
Why USB and NAS Backups Aren't Enough


DDSArk Editorial


Most dental practices feel covered the moment a backup drive shows a green checkmark. The image server copies to a USB disk or a network-attached storage (NAS) box in the server closet, the job reports success, and everyone moves on. The trouble is that a backup sitting on the same network as the thing it protects isn't really separate from it. When something goes badly wrong, it usually goes wrong for both at once.

Why does ransomware encrypt my USB and NAS backups too?

Because they're on the same network and reachable from the infected machine. Ransomware doesn't politely stop at the workstation that opened the malicious attachment. It enumerates mapped drives, network shares, and reachable hosts, then encrypts everything it can touch. A USB drive plugged into the server and a NAS sitting on the same LAN are both trivially reachable, and modern ransomware deliberately targets backups first so victims have no clean copy to fall back on.

This isn't hypothetical for dentistry. Healthcare ransomware activity rose roughly 58% in 2025, with dental and secondary providers making up around 26% of incidents (Comparitech 2025-26). And recovery odds are brutal once you're hit: only about 2% of organizations that paid a ransom got all of their data back. In one real case, Tampa Bay Dental Implants lost roughly 6,400 records when the encrypted server also held the backups — the exact failure mode of keeping everything in one place.

We go deeper on this in why your dental backup got encrypted too.

Isn't an on-site backup safe if ransomware doesn't hit?

Not really, because ransomware is only one of several ways an on-site backup disappears. A USB drive or NAS shares the building with your server, which means it shares the building's risks:

  • Fire, flood, or power surge takes the server room and the backup in the same event.
  • Theft or burglary walks off with the small, portable drive sitting next to the computer.
  • Hardware failure — drives and NAS units fail, and a backup on failing media is no backup at all.

This is the "blast radius" problem. Anything physically and logically close to your primary system fails together. The whole point of a backup is to survive an event that destroys the original, and a copy in the same closet can't do that.

What about the human side — doesn't someone manage the drive?

Usually no one does, consistently. On-site backups quietly depend on a person remembering to do something:

  • Swapping or rotating drives so a fresh copy goes off-site.
  • Noticing when last night's job silently failed.
  • Checking that the NAS isn't full and dropping the oldest images.

In a busy practice, that routine is the first thing to slip. Drives stay plugged in for months "temporarily." The rotation that was supposed to carry a copy home stops happening. Nobody is watching the backup, so a string of failed jobs can go unnoticed until the day you try to restore and discover the last good copy is weeks or months old. Dental imaging is large and grows fast, so a NAS that fit comfortably last year may now be silently truncating retention.
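The checks a person is supposed to remember can be scripted. The sketch below is an added example, not DDSArk's tooling: it flags a stale newest backup, a newest file far smaller than usual (a job that was cut short), and a nearly full backup volume. The folder layout, file names, and thresholds are assumptions, and the sample files are constructed.

```python
import os
import shutil
import statistics
import tempfile
import time
from collections import namedtuple

Usage = namedtuple("Usage", "total used free")  # same fields as shutil.disk_usage()

def check_backup_health(backup_dir, now=None, max_age_hours=26,
                        min_free_pct=15.0, min_size_ratio=0.5, usage=None):
    """Return a list of problem strings; an empty list means every check passed."""
    now = time.time() if now is None else now
    usage = usage or shutil.disk_usage(backup_dir)
    # Oldest to newest: (modification time, size in bytes, file name).
    files = sorted((e.stat().st_mtime, e.stat().st_size, e.name)
                   for e in os.scandir(backup_dir) if e.is_file())
    if not files:
        return ["no backup files found"]
    problems = []
    mtime, size, name = files[-1]
    age_h = (now - mtime) / 3600
    if age_h > max_age_hours:  # nightly job plus slack (assumed threshold)
        problems.append(f"stale: newest backup {name} is {age_h:.0f}h old")
    if len(files) > 1:
        typical = statistics.median(s for _, s, _ in files[:-1])
        if size < typical * min_size_ratio:  # job "succeeded" but wrote far too little
            problems.append(f"truncated: {name} is {size} bytes, typical is {typical:.0f}")
    free_pct = 100 * usage.free / usage.total
    if free_pct < min_free_pct:
        problems.append(f"capacity: only {free_pct:.1f}% free on backup volume")
    return problems

def build_sample_dir(now, ages_hours_and_sizes):
    """Constructed sample data: one file per (age in hours, size in bytes) pair."""
    d = tempfile.mkdtemp(prefix="backup_demo_")
    for i, (age_h, size) in enumerate(ages_hours_and_sizes):
        path = os.path.join(d, f"images_{i}.bak")  # hypothetical naming scheme
        with open(path, "wb") as f:
            f.write(b"\0" * size)
        os.utime(path, (now - age_h * 3600,) * 2)
    return d

if __name__ == "__main__":
    now = time.time()
    # Constructed case: jobs stopped 9 days ago and the last one was cut short.
    demo = build_sample_dir(now, [(264, 4000), (240, 4100), (216, 900)])
    for problem in check_backup_health(demo, now=now, usage=Usage(1000, 940, 60)):
        print("ALERT", problem)
    shutil.rmtree(demo)
```

Run it from a machine other than the backup target and send the alerts somewhere a person will see them; a check that only writes to a log on the NAS has the same blind spot as the backup itself.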

Are USB and NAS backups ever worth keeping?

Yes — as a local tier, not the whole plan. A USB drive or NAS is genuinely useful for fast local recovery. If a single workstation dies or someone deletes a chart, pulling from a drive on the same network is quick and convenient. That speed is exactly what makes local storage valuable as one layer.

The rule that captures this is 3-2-1: keep at least 3 copies of your data, on 2 different types of media, with 1 copy off-site. Your USB or NAS can absolutely be part of the "2 media" — they just can't be the off-site copy, and they can't be your only copy. We break the full framework down in the 3-2-1 backup rule for dental practices.

What does a backup actually need that USB and NAS lack?

Three things on-site storage rarely provides on its own: distance, immutability, and verification.

  • Off-site distance — a copy stored somewhere else entirely, outside your building's blast radius, so a local disaster can't reach it.
  • Immutability — write-once storage that can't be altered or deleted, even by an attacker with admin credentials or by ransomware. A plain NAS share can be encrypted; immutable storage can't be silently overwritten.
  • Monitoring and tested restores — someone watching every job and periodically proving a real restore works, so you find problems before an emergency does.

This is the gap a managed, off-site backup is built to close. DDSArk keeps an encrypted copy off-site on immutable, write-once storage, monitored and recovery-tested by an MSP under a HIPAA business associate agreement — so your fast local USB or NAS tier is backed by a copy that ransomware on your network simply can't reach. Whether to lean local, cloud, or both is the subject of cloud vs local backup for dental practices.

The bottom line

A USB drive or NAS isn't a bad backup — it's an incomplete one. As a local recovery tier it earns its place. As the only backup, it leaves your practice one fire, one theft, or one ransomware infection away from losing everything at once. The fix isn't to throw out the drive in the closet. It's to make sure there's also a copy your worst day can't touch.

Key takeaways

  • A USB drive or on-site NAS shares your server's network and building, so it shares the same blast radius from ransomware, fire, and theft.
  • Modern ransomware deliberately seeks out and encrypts reachable backups first, which is exactly what an always-connected drive or NAS share is.
  • On-site backups quietly depend on humans to rotate drives, notice failed jobs, and manage capacity — routines that slip in a busy practice.
  • USB and NAS are valid as the fast local tier in a 3-2-1 strategy, but never as the only or primary backup.
  • A complete backup adds what local storage lacks: off-site distance, immutability, monitoring, and tested restores.
  • The goal is a copy your worst day can't touch — encrypted, off-site, immutable, and verified.

Frequently asked questions

Can ransomware really reach a USB drive that's plugged in?

Yes. Once ransomware runs on a machine, it encrypts every drive and network share it can reach, including connected USB drives and mapped NAS shares. Many strains target backups first. A drive only stays safe if it's disconnected, and an always-connected drive offers no protection.

Is a NAS more secure than a USB drive for backups?

A NAS adds capacity and convenience but not real separation. It still lives on your network and in your building, so it shares the same blast radius. A standard NAS share can be encrypted by ransomware just like any other reachable storage unless it provides true immutability.

Do I have to stop using my USB or NAS backup?

No. Keep it as your fast local recovery tier — it's great for restoring a single file or workstation quickly. Just make sure it isn't your only copy. Pair it with an encrypted, immutable, off-site backup so one local event can't destroy everything.

How often do on-site backups fail without anyone noticing?

More often than practices expect, because nobody is monitoring them. Jobs can fail silently for weeks while the drive shows old data, and capacity limits can quietly truncate retention. Without monitoring and periodic tested restores, you usually discover the failure only when you try to recover.
