12 Questions to Ask a Dental MSP Before Signing a Contract

Most people evaluate IT providers the way they evaluate any professional service: a demo, a proposal, maybe a reference or two, then a gut check. That process is fine for choosing a coffee vendor. For choosing the company that will be responsible for your patient data, your HIPAA compliance, and your practice's uptime, you need to be more deliberate.

These twelve questions cut through the marketing and tell you what you actually need to know. For each one, there's a clear answer that inspires confidence and a response pattern that should give you pause. You don't need to ask them all in one conversation — spread them across the evaluation process as naturally as the opportunity allows.

Important: These aren't trick questions. A provider who has been doing this work competently in dental IT should be able to answer every single one of them without hesitation. The ones that cause fumbling or deflection are the ones that matter most.

Question 1: "Do you have dental practices as current clients, and can I speak with three of them?"

A good answer: "Yes — here are three practices of similar size to yours. Two have been clients for more than five years. I'd suggest calling [name] at [practice] specifically; they went through a server migration with us last year and can speak to how we handled it." They produce the references within 48 hours.

A bad answer: "We work with healthcare clients broadly." Or they offer one reference and it's the practice owner's personal contact. Or references aren't available for two weeks.

Why it matters: Dental IT is a specialty. The software, the imaging infrastructure, the HIPAA obligations, and the clinical workflow sensitivities are not the same as general small-business IT. A provider who hasn't done this work repeatedly in dental doesn't know what they don't know — and that gap tends to show up at the worst possible times. The references aren't just validation; the quality of the reference conversation will tell you how this provider handles real problems.

Question 2: "What EDR and SIEM do you use, and who reviews alerts at 2am on Saturday?"

A good answer: "We deploy [specific EDR product, e.g., Huntress] on every workstation and server, and endpoint, firewall and Microsoft 365 sign-in logs are forwarded to [named SIEM or log platform] with [X] days of retention. Alerts are reviewed 24/7 by [named SOC provider or internal team]. For critical alerts after hours, the on-call tech receives a page and is expected to respond within 15 minutes. Here's how our escalation path works." They can name both products and the coverage model without checking notes.

A bad answer: "We use enterprise-grade antivirus and next-generation firewall protection." Or "we have a security tool that handles that." Or a SIEM that collects logs nobody reads. Or any answer that doesn't name a specific EDR product and describe who monitors it after hours.

Why it matters: Ransomware operators routinely time the encryption stage for nights, weekends and holidays, when the people who would notice and respond are slowest to react. If nobody is watching at 2am on Saturday, that is exactly when an attacker will move. Antivirus is not EDR: signature antivirus blocks known malware, while EDR records process, network and credential activity on the endpoint, flags behavior such as mass file encryption or shadow-copy deletion, and lets a responder isolate the host remotely. "Enterprise antivirus" is not a substitute for that, and a tool nobody watches overnight is not 24/7 coverage. If they can't name the product and describe the coverage model, they don't have it. A useful follow-up: ask to see a redacted alert from the past month and what the SOC did about it.

Question 3: "Show me your standard BAA — who at your company signs it?"

A good answer: They produce a BAA within 24 hours. It covers breach notification obligations, data handling requirements, sub-contractor obligations, and has a named officer (typically the owner or compliance officer) as the signatory. They can explain what the key provisions mean.

A bad answer: "We'll get that to you during onboarding." A one-paragraph document that doesn't address breach notification. Resistance to signing one at all — "we don't really touch patient data directly." A BAA signed by a junior employee with no stated authority.

Why it matters: Under HIPAA, a vendor that creates, receives, maintains or transmits PHI on your behalf is a Business Associate, and a vendor holding administrative credentials to the systems where PHI lives, plus copies of your backups, has that access whether or not anyone on their staff ever opens a chart. Your IT provider touches those systems every time they remote in. Without a properly executed BAA, your practice is in violation whether or not a breach ever happens, and if one does and you cannot produce the agreement, your civil monetary penalty exposure increases significantly. The quality of the BAA also tells you how seriously they take compliance. A boilerplate one-pager suggests they don't.

Question 4: "What's your documented incident response plan for ransomware?"

A good answer: They describe a specific, step-by-step process: detection and alert; isolation of affected systems (network containment rather than powering off, so memory and logs survive for forensics); internal escalation and, if warranted, third-party forensics; notification to your cyber insurance carrier (many policies require notice before outside responders are engaged); rotation of every credential the attacker could have reached, including the provider's own remote-access accounts; breach analysis to determine whether PHI was accessed or exfiltrated; and documentation for potential OCR reporting. They can tell you who owns each step. Bonus if they mention running tabletop exercises with clients.

A bad answer: "We'd isolate the affected machines and restore from backup." This is a recovery description, not an incident response plan. Any answer that doesn't address notification obligations, forensic analysis, or PHI exposure assessment is incomplete.

Why it matters: Restoring systems is one part of the response. HIPAA requires you to determine whether PHI was accessed or exfiltrated, not just encrypted, and OCR's ransomware guidance treats encryption of ePHI as a presumed breach unless a documented risk assessment shows a low probability that the data was compromised. A reportable breach means notifying affected patients without unreasonable delay and no later than 60 days after discovery, and reporting to OCR (within that same 60 days if 500 or more individuals are affected, otherwise in the annual log). A provider who hasn't thought through this entire chain will leave you exposed on the compliance side even after the technical issue is resolved.

Question 5: "How often do you do penetration testing on your own systems?"

A good answer: "We conduct annual penetration testing with [named firm or process] on our own infrastructure and our remote access systems. Here's our most recent summary report." Or: "We have continuous vulnerability scanning plus annual pentesting — here's our methodology."

A bad answer: "We're very secure, we haven't had any issues." Vulnerability scanning offered as if it were penetration testing (a scan lists known weaknesses; a test tries to exploit them, including chained and logic flaws a scanner cannot find). Confusion about what penetration testing is. Any answer that suggests they haven't thought about their own attack surface.

Why it matters: Your MSP has privileged access to your network: they remote into your systems, they hold your credentials, and they manage your firewalls. Their remote monitoring and management (RMM) platform is effectively one console with administrator rights on every client, and RMM platforms have been the entry point in more than one real MSP supply-chain ransomware campaign. If their own infrastructure is compromised, your practice is compromised by extension. An MSP that doesn't test their own security posture is a supply chain risk. Ask specifically whether the test scope covered their RMM and remote-access tooling, and whether every technician account on it requires MFA. This question filters out providers who haven't earned the access they're asking for.

Question 6: "What's your typical response time to a critical ticket after hours?"

A good answer: "Our SLA for critical tickets — defined as a complete practice outage or security incident — is a 15-minute acknowledgment and 30-minute engaged response, 24/7. We track compliance against that SLA monthly. I can share last quarter's metrics." They have a definition of "critical" that matches your expectations.

A bad answer: "We try to respond quickly." "Our business hours are 8–5 but we have an on-call number." Any answer that doesn't include a specific time commitment. Any answer where "critical" means "we'll get to it next business day."

Why it matters: Dental practices run Saturday hours. Servers fail Friday evenings. Ransomware launches Sunday mornings. A provider who can only respond Monday through Friday during business hours is not a managed service provider — they're a daytime helpdesk with an answering machine. The SLA commitment is meaningless without a track record to back it up; ask for the metrics.

Question 7: "Can you show me a sample HIPAA risk assessment you've produced for a client?"

A good answer: They produce a redacted sample risk assessment that is detailed, specific, and addresses all of the HIPAA Security Rule safeguard categories (administrative, physical, technical). It includes threat identification, likelihood and impact ratings, and remediation recommendations. It's clearly a real document, not a template with checkboxes.

A bad answer: "HIPAA risk assessments are your responsibility to manage, we just handle the technical side." A generic checklist that could apply to any small business. A document that hasn't been updated in three years. No sample available.

Why it matters: The Security Rule risk analysis is a legal requirement that sits with your practice as the covered entity, which is why "it's your responsibility" is technically true and practically a dodge: you own the obligation, but the provider that manages your environment is the one with the knowledge to identify your real vulnerabilities and the hands to fix them. A provider who produces rigorous risk assessments is doing the compliance work seriously. A provider who deflects is leaving you exposed and is probably not managing your environment with HIPAA compliance in mind.

Question 8: "Which dental PM platforms have you migrated between in the past year?"

A good answer: "We've done three Dentrix to Eaglesoft migrations, one Eaglesoft to Open Dental, and one Ascend implementation in the past 12 months. The Ascend migration was complex because the practice had legacy image data going back 15 years — here's how we handled that." Specific, recent, detailed.

A bad answer: "We support all major PM platforms." "We can handle whatever you need." Unable to name a specific migration they've done recently. "We'd coordinate with the vendor on that."

Why it matters: Practice management software migrations are high-stakes. Patient records, financial history, imaging links, scheduling data — all of it needs to come through cleanly. A provider who hasn't actually done this work recently will discover the edge cases on your data. And "coordinating with the vendor" means they're watching the vendor do the work, not driving it. You want a provider who has muscle memory on this.

Question 9: "What does your backup look like — product, frequency, retention, test schedule?"

A good answer: "We use [specific product]. Your database and configuration files are backed up every 4 hours to local storage, replicated off-site nightly, and we maintain 30-day retention. The off-site copy is immutable for the retention period and is managed with credentials separate from the ones we use for day-to-day administration, so a compromised technician account or domain admin can't delete it. Every backup job is verified automatically, so a failed job alerts the same day. We also run a documented restore test quarterly: the last one was [date], and we restored [X amount of data] successfully in [X minutes]. Here's the test log."

A bad answer: "We have a cloud backup solution that runs automatically." Inability to name the product. No documented restore testing. "We've never had to do a restore, so we know it works." (This is backwards logic — untested backups are not confirmed backups.)

Why it matters: Backup is not a checkbox; it's a recovery capability. The only thing that matters about a backup is whether you can restore from it, within an acceptable time window, when you actually need it. A backup that has never been tested is a backup that may not work. Frequency and retention set your exposure: a backup that runs nightly means you could lose an entire day of records, and retention shorter than the time an intruder can sit unnoticed in your network means every surviving copy may already contain the attacker's tools. Ransomware crews delete or encrypt backups before they touch production, so a copy that shares credentials or a network path with the systems it protects is not an independent copy. And a quarterly restore test on its own means a silently failing job can go 90 days before anyone notices. Treat the quarterly test as a floor and expect automated per-job verification alongside it: the archive is readable, its files checksum-match the source, and the newest copy is younger than the promised interval.
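One way to put the "frequency, retention, test schedule" answer to a mechanical check, as an added example (not the page's own tooling and not any backup product's): a small verifier that reads a backup catalog, confirms the newest copy is within the promised interval, looks for runs of jobs that silently never happened, confirms history reaches back the full retention window, and performs a restore test by extracting an archive into scratch space and comparing every file's SHA-256 against the live copy. Everything it checks is constructed inline (tar.gz archives in a temporary directory, random bytes standing in for the practice-management database, a 20-hour hole in the schedule, and one half-written archive); the archive naming scheme and the 4-hour / 30-day figures are assumptions lifted from the "good answer" above.

```python
"""Backup verifier: freshness, silent gaps, retention span and a checksum-verified
restore test. Added example on constructed tar.gz archives; not any MSP's tooling."""
import hashlib
import os
import tarfile
import tempfile
import zlib
from datetime import datetime, timedelta, timezone
from pathlib import Path

RPO = timedelta(hours=4)        # backup interval promised in the "good answer"
RETENTION = timedelta(days=30)  # retention window promised in the same answer
STAMP_FMT = "%Y%m%dT%H%M%S"     # assumed naming scheme: backup-<stamp>.tar.gz

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*") if p.is_file()}

def make_backup(source: Path, backup_dir: Path, stamp: datetime) -> Path:
    """Write a tar.gz of source; the archive name carries the backup time."""
    archive = backup_dir / f"backup-{stamp:{STAMP_FMT}}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=str(p.relative_to(source)))
    return archive

def catalog(backup_dir: Path) -> list:
    """Sorted (timestamp, path) pairs parsed from the archive names."""
    entries = []
    for p in backup_dir.glob("backup-*.tar.gz"):
        raw = p.name[len("backup-"):-len(".tar.gz")]
        entries.append((datetime.strptime(raw, STAMP_FMT).replace(tzinfo=timezone.utc), p))
    return sorted(entries)

def check_schedule(entries: list, now: datetime) -> dict:
    """Newest copy within RPO? Holes where jobs never ran? Full retention span?"""
    stamps = [s for s, _ in entries]
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    return {
        "fresh": bool(stamps) and now - stamps[-1] <= RPO,
        "max_gap": max(gaps) if gaps else None,
        "gap_ok": all(g <= RPO for g in gaps),
        "retention_ok": bool(stamps) and now - stamps[0] >= RETENTION,
    }

def restore_test(archive: Path, expected: dict) -> bool:
    """Extract into scratch space and hash-compare every file with the live copy."""
    try:
        with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
            # 'data' filter (3.12+, backported) rejects absolute and '..' members.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
            return snapshot(Path(scratch)) == expected
    except (tarfile.TarError, EOFError, OSError, zlib.error):
        return False  # truncated or unreadable archive: a failed restore

def run_demo() -> dict:
    """Constructed: 30 days of 4-hourly archives, a 20 h hole, one half-written file."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    latest = now - timedelta(hours=3)
    with tempfile.TemporaryDirectory() as tmp:
        live, backups = Path(tmp) / "live", Path(tmp) / "backups"
        (live / "pm").mkdir(parents=True)
        backups.mkdir()
        (live / "pm" / "practice.db").write_bytes(os.urandom(4096))  # stand-in PM database
        (live / "pm" / "server.ini").write_text("[db]\nport=5432\n")
        expected = snapshot(live)
        hole = latest - timedelta(days=10)
        for i in range(181):                           # every 4 h, 30 days back
            stamp = latest - i * RPO
            if hole - timedelta(hours=18) < stamp < hole:
                continue                               # four jobs silently never ran
            if i <= 1:
                make_backup(live, backups, stamp)       # real archives to restore from
            else:
                (backups / f"backup-{stamp:{STAMP_FMT}}.tar.gz").touch()  # name only
        entries = catalog(backups)
        newest, previous = entries[-1][1], entries[-2][1]
        # Leave 'previous' as a job killed mid-write would: half the bytes.
        previous.write_bytes(previous.read_bytes()[: previous.stat().st_size // 2])
        result = check_schedule(entries, now)
        result["restore_newest"] = restore_test(newest, expected)
        result["restore_previous"] = restore_test(previous, expected)
        return result

if __name__ == "__main__":
    print(run_demo())
```

Run as a script, the freshness and retention checks pass, the gap check fails on the 20-hour hole, the newest archive restores cleanly, and the half-written one is reported as a failed restore. That last pair is the point of the section: a catalog that looks full is not evidence that any particular archive can be restored, and a verifier like this is what turns "quarterly" into "every job".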

Question 10: "What's the termination clause in the contract, and what's the data transfer process?"

A good answer: "Our contract has a 30-day written notice termination clause. On your notice date, we begin preparing a full documentation package — network diagrams, credential inventories, configuration exports, and backup archives — which we deliver within 10 business days of termination. We don't hold data hostage; it's your data and you get it." They can point to this in the contract.

A bad answer: "We have a 2-year contract with early termination fees equal to the remaining balance." A vague or nonexistent data transfer process. "You'd need to contact our accounts team to discuss that." Any resistance to discussing termination before signing.

Why it matters: The exit clause tells you how confident a provider is in their service quality. A provider who demands a punishing lock-in knows that customers who experience the service might want to leave. A reasonable exit clause protects you if the relationship doesn't work out, and a clear data transfer process ensures you're not held hostage to your own infrastructure documentation. Check one more thing before signing: your domain registration, Microsoft 365 tenant, software licenses and backup accounts should be registered in the practice's name, with the practice holding its own administrator login, not in the provider's name. Assets the provider owns on your behalf are the ones that get messy on the way out.

Question 11: "What's NOT included in your flat monthly fee?"

A good answer: "Project work — anything that requires more than two hours of dedicated engineering time, like server replacements, location buildouts, or major software migrations — is billed at $[X]/hour or estimated as a fixed project fee. Hardware is not included but we can provide vendor pricing. Microsoft 365 licensing is a pass-through at Microsoft's rate. Everything else — helpdesk, monitoring, patching, security tooling, backup, documentation — is in the flat fee."

A bad answer: "Everything is included, it's truly unlimited." No clear answer. A list of exclusions that is vague or contradicts what was promised verbally. Defensive response to the question.

Why it matters: Every "unlimited" managed IT contract has exclusions. The question is whether they're disclosed upfront or discovered when you get a surprise invoice. Hardware replacement, major project work, and software licensing are the most common sources of unexpected bills. A provider who won't answer this question clearly is planning to answer it later on an invoice.

Question 12: "Can I see the resumes and certifications of the team that would actually support my practice?"

A good answer: "I can give you an overview of the team's certifications and experience — here's our technical team page, and I can provide LinkedIn profiles or certification records for the engineers assigned to your account. Our lead Dentrix engineer has 8 years of dental IT experience and holds [relevant certifications]."

A bad answer: "We have a highly qualified team." Inability to name the specific people or their credentials. A promise that "a senior engineer" will handle your account without being able to say who that is. Sharing credentials for people who aren't actually on your account team.

Why it matters: You're not buying a service from a logo — you're getting the specific humans who will answer the phone when your server is down. Those humans have varying levels of skill and dental industry experience. Knowing who they are, and verifying that their credentials match the service level being sold, is basic due diligence. A provider who resists this question is often trying to obscure that their advertised team and their actual delivery team are different.

How to Score the Conversation

This isn't a pass/fail test, but the pattern matters:

  • 10–12 clear, specific answers: This provider has done this work, has thought about these questions, and is confident in their answers. Proceed with contract review and reference calls.
  • 7–9 clear answers with a few fumbles: Worth exploring further. Follow up specifically on the questions they fumbled. A legitimate gap in experience on one or two questions is less concerning than vague deflection across multiple areas.
  • 6 or fewer clear answers, or fumbles on Questions 2, 3, 4, or 7: Walk away. Questions 2, 3, 4, and 7 cover the security, legal, incident response, and compliance foundations that a dental IT provider cannot deliver without. Deficiencies here are not fixable by the time you need them.

Important: A provider can be technically capable but a poor fit for your practice for other reasons — culture, communication style, geographic coverage, pricing model. The twelve questions above establish the floor. Everything above the floor is about fit.

Quick-Reference Checklist

Print this and bring it to your next provider evaluation conversation:

  1. Do you have dental practices as current clients, and can I speak with three of them?
  2. What EDR and SIEM do you use, and who reviews alerts at 2am on Saturday?
  3. Show me your standard BAA — who at your company signs it?
  4. What's your documented incident response plan for ransomware?
  5. How often do you do penetration testing on your own systems?
  6. What's your typical response time to a critical ticket after hours?
  7. Can you show me a sample HIPAA risk assessment you've produced for a client?
  8. Which dental PM platforms have you migrated between in the past year?
  9. What does your backup look like — product, frequency, retention, test schedule?
  10. What's the termination clause in the contract, and what's the data transfer process?
  11. What's NOT included in your flat monthly fee?
  12. Can I see the resumes and certifications of the team that would actually support my practice?

The takeaway: The right IT provider for a dental practice isn't necessarily the one with the most polished website or the lowest price. It's the one that can answer these twelve questions with specific, verifiable, confident answers — and then delivers on what they describe. The questions exist to help you find that provider before you sign, not after you've had a problem.