Let me be honest with you up front. Privileged access management, or PAM, is not the most thrilling thing we sell. It is a bit dry, and it does not have the easy familiarity of antivirus or the buzz of the newer EDR and MDR tools. But it quietly closes one of the biggest security holes in a typical dental practice, and it does so for a surprisingly small amount of money. So stay with me, because this dull-sounding product might be the most useful thing you read about this month.
PAM is niche. It does one particular job, and it does it really well. It is not a magic wand and it does not replace anything you already have. What it does is fix a problem that almost every practice has without realising it.
The hidden problem: everyone is an administrator
On a lot of networks, and dental ones especially, staff have historically been given local administrator rights on their computers. That means their everyday login can install software, change system settings, and do more or less anything to that machine.
How does this happen? Usually not maliciously. Sometimes it is simply how the machine was set up, and nobody ever changed it. Sometimes admin rights were handed out to fix one specific problem and never taken back. Very often it is because a third party, an imaging company or a practice software vendor, needed their program to run as an administrator, so whoever set it up just made everyone an admin to make the software work, and left it like that for convenience.
It is understandable. It is also a serious problem.
Why local admin rights are a gaping hole
When a user runs as a local administrator, so does anything that user runs, including anything nasty that slips in.
That is the part people miss. It is not only about whether your staff are trustworthy, and to be clear, this is not about distrusting your team. It is that any virus, spyware or malware that lands on that machine inherits those same administrator rights. With them, it can install itself properly, dig into the system, and in the worst cases introduce ransomware that spreads across the whole network and takes your data, your reputation and your money with it. Antivirus catches a lot, but it cannot catch everything, and admin rights make the things it misses far more damaging.
There is a second, more everyday side to it too. If everyone is an administrator, anyone can install anything. We have genuinely come across staff quietly installing remote access software so they could get onto practice PCs from home, or tools to copy data onto USB sticks, all without the practice owner having any idea. Usually it is well-meant convenience rather than anything sinister, but it is exactly the sort of thing that should never be possible on a machine holding patient data. This is the same class of avoidable weakness we wrote about in the security holes that cost nothing to fix.
What PAM actually does
Privileged access management closes all of this, and the clever part is that it does it without making everyone's day harder.
It removes standing local administrator rights from the everyday user, so neither staff nor stray malware can install or change things at will. Then it handles the genuine cases where admin really is needed:
- On-demand elevation. When a user or an app legitimately needs administrator rights for a moment, PAM sends a request to us, the IT team. We can approve it, refuse it, or look into why it is being asked for, all in a few seconds. The user is not left stuck, and you get a record of what was elevated and why.
- Permanent rules for awkward software. That old, legacy or poorly maintained program that insists on running as an administrator? We can write a specific rule that lets just that application run with the rights it needs, without opening up the rest of the machine. The software keeps working, the door stays shut.
- A proper audit trail. Because every elevation goes through the system, you get visibility of who needed what, which is exactly the kind of control a practice handling patient data should have.
The result is a machine where the normal user cannot do damage, malware cannot quietly help itself to admin rights, and the legitimate software still runs perfectly.
It works with your antivirus, not instead of it
This is important: PAM does not replace your antivirus or your other security tools. It sits alongside them and covers a gap they were never designed to fill. Antivirus tries to spot and stop bad things. PAM removes the power those bad things rely on in the first place. Together they are far stronger than either alone, which is the layered approach we always recommend and explain in our guide to cybersecurity for smaller businesses.
What we use, and what it costs
The PAM product we use and recommend is AutoElevate. It is well suited to practices, it is straightforward for our team to manage on your behalf, and relative to what it protects, the cost is genuinely small. For closing a hole this big, it is one of the best-value security improvements a practice can make.
If you are not sure whether your staff are running as local administrators right now, that alone is worth finding out, and it is usually an eye-opener. Get in touch and we will check how your machines are set up and talk you through whether PAM is right for your practice. No jargon, no scare tactics, just a straight answer.
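For anyone who wants to look for themselves first, here is one way to see who holds standing local administrator rights on a PC. This is an added example, not part of AutoElevate or any vendor tooling; it assumes a Windows workstation with Windows PowerShell 5.1 or later, and the function name and the NeedsReview column are made up for illustration.

```powershell
# Added example: list who holds standing local administrator rights on this PC.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

function Get-StandingLocalAdmin {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # so this works whatever the group is called in the local language.
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    } catch {
        # Get-LocalGroupMember is known to fail when the group holds orphaned SIDs
        # (for example accounts since deleted from the domain). Report and stop.
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        $sid = $m.SID.Value
        # Entries you would expect to find: the built-in Administrator account
        # (RID 500) and, on domain-joined PCs, Domain Admins (RID 512).
        $expected = $sid -match '^S-1-5-21-.*-(500|512)$'
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Name        = $m.Name
            Type        = $m.ObjectClass      # User or Group
            Source      = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
            Sid         = $sid
            NeedsReview = -not $expected      # hypothetical flag: anything else is worth a look
        }
    }
}

$report = Get-StandingLocalAdmin
$report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize

# A broad group inside Administrators, such as Authenticated Users (S-1-5-11)
# or Domain Users (RID 513), makes every member of staff an administrator.
$report | Where-Object { $_.Sid -eq 'S-1-5-11' -or $_.Sid -match '-513$' } |
    ForEach-Object { Write-Warning "$($_.Name) gives admin rights to all users on $($_.Computer)" }
```

Any everyday staff login that appears with NeedsReview set to True is the situation described above: whatever that person runs, wanted or not, runs with full control of the machine.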
And if you read all the way to here, on a topic this dry, then genuinely, well done. Your practice's security is in better hands for it.