The single biggest threat to healthcare institution security is the end-user desktop. Even though user desktops do not commonly contain critical data, they are the end point through which data is accessed. User workstations are also the devices that are statistically the most likely to become infected with malware.
Needless to say, you really don't want users to access sensitive patient health data (or any other network resources) from an infected computer. Although antivirus software has improved considerably over the last few years, it is still far from perfect. That being the case, it is important for administrators in healthcare organizations to be proactive in the fight against malware. Fortunately, there are several things that you can do to reduce the risks of a malware infection.
Use virtual desktop pools
One of the most effective ways to prevent malware infections is to use pools of virtual desktops. The way that some (but not all) VDI software works is that when virtual desktops are pooled, a user's session is connected to a random virtual desktop within the pool of virtual desktops. When the user logs out of their session, they relinquish ownership of the virtual desktop and the virtual desktop is reset to a pristine condition.
Using a virtual desktop pool will not prevent a malware infection from occurring. However if the virtual desktop is reset to a pristine state upon user logout then any malware that does happen to make it onto the virtual desktop will be promptly removed.
Use mandatory user profiles
Another thing that you can do to help to protect against malware in Windows environments is to make use of mandatory profiles. Mandatory user profiles are kept on a file server and are copied to a workstation when the user logs in. When the user logs out for the day then any changes that the user has made to their profile are lost.
This technique can be at least somewhat effective at preventing malware because some forms of malware target user profiles.
Remove the web browser
It's an extreme step, but if you can get away with it then you can greatly reduce the chances of a malware infection by removing the web browser from user's PCs. Most malware infections occur as a result of visiting malicious websites, so getting rid of the web browser decreases the chances of contracting an infection.
If users are used to having Internet access, but don't necessarily need it in order to do their jobs then there are a few alternatives to desktop web browsers. For example, you might provide users with a WiFi connection that they can use to access the Internet from personal devices. Another idea is to create hardened virtual machines that are accessible from the user's desktops and place web browsers on those virtual machines. Doing so isolates the web browser from anything else that the user has access to.
Diversify your antivirus protection
Another way that you can improve your odds of preventing malware infections is to diversify your antivirus software. Antivirus software is signature-based. In other words, an antivirus program will not recognize a virus unless the program contains a signature for that particular virus. The problem with this approach to catching viruses is that when a virus created it takes a while for the antivirus vendors to get a copy of the virus and create a signature for it.
With that in mind, you can improve your detection odds by using multiple scanning engines. The idea is that if a virus slips past one scanning engine because it does not have a signature for the virus then another scanning engine might have better luck detecting the virus.
There are antivirus products (such as Microsoft's Forefront) that use multiple scanning engines. As an alternative, you could use one vendor's antivirus product to scan workstations and a different vendor's product to scan servers.
Enforce browser security
If you do decide to leave the web browser installed on the desktop it's a good idea to centralize control over the browser's security settings. Suppose that Internet Explorer's security settings prevent a user from viewing a particular webpage. If the user is relatively computer savvy then they might lower the security settings just so that they can view the webpage. Nevermind that they compromise the computer's security by doing so. To prevent this sort of thing from happening you can use group policy settings to control Internet Explorer's security settings.
It should also be pointed out that these solutions work well in other organizations such as education or finacial services where multiple users may be logging on to workstations across an enterprise. There are a number of different things that you can do to reduce the risk of malware infections on desktop computers in these settings. Obviously not every suggestion will be practical for every organization, but it is a good idea to implement protect against malware wherever you can.