check, final review) |
| Staff time | 2 hours (training session) |
| Downtime | Less than 2 hours total (after-hours work) |
| Budget | S$4,000 setup + S$2,200/month |
| After PSG | S$2,000 setup + S$1,100/month |
---
Week 2: Foundation Work
Monday-Tuesday: Endpoint Protection
- Deployed enterprise-grade antivirus/anti-malware on all 12 devices
- Configured real-time threat monitoring
- Updated all operating systems and software patches
Wednesday-Thursday: Backup Overhaul
The 3-2-1 implementation:
- 3 copies: Server, local backup, cloud backup
- 2 media types: Physical drive + cloud storage
- 1 offsite: Cloud backup isolated from clinic network
- Implemented automated daily cloud backups
- Tested restoration (successfully recovered test files)
- Encrypted local backup copies
Friday: Access Security
- Enabled MFA for all user accounts
- Created individual accounts (eliminated shared logins)
- Configured comprehensive audit logging
---
Week 3: Access & Network
Monday-Tuesday: Role-Based Access
| Role | Access granted |
| --- | --- |
| Dentists | Full clinical records |
| Dental assistants | Clinical records for assigned patients |
| Admin staff | Scheduling, billing—no clinical notes |
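As an added illustration (not Synexo's or the clinic's code) of how the role table above can be enforced and audited in software, the following Python models the three roles, the "assigned patients" restriction for assistants, and an audit trail that answers "who accessed what". Role names, usernames, patient IDs and record types are constructed for the example.

```python
"""Role-based access check with an audit trail (added example, not Synexo's code).

Dentists see all clinical records, assistants only records of patients
assigned to them, admin staff see scheduling and billing but never clinical
notes. Every decision, allowed or denied, is appended to an audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Record types a role may touch. Labels are hypothetical, not a real system's.
ROLE_PERMISSIONS = {
    "dentist": {"clinical_record", "scheduling", "billing"},
    "assistant": {"clinical_record", "scheduling"},
    "admin": {"scheduling", "billing"},
}


@dataclass
class User:
    username: str
    role: str
    assigned_patients: frozenset = frozenset()  # only meaningful for assistants


@dataclass
class Clinic:
    audit_log: list = field(default_factory=list)

    def authorize(self, user: User, record_type: str, patient_id: str) -> bool:
        """Return True if access is allowed; always write an audit entry."""
        allowed = record_type in ROLE_PERMISSIONS.get(user.role, set())
        # Assistants are further limited to the patients assigned to them.
        if allowed and user.role == "assistant" and record_type == "clinical_record":
            allowed = patient_id in user.assigned_patients
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.username,
            "role": user.role,
            "record_type": record_type,
            "patient": patient_id,
            "result": "ALLOW" if allowed else "DENY",
        })
        return allowed

    def who_accessed(self, patient_id: str) -> list:
        """Audit query: users who successfully accessed this patient's data."""
        return [e["user"] for e in self.audit_log
                if e["patient"] == patient_id and e["result"] == "ALLOW"]
```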
Wednesday-Thursday: Network Segmentation
- Clinical systems isolated from guest Wi-Fi
- Firewall rules preventing lateral movement
- Staff personal devices on separate network
Friday: Staff Training
2-hour session covering:
- Why these changes matter (HIB requirements)
- New login procedures (individual accounts, MFA)
- Recognising phishing attempts
- What to do if something seems wrong
- Quick reference guides distributed
---
Week 4: Documentation & Validation
Monday-Tuesday: Policy Creation
- Data protection policy
- Information security policy
- Acceptable use policy
- Incident response plan
Wednesday-Thursday: Testing
The real test: We ran a simulated incident response exercise. Could the team notify MOH within 2 hours? Answer: Yes.
- Tabletop exercise for breach scenario
- Validated all technical controls
- Tested backup restoration again
Friday: Final Assessment
New Score: 87/100
---
The Results
Compliance Transformation
| Area | Before | After | Change |
| --- | --- | --- | --- |
| Overall score | 42% | 87% | +45 points |
| Access controls | 30% | 95% | +65 points |
| Data protection | 45% | 90% | +45 points |
| Incident response | 20% | 85% | +65 points |
| Documentation | 35% | 85% | +50 points |
What Changed Technically
- Endpoint protection on all 12 devices
- Automated daily backups with tested monthly restoration
- MFA on all accounts
- Role-based access limiting who sees what
- 24/7 monitoring detecting threats in real-time
- Network segmentation containing potential breaches
What Changed Operationally
- Backup restoration: 3x faster
- Staff training: 100% completed
- Incident response: Clear procedures documented
- Audit capability: Can answer "who accessed what" instantly
---
The Investment
| Item | Full Cost | After PSG (50%) |
| --- | --- | --- |
| One-time setup | S$4,000 | S$2,000 |
| Monthly service | S$2,200 | S$1,100 |
| First year total | S$30,400 | S$15,200 |
ROI Perspective:
- Average ransomware attack cost: S$100,000+
- Annual protection cost: S$15,200
One prevented attack pays for 6+ years of service.
---
Lessons Learned
What Worked
| Practice | Outcome |
| --- | --- |
| Clear communication | Staff understood the "why," not just the "what" |
| After-hours work | Zero disruption to patient care |
| Phased approach | Manageable changes, not overwhelming overhaul |
| Quick wins first | Early improvements built momentum and confidence |
What We'd Do Differently
Dr. Lim's advice to other clinic owners:
"Start earlier. We got it done in 30 days, but it was tight. With 2-3 months, we could have been more thorough and less stressed. Don't wait until you're worried—by then you're already behind."
---
Dr. Lim's Experience
> "Before this, I was constantly worried about compliance and security. I knew we had problems but had no idea where to start or what to prioritise.
>
> The Synexo team made it seamless. I spent maybe 3 hours total on this—everything else happened in the background. The staff training was practical, not theoretical, and my team actually understood it.
>
> Now I have one less thing keeping me up at night. I can focus on what I actually trained to do: taking care of my patients."
---
Is This Achievable for Your Clinic?
If you have:
- Willingness to make changes
- Budget of S$15,000-25,000/year (after PSG)
- 30 days of lead time
- A few hours for your personal involvement
Then yes, this is achievable for you.
---
*Curious where your practice stands? Our free assessment takes 30 minutes and gives you a clear compliance score—just like the 42% we found at XYZ Dental. Book your assessment and see your starting point.*