Air-Gapped vs Immutable Backups

Are air-gapped and immutable backups the same thing?

No, but they aim at the same target. Both exist to keep at least one copy of your data somewhere ransomware cannot reach it. The difference is how they put that copy out of reach: an air-gapped backup is disconnected, while an immutable backup is online but unchangeable. Understanding that distinction matters because modern ransomware does not just encrypt your live practice management server. It actively searches the network for connected backups and encrypts or deletes those first, so that paying the ransom becomes your only option.

That tactic is exactly why so many recoveries fail. Across ransomware victims, only about 2% who paid the ransom actually recovered all their data , and healthcare is now a primary target, with ransomware against the sector up roughly 58% in 2025 and dental and secondary-care providers making up about 26% of incidents (Comparitech 2025-26). A backup that was sitting on the same network as the infected server is, in practice, no backup at all.

What is an air-gapped backup?

An air-gapped backup is a copy stored on media that is physically or logically isolated from your production network. The classic example is a tape or external drive that gets written, then unplugged and locked away. Because the media is offline, ransomware running on your servers cannot touch it. The protection is conceptually simple and very strong, but it comes with real operational cost: someone has to rotate the media, the gap only holds while the media is actually disconnected, and restoring from offline media is slow.

What is an immutable backup?

An immutable backup stays connected and online, but it is written in a write-once, object-locked form. For a retention window you define, the data physically cannot be modified, overwritten, or deleted, even by someone holding valid administrator credentials. This is enforced at the storage layer through object-lock, not by a policy that an attacker could toggle off. The result is air-gap-like protection without anyone unplugging anything: ransomware can encrypt the live copy all it wants, but it cannot rewrite history in the locked store.

Air-gapped vs immutable backups: a side-by-side comparison

Both approaches are valid, and the table below shows where each one shines. The key insight is that they are complementary, not competing.

	Air-gapped backup	Immutable (object-locked) backup
Definition	Copy on media physically/logically disconnected from the network	Online copy written write-once with an enforced object-lock retention window
How it resists ransomware	Malware can't reach what isn't connected	Malware (or stolen admin creds) can't alter or delete a locked object until retention expires
Recovery speed	Slow — locate, connect, and read offline media	Fast — data is online and ready to restore immediately
Automation / overhead	Manual media rotation and handling	Fully automated; no media to swap
Restore frequency & cost	Infrequent, labor-intensive restores	Frequent restores are cheap and self-service
Offline-window risk	Vulnerable whenever media is connected for writing	No connect/disconnect window; protection is continuous
Best for	Long-term archival, regulatory cold storage, ultra-high-value data	Day-to-day ransomware resilience and fast operational recovery

Notice that the weaknesses of one are the strengths of the other. Air-gapping has an unavoidable window of exposure each time the media is attached to be written, and that is precisely when an already-present infection can spread to it. Immutability removes that window because the copy never has to be disconnected to be safe. Conversely, true physical air-gapping gives you a copy that is unreachable over any network path at all, which is reassuring for long-horizon archives.

So which one should a dental practice choose?

For most practices, the honest answer is: lead with immutability, and don't agonize over manual air-gapping. Object-lock gives you the protection that actually matters day to day, which is a tamper-proof copy that survives an attacker with full domain admin rights, and it does so without anyone remembering to rotate a drive. With DDSArk, backups are written to immutable, object-locked storage off-site, encrypted in transit and at rest, and managed by your MSP under a HIPAA Business Associate Agreement, so the tamper-proof copy is created automatically every cycle.

The reason this is urgent for dentistry specifically is that attackers keep hitting the backups. In one widely reported case, Tampa Bay Dental Implants had roughly 6,400 patients affected when the encrypted server also held the practice's backups , leaving nothing clean to restore from. By contrast, True Dental Care in Pennsylvania was able to restore from backups and chose not to pay the ransom , which is the entire point of getting this layer right. We dig into how connected backups get caught in the blast radius in why your dental backup got encrypted too, and into the financial stakes in dental ransomware in 2026: the real costs.

The modern best practice: combine them

The most resilient setups don't pick a side. They follow the 3-2-1-1-0 principle, an evolution of the old 3-2-1 rule:

• 3 copies of your data
• 2 different media types
• 1 copy off-site
• 1 copy offline or immutable (object-locked)
• 0 recovery errors — meaning your restores are tested and verified, not assumed

That fourth digit is where air-gapping and immutability meet: either approach satisfies the "offline or immutable" requirement. An immutable cloud copy covers it automatically for nearly every practice; a physically air-gapped archive can be layered on top when you have regulatory or ultra-long-retention reasons to want a copy that touches no network at all. The final zero is the one most practices skip and the one that bites hardest, because a backup you have never test-restored is a backup you are only assuming will work.

The takeaway is not air-gapped versus immutable. It is immutable as your reliable, automated baseline, air-gapping as an optional reinforcement, and a tested restore proving the whole thing actually works.